mirror of https://github.com/kyverno/kyverno.git synced 2025-03-15 12:17:56 +00:00

NK-47: Added missed files

belyshevdenis 2019-03-25 10:11:50 +02:00
parent 4912f20885
commit c0ce49052b
2 changed files with 88 additions and 36 deletions


@ -4,29 +4,49 @@ import (
"errors" "errors"
"fmt" "fmt"
"log" "log"
"os"
controller "github.com/nirmata/kube-policy/controller" controller "github.com/nirmata/kube-policy/controller"
kubeclient "github.com/nirmata/kube-policy/kubeclient" kubeclient "github.com/nirmata/kube-policy/kubeclient"
types "github.com/nirmata/kube-policy/pkg/apis/policy/v1alpha1" types "github.com/nirmata/kube-policy/pkg/apis/policy/v1alpha1"
v1beta1 "k8s.io/api/admission/v1beta1" v1beta1 "k8s.io/api/admission/v1beta1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
rest "k8s.io/client-go/rest"
) )
// MutationWebhook is a data type that represents // MutationWebhook is a data type that represents
// buisness logic for resource mutation // business logic for resource mutation
type MutationWebhook struct { type MutationWebhook struct {
kubeclient *kubeclient.KubeClient kubeclient *kubeclient.KubeClient
controller *controller.PolicyController controller *controller.PolicyController
registration *MutationWebhookRegistration
logger *log.Logger logger *log.Logger
} }
// NewMutationWebhook is a method that returns new instance // Registers mutation webhook in cluster and creates object for this webhook
// of MutationWebhook struct func CreateMutationWebhook(clientConfig *rest.Config, kubeclient *kubeclient.KubeClient, controller *controller.PolicyController, logger *log.Logger) (*MutationWebhook, error) {
func NewMutationWebhook(kubeclient *kubeclient.KubeClient, controller *controller.PolicyController, logger *log.Logger) (*MutationWebhook, error) { if clientConfig == nil || kubeclient == nil || controller == nil {
if kubeclient == nil || controller == nil || logger == nil {
return nil, errors.New("Some parameters are not set") return nil, errors.New("Some parameters are not set")
} }
return &MutationWebhook{kubeclient: kubeclient, controller: controller, logger: logger}, nil
registration, err := NewMutationWebhookRegistration(clientConfig)
if err != nil {
return nil, err
}
if logger == nil {
logger = log.New(os.Stdout, "Mutation WebHook: ", log.LstdFlags|log.Lshortfile)
}
return &MutationWebhook{
kubeclient: kubeclient,
controller: controller,
registration: registration,
logger: logger,
}, nil
}
func (mw *MutationWebhook) Deregister() error {
return mw.registration.Deregister()
} }
// Mutate applies admission to request // Mutate applies admission to request
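Review bot: `CreateMutationWebhook` now writes a MutatingWebhookConfiguration to the cluster as a side effect of construction, but neither its comment nor the new, undocumented `Deregister` method tells the caller that cleanup is their responsibility. I would start the comment with the function name, e.g. `// CreateMutationWebhook registers the mutating webhook configuration in the cluster and returns the MutationWebhook backed by it; call Deregister on shutdown.`, and add `// Deregister removes the webhook configuration registered by CreateMutationWebhook.` above the method. The comment should also say that a nil `logger` is accepted and replaced by a stdout logger, since the previous constructor rejected it.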


@ -1,53 +1,85 @@
package webhooks package webhooks
import ( import (
"errors"
"fmt"
"io/ioutil" "io/ioutil"
"github.com/nirmata/kube-policy/config" "github.com/nirmata/kube-policy/config"
adm "k8s.io/api/admissionregistration/v1beta1" admregapi "k8s.io/api/admissionregistration/v1beta1"
meta "k8s.io/apimachinery/pkg/apis/meta/v1" meta "k8s.io/apimachinery/pkg/apis/meta/v1"
admreg "k8s.io/client-go/kubernetes/typed/admissionregistration/v1beta1" admregclient "k8s.io/client-go/kubernetes/typed/admissionregistration/v1beta1"
rest "k8s.io/client-go/rest" rest "k8s.io/client-go/rest"
) )
func RegisterMutationWebhook(config *rest.Config) error { type MutationWebhookRegistration struct {
registrationClient, err := admreg.NewForConfig(config) registrationClient *admregclient.AdmissionregistrationV1beta1Client
if err != nil {
return err
}
_, err = registrationClient.MutatingWebhookConfigurations().Create(constructWebhookConfig(config))
if err != nil {
return err
}
return nil
} }
func constructWebhookConfig(configuration *rest.Config) *adm.MutatingWebhookConfiguration { func NewMutationWebhookRegistration(clientConfig *rest.Config) (*MutationWebhookRegistration, error) {
return &adm.MutatingWebhookConfiguration{ registrationClient, err := admregclient.NewForConfig(clientConfig)
if err != nil {
return nil, err
}
webhookConfig, err := constructWebhookConfig(clientConfig)
if err != nil {
return nil, err
}
oldConfig, err := registrationClient.MutatingWebhookConfigurations().Get(config.WebhookConfigName, meta.GetOptions{})
if oldConfig != nil && oldConfig.ObjectMeta.UID != "" {
// Normally webhook configuration should be deleted from cluster when controller end his work.
// But if old configuration is detected in cluster, it should be replaced by new one.
err = registrationClient.MutatingWebhookConfigurations().Delete(config.WebhookConfigName, &meta.DeleteOptions{})
if err != nil {
return nil, errors.New(fmt.Sprintf("Failed to delete old webhook configuration: %v", err))
}
}
_, err = registrationClient.MutatingWebhookConfigurations().Create(webhookConfig)
if err != nil {
return nil, err
}
return &MutationWebhookRegistration{
registrationClient: registrationClient,
}, nil
}
func (mwr *MutationWebhookRegistration) Deregister() error {
return mwr.registrationClient.MutatingWebhookConfigurations().Delete(config.MutationWebhookName, &meta.DeleteOptions{})
}
func constructWebhookConfig(configuration *rest.Config) (*admregapi.MutatingWebhookConfiguration, error) {
caData := ExtractCA(configuration)
if len(caData) == 0 {
return nil, errors.New("Unable to extract CA data from configuration")
}
return &admregapi.MutatingWebhookConfiguration{
ObjectMeta: meta.ObjectMeta{ ObjectMeta: meta.ObjectMeta{
Name: config.WebhookConfigName, Name: config.WebhookConfigName,
Labels: config.WebhookConfigLabels, Labels: config.WebhookConfigLabels,
}, },
Webhooks: []adm.Webhook{ Webhooks: []admregapi.Webhook{
adm.Webhook{ admregapi.Webhook{
Name: config.MutationWebhookName, Name: config.MutationWebhookName,
ClientConfig: adm.WebhookClientConfig{ ClientConfig: admregapi.WebhookClientConfig{
Service: &adm.ServiceReference{ Service: &admregapi.ServiceReference{
Namespace: config.WebhookServiceNamespace, Namespace: config.WebhookServiceNamespace,
Name: config.WebhookServiceName, Name: config.WebhookServiceName,
Path: &config.WebhookServicePath, Path: &config.WebhookServicePath,
}, },
CABundle: ExtractCA(configuration), CABundle: caData,
}, },
Rules: []adm.RuleWithOperations{ Rules: []admregapi.RuleWithOperations{
adm.RuleWithOperations{ admregapi.RuleWithOperations{
Operations: []adm.OperationType{ Operations: []admregapi.OperationType{
adm.Create, admregapi.Create,
}, },
Rule: adm.Rule{ Rule: admregapi.Rule{
APIGroups: []string{ APIGroups: []string{
"*", "*",
}, },
@ -62,7 +94,7 @@ func constructWebhookConfig(configuration *rest.Config) *adm.MutatingWebhookConf
}, },
}, },
}, },
} }, nil
} }
func ExtractCA(config *rest.Config) (result []byte) { func ExtractCA(config *rest.Config) (result []byte) {
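Review bot: `Deregister` deletes `config.MutationWebhookName`, but the object this file creates and replaces is named `config.WebhookConfigName`; `MutationWebhookName` is only the name of the webhook entry inside that configuration. Unless the two constants happen to be equal (they are defined outside this diff), the shutdown delete will miss and the MutatingWebhookConfiguration stays registered for a webhook that is presumably no longer served, so the call should be `Delete(config.WebhookConfigName, &meta.DeleteOptions{})`. In `NewMutationWebhookRegistration` the error returned by `Get` is also overwritten without being inspected, so a forbidden or transport error is handled the same way as not-found. Returning any `Get` error that is not a not-found error would surface a missing RBAC permission at the lookup instead of at the later `Create`.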