2019-05-13 21:33:01 +03:00
|
|
|
package webhooks
|
2019-02-07 19:22:04 +02:00
|
|
|
|
|
|
|
|
import (
|
2019-03-04 20:40:02 +02:00
|
|
|
"context"
|
|
|
|
|
"crypto/tls"
|
|
|
|
|
"encoding/json"
|
|
|
|
|
"errors"
|
|
|
|
|
"fmt"
|
|
|
|
|
"io/ioutil"
|
|
|
|
|
"net/http"
|
|
|
|
|
"time"
|
|
|
|
|
|
2019-05-30 12:28:56 -07:00
|
|
|
"github.com/golang/glog"
|
2019-10-30 13:39:19 -07:00
|
|
|
"github.com/nirmata/kyverno/pkg/checker"
|
2019-08-17 09:58:14 -07:00
|
|
|
kyvernoclient "github.com/nirmata/kyverno/pkg/client/clientset/versioned"
|
2019-11-13 13:41:08 -08:00
|
|
|
kyvernoinformer "github.com/nirmata/kyverno/pkg/client/informers/externalversions/kyverno/v1"
|
|
|
|
|
kyvernolister "github.com/nirmata/kyverno/pkg/client/listers/kyverno/v1"
|
2019-05-22 18:29:10 +01:00
|
|
|
"github.com/nirmata/kyverno/pkg/config"
|
2019-05-29 14:12:09 -07:00
|
|
|
client "github.com/nirmata/kyverno/pkg/dclient"
|
2019-06-26 18:04:50 -07:00
|
|
|
"github.com/nirmata/kyverno/pkg/event"
|
2019-08-20 12:51:25 -07:00
|
|
|
"github.com/nirmata/kyverno/pkg/policy"
|
2019-11-11 11:10:25 -08:00
|
|
|
"github.com/nirmata/kyverno/pkg/policystore"
|
2019-11-12 14:41:29 -08:00
|
|
|
"github.com/nirmata/kyverno/pkg/policyviolation"
|
2019-05-22 18:29:10 +01:00
|
|
|
tlsutils "github.com/nirmata/kyverno/pkg/tls"
|
2019-11-11 14:52:09 -08:00
|
|
|
userinfo "github.com/nirmata/kyverno/pkg/userinfo"
|
2019-08-21 01:07:32 -07:00
|
|
|
"github.com/nirmata/kyverno/pkg/webhookconfig"
|
2020-01-07 10:33:28 -08:00
|
|
|
"github.com/nirmata/kyverno/pkg/webhooks/generate"
|
2019-03-04 20:40:02 +02:00
|
|
|
v1beta1 "k8s.io/api/admission/v1beta1"
|
2019-08-23 18:34:23 -07:00
|
|
|
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
2019-11-11 15:43:13 -08:00
|
|
|
rbacinformer "k8s.io/client-go/informers/rbac/v1"
|
|
|
|
|
rbaclister "k8s.io/client-go/listers/rbac/v1"
|
2019-08-12 10:02:07 -07:00
|
|
|
"k8s.io/client-go/tools/cache"
|
2019-02-07 19:22:04 +02:00
|
|
|
)
|
|
|
|
|
|
2019-03-04 20:40:02 +02:00
|
|
|
// WebhookServer contains configured TLS server with MutationWebhook.
|
|
|
|
|
// MutationWebhook gets policies from policyController and takes control of the cluster with kubeclient.
|
2019-02-07 19:22:04 +02:00
|
|
|
type WebhookServer struct {
|
2019-11-15 15:59:37 -08:00
|
|
|
server http.Server
|
|
|
|
|
client *client.Client
|
|
|
|
|
kyvernoClient *kyvernoclient.Clientset
|
|
|
|
|
// list/get cluster policy resource
|
|
|
|
|
pLister kyvernolister.ClusterPolicyLister
|
|
|
|
|
// returns true if the cluster policy store has synced atleast
|
|
|
|
|
pSynced cache.InformerSynced
|
|
|
|
|
// list/get role binding resource
|
|
|
|
|
rbLister rbaclister.RoleBindingLister
|
|
|
|
|
// return true if role bining store has synced atleast once
|
|
|
|
|
rbSynced cache.InformerSynced
|
|
|
|
|
// list/get cluster role binding resource
|
|
|
|
|
crbLister rbaclister.ClusterRoleBindingLister
|
|
|
|
|
// return true if cluster role binding store has synced atleast once
|
|
|
|
|
crbSynced cache.InformerSynced
|
|
|
|
|
// generate events
|
|
|
|
|
eventGen event.Interface
|
|
|
|
|
// webhook registration client
|
2019-08-21 01:07:32 -07:00
|
|
|
webhookRegistrationClient *webhookconfig.WebhookRegistrationClient
|
2019-08-20 12:51:25 -07:00
|
|
|
// API to send policy stats for aggregation
|
2019-10-18 17:38:46 -07:00
|
|
|
policyStatus policy.PolicyStatusInterface
|
|
|
|
|
// helpers to validate against current loaded configuration
|
|
|
|
|
configHandler config.Interface
|
|
|
|
|
// channel for cleanup notification
|
|
|
|
|
cleanUp chan<- struct{}
|
2019-10-30 13:39:19 -07:00
|
|
|
// last request time
|
|
|
|
|
lastReqTime *checker.LastReqTime
|
2019-11-11 11:10:25 -08:00
|
|
|
// store to hold policy meta data for faster lookup
|
2019-11-12 14:41:29 -08:00
|
|
|
pMetaStore policystore.LookupInterface
|
|
|
|
|
// policy violation generator
|
2020-01-07 10:33:28 -08:00
|
|
|
pvGenerator policyviolation.GeneratorInterface
|
|
|
|
|
// generate request generator
|
|
|
|
|
grGenerator *generate.Generator
|
2019-12-05 15:49:02 -08:00
|
|
|
resourceWebhookWatcher *webhookconfig.ResourceWebhookRegister
|
2019-03-04 20:40:02 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// NewWebhookServer creates new instance of WebhookServer accordingly to given configuration
|
|
|
|
|
// Policy Controller and Kubernetes Client should be initialized in configuration
|
2019-05-13 21:27:47 +03:00
|
|
|
func NewWebhookServer(
|
2019-08-09 19:12:50 -07:00
|
|
|
kyvernoClient *kyvernoclient.Clientset,
|
2019-05-20 10:56:12 -07:00
|
|
|
client *client.Client,
|
2019-05-14 18:10:25 +03:00
|
|
|
tlsPair *tlsutils.TlsPemPair,
|
2019-09-03 14:51:51 -07:00
|
|
|
pInformer kyvernoinformer.ClusterPolicyInformer,
|
2019-11-11 15:43:13 -08:00
|
|
|
rbInformer rbacinformer.RoleBindingInformer,
|
|
|
|
|
crbInformer rbacinformer.ClusterRoleBindingInformer,
|
2019-08-09 13:41:56 -07:00
|
|
|
eventGen event.Interface,
|
2019-08-21 01:07:32 -07:00
|
|
|
webhookRegistrationClient *webhookconfig.WebhookRegistrationClient,
|
2019-08-20 12:51:25 -07:00
|
|
|
policyStatus policy.PolicyStatusInterface,
|
2019-10-18 17:38:46 -07:00
|
|
|
configHandler config.Interface,
|
2019-11-12 14:41:29 -08:00
|
|
|
pMetaStore policystore.LookupInterface,
|
|
|
|
|
pvGenerator policyviolation.GeneratorInterface,
|
2020-01-07 10:33:28 -08:00
|
|
|
grGenerator *generate.Generator,
|
2019-12-05 15:49:02 -08:00
|
|
|
resourceWebhookWatcher *webhookconfig.ResourceWebhookRegister,
|
2019-08-27 16:44:10 -07:00
|
|
|
cleanUp chan<- struct{}) (*WebhookServer, error) {
|
2019-03-04 20:40:02 +02:00
|
|
|
|
2019-05-13 21:27:47 +03:00
|
|
|
if tlsPair == nil {
|
2019-03-22 22:11:55 +02:00
|
|
|
return nil, errors.New("NewWebhookServer is not initialized properly")
|
2019-03-04 20:40:02 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
var tlsConfig tls.Config
|
2019-03-22 22:11:55 +02:00
|
|
|
pair, err := tls.X509KeyPair(tlsPair.Certificate, tlsPair.PrivateKey)
|
2019-03-04 20:40:02 +02:00
|
|
|
if err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
tlsConfig.Certificates = []tls.Certificate{pair}
|
|
|
|
|
|
|
|
|
|
ws := &WebhookServer{
|
2019-08-07 18:01:28 -07:00
|
|
|
client: client,
|
2019-08-14 19:00:37 -07:00
|
|
|
kyvernoClient: kyvernoClient,
|
|
|
|
|
pLister: pInformer.Lister(),
|
2019-11-15 15:59:37 -08:00
|
|
|
pSynced: pInformer.Informer().HasSynced,
|
|
|
|
|
rbLister: rbInformer.Lister(),
|
|
|
|
|
rbSynced: rbInformer.Informer().HasSynced,
|
|
|
|
|
crbLister: crbInformer.Lister(),
|
|
|
|
|
crbSynced: crbInformer.Informer().HasSynced,
|
2019-08-14 19:00:37 -07:00
|
|
|
eventGen: eventGen,
|
2019-08-07 18:01:28 -07:00
|
|
|
webhookRegistrationClient: webhookRegistrationClient,
|
2019-08-20 12:51:25 -07:00
|
|
|
policyStatus: policyStatus,
|
2019-10-18 17:38:46 -07:00
|
|
|
configHandler: configHandler,
|
2019-08-27 16:44:10 -07:00
|
|
|
cleanUp: cleanUp,
|
2019-12-05 13:51:02 -08:00
|
|
|
lastReqTime: resourceWebhookWatcher.LastReqTime,
|
2019-11-12 14:41:29 -08:00
|
|
|
pvGenerator: pvGenerator,
|
2019-11-11 11:10:25 -08:00
|
|
|
pMetaStore: pMetaStore,
|
2020-01-07 10:33:28 -08:00
|
|
|
grGenerator: grGenerator,
|
2019-12-04 12:31:27 -08:00
|
|
|
resourceWebhookWatcher: resourceWebhookWatcher,
|
2019-03-04 20:40:02 +02:00
|
|
|
}
|
|
|
|
|
mux := http.NewServeMux()
|
2019-05-14 18:10:25 +03:00
|
|
|
mux.HandleFunc(config.MutatingWebhookServicePath, ws.serve)
|
2019-12-13 11:13:58 -08:00
|
|
|
mux.HandleFunc(config.VerifyMutatingWebhookServicePath, ws.serve)
|
2019-07-02 18:42:07 -07:00
|
|
|
mux.HandleFunc(config.PolicyValidatingWebhookServicePath, ws.serve)
|
2019-08-27 16:44:10 -07:00
|
|
|
mux.HandleFunc(config.PolicyMutatingWebhookServicePath, ws.serve)
|
2019-03-04 20:40:02 +02:00
|
|
|
ws.server = http.Server{
|
|
|
|
|
Addr: ":443", // Listen on port for HTTPS requests
|
|
|
|
|
TLSConfig: &tlsConfig,
|
|
|
|
|
Handler: mux,
|
|
|
|
|
ReadTimeout: 15 * time.Second,
|
|
|
|
|
WriteTimeout: 15 * time.Second,
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return ws, nil
|
2019-02-21 20:31:18 +02:00
|
|
|
}
|
|
|
|
|
|
2019-03-07 17:57:43 +02:00
|
|
|
// Main server endpoint for all requests
|
2019-02-07 19:22:04 +02:00
|
|
|
func (ws *WebhookServer) serve(w http.ResponseWriter, r *http.Request) {
|
2019-11-12 14:41:29 -08:00
|
|
|
startTime := time.Now()
|
2020-01-24 12:05:53 -08:00
|
|
|
// for every request received on the ep update last request time,
|
2019-10-30 13:39:19 -07:00
|
|
|
// this is used to verify admission control
|
|
|
|
|
ws.lastReqTime.SetTime(time.Now())
|
2019-05-14 18:10:25 +03:00
|
|
|
admissionReview := ws.bodyToAdmissionReview(r, w)
|
|
|
|
|
if admissionReview == nil {
|
|
|
|
|
return
|
|
|
|
|
}
|
2019-11-12 14:41:29 -08:00
|
|
|
defer func() {
|
|
|
|
|
glog.V(4).Infof("request: %v %s/%s/%s", time.Since(startTime), admissionReview.Request.Kind, admissionReview.Request.Namespace, admissionReview.Request.Name)
|
|
|
|
|
}()
|
2019-03-04 20:40:02 +02:00
|
|
|
|
2019-05-14 18:10:25 +03:00
|
|
|
admissionReview.Response = &v1beta1.AdmissionResponse{
|
|
|
|
|
Allowed: true,
|
2019-03-04 20:40:02 +02:00
|
|
|
}
|
2019-07-02 17:24:38 -07:00
|
|
|
|
2019-06-19 14:05:23 -07:00
|
|
|
// Do not process the admission requests for kinds that are in filterKinds for filtering
|
2019-10-18 17:38:46 -07:00
|
|
|
request := admissionReview.Request
|
2019-10-30 13:39:19 -07:00
|
|
|
switch r.URL.Path {
|
|
|
|
|
case config.VerifyMutatingWebhookServicePath:
|
2020-01-24 12:05:53 -08:00
|
|
|
// we do not apply filters as this endpoint is used explicitly
|
2019-10-30 13:39:19 -07:00
|
|
|
// to watch kyveno deployment and verify if admission control is enabled
|
|
|
|
|
admissionReview.Response = ws.handleVerifyRequest(request)
|
|
|
|
|
case config.MutatingWebhookServicePath:
|
|
|
|
|
if !ws.configHandler.ToFilter(request.Kind.Kind, request.Namespace, request.Name) {
|
2019-10-18 17:38:46 -07:00
|
|
|
admissionReview.Response = ws.handleAdmissionRequest(request)
|
2019-10-30 13:39:19 -07:00
|
|
|
}
|
|
|
|
|
case config.PolicyValidatingWebhookServicePath:
|
|
|
|
|
if !ws.configHandler.ToFilter(request.Kind.Kind, request.Namespace, request.Name) {
|
2019-10-18 17:38:46 -07:00
|
|
|
admissionReview.Response = ws.handlePolicyValidation(request)
|
2019-10-30 13:39:19 -07:00
|
|
|
}
|
|
|
|
|
case config.PolicyMutatingWebhookServicePath:
|
|
|
|
|
if !ws.configHandler.ToFilter(request.Kind.Kind, request.Namespace, request.Name) {
|
2019-10-18 17:38:46 -07:00
|
|
|
admissionReview.Response = ws.handlePolicyMutation(request)
|
2019-06-17 23:41:18 -07:00
|
|
|
}
|
2019-03-04 20:40:02 +02:00
|
|
|
}
|
2019-10-18 17:38:46 -07:00
|
|
|
admissionReview.Response.UID = request.UID
|
2019-05-14 18:10:25 +03:00
|
|
|
|
2019-06-25 18:16:02 -07:00
|
|
|
responseJSON, err := json.Marshal(admissionReview)
|
2019-05-14 18:10:25 +03:00
|
|
|
if err != nil {
|
|
|
|
|
http.Error(w, fmt.Sprintf("Could not encode response: %v", err), http.StatusInternalServerError)
|
|
|
|
|
return
|
2019-03-04 20:40:02 +02:00
|
|
|
}
|
|
|
|
|
|
2019-05-14 18:10:25 +03:00
|
|
|
w.Header().Set("Content-Type", "application/json; charset=utf-8")
|
2019-06-25 18:16:02 -07:00
|
|
|
if _, err := w.Write(responseJSON); err != nil {
|
2019-05-14 18:10:25 +03:00
|
|
|
http.Error(w, fmt.Sprintf("could not write response: %v", err), http.StatusInternalServerError)
|
2019-03-04 20:40:02 +02:00
|
|
|
}
|
2019-02-15 20:00:49 +02:00
|
|
|
}
|
|
|
|
|
|
2019-08-27 16:44:10 -07:00
|
|
|
func (ws *WebhookServer) handleAdmissionRequest(request *v1beta1.AdmissionRequest) *v1beta1.AdmissionResponse {
|
2020-02-05 15:55:37 +05:30
|
|
|
policies, err := ws.pMetaStore.GetAll()
|
2019-11-07 12:13:16 -08:00
|
|
|
if err != nil {
|
2019-11-13 12:15:51 -08:00
|
|
|
// Unable to connect to policy Lister to access policies
|
2019-11-07 12:13:16 -08:00
|
|
|
glog.Errorf("Unable to connect to policy controller to access policies. Policies are NOT being applied: %v", err)
|
|
|
|
|
return &v1beta1.AdmissionResponse{Allowed: true}
|
|
|
|
|
}
|
|
|
|
|
|
2019-11-11 14:52:09 -08:00
|
|
|
var roles, clusterRoles []string
|
|
|
|
|
|
|
|
|
|
// getRoleRef only if policy has roles/clusterroles defined
|
2019-11-11 21:23:26 -08:00
|
|
|
startTime := time.Now()
|
2019-11-11 14:52:09 -08:00
|
|
|
if containRBACinfo(policies) {
|
2019-11-11 15:43:13 -08:00
|
|
|
roles, clusterRoles, err = userinfo.GetRoleRef(ws.rbLister, ws.crbLister, request)
|
2019-11-11 14:52:09 -08:00
|
|
|
if err != nil {
|
|
|
|
|
// TODO(shuting): continue apply policy if error getting roleRef?
|
|
|
|
|
glog.Errorf("Unable to get rbac information for request Kind=%s, Namespace=%s Name=%s UID=%s patchOperation=%s: %v",
|
|
|
|
|
request.Kind.Kind, request.Namespace, request.Name, request.UID, request.Operation, err)
|
|
|
|
|
}
|
2019-11-08 18:56:24 -08:00
|
|
|
}
|
2019-11-11 21:23:26 -08:00
|
|
|
glog.V(4).Infof("Time: webhook GetRoleRef %v", time.Since(startTime))
|
2019-11-08 18:56:24 -08:00
|
|
|
|
2020-01-06 19:24:24 -08:00
|
|
|
// convert RAW to unstructured
|
2020-01-07 11:32:52 -08:00
|
|
|
resource, err := convertResource(request.Object.Raw, request.Kind.Group, request.Kind.Version, request.Kind.Kind, request.Namespace)
|
2020-01-06 19:24:24 -08:00
|
|
|
if err != nil {
|
2020-01-07 11:32:52 -08:00
|
|
|
glog.Errorf(err.Error())
|
|
|
|
|
|
2020-01-06 19:24:24 -08:00
|
|
|
return &v1beta1.AdmissionResponse{
|
|
|
|
|
Allowed: false,
|
|
|
|
|
Result: &metav1.Status{
|
|
|
|
|
Status: "Failure",
|
2020-01-07 11:32:52 -08:00
|
|
|
Message: err.Error(),
|
2020-01-06 19:24:24 -08:00
|
|
|
},
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2020-01-07 11:32:52 -08:00
|
|
|
if checkPodTemplateAnn(resource) {
|
2020-01-06 19:24:24 -08:00
|
|
|
return &v1beta1.AdmissionResponse{
|
|
|
|
|
Allowed: true,
|
|
|
|
|
Result: &metav1.Status{
|
|
|
|
|
Status: "Success",
|
|
|
|
|
},
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2019-08-23 18:34:23 -07:00
|
|
|
// MUTATION
|
2020-01-15 21:46:58 -08:00
|
|
|
// mutation failure should not block the resource creation
|
|
|
|
|
// any mutation failure is reported as the violation
|
2020-01-16 14:29:44 -08:00
|
|
|
patches := ws.HandleMutation(request, resource, policies, roles, clusterRoles)
|
2019-08-14 11:51:01 -07:00
|
|
|
|
2019-08-23 18:34:23 -07:00
|
|
|
// patch the resource with patches before handling validation rules
|
|
|
|
|
patchedResource := processResourceWithPatches(patches, request.Object.Raw)
|
|
|
|
|
|
|
|
|
|
// VALIDATION
|
2020-01-15 21:46:58 -08:00
|
|
|
ok, msg := ws.HandleValidation(request, policies, patchedResource, roles, clusterRoles)
|
2019-08-23 18:34:23 -07:00
|
|
|
if !ok {
|
2019-10-15 20:56:41 -07:00
|
|
|
glog.V(4).Infof("Deny admission request: %v/%s/%s", request.Kind, request.Namespace, request.Name)
|
2019-08-23 18:34:23 -07:00
|
|
|
return &v1beta1.AdmissionResponse{
|
|
|
|
|
Allowed: false,
|
|
|
|
|
Result: &metav1.Status{
|
|
|
|
|
Status: "Failure",
|
|
|
|
|
Message: msg,
|
|
|
|
|
},
|
|
|
|
|
}
|
2019-08-14 11:51:01 -07:00
|
|
|
}
|
|
|
|
|
|
2020-01-07 10:33:28 -08:00
|
|
|
// GENERATE
|
|
|
|
|
// Only applied during resource creation
|
|
|
|
|
// Success -> Generate Request CR created successsfully
|
|
|
|
|
// Failed -> Failed to create Generate Request CR
|
|
|
|
|
if request.Operation == v1beta1.Create {
|
|
|
|
|
ok, msg = ws.HandleGenerate(request, policies, patchedResource, roles, clusterRoles)
|
|
|
|
|
if !ok {
|
|
|
|
|
glog.V(4).Infof("Deny admission request: %v/%s/%s", request.Kind, request.Namespace, request.Name)
|
|
|
|
|
return &v1beta1.AdmissionResponse{
|
|
|
|
|
Allowed: false,
|
|
|
|
|
Result: &metav1.Status{
|
|
|
|
|
Status: "Failure",
|
|
|
|
|
Message: msg,
|
|
|
|
|
},
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
2019-08-23 18:34:23 -07:00
|
|
|
// Succesfful processing of mutation & validation rules in policy
|
|
|
|
|
patchType := v1beta1.PatchTypeJSONPatch
|
|
|
|
|
return &v1beta1.AdmissionResponse{
|
|
|
|
|
Allowed: true,
|
|
|
|
|
Result: &metav1.Status{
|
|
|
|
|
Status: "Success",
|
|
|
|
|
},
|
|
|
|
|
Patch: patches,
|
|
|
|
|
PatchType: &patchType,
|
|
|
|
|
}
|
2019-08-14 11:51:01 -07:00
|
|
|
}
|
|
|
|
|
|
2019-05-14 18:10:25 +03:00
|
|
|
// RunAsync TLS server in separate thread and returns control immediately
|
2019-10-25 16:55:48 -05:00
|
|
|
func (ws *WebhookServer) RunAsync(stopCh <-chan struct{}) {
|
2019-11-15 15:59:37 -08:00
|
|
|
if !cache.WaitForCacheSync(stopCh, ws.pSynced, ws.rbSynced, ws.crbSynced) {
|
|
|
|
|
glog.Error("webhook: failed to sync informer cache")
|
|
|
|
|
}
|
|
|
|
|
|
2019-03-04 20:40:02 +02:00
|
|
|
go func(ws *WebhookServer) {
|
2019-07-23 17:54:31 -07:00
|
|
|
glog.V(3).Infof("serving on %s\n", ws.server.Addr)
|
2019-08-27 17:00:16 -07:00
|
|
|
if err := ws.server.ListenAndServeTLS("", ""); err != http.ErrServerClosed {
|
|
|
|
|
glog.Infof("HTTP server error: %v", err)
|
2019-03-04 20:40:02 +02:00
|
|
|
}
|
|
|
|
|
}(ws)
|
2019-05-30 12:28:56 -07:00
|
|
|
glog.Info("Started Webhook Server")
|
2019-10-30 13:39:19 -07:00
|
|
|
// verifys if the admission control is enabled and active
|
|
|
|
|
// resync: 60 seconds
|
|
|
|
|
// deadline: 60 seconds (send request)
|
|
|
|
|
// max deadline: deadline*3 (set the deployment annotation as false)
|
2019-11-25 18:07:11 -08:00
|
|
|
go ws.lastReqTime.Run(ws.pLister, ws.eventGen, ws.client, checker.DefaultResync, checker.DefaultDeadline, stopCh)
|
2020-01-07 10:33:28 -08:00
|
|
|
|
2019-02-07 19:22:04 +02:00
|
|
|
}
|
|
|
|
|
|
2019-05-14 18:10:25 +03:00
|
|
|
// Stop TLS server and returns control after the server is shut down
|
2019-11-18 11:41:37 -08:00
|
|
|
func (ws *WebhookServer) Stop(ctx context.Context) {
|
|
|
|
|
// cleanUp
|
|
|
|
|
// remove the static webhookconfigurations
|
|
|
|
|
go ws.webhookRegistrationClient.RemoveWebhookConfigurations(ws.cleanUp)
|
|
|
|
|
// shutdown http.Server with context timeout
|
|
|
|
|
err := ws.server.Shutdown(ctx)
|
2019-03-04 20:40:02 +02:00
|
|
|
if err != nil {
|
|
|
|
|
// Error from closing listeners, or context timeout:
|
2019-06-07 14:46:18 +03:00
|
|
|
glog.Info("Server Shutdown error: ", err)
|
2019-03-04 20:40:02 +02:00
|
|
|
ws.server.Close()
|
|
|
|
|
}
|
2019-02-07 19:22:04 +02:00
|
|
|
}
|
2019-05-13 21:27:47 +03:00
|
|
|
|
2019-05-14 18:10:25 +03:00
|
|
|
// bodyToAdmissionReview creates AdmissionReview object from request body
|
|
|
|
|
// Answers to the http.ResponseWriter if request is not valid
|
|
|
|
|
func (ws *WebhookServer) bodyToAdmissionReview(request *http.Request, writer http.ResponseWriter) *v1beta1.AdmissionReview {
|
|
|
|
|
var body []byte
|
|
|
|
|
if request.Body != nil {
|
|
|
|
|
if data, err := ioutil.ReadAll(request.Body); err == nil {
|
|
|
|
|
body = data
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
if len(body) == 0 {
|
2019-05-30 12:28:56 -07:00
|
|
|
glog.Error("Error: empty body")
|
2019-05-14 18:10:25 +03:00
|
|
|
http.Error(writer, "empty body", http.StatusBadRequest)
|
|
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
contentType := request.Header.Get("Content-Type")
|
|
|
|
|
if contentType != "application/json" {
|
2019-06-07 14:46:18 +03:00
|
|
|
glog.Error("Error: invalid Content-Type: ", contentType)
|
2019-05-14 18:10:25 +03:00
|
|
|
http.Error(writer, "invalid Content-Type, expect `application/json`", http.StatusUnsupportedMediaType)
|
|
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
admissionReview := &v1beta1.AdmissionReview{}
|
|
|
|
|
if err := json.Unmarshal(body, &admissionReview); err != nil {
|
2019-05-30 12:28:56 -07:00
|
|
|
glog.Errorf("Error: Can't decode body as AdmissionReview: %v", err)
|
2019-05-14 18:10:25 +03:00
|
|
|
http.Error(writer, "Can't decode body as AdmissionReview", http.StatusExpectationFailed)
|
|
|
|
|
return nil
|
|
|
|
|
}
|
2019-06-05 17:43:59 -07:00
|
|
|
|
|
|
|
|
return admissionReview
|
2019-05-13 21:27:47 +03:00
|
|
|
}
|
