Change webhook admission/mutation handlers to understand only admission v1 and reject anything which is not
v1 (remove v1beta1 support) Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
This commit is contained in:
parent
8ae179b8f5
commit
8470ba96f0
@ -86,19 +86,10 @@ func (r *registryBackedValidator) Validate(ctx context.Context, admissionSpec *a
|
||||
}
|
||||
}
|
||||
|
||||
// RequestKind field is only present from Kubernetes 1.15 onwards, so
|
||||
// use the regular 'kind' if RequestKind is not present
|
||||
gvk := schema.GroupVersionKind{
|
||||
Group: admissionSpec.Kind.Group,
|
||||
Version: admissionSpec.Kind.Version,
|
||||
Kind: admissionSpec.Kind.Kind,
|
||||
}
|
||||
if admissionSpec.RequestKind != nil {
|
||||
gvk = schema.GroupVersionKind{
|
||||
Group: admissionSpec.RequestKind.Group,
|
||||
Version: admissionSpec.RequestKind.Version,
|
||||
Kind: admissionSpec.RequestKind.Kind,
|
||||
}
|
||||
Group: admissionSpec.RequestKind.Group,
|
||||
Version: admissionSpec.RequestKind.Version,
|
||||
Kind: admissionSpec.RequestKind.Kind,
|
||||
}
|
||||
errs := field.ErrorList{}
|
||||
var warnings validation.WarningList
|
||||
|
||||
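Review bot: The new gvk literal at `Group: admissionSpec.RequestKind.Group` dereferences `RequestKind` with no nil check, and in admission.k8s.io/v1 that field is a `*metav1.GroupVersionKind` declared optional, so a v1 AdmissionReview whose request omits `requestKind` now panics in this handler instead of producing a rejection — on a network-facing webhook that is a malformed-input crash path (net/http presumably recovers the panic, but the caller then gets no AdmissionResponse at all, which with failurePolicy Fail blocks the API request). The old `if admissionSpec.RequestKind != nil` fallback to `Kind` is what the commit intentionally removes, so the replacement should be an explicit denial rather than the fallback, built the same way the rest of Validate builds its failure responses (the function starts and ends outside this hunk, so I'm inferring that shape from the test's `expectedResponse`). The deleted "RequestKind is not set" test case should come back in inverted form, asserting that such a request is rejected cleanly rather than panicking.
```go
	// RequestKind is optional in admission.k8s.io/v1; refuse rather than deref nil.
	if admissionSpec.RequestKind == nil {
		return &admissionv1.AdmissionResponse{
			UID:     admissionSpec.UID,
			Allowed: false,
			Result: &metav1.Status{
				Status:  metav1.StatusFailure,
				Code:    http.StatusBadRequest,
				Reason:  metav1.StatusReasonBadRequest,
				Message: "requestKind must be set on admission requests",
			},
		}
	}
	gvk := schema.GroupVersionKind{
		Group:   admissionSpec.RequestKind.Group,
		Version: admissionSpec.RequestKind.Version,
		Kind:    admissionSpec.RequestKind.Kind,
	}
	// … unchanged: errs / warnings setup and the rest of Validate …
```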
@ -252,35 +252,6 @@ func TestRegistryBackedValidator(t *testing.T) {
|
||||
Allowed: true,
|
||||
},
|
||||
},
|
||||
"should validate in the current APIVersion if RequestKind is not set (for Kubernetes <1.15 support)": {
|
||||
inputRequest: admissionv1.AdmissionRequest{
|
||||
UID: types.UID("abc"),
|
||||
Kind: *testTypeGVKV2,
|
||||
Operation: admissionv1.Create,
|
||||
Object: runtime.RawExtension{
|
||||
Raw: []byte(fmt.Sprintf(`
|
||||
{
|
||||
"apiVersion": "testgroup.testing.cert-manager.io/v2",
|
||||
"kind": "TestType",
|
||||
"metadata": {
|
||||
"name": "testing",
|
||||
"namespace": "abc",
|
||||
"creationTimestamp": null
|
||||
},
|
||||
"testField": "%s"
|
||||
}
|
||||
`, v2.DisallowedTestFieldValue)),
|
||||
},
|
||||
},
|
||||
expectedResponse: admissionv1.AdmissionResponse{
|
||||
UID: types.UID("abc"),
|
||||
Allowed: false,
|
||||
Result: &metav1.Status{
|
||||
Status: metav1.StatusFailure, Code: http.StatusNotAcceptable, Reason: metav1.StatusReasonNotAcceptable,
|
||||
Message: "testField: Invalid value: \"not-allowed-in-v2\": value not allowed",
|
||||
},
|
||||
},
|
||||
},
|
||||
}
|
||||
|
||||
for n, test := range tests {
|
||||
|
||||
@ -11,10 +11,8 @@ go_library(
|
||||
"//pkg/util/profiling:go_default_library",
|
||||
"//pkg/webhook/handlers:go_default_library",
|
||||
"//pkg/webhook/server/tls:go_default_library",
|
||||
"//pkg/webhook/server/util:go_default_library",
|
||||
"@com_github_go_logr_logr//:go_default_library",
|
||||
"@io_k8s_api//admission/v1:go_default_library",
|
||||
"@io_k8s_api//admission/v1beta1:go_default_library",
|
||||
"@io_k8s_apiextensions_apiserver//pkg/apis/apiextensions/install:go_default_library",
|
||||
"@io_k8s_apiextensions_apiserver//pkg/apis/apiextensions/v1:go_default_library",
|
||||
"@io_k8s_apiextensions_apiserver//pkg/apis/apiextensions/v1beta1:go_default_library",
|
||||
@ -41,7 +39,6 @@ filegroup(
|
||||
srcs = [
|
||||
":package-srcs",
|
||||
"//pkg/webhook/server/tls:all-srcs",
|
||||
"//pkg/webhook/server/util:all-srcs",
|
||||
],
|
||||
tags = ["automanaged"],
|
||||
visibility = ["//visibility:public"],
|
||||
|
||||
@ -29,7 +29,6 @@ import (
|
||||
"github.com/go-logr/logr"
|
||||
"golang.org/x/sync/errgroup"
|
||||
admissionv1 "k8s.io/api/admission/v1"
|
||||
admissionv1beta1 "k8s.io/api/admission/v1beta1"
|
||||
apiextensionsinstall "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/install"
|
||||
apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
|
||||
apiextensionsv1beta1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1"
|
||||
@ -46,7 +45,6 @@ import (
|
||||
"github.com/jetstack/cert-manager/pkg/util/profiling"
|
||||
"github.com/jetstack/cert-manager/pkg/webhook/handlers"
|
||||
servertls "github.com/jetstack/cert-manager/pkg/webhook/server/tls"
|
||||
webhookutil "github.com/jetstack/cert-manager/pkg/webhook/server/util"
|
||||
)
|
||||
|
||||
var (
|
||||
@ -58,8 +56,6 @@ var (
|
||||
|
||||
func init() {
|
||||
apiextensionsinstall.Install(defaultScheme)
|
||||
|
||||
runtimeutil.Must(admissionv1beta1.AddToScheme(defaultScheme))
|
||||
runtimeutil.Must(admissionv1.AddToScheme(defaultScheme))
|
||||
|
||||
// we need to add the options to empty v1
|
||||
@ -249,55 +245,21 @@ func (s *Server) scheme() *runtime.Scheme {
|
||||
}
|
||||
|
||||
func (s *Server) validate(ctx context.Context, obj runtime.Object) (runtime.Object, error) {
|
||||
outputVersion := admissionv1.SchemeGroupVersion
|
||||
review, isV1 := obj.(*admissionv1.AdmissionReview)
|
||||
if !isV1 {
|
||||
outputVersion = admissionv1beta1.SchemeGroupVersion
|
||||
reviewv1beta1, isv1beta1 := obj.(*admissionv1beta1.AdmissionReview)
|
||||
if !isv1beta1 {
|
||||
return nil, errors.New("request is not of type apiextensions v1 or v1beta1")
|
||||
}
|
||||
review = &admissionv1.AdmissionReview{}
|
||||
webhookutil.Convert_v1beta1_AdmissionReview_To_admission_AdmissionReview(reviewv1beta1, review)
|
||||
return nil, errors.New("request is not of type apiextensions v1")
|
||||
}
|
||||
resp := s.ValidationWebhook.Validate(ctx, review.Request)
|
||||
review.Response = resp
|
||||
|
||||
// reply v1
|
||||
if outputVersion.Version == admissionv1.SchemeGroupVersion.Version {
|
||||
return review, nil
|
||||
}
|
||||
|
||||
// reply v1beta1
|
||||
reviewv1beta1 := &admissionv1beta1.AdmissionReview{}
|
||||
webhookutil.Convert_admission_AdmissionReview_To_v1beta1_AdmissionReview(review, reviewv1beta1)
|
||||
return reviewv1beta1, nil
|
||||
review.Response = s.ValidationWebhook.Validate(ctx, review.Request)
|
||||
return review, nil
|
||||
}
|
||||
|
||||
func (s *Server) mutate(ctx context.Context, obj runtime.Object) (runtime.Object, error) {
|
||||
outputVersion := admissionv1.SchemeGroupVersion
|
||||
review, isV1 := obj.(*admissionv1.AdmissionReview)
|
||||
if !isV1 {
|
||||
outputVersion = admissionv1beta1.SchemeGroupVersion
|
||||
reviewv1beta1, isv1beta1 := obj.(*admissionv1beta1.AdmissionReview)
|
||||
if !isv1beta1 {
|
||||
return nil, errors.New("request is not of type apiextensions v1 or v1beta1")
|
||||
}
|
||||
review = &admissionv1.AdmissionReview{}
|
||||
webhookutil.Convert_v1beta1_AdmissionReview_To_admission_AdmissionReview(reviewv1beta1, review)
|
||||
return nil, errors.New("request is not of type apiextensions v1")
|
||||
}
|
||||
resp := s.MutationWebhook.Mutate(ctx, review.Request)
|
||||
review.Response = resp
|
||||
|
||||
// reply v1
|
||||
if outputVersion.Version == admissionv1.SchemeGroupVersion.Version {
|
||||
return review, nil
|
||||
}
|
||||
|
||||
// reply v1beta1
|
||||
reviewv1beta1 := &admissionv1beta1.AdmissionReview{}
|
||||
webhookutil.Convert_admission_AdmissionReview_To_v1beta1_AdmissionReview(review, reviewv1beta1)
|
||||
return reviewv1beta1, nil
|
||||
review.Response = s.MutationWebhook.Mutate(ctx, review.Request)
|
||||
return review, nil
|
||||
}
|
||||
|
||||
func (s *Server) convert(_ context.Context, obj runtime.Object) (runtime.Object, error) {
|
||||
|
||||
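Review bot: The error returned on the failed type assertion, `errors.New("request is not of type apiextensions v1")` in both validate and mutate, names the wrong API group: the assertion is against `*admissionv1.AdmissionReview` (admission.k8s.io/v1), not apiextensions, and this text is presumably what surfaces when an older API server still posts admission/v1beta1. Suggest `return nil, errors.New("request is not of type admission.k8s.io/v1 AdmissionReview")` in both places, or one shared sentinel such as `var errUnsupportedAdmissionVersion = errors.New(...)` so the two handlers cannot drift apart. Separately, `review.Request` is now handed straight to `Validate`/`Mutate`; a v1 AdmissionReview with no `request` field decodes fine, and whether the downstream handlers tolerate a nil request is not visible from this hunk, so a `if review.Request == nil { return nil, errors.New("admission review has no request") }` guard before each call would make that rejection explicit. Note also that with `admissionv1beta1.AddToScheme` removed from init(), a v1beta1 body will presumably fail at decode time before reaching these functions, so the v1beta1 case of this message may be unreachable — worth a test that posts a v1beta1 AdmissionReview and checks the response the server actually produces.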
@ -1,28 +0,0 @@
|
||||
load("@io_bazel_rules_go//go:def.bzl", "go_library")
|
||||
|
||||
go_library(
|
||||
name = "go_default_library",
|
||||
srcs = ["convert.go"],
|
||||
importpath = "github.com/jetstack/cert-manager/pkg/webhook/server/util",
|
||||
visibility = ["//visibility:public"],
|
||||
deps = [
|
||||
"@io_k8s_api//admission/v1:go_default_library",
|
||||
"@io_k8s_api//admission/v1beta1:go_default_library",
|
||||
"@io_k8s_apimachinery//pkg/apis/meta/v1:go_default_library",
|
||||
"@io_k8s_apimachinery//pkg/types:go_default_library",
|
||||
],
|
||||
)
|
||||
|
||||
filegroup(
|
||||
name = "package-srcs",
|
||||
srcs = glob(["**"]),
|
||||
tags = ["automanaged"],
|
||||
visibility = ["//visibility:private"],
|
||||
)
|
||||
|
||||
filegroup(
|
||||
name = "all-srcs",
|
||||
srcs = [":package-srcs"],
|
||||
tags = ["automanaged"],
|
||||
visibility = ["//visibility:public"],
|
||||
)
|
||||
@ -1,90 +0,0 @@
|
||||
/*
|
||||
Copyright 2020 The cert-manager Authors.
|
||||
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/
|
||||
|
||||
package util
|
||||
|
||||
import (
|
||||
"unsafe"
|
||||
|
||||
admissionv1 "k8s.io/api/admission/v1"
|
||||
admissionv1beta1 "k8s.io/api/admission/v1beta1"
|
||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
"k8s.io/apimachinery/pkg/types"
|
||||
)
|
||||
|
||||
// these conversions are copied from https://github.com/kubernetes/kubernetes/blob/4db3a096ce8ac730b2280494422e1c4cf5fe875e/pkg/apis/admission/v1beta1/zz_generated.conversion.go
|
||||
// to avoid copying in kubernetes/kubernetes
|
||||
// they are slightly modified to remove complexity
|
||||
|
||||
func Convert_v1beta1_AdmissionReview_To_admission_AdmissionReview(in *admissionv1beta1.AdmissionReview, out *admissionv1.AdmissionReview) {
|
||||
if in.Request != nil {
|
||||
if out.Request == nil {
|
||||
out.Request = &admissionv1.AdmissionRequest{}
|
||||
}
|
||||
in, out := &in.Request, &out.Request
|
||||
*out = new(admissionv1.AdmissionRequest)
|
||||
Convert_v1beta1_AdmissionRequest_To_admission_AdmissionRequest(*in, *out)
|
||||
} else {
|
||||
out.Request = nil
|
||||
}
|
||||
out.Response = (*admissionv1.AdmissionResponse)(unsafe.Pointer(in.Response))
|
||||
}
|
||||
|
||||
func Convert_v1beta1_AdmissionRequest_To_admission_AdmissionRequest(in *admissionv1beta1.AdmissionRequest, out *admissionv1.AdmissionRequest) {
|
||||
out.UID = types.UID(in.UID)
|
||||
out.Kind = in.Kind
|
||||
out.Resource = in.Resource
|
||||
out.SubResource = in.SubResource
|
||||
out.RequestKind = (*metav1.GroupVersionKind)(unsafe.Pointer(in.RequestKind))
|
||||
out.RequestResource = (*metav1.GroupVersionResource)(unsafe.Pointer(in.RequestResource))
|
||||
out.RequestSubResource = in.RequestSubResource
|
||||
out.Name = in.Name
|
||||
out.Namespace = in.Namespace
|
||||
out.Operation = admissionv1.Operation(in.Operation)
|
||||
out.Object = in.Object
|
||||
out.OldObject = in.OldObject
|
||||
out.Options = in.Options
|
||||
}
|
||||
|
||||
func Convert_admission_AdmissionReview_To_v1beta1_AdmissionReview(in *admissionv1.AdmissionReview, out *admissionv1beta1.AdmissionReview) {
|
||||
if in.Request != nil {
|
||||
if out.Request == nil {
|
||||
out.Request = &admissionv1beta1.AdmissionRequest{}
|
||||
}
|
||||
in, out := &in.Request, &out.Request
|
||||
*out = new(admissionv1beta1.AdmissionRequest)
|
||||
Convert_admission_AdmissionRequest_To_v1beta1_AdmissionRequest(*in, *out)
|
||||
} else {
|
||||
out.Request = nil
|
||||
}
|
||||
out.Response = (*admissionv1beta1.AdmissionResponse)(unsafe.Pointer(in.Response))
|
||||
}
|
||||
|
||||
func Convert_admission_AdmissionRequest_To_v1beta1_AdmissionRequest(in *admissionv1.AdmissionRequest, out *admissionv1beta1.AdmissionRequest) {
|
||||
out.UID = types.UID(in.UID)
|
||||
out.Kind = in.Kind
|
||||
out.Resource = in.Resource
|
||||
out.SubResource = in.SubResource
|
||||
out.RequestKind = (*metav1.GroupVersionKind)(unsafe.Pointer(in.RequestKind))
|
||||
out.RequestResource = (*metav1.GroupVersionResource)(unsafe.Pointer(in.RequestResource))
|
||||
out.RequestSubResource = in.RequestSubResource
|
||||
out.Name = in.Name
|
||||
out.Namespace = in.Namespace
|
||||
out.Operation = admissionv1beta1.Operation(in.Operation)
|
||||
out.Object = in.Object
|
||||
out.OldObject = in.OldObject
|
||||
out.Options = in.Options
|
||||
}
|
||||