NK-31: Implemented webhook registration logic.

2025-03-31 03:45:17 +00:00 · 2019-03-19 21:32:31 +02:00 · 2019-03-19 21:32:31 +02:00 · 89b211d1f9
commit 89b211d1f9
parent 13c9611402
4 changed files with 127 additions and 7 deletions
--- a/definitions/examples/selector-policy.yaml
+++ b/definitions/examples/selector-policy.yaml
@ -0,0 +1,21 @@
+apiVersion: policy.nirmata.io/v1alpha1
+kind : Policy
+metadata:
+  name: selector-policy
+spec:
+  failurePolicy: continueOnError
+  rules:
+  - resource:
+      kind: ConfigMap 
+      selector: 
+        matchLabels:
+          label1: test1
+        matchExpressions:
+        - key: label2
+          operator: In
+          values:
+          - test2
+    patch: 
+    - path: /
+      op : add
+      value : "20"
--- a/init.go
+++ b/init.go
@ -73,8 +73,3 @@ func initTlsPemsPair(config *rest.Config, client *kubeclient.KubeClient) (*utils

 	return tlsPair, nil
 }
-
-func registerWebhook(client *kubeclient.KubeClient) error {
-	// TODO
-	return nil
-}
--- a/main.go
+++ b/main.go
@ -6,6 +6,7 @@ import (

 	"github.com/nirmata/kube-policy/controller"
 	"github.com/nirmata/kube-policy/kubeclient"
+	"github.com/nirmata/kube-policy/webhooks"
 	"github.com/nirmata/kube-policy/server"

 	signals "k8s.io/sample-controller/pkg/signals"
@ -23,9 +24,14 @@ func main() {
 		log.Fatalf("Error building kubeconfig: %v\n", err)
 	}

+	_, err = webhooks.RegisterMutationWebhook(clientConfig)
+	if err != nil {
+		log.Fatalf("Error registering mutation webhook server: %v\n", err)
+	}
+
 	controller, err := controller.NewPolicyController(clientConfig, nil)
 	if err != nil {
-		log.Fatalf("Error creating PolicyController! Error: %s\n", err)
+		log.Fatalf("Error creating PolicyController: %s\n", err)
 	}

 	kubeclient, err := kubeclient.NewKubeClient(clientConfig, nil)
--- a/webhooks/registration.go
+++ b/webhooks/registration.go
@ -0,0 +1,98 @@
+package webhooks
+import (
+	"io/ioutil"
+	"encoding/base64"
+
+	rest "k8s.io/client-go/rest"
+	meta "k8s.io/apimachinery/pkg/apis/meta/v1"
+	adm "k8s.io/api/admissionregistration/v1beta1"
+	types "k8s.io/api/admissionregistration/v1beta1"
+	admreg "k8s.io/client-go/kubernetes/typed/admissionregistration/v1beta1"
+)
+
+const (
+	webhookName = "nirmata-kube-policy-webhook-cfg"
+	mutationWebhookName = "webhook.nirmata.kube-policy"
+	webhookServiceNamespace = "default"
+	webhookServiceName = "kube-policy-svc"
+)
+
+var (
+	webhookPath = "mutate"
+	webhookLabels = map[string]string {
+	    "app": "kube-policy",
+    }
+)
+
+func RegisterMutationWebhook(config *rest.Config) (*types.MutatingWebhookConfiguration, error) {
+var result *types.MutatingWebhookConfiguration = nil
+
+	registrationClient, err := admreg.NewForConfig(config)
+	if err != nil {
+		return nil, err
+	}
+
+	result, err = registrationClient.MutatingWebhookConfigurations().Create(constructWebhookConfig(config))
+	if err != nil {
+		return nil, err
+	}
+
+	return result, nil
+}
+
+func constructWebhookConfig(config *rest.Config) *adm.MutatingWebhookConfiguration {
+	return &adm.MutatingWebhookConfiguration {
+		ObjectMeta: meta.ObjectMeta {
+			Name: webhookName,
+			Labels: webhookLabels,
+		},
+		Webhooks: []adm.Webhook {
+			adm.Webhook {
+				Name: mutationWebhookName,
+				ClientConfig: adm.WebhookClientConfig {
+                    Service: &adm.ServiceReference {
+						Namespace: webhookServiceNamespace,
+						Name: webhookServiceName,
+						Path: &webhookPath,
+					},
+					CABundle: extractCA(config),
+				},
+				Rules: []adm.RuleWithOperations {
+					adm.RuleWithOperations {
+						Operations: []adm.OperationType {
+							adm.Create,
+						},
+						Rule: adm.Rule {
+							APIGroups: []string {
+								"*",
+							},
+							APIVersions: []string {
+								"*",
+							},
+							Resources: []string {
+								"*/*",
+							},
+						},
+					},
+				},
+			},
+		},
+	}
+}
+
+func extractCA(config *rest.Config) (result []byte) {
+	
+	if config.TLSClientConfig.CAData != nil {
+		return config.TLSClientConfig.CAData
+	} else {
+		fileName := config.TLSClientConfig.CAFile
+		bytes, err := ioutil.ReadFile(fileName)
+
+		if err != nil {
+			return nil
+		}
+
+		base64.StdEncoding.Encode(result, bytes)
+		return
+	}
+}