feat: add ruleset api(#1844)

* fix(controller): decode old object for delete requests Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com> * chore: modernize golang Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com> * chore: modernize golang Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com> * chore: modernize golang Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com> * fix(config): remove usergroups default Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com> * fix(config): remove usergroups default Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com> * sec(ghsa-2ww6-hf35-mfjm): intercept namespace subresource Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com> * feat(api): add rulestatus api Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com> * chore: conflicts Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com> * chore: conflicts Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com> * chore: conflicts Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com> * chore: conflicts Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com> * chore: conflicts Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com> * chore: conflicts Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com> * chore: conflicts Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com> * chore: conflicts Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com> * chore: conflicts Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com> * chore: conflicts Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com> * chore: conflicts Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com> * feat(api): add rulestatus api Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com> * feat(api): add rulestatus api Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com> * feat(api): add rulestatus api Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com> * feat(api): add rulestatus api Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com> * feat(api): add rulestatus api Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com> * feat(api): add rulestatus api Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com> --------- Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>
2026-05-04 08:26:41 +00:00 · 2026-01-27 14:28:48 +01:00
parent b9a14a954d
commit a6b830b1af
284 changed files with 12699 additions and 2162 deletions
--- a/cmd/main.go
+++ b/cmd/main.go
@@ -31,6 +31,8 @@ import (

 	capsulev1beta1 "github.com/projectcapsule/capsule/api/v1beta1"
 	capsulev1beta2 "github.com/projectcapsule/capsule/api/v1beta2"
+	"github.com/projectcapsule/capsule/internal/cache"
+	"github.com/projectcapsule/capsule/internal/controllers/admission"
 	configcontroller "github.com/projectcapsule/capsule/internal/controllers/cfg"
 	podlabelscontroller "github.com/projectcapsule/capsule/internal/controllers/pod"
 	"github.com/projectcapsule/capsule/internal/controllers/pv"
@@ -63,8 +65,9 @@ import (
 	tenantvalidation "github.com/projectcapsule/capsule/internal/webhook/tenant/validation"
 	tntresource "github.com/projectcapsule/capsule/internal/webhook/tenantresource"
 	"github.com/projectcapsule/capsule/internal/webhook/utils"
-	"github.com/projectcapsule/capsule/pkg/configuration"
-	"github.com/projectcapsule/capsule/pkg/indexer"
+	"github.com/projectcapsule/capsule/pkg/runtime/configuration"
+	"github.com/projectcapsule/capsule/pkg/runtime/handlers"
+	"github.com/projectcapsule/capsule/pkg/runtime/indexers"
 )

 var (
@@ -190,7 +193,7 @@ func main() {
 	if directCfg.EnableTLSConfiguration() {
 		tlsReconciler := &tlscontroller.Reconciler{
 			Client:        directClient,
-			Log:           ctrl.Log.WithName("controllers").WithName("TLS"),
+			Log:           ctrl.Log.WithName("capsule.ctrl").WithName("tls"),
 			Namespace:     ns,
 			Configuration: directCfg,
 		}
@@ -213,12 +216,14 @@ func main() {
 		}
 	}

+	registryCache := cache.NewRegistryRuleSetCache()
+
 	if err = (&tenantcontroller.Manager{
 		RESTConfig:    manager.GetConfig(),
 		Client:        manager.GetClient(),
 		Metrics:       metrics.MustMakeTenantRecorder(),
-		Log:           ctrl.Log.WithName("controllers").WithName("Tenant"),
-		Recorder:      manager.GetEventRecorderFor("tenant-controller"),
+		Log:           ctrl.Log.WithName("capsule.ctrl").WithName("tenant"),
+		Recorder:      manager.GetEventRecorder("tenant-controller"),
 		Configuration: cfg,
 	}).SetupWithManager(manager, controllerConfig); err != nil {
 		setupLog.Error(err, "unable to create controller", "controller", "Tenant")
@@ -230,7 +235,7 @@ func main() {
 		os.Exit(1)
 	}

-	if err = indexer.AddToManager(ctx, setupLog, manager); err != nil {
+	if err = indexers.AddToManager(ctx, setupLog, manager); err != nil {
 		setupLog.Error(err, "unable to setup indexers")
 		os.Exit(1)
 	}
@@ -244,11 +249,12 @@ func main() {

 	// webhooks: the order matters, don't change it and just append
 	webhooksList := append(
-		make([]webhook.Webhook, 0),
+		make([]handlers.Webhook, 0),
 		route.Pod(
 			pod.Handler(
 				pod.ImagePullPolicy(),
-				pod.ContainerRegistry(cfg),
+				pod.ContainerRegistryLegacy(cfg),
+				pod.ContainerRegistry(cfg, registryCache),
 				pod.PriorityClass(),
 				pod.RuntimeClass(),
 			),
@@ -265,10 +271,10 @@ func main() {
 				service.Validating(),
 			),
 		),
-		route.TenantResourceObjects(utils.InCapsuleGroups(cfg, tntresource.WriteOpsHandler())),
-		route.NetworkPolicy(utils.InCapsuleGroups(cfg, networkpolicy.Handler())),
+		route.TenantResourceObjects(handlers.InCapsuleGroups(cfg, tntresource.WriteOpsHandler())),
+		route.NetworkPolicy(handlers.InCapsuleGroups(cfg, networkpolicy.Handler())),
 		route.Cordoning(tenantvalidation.CordoningHandler(cfg)),
-		route.Node(utils.InCapsuleGroups(cfg, node.UserMetadataHandler(cfg, kubeVersion))),
+		route.Node(handlers.InCapsuleGroups(cfg, node.UserMetadataHandler(cfg, kubeVersion))),
 		route.ServiceAccounts(
 			serviceaccounts.Handler(
 				serviceaccounts.Validating(cfg),
@@ -287,6 +293,7 @@ func main() {
 			tenantvalidation.IngressClassRegexHandler(),
 			tenantvalidation.StorageClassRegexHandler(),
 			tenantvalidation.ContainerRegistryRegexHandler(),
+			tenantvalidation.RuleHandler(),
 			tenantvalidation.HostnameRegexHandler(),
 			tenantvalidation.FreezedEmitter(),
 			tenantvalidation.ServiceAccountNameHandler(),
@@ -316,9 +323,12 @@ func main() {
 		route.ResourcePoolValidation((resourcepool.PoolValidationHandler(ctrl.Log.WithName("webhooks").WithName("resourcepool")))),
 		route.ResourcePoolClaimMutation((resourcepool.ClaimMutationHandler(ctrl.Log.WithName("webhooks").WithName("resourcepoolclaims")))),
 		route.ResourcePoolClaimValidation((resourcepool.ClaimValidationHandler(ctrl.Log.WithName("webhooks").WithName("resourcepoolclaims")))),
-		route.TenantAssignment(
+		route.MiscTenantAssignment(
 			misc.TenantAssignmentHandler(),
 		),
+		route.MiscManagedValidation(
+			handlers.InCapsuleGroups(cfg, misc.ManagedValidatingHandler()),
+		),
 		route.ConfigValidation(
 			cfgvalidation.WarningHandler(),
 		),
@@ -326,7 +336,7 @@ func main() {

 	nodeWebhookSupported, _ := utils.NodeWebhookSupported(kubeVersion)
 	if !nodeWebhookSupported {
-		setupLog.Info("Disabling node labels verification webhook as current Kubernetes version doesn't have fix for CVE-2021-25735")
+		setupLog.Info("disabling node labels verification webhook as current Kubernetes version doesn't have fix for CVE-2021-25735")
 	}

 	if err = webhook.Register(manager, webhooksList...); err != nil {
@@ -335,7 +345,7 @@ func main() {
 	}

 	rbacManager := &rbaccontroller.Manager{
-		Log:           ctrl.Log.WithName("controllers").WithName("Rbac"),
+		Log:           ctrl.Log.WithName("capsule.ctrl").WithName("rbac"),
 		Client:        manager.GetClient(),
 		Configuration: cfg,
 	}
@@ -351,14 +361,14 @@ func main() {
 	}

 	if err = (&servicelabelscontroller.ServicesLabelsReconciler{
-		Log: ctrl.Log.WithName("controllers").WithName("ServiceLabels"),
+		Log: ctrl.Log.WithName("capsule.ctrl").WithName("services"),
 	}).SetupWithManager(ctx, manager); err != nil {
 		setupLog.Error(err, "unable to create controller", "controller", "ServiceLabels")
 		os.Exit(1)
 	}

 	if err = (&servicelabelscontroller.EndpointSlicesLabelsReconciler{
-		Log: ctrl.Log.WithName("controllers").WithName("EndpointSliceLabels"),
+		Log: ctrl.Log.WithName("capsule.ctrl").WithName("endpointslices"),
 	}).SetupWithManager(ctx, manager); err != nil {
 		setupLog.Error(err, "unable to create controller", "controller", "EndpointSliceLabels")
 	}
@@ -374,8 +384,9 @@ func main() {
 	}

 	if err = (&configcontroller.Manager{
-		Client: manager.GetClient(),
-		Log:    ctrl.Log.WithName("controllers").WithName("CapsuleConfiguration"),
+		Client:        manager.GetClient(),
+		RegistryCache: registryCache,
+		Log:           ctrl.Log.WithName("capsule.ctrl").WithName("configuration"),
 	}).SetupWithManager(manager, controllerConfig); err != nil {
 		setupLog.Error(err, "unable to create controller", "controller", "CapsuleConfiguration")
 		os.Exit(1)
@@ -391,10 +402,21 @@ func main() {
 		os.Exit(1)
 	}

-	if err := resourcepools.Add(
-		ctrl.Log.WithName("controllers").WithName("ResourcePools"),
+	if err := admission.Add(
+		ctrl.Log.WithName("capsule.ctrl").WithName("admission"),
 		manager,
-		manager.GetEventRecorderFor("pools-ctrl"),
+		manager.GetEventRecorder("admission-ctrl"),
+		controllerConfig,
+		cfg,
+	); err != nil {
+		setupLog.Error(err, "unable to create controller", "controller", "admission")
+		os.Exit(1)
+	}
+
+	if err := resourcepools.Add(
+		ctrl.Log.WithName("capsule.ctrl").WithName("resourcepools"),
+		manager,
+		manager.GetEventRecorder("pools-ctrl"),
 		controllerConfig,
 	); err != nil {
 		setupLog.Error(err, "unable to create controller", "controller", "resourcepools")