refactor: add a function to check if VAPs are registered in the API s…

…erver (kyverno#10014) Signed-off-by: Mariam Fahmy <[email protected]>
giantswarm · Apr 17, 2024 · f98d7d8 · f98d7d8
1 parent 3db5bdf
commit f98d7d8
Show file tree

Hide file tree

Showing 3 changed files with 18 additions and 8 deletions.
diff --git a/cmd/kyverno/main.go b/cmd/kyverno/main.go
@@ -37,6 +37,7 @@ import (
 	"github.com/kyverno/kyverno/pkg/toggle"
 	kubeutils "github.com/kyverno/kyverno/pkg/utils/kube"
 	runtimeutils "github.com/kyverno/kyverno/pkg/utils/runtime"
+	"github.com/kyverno/kyverno/pkg/validatingadmissionpolicy"
 	"github.com/kyverno/kyverno/pkg/validation/exception"
 	"github.com/kyverno/kyverno/pkg/validation/globalcontext"
 	"github.com/kyverno/kyverno/pkg/webhooks"
@@ -48,7 +49,6 @@ import (
 	admissionregistrationv1 "k8s.io/api/admissionregistration/v1"
 	corev1 "k8s.io/api/core/v1"
 	apiserver "k8s.io/apiextensions-apiserver/pkg/client/clientset/clientset"
-	"k8s.io/apimachinery/pkg/runtime/schema"
 	kubeinformers "k8s.io/client-go/informers"
 	corev1informers "k8s.io/client-go/informers/core/v1"
 	"k8s.io/client-go/kubernetes"
@@ -314,9 +314,9 @@ func main() {
 	// check if validating admission policies are registered in the API server
 	generateValidatingAdmissionPolicy := toggle.FromContext(context.TODO()).GenerateValidatingAdmissionPolicy()
 	if generateValidatingAdmissionPolicy {
-		groupVersion := schema.GroupVersion{Group: "admissionregistration.k8s.io", Version: "v1alpha1"}
-		if _, err := setup.KyvernoDynamicClient.GetKubeClient().Discovery().ServerResourcesForGroupVersion(groupVersion.String()); err != nil {
-			setup.Logger.Error(err, "validating admission policies aren't supported.")
+		registered, err := validatingadmissionpolicy.IsValidatingAdmissionPolicyRegistered(setup.KubeClient)
+		if !registered {
+			setup.Logger.Error(err, "ValidatingAdmissionPolicies isn't supported in the API server")
 			os.Exit(1)
 		}
 	}

diff --git a/cmd/reports-controller/main.go b/cmd/reports-controller/main.go
@@ -26,8 +26,8 @@ import (
 	"github.com/kyverno/kyverno/pkg/leaderelection"
 	"github.com/kyverno/kyverno/pkg/logging"
 	kubeutils "github.com/kyverno/kyverno/pkg/utils/kube"
+	"github.com/kyverno/kyverno/pkg/validatingadmissionpolicy"
 	apiserver "k8s.io/apiextensions-apiserver/pkg/client/clientset/clientset"
-	"k8s.io/apimachinery/pkg/runtime/schema"
 	kubeinformers "k8s.io/client-go/informers"
 	admissionregistrationv1alpha1informers "k8s.io/client-go/informers/admissionregistration/v1alpha1"
 	metadatainformers "k8s.io/client-go/metadata/metadatainformer"
@@ -253,9 +253,9 @@ func main() {
 	setup.Logger.Info("background scan interval", "duration", backgroundScanInterval.String())
 	// check if validating admission policies are registered in the API server
 	if validatingAdmissionPolicyReports {
-		groupVersion := schema.GroupVersion{Group: "admissionregistration.k8s.io", Version: "v1alpha1"}
-		if _, err := setup.KyvernoDynamicClient.GetKubeClient().Discovery().ServerResourcesForGroupVersion(groupVersion.String()); err != nil {
-			setup.Logger.Error(err, "validating admission policies aren't supported.")
+		registered, err := validatingadmissionpolicy.IsValidatingAdmissionPolicyRegistered(setup.KubeClient)
+		if !registered {
+			setup.Logger.Error(err, "ValidatingAdmissionPolicies isn't supported in the API server")
 			os.Exit(1)
 		}
 	}

diff --git a/...ingadmissionpolicy/permissions_checker.go → pkg/validatingadmissionpolicy/utils.go b/...ingadmissionpolicy/permissions_checker.go → pkg/validatingadmissionpolicy/utils.go
@@ -5,6 +5,7 @@ import (
 
 	"github.com/kyverno/kyverno/pkg/auth/checker"
 	"k8s.io/apimachinery/pkg/runtime/schema"
+	"k8s.io/client-go/kubernetes"
 )
 
 func hasPermissions(resource schema.GroupVersionResource, s checker.AuthChecker) bool {
@@ -28,3 +29,12 @@ func HasValidatingAdmissionPolicyBindingPermission(s checker.AuthChecker) bool {
 	gvr := schema.GroupVersionResource{Group: "admissionregistration.k8s.io", Version: "v1alpha1", Resource: "validatingadmissionpolicybindings"}
 	return hasPermissions(gvr, s)
 }
+
+// IsValidatingAdmissionPolicyRegistered checks if ValidatingAdmissionPolicies are registered in the API Server
+func IsValidatingAdmissionPolicyRegistered(kubeClient kubernetes.Interface) (bool, error) {
+	groupVersion := schema.GroupVersion{Group: "admissionregistration.k8s.io", Version: "v1alpha1"}
+	if _, err := kubeClient.Discovery().ServerResourcesForGroupVersion(groupVersion.String()); err != nil {
+		return false, err
+	}
+	return true, nil
+}