mirror of
https://github.com/k3s-io/kubernetes.git
synced 2025-07-22 11:21:47 +00:00
Merge pull request #54727 from caesarxuchao/namespaceSelector
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>. Add namespace selector to admission webhook Implementing the [design](https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/admission-webhook-bootstrapping.md). * Added the NamespaceSelector field to the webhook configuration API * Let the webhook plugin respect the NamespaceSelector * Added unit test and e2e test cc @kubernetes/sig-api-machinery-api-reviews ```release-note Added namespaceSelector to externalAdmissionWebhook configuration to allow applying webhooks only to objects in the namespaces that have matching labels. ```
This commit is contained in:
commit
e52e79342c
4
api/openapi-spec/swagger.json
generated
4
api/openapi-spec/swagger.json
generated
@ -68023,6 +68023,10 @@
|
||||
"description": "The name of the admission webhook. Name should be fully qualified, e.g., imagepolicy.kubernetes.io, where \"imagepolicy\" is the name of the webhook, and kubernetes.io is the name of the organization. Required.",
|
||||
"type": "string"
|
||||
},
|
||||
"namespaceSelector": {
|
||||
"description": "NamespaceSelector decides whether to run the webhook on an object based on whether the namespace for that object matches the selector. If the object itself is a namespace, the matching is performed on object.metadata.labels. If the object is other cluster scoped resource, it is not subjected to the webhook.\n\nFor example, to run the webhook on any objects whose namespace is not associated with \"runlevel\" of \"0\" or \"1\"; you will set the selector as follows: \"namespaceSelector\": {\n \"matchExpressions\": [\n {\n \"key\": \"runlevel\",\n \"operator\": \"NotIn\",\n \"values\": [\n \"0\",\n \"1\"\n ]\n }\n ]\n}\n\nIf instead you want to only run the webhook on any objects whose namespace is associated with the \"environment\" of \"prod\" or \"staging\"; you will set the selector as follows: \"namespaceSelector\": {\n \"matchExpressions\": [\n {\n \"key\": \"environment\",\n \"operator\": \"In\",\n \"values\": [\n \"prod\",\n \"staging\"\n ]\n }\n ]\n}\n\nSee https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ for more examples of label selectors.\n\nDefault to the empty LabelSelector, which matches everything.",
|
||||
"$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector"
|
||||
},
|
||||
"rules": {
|
||||
"description": "Rules describes what operations on what resources/subresources the webhook cares about. The webhook cares about an operation if it matches _any_ Rule.",
|
||||
"type": "array",
|
||||
|
@ -2619,6 +2619,10 @@
|
||||
"failurePolicy": {
|
||||
"$ref": "v1alpha1.FailurePolicyType",
|
||||
"description": "FailurePolicy defines how unrecognized errors from the admission endpoint are handled - allowed values are Ignore or Fail. Defaults to Ignore."
|
||||
},
|
||||
"namespaceSelector": {
|
||||
"$ref": "v1.LabelSelector",
|
||||
"description": "NamespaceSelector decides whether to run the webhook on an object based on whether the namespace for that object matches the selector. If the object itself is a namespace, the matching is performed on object.metadata.labels. If the object is other cluster scoped resource, it is not subjected to the webhook.\n\nFor example, to run the webhook on any objects whose namespace is not associated with \"runlevel\" of \"0\" or \"1\"; you will set the selector as follows: \"namespaceSelector\": {\n \"matchExpressions\": [\n {\n \"key\": \"runlevel\",\n \"operator\": \"NotIn\",\n \"values\": [\n \"0\",\n \"1\"\n ]\n }\n ]\n}\n\nIf instead you want to only run the webhook on any objects whose namespace is associated with the \"environment\" of \"prod\" or \"staging\"; you will set the selector as follows: \"namespaceSelector\": {\n \"matchExpressions\": [\n {\n \"key\": \"environment\",\n \"operator\": \"In\",\n \"values\": [\n \"prod\",\n \"staging\"\n ]\n }\n ]\n}\n\nSee https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ for more examples of label selectors.\n\nDefault to the empty LabelSelector, which matches everything."
|
||||
}
|
||||
}
|
||||
},
|
||||
@ -2705,6 +2709,48 @@
|
||||
"id": "v1alpha1.FailurePolicyType",
|
||||
"properties": {}
|
||||
},
|
||||
"v1.LabelSelector": {
|
||||
"id": "v1.LabelSelector",
|
||||
"description": "A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all objects. A null label selector matches no objects.",
|
||||
"properties": {
|
||||
"matchLabels": {
|
||||
"type": "object",
|
||||
"description": "matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is \"key\", the operator is \"In\", and the values array contains only \"value\". The requirements are ANDed."
|
||||
},
|
||||
"matchExpressions": {
|
||||
"type": "array",
|
||||
"items": {
|
||||
"$ref": "v1.LabelSelectorRequirement"
|
||||
},
|
||||
"description": "matchExpressions is a list of label selector requirements. The requirements are ANDed."
|
||||
}
|
||||
}
|
||||
},
|
||||
"v1.LabelSelectorRequirement": {
|
||||
"id": "v1.LabelSelectorRequirement",
|
||||
"description": "A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.",
|
||||
"required": [
|
||||
"key",
|
||||
"operator"
|
||||
],
|
||||
"properties": {
|
||||
"key": {
|
||||
"type": "string",
|
||||
"description": "key is the label key that the selector applies to."
|
||||
},
|
||||
"operator": {
|
||||
"type": "string",
|
||||
"description": "operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist."
|
||||
},
|
||||
"values": {
|
||||
"type": "array",
|
||||
"items": {
|
||||
"type": "string"
|
||||
},
|
||||
"description": "values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch."
|
||||
}
|
||||
}
|
||||
},
|
||||
"v1alpha1.ValidatingWebhookConfigurationList": {
|
||||
"id": "v1alpha1.ValidatingWebhookConfigurationList",
|
||||
"description": "ValidatingWebhookConfigurationList is a list of ValidatingWebhookConfiguration.",
|
||||
|
@ -500,6 +500,43 @@ span.icon > [class^="icon-"], span.icon > [class*=" icon-"] { cursor: default; }
|
||||
<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="#_v1alpha1_failurepolicytype">v1alpha1.FailurePolicyType</a></p></td>
|
||||
<td class="tableblock halign-left valign-top"></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td class="tableblock halign-left valign-top"><p class="tableblock">namespaceSelector</p></td>
|
||||
<td class="tableblock halign-left valign-top"><p class="tableblock">NamespaceSelector decides whether to run the webhook on an object based on whether the namespace for that object matches the selector. If the object itself is a namespace, the matching is performed on object.metadata.labels. If the object is other cluster scoped resource, it is not subjected to the webhook.<br>
|
||||
<br>
|
||||
For example, to run the webhook on any objects whose namespace is not associated with "runlevel" of "0" or "1"; you will set the selector as follows: "namespaceSelector": {<br>
|
||||
"matchExpressions": [<br>
|
||||
{<br>
|
||||
"key": "runlevel",<br>
|
||||
"operator": "NotIn",<br>
|
||||
"values": [<br>
|
||||
"0",<br>
|
||||
"1"<br>
|
||||
]<br>
|
||||
}<br>
|
||||
]<br>
|
||||
}<br>
|
||||
<br>
|
||||
If instead you want to only run the webhook on any objects whose namespace is associated with the "environment" of "prod" or "staging"; you will set the selector as follows: "namespaceSelector": {<br>
|
||||
"matchExpressions": [<br>
|
||||
{<br>
|
||||
"key": "environment",<br>
|
||||
"operator": "In",<br>
|
||||
"values": [<br>
|
||||
"prod",<br>
|
||||
"staging"<br>
|
||||
]<br>
|
||||
}<br>
|
||||
]<br>
|
||||
}<br>
|
||||
<br>
|
||||
See <a href="https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/">https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/</a> for more examples of label selectors.<br>
|
||||
<br>
|
||||
Default to the empty LabelSelector, which matches everything.</p></td>
|
||||
<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
|
||||
<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="#_v1_labelselector">v1.LabelSelector</a></p></td>
|
||||
<td class="tableblock halign-left valign-top"></td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
|
||||
@ -918,6 +955,95 @@ Depending on the enclosing object, subresources might not be allowed. Required.<
|
||||
</tbody>
|
||||
</table>
|
||||
|
||||
</div>
|
||||
<div class="sect2">
|
||||
<h3 id="_v1_labelselector">v1.LabelSelector</h3>
|
||||
<div class="paragraph">
|
||||
<p>A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all objects. A null label selector matches no objects.</p>
|
||||
</div>
|
||||
<table class="tableblock frame-all grid-all" style="width:100%; ">
|
||||
<colgroup>
|
||||
<col style="width:20%;">
|
||||
<col style="width:20%;">
|
||||
<col style="width:20%;">
|
||||
<col style="width:20%;">
|
||||
<col style="width:20%;">
|
||||
</colgroup>
|
||||
<thead>
|
||||
<tr>
|
||||
<th class="tableblock halign-left valign-top">Name</th>
|
||||
<th class="tableblock halign-left valign-top">Description</th>
|
||||
<th class="tableblock halign-left valign-top">Required</th>
|
||||
<th class="tableblock halign-left valign-top">Schema</th>
|
||||
<th class="tableblock halign-left valign-top">Default</th>
|
||||
</tr>
|
||||
</thead>
|
||||
<tbody>
|
||||
<tr>
|
||||
<td class="tableblock halign-left valign-top"><p class="tableblock">matchLabels</p></td>
|
||||
<td class="tableblock halign-left valign-top"><p class="tableblock">matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.</p></td>
|
||||
<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
|
||||
<td class="tableblock halign-left valign-top"><p class="tableblock">object</p></td>
|
||||
<td class="tableblock halign-left valign-top"></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td class="tableblock halign-left valign-top"><p class="tableblock">matchExpressions</p></td>
|
||||
<td class="tableblock halign-left valign-top"><p class="tableblock">matchExpressions is a list of label selector requirements. The requirements are ANDed.</p></td>
|
||||
<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
|
||||
<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="#_v1_labelselectorrequirement">v1.LabelSelectorRequirement</a> array</p></td>
|
||||
<td class="tableblock halign-left valign-top"></td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
|
||||
</div>
|
||||
<div class="sect2">
|
||||
<h3 id="_v1_labelselectorrequirement">v1.LabelSelectorRequirement</h3>
|
||||
<div class="paragraph">
|
||||
<p>A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.</p>
|
||||
</div>
|
||||
<table class="tableblock frame-all grid-all" style="width:100%; ">
|
||||
<colgroup>
|
||||
<col style="width:20%;">
|
||||
<col style="width:20%;">
|
||||
<col style="width:20%;">
|
||||
<col style="width:20%;">
|
||||
<col style="width:20%;">
|
||||
</colgroup>
|
||||
<thead>
|
||||
<tr>
|
||||
<th class="tableblock halign-left valign-top">Name</th>
|
||||
<th class="tableblock halign-left valign-top">Description</th>
|
||||
<th class="tableblock halign-left valign-top">Required</th>
|
||||
<th class="tableblock halign-left valign-top">Schema</th>
|
||||
<th class="tableblock halign-left valign-top">Default</th>
|
||||
</tr>
|
||||
</thead>
|
||||
<tbody>
|
||||
<tr>
|
||||
<td class="tableblock halign-left valign-top"><p class="tableblock">key</p></td>
|
||||
<td class="tableblock halign-left valign-top"><p class="tableblock">key is the label key that the selector applies to.</p></td>
|
||||
<td class="tableblock halign-left valign-top"><p class="tableblock">true</p></td>
|
||||
<td class="tableblock halign-left valign-top"><p class="tableblock">string</p></td>
|
||||
<td class="tableblock halign-left valign-top"></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td class="tableblock halign-left valign-top"><p class="tableblock">operator</p></td>
|
||||
<td class="tableblock halign-left valign-top"><p class="tableblock">operator represents a key’s relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.</p></td>
|
||||
<td class="tableblock halign-left valign-top"><p class="tableblock">true</p></td>
|
||||
<td class="tableblock halign-left valign-top"><p class="tableblock">string</p></td>
|
||||
<td class="tableblock halign-left valign-top"></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td class="tableblock halign-left valign-top"><p class="tableblock">values</p></td>
|
||||
<td class="tableblock halign-left valign-top"><p class="tableblock">values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.</p></td>
|
||||
<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
|
||||
<td class="tableblock halign-left valign-top"><p class="tableblock">string array</p></td>
|
||||
<td class="tableblock halign-left valign-top"></td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
|
||||
</div>
|
||||
<div class="sect2">
|
||||
<h3 id="_v1alpha1_servicereference">v1alpha1.ServiceReference</h3>
|
||||
|
@ -191,6 +191,52 @@ type Webhook struct {
|
||||
// allowed values are Ignore or Fail. Defaults to Ignore.
|
||||
// +optional
|
||||
FailurePolicy *FailurePolicyType
|
||||
|
||||
// NamespaceSelector decides whether to run the webhook on an object based
|
||||
// on whether the namespace for that object matches the selector. If the
|
||||
// object itself is a namespace, the matching is performed on
|
||||
// object.metadata.labels. If the object is other cluster scoped resource,
|
||||
// it is not subjected to the webhook.
|
||||
//
|
||||
// For example, to run the webhook on any objects whose namespace is not
|
||||
// associated with "runlevel" of "0" or "1"; you will set the selector as
|
||||
// follows:
|
||||
// "namespaceSelector": {
|
||||
// "matchExpressions": [
|
||||
// {
|
||||
// "key": "runlevel",
|
||||
// "operator": "NotIn",
|
||||
// "values": [
|
||||
// "0",
|
||||
// "1"
|
||||
// ]
|
||||
// }
|
||||
// ]
|
||||
// }
|
||||
//
|
||||
// If instead you want to only run the webhook on any objects whose
|
||||
// namespace is associated with the "environment" of "prod" or "staging";
|
||||
// you will set the selector as follows:
|
||||
// "namespaceSelector": {
|
||||
// "matchExpressions": [
|
||||
// {
|
||||
// "key": "environment",
|
||||
// "operator": "In",
|
||||
// "values": [
|
||||
// "prod",
|
||||
// "staging"
|
||||
// ]
|
||||
// }
|
||||
// ]
|
||||
// }
|
||||
//
|
||||
// See
|
||||
// https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
|
||||
// for more examples of label selectors.
|
||||
//
|
||||
// Default to the empty LabelSelector, which matches everything.
|
||||
// +optional
|
||||
NamespaceSelector *metav1.LabelSelector
|
||||
}
|
||||
|
||||
// RuleWithOperations is a tuple of Operations and Resources. It is recommended to make
|
||||
|
@ -18,6 +18,7 @@ go_library(
|
||||
deps = [
|
||||
"//pkg/apis/admissionregistration:go_default_library",
|
||||
"//vendor/k8s.io/api/admissionregistration/v1alpha1:go_default_library",
|
||||
"//vendor/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
|
||||
"//vendor/k8s.io/apimachinery/pkg/conversion:go_default_library",
|
||||
"//vendor/k8s.io/apimachinery/pkg/runtime:go_default_library",
|
||||
"//vendor/k8s.io/apimachinery/pkg/runtime/schema:go_default_library",
|
||||
|
@ -18,6 +18,7 @@ package v1alpha1
|
||||
|
||||
import (
|
||||
admissionregistrationv1alpha1 "k8s.io/api/admissionregistration/v1alpha1"
|
||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
"k8s.io/apimachinery/pkg/runtime"
|
||||
)
|
||||
|
||||
@ -30,4 +31,8 @@ func SetDefaults_Webhook(obj *admissionregistrationv1alpha1.Webhook) {
|
||||
policy := admissionregistrationv1alpha1.Ignore
|
||||
obj.FailurePolicy = &policy
|
||||
}
|
||||
if obj.NamespaceSelector == nil {
|
||||
selector := metav1.LabelSelector{}
|
||||
obj.NamespaceSelector = &selector
|
||||
}
|
||||
}
|
||||
|
@ -22,6 +22,7 @@ package v1alpha1
|
||||
|
||||
import (
|
||||
v1alpha1 "k8s.io/api/admissionregistration/v1alpha1"
|
||||
v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
conversion "k8s.io/apimachinery/pkg/conversion"
|
||||
runtime "k8s.io/apimachinery/pkg/runtime"
|
||||
admissionregistration "k8s.io/kubernetes/pkg/apis/admissionregistration"
|
||||
@ -296,6 +297,7 @@ func autoConvert_v1alpha1_Webhook_To_admissionregistration_Webhook(in *v1alpha1.
|
||||
}
|
||||
out.Rules = *(*[]admissionregistration.RuleWithOperations)(unsafe.Pointer(&in.Rules))
|
||||
out.FailurePolicy = (*admissionregistration.FailurePolicyType)(unsafe.Pointer(in.FailurePolicy))
|
||||
out.NamespaceSelector = (*v1.LabelSelector)(unsafe.Pointer(in.NamespaceSelector))
|
||||
return nil
|
||||
}
|
||||
|
||||
@ -311,6 +313,7 @@ func autoConvert_admissionregistration_Webhook_To_v1alpha1_Webhook(in *admission
|
||||
}
|
||||
out.Rules = *(*[]v1alpha1.RuleWithOperations)(unsafe.Pointer(&in.Rules))
|
||||
out.FailurePolicy = (*v1alpha1.FailurePolicyType)(unsafe.Pointer(in.FailurePolicy))
|
||||
out.NamespaceSelector = (*v1.LabelSelector)(unsafe.Pointer(in.NamespaceSelector))
|
||||
return nil
|
||||
}
|
||||
|
||||
|
@ -24,6 +24,7 @@ go_library(
|
||||
deps = [
|
||||
"//pkg/apis/admissionregistration:go_default_library",
|
||||
"//vendor/k8s.io/apimachinery/pkg/api/validation:go_default_library",
|
||||
"//vendor/k8s.io/apimachinery/pkg/apis/meta/v1/validation:go_default_library",
|
||||
"//vendor/k8s.io/apimachinery/pkg/util/sets:go_default_library",
|
||||
"//vendor/k8s.io/apimachinery/pkg/util/validation:go_default_library",
|
||||
"//vendor/k8s.io/apimachinery/pkg/util/validation/field:go_default_library",
|
||||
|
@ -21,6 +21,7 @@ import (
|
||||
"strings"
|
||||
|
||||
genericvalidation "k8s.io/apimachinery/pkg/api/validation"
|
||||
metav1validation "k8s.io/apimachinery/pkg/apis/meta/v1/validation"
|
||||
"k8s.io/apimachinery/pkg/util/sets"
|
||||
"k8s.io/apimachinery/pkg/util/validation"
|
||||
"k8s.io/apimachinery/pkg/util/validation/field"
|
||||
@ -195,6 +196,10 @@ func validateWebhook(hook *admissionregistration.Webhook, fldPath *field.Path) f
|
||||
allErrors = append(allErrors, validateURLPath(fldPath.Child("clientConfig", "urlPath"), hook.ClientConfig.URLPath)...)
|
||||
}
|
||||
|
||||
if hook.NamespaceSelector != nil {
|
||||
allErrors = append(allErrors, metav1validation.ValidateLabelSelector(hook.NamespaceSelector, fldPath.Child("namespaceSelector"))...)
|
||||
}
|
||||
|
||||
return allErrors
|
||||
}
|
||||
|
||||
|
@ -21,6 +21,7 @@ limitations under the License.
|
||||
package admissionregistration
|
||||
|
||||
import (
|
||||
v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
runtime "k8s.io/apimachinery/pkg/runtime"
|
||||
)
|
||||
|
||||
@ -340,6 +341,15 @@ func (in *Webhook) DeepCopyInto(out *Webhook) {
|
||||
**out = **in
|
||||
}
|
||||
}
|
||||
if in.NamespaceSelector != nil {
|
||||
in, out := &in.NamespaceSelector, &out.NamespaceSelector
|
||||
if *in == nil {
|
||||
*out = nil
|
||||
} else {
|
||||
*out = new(v1.LabelSelector)
|
||||
(*in).DeepCopyInto(*out)
|
||||
}
|
||||
}
|
||||
return
|
||||
}
|
||||
|
||||
|
@ -44,6 +44,8 @@ import proto "github.com/gogo/protobuf/proto"
|
||||
import fmt "fmt"
|
||||
import math "math"
|
||||
|
||||
import k8s_io_apimachinery_pkg_apis_meta_v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
|
||||
import strings "strings"
|
||||
import reflect "reflect"
|
||||
|
||||
@ -571,6 +573,16 @@ func (m *Webhook) MarshalTo(dAtA []byte) (int, error) {
|
||||
i = encodeVarintGenerated(dAtA, i, uint64(len(*m.FailurePolicy)))
|
||||
i += copy(dAtA[i:], *m.FailurePolicy)
|
||||
}
|
||||
if m.NamespaceSelector != nil {
|
||||
dAtA[i] = 0x2a
|
||||
i++
|
||||
i = encodeVarintGenerated(dAtA, i, uint64(m.NamespaceSelector.Size()))
|
||||
n9, err := m.NamespaceSelector.MarshalTo(dAtA[i:])
|
||||
if err != nil {
|
||||
return 0, err
|
||||
}
|
||||
i += n9
|
||||
}
|
||||
return i, nil
|
||||
}
|
||||
|
||||
@ -592,11 +604,11 @@ func (m *WebhookClientConfig) MarshalTo(dAtA []byte) (int, error) {
|
||||
dAtA[i] = 0xa
|
||||
i++
|
||||
i = encodeVarintGenerated(dAtA, i, uint64(m.Service.Size()))
|
||||
n9, err := m.Service.MarshalTo(dAtA[i:])
|
||||
n10, err := m.Service.MarshalTo(dAtA[i:])
|
||||
if err != nil {
|
||||
return 0, err
|
||||
}
|
||||
i += n9
|
||||
i += n10
|
||||
if m.CABundle != nil {
|
||||
dAtA[i] = 0x12
|
||||
i++
|
||||
@ -800,6 +812,10 @@ func (m *Webhook) Size() (n int) {
|
||||
l = len(*m.FailurePolicy)
|
||||
n += 1 + l + sovGenerated(uint64(l))
|
||||
}
|
||||
if m.NamespaceSelector != nil {
|
||||
l = m.NamespaceSelector.Size()
|
||||
n += 1 + l + sovGenerated(uint64(l))
|
||||
}
|
||||
return n
|
||||
}
|
||||
|
||||
@ -950,6 +966,7 @@ func (this *Webhook) String() string {
|
||||
`ClientConfig:` + strings.Replace(strings.Replace(this.ClientConfig.String(), "WebhookClientConfig", "WebhookClientConfig", 1), `&`, ``, 1) + `,`,
|
||||
`Rules:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.Rules), "RuleWithOperations", "RuleWithOperations", 1), `&`, ``, 1) + `,`,
|
||||
`FailurePolicy:` + valueToStringGenerated(this.FailurePolicy) + `,`,
|
||||
`NamespaceSelector:` + strings.Replace(fmt.Sprintf("%v", this.NamespaceSelector), "LabelSelector", "k8s_io_apimachinery_pkg_apis_meta_v1.LabelSelector", 1) + `,`,
|
||||
`}`,
|
||||
}, "")
|
||||
return s
|
||||
@ -2253,6 +2270,39 @@ func (m *Webhook) Unmarshal(dAtA []byte) error {
|
||||
s := FailurePolicyType(dAtA[iNdEx:postIndex])
|
||||
m.FailurePolicy = &s
|
||||
iNdEx = postIndex
|
||||
case 5:
|
||||
if wireType != 2 {
|
||||
return fmt.Errorf("proto: wrong wireType = %d for field NamespaceSelector", wireType)
|
||||
}
|
||||
var msglen int
|
||||
for shift := uint(0); ; shift += 7 {
|
||||
if shift >= 64 {
|
||||
return ErrIntOverflowGenerated
|
||||
}
|
||||
if iNdEx >= l {
|
||||
return io.ErrUnexpectedEOF
|
||||
}
|
||||
b := dAtA[iNdEx]
|
||||
iNdEx++
|
||||
msglen |= (int(b) & 0x7F) << shift
|
||||
if b < 0x80 {
|
||||
break
|
||||
}
|
||||
}
|
||||
if msglen < 0 {
|
||||
return ErrInvalidLengthGenerated
|
||||
}
|
||||
postIndex := iNdEx + msglen
|
||||
if postIndex > l {
|
||||
return io.ErrUnexpectedEOF
|
||||
}
|
||||
if m.NamespaceSelector == nil {
|
||||
m.NamespaceSelector = &k8s_io_apimachinery_pkg_apis_meta_v1.LabelSelector{}
|
||||
}
|
||||
if err := m.NamespaceSelector.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
|
||||
return err
|
||||
}
|
||||
iNdEx = postIndex
|
||||
default:
|
||||
iNdEx = preIndex
|
||||
skippy, err := skipGenerated(dAtA[iNdEx:])
|
||||
@ -2524,62 +2574,65 @@ func init() {
|
||||
}
|
||||
|
||||
var fileDescriptorGenerated = []byte{
|
||||
// 912 bytes of a gzipped FileDescriptorProto
|
||||
0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xdc, 0x56, 0xbf, 0x6f, 0x23, 0x45,
|
||||
0x14, 0xce, 0xc6, 0x8e, 0x62, 0x8f, 0x6d, 0xdd, 0xdd, 0x40, 0x61, 0x45, 0xa7, 0xb5, 0xe5, 0x02,
|
||||
0xe5, 0x84, 0xd8, 0x25, 0x01, 0x9d, 0x90, 0x10, 0xa0, 0x6c, 0x24, 0x4e, 0x96, 0x72, 0x77, 0x61,
|
||||
0x08, 0x77, 0x12, 0xa2, 0x60, 0xbc, 0x7e, 0x5e, 0x0f, 0xde, 0x5f, 0x9a, 0x99, 0x35, 0x84, 0x8a,
|
||||
0x86, 0x1e, 0x89, 0x7f, 0x82, 0x3f, 0x25, 0xe5, 0x89, 0x02, 0x52, 0x59, 0x64, 0x91, 0x28, 0x29,
|
||||
0x28, 0xaf, 0x42, 0xb3, 0xbf, 0x7d, 0x89, 0x43, 0x4c, 0x91, 0xe2, 0x3a, 0xcf, 0x7b, 0xf3, 0x7d,
|
||||
0xef, 0xfb, 0x66, 0xe6, 0x3d, 0x2f, 0x22, 0xb3, 0x0f, 0x84, 0xc1, 0x02, 0x73, 0x16, 0x8d, 0x80,
|
||||
0xfb, 0x20, 0x41, 0x98, 0x73, 0xf0, 0xc7, 0x01, 0x37, 0xb3, 0x04, 0x0d, 0x99, 0x49, 0xc7, 0x1e,
|
||||
0x13, 0x82, 0x05, 0x3e, 0x07, 0x87, 0x09, 0xc9, 0xa9, 0x64, 0x81, 0x6f, 0xce, 0xf7, 0xa8, 0x1b,
|
||||
0x4e, 0xe9, 0x9e, 0xe9, 0x80, 0x0f, 0x9c, 0x4a, 0x18, 0x1b, 0x21, 0x0f, 0x64, 0x80, 0x1f, 0xa4,
|
||||
0x50, 0x83, 0x86, 0xcc, 0xb8, 0x12, 0x6a, 0xe4, 0xd0, 0x9d, 0x77, 0x1c, 0x26, 0xa7, 0xd1, 0xc8,
|
||||
0xb0, 0x03, 0xcf, 0x74, 0x02, 0x27, 0x30, 0x13, 0x86, 0x51, 0x34, 0x49, 0x56, 0xc9, 0x22, 0xf9,
|
||||
0x95, 0x32, 0xef, 0xbc, 0x5f, 0x8a, 0xf2, 0xa8, 0x3d, 0x65, 0x3e, 0xf0, 0x53, 0x33, 0x9c, 0x39,
|
||||
0x2a, 0x20, 0x4c, 0x0f, 0x24, 0x35, 0xe7, 0x97, 0xf4, 0xec, 0x98, 0xab, 0x50, 0x3c, 0xf2, 0x25,
|
||||
0xf3, 0xe0, 0x12, 0xe0, 0xe1, 0x7f, 0x01, 0x84, 0x3d, 0x05, 0x8f, 0x5e, 0xc2, 0xbd, 0xb7, 0x0a,
|
||||
0x17, 0x49, 0xe6, 0x9a, 0xcc, 0x97, 0x42, 0xf2, 0x57, 0x41, 0x83, 0x1f, 0x35, 0xd4, 0x1a, 0xfa,
|
||||
0x4c, 0x32, 0xea, 0xb2, 0xef, 0x81, 0xe3, 0x3e, 0xaa, 0xfb, 0xd4, 0x83, 0xae, 0xd6, 0xd7, 0x76,
|
||||
0x9b, 0x56, 0xfb, 0x6c, 0xd1, 0xdb, 0x88, 0x17, 0xbd, 0xfa, 0x13, 0xea, 0x01, 0x49, 0x32, 0xf8,
|
||||
0x04, 0x6d, 0xf1, 0xc8, 0x05, 0xd1, 0xdd, 0xec, 0xd7, 0x76, 0x5b, 0xfb, 0xa6, 0x71, 0xe3, 0xf3,
|
||||
0x36, 0x48, 0xe4, 0x82, 0xd5, 0xc9, 0x38, 0xb7, 0xd4, 0x4a, 0x90, 0x94, 0x6c, 0xf0, 0xb7, 0x86,
|
||||
0xba, 0x15, 0x1d, 0x87, 0x81, 0x3f, 0x61, 0x4e, 0x94, 0x12, 0xe0, 0xaf, 0x51, 0x43, 0x9d, 0xee,
|
||||
0x98, 0x4a, 0x9a, 0x08, 0x6b, 0xed, 0xbf, 0x5b, 0xa9, 0x5a, 0x98, 0x35, 0xc2, 0x99, 0xa3, 0x02,
|
||||
0xc2, 0x50, 0xbb, 0x8d, 0xf9, 0x9e, 0xf1, 0x74, 0xf4, 0x0d, 0xd8, 0xf2, 0x31, 0x48, 0x6a, 0xe1,
|
||||
0xac, 0x2c, 0x2a, 0x63, 0xa4, 0x60, 0xc5, 0x21, 0x6a, 0xb3, 0xb2, 0x7a, 0xee, 0xed, 0xe1, 0x1a,
|
||||
0xde, 0x2a, 0xe2, 0xad, 0x37, 0xb3, 0x5a, 0xed, 0x4a, 0x50, 0x90, 0xa5, 0x0a, 0x83, 0xbf, 0x34,
|
||||
0x74, 0x7f, 0x95, 0xe1, 0x23, 0x26, 0x24, 0xfe, 0xea, 0x92, 0x69, 0xe3, 0x66, 0xa6, 0x15, 0x3a,
|
||||
0xb1, 0x7c, 0x37, 0x93, 0xd1, 0xc8, 0x23, 0x15, 0xc3, 0x53, 0xb4, 0xc5, 0x24, 0x78, 0xb9, 0xd3,
|
||||
0xc3, 0xff, 0xe7, 0x74, 0x49, 0x75, 0x79, 0xb3, 0x43, 0xc5, 0x4c, 0xd2, 0x02, 0x83, 0xdf, 0x34,
|
||||
0x74, 0xff, 0x71, 0x24, 0xa9, 0x64, 0xbe, 0xf3, 0x1c, 0x46, 0xd3, 0x20, 0x98, 0xdd, 0xf6, 0xed,
|
||||
0x9e, 0xa0, 0x46, 0x56, 0x39, 0xf7, 0xbb, 0xbf, 0x86, 0xdf, 0x0c, 0x6a, 0xd5, 0x55, 0x0d, 0xd2,
|
||||
0xf8, 0x36, 0x63, 0x52, 0x4f, 0xb6, 0x7f, 0x9d, 0xb1, 0x5b, 0xb8, 0x45, 0x77, 0xf9, 0x16, 0x1f,
|
||||
0xad, 0xe1, 0xea, 0x3a, 0xe5, 0x2b, 0x6e, 0xf2, 0x67, 0x0d, 0xd5, 0x55, 0xd3, 0xe2, 0xb7, 0x51,
|
||||
0x93, 0x86, 0xec, 0x11, 0x0f, 0xa2, 0x50, 0x74, 0xb5, 0x7e, 0x6d, 0xb7, 0x69, 0x75, 0xe2, 0x45,
|
||||
0xaf, 0x79, 0x70, 0x3c, 0x4c, 0x83, 0xa4, 0xcc, 0xe3, 0x3d, 0xd4, 0xa2, 0x21, 0x7b, 0x06, 0x5c,
|
||||
0x69, 0x49, 0x95, 0x36, 0xad, 0x3b, 0xf1, 0xa2, 0xd7, 0x3a, 0x38, 0x1e, 0xe6, 0x61, 0x52, 0xdd,
|
||||
0xa3, 0xf8, 0x39, 0x88, 0x20, 0xe2, 0x36, 0x88, 0x6e, 0xad, 0xe4, 0x27, 0x79, 0x90, 0x94, 0xf9,
|
||||
0xc1, 0x2f, 0x1a, 0xc2, 0x4a, 0xd5, 0x73, 0x26, 0xa7, 0x4f, 0x43, 0x48, 0x1d, 0x08, 0xfc, 0x09,
|
||||
0x42, 0x41, 0xb1, 0xca, 0x44, 0xf6, 0x92, 0x17, 0x52, 0x44, 0x5f, 0x2e, 0x7a, 0x9d, 0x62, 0x75,
|
||||
0x72, 0x1a, 0x02, 0xa9, 0x40, 0xf0, 0x67, 0xa8, 0xae, 0x46, 0x53, 0x77, 0x33, 0xb9, 0xb5, 0xb5,
|
||||
0xc7, 0x5c, 0x31, 0x3a, 0xd5, 0x8a, 0x24, 0x54, 0x03, 0x40, 0x77, 0x3f, 0x07, 0x3e, 0x67, 0x36,
|
||||
0x10, 0x98, 0x00, 0x07, 0xdf, 0x06, 0x6c, 0xa2, 0xa6, 0x1a, 0xab, 0x22, 0xa4, 0x76, 0x3e, 0x75,
|
||||
0xef, 0x65, 0xd0, 0xe6, 0x93, 0x3c, 0x41, 0xca, 0x3d, 0xc5, 0x84, 0xde, 0x5c, 0x35, 0xa1, 0x07,
|
||||
0xe7, 0x1a, 0xd2, 0x9f, 0x51, 0x97, 0x8d, 0x5f, 0xbf, 0x9e, 0xfb, 0x47, 0x43, 0x83, 0xeb, 0xad,
|
||||
0xdd, 0x42, 0xd7, 0xf9, 0xcb, 0x5d, 0x37, 0x5c, 0xc3, 0xd7, 0xf5, 0xda, 0x57, 0xf4, 0xdd, 0xef,
|
||||
0x9b, 0x68, 0x3b, 0xdb, 0x7e, 0x83, 0xff, 0xe7, 0xef, 0x50, 0xdb, 0x76, 0x19, 0xf8, 0x32, 0xa5,
|
||||
0xce, 0xde, 0xef, 0xc7, 0xeb, 0x1f, 0xfe, 0x61, 0x85, 0xa5, 0xfc, 0x4b, 0xab, 0x46, 0xc9, 0x52,
|
||||
0x25, 0x3c, 0xca, 0xbf, 0x0c, 0x6a, 0xc9, 0xb9, 0x7c, 0xb4, 0x66, 0xcb, 0x2c, 0x37, 0xf0, 0xd5,
|
||||
0xdf, 0x09, 0xf8, 0x08, 0x75, 0x26, 0x94, 0xb9, 0x11, 0x87, 0xe3, 0xc0, 0x65, 0xf6, 0x69, 0xb7,
|
||||
0x9e, 0x1c, 0xc4, 0x5b, 0xf1, 0xa2, 0xd7, 0xf9, 0xb4, 0x9a, 0x78, 0xb9, 0xe8, 0xdd, 0x5b, 0x0a,
|
||||
0x24, 0x0d, 0xbe, 0x0c, 0x1e, 0xfc, 0xaa, 0xa1, 0x37, 0xae, 0x70, 0x8b, 0x27, 0x68, 0x5b, 0xa4,
|
||||
0x8d, 0x9a, 0x3d, 0x9f, 0x0f, 0xd7, 0xf0, 0xf2, 0x6a, 0x8b, 0x5b, 0x77, 0x32, 0x27, 0xdb, 0x79,
|
||||
0x26, 0x27, 0xc7, 0xbb, 0xa8, 0x61, 0x53, 0x2b, 0xf2, 0xc7, 0xd9, 0x9c, 0x69, 0x5b, 0x6d, 0xf5,
|
||||
0xe6, 0x0e, 0x0f, 0xd2, 0x18, 0x29, 0xb2, 0xf8, 0x01, 0xda, 0x8e, 0xb8, 0x7b, 0x4c, 0xe5, 0xb4,
|
||||
0x5b, 0x4b, 0x1c, 0x17, 0xa4, 0x5f, 0x90, 0x23, 0x15, 0x26, 0x79, 0xde, 0x32, 0xce, 0x2e, 0xf4,
|
||||
0x8d, 0x17, 0x17, 0xfa, 0xc6, 0xf9, 0x85, 0xbe, 0xf1, 0x43, 0xac, 0x6b, 0x67, 0xb1, 0xae, 0xbd,
|
||||
0x88, 0x75, 0xed, 0x3c, 0xd6, 0xb5, 0x3f, 0x62, 0x5d, 0xfb, 0xe9, 0x4f, 0x7d, 0xe3, 0xcb, 0x46,
|
||||
0xae, 0xf7, 0xdf, 0x00, 0x00, 0x00, 0xff, 0xff, 0xf2, 0x3a, 0x64, 0xed, 0x85, 0x0b, 0x00, 0x00,
|
||||
// 960 bytes of a gzipped FileDescriptorProto
|
||||
0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xdc, 0x56, 0x4f, 0x6f, 0x23, 0xc5,
|
||||
0x13, 0xf5, 0xc4, 0x8e, 0x62, 0xb7, 0x6d, 0xed, 0xa6, 0x7f, 0x3f, 0x24, 0x2b, 0x5a, 0x8d, 0xad,
|
||||
0x39, 0xa0, 0xac, 0x10, 0x33, 0x24, 0x8b, 0x56, 0x48, 0x08, 0x50, 0x26, 0x12, 0x2b, 0x4b, 0xd9,
|
||||
0x6c, 0xe8, 0x0d, 0xbb, 0x12, 0xe2, 0x40, 0x7b, 0x5c, 0xb6, 0x1b, 0x8f, 0x67, 0x46, 0xdd, 0x3d,
|
||||
0x66, 0xc3, 0x89, 0x0b, 0x77, 0x24, 0xbe, 0x04, 0x1f, 0x25, 0xc7, 0x85, 0x03, 0xca, 0xc9, 0x22,
|
||||
0x83, 0xc4, 0x91, 0x03, 0xc7, 0x3d, 0xa1, 0x9e, 0x7f, 0x1e, 0xc7, 0x71, 0x88, 0x39, 0xe4, 0xc0,
|
||||
0xcd, 0x5d, 0xd5, 0xef, 0x55, 0xbd, 0xaa, 0xae, 0xf2, 0x20, 0x32, 0xfe, 0x40, 0x98, 0xcc, 0xb7,
|
||||
0xc6, 0x61, 0x0f, 0xb8, 0x07, 0x12, 0x84, 0x35, 0x05, 0xaf, 0xef, 0x73, 0x2b, 0x75, 0xd0, 0x80,
|
||||
0x59, 0xb4, 0x3f, 0x61, 0x42, 0x30, 0xdf, 0xe3, 0x30, 0x64, 0x42, 0x72, 0x2a, 0x99, 0xef, 0x59,
|
||||
0xd3, 0x3d, 0xea, 0x06, 0x23, 0xba, 0x67, 0x0d, 0xc1, 0x03, 0x4e, 0x25, 0xf4, 0xcd, 0x80, 0xfb,
|
||||
0xd2, 0xc7, 0x0f, 0x13, 0xa8, 0x49, 0x03, 0x66, 0x5e, 0x0b, 0x35, 0x33, 0xe8, 0xce, 0xbb, 0x43,
|
||||
0x26, 0x47, 0x61, 0xcf, 0x74, 0xfc, 0x89, 0x35, 0xf4, 0x87, 0xbe, 0x15, 0x33, 0xf4, 0xc2, 0x41,
|
||||
0x7c, 0x8a, 0x0f, 0xf1, 0xaf, 0x84, 0x79, 0xc7, 0x28, 0x24, 0xe5, 0xf8, 0x1c, 0xac, 0xe9, 0x52,
|
||||
0xf4, 0x9d, 0xf7, 0xe7, 0x77, 0x26, 0xd4, 0x19, 0x31, 0x0f, 0xf8, 0x99, 0x15, 0x8c, 0x87, 0xca,
|
||||
0x20, 0xac, 0x09, 0x48, 0x7a, 0x1d, 0xca, 0x5a, 0x85, 0xe2, 0xa1, 0x27, 0xd9, 0x04, 0x96, 0x00,
|
||||
0x8f, 0xff, 0x09, 0x20, 0x9c, 0x11, 0x4c, 0xe8, 0x12, 0xee, 0xd1, 0x2a, 0x5c, 0x28, 0x99, 0x6b,
|
||||
0x31, 0x4f, 0x0a, 0xc9, 0xaf, 0x82, 0x8c, 0xef, 0x35, 0x54, 0xef, 0x7a, 0x4c, 0x32, 0xea, 0xb2,
|
||||
0x6f, 0x81, 0xe3, 0x0e, 0xaa, 0x78, 0x74, 0x02, 0x2d, 0xad, 0xa3, 0xed, 0xd6, 0xec, 0xc6, 0xf9,
|
||||
0xac, 0x5d, 0x8a, 0x66, 0xed, 0xca, 0x31, 0x9d, 0x00, 0x89, 0x3d, 0xf8, 0x14, 0x6d, 0xf2, 0xd0,
|
||||
0x05, 0xd1, 0xda, 0xe8, 0x94, 0x77, 0xeb, 0xfb, 0x96, 0x79, 0xeb, 0x9e, 0x98, 0x24, 0x74, 0xc1,
|
||||
0x6e, 0xa6, 0x9c, 0x9b, 0xea, 0x24, 0x48, 0x42, 0x66, 0xfc, 0xa9, 0xa1, 0x56, 0x21, 0x8f, 0x43,
|
||||
0xdf, 0x1b, 0xb0, 0x61, 0x98, 0x10, 0xe0, 0xaf, 0x50, 0x55, 0x55, 0xb7, 0x4f, 0x25, 0x8d, 0x13,
|
||||
0xab, 0xef, 0xbf, 0x57, 0x88, 0x9a, 0x8b, 0x35, 0x83, 0xf1, 0x50, 0x19, 0x84, 0xa9, 0x6e, 0x9b,
|
||||
0xd3, 0x3d, 0xf3, 0x59, 0xef, 0x6b, 0x70, 0xe4, 0x53, 0x90, 0xd4, 0xc6, 0x69, 0x58, 0x34, 0xb7,
|
||||
0x91, 0x9c, 0x15, 0x07, 0xa8, 0xc1, 0xe6, 0xd1, 0x33, 0x6d, 0x8f, 0xd7, 0xd0, 0x56, 0x48, 0xde,
|
||||
0xfe, 0x7f, 0x1a, 0xab, 0x51, 0x30, 0x0a, 0xb2, 0x10, 0xc1, 0xf8, 0x43, 0x43, 0x0f, 0x56, 0x09,
|
||||
0x3e, 0x62, 0x42, 0xe2, 0x2f, 0x97, 0x44, 0x9b, 0xb7, 0x13, 0xad, 0xd0, 0xb1, 0xe4, 0xfb, 0x69,
|
||||
0x1a, 0xd5, 0xcc, 0x52, 0x10, 0x3c, 0x42, 0x9b, 0x4c, 0xc2, 0x24, 0x53, 0x7a, 0xf8, 0xef, 0x94,
|
||||
0x2e, 0x64, 0x3d, 0xef, 0x6c, 0x57, 0x31, 0x93, 0x24, 0x80, 0xf1, 0xab, 0x86, 0x1e, 0x3c, 0x0d,
|
||||
0x25, 0x95, 0xcc, 0x1b, 0xbe, 0x84, 0xde, 0xc8, 0xf7, 0xc7, 0x77, 0xdd, 0xdd, 0x53, 0x54, 0x4d,
|
||||
0x23, 0x67, 0x7a, 0xf7, 0xd7, 0xd0, 0x9b, 0x42, 0xed, 0x8a, 0x8a, 0x41, 0xaa, 0xdf, 0xa4, 0x4c,
|
||||
0xea, 0xc9, 0x76, 0x6e, 0x12, 0x76, 0x07, 0x5d, 0x74, 0x17, 0xbb, 0xf8, 0x64, 0x0d, 0x55, 0x37,
|
||||
0x65, 0xbe, 0xa2, 0x93, 0x3f, 0x6a, 0xa8, 0xa2, 0x86, 0x16, 0xbf, 0x83, 0x6a, 0x34, 0x60, 0x4f,
|
||||
0xb8, 0x1f, 0x06, 0xa2, 0xa5, 0x75, 0xca, 0xbb, 0x35, 0xbb, 0x19, 0xcd, 0xda, 0xb5, 0x83, 0x93,
|
||||
0x6e, 0x62, 0x24, 0x73, 0x3f, 0xde, 0x43, 0x75, 0x1a, 0xb0, 0x17, 0xc0, 0x55, 0x2e, 0x49, 0xa6,
|
||||
0x35, 0xfb, 0x5e, 0x34, 0x6b, 0xd7, 0x0f, 0x4e, 0xba, 0x99, 0x99, 0x14, 0xef, 0x28, 0x7e, 0x0e,
|
||||
0xc2, 0x0f, 0xb9, 0x03, 0xa2, 0x55, 0x9e, 0xf3, 0x93, 0xcc, 0x48, 0xe6, 0x7e, 0xe3, 0x27, 0x0d,
|
||||
0x61, 0x95, 0xd5, 0x4b, 0x26, 0x47, 0xcf, 0x02, 0x48, 0x14, 0x08, 0xfc, 0x09, 0x42, 0x7e, 0x7e,
|
||||
0x4a, 0x93, 0x6c, 0xc7, 0x2f, 0x24, 0xb7, 0xbe, 0x99, 0xb5, 0x9b, 0xf9, 0xe9, 0xf4, 0x2c, 0x00,
|
||||
0x52, 0x80, 0xe0, 0xcf, 0x50, 0x45, 0xad, 0xa6, 0xd6, 0x46, 0xdc, 0xb5, 0xb5, 0xd7, 0x5c, 0xbe,
|
||||
0x3a, 0xd5, 0x89, 0xc4, 0x54, 0x06, 0xa0, 0xfb, 0xcf, 0x81, 0x4f, 0x99, 0x03, 0x04, 0x06, 0xc0,
|
||||
0xc1, 0x73, 0x00, 0x5b, 0xa8, 0xa6, 0xd6, 0xaa, 0x08, 0xa8, 0x93, 0x6d, 0xdd, 0xed, 0x14, 0x5a,
|
||||
0x3b, 0xce, 0x1c, 0x64, 0x7e, 0x27, 0xdf, 0xd0, 0x1b, 0xab, 0x36, 0xb4, 0x71, 0xa1, 0x21, 0xfd,
|
||||
0x05, 0x75, 0x59, 0xff, 0xbf, 0x37, 0x73, 0x7f, 0x69, 0xc8, 0xb8, 0x59, 0xda, 0x1d, 0x4c, 0x9d,
|
||||
0xb7, 0x38, 0x75, 0xdd, 0x35, 0x74, 0xdd, 0x9c, 0xfb, 0x8a, 0xb9, 0xfb, 0xb9, 0x8c, 0xb6, 0xd2,
|
||||
0xeb, 0xb7, 0xf8, 0x7f, 0x7e, 0x85, 0x1a, 0x8e, 0xcb, 0xc0, 0x93, 0x09, 0x75, 0xfa, 0x7e, 0x3f,
|
||||
0x5e, 0xbf, 0xf8, 0x87, 0x05, 0x96, 0xf9, 0x5f, 0x5a, 0xd1, 0x4a, 0x16, 0x22, 0xe1, 0x5e, 0xf6,
|
||||
0x65, 0x50, 0x8e, 0xeb, 0xf2, 0xd1, 0x9a, 0x23, 0xb3, 0x38, 0xc0, 0xd7, 0x7f, 0x27, 0xe0, 0x23,
|
||||
0xd4, 0x1c, 0x50, 0xe6, 0x86, 0x1c, 0x4e, 0x7c, 0x97, 0x39, 0x67, 0xad, 0x4a, 0x5c, 0x88, 0xb7,
|
||||
0xa3, 0x59, 0xbb, 0xf9, 0x69, 0xd1, 0xf1, 0x66, 0xd6, 0xde, 0x5e, 0x30, 0xc4, 0x03, 0xbe, 0x08,
|
||||
0xc6, 0xaf, 0xd0, 0x76, 0x3e, 0x58, 0xcf, 0xc1, 0x05, 0x47, 0xfa, 0xbc, 0xb5, 0x19, 0x17, 0xec,
|
||||
0xd1, 0x2d, 0x1f, 0x0c, 0xed, 0x81, 0x9b, 0x41, 0xed, 0xb7, 0xa2, 0x59, 0x7b, 0xfb, 0xf8, 0x2a,
|
||||
0x23, 0x59, 0x0e, 0x62, 0xfc, 0xa2, 0xa1, 0xff, 0x5d, 0x53, 0x67, 0x3c, 0x40, 0x5b, 0x22, 0x59,
|
||||
0x11, 0xe9, 0xc3, 0xfd, 0x70, 0x8d, 0x2a, 0x5e, 0x5d, 0x2e, 0xf6, 0xbd, 0xb4, 0x86, 0x5b, 0x99,
|
||||
0x27, 0x23, 0xc7, 0xbb, 0xa8, 0xea, 0x50, 0x3b, 0xf4, 0xfa, 0xe9, 0x86, 0x6b, 0xd8, 0x0d, 0xf5,
|
||||
0xda, 0x0f, 0x0f, 0x12, 0x1b, 0xc9, 0xbd, 0xf8, 0x21, 0xda, 0x0a, 0xb9, 0x7b, 0x42, 0xe5, 0xa8,
|
||||
0x55, 0x8e, 0x6b, 0x9d, 0x93, 0x7e, 0x4e, 0x8e, 0x94, 0x99, 0x64, 0x7e, 0xdb, 0x3c, 0xbf, 0xd4,
|
||||
0x4b, 0xaf, 0x2f, 0xf5, 0xd2, 0xc5, 0xa5, 0x5e, 0xfa, 0x2e, 0xd2, 0xb5, 0xf3, 0x48, 0xd7, 0x5e,
|
||||
0x47, 0xba, 0x76, 0x11, 0xe9, 0xda, 0x6f, 0x91, 0xae, 0xfd, 0xf0, 0xbb, 0x5e, 0xfa, 0xa2, 0x9a,
|
||||
0xe5, 0xfb, 0x77, 0x00, 0x00, 0x00, 0xff, 0xff, 0x37, 0xaf, 0xd5, 0xfa, 0x23, 0x0c, 0x00, 0x00,
|
||||
}
|
||||
|
@ -21,6 +21,7 @@ syntax = 'proto2';
|
||||
|
||||
package k8s.io.api.admissionregistration.v1alpha1;
|
||||
|
||||
import "k8s.io/api/core/v1/generated.proto";
|
||||
import "k8s.io/apimachinery/pkg/apis/meta/v1/generated.proto";
|
||||
import "k8s.io/apimachinery/pkg/runtime/generated.proto";
|
||||
import "k8s.io/apimachinery/pkg/runtime/schema/generated.proto";
|
||||
@ -200,6 +201,52 @@ message Webhook {
|
||||
// allowed values are Ignore or Fail. Defaults to Ignore.
|
||||
// +optional
|
||||
optional string failurePolicy = 4;
|
||||
|
||||
// NamespaceSelector decides whether to run the webhook on an object based
|
||||
// on whether the namespace for that object matches the selector. If the
|
||||
// object itself is a namespace, the matching is performed on
|
||||
// object.metadata.labels. If the object is other cluster scoped resource,
|
||||
// it is not subjected to the webhook.
|
||||
//
|
||||
// For example, to run the webhook on any objects whose namespace is not
|
||||
// associated with "runlevel" of "0" or "1"; you will set the selector as
|
||||
// follows:
|
||||
// "namespaceSelector": {
|
||||
// "matchExpressions": [
|
||||
// {
|
||||
// "key": "runlevel",
|
||||
// "operator": "NotIn",
|
||||
// "values": [
|
||||
// "0",
|
||||
// "1"
|
||||
// ]
|
||||
// }
|
||||
// ]
|
||||
// }
|
||||
//
|
||||
// If instead you want to only run the webhook on any objects whose
|
||||
// namespace is associated with the "environment" of "prod" or "staging";
|
||||
// you will set the selector as follows:
|
||||
// "namespaceSelector": {
|
||||
// "matchExpressions": [
|
||||
// {
|
||||
// "key": "environment",
|
||||
// "operator": "In",
|
||||
// "values": [
|
||||
// "prod",
|
||||
// "staging"
|
||||
// ]
|
||||
// }
|
||||
// ]
|
||||
// }
|
||||
//
|
||||
// See
|
||||
// https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
|
||||
// for more examples of label selectors.
|
||||
//
|
||||
// Default to the empty LabelSelector, which matches everything.
|
||||
// +optional
|
||||
optional k8s.io.apimachinery.pkg.apis.meta.v1.LabelSelector namespaceSelector = 5;
|
||||
}
|
||||
|
||||
// WebhookClientConfig contains the information to make a TLS
|
||||
|
@ -197,6 +197,52 @@ type Webhook struct {
|
||||
// allowed values are Ignore or Fail. Defaults to Ignore.
|
||||
// +optional
|
||||
FailurePolicy *FailurePolicyType `json:"failurePolicy,omitempty" protobuf:"bytes,4,opt,name=failurePolicy,casttype=FailurePolicyType"`
|
||||
|
||||
// NamespaceSelector decides whether to run the webhook on an object based
|
||||
// on whether the namespace for that object matches the selector. If the
|
||||
// object itself is a namespace, the matching is performed on
|
||||
// object.metadata.labels. If the object is other cluster scoped resource,
|
||||
// it is not subjected to the webhook.
|
||||
//
|
||||
// For example, to run the webhook on any objects whose namespace is not
|
||||
// associated with "runlevel" of "0" or "1"; you will set the selector as
|
||||
// follows:
|
||||
// "namespaceSelector": {
|
||||
// "matchExpressions": [
|
||||
// {
|
||||
// "key": "runlevel",
|
||||
// "operator": "NotIn",
|
||||
// "values": [
|
||||
// "0",
|
||||
// "1"
|
||||
// ]
|
||||
// }
|
||||
// ]
|
||||
// }
|
||||
//
|
||||
// If instead you want to only run the webhook on any objects whose
|
||||
// namespace is associated with the "environment" of "prod" or "staging";
|
||||
// you will set the selector as follows:
|
||||
// "namespaceSelector": {
|
||||
// "matchExpressions": [
|
||||
// {
|
||||
// "key": "environment",
|
||||
// "operator": "In",
|
||||
// "values": [
|
||||
// "prod",
|
||||
// "staging"
|
||||
// ]
|
||||
// }
|
||||
// ]
|
||||
// }
|
||||
//
|
||||
// See
|
||||
// https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
|
||||
// for more examples of label selectors.
|
||||
//
|
||||
// Default to the empty LabelSelector, which matches everything.
|
||||
// +optional
|
||||
NamespaceSelector *metav1.LabelSelector `json:"namespaceSelector,omitempty" protobuf:"bytes,5,opt,name=namespaceSelector"`
|
||||
}
|
||||
|
||||
// RuleWithOperations is a tuple of Operations and Resources. It is recommended to make
|
||||
|
@ -128,11 +128,12 @@ func (ValidatingWebhookConfigurationList) SwaggerDoc() map[string]string {
|
||||
}
|
||||
|
||||
var map_Webhook = map[string]string{
|
||||
"": "Webhook describes an admission webhook and the resources and operations it applies to.",
|
||||
"name": "The name of the admission webhook. Name should be fully qualified, e.g., imagepolicy.kubernetes.io, where \"imagepolicy\" is the name of the webhook, and kubernetes.io is the name of the organization. Required.",
|
||||
"clientConfig": "ClientConfig defines how to communicate with the hook. Required",
|
||||
"rules": "Rules describes what operations on what resources/subresources the webhook cares about. The webhook cares about an operation if it matches _any_ Rule.",
|
||||
"failurePolicy": "FailurePolicy defines how unrecognized errors from the admission endpoint are handled - allowed values are Ignore or Fail. Defaults to Ignore.",
|
||||
"": "Webhook describes an admission webhook and the resources and operations it applies to.",
|
||||
"name": "The name of the admission webhook. Name should be fully qualified, e.g., imagepolicy.kubernetes.io, where \"imagepolicy\" is the name of the webhook, and kubernetes.io is the name of the organization. Required.",
|
||||
"clientConfig": "ClientConfig defines how to communicate with the hook. Required",
|
||||
"rules": "Rules describes what operations on what resources/subresources the webhook cares about. The webhook cares about an operation if it matches _any_ Rule.",
|
||||
"failurePolicy": "FailurePolicy defines how unrecognized errors from the admission endpoint are handled - allowed values are Ignore or Fail. Defaults to Ignore.",
|
||||
"namespaceSelector": "NamespaceSelector decides whether to run the webhook on an object based on whether the namespace for that object matches the selector. If the object itself is a namespace, the matching is performed on object.metadata.labels. If the object is other cluster scoped resource, it is not subjected to the webhook.\n\nFor example, to run the webhook on any objects whose namespace is not associated with \"runlevel\" of \"0\" or \"1\"; you will set the selector as follows: \"namespaceSelector\": {\n \"matchExpressions\": [\n {\n \"key\": \"runlevel\",\n \"operator\": \"NotIn\",\n \"values\": [\n \"0\",\n \"1\"\n ]\n }\n ]\n}\n\nIf instead you want to only run the webhook on any objects whose namespace is associated with the \"environment\" of \"prod\" or \"staging\"; you will set the selector as follows: \"namespaceSelector\": {\n \"matchExpressions\": [\n {\n \"key\": \"environment\",\n \"operator\": \"In\",\n \"values\": [\n \"prod\",\n \"staging\"\n ]\n }\n ]\n}\n\nSee https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ for more examples of label selectors.\n\nDefault to the empty LabelSelector, which matches everything.",
|
||||
}
|
||||
|
||||
func (Webhook) SwaggerDoc() map[string]string {
|
||||
|
@ -21,6 +21,7 @@ limitations under the License.
|
||||
package v1alpha1
|
||||
|
||||
import (
|
||||
v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
runtime "k8s.io/apimachinery/pkg/runtime"
|
||||
)
|
||||
|
||||
@ -340,6 +341,15 @@ func (in *Webhook) DeepCopyInto(out *Webhook) {
|
||||
**out = **in
|
||||
}
|
||||
}
|
||||
if in.NamespaceSelector != nil {
|
||||
in, out := &in.NamespaceSelector, &out.NamespaceSelector
|
||||
if *in == nil {
|
||||
*out = nil
|
||||
} else {
|
||||
*out = new(v1.LabelSelector)
|
||||
(*in).DeepCopyInto(*out)
|
||||
}
|
||||
}
|
||||
return
|
||||
}
|
||||
|
||||
|
@ -20,7 +20,9 @@ go_library(
|
||||
"//vendor/k8s.io/api/admissionregistration/v1alpha1:go_default_library",
|
||||
"//vendor/k8s.io/api/authentication/v1:go_default_library",
|
||||
"//vendor/k8s.io/apimachinery/pkg/api/errors:go_default_library",
|
||||
"//vendor/k8s.io/apimachinery/pkg/api/meta:go_default_library",
|
||||
"//vendor/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
|
||||
"//vendor/k8s.io/apimachinery/pkg/labels:go_default_library",
|
||||
"//vendor/k8s.io/apimachinery/pkg/runtime:go_default_library",
|
||||
"//vendor/k8s.io/apimachinery/pkg/runtime/serializer:go_default_library",
|
||||
"//vendor/k8s.io/apimachinery/pkg/util/runtime:go_default_library",
|
||||
@ -29,7 +31,9 @@ go_library(
|
||||
"//vendor/k8s.io/apiserver/pkg/admission:go_default_library",
|
||||
"//vendor/k8s.io/apiserver/pkg/admission/configuration:go_default_library",
|
||||
"//vendor/k8s.io/apiserver/pkg/admission/initializer:go_default_library",
|
||||
"//vendor/k8s.io/client-go/informers:go_default_library",
|
||||
"//vendor/k8s.io/client-go/kubernetes:go_default_library",
|
||||
"//vendor/k8s.io/client-go/listers/core/v1:go_default_library",
|
||||
"//vendor/k8s.io/client-go/rest:go_default_library",
|
||||
"//vendor/k8s.io/client-go/tools/clientcmd:go_default_library",
|
||||
"//vendor/k8s.io/client-go/tools/clientcmd/api:go_default_library",
|
||||
@ -54,6 +58,7 @@ go_test(
|
||||
"//vendor/k8s.io/apimachinery/pkg/api/equality:go_default_library",
|
||||
"//vendor/k8s.io/apimachinery/pkg/api/errors:go_default_library",
|
||||
"//vendor/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
|
||||
"//vendor/k8s.io/apimachinery/pkg/labels:go_default_library",
|
||||
"//vendor/k8s.io/apimachinery/pkg/runtime:go_default_library",
|
||||
"//vendor/k8s.io/apimachinery/pkg/runtime/schema:go_default_library",
|
||||
"//vendor/k8s.io/apimachinery/pkg/util/diff:go_default_library",
|
||||
|
@ -32,7 +32,9 @@ import (
|
||||
admissionv1alpha1 "k8s.io/api/admission/v1alpha1"
|
||||
"k8s.io/api/admissionregistration/v1alpha1"
|
||||
apierrors "k8s.io/apimachinery/pkg/api/errors"
|
||||
"k8s.io/apimachinery/pkg/api/meta"
|
||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
"k8s.io/apimachinery/pkg/labels"
|
||||
"k8s.io/apimachinery/pkg/runtime"
|
||||
"k8s.io/apimachinery/pkg/runtime/serializer"
|
||||
utilruntime "k8s.io/apimachinery/pkg/util/runtime"
|
||||
@ -41,7 +43,9 @@ import (
|
||||
"k8s.io/apiserver/pkg/admission"
|
||||
"k8s.io/apiserver/pkg/admission/configuration"
|
||||
genericadmissioninit "k8s.io/apiserver/pkg/admission/initializer"
|
||||
"k8s.io/client-go/informers"
|
||||
clientset "k8s.io/client-go/kubernetes"
|
||||
corelisters "k8s.io/client-go/listers/core/v1"
|
||||
"k8s.io/client-go/rest"
|
||||
)
|
||||
|
||||
@ -123,6 +127,8 @@ type GenericAdmissionWebhook struct {
|
||||
hookSource WebhookSource
|
||||
serviceResolver ServiceResolver
|
||||
negotiatedSerializer runtime.NegotiatedSerializer
|
||||
namespaceLister corelisters.NamespaceLister
|
||||
client clientset.Interface
|
||||
|
||||
authInfoResolver AuthenticationInfoResolver
|
||||
cache *lru.Cache
|
||||
@ -163,9 +169,17 @@ func (a *GenericAdmissionWebhook) SetScheme(scheme *runtime.Scheme) {
|
||||
|
||||
// WantsExternalKubeClientSet defines a function which sets external ClientSet for admission plugins that need it
|
||||
func (a *GenericAdmissionWebhook) SetExternalKubeClientSet(client clientset.Interface) {
|
||||
a.client = client
|
||||
a.hookSource = configuration.NewValidatingWebhookConfigurationManager(client.AdmissionregistrationV1alpha1().ValidatingWebhookConfigurations())
|
||||
}
|
||||
|
||||
// SetExternalKubeInformerFactory implements the WantsExternalKubeInformerFactory interface.
|
||||
func (a *GenericAdmissionWebhook) SetExternalKubeInformerFactory(f informers.SharedInformerFactory) {
|
||||
namespaceInformer := f.Core().V1().Namespaces()
|
||||
a.namespaceLister = namespaceInformer.Lister()
|
||||
a.SetReadyFunc(namespaceInformer.Informer().HasSynced)
|
||||
}
|
||||
|
||||
// ValidateInitialization implements the InitializationValidator interface.
|
||||
func (a *GenericAdmissionWebhook) ValidateInitialization() error {
|
||||
if a.hookSource == nil {
|
||||
@ -174,6 +188,9 @@ func (a *GenericAdmissionWebhook) ValidateInitialization() error {
|
||||
if a.negotiatedSerializer == nil {
|
||||
return fmt.Errorf("the GenericAdmissionWebhook admission plugin requires a runtime.Scheme to be provided to derive a serializer")
|
||||
}
|
||||
if a.namespaceLister == nil {
|
||||
return fmt.Errorf("the GenericAdmissionWebhook admission plugin requires a namespaceLister")
|
||||
}
|
||||
go a.hookSource.Run(wait.NeverStop)
|
||||
return nil
|
||||
}
|
||||
@ -255,7 +272,74 @@ func (a *GenericAdmissionWebhook) Admit(attr admission.Attributes) error {
|
||||
return errs[0]
|
||||
}
|
||||
|
||||
func (a *GenericAdmissionWebhook) getNamespaceLabels(attr admission.Attributes) (map[string]string, error) {
|
||||
// If the request itself is creating or updating a namespace, then get the
|
||||
// labels from attr.Object, because namespaceLister doesn't have the latest
|
||||
// namespace yet.
|
||||
//
|
||||
// However, if the request is deleting a namespace, then get the label from
|
||||
// the namespace in the namespaceLister, because a delete request is not
|
||||
// going to change the object, and attr.Object will be a DeleteOptions
|
||||
// rather than a namespace object.
|
||||
if attr.GetResource().Resource == "namespaces" &&
|
||||
len(attr.GetSubresource()) == 0 &&
|
||||
(attr.GetOperation() == admission.Create || attr.GetOperation() == admission.Update) {
|
||||
accessor, err := meta.Accessor(attr.GetObject())
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
return accessor.GetLabels(), nil
|
||||
}
|
||||
|
||||
namespaceName := attr.GetNamespace()
|
||||
namespace, err := a.namespaceLister.Get(namespaceName)
|
||||
if err != nil && !apierrors.IsNotFound(err) {
|
||||
return nil, err
|
||||
}
|
||||
if apierrors.IsNotFound(err) {
|
||||
// in case of latency in our caches, make a call direct to storage to verify that it truly exists or not
|
||||
namespace, err = a.client.Core().Namespaces().Get(namespaceName, metav1.GetOptions{})
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
}
|
||||
return namespace.Labels, nil
|
||||
}
|
||||
|
||||
// whether the request is exempted by the webhook because of the
|
||||
// namespaceSelector of the webhook.
|
||||
func (a *GenericAdmissionWebhook) exemptedByNamespaceSelector(h *v1alpha1.Webhook, attr admission.Attributes) (bool, error) {
|
||||
namespaceName := attr.GetNamespace()
|
||||
if len(namespaceName) == 0 && attr.GetResource().Resource != "namespaces" {
|
||||
// If the request is about a cluster scoped resource, and it is not a
|
||||
// namespace, it is exempted from all webhooks for now.
|
||||
// TODO: figure out a way selective exempt cluster scoped resources.
|
||||
// Also update the comment in types.go
|
||||
return true, nil
|
||||
}
|
||||
namespaceLabels, err := a.getNamespaceLabels(attr)
|
||||
if apierrors.IsNotFound(err) {
|
||||
return false, err
|
||||
}
|
||||
if err != nil {
|
||||
return false, apierrors.NewInternalError(err)
|
||||
}
|
||||
// TODO: adding an LRU cache to cache the translation
|
||||
selector, err := metav1.LabelSelectorAsSelector(h.NamespaceSelector)
|
||||
if err != nil {
|
||||
return false, apierrors.NewInternalError(err)
|
||||
}
|
||||
return !selector.Matches(labels.Set(namespaceLabels)), nil
|
||||
}
|
||||
|
||||
func (a *GenericAdmissionWebhook) callHook(ctx context.Context, h *v1alpha1.Webhook, attr admission.Attributes) error {
|
||||
excluded, err := a.exemptedByNamespaceSelector(h, attr)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
if excluded {
|
||||
return nil
|
||||
}
|
||||
matches := false
|
||||
for _, r := range h.Rules {
|
||||
m := RuleMatcher{Rule: r, Attr: attr}
|
||||
|
@ -24,16 +24,20 @@ import (
|
||||
"net/http"
|
||||
"net/http/httptest"
|
||||
"net/url"
|
||||
"reflect"
|
||||
"strings"
|
||||
"sync/atomic"
|
||||
"testing"
|
||||
|
||||
"k8s.io/api/admission/v1alpha1"
|
||||
registrationv1alpha1 "k8s.io/api/admissionregistration/v1alpha1"
|
||||
api "k8s.io/api/core/v1"
|
||||
corev1 "k8s.io/api/core/v1"
|
||||
"k8s.io/apimachinery/pkg/api/errors"
|
||||
apierrors "k8s.io/apimachinery/pkg/api/errors"
|
||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
"k8s.io/apimachinery/pkg/labels"
|
||||
"k8s.io/apimachinery/pkg/runtime"
|
||||
"k8s.io/apimachinery/pkg/runtime/schema"
|
||||
"k8s.io/apiserver/pkg/admission"
|
||||
"k8s.io/apiserver/pkg/authentication/user"
|
||||
"k8s.io/client-go/rest"
|
||||
@ -48,6 +52,11 @@ func (f *fakeHookSource) Webhooks() (*registrationv1alpha1.ValidatingWebhookConf
|
||||
if f.err != nil {
|
||||
return nil, f.err
|
||||
}
|
||||
for i, h := range f.hooks {
|
||||
if h.NamespaceSelector == nil {
|
||||
f.hooks[i].NamespaceSelector = &metav1.LabelSelector{}
|
||||
}
|
||||
}
|
||||
return ®istrationv1alpha1.ValidatingWebhookConfiguration{Webhooks: f.hooks}, nil
|
||||
}
|
||||
|
||||
@ -65,11 +74,26 @@ func (f fakeServiceResolver) ResolveEndpoint(namespace, name string) (*url.URL,
|
||||
return &u, nil
|
||||
}
|
||||
|
||||
type fakeNamespaceLister struct {
|
||||
namespaces map[string]*corev1.Namespace
|
||||
}
|
||||
|
||||
func (f fakeNamespaceLister) List(selector labels.Selector) (ret []*corev1.Namespace, err error) {
|
||||
return nil, nil
|
||||
}
|
||||
func (f fakeNamespaceLister) Get(name string) (*corev1.Namespace, error) {
|
||||
ns, ok := f.namespaces[name]
|
||||
if ok {
|
||||
return ns, nil
|
||||
}
|
||||
return nil, errors.NewNotFound(corev1.Resource("namespaces"), name)
|
||||
}
|
||||
|
||||
// TestAdmit tests that GenericAdmissionWebhook#Admit works as expected
|
||||
func TestAdmit(t *testing.T) {
|
||||
scheme := runtime.NewScheme()
|
||||
v1alpha1.AddToScheme(scheme)
|
||||
api.AddToScheme(scheme)
|
||||
corev1.AddToScheme(scheme)
|
||||
|
||||
testServer := newTestServer(t)
|
||||
testServer.StartTLS()
|
||||
@ -85,12 +109,22 @@ func TestAdmit(t *testing.T) {
|
||||
wh.authInfoResolver = newFakeAuthenticationInfoResolver()
|
||||
wh.serviceResolver = fakeServiceResolver{base: *serverURL}
|
||||
wh.SetScheme(scheme)
|
||||
namespace := "webhook-test"
|
||||
wh.namespaceLister = fakeNamespaceLister{map[string]*corev1.Namespace{
|
||||
namespace: {
|
||||
ObjectMeta: metav1.ObjectMeta{
|
||||
Labels: map[string]string{
|
||||
"runlevel": "0",
|
||||
},
|
||||
},
|
||||
},
|
||||
},
|
||||
}
|
||||
|
||||
// Set up a test object for the call
|
||||
kind := api.SchemeGroupVersion.WithKind("Pod")
|
||||
kind := corev1.SchemeGroupVersion.WithKind("Pod")
|
||||
name := "my-pod"
|
||||
namespace := "webhook-test"
|
||||
object := api.Pod{
|
||||
object := corev1.Pod{
|
||||
ObjectMeta: metav1.ObjectMeta{
|
||||
Labels: map[string]string{
|
||||
"pod.name": name,
|
||||
@ -103,11 +137,11 @@ func TestAdmit(t *testing.T) {
|
||||
Kind: "Pod",
|
||||
},
|
||||
}
|
||||
oldObject := api.Pod{
|
||||
oldObject := corev1.Pod{
|
||||
ObjectMeta: metav1.ObjectMeta{Name: name, Namespace: namespace},
|
||||
}
|
||||
operation := admission.Update
|
||||
resource := api.Resource("pods").WithVersion("v1")
|
||||
resource := corev1.Resource("pods").WithVersion("v1")
|
||||
subResource := ""
|
||||
userInfo := user.DefaultInfo{
|
||||
Name: "webhook-test",
|
||||
@ -167,6 +201,40 @@ func TestAdmit(t *testing.T) {
|
||||
},
|
||||
errorContains: "you shall not pass",
|
||||
},
|
||||
"match & disallow & but allowed because namespaceSelector exempt the namespace": {
|
||||
hookSource: fakeHookSource{
|
||||
hooks: []registrationv1alpha1.Webhook{{
|
||||
Name: "disallow",
|
||||
ClientConfig: newFakeHookClientConfig("disallow"),
|
||||
Rules: newMatchEverythingRules(),
|
||||
NamespaceSelector: &metav1.LabelSelector{
|
||||
MatchExpressions: []metav1.LabelSelectorRequirement{{
|
||||
Key: "runlevel",
|
||||
Values: []string{"1"},
|
||||
Operator: metav1.LabelSelectorOpIn,
|
||||
}},
|
||||
},
|
||||
}},
|
||||
},
|
||||
expectAllow: true,
|
||||
},
|
||||
"match & disallow & but allowed because namespaceSelector exempt the namespace ii": {
|
||||
hookSource: fakeHookSource{
|
||||
hooks: []registrationv1alpha1.Webhook{{
|
||||
Name: "disallow",
|
||||
ClientConfig: newFakeHookClientConfig("disallow"),
|
||||
Rules: newMatchEverythingRules(),
|
||||
NamespaceSelector: &metav1.LabelSelector{
|
||||
MatchExpressions: []metav1.LabelSelectorRequirement{{
|
||||
Key: "runlevel",
|
||||
Values: []string{"0"},
|
||||
Operator: metav1.LabelSelectorOpNotIn,
|
||||
}},
|
||||
},
|
||||
}},
|
||||
},
|
||||
expectAllow: true,
|
||||
},
|
||||
"match & fail (but allow because fail open)": {
|
||||
hookSource: fakeHookSource{
|
||||
hooks: []registrationv1alpha1.Webhook{{
|
||||
@ -230,9 +298,11 @@ func TestAdmit(t *testing.T) {
|
||||
}
|
||||
|
||||
for name, tt := range table {
|
||||
if !strings.Contains(name, "no match") {
|
||||
continue
|
||||
}
|
||||
t.Run(name, func(t *testing.T) {
|
||||
wh.hookSource = &tt.hookSource
|
||||
|
||||
err = wh.Admit(admission.NewAttributesRecord(&object, &oldObject, kind, namespace, name, resource, subResource, operation, &userInfo))
|
||||
if tt.expectAllow != (err == nil) {
|
||||
t.Errorf("expected allowed=%v, but got err=%v", tt.expectAllow, err)
|
||||
@ -254,7 +324,7 @@ func TestAdmit(t *testing.T) {
|
||||
func TestAdmitCachedClient(t *testing.T) {
|
||||
scheme := runtime.NewScheme()
|
||||
v1alpha1.AddToScheme(scheme)
|
||||
api.AddToScheme(scheme)
|
||||
corev1.AddToScheme(scheme)
|
||||
|
||||
testServer := newTestServer(t)
|
||||
testServer.StartTLS()
|
||||
@ -270,12 +340,22 @@ func TestAdmitCachedClient(t *testing.T) {
|
||||
wh.authInfoResolver = newFakeAuthenticationInfoResolver()
|
||||
wh.serviceResolver = fakeServiceResolver{base: *serverURL}
|
||||
wh.SetScheme(scheme)
|
||||
namespace := "webhook-test"
|
||||
wh.namespaceLister = fakeNamespaceLister{map[string]*corev1.Namespace{
|
||||
namespace: {
|
||||
ObjectMeta: metav1.ObjectMeta{
|
||||
Labels: map[string]string{
|
||||
"runlevel": "0",
|
||||
},
|
||||
},
|
||||
},
|
||||
},
|
||||
}
|
||||
|
||||
// Set up a test object for the call
|
||||
kind := api.SchemeGroupVersion.WithKind("Pod")
|
||||
kind := corev1.SchemeGroupVersion.WithKind("Pod")
|
||||
name := "my-pod"
|
||||
namespace := "webhook-test"
|
||||
object := api.Pod{
|
||||
object := corev1.Pod{
|
||||
ObjectMeta: metav1.ObjectMeta{
|
||||
Labels: map[string]string{
|
||||
"pod.name": name,
|
||||
@ -288,11 +368,11 @@ func TestAdmitCachedClient(t *testing.T) {
|
||||
Kind: "Pod",
|
||||
},
|
||||
}
|
||||
oldObject := api.Pod{
|
||||
oldObject := corev1.Pod{
|
||||
ObjectMeta: metav1.ObjectMeta{Name: name, Namespace: namespace},
|
||||
}
|
||||
operation := admission.Update
|
||||
resource := api.Resource("pods").WithVersion("v1")
|
||||
resource := corev1.Resource("pods").WithVersion("v1")
|
||||
subResource := ""
|
||||
userInfo := user.DefaultInfo{
|
||||
Name: "webhook-test",
|
||||
@ -522,3 +602,89 @@ func newMatchEverythingRules() []registrationv1alpha1.RuleWithOperations {
|
||||
},
|
||||
}}
|
||||
}
|
||||
|
||||
func TestGetNamespaceLabels(t *testing.T) {
|
||||
namespace1Labels := map[string]string{
|
||||
"runlevel": "1",
|
||||
}
|
||||
namespace1 := corev1.Namespace{
|
||||
ObjectMeta: metav1.ObjectMeta{
|
||||
Name: "1",
|
||||
Labels: namespace1Labels,
|
||||
},
|
||||
}
|
||||
namespace2Labels := map[string]string{
|
||||
"runlevel": "2",
|
||||
}
|
||||
namespace2 := corev1.Namespace{
|
||||
ObjectMeta: metav1.ObjectMeta{
|
||||
Name: "2",
|
||||
Labels: namespace2Labels,
|
||||
},
|
||||
}
|
||||
namespaceLister := fakeNamespaceLister{map[string]*corev1.Namespace{
|
||||
"1": &namespace1,
|
||||
},
|
||||
}
|
||||
|
||||
tests := []struct {
|
||||
name string
|
||||
attr admission.Attributes
|
||||
expectedLabels map[string]string
|
||||
}{
|
||||
{
|
||||
name: "request is for creating namespace, the labels should be from the object itself",
|
||||
attr: admission.NewAttributesRecord(&namespace2, nil, schema.GroupVersionKind{}, "", namespace2.Name, schema.GroupVersionResource{Resource: "namespaces"}, "", admission.Create, nil),
|
||||
expectedLabels: namespace2Labels,
|
||||
},
|
||||
{
|
||||
name: "request is for updating namespace, the labels should be from the new object",
|
||||
attr: admission.NewAttributesRecord(&namespace2, nil, schema.GroupVersionKind{}, namespace2.Name, namespace2.Name, schema.GroupVersionResource{Resource: "namespaces"}, "", admission.Update, nil),
|
||||
expectedLabels: namespace2Labels,
|
||||
},
|
||||
{
|
||||
name: "request is for deleting namespace, the labels should be from the cache",
|
||||
attr: admission.NewAttributesRecord(&namespace2, nil, schema.GroupVersionKind{}, namespace1.Name, namespace1.Name, schema.GroupVersionResource{Resource: "namespaces"}, "", admission.Delete, nil),
|
||||
expectedLabels: namespace1Labels,
|
||||
},
|
||||
{
|
||||
name: "request is for namespace/finalizer",
|
||||
attr: admission.NewAttributesRecord(nil, nil, schema.GroupVersionKind{}, namespace1.Name, "mock-name", schema.GroupVersionResource{Resource: "namespaces"}, "finalizers", admission.Create, nil),
|
||||
expectedLabels: namespace1Labels,
|
||||
},
|
||||
{
|
||||
name: "request is for pod",
|
||||
attr: admission.NewAttributesRecord(nil, nil, schema.GroupVersionKind{}, namespace1.Name, "mock-name", schema.GroupVersionResource{Resource: "pods"}, "", admission.Create, nil),
|
||||
expectedLabels: namespace1Labels,
|
||||
},
|
||||
}
|
||||
wh, err := NewGenericAdmissionWebhook(nil)
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
wh.namespaceLister = namespaceLister
|
||||
for _, tt := range tests {
|
||||
actualLabels, err := wh.getNamespaceLabels(tt.attr)
|
||||
if err != nil {
|
||||
t.Error(err)
|
||||
}
|
||||
if !reflect.DeepEqual(actualLabels, tt.expectedLabels) {
|
||||
t.Errorf("expected labels to be %#v, got %#v", tt.expectedLabels, actualLabels)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
func TestExemptClusterScopedResource(t *testing.T) {
|
||||
hook := ®istrationv1alpha1.Webhook{
|
||||
NamespaceSelector: &metav1.LabelSelector{},
|
||||
}
|
||||
attr := admission.NewAttributesRecord(nil, nil, schema.GroupVersionKind{}, "", "mock-name", schema.GroupVersionResource{Version: "v1", Resource: "nodes"}, "", admission.Create, nil)
|
||||
g := GenericAdmissionWebhook{}
|
||||
exempted, err := g.exemptedByNamespaceSelector(hook, attr)
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
if !exempted {
|
||||
t.Errorf("cluster scoped resources (but not a namespace) should be exempted from all webhooks")
|
||||
}
|
||||
}
|
||||
|
@ -27,6 +27,7 @@ import (
|
||||
"k8s.io/apimachinery/pkg/api/errors"
|
||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
"k8s.io/apimachinery/pkg/util/intstr"
|
||||
"k8s.io/apimachinery/pkg/util/wait"
|
||||
utilversion "k8s.io/kubernetes/pkg/util/version"
|
||||
"k8s.io/kubernetes/test/e2e/framework"
|
||||
|
||||
@ -36,11 +37,16 @@ import (
|
||||
)
|
||||
|
||||
const (
|
||||
secretName = "sample-webhook-secret"
|
||||
deploymentName = "sample-webhook-deployment"
|
||||
serviceName = "e2e-test-webhook"
|
||||
roleBindingName = "webhook-auth-reader"
|
||||
webhookConfigName = "e2e-test-webhook-config"
|
||||
secretName = "sample-webhook-secret"
|
||||
deploymentName = "sample-webhook-deployment"
|
||||
serviceName = "e2e-test-webhook"
|
||||
roleBindingName = "webhook-auth-reader"
|
||||
webhookConfigName = "e2e-test-webhook-config"
|
||||
skipNamespaceLabelKey = "skip-webhook-admission"
|
||||
skipNamespaceLabelValue = "yes"
|
||||
skippedNamespaceName = "exempted-namesapce"
|
||||
disallowedPodName = "disallowed-pod"
|
||||
disallowedConfigMapName = "disallowed-configmap"
|
||||
)
|
||||
|
||||
var serverWebhookVersion = utilversion.MustParseSemantic("v1.8.0")
|
||||
@ -51,7 +57,7 @@ var _ = SIGDescribe("AdmissionWebhook", func() {
|
||||
cleanWebhookTest(f)
|
||||
})
|
||||
|
||||
It("Should be able to deny pod creation", func() {
|
||||
It("Should be able to deny pod and configmap creation", func() {
|
||||
// Make sure the relevant provider supports admission webhook
|
||||
framework.SkipUnlessServerVersionGTE(serverWebhookVersion, f.ClientSet.Discovery())
|
||||
framework.SkipUnlessProviderIs("gce", "gke")
|
||||
@ -68,7 +74,7 @@ var _ = SIGDescribe("AdmissionWebhook", func() {
|
||||
// Note that in 1.9 we will have backwards incompatible change to
|
||||
// admission webhooks, so the image will be updated to 1.9 sometime in
|
||||
// the development 1.9 cycle.
|
||||
deployWebhookAndService(f, "gcr.io/kubernetes-e2e-test-images/k8s-sample-admission-webhook-amd64:1.8v1", context)
|
||||
deployWebhookAndService(f, "gcr.io/kubernetes-e2e-test-images/k8s-sample-admission-webhook-amd64:1.8v2", context)
|
||||
registerWebhook(f, context)
|
||||
testWebhook(f)
|
||||
})
|
||||
@ -223,7 +229,7 @@ func registerWebhook(f *framework.Framework, context *certContext) {
|
||||
},
|
||||
Webhooks: []v1alpha1.Webhook{
|
||||
{
|
||||
Name: "e2e-test-webhook.k8s.io",
|
||||
Name: "deny-unwanted-pod-container-name-and-label.k8s.io",
|
||||
Rules: []v1alpha1.RuleWithOperations{{
|
||||
Operations: []v1alpha1.OperationType{v1alpha1.Create},
|
||||
Rule: v1alpha1.Rule{
|
||||
@ -237,6 +243,36 @@ func registerWebhook(f *framework.Framework, context *certContext) {
|
||||
Namespace: namespace,
|
||||
Name: serviceName,
|
||||
},
|
||||
URLPath: "/pods",
|
||||
CABundle: context.signingCert,
|
||||
},
|
||||
},
|
||||
{
|
||||
Name: "deny-unwanted-configmap-data.k8s.io",
|
||||
Rules: []v1alpha1.RuleWithOperations{{
|
||||
Operations: []v1alpha1.OperationType{v1alpha1.Create},
|
||||
Rule: v1alpha1.Rule{
|
||||
APIGroups: []string{""},
|
||||
APIVersions: []string{"v1"},
|
||||
Resources: []string{"configmaps"},
|
||||
},
|
||||
}},
|
||||
// The webhook skips the namespace that has label "skip-webhook-admission":"yes"
|
||||
NamespaceSelector: &metav1.LabelSelector{
|
||||
MatchExpressions: []metav1.LabelSelectorRequirement{
|
||||
{
|
||||
Key: skipNamespaceLabelKey,
|
||||
Operator: metav1.LabelSelectorOpNotIn,
|
||||
Values: []string{skipNamespaceLabelValue},
|
||||
},
|
||||
},
|
||||
},
|
||||
ClientConfig: v1alpha1.WebhookClientConfig{
|
||||
Service: v1alpha1.ServiceReference{
|
||||
Namespace: namespace,
|
||||
Name: serviceName,
|
||||
},
|
||||
URLPath: "/configmaps",
|
||||
CABundle: context.signingCert,
|
||||
},
|
||||
},
|
||||
@ -262,12 +298,45 @@ func testWebhook(f *framework.Framework) {
|
||||
// TODO: Test if webhook can detect pod with non-compliant metadata.
|
||||
// Currently metadata is lost because webhook uses the external version of
|
||||
// the objects, and the apiserver sends the internal objects.
|
||||
|
||||
By("create a configmap that should be denied by the webhook")
|
||||
// Creating the configmap, the request should be rejected
|
||||
configmap := nonCompliantConfigMap(f)
|
||||
_, err = client.CoreV1().ConfigMaps(f.Namespace.Name).Create(configmap)
|
||||
Expect(err).NotTo(BeNil())
|
||||
expectedErrMsg = "the configmap contains unwanted key and value"
|
||||
if !strings.Contains(err.Error(), expectedErrMsg) {
|
||||
framework.Failf("expect error contains %q, got %q", expectedErrMsg, err.Error())
|
||||
}
|
||||
|
||||
By("create a namespace that bypass the webhook")
|
||||
err = wait.Poll(100*time.Millisecond, 30*time.Second, func() (bool, error) {
|
||||
_, err2 := client.CoreV1().Namespaces().Create(&v1.Namespace{ObjectMeta: metav1.ObjectMeta{
|
||||
Name: skippedNamespaceName,
|
||||
Labels: map[string]string{
|
||||
skipNamespaceLabelKey: skipNamespaceLabelValue,
|
||||
},
|
||||
}})
|
||||
if err2 != nil {
|
||||
if strings.HasPrefix(err2.Error(), "object is being deleted:") {
|
||||
return false, nil
|
||||
}
|
||||
return false, err2
|
||||
}
|
||||
return true, nil
|
||||
})
|
||||
framework.ExpectNoError(err, "creating namespace %q", skippedNamespaceName)
|
||||
|
||||
By("create a configmap that violates the webhook policy but is in a whitelisted namespace")
|
||||
configmap = nonCompliantConfigMap(f)
|
||||
_, err = client.CoreV1().ConfigMaps(skippedNamespaceName).Create(configmap)
|
||||
Expect(err).To(BeNil())
|
||||
}
|
||||
|
||||
func nonCompliantPod(f *framework.Framework) *v1.Pod {
|
||||
return &v1.Pod{
|
||||
ObjectMeta: metav1.ObjectMeta{
|
||||
Name: "disallowed-pod",
|
||||
Name: disallowedPodName,
|
||||
Labels: map[string]string{
|
||||
"webhook-e2e-test": "disallow",
|
||||
},
|
||||
@ -283,6 +352,17 @@ func nonCompliantPod(f *framework.Framework) *v1.Pod {
|
||||
}
|
||||
}
|
||||
|
||||
func nonCompliantConfigMap(f *framework.Framework) *v1.ConfigMap {
|
||||
return &v1.ConfigMap{
|
||||
ObjectMeta: metav1.ObjectMeta{
|
||||
Name: disallowedConfigMapName,
|
||||
},
|
||||
Data: map[string]string{
|
||||
"webhook-e2e-test": "webhook-disallow",
|
||||
},
|
||||
}
|
||||
}
|
||||
|
||||
func cleanWebhookTest(f *framework.Framework) {
|
||||
client := f.ClientSet
|
||||
_ = client.AdmissionregistrationV1alpha1().ValidatingWebhookConfigurations().Delete(webhookConfigName, nil)
|
||||
@ -291,4 +371,6 @@ func cleanWebhookTest(f *framework.Framework) {
|
||||
_ = client.ExtensionsV1beta1().Deployments(namespaceName).Delete(deploymentName, nil)
|
||||
_ = client.CoreV1().Secrets(namespaceName).Delete(secretName, nil)
|
||||
_ = client.RbacV1beta1().RoleBindings("kube-system").Delete(roleBindingName, nil)
|
||||
_ = client.CoreV1().ConfigMaps(skippedNamespaceName).Delete(disallowedConfigMapName, nil)
|
||||
_ = client.CoreV1().Namespaces().Delete(skippedNamespaceName, nil)
|
||||
}
|
||||
|
@ -14,6 +14,6 @@
|
||||
|
||||
build:
|
||||
CGO_ENABLED=0 GOOS=linux go build -a -installsuffix cgo -o webhook .
|
||||
docker build --no-cache -t gcr.io/kubernetes-e2e-test-images/k8s-sample-admission-webhook-amd64:1.8v1 .
|
||||
docker build --no-cache -t gcr.io/kubernetes-e2e-test-images/k8s-sample-admission-webhook-amd64:1.8v2 .
|
||||
push:
|
||||
gcloud docker --push gcr.io/kubernetes-e2e-test-images/k8s-sample-admission-webhook-amd64:1.8v1 .
|
||||
gcloud docker -- push gcr.io/kubernetes-e2e-test-images/k8s-sample-admission-webhook-amd64:1.8v2
|
||||
|
@ -44,7 +44,8 @@ func (c *Config) addFlags() {
|
||||
}
|
||||
|
||||
// only allow pods to pull images from specific registry.
|
||||
func admit(data []byte) *v1alpha1.AdmissionReviewStatus {
|
||||
func admitPods(data []byte) *v1alpha1.AdmissionReviewStatus {
|
||||
glog.V(2).Info("admitting pods")
|
||||
ar := v1alpha1.AdmissionReview{}
|
||||
if err := json.Unmarshal(data, &ar); err != nil {
|
||||
glog.Error(err)
|
||||
@ -86,7 +87,42 @@ func admit(data []byte) *v1alpha1.AdmissionReviewStatus {
|
||||
return &reviewStatus
|
||||
}
|
||||
|
||||
func serve(w http.ResponseWriter, r *http.Request) {
|
||||
// deny configmaps with specific key-value pair.
|
||||
func admitConfigMaps(data []byte) *v1alpha1.AdmissionReviewStatus {
|
||||
glog.V(2).Info("admitting configmaps")
|
||||
ar := v1alpha1.AdmissionReview{}
|
||||
if err := json.Unmarshal(data, &ar); err != nil {
|
||||
glog.Error(err)
|
||||
return nil
|
||||
}
|
||||
configMapResource := metav1.GroupVersionResource{Group: "", Version: "v1", Resource: "configmaps"}
|
||||
if ar.Spec.Resource != configMapResource {
|
||||
glog.Errorf("expect resource to be %s", configMapResource)
|
||||
return nil
|
||||
}
|
||||
|
||||
raw := ar.Spec.Object.Raw
|
||||
configmap := v1.ConfigMap{}
|
||||
if err := json.Unmarshal(raw, &configmap); err != nil {
|
||||
glog.Error(err)
|
||||
return nil
|
||||
}
|
||||
reviewStatus := v1alpha1.AdmissionReviewStatus{}
|
||||
reviewStatus.Allowed = true
|
||||
for k, v := range configmap.Data {
|
||||
if k == "webhook-e2e-test" && v == "webhook-disallow" {
|
||||
reviewStatus.Allowed = false
|
||||
reviewStatus.Result = &metav1.Status{
|
||||
Reason: "the configmap contains unwanted key and value",
|
||||
}
|
||||
}
|
||||
}
|
||||
return &reviewStatus
|
||||
}
|
||||
|
||||
type admitFunc func(data []byte) *v1alpha1.AdmissionReviewStatus
|
||||
|
||||
func serve(w http.ResponseWriter, r *http.Request, admit admitFunc) {
|
||||
var body []byte
|
||||
if r.Body != nil {
|
||||
if data, err := ioutil.ReadAll(r.Body); err == nil {
|
||||
@ -102,8 +138,10 @@ func serve(w http.ResponseWriter, r *http.Request) {
|
||||
}
|
||||
|
||||
reviewStatus := admit(body)
|
||||
ar := v1alpha1.AdmissionReview{
|
||||
Status: *reviewStatus,
|
||||
|
||||
ar := v1alpha1.AdmissionReview{}
|
||||
if reviewStatus != nil {
|
||||
ar.Status = *reviewStatus
|
||||
}
|
||||
|
||||
resp, err := json.Marshal(ar)
|
||||
@ -115,12 +153,20 @@ func serve(w http.ResponseWriter, r *http.Request) {
|
||||
}
|
||||
}
|
||||
|
||||
func servePods(w http.ResponseWriter, r *http.Request) {
|
||||
serve(w, r, admitPods)
|
||||
}
|
||||
func serveConfigmaps(w http.ResponseWriter, r *http.Request) {
|
||||
serve(w, r, admitConfigMaps)
|
||||
}
|
||||
|
||||
func main() {
|
||||
var config Config
|
||||
config.addFlags()
|
||||
flag.Parse()
|
||||
|
||||
http.HandleFunc("/", serve)
|
||||
http.HandleFunc("/pods", servePods)
|
||||
http.HandleFunc("/configmaps", serveConfigmaps)
|
||||
clientset := getClient()
|
||||
server := &http.Server{
|
||||
Addr: ":443",
|
||||
|
Loading…
Reference in New Issue
Block a user