diff --git a/staging/src/k8s.io/apiserver/pkg/admission/BUILD b/staging/src/k8s.io/apiserver/pkg/admission/BUILD index f409c9a3690..45df48cc6a1 100644 --- a/staging/src/k8s.io/apiserver/pkg/admission/BUILD +++ b/staging/src/k8s.io/apiserver/pkg/admission/BUILD @@ -9,6 +9,7 @@ load( go_test( name = "go_default_test", srcs = [ + "attributes_test.go", "chain_test.go", "config_test.go", "errors_test.go", @@ -16,6 +17,7 @@ go_test( ], embed = [":go_default_library"], deps = [ + "//vendor/github.com/stretchr/testify/assert:go_default_library", "//vendor/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library", "//vendor/k8s.io/apimachinery/pkg/runtime:go_default_library", "//vendor/k8s.io/apimachinery/pkg/runtime/schema:go_default_library", @@ -48,6 +50,7 @@ go_library( "//vendor/k8s.io/apimachinery/pkg/runtime/serializer:go_default_library", "//vendor/k8s.io/apimachinery/pkg/util/errors:go_default_library", "//vendor/k8s.io/apimachinery/pkg/util/sets:go_default_library", + "//vendor/k8s.io/apimachinery/pkg/util/validation:go_default_library", "//vendor/k8s.io/apiserver/pkg/apis/apiserver:go_default_library", "//vendor/k8s.io/apiserver/pkg/apis/apiserver/v1alpha1:go_default_library", "//vendor/k8s.io/apiserver/pkg/authentication/user:go_default_library", diff --git a/staging/src/k8s.io/apiserver/pkg/admission/attributes.go b/staging/src/k8s.io/apiserver/pkg/admission/attributes.go index 406235dd03c..7272e888bcf 100644 --- a/staging/src/k8s.io/apiserver/pkg/admission/attributes.go +++ b/staging/src/k8s.io/apiserver/pkg/admission/attributes.go @@ -17,8 +17,13 @@ limitations under the License. package admission import ( + "fmt" + "strings" + "sync" + "k8s.io/apimachinery/pkg/runtime" "k8s.io/apimachinery/pkg/runtime/schema" + "k8s.io/apimachinery/pkg/util/validation" "k8s.io/apiserver/pkg/authentication/user" ) @@ -32,6 +37,11 @@ type attributesRecord struct { object runtime.Object oldObject runtime.Object userInfo user.Info + + // other elements are always accessed in single goroutine. + // But ValidatingAdmissionWebhook add annotations concurrently. + annotations map[string]string + annotationsLock sync.RWMutex } func NewAttributesRecord(object runtime.Object, oldObject runtime.Object, kind schema.GroupVersionKind, namespace, name string, resource schema.GroupVersionResource, subresource string, operation Operation, userInfo user.Info) Attributes { @@ -83,3 +93,48 @@ func (record *attributesRecord) GetOldObject() runtime.Object { func (record *attributesRecord) GetUserInfo() user.Info { return record.userInfo } + +// getAnnotations implements privateAnnotationsGetter.It's a private method used +// by WithAudit decorator. +func (record *attributesRecord) getAnnotations() map[string]string { + record.annotationsLock.RLock() + defer record.annotationsLock.RUnlock() + + if record.annotations == nil { + return nil + } + cp := make(map[string]string, len(record.annotations)) + for key, value := range record.annotations { + cp[key] = value + } + return cp +} + +func (record *attributesRecord) AddAnnotation(key, value string) error { + if err := checkKeyFormat(key); err != nil { + return err + } + + record.annotationsLock.Lock() + defer record.annotationsLock.Unlock() + + if record.annotations == nil { + record.annotations = make(map[string]string) + } + if v, ok := record.annotations[key]; ok && v != value { + return fmt.Errorf("admission annotations are not allowd to be overwritten, key:%q, old value: %q, new value:%q", key, record.annotations[key], value) + } + record.annotations[key] = value + return nil +} + +func checkKeyFormat(key string) error { + parts := strings.Split(key, "/") + if len(parts) != 2 { + return fmt.Errorf("annotation key has invalid format, the right format is a DNS subdomain prefix and '/' and key name. (e.g. 'podsecuritypolicy.admission.k8s.io/admit-policy')") + } + if msgs := validation.IsQualifiedName(key); len(msgs) != 0 { + return fmt.Errorf("annotation key has invalid format %s. A qualified name like 'podsecuritypolicy.admission.k8s.io/admit-policy' is required.", strings.Join(msgs, ",")) + } + return nil +} diff --git a/staging/src/k8s.io/apiserver/pkg/admission/attributes_test.go b/staging/src/k8s.io/apiserver/pkg/admission/attributes_test.go new file mode 100644 index 00000000000..d54780d9998 --- /dev/null +++ b/staging/src/k8s.io/apiserver/pkg/admission/attributes_test.go @@ -0,0 +1,64 @@ +/* +Copyright 2018 The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package admission + +import ( + "testing" + + "github.com/stretchr/testify/assert" +) + +func TestAddAnnotation(t *testing.T) { + attr := &attributesRecord{} + + // test AddAnnotation + attr.AddAnnotation("podsecuritypolicy.admission.k8s.io/validate-policy", "privileged") + attr.AddAnnotation("podsecuritypolicy.admission.k8s.io/admit-policy", "privileged") + annotations := attr.getAnnotations() + assert.Equal(t, annotations["podsecuritypolicy.admission.k8s.io/validate-policy"], "privileged") + + // test overwrite + assert.Error(t, attr.AddAnnotation("podsecuritypolicy.admission.k8s.io/validate-policy", "privileged-overwrite"), + "admission annotations should not be allowd to be overwritten") + annotations = attr.getAnnotations() + assert.Equal(t, annotations["podsecuritypolicy.admission.k8s.io/validate-policy"], "privileged", "admission annotations should not be overwritten") + + // test invalid plugin names + var testCases map[string]string = map[string]string{ + "invalid dns subdomain": "INVALID-DNS-Subdomain/policy", + "no plugin name": "policy", + "no key name": "podsecuritypolicy.admission.k8s.io", + "empty key": "", + } + for name, invalidKey := range testCases { + err := attr.AddAnnotation(invalidKey, "value-foo") + assert.Error(t, err) + annotations = attr.getAnnotations() + assert.Equal(t, annotations[invalidKey], "", name+": invalid pluginName is not allowed ") + } + + // test all saved annotations + assert.Equal( + t, + annotations, + map[string]string{ + "podsecuritypolicy.admission.k8s.io/validate-policy": "privileged", + "podsecuritypolicy.admission.k8s.io/admit-policy": "privileged", + }, + "unexpected final annotations", + ) +} diff --git a/staging/src/k8s.io/apiserver/pkg/admission/interfaces.go b/staging/src/k8s.io/apiserver/pkg/admission/interfaces.go index 76d3864e275..68ef558da4c 100644 --- a/staging/src/k8s.io/apiserver/pkg/admission/interfaces.go +++ b/staging/src/k8s.io/apiserver/pkg/admission/interfaces.go @@ -49,6 +49,23 @@ type Attributes interface { GetKind() schema.GroupVersionKind // GetUserInfo is information about the requesting user GetUserInfo() user.Info + + // AddAnnotation sets annotation according to key-value pair. The key should be qualified, e.g., podsecuritypolicy.admission.k8s.io/admit-policy, where + // "podsecuritypolicy" is the name of the plugin, "admission.k8s.io" is the name of the organization, "admit-policy" is the key name. + // An error is returned if the format of key is invalid. When trying to overwrite annotation with a new value, an error is returned. + // Both ValidationInterface and MutationInterface are allowed to add Annotations. + AddAnnotation(key, value string) error +} + +// privateAnnotationsGetter is a private interface which allows users to get annotations from Attributes. +type privateAnnotationsGetter interface { + getAnnotations() map[string]string +} + +// AnnotationsGetter allows users to get annotations from Attributes. An alternate Attribute should implement +// this interface. +type AnnotationsGetter interface { + GetAnnotations() map[string]string } // Interface is an abstract, pluggable interface for Admission Control decisions.