mirror of
				https://github.com/k8snetworkplumbingwg/multus-cni.git
				synced 2025-10-22 15:59:00 +00:00 
			
		
		
		
	
		
			
				
	
	
		
			204 lines
		
	
	
		
			6.5 KiB
		
	
	
	
		
			Go
		
	
	
	
	
	
			
		
		
	
	
			204 lines
		
	
	
		
			6.5 KiB
		
	
	
	
		
			Go
		
	
	
	
	
	
| // Copyright (c) 2018 Intel Corporation
 | |
| //
 | |
| // Licensed under the Apache License, Version 2.0 (the "License");
 | |
| // you may not use this file except in compliance with the License.
 | |
| // You may obtain a copy of the License at
 | |
| //
 | |
| //     http://www.apache.org/licenses/LICENSE-2.0
 | |
| //
 | |
| // Unless required by applicable law or agreed to in writing, software
 | |
| // distributed under the License is distributed on an "AS IS" BASIS,
 | |
| // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 | |
| // See the License for the specific language governing permissions and
 | |
| // limitations under the License.
 | |
| 
 | |
| package main
 | |
| 
 | |
| import (
 | |
| 	"encoding/json"
 | |
| 	"flag"
 | |
| 	"fmt"
 | |
| 	"io/ioutil"
 | |
| 	"net/http"
 | |
| 	"regexp"
 | |
| 
 | |
| 	"github.com/intel/multus-cni/logging"
 | |
| 	"github.com/intel/multus-cni/types"
 | |
| 
 | |
| 	"github.com/containernetworking/cni/libcni"
 | |
| 	"k8s.io/api/admission/v1beta1"
 | |
| 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 | |
| 	"k8s.io/apimachinery/pkg/runtime"
 | |
| 	"k8s.io/apimachinery/pkg/runtime/serializer"
 | |
| )
 | |
| 
 | |
| func validateNetworkAttachmentDefinition(netAttachDef types.NetworkAttachmentDefinition) (bool, error) {
 | |
| 	nameRegex := `^[a-z0-9]([-a-z0-9]*[a-z0-9])?$`
 | |
| 	isNameCorrect, err := regexp.MatchString(nameRegex, netAttachDef.Metadata.Name)
 | |
| 	if !isNameCorrect {
 | |
| 		logging.Errorf("Invalid name.")
 | |
| 		return false, fmt.Errorf("Invalid name")
 | |
| 	}
 | |
| 	if err != nil {
 | |
| 		logging.Errorf("Error validating name: %s.", err)
 | |
| 		return false, err
 | |
| 	}
 | |
| 
 | |
| 	if netAttachDef.Spec.Config == "" {
 | |
| 		logging.Errorf("Network Config is empty.")
 | |
| 		return false, fmt.Errorf("Network Config is empty")
 | |
| 	}
 | |
| 
 | |
| 	logging.Printf(logging.DebugLevel, "Validating network config spec: %s", netAttachDef.Spec.Config)
 | |
| 
 | |
| 	/* try to unmarshal config into NetworkConfig or NetworkConfigList
 | |
| 	   using actual code from libcni - if succesful, it means that the config
 | |
| 		 will be accepted by CNI itseld as well */
 | |
| 	confBytes := []byte(netAttachDef.Spec.Config)
 | |
| 	_, err = libcni.ConfListFromBytes(confBytes)
 | |
| 	if err != nil {
 | |
| 		logging.Printf(logging.DebugLevel, "Spec is not a valid network config: %s. Trying to parse into config list", err)
 | |
| 		_, err = libcni.ConfFromBytes(confBytes)
 | |
| 		if err != nil {
 | |
| 			logging.Printf(logging.DebugLevel, "Spec is not a valid network config list: %s", err)
 | |
| 			logging.Errorf("Invalid config: %s", err)
 | |
| 			return false, fmt.Errorf("Invalid network config spec")
 | |
| 		}
 | |
| 	}
 | |
| 
 | |
| 	logging.Printf(logging.DebugLevel, "Network Attachment Defintion is valid. Admission Review request allowed")
 | |
| 	return true, nil
 | |
| }
 | |
| 
 | |
| func prepareAdmissionReviewResponse(allowed bool, message string, ar *v1beta1.AdmissionReview) error {
 | |
| 	if ar.Request != nil {
 | |
| 		ar.Response = &v1beta1.AdmissionResponse{
 | |
| 			UID:     ar.Request.UID,
 | |
| 			Allowed: allowed,
 | |
| 		}
 | |
| 		if message != "" {
 | |
| 			ar.Response.Result = &metav1.Status{
 | |
| 				Message: message,
 | |
| 			}
 | |
| 		}
 | |
| 		return nil
 | |
| 	} else {
 | |
| 		return fmt.Errorf("AdmissionReview request empty")
 | |
| 	}
 | |
| }
 | |
| 
 | |
| func deserializeAdmissionReview(body []byte) (v1beta1.AdmissionReview, error) {
 | |
| 	ar := v1beta1.AdmissionReview{}
 | |
| 	runtimeScheme := runtime.NewScheme()
 | |
| 	codecs := serializer.NewCodecFactory(runtimeScheme)
 | |
| 	deserializer := codecs.UniversalDeserializer()
 | |
| 	_, _, err := deserializer.Decode(body, nil, &ar)
 | |
| 
 | |
| 	/* Decode() won't return an error if the data wasn't actual AdmissionReview */
 | |
| 	if err == nil && ar.TypeMeta.Kind != "AdmissionReview" {
 | |
| 		err = fmt.Errorf("Object is not an AdmissionReview")
 | |
| 	}
 | |
| 
 | |
| 	return ar, err
 | |
| }
 | |
| 
 | |
| func deserializeNetworkAttachmentDefinition(ar v1beta1.AdmissionReview) (types.NetworkAttachmentDefinition, error) {
 | |
| 	/* unmarshal NetworkAttachmentDefinition from AdmissionReview request */
 | |
| 	netAttachDef := types.NetworkAttachmentDefinition{}
 | |
| 	err := json.Unmarshal(ar.Request.Object.Raw, &netAttachDef)
 | |
| 	return netAttachDef, err
 | |
| }
 | |
| 
 | |
| func handleValidationError(w http.ResponseWriter, ar v1beta1.AdmissionReview, orgErr error) {
 | |
| 	err := prepareAdmissionReviewResponse(false, orgErr.Error(), &ar)
 | |
| 	if err != nil {
 | |
| 		logging.Errorf("Error preparing AdmissionResponse: %s", err.Error())
 | |
| 		http.Error(w, fmt.Sprintf("Error preparing AdmissionResponse: %s", err.Error()), http.StatusBadRequest)
 | |
| 		return
 | |
| 	}
 | |
| 	writeResponse(w, ar)
 | |
| }
 | |
| 
 | |
| func writeResponse(w http.ResponseWriter, ar v1beta1.AdmissionReview) {
 | |
| 	logging.Printf(logging.DebugLevel, "Sending response to the API server")
 | |
| 	resp, _ := json.Marshal(ar)
 | |
| 	w.Write(resp)
 | |
| }
 | |
| 
 | |
| func validateHandler(w http.ResponseWriter, req *http.Request) {
 | |
| 	var body []byte
 | |
| 
 | |
| 	if req.Body != nil {
 | |
| 		if data, err := ioutil.ReadAll(req.Body); err == nil {
 | |
| 			body = data
 | |
| 		}
 | |
| 	}
 | |
| 
 | |
| 	if len(body) == 0 {
 | |
| 		logging.Errorf("Error reading HTTP request: empty body")
 | |
| 		http.Error(w, "Error reading HTTP request: empty body", http.StatusBadRequest)
 | |
| 		return
 | |
| 	}
 | |
| 
 | |
| 	/* validate HTTP request headers */
 | |
| 	contentType := req.Header.Get("Content-Type")
 | |
| 	if contentType != "application/json" {
 | |
| 		logging.Errorf("Invalid Content-Type='%s', expected 'application/json'", contentType)
 | |
| 		http.Error(w, "Invalid Content-Type='%s', expected 'application/json'", http.StatusUnsupportedMediaType)
 | |
| 		return
 | |
| 	}
 | |
| 
 | |
| 	/* read AdmissionReview from the request body */
 | |
| 	ar, err := deserializeAdmissionReview(body)
 | |
| 	if err != nil {
 | |
| 		logging.Errorf("Error deserializing AdmissionReview: %s", err.Error())
 | |
| 		http.Error(w, fmt.Sprintf("Error deserializing AdmissionReview: %s", err.Error()), http.StatusBadRequest)
 | |
| 		return
 | |
| 	}
 | |
| 
 | |
| 	netAttachDef, err := deserializeNetworkAttachmentDefinition(ar)
 | |
| 	if err != nil {
 | |
| 		handleValidationError(w, ar, err)
 | |
| 		return
 | |
| 	}
 | |
| 
 | |
| 	/* perform actual object validation */
 | |
| 	allowed, err := validateNetworkAttachmentDefinition(netAttachDef)
 | |
| 	if err != nil {
 | |
| 		handleValidationError(w, ar, err)
 | |
| 		return
 | |
| 	}
 | |
| 
 | |
| 	err = prepareAdmissionReviewResponse(allowed, "", &ar)
 | |
| 	if err != nil {
 | |
| 		logging.Errorf(err.Error())
 | |
| 		http.Error(w, err.Error(), http.StatusBadRequest)
 | |
| 		return
 | |
| 	}
 | |
| 
 | |
| 	writeResponse(w, ar)
 | |
| }
 | |
| 
 | |
| func main() {
 | |
| 	/* load configuration */
 | |
| 	port := flag.Int("port", 443, "The port on which to serve.")
 | |
| 	address := flag.String("bind-address", "0.0.0.0", "The IP address on which to listen for the --port port.")
 | |
| 	cert := flag.String("tls-cert-file", "cert.pem", "File containing the default x509 Certificate for HTTPS.")
 | |
| 	key := flag.String("tls-private-key-file", "key.pem", "File containing the default x509 private key matching --tls-cert-file.")
 | |
| 	flag.Parse()
 | |
| 
 | |
| 	/* enable logging */
 | |
| 	logging.SetLogLevel("debug")
 | |
| 	logging.Printf(logging.DebugLevel, "Starting Multus webhook server")
 | |
| 
 | |
| 	/* register handlers */
 | |
| 	http.HandleFunc("/validate", validateHandler)
 | |
| 
 | |
| 	/* start serving */
 | |
| 	err := http.ListenAndServeTLS(fmt.Sprintf("%s:%d", *address, *port), *cert, *key, nil)
 | |
| 	if err != nil {
 | |
| 		logging.Errorf("Error starting web server: %s", err.Error())
 | |
| 		return
 | |
| 	}
 | |
| }
 |