From 38ca9e702ea8a2fc5321b45d95ab32ea8eae4905 Mon Sep 17 00:00:00 2001 From: shuting Date: Fri, 17 Jun 2022 23:16:19 +0800 Subject: [PATCH] Release 1.6.3 (#4134) * fix: do not remove webhooks during initialization (#3641) * Do not remove webhooks during initialization During initialization the Kyverno leader Pod deletes all the existing webhooks and recreates them. There is a small time window were the cluster is not protected by the webhooks, allowing a user to apply resources without any verfication. This commit updates the leader registration logic to not remove and recreate the webhooks but, in the case that the webhooks already exist, update them. Signed-off-by: Ioannis Bouloumpasis * Fix linter errors Signed-off-by: Ioannis Bouloumpasis * Use the Lister to get webhook configurations Signed-off-by: Ioannis Bouloumpasis Signed-off-by: ShutingZhao * Tag v1.6.3 Signed-off-by: ShutingZhao Co-authored-by: Ioannis Bouloumpasis --- charts/kyverno-policies/Chart.yaml | 4 +- charts/kyverno/Chart.yaml | 4 +- charts/kyverno/templates/crds.yaml | 14 ++-- config/install.yaml | 68 ++++++++--------- config/release/install.yaml | 68 ++++++++--------- config/release/kustomization.yaml | 4 +- config/release/labels.yaml | 2 +- pkg/webhookconfig/registration.go | 115 +++++++++++++++++++++++++++-- 8 files changed, 192 insertions(+), 87 deletions(-) diff --git a/charts/kyverno-policies/Chart.yaml b/charts/kyverno-policies/Chart.yaml index c7dcfd42d2c1..c6be390fd2d5 100644 --- a/charts/kyverno-policies/Chart.yaml +++ b/charts/kyverno-policies/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v1 name: kyverno-policies -version: v2.3.4 -appVersion: v1.6.2 +version: v2.3.5 +appVersion: v1.6.3 icon: https://github.com/kyverno/kyverno/raw/main/img/logo.png description: Kubernetes Pod Security Standards implemented as Kyverno policies keywords: diff --git a/charts/kyverno/Chart.yaml b/charts/kyverno/Chart.yaml index 15703905b6a5..fedca0040561 100644 --- a/charts/kyverno/Chart.yaml 
+++ b/charts/kyverno/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v1 name: kyverno -version: v2.3.3 -appVersion: v1.6.2 +version: v2.3.4 +appVersion: v1.6.3 icon: https://github.com/kyverno/kyverno/raw/main/img/logo.png description: Kubernetes Native Policy Management keywords: diff --git a/charts/kyverno/templates/crds.yaml b/charts/kyverno/templates/crds.yaml index 4a8318140b3c..1772b77bbdde 100644 --- a/charts/kyverno/templates/crds.yaml +++ b/charts/kyverno/templates/crds.yaml @@ -11,7 +11,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 name: clusterpolicies.kyverno.io spec: group: kyverno.io @@ -1388,7 +1388,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 name: clusterpolicyreports.wgpolicyk8s.io spec: group: wgpolicyk8s.io @@ -1880,7 +1880,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 name: clusterreportchangerequests.kyverno.io spec: group: kyverno.io @@ -2372,7 +2372,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 name: generaterequests.kyverno.io spec: group: kyverno.io @@ -2553,7 +2553,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 name: policies.kyverno.io spec: group: kyverno.io 
@@ -3930,7 +3930,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 name: policyreports.wgpolicyk8s.io spec: group: wgpolicyk8s.io @@ -4422,7 +4422,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 name: reportchangerequests.kyverno.io spec: group: kyverno.io diff --git a/config/install.yaml b/config/install.yaml index 02dbc40824b4..b95855db02a9 100644 --- a/config/install.yaml +++ b/config/install.yaml @@ -7,7 +7,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 name: kyverno --- apiVersion: apiextensions.k8s.io/v1 @@ -21,7 +21,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 name: clusterpolicies.kyverno.io spec: group: kyverno.io @@ -2202,7 +2202,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 name: clusterpolicyreports.wgpolicyk8s.io spec: group: wgpolicyk8s.io @@ -2882,7 +2882,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 name: clusterreportchangerequests.kyverno.io spec: group: kyverno.io 
@@ -3562,7 +3562,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 name: generaterequests.kyverno.io spec: group: kyverno.io @@ -3759,7 +3759,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 name: policies.kyverno.io spec: group: kyverno.io @@ -5942,7 +5942,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 name: policyreports.wgpolicyk8s.io spec: group: wgpolicyk8s.io @@ -6620,7 +6620,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 name: reportchangerequests.kyverno.io spec: group: kyverno.io @@ -7298,7 +7298,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 name: kyverno-service-account namespace: kyverno --- @@ -7311,7 +7311,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 name: kyverno:leaderelection namespace: kyverno rules: @@ -7345,7 +7345,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 rbac.authorization.k8s.io/aggregate-to-admin: "true" name: kyverno:admin-policies rules: 
@@ -7372,7 +7372,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 rbac.authorization.k8s.io/aggregate-to-admin: "true" name: kyverno:admin-policyreport rules: @@ -7399,7 +7399,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 rbac.authorization.k8s.io/aggregate-to-admin: "true" name: kyverno:admin-reportchangerequest rules: @@ -7426,7 +7426,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 name: kyverno:events rules: - apiGroups: @@ -7448,7 +7448,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 name: kyverno:generate rules: - apiGroups: @@ -7495,7 +7495,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 name: kyverno:policies rules: - apiGroups: @@ -7546,7 +7546,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 name: kyverno:userinfo rules: - apiGroups: @@ -7569,7 +7569,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 name: kyverno:view rules: - apiGroups: 
@@ -7590,7 +7590,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 name: kyverno:webhook rules: - apiGroups: @@ -7616,7 +7616,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 name: kyverno:leaderelection namespace: kyverno roleRef: @@ -7637,7 +7637,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 name: kyverno:events roleRef: apiGroup: rbac.authorization.k8s.io @@ -7657,7 +7657,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 name: kyverno:generate roleRef: apiGroup: rbac.authorization.k8s.io @@ -7677,7 +7677,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 name: kyverno:policies roleRef: apiGroup: rbac.authorization.k8s.io @@ -7697,7 +7697,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 name: kyverno:userinfo roleRef: apiGroup: rbac.authorization.k8s.io @@ -7717,7 +7717,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 name: kyverno:view roleRef: apiGroup: rbac.authorization.k8s.io 
@@ -7737,7 +7737,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 name: kyverno:webhook roleRef: apiGroup: rbac.authorization.k8s.io @@ -7761,7 +7761,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 name: kyverno namespace: kyverno --- @@ -7777,7 +7777,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 name: kyverno-metrics namespace: kyverno --- @@ -7790,7 +7790,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 name: kyverno-svc namespace: kyverno spec: @@ -7811,7 +7811,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 name: kyverno-svc-metrics namespace: kyverno spec: @@ -7832,7 +7832,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 name: kyverno namespace: kyverno spec: @@ -7854,7 +7854,7 @@ spec: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 spec: affinity: podAntiAffinity: @@ -7885,7 +7885,7 @@ spec: value: kyverno-svc - name: TUF_ROOT value: /.sigstore - image: ghcr.io/kyverno/kyverno:v1.6.2 + image: ghcr.io/kyverno/kyverno:v1.6.3 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 2 
@@ -7940,7 +7940,7 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace - image: ghcr.io/kyverno/kyvernopre:v1.6.2 + image: ghcr.io/kyverno/kyvernopre:v1.6.3 imagePullPolicy: IfNotPresent name: kyverno-pre resources: diff --git a/config/release/install.yaml b/config/release/install.yaml index 02dbc40824b4..b95855db02a9 100755 --- a/config/release/install.yaml +++ b/config/release/install.yaml @@ -7,7 +7,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 name: kyverno --- apiVersion: apiextensions.k8s.io/v1 @@ -21,7 +21,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 name: clusterpolicies.kyverno.io spec: group: kyverno.io @@ -2202,7 +2202,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 name: clusterpolicyreports.wgpolicyk8s.io spec: group: wgpolicyk8s.io @@ -2882,7 +2882,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 name: clusterreportchangerequests.kyverno.io spec: group: kyverno.io @@ -3562,7 +3562,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 name: generaterequests.kyverno.io spec: group: kyverno.io @@ -3759,7 +3759,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 name: policies.kyverno.io spec: group: kyverno.io 
@@ -5942,7 +5942,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 name: policyreports.wgpolicyk8s.io spec: group: wgpolicyk8s.io @@ -6620,7 +6620,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 name: reportchangerequests.kyverno.io spec: group: kyverno.io @@ -7298,7 +7298,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 name: kyverno-service-account namespace: kyverno --- @@ -7311,7 +7311,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 name: kyverno:leaderelection namespace: kyverno rules: @@ -7345,7 +7345,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 rbac.authorization.k8s.io/aggregate-to-admin: "true" name: kyverno:admin-policies rules: @@ -7372,7 +7372,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 rbac.authorization.k8s.io/aggregate-to-admin: "true" name: kyverno:admin-policyreport rules: @@ -7399,7 +7399,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 rbac.authorization.k8s.io/aggregate-to-admin: "true" name: kyverno:admin-reportchangerequest rules: 
@@ -7426,7 +7426,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 name: kyverno:events rules: - apiGroups: @@ -7448,7 +7448,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 name: kyverno:generate rules: - apiGroups: @@ -7495,7 +7495,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 name: kyverno:policies rules: - apiGroups: @@ -7546,7 +7546,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 name: kyverno:userinfo rules: - apiGroups: @@ -7569,7 +7569,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 name: kyverno:view rules: - apiGroups: @@ -7590,7 +7590,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 name: kyverno:webhook rules: - apiGroups: @@ -7616,7 +7616,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 name: kyverno:leaderelection namespace: kyverno roleRef: 
@@ -7637,7 +7637,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 name: kyverno:events roleRef: apiGroup: rbac.authorization.k8s.io @@ -7657,7 +7657,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 name: kyverno:generate roleRef: apiGroup: rbac.authorization.k8s.io @@ -7677,7 +7677,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 name: kyverno:policies roleRef: apiGroup: rbac.authorization.k8s.io @@ -7697,7 +7697,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 name: kyverno:userinfo roleRef: apiGroup: rbac.authorization.k8s.io @@ -7717,7 +7717,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 name: kyverno:view roleRef: apiGroup: rbac.authorization.k8s.io @@ -7737,7 +7737,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 name: kyverno:webhook roleRef: apiGroup: rbac.authorization.k8s.io @@ -7761,7 +7761,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 name: kyverno namespace: kyverno --- 
@@ -7777,7 +7777,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 name: kyverno-metrics namespace: kyverno --- @@ -7790,7 +7790,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 name: kyverno-svc namespace: kyverno spec: @@ -7811,7 +7811,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 name: kyverno-svc-metrics namespace: kyverno spec: @@ -7832,7 +7832,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 name: kyverno namespace: kyverno spec: @@ -7854,7 +7854,7 @@ spec: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 spec: affinity: podAntiAffinity: @@ -7885,7 +7885,7 @@ spec: value: kyverno-svc - name: TUF_ROOT value: /.sigstore - image: ghcr.io/kyverno/kyverno:v1.6.2 + image: ghcr.io/kyverno/kyverno:v1.6.3 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 2 @@ -7940,7 +7940,7 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace - image: ghcr.io/kyverno/kyvernopre:v1.6.2 + image: ghcr.io/kyverno/kyvernopre:v1.6.3 imagePullPolicy: IfNotPresent name: kyverno-pre resources: diff --git a/config/release/kustomization.yaml b/config/release/kustomization.yaml index 8d13b59e32dc..07401ba63800 100755 --- a/config/release/kustomization.yaml +++ b/config/release/kustomization.yaml 
@@ -9,6 +9,6 @@ transformers: images: - name: ghcr.io/kyverno/kyverno - newTag: v1.6.2 + newTag: v1.6.3 - name: ghcr.io/kyverno/kyvernopre - newTag: v1.6.2 + newTag: v1.6.3 diff --git a/config/release/labels.yaml b/config/release/labels.yaml index c34a8aa6a3e0..9122d512e57e 100644 --- a/config/release/labels.yaml +++ b/config/release/labels.yaml @@ -4,7 +4,7 @@ kind: LabelTransformer metadata: name: labelTransformer labels: - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 fieldSpecs: - path: metadata/labels create: true diff --git a/pkg/webhookconfig/registration.go b/pkg/webhookconfig/registration.go index 32dbe2b8c416..95fb31d00239 100644 --- a/pkg/webhookconfig/registration.go +++ b/pkg/webhookconfig/registration.go @@ -126,7 +126,6 @@ func (wrc *Register) Register() error { return err } } - wrc.removeWebhookConfigurations() caData := wrc.readCaData() if caData == nil { @@ -318,9 +317,12 @@ func (wrc *Register) createResourceMutatingWebhookConfiguration(caData []byte) e _, err := wrc.client.CreateResource("", kindMutating, "", *config, false) if errorsapi.IsAlreadyExists(err) { logger.V(6).Info("resource mutating webhook configuration already exists", "name", config.Name) + err = wrc.updateMutatingWebhookConfiguration(config) + if err != nil { + return err + } return nil } - if err != nil { logger.Error(err, "failed to create resource mutating webhook configuration", "name", config.Name) return err @@ -344,6 +346,10 @@ func (wrc *Register) createResourceValidatingWebhookConfiguration(caData []byte) _, err := wrc.client.CreateResource("", kindValidating, "", *config, false) if errorsapi.IsAlreadyExists(err) { logger.V(6).Info("resource validating webhook configuration already exists", "name", config.Name) + err = wrc.updateValidatingWebhookConfiguration(config) + if err != nil { + return err + } return nil } 
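Review bot: In createResourceMutatingWebhookConfiguration the new AlreadyExists branch returns the error from updateMutatingWebhookConfiguration bare and unlogged, while the create-failure path directly below it logs with the configuration name. A failed reconcile of an existing webhook at startup is therefore harder to attribute than a failed create. I would add the context at the call site, e.g. `if err := wrc.updateMutatingWebhookConfiguration(config); err != nil { return fmt.Errorf("updating existing %s %s: %w", kindMutating, config.Name, err) }`. The same applies to the matching branches added in createResourceValidatingWebhookConfiguration, createPolicyValidatingWebhookConfiguration, createPolicyMutatingWebhookConfiguration and createVerifyMutatingWebhookConfiguration. Each of these functions starts and ends outside its hunk.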
@@ -369,6 +375,10 @@ func (wrc *Register) createPolicyValidatingWebhookConfiguration(caData []byte) e if _, err := wrc.client.CreateResource("", kindValidating, "", *config, false); err != nil { if errorsapi.IsAlreadyExists(err) { wrc.log.V(6).Info("webhook already exists", "kind", kindValidating, "name", config.Name) + err = wrc.updateValidatingWebhookConfiguration(config) + if err != nil { + return err + } return nil } @@ -392,6 +402,10 @@ func (wrc *Register) createPolicyMutatingWebhookConfiguration(caData []byte) err if _, err := wrc.client.CreateResource("", kindMutating, "", *config, false); err != nil { if errorsapi.IsAlreadyExists(err) { wrc.log.V(6).Info("webhook already exists", "kind", kindMutating, "name", config.Name) + err = wrc.updateMutatingWebhookConfiguration(config) + if err != nil { + return err + } return nil } @@ -414,6 +428,10 @@ func (wrc *Register) createVerifyMutatingWebhookConfiguration(caData []byte) err if _, err := wrc.client.CreateResource("", kindMutating, "", *config, false); err != nil { if errorsapi.IsAlreadyExists(err) { wrc.log.V(6).Info("webhook already exists", "kind", kindMutating, "name", config.Name) + err = wrc.updateMutatingWebhookConfiguration(config) + if err != nil { + return err + } return nil } @@ -684,9 +702,6 @@ func (wrc *Register) checkEndpoint() error { } } - // clean up old webhook configurations, if any - wrc.removeWebhookConfigurations() - err = fmt.Errorf("endpoint not ready") wrc.log.V(3).Info(err.Error(), "ns", config.KyvernoNamespace, "name", config.KyvernoServiceName) return err 
@@ -851,3 +866,93 @@ func (wrc *Register) updateResourceMutatingWebhookConfiguration(nsSelector map[s return nil } + +// updateMutatingWebhookConfiguration updates an existing MutatingWebhookConfiguration with the rules provided by +// the targetConfig. If the targetConfig doesn't provide any rules, the existing rules will be preserved. +func (wrc *Register) updateMutatingWebhookConfiguration(targetConfig *admregapi.MutatingWebhookConfiguration) error { + // Fetch the existing webhook. + currentConfiguration, err := wrc.mwcLister.Get(targetConfig.Name) + if err != nil { + return fmt.Errorf("failed to get %s %s: %v", kindMutating, targetConfig.Name, err) + } + // Create a map of the target webhooks. + targetWebhooksMap := make(map[string]admregapi.MutatingWebhook) + for _, w := range targetConfig.Webhooks { + targetWebhooksMap[w.Name] = w + } + // Update the webhooks. + newWebhooks := make([]admregapi.MutatingWebhook, 0) + for _, w := range currentConfiguration.Webhooks { + target, exist := targetWebhooksMap[w.Name] + if !exist { + continue + } + delete(targetWebhooksMap, w.Name) + // Update the webhook configuration + w.ClientConfig.URL = target.ClientConfig.URL + w.ClientConfig.Service = target.ClientConfig.Service + w.ClientConfig.CABundle = target.ClientConfig.CABundle + if target.Rules != nil { + // If the target webhook has rule definitions override the current. + w.Rules = target.Rules + } + newWebhooks = append(newWebhooks, w) + } + // Check if there are additional webhooks defined and add them. + for _, w := range targetWebhooksMap { + newWebhooks = append(newWebhooks, w) + } + // Update the current configuration. 
+ currentConfiguration.Webhooks = newWebhooks + _, err = wrc.client.UpdateResource("", kindMutating, "", currentConfiguration, false) + if err != nil { + return err + } + wrc.log.V(3).Info("successfully updated mutatingWebhookConfigurations", "name", targetConfig.Name) + return nil +} + +// updateValidatingWebhookConfiguration updates an existing ValidatingWebhookConfiguration with the rules provided by +// the targetConfig. If the targetConfig doesn't provide any rules, the existing rules will be preserved. +func (wrc *Register) updateValidatingWebhookConfiguration(targetConfig *admregapi.ValidatingWebhookConfiguration) error { + // Fetch the existing webhook. + currentConfiguration, err := wrc.vwcLister.Get(targetConfig.Name) + if err != nil { + return fmt.Errorf("failed to get %s %s: %v", kindValidating, targetConfig.Name, err) + } + // Create a map of the target webhooks. + targetWebhooksMap := make(map[string]admregapi.ValidatingWebhook) + for _, w := range targetConfig.Webhooks { + targetWebhooksMap[w.Name] = w + } + // Update the webhooks. + newWebhooks := make([]admregapi.ValidatingWebhook, 0) + for _, w := range currentConfiguration.Webhooks { + target, exist := targetWebhooksMap[w.Name] + if !exist { + continue + } + delete(targetWebhooksMap, w.Name) + // Update the webhook configuration + w.ClientConfig.URL = target.ClientConfig.URL + w.ClientConfig.Service = target.ClientConfig.Service + w.ClientConfig.CABundle = target.ClientConfig.CABundle + if target.Rules != nil { + // If the target webhook has rule definitions override the current. + w.Rules = target.Rules + } + newWebhooks = append(newWebhooks, w) + } + // Check if there are additional webhooks defined and add them. + for _, w := range targetWebhooksMap { + newWebhooks = append(newWebhooks, w) + } + // Update the current configuration. 
+ currentConfiguration.Webhooks = newWebhooks + _, err = wrc.client.UpdateResource("", kindValidating, "", currentConfiguration, false) + if err != nil { + return err + } + wrc.log.V(3).Info("successfully updated validatingWebhookConfigurations", "name", targetConfig.Name) + return nil +}
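Review bot: Both updateMutatingWebhookConfiguration and updateValidatingWebhookConfiguration copy only ClientConfig and, when non-nil, Rules onto a webhook that already exists, so FailurePolicy, NamespaceSelector, ObjectSelector and TimeoutSeconds are kept exactly as found in the cluster. With the delete-and-recreate at startup removed by this commit, a drifted or hand-edited value in one of those fields (for example a failure policy of Ignore, or a selector that skips namespaces) now survives a restart. Unless a reconciler outside this hunk resets them, consider also assigning the enforcement-relevant fields, e.g. `w.FailurePolicy = target.FailurePolicy`, or add a comment listing the fields that are intentionally preserved. Separately, currentConfiguration comes from mwcLister/vwcLister and is then modified in place by `currentConfiguration.Webhooks = newWebhooks`. Objects returned by a lister are shared with the informer cache, so take a copy first with `currentConfiguration = currentConfiguration.DeepCopy()`.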