feat: support image policy

Signed-off-by: HIHIA <283304489@qq.com>
sealerio · Jan 17, 2023 · a8542c4 · a8542c4
1 parent 91ba640
commit a8542c4
Show file tree

Hide file tree

Showing 432 changed files with 29,351 additions and 20,016 deletions.
diff --git a/cmd/sealer/cmd/cluster/run.go b/cmd/sealer/cmd/cluster/run.go
@@ -392,7 +392,7 @@ func installApplication(appImageName string, envs []string, app *v2.Application,
  return loadToRegistry(infraDriver, distributor)
  }
 
- installer := clusterruntime.NewAppInstaller(infraDriver, distributor, extension)
+ installer := clusterruntime.NewAppInstaller(infraDriver, distributor, extension, imageEngine)
  err = installer.Install(infraDriver.GetHostIPListByRole(common.MASTER)[0], v2App.GetImageLaunchCmds())
  if err != nil {
  return err

diff --git a/common/common.go b/common/common.go
@@ -127,6 +127,72 @@ const (
  WINDOWS = "windows"
 )
 
+const (
+ ImagePolicyLabelKey = "app.alpha.sealer.io/image-policy-plugin"
+ ImagePolicyPluginKyverno = "kyverno"
+ ImagePolicyTemplateYamlName = "image-policy-template.yaml"
+ ImagePolicyTemplate = `
+apiVersion : kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: [[.name]]-redirect-registry
+ namespace: kube-system
+spec:
+ background: false
+ rules:
+ - name: prepend-registry-containers
+ match:
+ resources:
+ kinds:
+ - Pod
+ preconditions:
+ all:
+ - key: "{{request.operation}}"
+ operator: In
+ value:
+ - CREATE
+ - UPDATE
+ mutate:
+ foreach:
+ - list: "request.object.spec.containers"
+ preconditions:
+ all:
+ - key: "{{element.image}}"
+ operator: AnyIn
+ value: [[.imageList]]
+ patchStrategicMerge:
+ spec:
+ containers:
+ - name: "{{ element.name }}"
+ image: "[[.registry]]/{{ images.containers.{{element.name}}.path}}:{{images.containers.{{element.name}}.tag}}"
+ - name: prepend-registry-initcontainers
+ match:
+ resources:
+ kinds:
+ - Pod
+ preconditions:
+ all:
+ - key: "{{request.operation}}"
+ operator: In
+ value:
+ - CREATE
+ - UPDATE
+ mutate:
+ foreach:
+ - list: "request.object.spec.initContainers"
+ preconditions:
+ all:
+ - key: "{{element.image}}"
+ operator: AnyIn
+ value: [[.imageList]]
+ patchStrategicMerge:
+ spec:
+ initContainers:
+ - name: "{{ element.name }}"
+ image: "[[.registry]]/{{ images.initContainers.{{element.name}}.path}}:{{images.initContainers.{{element.name}}.tag}}"
+`
+)
+
 func GetSealerWorkDir() string {
  return filepath.Join(GetHomeDir(), ".sealer")
 }

diff --git a/go.mod b/go.mod
@@ -19,6 +19,7 @@ require (
  github.com/google/uuid v1.3.0
  github.com/hashicorp/go-multierror v1.1.1
  github.com/imdario/mergo v0.3.13
+ github.com/kyverno/kyverno v1.7.5
  github.com/labring/lvscare v1.1.1
  github.com/lestrrat-go/file-rotatelogs v2.4.0+incompatible
  github.com/mitchellh/go-homedir v1.1.0
@@ -30,19 +31,19 @@ require (
  github.com/onsi/gomega v1.20.0
  github.com/opencontainers/go-digest v1.0.0
  github.com/opencontainers/image-spec v1.0.3-0.20220114050600-8b9d41f48198
- github.com/pelletier/go-toml v1.9.4
+ github.com/pelletier/go-toml v1.9.5
  github.com/pkg/errors v0.9.1
- github.com/pkg/sftp v1.13.0
+ github.com/pkg/sftp v1.13.1
  github.com/rifflock/lfshook v0.0.0-20180920164130-b9218ef580f5
  github.com/shirou/gopsutil v3.21.11+incompatible
  github.com/sirupsen/logrus v1.9.0
  github.com/spf13/cobra v1.5.0
- github.com/spf13/viper v1.10.0
+ github.com/spf13/viper v1.13.0
  github.com/stretchr/testify v1.8.0
  github.com/vishvananda/netlink v1.1.1-0.20210330154013-f5de75959ad5
- golang.org/x/crypto v0.0.0-20220525230936-793ad666bf5e
- golang.org/x/sync v0.0.0-20220601150217-0de741cfad7f
- golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8
+ golang.org/x/crypto v0.0.0-20220829220503-c86fa9a7ed90
+ golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4
+ golang.org/x/sys v0.0.0-20220907062415-87db552b00fd
  golang.org/x/term v0.0.0-20220526004731-065cf7ba2467
  gopkg.in/yaml.v2 v2.4.0
  gopkg.in/yaml.v3 v3.0.1
@@ -55,7 +56,7 @@ require (
  k8s.io/kubelet v0.21.0
  k8s.io/kubernetes v1.21.0
  k8s.io/utils v0.0.0-20220210201930-3a6ce19ff2f9
- sigs.k8s.io/controller-runtime v0.8.1
+ sigs.k8s.io/controller-runtime v0.11.0
  sigs.k8s.io/yaml v1.3.0
 )
 
@@ -66,8 +67,6 @@ require (
  github.com/Masterminds/sprig/v3 v3.2.2 // indirect
  github.com/Microsoft/go-winio v0.5.2 // indirect
  github.com/Microsoft/hcsshim v0.9.3 // indirect
- github.com/PuerkitoBio/purell v1.1.1 // indirect
- github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578 // indirect
  github.com/VividCortex/ewma v1.2.0 // indirect
  github.com/acarl005/stripansi v0.0.0-20180116102854-5a71ef0e047d // indirect
  github.com/beorn7/perks v1.0.1 // indirect
@@ -91,21 +90,21 @@ require (
  github.com/evanphx/json-patch v4.12.0+incompatible // indirect
  github.com/fsnotify/fsnotify v1.5.4 // indirect
  github.com/fsouza/go-dockerclient v1.8.1 // indirect
- github.com/ghodss/yaml v1.0.0 // indirect
+ github.com/ghodss/yaml v1.0.1-0.20190212211648-25d852aebe32 // indirect
  github.com/go-errors/errors v1.0.1 // indirect
- github.com/go-logr/logr v1.2.2 // indirect
+ github.com/go-logr/logr v1.2.3 // indirect
  github.com/go-ole/go-ole v1.2.6 // indirect
  github.com/go-openapi/jsonpointer v0.19.5 // indirect
- github.com/go-openapi/jsonreference v0.19.5 // indirect
- github.com/go-openapi/swag v0.19.14 // indirect
+ github.com/go-openapi/jsonreference v0.20.0 // indirect
+ github.com/go-openapi/swag v0.22.3 // indirect
  github.com/gobwas/glob v0.2.3 // indirect
  github.com/gogo/protobuf v1.3.2 // indirect
  github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
  github.com/golang/protobuf v1.5.2 // indirect
- github.com/google/btree v1.0.1 // indirect
+ github.com/google/btree v1.1.2 // indirect
  github.com/google/gnostic v0.5.7-v3refs // indirect
- github.com/google/go-cmp v0.5.8 // indirect
- github.com/google/go-containerregistry v0.10.0 // indirect
+ github.com/google/go-cmp v0.5.9 // indirect
+ github.com/google/go-containerregistry v0.11.0 // indirect
  github.com/google/go-intervals v0.0.2 // indirect
  github.com/google/gofuzz v1.2.0 // indirect
  github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 // indirect
@@ -122,12 +121,13 @@ require (
  github.com/klauspost/compress v1.15.9 // indirect
  github.com/klauspost/pgzip v1.2.5 // indirect
  github.com/kr/fs v0.1.0 // indirect
+ github.com/kyverno/go-wildcard v1.0.4 // indirect
  github.com/lestrrat-go/strftime v1.0.6 // indirect
- github.com/letsencrypt/boulder v0.0.0-20220331220046-b23ab962616e // indirect
+ github.com/letsencrypt/boulder v0.0.0-20220723181115-27de4befb95e // indirect
  github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de // indirect
  github.com/lithammer/dedent v1.1.0 // indirect
- github.com/magiconair/properties v1.8.5 // indirect
- github.com/mailru/easyjson v0.7.6 // indirect
+ github.com/magiconair/properties v1.8.6 // indirect
+ github.com/mailru/easyjson v0.7.7 // indirect
  github.com/manifoldco/promptui v0.9.0 // indirect
  github.com/mattn/go-runewidth v0.0.13 // indirect
  github.com/mattn/go-shellwords v1.0.12 // indirect
@@ -152,28 +152,29 @@ require (
  github.com/opencontainers/selinux v1.10.1 // indirect
  github.com/openshift/imagebuilder v1.2.4-0.20220711175835-4151e43600df // indirect
  github.com/ostreedev/ostree-go v0.0.0-20210805093236-719684c64e4f // indirect
+ github.com/pelletier/go-toml/v2 v2.0.5 // indirect
  github.com/peterbourgon/diskv v2.0.1+incompatible // indirect
  github.com/pmezard/go-difflib v1.0.0 // indirect
  github.com/proglottis/gpgme v0.1.3 // indirect
- github.com/prometheus/client_golang v1.12.1 // indirect
+ github.com/prometheus/client_golang v1.13.0 // indirect
  github.com/prometheus/client_model v0.2.0 // indirect
- github.com/prometheus/common v0.32.1 // indirect
- github.com/prometheus/procfs v0.7.3 // indirect
+ github.com/prometheus/common v0.37.0 // indirect
+ github.com/prometheus/procfs v0.8.0 // indirect
  github.com/rivo/uniseg v0.2.0 // indirect
  github.com/russross/blackfriday/v2 v2.1.0 // indirect
  github.com/seccomp/libseccomp-golang v0.10.0 // indirect
  github.com/shopspring/decimal v1.2.0 // indirect
- github.com/sigstore/sigstore v1.3.1-0.20220629021053-b95fc0d626c1 // indirect
- github.com/spf13/afero v1.6.0 // indirect
- github.com/spf13/cast v1.4.1 // indirect
+ github.com/sigstore/sigstore v1.4.1 // indirect
+ github.com/spf13/afero v1.8.2 // indirect
+ github.com/spf13/cast v1.5.0 // indirect
  github.com/spf13/jwalterweatherman v1.1.0 // indirect
  github.com/spf13/pflag v1.0.5 // indirect
  github.com/stefanberger/go-pkcs11uri v0.0.0-20201008174630-78d3cae3a980 // indirect
- github.com/subosito/gotenv v1.2.0 // indirect
+ github.com/subosito/gotenv v1.4.1 // indirect
  github.com/sylabs/sif/v2 v2.7.1 // indirect
  github.com/syndtr/gocapability v0.0.0-20200815063812-42c35b437635 // indirect
  github.com/tchap/go-patricia v2.3.0+incompatible // indirect
- github.com/theupdateframework/go-tuf v0.3.1 // indirect
+ github.com/theupdateframework/go-tuf v0.5.0 // indirect
  github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399 // indirect
  github.com/ulikunitz/xz v0.5.10 // indirect
  github.com/vbatts/tar-split v0.11.2 // indirect
@@ -188,16 +189,16 @@ require (
  go.mozilla.org/pkcs7 v0.0.0-20200128120323-432b2356ecb1 // indirect
  go.opencensus.io v0.23.0 // indirect
  go.starlark.net v0.0.0-20200306205701-8dd3e2ee1dd5 // indirect
- golang.org/x/net v0.0.0-20220624214902-1bab6f366d9e // indirect
- golang.org/x/oauth2 v0.0.0-20220622183110-fd043fe589d2 // indirect
- golang.org/x/text v0.3.7 // indirect
- golang.org/x/time v0.0.0-20220210224613-90d013bbcef8 // indirect
+ golang.org/x/net v0.0.0-20220909164309-bea034e7d591 // indirect
+ golang.org/x/oauth2 v0.0.0-20220822191816-0ebed06d0094 // indirect
+ golang.org/x/text v0.3.8-0.20211004125949-5bd84dd9b33b // indirect
+ golang.org/x/time v0.0.0-20220722155302-e5dcc9cfc0b9 // indirect
  google.golang.org/appengine v1.6.7 // indirect
- google.golang.org/genproto v0.0.0-20220624142145-8cd45d7dbd1f // indirect
- google.golang.org/grpc v1.47.0 // indirect
- google.golang.org/protobuf v1.28.0 // indirect
+ google.golang.org/genproto v0.0.0-20220805133916-01dd62135a58 // indirect
+ google.golang.org/grpc v1.49.0 // indirect
+ google.golang.org/protobuf v1.28.1 // indirect
  gopkg.in/inf.v0 v0.9.1 // indirect
- gopkg.in/ini.v1 v1.66.2 // indirect
+ gopkg.in/ini.v1 v1.67.0 // indirect
  gopkg.in/square/go-jose.v2 v2.6.0 // indirect
  gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 // indirect
  k8s.io/apiextensions-apiserver v0.24.2 // indirect