2019-05-13 21:33:01 +03:00
|
|
|
package webhooks
|
2019-02-07 19:22:04 +02:00
|
|
|
|
|
|
|
|
import (
|
2019-03-04 20:40:02 +02:00
|
|
|
"context"
|
|
|
|
|
"crypto/tls"
|
|
|
|
|
"encoding/json"
|
|
|
|
|
"errors"
|
|
|
|
|
"fmt"
|
|
|
|
|
"io/ioutil"
|
|
|
|
|
"net/http"
|
|
|
|
|
"time"
|
|
|
|
|
|
2019-05-30 12:28:56 -07:00
|
|
|
"github.com/golang/glog"
|
2019-07-17 17:53:13 -07:00
|
|
|
"github.com/nirmata/kyverno/pkg/annotations"
|
2019-05-22 18:29:10 +01:00
|
|
|
"github.com/nirmata/kyverno/pkg/client/listers/policy/v1alpha1"
|
|
|
|
|
"github.com/nirmata/kyverno/pkg/config"
|
2019-05-29 14:12:09 -07:00
|
|
|
client "github.com/nirmata/kyverno/pkg/dclient"
|
2019-06-26 18:04:50 -07:00
|
|
|
"github.com/nirmata/kyverno/pkg/event"
|
2019-05-22 18:29:10 +01:00
|
|
|
"github.com/nirmata/kyverno/pkg/sharedinformer"
|
|
|
|
|
tlsutils "github.com/nirmata/kyverno/pkg/tls"
|
2019-07-31 17:43:46 -07:00
|
|
|
"github.com/nirmata/kyverno/pkg/utils"
|
2019-07-15 11:29:58 -07:00
|
|
|
"github.com/nirmata/kyverno/pkg/violation"
|
2019-03-04 20:40:02 +02:00
|
|
|
v1beta1 "k8s.io/api/admission/v1beta1"
|
2019-02-07 19:22:04 +02:00
|
|
|
)
|
|
|
|
|
|
2019-03-04 20:40:02 +02:00
|
|
|
// WebhookServer contains configured TLS server with MutationWebhook.
|
|
|
|
|
// MutationWebhook gets policies from policyController and takes control of the cluster with kubeclient.
|
2019-02-07 19:22:04 +02:00
|
|
|
type WebhookServer struct {
|
2019-08-07 18:01:28 -07:00
|
|
|
server http.Server
|
|
|
|
|
client *client.Client
|
|
|
|
|
policyLister v1alpha1.PolicyLister
|
|
|
|
|
eventController event.Generator
|
|
|
|
|
violationBuilder violation.Generator
|
|
|
|
|
annotationsController annotations.Controller
|
|
|
|
|
webhookRegistrationClient *WebhookRegistrationClient
|
|
|
|
|
filterK8Resources []utils.K8Resource
|
2019-03-04 20:40:02 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// NewWebhookServer creates new instance of WebhookServer accordingly to given configuration
|
|
|
|
|
// Policy Controller and Kubernetes Client should be initialized in configuration
|
2019-05-13 21:27:47 +03:00
|
|
|
func NewWebhookServer(
|
2019-05-20 10:56:12 -07:00
|
|
|
client *client.Client,
|
2019-05-14 18:10:25 +03:00
|
|
|
tlsPair *tlsutils.TlsPemPair,
|
2019-06-17 23:41:18 -07:00
|
|
|
shareInformer sharedinformer.PolicyInformer,
|
2019-06-26 18:04:50 -07:00
|
|
|
eventController event.Generator,
|
2019-07-15 14:49:22 -07:00
|
|
|
violationBuilder violation.Generator,
|
2019-07-17 17:53:13 -07:00
|
|
|
annotationsController annotations.Controller,
|
2019-08-07 18:01:28 -07:00
|
|
|
webhookRegistrationClient *WebhookRegistrationClient,
|
2019-07-31 17:43:46 -07:00
|
|
|
filterK8Resources string) (*WebhookServer, error) {
|
2019-03-04 20:40:02 +02:00
|
|
|
|
2019-05-13 21:27:47 +03:00
|
|
|
if tlsPair == nil {
|
2019-03-22 22:11:55 +02:00
|
|
|
return nil, errors.New("NewWebhookServer is not initialized properly")
|
2019-03-04 20:40:02 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
var tlsConfig tls.Config
|
2019-03-22 22:11:55 +02:00
|
|
|
pair, err := tls.X509KeyPair(tlsPair.Certificate, tlsPair.PrivateKey)
|
2019-03-04 20:40:02 +02:00
|
|
|
if err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
tlsConfig.Certificates = []tls.Certificate{pair}
|
|
|
|
|
|
|
|
|
|
ws := &WebhookServer{
|
2019-08-07 18:01:28 -07:00
|
|
|
client: client,
|
|
|
|
|
policyLister: shareInformer.GetLister(),
|
|
|
|
|
eventController: eventController,
|
|
|
|
|
violationBuilder: violationBuilder,
|
|
|
|
|
annotationsController: annotationsController,
|
|
|
|
|
webhookRegistrationClient: webhookRegistrationClient,
|
|
|
|
|
filterK8Resources: utils.ParseKinds(filterK8Resources),
|
2019-03-04 20:40:02 +02:00
|
|
|
}
|
|
|
|
|
mux := http.NewServeMux()
|
2019-05-14 18:10:25 +03:00
|
|
|
mux.HandleFunc(config.MutatingWebhookServicePath, ws.serve)
|
|
|
|
|
mux.HandleFunc(config.ValidatingWebhookServicePath, ws.serve)
|
2019-07-02 18:42:07 -07:00
|
|
|
mux.HandleFunc(config.PolicyValidatingWebhookServicePath, ws.serve)
|
2019-03-04 20:40:02 +02:00
|
|
|
|
|
|
|
|
ws.server = http.Server{
|
|
|
|
|
Addr: ":443", // Listen on port for HTTPS requests
|
|
|
|
|
TLSConfig: &tlsConfig,
|
|
|
|
|
Handler: mux,
|
|
|
|
|
ReadTimeout: 15 * time.Second,
|
|
|
|
|
WriteTimeout: 15 * time.Second,
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return ws, nil
|
2019-02-21 20:31:18 +02:00
|
|
|
}
|
|
|
|
|
|
2019-03-07 17:57:43 +02:00
|
|
|
// Main server endpoint for all requests
|
2019-02-07 19:22:04 +02:00
|
|
|
func (ws *WebhookServer) serve(w http.ResponseWriter, r *http.Request) {
|
2019-05-14 18:10:25 +03:00
|
|
|
admissionReview := ws.bodyToAdmissionReview(r, w)
|
|
|
|
|
if admissionReview == nil {
|
|
|
|
|
return
|
|
|
|
|
}
|
2019-03-04 20:40:02 +02:00
|
|
|
|
2019-05-14 18:10:25 +03:00
|
|
|
admissionReview.Response = &v1beta1.AdmissionResponse{
|
|
|
|
|
Allowed: true,
|
2019-03-04 20:40:02 +02:00
|
|
|
}
|
2019-07-02 17:24:38 -07:00
|
|
|
|
2019-06-19 14:05:23 -07:00
|
|
|
// Do not process the admission requests for kinds that are in filterKinds for filtering
|
2019-07-31 17:43:46 -07:00
|
|
|
if !utils.SkipFilteredResourcesReq(admissionReview.Request, ws.filterK8Resources) {
|
2019-07-15 20:16:06 -07:00
|
|
|
// if the resource is being deleted we need to clear any existing Policy Violations
|
|
|
|
|
// TODO: can report to the user that we clear the violation corresponding to this resource
|
2019-08-08 13:09:40 -07:00
|
|
|
if admissionReview.Request.Operation == v1beta1.Delete && admissionReview.Request.Kind.Kind != policyKind {
|
2019-07-15 20:16:06 -07:00
|
|
|
// Resource DELETE
|
|
|
|
|
err := ws.removePolicyViolation(admissionReview.Request)
|
|
|
|
|
if err != nil {
|
|
|
|
|
glog.Info(err)
|
|
|
|
|
}
|
|
|
|
|
admissionReview.Response = &v1beta1.AdmissionResponse{
|
|
|
|
|
Allowed: true,
|
|
|
|
|
}
|
|
|
|
|
admissionReview.Response.UID = admissionReview.Request.UID
|
|
|
|
|
} else {
|
|
|
|
|
// Resource CREATE
|
|
|
|
|
// Resource UPDATE
|
|
|
|
|
switch r.URL.Path {
|
|
|
|
|
case config.MutatingWebhookServicePath:
|
|
|
|
|
admissionReview.Response = ws.HandleMutation(admissionReview.Request)
|
|
|
|
|
case config.ValidatingWebhookServicePath:
|
|
|
|
|
admissionReview.Response = ws.HandleValidation(admissionReview.Request)
|
|
|
|
|
case config.PolicyValidatingWebhookServicePath:
|
|
|
|
|
admissionReview.Response = ws.HandlePolicyValidation(admissionReview.Request)
|
|
|
|
|
}
|
2019-06-17 23:41:18 -07:00
|
|
|
|
|
|
|
|
}
|
2019-03-04 20:40:02 +02:00
|
|
|
}
|
|
|
|
|
|
2019-05-14 18:10:25 +03:00
|
|
|
admissionReview.Response.UID = admissionReview.Request.UID
|
|
|
|
|
|
2019-06-25 18:16:02 -07:00
|
|
|
responseJSON, err := json.Marshal(admissionReview)
|
2019-05-14 18:10:25 +03:00
|
|
|
if err != nil {
|
|
|
|
|
http.Error(w, fmt.Sprintf("Could not encode response: %v", err), http.StatusInternalServerError)
|
|
|
|
|
return
|
2019-03-04 20:40:02 +02:00
|
|
|
}
|
|
|
|
|
|
2019-05-14 18:10:25 +03:00
|
|
|
w.Header().Set("Content-Type", "application/json; charset=utf-8")
|
2019-06-25 18:16:02 -07:00
|
|
|
if _, err := w.Write(responseJSON); err != nil {
|
2019-05-14 18:10:25 +03:00
|
|
|
http.Error(w, fmt.Sprintf("could not write response: %v", err), http.StatusInternalServerError)
|
2019-03-04 20:40:02 +02:00
|
|
|
}
|
2019-02-15 20:00:49 +02:00
|
|
|
}
|
|
|
|
|
|
2019-05-14 18:10:25 +03:00
|
|
|
// RunAsync TLS server in separate thread and returns control immediately
|
2019-02-07 19:22:04 +02:00
|
|
|
func (ws *WebhookServer) RunAsync() {
|
2019-03-04 20:40:02 +02:00
|
|
|
go func(ws *WebhookServer) {
|
2019-07-23 17:54:31 -07:00
|
|
|
glog.V(3).Infof("serving on %s\n", ws.server.Addr)
|
2019-03-04 20:40:02 +02:00
|
|
|
err := ws.server.ListenAndServeTLS("", "")
|
|
|
|
|
if err != nil {
|
2019-07-23 17:54:31 -07:00
|
|
|
glog.Fatalf("error serving TLS: %v\n", err)
|
2019-03-04 20:40:02 +02:00
|
|
|
}
|
|
|
|
|
}(ws)
|
2019-05-30 12:28:56 -07:00
|
|
|
glog.Info("Started Webhook Server")
|
2019-02-07 19:22:04 +02:00
|
|
|
}
|
|
|
|
|
|
2019-05-14 18:10:25 +03:00
|
|
|
// Stop TLS server and returns control after the server is shut down
|
2019-02-07 19:22:04 +02:00
|
|
|
func (ws *WebhookServer) Stop() {
|
2019-03-04 20:40:02 +02:00
|
|
|
err := ws.server.Shutdown(context.Background())
|
|
|
|
|
if err != nil {
|
|
|
|
|
// Error from closing listeners, or context timeout:
|
2019-06-07 14:46:18 +03:00
|
|
|
glog.Info("Server Shutdown error: ", err)
|
2019-03-04 20:40:02 +02:00
|
|
|
ws.server.Close()
|
|
|
|
|
}
|
2019-02-07 19:22:04 +02:00
|
|
|
}
|
2019-05-13 21:27:47 +03:00
|
|
|
|
2019-05-14 18:10:25 +03:00
|
|
|
// bodyToAdmissionReview creates AdmissionReview object from request body
|
|
|
|
|
// Answers to the http.ResponseWriter if request is not valid
|
|
|
|
|
func (ws *WebhookServer) bodyToAdmissionReview(request *http.Request, writer http.ResponseWriter) *v1beta1.AdmissionReview {
|
|
|
|
|
var body []byte
|
|
|
|
|
if request.Body != nil {
|
|
|
|
|
if data, err := ioutil.ReadAll(request.Body); err == nil {
|
|
|
|
|
body = data
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
if len(body) == 0 {
|
2019-05-30 12:28:56 -07:00
|
|
|
glog.Error("Error: empty body")
|
2019-05-14 18:10:25 +03:00
|
|
|
http.Error(writer, "empty body", http.StatusBadRequest)
|
|
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
contentType := request.Header.Get("Content-Type")
|
|
|
|
|
if contentType != "application/json" {
|
2019-06-07 14:46:18 +03:00
|
|
|
glog.Error("Error: invalid Content-Type: ", contentType)
|
2019-05-14 18:10:25 +03:00
|
|
|
http.Error(writer, "invalid Content-Type, expect `application/json`", http.StatusUnsupportedMediaType)
|
|
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
admissionReview := &v1beta1.AdmissionReview{}
|
|
|
|
|
if err := json.Unmarshal(body, &admissionReview); err != nil {
|
2019-05-30 12:28:56 -07:00
|
|
|
glog.Errorf("Error: Can't decode body as AdmissionReview: %v", err)
|
2019-05-14 18:10:25 +03:00
|
|
|
http.Error(writer, "Can't decode body as AdmissionReview", http.StatusExpectationFailed)
|
|
|
|
|
return nil
|
|
|
|
|
}
|
2019-06-05 17:43:59 -07:00
|
|
|
|
|
|
|
|
return admissionReview
|
2019-05-13 21:27:47 +03:00
|
|
|
}
|
