NK-47: Added missed files
This commit is contained in:
parent
4912f20885
commit
c0ce49052b
2 changed files with 88 additions and 36 deletions
|
@ -4,29 +4,49 @@ import (
|
||||||
"errors"
|
"errors"
|
||||||
"fmt"
|
"fmt"
|
||||||
"log"
|
"log"
|
||||||
|
"os"
|
||||||
|
|
||||||
controller "github.com/nirmata/kube-policy/controller"
|
controller "github.com/nirmata/kube-policy/controller"
|
||||||
kubeclient "github.com/nirmata/kube-policy/kubeclient"
|
kubeclient "github.com/nirmata/kube-policy/kubeclient"
|
||||||
types "github.com/nirmata/kube-policy/pkg/apis/policy/v1alpha1"
|
types "github.com/nirmata/kube-policy/pkg/apis/policy/v1alpha1"
|
||||||
v1beta1 "k8s.io/api/admission/v1beta1"
|
v1beta1 "k8s.io/api/admission/v1beta1"
|
||||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||||
|
rest "k8s.io/client-go/rest"
|
||||||
)
|
)
|
||||||
|
|
||||||
// MutationWebhook is a data type that represents
|
// MutationWebhook is a data type that represents
|
||||||
// buisness logic for resource mutation
|
// business logic for resource mutation
|
||||||
type MutationWebhook struct {
|
type MutationWebhook struct {
|
||||||
kubeclient *kubeclient.KubeClient
|
kubeclient *kubeclient.KubeClient
|
||||||
controller *controller.PolicyController
|
controller *controller.PolicyController
|
||||||
|
registration *MutationWebhookRegistration
|
||||||
logger *log.Logger
|
logger *log.Logger
|
||||||
}
|
}
|
||||||
|
|
||||||
// NewMutationWebhook is a method that returns new instance
|
// Registers mutation webhook in cluster and creates object for this webhook
|
||||||
// of MutationWebhook struct
|
func CreateMutationWebhook(clientConfig *rest.Config, kubeclient *kubeclient.KubeClient, controller *controller.PolicyController, logger *log.Logger) (*MutationWebhook, error) {
|
||||||
func NewMutationWebhook(kubeclient *kubeclient.KubeClient, controller *controller.PolicyController, logger *log.Logger) (*MutationWebhook, error) {
|
if clientConfig == nil || kubeclient == nil || controller == nil {
|
||||||
if kubeclient == nil || controller == nil || logger == nil {
|
|
||||||
return nil, errors.New("Some parameters are not set")
|
return nil, errors.New("Some parameters are not set")
|
||||||
}
|
}
|
||||||
return &MutationWebhook{kubeclient: kubeclient, controller: controller, logger: logger}, nil
|
|
||||||
|
registration, err := NewMutationWebhookRegistration(clientConfig)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
|
||||||
|
if logger == nil {
|
||||||
|
logger = log.New(os.Stdout, "Mutation WebHook: ", log.LstdFlags|log.Lshortfile)
|
||||||
|
}
|
||||||
|
return &MutationWebhook{
|
||||||
|
kubeclient: kubeclient,
|
||||||
|
controller: controller,
|
||||||
|
registration: registration,
|
||||||
|
logger: logger,
|
||||||
|
}, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func (mw *MutationWebhook) Deregister() error {
|
||||||
|
return mw.registration.Deregister()
|
||||||
}
|
}
|
||||||
|
|
||||||
// Mutate applies admission to request
|
// Mutate applies admission to request
|
||||||
|
|
|
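Review bot: The doc comment on the new constructor does not start with the function name, so `go doc` will not associate it with `CreateMutationWebhook`, and the new `Deregister` method has no comment at all even though it is the only way to undo the cluster-side registration the constructor performs. I would write `// CreateMutationWebhook registers the mutation webhook in the cluster and returns an object owning that registration; call Deregister to remove it.` and `// Deregister removes the mutating webhook configuration this object registered.` The nil-parameter error `errors.New("Some parameters are not set")` could also name the offending parameter and drop the capital, e.g. `errors.New("clientConfig, kubeclient and controller must be set")`, since the check now covers a different set of parameters than before. The rest of the file (the Mutate method) lies outside this section.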
@ -1,53 +1,85 @@
|
||||||
package webhooks
|
package webhooks
|
||||||
|
|
||||||
import (
|
import (
|
||||||
|
"errors"
|
||||||
|
"fmt"
|
||||||
"io/ioutil"
|
"io/ioutil"
|
||||||
|
|
||||||
"github.com/nirmata/kube-policy/config"
|
"github.com/nirmata/kube-policy/config"
|
||||||
|
|
||||||
adm "k8s.io/api/admissionregistration/v1beta1"
|
admregapi "k8s.io/api/admissionregistration/v1beta1"
|
||||||
meta "k8s.io/apimachinery/pkg/apis/meta/v1"
|
meta "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||||
admreg "k8s.io/client-go/kubernetes/typed/admissionregistration/v1beta1"
|
admregclient "k8s.io/client-go/kubernetes/typed/admissionregistration/v1beta1"
|
||||||
rest "k8s.io/client-go/rest"
|
rest "k8s.io/client-go/rest"
|
||||||
)
|
)
|
||||||
|
|
||||||
func RegisterMutationWebhook(config *rest.Config) error {
|
type MutationWebhookRegistration struct {
|
||||||
registrationClient, err := admreg.NewForConfig(config)
|
registrationClient *admregclient.AdmissionregistrationV1beta1Client
|
||||||
if err != nil {
|
|
||||||
return err
|
|
||||||
}
|
|
||||||
|
|
||||||
_, err = registrationClient.MutatingWebhookConfigurations().Create(constructWebhookConfig(config))
|
|
||||||
if err != nil {
|
|
||||||
return err
|
|
||||||
}
|
|
||||||
|
|
||||||
return nil
|
|
||||||
}
|
}
|
||||||
|
|
||||||
func constructWebhookConfig(configuration *rest.Config) *adm.MutatingWebhookConfiguration {
|
func NewMutationWebhookRegistration(clientConfig *rest.Config) (*MutationWebhookRegistration, error) {
|
||||||
return &adm.MutatingWebhookConfiguration{
|
registrationClient, err := admregclient.NewForConfig(clientConfig)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
|
||||||
|
webhookConfig, err := constructWebhookConfig(clientConfig)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
|
||||||
|
oldConfig, err := registrationClient.MutatingWebhookConfigurations().Get(config.WebhookConfigName, meta.GetOptions{})
|
||||||
|
if oldConfig != nil && oldConfig.ObjectMeta.UID != "" {
|
||||||
|
// Normally webhook configuration should be deleted from cluster when controller end his work.
|
||||||
|
// But if old configuration is detected in cluster, it should be replaced by new one.
|
||||||
|
err = registrationClient.MutatingWebhookConfigurations().Delete(config.WebhookConfigName, &meta.DeleteOptions{})
|
||||||
|
if err != nil {
|
||||||
|
return nil, errors.New(fmt.Sprintf("Failed to delete old webhook configuration: %v", err))
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
_, err = registrationClient.MutatingWebhookConfigurations().Create(webhookConfig)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
|
||||||
|
return &MutationWebhookRegistration{
|
||||||
|
registrationClient: registrationClient,
|
||||||
|
}, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func (mwr *MutationWebhookRegistration) Deregister() error {
|
||||||
|
return mwr.registrationClient.MutatingWebhookConfigurations().Delete(config.MutationWebhookName, &meta.DeleteOptions{})
|
||||||
|
}
|
||||||
|
|
||||||
|
func constructWebhookConfig(configuration *rest.Config) (*admregapi.MutatingWebhookConfiguration, error) {
|
||||||
|
caData := ExtractCA(configuration)
|
||||||
|
if len(caData) == 0 {
|
||||||
|
return nil, errors.New("Unable to extract CA data from configuration")
|
||||||
|
}
|
||||||
|
|
||||||
|
return &admregapi.MutatingWebhookConfiguration{
|
||||||
ObjectMeta: meta.ObjectMeta{
|
ObjectMeta: meta.ObjectMeta{
|
||||||
Name: config.WebhookConfigName,
|
Name: config.WebhookConfigName,
|
||||||
Labels: config.WebhookConfigLabels,
|
Labels: config.WebhookConfigLabels,
|
||||||
},
|
},
|
||||||
Webhooks: []adm.Webhook{
|
Webhooks: []admregapi.Webhook{
|
||||||
adm.Webhook{
|
admregapi.Webhook{
|
||||||
Name: config.MutationWebhookName,
|
Name: config.MutationWebhookName,
|
||||||
ClientConfig: adm.WebhookClientConfig{
|
ClientConfig: admregapi.WebhookClientConfig{
|
||||||
Service: &adm.ServiceReference{
|
Service: &admregapi.ServiceReference{
|
||||||
Namespace: config.WebhookServiceNamespace,
|
Namespace: config.WebhookServiceNamespace,
|
||||||
Name: config.WebhookServiceName,
|
Name: config.WebhookServiceName,
|
||||||
Path: &config.WebhookServicePath,
|
Path: &config.WebhookServicePath,
|
||||||
},
|
},
|
||||||
CABundle: ExtractCA(configuration),
|
CABundle: caData,
|
||||||
},
|
},
|
||||||
Rules: []adm.RuleWithOperations{
|
Rules: []admregapi.RuleWithOperations{
|
||||||
adm.RuleWithOperations{
|
admregapi.RuleWithOperations{
|
||||||
Operations: []adm.OperationType{
|
Operations: []admregapi.OperationType{
|
||||||
adm.Create,
|
admregapi.Create,
|
||||||
},
|
},
|
||||||
Rule: adm.Rule{
|
Rule: admregapi.Rule{
|
||||||
APIGroups: []string{
|
APIGroups: []string{
|
||||||
"*",
|
"*",
|
||||||
},
|
},
|
||||||
|
@ -62,7 +94,7 @@ func constructWebhookConfig(configuration *rest.Config) *adm.MutatingWebhookConf
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
}
|
}, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func ExtractCA(config *rest.Config) (result []byte) {
|
func ExtractCA(config *rest.Config) (result []byte) {
|
||||||
|
|
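Review bot: `Deregister` deletes `config.MutationWebhookName`, but the configuration created in `constructWebhookConfig` is named `config.WebhookConfigName` (the same name the old-configuration cleanup in `NewMutationWebhookRegistration` deletes), while `MutationWebhookName` is the name of the webhook entry inside it; unless both constants hold the same value, which this page does not show, the delete targets an object that does not exist and the MutatingWebhookConfiguration stays in the cluster after the controller stops, still intercepting admission requests for a service that is no longer there. The line should read `return mwr.registrationClient.MutatingWebhookConfigurations().Delete(config.WebhookConfigName, &meta.DeleteOptions{})`. Related, the error from the `Get` call in `NewMutationWebhookRegistration` is never inspected — a permission or transport failure there is silently treated as "no old config", and the later `Create` then fails with a less informative error; checking it with `k8s.io/apimachinery/pkg/api/errors`' `IsNotFound` and returning any other error would keep the cause visible. `ExtractCA` begins at the end of this section and its body is outside it.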