Merge pull request #10052 from derekwaynecarr/admission_subresources

Admission control exposes subresource
2026-01-19 16:24:33 +00:00 · 2015-06-22 13:11:58 -07:00
parent 1874599c00 795e444ba3
commit 0c7fbacfb1
15 changed files with 186 additions and 69 deletions
--- a/pkg/admission/attributes.go
+++ b/pkg/admission/attributes.go
@@ -22,22 +22,24 @@ import (
 )

 type attributesRecord struct {
-	kind      string
-	namespace string
-	resource  string
-	operation Operation
-	object    runtime.Object
-	userInfo  user.Info
+	kind        string
+	namespace   string
+	resource    string
+	subresource string
+	operation   Operation
+	object      runtime.Object
+	userInfo    user.Info
 }

-func NewAttributesRecord(object runtime.Object, kind, namespace, resource string, operation Operation, userInfo user.Info) Attributes {
+func NewAttributesRecord(object runtime.Object, kind, namespace, resource, subresource string, operation Operation, userInfo user.Info) Attributes {
 	return &attributesRecord{
-		kind:      kind,
-		namespace: namespace,
-		resource:  resource,
-		operation: operation,
-		object:    object,
-		userInfo:  userInfo,
+		kind:        kind,
+		namespace:   namespace,
+		resource:    resource,
+		subresource: subresource,
+		operation:   operation,
+		object:      object,
+		userInfo:    userInfo,
 	}
 }

@@ -53,6 +55,10 @@ func (record *attributesRecord) GetResource() string {
 	return record.resource
 }

+func (record *attributesRecord) GetSubresource() string {
+	return record.subresource
+}
+
 func (record *attributesRecord) GetOperation() Operation {
 	return record.operation
 }
--- a/pkg/admission/chain_test.go
+++ b/pkg/admission/chain_test.go
@@ -98,7 +98,7 @@ func TestAdmit(t *testing.T) {
 		},
 	}
 	for _, test := range tests {
-		err := test.chain.Admit(NewAttributesRecord(nil, "", "", "", test.operation, nil))
+		err := test.chain.Admit(NewAttributesRecord(nil, "", "", "", "", test.operation, nil))
 		accepted := (err == nil)
 		if accepted != test.accept {
 			t.Errorf("%s: unexpected result of admit call: %v\n", test.name, accepted)
--- a/pkg/admission/interfaces.go
+++ b/pkg/admission/interfaces.go
@@ -24,11 +24,21 @@ import (
 // Attributes is an interface used by AdmissionController to get information about a request
 // that is used to make an admission decision.
 type Attributes interface {
+	// GetNamespace is the namespace associated with the request (if any)
 	GetNamespace() string
+	// GetResource is the name of the resource being requested.  This is not the kind.  For example: pods
 	GetResource() string
+	// GetSubresource is the name of the subresource being requested.  This is a different resource, scoped to the parent resource, but it may have a different kind.
+	// For instance, /pods has the resource "pods" and the kind "Pod", while /pods/foo/status has the resource "pods", the sub resource "status", and the kind "Pod"
+	// (because status operates on pods). The binding resource for a pod though may be /pods/foo/binding, which has resource "pods", subresource "binding", and kind "Binding".
+	GetSubresource() string
+	// GetOperation is the operation being performed
 	GetOperation() Operation
+	// GetObject is the object from the incoming request prior to default values being applied
 	GetObject() runtime.Object
+	// GetKind is the type of object being manipulated.  For example: Pod
 	GetKind() string
+	// GetUserInfo is information about the requesting user
 	GetUserInfo() user.Info
 }

--- a/pkg/apiserver/api_installer.go
+++ b/pkg/apiserver/api_installer.go
@@ -365,6 +365,7 @@ func (a *APIInstaller) registerResourceHandlers(path string, storage rest.Storag
 		APIVersion:       a.group.Version,
 		ServerAPIVersion: serverVersion,
 		Resource:         resource,
+		Subresource:      subresource,
 		Kind:             kind,
 	}
 	for _, action := range actions {
--- a/pkg/apiserver/resthandler.go
+++ b/pkg/apiserver/resthandler.go
@@ -67,9 +67,10 @@ type RequestScope struct {
 	Creater   runtime.ObjectCreater
 	Convertor runtime.ObjectConvertor

-	Resource   string
-	Kind       string
-	APIVersion string
+	Resource    string
+	Subresource string
+	Kind        string
+	APIVersion  string

 	// The version of apiserver resources to use
 	ServerAPIVersion string
@@ -164,7 +165,7 @@ func ConnectResource(connecter rest.Connecter, scope RequestScope, admit admissi
 				ResourcePath: restPath,
 			}
 			userInfo, _ := api.UserFrom(ctx)
-			err = admit.Admit(admission.NewAttributesRecord(connectRequest, scope.Kind, namespace, scope.Resource, admission.Connect, userInfo))
+			err = admit.Admit(admission.NewAttributesRecord(connectRequest, scope.Kind, namespace, scope.Resource, scope.Subresource, admission.Connect, userInfo))
 			if err != nil {
 				errorJSON(err, scope.Codec, w)
 				return
@@ -308,7 +309,7 @@ func createHandler(r rest.NamedCreater, scope RequestScope, typer runtime.Object

 		if admit.Handles(admission.Create) {
 			userInfo, _ := api.UserFrom(ctx)
-			err = admit.Admit(admission.NewAttributesRecord(obj, scope.Kind, namespace, scope.Resource, admission.Create, userInfo))
+			err = admit.Admit(admission.NewAttributesRecord(obj, scope.Kind, namespace, scope.Resource, scope.Subresource, admission.Create, userInfo))
 			if err != nil {
 				errorJSON(err, scope.Codec, w)
 				return
@@ -378,7 +379,7 @@ func PatchResource(r rest.Patcher, scope RequestScope, typer runtime.ObjectTyper
 		// PATCH requires same permission as UPDATE
 		if admit.Handles(admission.Update) {
 			userInfo, _ := api.UserFrom(ctx)
-			err = admit.Admit(admission.NewAttributesRecord(obj, scope.Kind, namespace, scope.Resource, admission.Update, userInfo))
+			err = admit.Admit(admission.NewAttributesRecord(obj, scope.Kind, namespace, scope.Resource, scope.Subresource, admission.Update, userInfo))
 			if err != nil {
 				errorJSON(err, scope.Codec, w)
 				return
@@ -478,7 +479,7 @@ func UpdateResource(r rest.Updater, scope RequestScope, typer runtime.ObjectType

 		if admit.Handles(admission.Update) {
 			userInfo, _ := api.UserFrom(ctx)
-			err = admit.Admit(admission.NewAttributesRecord(obj, scope.Kind, namespace, scope.Resource, admission.Update, userInfo))
+			err = admit.Admit(admission.NewAttributesRecord(obj, scope.Kind, namespace, scope.Resource, scope.Subresource, admission.Update, userInfo))
 			if err != nil {
 				errorJSON(err, scope.Codec, w)
 				return
@@ -542,7 +543,7 @@ func DeleteResource(r rest.GracefulDeleter, checkBody bool, scope RequestScope,

 		if admit.Handles(admission.Delete) {
 			userInfo, _ := api.UserFrom(ctx)
-			err = admit.Admit(admission.NewAttributesRecord(nil, scope.Kind, namespace, scope.Resource, admission.Delete, userInfo))
+			err = admit.Admit(admission.NewAttributesRecord(nil, scope.Kind, namespace, scope.Resource, scope.Subresource, admission.Delete, userInfo))
 			if err != nil {
 				errorJSON(err, scope.Codec, w)
 				return