Update dependencies (#400)

* Start working on updating dependencies: * Fix webhook * Rollback jsonschema update * Checkin new config * Fix run as root * Update versions of kind * Fix typo in kind URL * Fix kind config * Add csr permissions * Fix weird image thing * Fixed certificates * Add to logging * Approve cert manually * Fix approval * Add cert script * Fix deployment * Add requests/limits * Wait if certificate doesn't exist yet * Add check for file size * Add variable * Try a different imagE * Fix command * Update certificate logic * Add healthz * Don't check cert size * Remove stat * Fix vet * Put in change that makes no sense * Fix cert names * Roll back * Try changing config * Add logging for each request * Cleanup code some * Remove bad deployments * Fix client injection * Update timeout * Add logging * Fixed e2e webhook tests * Add permissions for approval * Fix permissions for CSR * Remove logging code * Remove refresh certs file * Fix merge issues * Update deployments * Try beta of admission controller config * Target 1.15 for testing * Add beta versions of resourceS * Lower webhook timeout * Refactor out a method * Fix up PR issues * Fix more tabs * Remove unnecessary messageS * Fix go.sum * Fix go.sum
FairwindsOps · Sep 11, 2020 · 7c9f016 · 7c9f016
1 parent 6cb9999
commit 7c9f016
Show file tree

Hide file tree

Showing 26 changed files with 595 additions and 765 deletions.
diff --git a/.circleci/config.yml b/.circleci/config.yml
@@ -27,24 +27,22 @@ references:
         sudo apt-get install -yqq jq git
 
         echo "Installing KIND"
-        curl -sLO https://github.com/kubernetes-sigs/kind/releases/download/0.2.1/kind-linux-amd64
+        curl -sLO https://github.com/kubernetes-sigs/kind/releases/download/v0.8.1/kind-linux-amd64
         chmod 0755 kind-linux-amd64
         sudo mv kind-linux-amd64 /usr/local/bin/kind
         kind version
 
         echo "Installing Kubectl"
-        curl -sLO https://storage.googleapis.com/kubernetes-release/release/v1.12.7/bin/linux/amd64/kubectl
+        curl -sLO https://storage.googleapis.com/kubernetes-release/release/v1.18.6/bin/linux/amd64/kubectl
         chmod 0755 kubectl
         sudo mv kubectl /usr/local/bin/
         kubectl version --client
 
 
         echo "Creating Kubernetes Cluster with Kind"
-        kind create cluster --wait=90s
+        kind create cluster --wait=90s --image kindest/node:v1.15.11
         docker ps -a
 
-        echo "Setting up kubecfg"
-        cp $(kind get kubeconfig-path --name=kind) ~/.kube/config
         kubectl version
 
   # Test scripts

diff --git a/.gitignore b/.gitignore
@@ -21,4 +21,6 @@ main
 
 *-packr.go
 dist
-.vscode
+.vscode
+
+*-test.yaml
diff --git a/cmd/polaris/audit.go b/cmd/polaris/audit.go
@@ -16,6 +16,7 @@ package cmd
 
 import (
 	"bytes"
+	"context"
 	"encoding/json"
 	"fmt"
 	"io/ioutil"
@@ -58,7 +59,7 @@ var auditCmd = &cobra.Command{
 			config.DisplayName = displayName
 		}
 
-		auditData := runAndReportAudit(config, auditPath, resourceToAudit, auditOutputFile, auditOutputURL, auditOutputFormat)
+		auditData := runAndReportAudit(cmd.Context(), config, auditPath, resourceToAudit, auditOutputFile, auditOutputURL, auditOutputFormat)
 
 		summary := auditData.GetSummary()
 		score := summary.GetScore()
@@ -72,14 +73,14 @@ var auditCmd = &cobra.Command{
 	},
 }
 
-func runAndReportAudit(c conf.Configuration, auditPath, workload, outputFile, outputURL, outputFormat string) validator.AuditData {
+func runAndReportAudit(ctx context.Context, c conf.Configuration, auditPath, workload, outputFile, outputURL, outputFormat string) validator.AuditData {
 	// Create a kubernetes client resource provider
-	k, err := kube.CreateResourceProvider(auditPath, workload)
+	k, err := kube.CreateResourceProvider(ctx, auditPath, workload)
 	if err != nil {
 		logrus.Errorf("Error fetching Kubernetes resources %v", err)
 		os.Exit(1)
 	}
-	auditData, err := validator.RunAudit(c, k)
+	auditData, err := validator.RunAudit(ctx, c, k)
 
 	if err != nil {
 		logrus.Errorf("Error while running audit on resources: %v", err)

diff --git a/cmd/polaris/webhook.go b/cmd/polaris/webhook.go
@@ -15,50 +15,18 @@
 package cmd
 
 import (
-	"io/ioutil"
 	"os"
-	"strings"
+	"time"
 
-	fwebhook "github.com/fairwindsops/polaris/pkg/webhook"
 	"github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
-	appsv1 "k8s.io/api/apps/v1"
-	appsv1beta1 "k8s.io/api/apps/v1beta1"
-	appsv1beta2 "k8s.io/api/apps/v1beta2"
-	batchv1 "k8s.io/api/batch/v1"
-	batchv1beta1 "k8s.io/api/batch/v1beta1"
-	batchv2alpha1 "k8s.io/api/batch/v2alpha1"
-	corev1 "k8s.io/api/core/v1"
-	"k8s.io/apimachinery/pkg/runtime"
-	apitypes "k8s.io/apimachinery/pkg/types"
+
+	fwebhook "github.com/fairwindsops/polaris/pkg/webhook"
 	k8sConfig "sigs.k8s.io/controller-runtime/pkg/client/config"
 	"sigs.k8s.io/controller-runtime/pkg/manager"
 	"sigs.k8s.io/controller-runtime/pkg/runtime/signals"
-	"sigs.k8s.io/controller-runtime/pkg/webhook"
 )
 
-var supportedVersions = map[string]runtime.Object{
-	"appsv1/Deployment":      &appsv1.Deployment{},
-	"appsv1beta1/Deployment": &appsv1beta1.Deployment{},
-	"appsv1beta2/Deployment": &appsv1beta2.Deployment{},
-
-	"appsv1/StatefulSet":      &appsv1.StatefulSet{},
-	"appsv1beta1/StatefulSet": &appsv1beta1.StatefulSet{},
-	"appsv1beta2/StatefulSet": &appsv1beta2.StatefulSet{},
-
-	"appsv1/DaemonSet":      &appsv1.DaemonSet{},
-	"appsv1beta2/DaemonSet": &appsv1beta2.DaemonSet{},
-
-	"batchv1/Job": &batchv1.Job{},
-
-	"batchv1beta1/CronJob":  &batchv1beta1.CronJob{},
-	"batchv2alpha1/CronJob": &batchv2alpha1.CronJob{},
-
-	"corev1/ReplicationController": &corev1.ReplicationController{},
-
-	"corev1/Pod": &corev1.Pod{},
-}
-
 var webhookPort int
 var disableWebhookConfigInstaller bool
 
@@ -74,81 +42,30 @@ var webhookCmd = &cobra.Command{
 	Long:  `Runs the webhook webserver.`,
 	Run: func(cmd *cobra.Command, args []string) {
 		logrus.Debug("Setting up controller manager")
-		mgr, err := manager.New(k8sConfig.GetConfigOrDie(), manager.Options{})
-		if err != nil {
-			logrus.Errorf("Unable to set up overall controller manager: %v", err)
-			os.Exit(1)
-		}
-
-		polarisAppName := "polaris"
-		polarisResourceName := "polaris-webhook"
-		polarisNamespaceBytes, err := ioutil.ReadFile("/var/run/secrets/kubernetes.io/serviceaccount/namespace")
 
-		if err != nil {
-			// Not exiting here as we have fallback options
-			logrus.Debugf("Error reading namespace information: %v", err)
-		}
-
-		polarisNamespace := string(polarisNamespaceBytes)
-		if polarisNamespace == "" {
-			polarisNamespace = polarisResourceName
-			logrus.Debugf("Could not determine current namespace, creating resources in %s namespace", polarisNamespace)
-		}
-
-		logrus.Info("Setting up webhook server")
-		as, err := webhook.NewServer(polarisResourceName, mgr, webhook.ServerOptions{
-			Port:                          int32(webhookPort),
-			CertDir:                       "/opt/cert",
-			DisableWebhookConfigInstaller: &disableWebhookConfigInstaller,
-			BootstrapOptions: &webhook.BootstrapOptions{
-				ValidatingWebhookConfigName: polarisResourceName,
-				Secret: &apitypes.NamespacedName{
-					Namespace: polarisNamespace,
-					Name:      polarisResourceName,
-				},
-
-				Service: &webhook.Service{
-					Namespace: polarisNamespace,
-					Name:      polarisResourceName,
-
-					// Selectors should select the pods that runs this webhook server.
-					Selectors: map[string]string{
-						"app":       polarisAppName,
-						"component": "webhook",
-					},
-				},
-			},
+		mgr, err := manager.New(k8sConfig.GetConfigOrDie(), manager.Options{
+			CertDir: "/opt/cert",
+			Port:    webhookPort,
 		})
-
 		if err != nil {
-			logrus.Errorf("Error setting up webhook server: %v", err)
+			logrus.Errorf("Unable to set up overall controller manager: %v", err)
 			os.Exit(1)
 		}
 
-		logrus.Infof("Polaris webhook server listening on port %d", webhookPort)
+		_, err = os.Stat("/opt/cert/tls.crt")
+		if os.IsNotExist(err) {
+			time.Sleep(time.Second * 10)
+			panic("Cert does not exist")
+		}
+		server := mgr.GetWebhookServer()
+		server.CertName = "tls.crt"
+		server.KeyName = "tls.key"
 
 		// Iterate all the configurations supported controllers to scan and register them for webhooks
 		// Should only register controllers that are configured to be scanned
-		logrus.Debug("Registering webhooks to the webhook server")
-		var webhooks []webhook.Webhook
-		for name, supportedAPIType := range supportedVersions {
-			webhookName := strings.ToLower(name)
-			webhookName = strings.ReplaceAll(webhookName, "/", "-")
-			hook, err := fwebhook.NewWebhook(webhookName, mgr, fwebhook.Validator{Config: config}, supportedAPIType)
-			if err != nil {
-				logrus.Warningf("Couldn't build webhook %s: %v", webhookName, err)
-				continue
-			}
-			webhooks = append(webhooks, hook)
-			logrus.Infof("%s webhook started", webhookName)
-		}
+		fwebhook.NewWebhook(mgr, fwebhook.Validator{Config: config, Client: mgr.GetClient()})
 
-		if err = as.Register(webhooks...); err != nil {
-			logrus.Debugf("Unable to register webhooks in the admission server: %v", err)
-			os.Exit(1)
-		}
-
-		logrus.Debug("Starting webhook manager")
+		logrus.Infof("Polaris webhook server listening on port %d", webhookPort)
 		if err := mgr.Start(signals.SetupSignalHandler()); err != nil {
 			logrus.Errorf("Error starting manager: %v", err)
 			os.Exit(1)
-Original file line number
+Diff line change
@@ Expand Up / @@ -21,4 +21,6 @@ main @@
     *-packr.go
     dist
-    .vscode
+    .vscode
+    *-test.yaml