2018-01-09 18:57:14 +00:00
|
|
|
/*
|
2018-11-26 18:23:56 +00:00
|
|
|
Copyright 2018 The Kubernetes Authors.
|
2018-01-09 18:57:14 +00:00
|
|
|
|
|
|
|
|
Licensed under the Apache License, Version 2.0 (the "License");
|
|
|
|
|
you may not use this file except in compliance with the License.
|
|
|
|
|
You may obtain a copy of the License at
|
|
|
|
|
|
|
|
|
|
http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
|
|
|
|
|
|
Unless required by applicable law or agreed to in writing, software
|
|
|
|
|
distributed under the License is distributed on an "AS IS" BASIS,
|
|
|
|
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
|
|
|
See the License for the specific language governing permissions and
|
|
|
|
|
limitations under the License.
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
package main
|
|
|
|
|
|
|
|
|
|
import (
|
|
|
|
|
"encoding/json"
|
|
|
|
|
"flag"
|
|
|
|
|
"fmt"
|
|
|
|
|
"io/ioutil"
|
|
|
|
|
"net/http"
|
|
|
|
|
|
|
|
|
|
"k8s.io/api/admission/v1beta1"
|
|
|
|
|
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
2018-11-26 18:23:56 +00:00
|
|
|
"k8s.io/klog"
|
2018-01-09 18:57:14 +00:00
|
|
|
// TODO: try this library to see if it generates correct json patch
|
|
|
|
|
// https://github.com/mattbaird/jsonpatch
|
|
|
|
|
)
|
|
|
|
|
|
2018-11-26 18:23:56 +00:00
|
|
|
// toAdmissionResponse is a helper function to create an AdmissionResponse
|
|
|
|
|
// with an embedded error
|
2018-01-09 18:57:14 +00:00
|
|
|
func toAdmissionResponse(err error) *v1beta1.AdmissionResponse {
|
|
|
|
|
return &v1beta1.AdmissionResponse{
|
|
|
|
|
Result: &metav1.Status{
|
|
|
|
|
Message: err.Error(),
|
|
|
|
|
},
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2018-11-26 18:23:56 +00:00
|
|
|
// admitFunc is the type we use for all of our validators and mutators
|
2018-01-09 18:57:14 +00:00
|
|
|
type admitFunc func(v1beta1.AdmissionReview) *v1beta1.AdmissionResponse
|
|
|
|
|
|
2018-11-26 18:23:56 +00:00
|
|
|
// serve handles the http portion of a request prior to handing to an admit
|
|
|
|
|
// function
|
2018-01-09 18:57:14 +00:00
|
|
|
func serve(w http.ResponseWriter, r *http.Request, admit admitFunc) {
|
|
|
|
|
var body []byte
|
|
|
|
|
if r.Body != nil {
|
|
|
|
|
if data, err := ioutil.ReadAll(r.Body); err == nil {
|
|
|
|
|
body = data
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// verify the content type is accurate
|
|
|
|
|
contentType := r.Header.Get("Content-Type")
|
|
|
|
|
if contentType != "application/json" {
|
2018-11-26 18:23:56 +00:00
|
|
|
klog.Errorf("contentType=%s, expect application/json", contentType)
|
2018-01-09 18:57:14 +00:00
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
2018-11-26 18:23:56 +00:00
|
|
|
klog.V(2).Info(fmt.Sprintf("handling request: %s", body))
|
|
|
|
|
|
|
|
|
|
// The AdmissionReview that was sent to the webhook
|
|
|
|
|
requestedAdmissionReview := v1beta1.AdmissionReview{}
|
|
|
|
|
|
|
|
|
|
// The AdmissionReview that will be returned
|
|
|
|
|
responseAdmissionReview := v1beta1.AdmissionReview{}
|
|
|
|
|
|
2018-01-09 18:57:14 +00:00
|
|
|
deserializer := codecs.UniversalDeserializer()
|
2018-11-26 18:23:56 +00:00
|
|
|
if _, _, err := deserializer.Decode(body, nil, &requestedAdmissionReview); err != nil {
|
|
|
|
|
klog.Error(err)
|
|
|
|
|
responseAdmissionReview.Response = toAdmissionResponse(err)
|
2018-01-09 18:57:14 +00:00
|
|
|
} else {
|
2018-11-26 18:23:56 +00:00
|
|
|
// pass to admitFunc
|
|
|
|
|
responseAdmissionReview.Response = admit(requestedAdmissionReview)
|
2018-01-09 18:57:14 +00:00
|
|
|
}
|
|
|
|
|
|
2018-11-26 18:23:56 +00:00
|
|
|
// Return the same UID
|
|
|
|
|
responseAdmissionReview.Response.UID = requestedAdmissionReview.Request.UID
|
2018-01-09 18:57:14 +00:00
|
|
|
|
2018-11-26 18:23:56 +00:00
|
|
|
klog.V(2).Info(fmt.Sprintf("sending response: %v", responseAdmissionReview.Response))
|
|
|
|
|
|
|
|
|
|
respBytes, err := json.Marshal(responseAdmissionReview)
|
2018-01-09 18:57:14 +00:00
|
|
|
if err != nil {
|
2018-11-26 18:23:56 +00:00
|
|
|
klog.Error(err)
|
2018-01-09 18:57:14 +00:00
|
|
|
}
|
2018-11-26 18:23:56 +00:00
|
|
|
if _, err := w.Write(respBytes); err != nil {
|
|
|
|
|
klog.Error(err)
|
2018-01-09 18:57:14 +00:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2018-07-18 14:47:22 +00:00
|
|
|
func serveAlwaysDeny(w http.ResponseWriter, r *http.Request) {
|
|
|
|
|
serve(w, r, alwaysDeny)
|
|
|
|
|
}
|
|
|
|
|
|
2018-11-26 18:23:56 +00:00
|
|
|
func serveAddLabel(w http.ResponseWriter, r *http.Request) {
|
|
|
|
|
serve(w, r, addLabel)
|
|
|
|
|
}
|
|
|
|
|
|
2018-01-09 18:57:14 +00:00
|
|
|
func servePods(w http.ResponseWriter, r *http.Request) {
|
|
|
|
|
serve(w, r, admitPods)
|
|
|
|
|
}
|
|
|
|
|
|
2018-11-26 18:23:56 +00:00
|
|
|
func serveAttachingPods(w http.ResponseWriter, r *http.Request) {
|
|
|
|
|
serve(w, r, denySpecificAttachment)
|
|
|
|
|
}
|
|
|
|
|
|
2018-03-06 22:33:18 +00:00
|
|
|
func serveMutatePods(w http.ResponseWriter, r *http.Request) {
|
|
|
|
|
serve(w, r, mutatePods)
|
|
|
|
|
}
|
|
|
|
|
|
2018-01-09 18:57:14 +00:00
|
|
|
func serveConfigmaps(w http.ResponseWriter, r *http.Request) {
|
|
|
|
|
serve(w, r, admitConfigMaps)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func serveMutateConfigmaps(w http.ResponseWriter, r *http.Request) {
|
|
|
|
|
serve(w, r, mutateConfigmaps)
|
|
|
|
|
}
|
|
|
|
|
|
2018-07-18 14:47:22 +00:00
|
|
|
func serveCustomResource(w http.ResponseWriter, r *http.Request) {
|
|
|
|
|
serve(w, r, admitCustomResource)
|
2018-01-09 18:57:14 +00:00
|
|
|
}
|
|
|
|
|
|
2018-07-18 14:47:22 +00:00
|
|
|
func serveMutateCustomResource(w http.ResponseWriter, r *http.Request) {
|
|
|
|
|
serve(w, r, mutateCustomResource)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func serveCRD(w http.ResponseWriter, r *http.Request) {
|
|
|
|
|
serve(w, r, admitCRD)
|
2018-01-09 18:57:14 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func main() {
|
|
|
|
|
var config Config
|
|
|
|
|
config.addFlags()
|
|
|
|
|
flag.Parse()
|
|
|
|
|
|
2018-07-18 14:47:22 +00:00
|
|
|
http.HandleFunc("/always-deny", serveAlwaysDeny)
|
2018-11-26 18:23:56 +00:00
|
|
|
http.HandleFunc("/add-label", serveAddLabel)
|
2018-01-09 18:57:14 +00:00
|
|
|
http.HandleFunc("/pods", servePods)
|
2018-11-26 18:23:56 +00:00
|
|
|
http.HandleFunc("/pods/attach", serveAttachingPods)
|
2018-03-06 22:33:18 +00:00
|
|
|
http.HandleFunc("/mutating-pods", serveMutatePods)
|
2018-01-09 18:57:14 +00:00
|
|
|
http.HandleFunc("/configmaps", serveConfigmaps)
|
|
|
|
|
http.HandleFunc("/mutating-configmaps", serveMutateConfigmaps)
|
2018-07-18 14:47:22 +00:00
|
|
|
http.HandleFunc("/custom-resource", serveCustomResource)
|
|
|
|
|
http.HandleFunc("/mutating-custom-resource", serveMutateCustomResource)
|
2018-01-09 18:57:14 +00:00
|
|
|
http.HandleFunc("/crd", serveCRD)
|
|
|
|
|
server := &http.Server{
|
|
|
|
|
Addr: ":443",
|
2018-11-26 18:23:56 +00:00
|
|
|
TLSConfig: configTLS(config),
|
2018-01-09 18:57:14 +00:00
|
|
|
}
|
|
|
|
|
server.ListenAndServeTLS("", "")
|
|
|
|
|
}
|
