Add SubjectAccessReview client to validation registration on webhook start. Make API address configurable

Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
2021-03-22 14:36:22 +00:00 · 2021-03-22 14:36:22 +00:00 · 59049ee58a
commit 59049ee58a
parent f640f64fcb
3 changed files with 19 additions and 1 deletions
--- a/cmd/webhook/app/BUILD.bazel
+++ b/cmd/webhook/app/BUILD.bazel
@ -16,6 +16,7 @@ go_library(
        "//pkg/webhook/server/tls:go_default_library",
        "@com_github_go_logr_logr//:go_default_library",
        "@com_github_spf13_cobra//:go_default_library",
+        "@io_k8s_client_go//kubernetes:go_default_library",
        "@io_k8s_client_go//tools/clientcmd:go_default_library",
    ],
 )
--- a/cmd/webhook/app/options/options.go
+++ b/cmd/webhook/app/options/options.go
@ -46,7 +46,8 @@ type WebhookOptions struct {
 	// Optional path to the kubeconfig used to connect to the apiserver when
 	// using the 'dynamic serving' certificate sources.
 	// If not specified, in cluster config will be used.
-	Kubeconfig string
+	Kubeconfig    string
+	APIServerHost string

 	// TLSCipherSuites is the list of allowed cipher suites for the server.
 	// Values are from tls package constants (https://golang.org/pkg/crypto/tls/#pkg-constants).
@ -67,6 +68,9 @@ func (o *WebhookOptions) AddFlags(fs *pflag.FlagSet) {
 	fs.StringVar(&o.DynamicServingCASecretName, "dynamic-serving-ca-secret-name", "", "name of the secret used to store the CA that signs serving certificates certificates")
 	fs.StringSliceVar(&o.DynamicServingDNSNames, "dynamic-serving-dns-names", []string{""}, "DNS names that should be present on certificates generated by the dynamic serving CA")
 	fs.StringVar(&o.Kubeconfig, "kubeconfig", "", "optional path to the kubeconfig used to connect to the apiserver. If not specified, in-cluster-config will be used")
+	fs.StringVar(&o.APIServerHost, "master", "", ""+
+		"Optional apiserver host address to connect to. If not specified, autoconfiguration "+
+		"will be attempted.")

 	tlsCipherPossibleValues := cliflag.TLSCipherPossibleValues()
 	fs.StringSliceVar(&o.TLSCipherSuites, "tls-cipher-suites", o.TLSCipherSuites,
--- a/cmd/webhook/app/webhook.go
+++ b/cmd/webhook/app/webhook.go
@ -22,6 +22,7 @@ import (

 	"github.com/go-logr/logr"
 	"github.com/spf13/cobra"
+	"k8s.io/client-go/kubernetes"
 	"k8s.io/client-go/tools/clientcmd"

 	"github.com/jetstack/cert-manager/cmd/webhook/app/options"
@ -39,6 +40,18 @@ var mutationHook handlers.MutatingAdmissionHook = handlers.NewRegistryBackedMuta
 var conversionHook handlers.ConversionHook = handlers.NewSchemeBackedConverter(logf.Log, webhook.Scheme)

 func NewServerWithOptions(log logr.Logger, opts options.WebhookOptions) (*server.Server, error) {
+	restcfg, err := clientcmd.BuildConfigFromFlags(opts.APIServerHost, opts.Kubeconfig)
+	if err != nil {
+		return nil, err
+	}
+
+	cl, err := kubernetes.NewForConfig(restcfg)
+	if err != nil {
+		return nil, fmt.Errorf("error creating kubernetes client: %s", err)
+	}
+
+	webhook.ValidationRegistry = webhook.ValidationRegistry.WithSubjectAccessReviewClient(cl.AuthorizationV1().SubjectAccessReviews())
+
 	var source tls.CertificateSource
 	switch {
 	case options.FileTLSSourceEnabled(opts):