mirror of
https://github.com/kyverno/kyverno.git
synced 2025-03-10 01:46:55 +00:00
96 lines
No EOL
2.1 KiB
Go
96 lines
No EOL
2.1 KiB
Go
package webhooks
|
|
import (
|
|
"io/ioutil"
|
|
|
|
rest "k8s.io/client-go/rest"
|
|
meta "k8s.io/apimachinery/pkg/apis/meta/v1"
|
|
adm "k8s.io/api/admissionregistration/v1beta1"
|
|
types "k8s.io/api/admissionregistration/v1beta1"
|
|
admreg "k8s.io/client-go/kubernetes/typed/admissionregistration/v1beta1"
|
|
)
|
|
|
|
const (
|
|
webhookName = "nirmata-kube-policy-webhook-cfg"
|
|
mutationWebhookName = "webhook.nirmata.kube-policy"
|
|
webhookServiceNamespace = "default"
|
|
webhookServiceName = "kube-policy-svc"
|
|
)
|
|
|
|
var (
|
|
webhookPath = "mutate"
|
|
webhookLabels = map[string]string {
|
|
"app": "kube-policy",
|
|
}
|
|
)
|
|
|
|
func RegisterMutationWebhook(config *rest.Config) (*types.MutatingWebhookConfiguration, error) {
|
|
var result *types.MutatingWebhookConfiguration = nil
|
|
|
|
registrationClient, err := admreg.NewForConfig(config)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
result, err = registrationClient.MutatingWebhookConfigurations().Create(constructWebhookConfig(config))
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
return result, nil
|
|
}
|
|
|
|
func constructWebhookConfig(config *rest.Config) *adm.MutatingWebhookConfiguration {
|
|
return &adm.MutatingWebhookConfiguration {
|
|
ObjectMeta: meta.ObjectMeta {
|
|
Name: webhookName,
|
|
Labels: webhookLabels,
|
|
},
|
|
Webhooks: []adm.Webhook {
|
|
adm.Webhook {
|
|
Name: mutationWebhookName,
|
|
ClientConfig: adm.WebhookClientConfig {
|
|
Service: &adm.ServiceReference {
|
|
Namespace: webhookServiceNamespace,
|
|
Name: webhookServiceName,
|
|
Path: &webhookPath,
|
|
},
|
|
CABundle: ExtractCA(config),
|
|
},
|
|
Rules: []adm.RuleWithOperations {
|
|
adm.RuleWithOperations {
|
|
Operations: []adm.OperationType {
|
|
adm.Create,
|
|
},
|
|
Rule: adm.Rule {
|
|
APIGroups: []string {
|
|
"*",
|
|
},
|
|
APIVersions: []string {
|
|
"*",
|
|
},
|
|
Resources: []string {
|
|
"*/*",
|
|
},
|
|
},
|
|
},
|
|
},
|
|
},
|
|
},
|
|
}
|
|
}
|
|
|
|
func ExtractCA(config *rest.Config) (result []byte) {
|
|
fileName := config.TLSClientConfig.CAFile
|
|
|
|
if fileName != "" {
|
|
result, err := ioutil.ReadFile(fileName)
|
|
|
|
if err != nil {
|
|
return nil
|
|
}
|
|
|
|
return result
|
|
} else {
|
|
return config.TLSClientConfig.CAData
|
|
}
|
|
} |