support AddAnnotation in admission attributes

staging/src/k8s.io/apiserver/pkg/admission/BUILD

@@ -9,6 +9,7 @@ load(
 go_test(
     name = "go_default_test",
     srcs = [
+        "attributes_test.go",
         "chain_test.go",
         "config_test.go",
         "errors_test.go",
@@ -16,6 +17,7 @@ go_test(
     ],
     embed = [":go_default_library"],
     deps = [
+        "//vendor/github.com/stretchr/testify/assert:go_default_library",
         "//vendor/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
         "//vendor/k8s.io/apimachinery/pkg/runtime:go_default_library",
         "//vendor/k8s.io/apimachinery/pkg/runtime/schema:go_default_library",
@@ -48,6 +50,7 @@ go_library(
         "//vendor/k8s.io/apimachinery/pkg/runtime/serializer:go_default_library",
         "//vendor/k8s.io/apimachinery/pkg/util/errors:go_default_library",
         "//vendor/k8s.io/apimachinery/pkg/util/sets:go_default_library",
+        "//vendor/k8s.io/apimachinery/pkg/util/validation:go_default_library",
         "//vendor/k8s.io/apiserver/pkg/apis/apiserver:go_default_library",
         "//vendor/k8s.io/apiserver/pkg/apis/apiserver/v1alpha1:go_default_library",
         "//vendor/k8s.io/apiserver/pkg/authentication/user:go_default_library",

staging/src/k8s.io/apiserver/pkg/admission/attributes.go

@@ -17,8 +17,13 @@ limitations under the License.
 package admission
 
 import (
+	"fmt"
+	"strings"
+	"sync"
+
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/runtime/schema"
+	"k8s.io/apimachinery/pkg/util/validation"
 	"k8s.io/apiserver/pkg/authentication/user"
 )
 
@@ -32,6 +37,11 @@ type attributesRecord struct {
 	object      runtime.Object
 	oldObject   runtime.Object
 	userInfo    user.Info
+
+	// other elements are always accessed in single goroutine.
+	// But ValidatingAdmissionWebhook add annotations concurrently.
+	annotations     map[string]string
+	annotationsLock sync.RWMutex
 }
 
 func NewAttributesRecord(object runtime.Object, oldObject runtime.Object, kind schema.GroupVersionKind, namespace, name string, resource schema.GroupVersionResource, subresource string, operation Operation, userInfo user.Info) Attributes {
@@ -83,3 +93,48 @@ func (record *attributesRecord) GetOldObject() runtime.Object {
 func (record *attributesRecord) GetUserInfo() user.Info {
 	return record.userInfo
 }
+
+// getAnnotations implements privateAnnotationsGetter.It's a private method used
+// by WithAudit decorator.
+func (record *attributesRecord) getAnnotations() map[string]string {
+	record.annotationsLock.RLock()
+	defer record.annotationsLock.RUnlock()
+
+	if record.annotations == nil {
+		return nil
+	}
+	cp := make(map[string]string, len(record.annotations))
+	for key, value := range record.annotations {
+		cp[key] = value
+	}
+	return cp
+}
+
+func (record *attributesRecord) AddAnnotation(key, value string) error {
+	if err := checkKeyFormat(key); err != nil {
+		return err
+	}
+
+	record.annotationsLock.Lock()
+	defer record.annotationsLock.Unlock()
+
+	if record.annotations == nil {
+		record.annotations = make(map[string]string)
+	}
+	if v, ok := record.annotations[key]; ok && v != value {
+		return fmt.Errorf("admission annotations are not allowd to be overwritten, key:%q, old value: %q, new value:%q", key, record.annotations[key], value)
+	}
+	record.annotations[key] = value
+	return nil
+}
+
+func checkKeyFormat(key string) error {
+	parts := strings.Split(key, "/")
+	if len(parts) != 2 {
+		return fmt.Errorf("annotation key has invalid format, the right format is a DNS subdomain prefix and '/' and key name. (e.g. 'podsecuritypolicy.admission.k8s.io/admit-policy')")
+	}
+	if msgs := validation.IsQualifiedName(key); len(msgs) != 0 {
+		return fmt.Errorf("annotation key has invalid format %s. A qualified name like 'podsecuritypolicy.admission.k8s.io/admit-policy' is required.", strings.Join(msgs, ","))
+	}
+	return nil
+}

staging/src/k8s.io/apiserver/pkg/admission/attributes_test.go

@@ -0,0 +1,64 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package admission
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestAddAnnotation(t *testing.T) {
+	attr := &attributesRecord{}
+
+	// test AddAnnotation
+	attr.AddAnnotation("podsecuritypolicy.admission.k8s.io/validate-policy", "privileged")
+	attr.AddAnnotation("podsecuritypolicy.admission.k8s.io/admit-policy", "privileged")
+	annotations := attr.getAnnotations()
+	assert.Equal(t, annotations["podsecuritypolicy.admission.k8s.io/validate-policy"], "privileged")
+
+	// test overwrite
+	assert.Error(t, attr.AddAnnotation("podsecuritypolicy.admission.k8s.io/validate-policy", "privileged-overwrite"),
+		"admission annotations should not be allowd to be overwritten")
+	annotations = attr.getAnnotations()
+	assert.Equal(t, annotations["podsecuritypolicy.admission.k8s.io/validate-policy"], "privileged", "admission annotations should not be overwritten")
+
+	// test invalid plugin names
+	var testCases map[string]string = map[string]string{
+		"invalid dns subdomain": "INVALID-DNS-Subdomain/policy",
+		"no plugin name":        "policy",
+		"no key name":           "podsecuritypolicy.admission.k8s.io",
+		"empty key":             "",
+	}
+	for name, invalidKey := range testCases {
+		err := attr.AddAnnotation(invalidKey, "value-foo")
+		assert.Error(t, err)
+		annotations = attr.getAnnotations()
+		assert.Equal(t, annotations[invalidKey], "", name+": invalid pluginName is not allowed ")
+	}
+
+	// test all saved annotations
+	assert.Equal(
+		t,
+		annotations,
+		map[string]string{
+			"podsecuritypolicy.admission.k8s.io/validate-policy": "privileged",
+			"podsecuritypolicy.admission.k8s.io/admit-policy":    "privileged",
+		},
+		"unexpected final annotations",
+	)
+}

staging/src/k8s.io/apiserver/pkg/admission/interfaces.go

@@ -49,6 +49,23 @@ type Attributes interface {
 	GetKind() schema.GroupVersionKind
 	// GetUserInfo is information about the requesting user
 	GetUserInfo() user.Info
+
+	// AddAnnotation sets annotation according to key-value pair. The key should be qualified, e.g., podsecuritypolicy.admission.k8s.io/admit-policy, where
+	// "podsecuritypolicy" is the name of the plugin, "admission.k8s.io" is the name of the organization, "admit-policy" is the key name.
+	// An error is returned if the format of key is invalid. When trying to overwrite annotation with a new value, an error is returned.
+	// Both ValidationInterface and MutationInterface are allowed to add Annotations.
+	AddAnnotation(key, value string) error
+}
+
+// privateAnnotationsGetter is a private interface which allows users to get annotations from Attributes.
+type privateAnnotationsGetter interface {
+	getAnnotations() map[string]string
+}
+
+// AnnotationsGetter allows users to get annotations from Attributes. An alternate Attribute should implement
+// this interface.
+type AnnotationsGetter interface {
+	GetAnnotations() map[string]string
 }
 
 // Interface is an abstract, pluggable interface for Admission Control decisions.