make webhook ac use the configuration manager

Chao Xu 2017-06-14 10:20:06 -07:00
parent 4d834b22ea
commit fb06bd823a
4 changed files with 72 additions and 32 deletions


@ -27,16 +27,20 @@ import (
"github.com/golang/glog" "github.com/golang/glog"
apierrors "k8s.io/apimachinery/pkg/api/errors" apierrors "k8s.io/apimachinery/pkg/api/errors"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/runtime" "k8s.io/apimachinery/pkg/runtime"
"k8s.io/apimachinery/pkg/runtime/schema" "k8s.io/apimachinery/pkg/runtime/schema"
"k8s.io/apimachinery/pkg/runtime/serializer" "k8s.io/apimachinery/pkg/runtime/serializer"
utilruntime "k8s.io/apimachinery/pkg/util/runtime" utilruntime "k8s.io/apimachinery/pkg/util/runtime"
"k8s.io/apimachinery/pkg/util/wait"
"k8s.io/apiserver/pkg/admission" "k8s.io/apiserver/pkg/admission"
"k8s.io/client-go/rest" "k8s.io/client-go/rest"
"k8s.io/kubernetes/pkg/api" "k8s.io/kubernetes/pkg/api"
admissionv1alpha1 "k8s.io/kubernetes/pkg/apis/admission/v1alpha1" admissionv1alpha1 "k8s.io/kubernetes/pkg/apis/admission/v1alpha1"
"k8s.io/kubernetes/pkg/apis/admissionregistration" "k8s.io/kubernetes/pkg/apis/admissionregistration/v1alpha1"
"k8s.io/kubernetes/pkg/client/clientset_generated/clientset"
admissioninit "k8s.io/kubernetes/pkg/kubeapiserver/admission" admissioninit "k8s.io/kubernetes/pkg/kubeapiserver/admission"
"k8s.io/kubernetes/pkg/kubeapiserver/admission/configuration"
// install the clientgo admission API for use with api registry // install the clientgo admission API for use with api registry
_ "k8s.io/kubernetes/pkg/apis/admission/install" _ "k8s.io/kubernetes/pkg/apis/admission/install"
@ -72,6 +76,12 @@ func Register(plugins *admission.Plugins) {
}) })
} }
// WebhookSource can list dynamic webhook plugins.
type WebhookSource interface {
Run(stopCh <-chan struct{})
ExternalAdmissionHooks() (*v1alpha1.ExternalAdmissionHookConfiguration, error)
}
// NewGenericAdmissionWebhook returns a generic admission webhook plugin. // NewGenericAdmissionWebhook returns a generic admission webhook plugin.
func NewGenericAdmissionWebhook() (*GenericAdmissionWebhook, error) { func NewGenericAdmissionWebhook() (*GenericAdmissionWebhook, error) {
return &GenericAdmissionWebhook{ return &GenericAdmissionWebhook{
@ -90,7 +100,7 @@ func NewGenericAdmissionWebhook() (*GenericAdmissionWebhook, error) {
// GenericAdmissionWebhook is an implementation of admission.Interface. // GenericAdmissionWebhook is an implementation of admission.Interface.
type GenericAdmissionWebhook struct { type GenericAdmissionWebhook struct {
*admission.Handler *admission.Handler
hookSource admissioninit.WebhookSource hookSource WebhookSource
serviceResolver admissioninit.ServiceResolver serviceResolver admissioninit.ServiceResolver
negotiatedSerializer runtime.NegotiatedSerializer negotiatedSerializer runtime.NegotiatedSerializer
clientCert []byte clientCert []byte
@ -100,7 +110,7 @@ type GenericAdmissionWebhook struct {
var ( var (
_ = admissioninit.WantsServiceResolver(&GenericAdmissionWebhook{}) _ = admissioninit.WantsServiceResolver(&GenericAdmissionWebhook{})
_ = admissioninit.WantsClientCert(&GenericAdmissionWebhook{}) _ = admissioninit.WantsClientCert(&GenericAdmissionWebhook{})
_ = admissioninit.WantsWebhookSource(&GenericAdmissionWebhook{}) _ = admissioninit.WantsExternalKubeClientSet(&GenericAdmissionWebhook{})
) )
func (a *GenericAdmissionWebhook) SetServiceResolver(sr admissioninit.ServiceResolver) { func (a *GenericAdmissionWebhook) SetServiceResolver(sr admissioninit.ServiceResolver) {
@ -112,23 +122,51 @@ func (a *GenericAdmissionWebhook) SetClientCert(cert, key []byte) {
a.clientKey = key a.clientKey = key
} }
func (a *GenericAdmissionWebhook) SetWebhookSource(ws admissioninit.WebhookSource) { func (a *GenericAdmissionWebhook) SetExternalKubeClientSet(client clientset.Interface) {
a.hookSource = ws a.hookSource = configuration.NewExternalAdmissionHookConfigurationManager(client.Admissionregistration().ExternalAdmissionHookConfigurations())
}
func (a *GenericAdmissionWebhook) Validate() error {
if a.hookSource == nil {
return fmt.Errorf("the GenericAdmissionWebhook admission plugin requires a Kubernetes client to be provided")
}
go a.hookSource.Run(wait.NeverStop)
return nil
}
func (a *GenericAdmissionWebhook) loadConfiguration(attr admission.Attributes) (*v1alpha1.ExternalAdmissionHookConfiguration, error) {
hookConfig, err := a.hookSource.ExternalAdmissionHooks()
// if ExternalAdmissionHook configuration is disabled, fail open
if err == configuration.ErrDisabled {
return &v1alpha1.ExternalAdmissionHookConfiguration{}, nil
}
if err != nil {
e := apierrors.NewServerTimeout(attr.GetResource().GroupResource(), string(attr.GetOperation()), 1)
e.ErrStatus.Message = fmt.Sprintf("Unable to refresh the ExternalAdmissionHook configuration: %v", err)
e.ErrStatus.Reason = "LoadingConfiguration"
e.ErrStatus.Details.Causes = append(e.ErrStatus.Details.Causes, metav1.StatusCause{
Type: "ExternalAdmissionHookConfigurationFailure",
Message: "An error has occurred while refreshing the externalAdmissionHook configuration, no resources can be created/updated/deleted/connected until a refresh succeeds.",
})
return nil, e
}
return hookConfig, nil
} }
// Admit makes an admission decision based on the request attributes. // Admit makes an admission decision based on the request attributes.
func (a *GenericAdmissionWebhook) Admit(attr admission.Attributes) error { func (a *GenericAdmissionWebhook) Admit(attr admission.Attributes) error {
hooks, err := a.hookSource.List() hookConfig, err := a.loadConfiguration(attr)
if err != nil { if err != nil {
return fmt.Errorf("failed listing hooks: %v", err) return err
} }
hooks := hookConfig.ExternalAdmissionHooks
ctx := context.TODO() ctx := context.TODO()
errCh := make(chan error, len(hooks)) errCh := make(chan error, len(hooks))
wg := sync.WaitGroup{} wg := sync.WaitGroup{}
wg.Add(len(hooks)) wg.Add(len(hooks))
for i := range hooks { for i := range hooks {
go func(hook *admissionregistration.ExternalAdmissionHook) { go func(hook *v1alpha1.ExternalAdmissionHook) {
defer wg.Done() defer wg.Done()
if err := a.callHook(ctx, hook, attr); err == nil { if err := a.callHook(ctx, hook, attr); err == nil {
return return
@ -161,7 +199,7 @@ func (a *GenericAdmissionWebhook) Admit(attr admission.Attributes) error {
return errs[0] return errs[0]
} }
func (a *GenericAdmissionWebhook) callHook(ctx context.Context, h *admissionregistration.ExternalAdmissionHook, attr admission.Attributes) error { func (a *GenericAdmissionWebhook) callHook(ctx context.Context, h *v1alpha1.ExternalAdmissionHook, attr admission.Attributes) error {
matches := false matches := false
for _, r := range h.Rules { for _, r := range h.Rules {
m := RuleMatcher{Rule: r, Attr: attr} m := RuleMatcher{Rule: r, Attr: attr}
@ -197,7 +235,7 @@ func (a *GenericAdmissionWebhook) callHook(ctx context.Context, h *admissionregi
} }
} }
func (a *GenericAdmissionWebhook) hookClient(h *admissionregistration.ExternalAdmissionHook) (*rest.RESTClient, error) { func (a *GenericAdmissionWebhook) hookClient(h *v1alpha1.ExternalAdmissionHook) (*rest.RESTClient, error) {
u, err := a.serviceResolver.ResolveEndpoint(h.ClientConfig.Service.Namespace, h.ClientConfig.Service.Name) u, err := a.serviceResolver.ResolveEndpoint(h.ClientConfig.Service.Namespace, h.ClientConfig.Service.Name)
if err != nil { if err != nil {
return nil, err return nil, err
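Review bot: `Validate` on the new side starts `go a.hookSource.Run(wait.NeverStop)` as a side effect, so the configuration manager's goroutine can never be stopped and is started again on every call to `Validate`; wrapping the `go` statement in a `sync.Once` (or starting it from the initializer that calls `Validate`) would bound that, and the method comment should state that it launches a background goroutine. In `loadConfiguration`, the `ErrDisabled` branch returns an empty configuration, which means every request is admitted without any external hook being consulted and nothing is logged; a comment such as `// ErrDisabled: the admissionregistration API is not being served, so no external hooks are enforced for this request.` and a low-verbosity `glog.V(4).Infof` at that return would make the fail-open visible to operators. `SetExternalKubeClientSet` dereferences `client` with no nil check, so a nil clientset panics during wiring rather than surfacing through the `a.hookSource == nil` check in `Validate`, which appears intended to cover that case. The `Admit` body and the `SetServiceResolver`/`SetClientCert` methods continue outside the hunks shown.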


@ -32,23 +32,25 @@ import (
"k8s.io/apiserver/pkg/authentication/user" "k8s.io/apiserver/pkg/authentication/user"
"k8s.io/kubernetes/pkg/api" "k8s.io/kubernetes/pkg/api"
"k8s.io/kubernetes/pkg/apis/admission/v1alpha1" "k8s.io/kubernetes/pkg/apis/admission/v1alpha1"
"k8s.io/kubernetes/pkg/apis/admissionregistration" registrationv1alpha1 "k8s.io/kubernetes/pkg/apis/admissionregistration/v1alpha1"
_ "k8s.io/kubernetes/pkg/apis/admission/install" _ "k8s.io/kubernetes/pkg/apis/admission/install"
) )
type fakeHookSource struct { type fakeHookSource struct {
hooks []admissionregistration.ExternalAdmissionHook hooks []registrationv1alpha1.ExternalAdmissionHook
err error err error
} }
func (f *fakeHookSource) List() ([]admissionregistration.ExternalAdmissionHook, error) { func (f *fakeHookSource) ExternalAdmissionHooks() (*registrationv1alpha1.ExternalAdmissionHookConfiguration, error) {
if f.err != nil { if f.err != nil {
return nil, f.err return nil, f.err
} }
return f.hooks, nil return &registrationv1alpha1.ExternalAdmissionHookConfiguration{ExternalAdmissionHooks: f.hooks}, nil
} }
func (f *fakeHookSource) Run(stopCh <-chan struct{}) {}
type fakeServiceResolver struct { type fakeServiceResolver struct {
base url.URL base url.URL
} }
@ -124,17 +126,17 @@ func TestAdmit(t *testing.T) {
expectAllow bool expectAllow bool
errorContains string errorContains string
} }
ccfg := func(result string) admissionregistration.AdmissionHookClientConfig { ccfg := func(result string) registrationv1alpha1.AdmissionHookClientConfig {
return admissionregistration.AdmissionHookClientConfig{ return registrationv1alpha1.AdmissionHookClientConfig{
Service: admissionregistration.ServiceReference{ Service: registrationv1alpha1.ServiceReference{
Name: result, Name: result,
}, },
CABundle: caCert, CABundle: caCert,
} }
} }
matchEverythingRules := []admissionregistration.RuleWithOperations{{ matchEverythingRules := []registrationv1alpha1.RuleWithOperations{{
Operations: []admissionregistration.OperationType{admissionregistration.OperationAll}, Operations: []registrationv1alpha1.OperationType{registrationv1alpha1.OperationAll},
Rule: admissionregistration.Rule{ Rule: registrationv1alpha1.Rule{
APIGroups: []string{"*"}, APIGroups: []string{"*"},
APIVersions: []string{"*"}, APIVersions: []string{"*"},
Resources: []string{"*/*"}, Resources: []string{"*/*"},
@ -144,11 +146,11 @@ func TestAdmit(t *testing.T) {
table := map[string]test{ table := map[string]test{
"no match": { "no match": {
hookSource: fakeHookSource{ hookSource: fakeHookSource{
hooks: []admissionregistration.ExternalAdmissionHook{{ hooks: []registrationv1alpha1.ExternalAdmissionHook{{
Name: "nomatch", Name: "nomatch",
ClientConfig: ccfg("disallow"), ClientConfig: ccfg("disallow"),
Rules: []admissionregistration.RuleWithOperations{{ Rules: []registrationv1alpha1.RuleWithOperations{{
Operations: []admissionregistration.OperationType{admissionregistration.Create}, Operations: []registrationv1alpha1.OperationType{registrationv1alpha1.Create},
}}, }},
}}, }},
}, },
@ -156,7 +158,7 @@ func TestAdmit(t *testing.T) {
}, },
"match & allow": { "match & allow": {
hookSource: fakeHookSource{ hookSource: fakeHookSource{
hooks: []admissionregistration.ExternalAdmissionHook{{ hooks: []registrationv1alpha1.ExternalAdmissionHook{{
Name: "allow", Name: "allow",
ClientConfig: ccfg("allow"), ClientConfig: ccfg("allow"),
Rules: matchEverythingRules, Rules: matchEverythingRules,
@ -166,7 +168,7 @@ func TestAdmit(t *testing.T) {
}, },
"match & disallow": { "match & disallow": {
hookSource: fakeHookSource{ hookSource: fakeHookSource{
hooks: []admissionregistration.ExternalAdmissionHook{{ hooks: []registrationv1alpha1.ExternalAdmissionHook{{
Name: "disallow", Name: "disallow",
ClientConfig: ccfg("disallow"), ClientConfig: ccfg("disallow"),
Rules: matchEverythingRules, Rules: matchEverythingRules,
@ -176,7 +178,7 @@ func TestAdmit(t *testing.T) {
}, },
"match & disallow ii": { "match & disallow ii": {
hookSource: fakeHookSource{ hookSource: fakeHookSource{
hooks: []admissionregistration.ExternalAdmissionHook{{ hooks: []registrationv1alpha1.ExternalAdmissionHook{{
Name: "disallowReason", Name: "disallowReason",
ClientConfig: ccfg("disallowReason"), ClientConfig: ccfg("disallowReason"),
Rules: matchEverythingRules, Rules: matchEverythingRules,
@ -186,7 +188,7 @@ func TestAdmit(t *testing.T) {
}, },
"match & fail (but allow because fail open)": { "match & fail (but allow because fail open)": {
hookSource: fakeHookSource{ hookSource: fakeHookSource{
hooks: []admissionregistration.ExternalAdmissionHook{{ hooks: []registrationv1alpha1.ExternalAdmissionHook{{
Name: "internalErr A", Name: "internalErr A",
ClientConfig: ccfg("internalErr"), ClientConfig: ccfg("internalErr"),
Rules: matchEverythingRules, Rules: matchEverythingRules,


@ -21,11 +21,11 @@ import (
"strings" "strings"
"k8s.io/apiserver/pkg/admission" "k8s.io/apiserver/pkg/admission"
"k8s.io/kubernetes/pkg/apis/admissionregistration" "k8s.io/kubernetes/pkg/apis/admissionregistration/v1alpha1"
) )
type RuleMatcher struct { type RuleMatcher struct {
Rule admissionregistration.RuleWithOperations Rule v1alpha1.RuleWithOperations
Attr admission.Attributes Attr admission.Attributes
} }
@ -60,12 +60,12 @@ func (r *RuleMatcher) version() bool {
func (r *RuleMatcher) operation() bool { func (r *RuleMatcher) operation() bool {
attrOp := r.Attr.GetOperation() attrOp := r.Attr.GetOperation()
for _, op := range r.Rule.Operations { for _, op := range r.Rule.Operations {
if op == admissionregistration.OperationAll { if op == v1alpha1.OperationAll {
return true return true
} }
// The constants are the same such that this is a valid cast (and this // The constants are the same such that this is a valid cast (and this
// is tested). // is tested).
if op == admissionregistration.OperationType(attrOp) { if op == v1alpha1.OperationType(attrOp) {
return true return true
} }
} }


@ -21,7 +21,7 @@ import (
"k8s.io/apimachinery/pkg/runtime/schema" "k8s.io/apimachinery/pkg/runtime/schema"
"k8s.io/apiserver/pkg/admission" "k8s.io/apiserver/pkg/admission"
adreg "k8s.io/kubernetes/pkg/apis/admissionregistration" adreg "k8s.io/kubernetes/pkg/apis/admissionregistration/v1alpha1"
) )
type ruleTest struct { type ruleTest struct {