Sign in Sign up
Explore Enterprise Education Gitee Premium Gitee AI
Scan WeChat QR to Pay
Cancel
Complete
Watch
Unwatch Watching Releases Only Ignoring
1 Star 0 Fork 0

zhuchance / kubernetes

Code Issues 0 Pull Requests 0 Wiki Insights Pipelines
Service
Create your Gitee Account
Explore and code with more than 12 million developers,Free private repositories !:)
Sign up
Clone or Download
admission.go 10.35 KB
Copy Edit Raw Blame History
Dr. Stefan Schimanski authored 2018-06-11 14:27 . Cherry pick of #64255: fix field removal in mutating admission webhooks
123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327
/*

Copyright 2017 The Kubernetes Authors.



Licensed under the Apache License, Version 2.0 (the "License");

you may not use this file except in compliance with the License.

You may obtain a copy of the License at



    http://www.apache.org/licenses/LICENSE-2.0



Unless required by applicable law or agreed to in writing, software

distributed under the License is distributed on an "AS IS" BASIS,

WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

See the License for the specific language governing permissions and

limitations under the License.

*/



// Package mutating delegates admission checks to dynamically configured

// mutating webhooks.

package mutating



import (

	"context"

	"fmt"

	"io"

	"time"



	jsonpatch "github.com/evanphx/json-patch"

	"github.com/golang/glog"



	admissionv1beta1 "k8s.io/api/admission/v1beta1"

	"k8s.io/api/admissionregistration/v1beta1"

	apierrors "k8s.io/apimachinery/pkg/api/errors"

	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"

	"k8s.io/apimachinery/pkg/runtime"

	"k8s.io/apimachinery/pkg/runtime/serializer/json"

	utilruntime "k8s.io/apimachinery/pkg/util/runtime"

	"k8s.io/apiserver/pkg/admission"

	"k8s.io/apiserver/pkg/admission/configuration"

	genericadmissioninit "k8s.io/apiserver/pkg/admission/initializer"

	admissionmetrics "k8s.io/apiserver/pkg/admission/metrics"

	"k8s.io/apiserver/pkg/admission/plugin/webhook/config"

	webhookerrors "k8s.io/apiserver/pkg/admission/plugin/webhook/errors"

	"k8s.io/apiserver/pkg/admission/plugin/webhook/namespace"

	"k8s.io/apiserver/pkg/admission/plugin/webhook/request"

	"k8s.io/apiserver/pkg/admission/plugin/webhook/rules"

	"k8s.io/apiserver/pkg/admission/plugin/webhook/versioned"

	"k8s.io/client-go/informers"

	clientset "k8s.io/client-go/kubernetes"

)



const (

	// Name of admission plug-in

	PluginName = "MutatingAdmissionWebhook"

)



// Register registers a plugin

func Register(plugins *admission.Plugins) {

	plugins.Register(PluginName, func(configFile io.Reader) (admission.Interface, error) {

		plugin, err := NewMutatingWebhook(configFile)

		if err != nil {

			return nil, err

		}



		return plugin, nil

	})

}



// WebhookSource can list dynamic webhook plugins.

type WebhookSource interface {

	Webhooks() *v1beta1.MutatingWebhookConfiguration

}



// NewMutatingWebhook returns a generic admission webhook plugin.

func NewMutatingWebhook(configFile io.Reader) (*MutatingWebhook, error) {

	kubeconfigFile, err := config.LoadConfig(configFile)

	if err != nil {

		return nil, err

	}



	cm, err := config.NewClientManager()

	if err != nil {

		return nil, err

	}

	authInfoResolver, err := config.NewDefaultAuthenticationInfoResolver(kubeconfigFile)

	if err != nil {

		return nil, err

	}

	// Set defaults which may be overridden later.

	cm.SetAuthenticationInfoResolver(authInfoResolver)

	cm.SetServiceResolver(config.NewDefaultServiceResolver())



	return &MutatingWebhook{

		Handler: admission.NewHandler(

			admission.Connect,

			admission.Create,

			admission.Delete,

			admission.Update,

		),

		clientManager: cm,

	}, nil

}



var _ admission.MutationInterface = &MutatingWebhook{}



// MutatingWebhook is an implementation of admission.Interface.

type MutatingWebhook struct {

	*admission.Handler

	hookSource       WebhookSource

	namespaceMatcher namespace.Matcher

	clientManager    config.ClientManager

	convertor        versioned.Convertor

	defaulter        runtime.ObjectDefaulter

	jsonSerializer   runtime.Serializer

}



var (

	_ = genericadmissioninit.WantsExternalKubeClientSet(&MutatingWebhook{})

)



// TODO find a better way wire this, but keep this pull small for now.

func (a *MutatingWebhook) SetAuthenticationInfoResolverWrapper(wrapper config.AuthenticationInfoResolverWrapper) {

	a.clientManager.SetAuthenticationInfoResolverWrapper(wrapper)

}



// SetServiceResolver sets a service resolver for the webhook admission plugin.

// Passing a nil resolver does not have an effect, instead a default one will be used.

func (a *MutatingWebhook) SetServiceResolver(sr config.ServiceResolver) {

	a.clientManager.SetServiceResolver(sr)

}



// SetScheme sets a serializer(NegotiatedSerializer) which is derived from the scheme

func (a *MutatingWebhook) SetScheme(scheme *runtime.Scheme) {

	if scheme != nil {

		a.convertor.Scheme = scheme

		a.defaulter = scheme

		a.jsonSerializer = json.NewSerializer(json.DefaultMetaFactory, scheme, scheme, false)

	}

}



// WantsExternalKubeClientSet defines a function which sets external ClientSet for admission plugins that need it

func (a *MutatingWebhook) SetExternalKubeClientSet(client clientset.Interface) {

	a.namespaceMatcher.Client = client

}



// SetExternalKubeInformerFactory implements the WantsExternalKubeInformerFactory interface.

func (a *MutatingWebhook) SetExternalKubeInformerFactory(f informers.SharedInformerFactory) {

	namespaceInformer := f.Core().V1().Namespaces()

	a.namespaceMatcher.NamespaceLister = namespaceInformer.Lister()

	mutatingWebhookConfigurationsInformer := f.Admissionregistration().V1beta1().MutatingWebhookConfigurations()

	a.hookSource = configuration.NewMutatingWebhookConfigurationManager(mutatingWebhookConfigurationsInformer)

	a.SetReadyFunc(func() bool {

		return namespaceInformer.Informer().HasSynced() && mutatingWebhookConfigurationsInformer.Informer().HasSynced()

	})

}



// ValidateInitialization implements the InitializationValidator interface.

func (a *MutatingWebhook) ValidateInitialization() error {

	if a.hookSource == nil {

		return fmt.Errorf("MutatingWebhook admission plugin requires a Kubernetes client to be provided")

	}

	if a.jsonSerializer == nil {

		return fmt.Errorf("MutatingWebhook admission plugin's jsonSerializer is not properly setup")

	}

	if err := a.namespaceMatcher.Validate(); err != nil {

		return fmt.Errorf("MutatingWebhook.namespaceMatcher is not properly setup: %v", err)

	}

	if err := a.clientManager.Validate(); err != nil {

		return fmt.Errorf("MutatingWebhook.clientManager is not properly setup: %v", err)

	}

	if err := a.convertor.Validate(); err != nil {

		return fmt.Errorf("MutatingWebhook.convertor is not properly setup: %v", err)

	}

	if a.defaulter == nil {

		return fmt.Errorf("MutatingWebhook.defaulter is not properly setup")

	}

	return nil

}



func (a *MutatingWebhook) loadConfiguration(attr admission.Attributes) *v1beta1.MutatingWebhookConfiguration {

	hookConfig := a.hookSource.Webhooks()

	return hookConfig

}



// Admit makes an admission decision based on the request attributes.

func (a *MutatingWebhook) Admit(attr admission.Attributes) error {

	if rules.IsWebhookConfigurationResource(attr) {

		return nil

	}



	if !a.WaitForReady() {

		return admission.NewForbidden(attr, fmt.Errorf("not yet ready to handle request"))

	}



	hookConfig := a.loadConfiguration(attr)

	hooks := hookConfig.Webhooks

	ctx := context.TODO()



	var relevantHooks []*v1beta1.Webhook

	for i := range hooks {

		call, err := a.shouldCallHook(&hooks[i], attr)

		if err != nil {

			return err

		}

		if call {

			relevantHooks = append(relevantHooks, &hooks[i])

		}

	}



	if len(relevantHooks) == 0 {

		// no matching hooks

		return nil

	}



	// convert the object to the external version before sending it to the webhook

	versionedAttr := &versioned.Attributes{

		Attributes: attr,

	}

	if oldObj := attr.GetOldObject(); oldObj != nil {

		out, err := a.convertor.ConvertToGVK(oldObj, attr.GetKind())

		if err != nil {

			return apierrors.NewInternalError(err)

		}

		versionedAttr.OldObject = out

	}

	if obj := attr.GetObject(); obj != nil {

		out, err := a.convertor.ConvertToGVK(obj, attr.GetKind())

		if err != nil {

			return apierrors.NewInternalError(err)

		}

		versionedAttr.Object = out

	}



	for _, hook := range relevantHooks {

		t := time.Now()

		err := a.callAttrMutatingHook(ctx, hook, versionedAttr)

		admissionmetrics.Metrics.ObserveWebhook(time.Since(t), err != nil, attr, "admit", hook.Name)

		if err == nil {

			continue

		}



		ignoreClientCallFailures := hook.FailurePolicy != nil && *hook.FailurePolicy == v1beta1.Ignore

		if callErr, ok := err.(*webhookerrors.ErrCallingWebhook); ok {

			if ignoreClientCallFailures {

				glog.Warningf("Failed calling webhook, failing open %v: %v", hook.Name, callErr)

				utilruntime.HandleError(callErr)

				continue

			}

			glog.Warningf("Failed calling webhook, failing closed %v: %v", hook.Name, err)

		}

		return apierrors.NewInternalError(err)

	}



	// convert attr.Object to the internal version

	return a.convertor.Convert(versionedAttr.Object, attr.GetObject())

}



// TODO: factor into a common place along with the validating webhook version.

func (a *MutatingWebhook) shouldCallHook(h *v1beta1.Webhook, attr admission.Attributes) (bool, *apierrors.StatusError) {

	var matches bool

	for _, r := range h.Rules {

		m := rules.Matcher{Rule: r, Attr: attr}

		if m.Matches() {

			matches = true

			break

		}

	}

	if !matches {

		return false, nil

	}



	return a.namespaceMatcher.MatchNamespaceSelector(h, attr)

}



// note that callAttrMutatingHook updates attr

func (a *MutatingWebhook) callAttrMutatingHook(ctx context.Context, h *v1beta1.Webhook, attr *versioned.Attributes) error {

	// Make the webhook request

	request := request.CreateAdmissionReview(attr)

	client, err := a.clientManager.HookClient(h)

	if err != nil {

		return &webhookerrors.ErrCallingWebhook{WebhookName: h.Name, Reason: err}

	}

	response := &admissionv1beta1.AdmissionReview{}

	if err := client.Post().Context(ctx).Body(&request).Do().Into(response); err != nil {

		return &webhookerrors.ErrCallingWebhook{WebhookName: h.Name, Reason: err}

	}



	if !response.Response.Allowed {

		return webhookerrors.ToStatusErr(h.Name, response.Response.Result)

	}



	patchJS := response.Response.Patch

	if len(patchJS) == 0 {

		return nil

	}

	patchObj, err := jsonpatch.DecodePatch(patchJS)

	if err != nil {

		return apierrors.NewInternalError(err)

	}

	objJS, err := runtime.Encode(a.jsonSerializer, attr.Object)

	if err != nil {

		return apierrors.NewInternalError(err)

	}

	patchedJS, err := patchObj.Apply(objJS)

	if err != nil {

		return apierrors.NewInternalError(err)

	}



	var newObject runtime.Object

	if _, ok := attr.Object.(*unstructured.Unstructured); ok {

		// Custom Resources don't have corresponding Go struct's.

		// They are represented as Unstructured.

		newObject = &unstructured.Unstructured{}

	} else {

		newObject, err = a.convertor.Scheme.New(attr.GetKind())

		if err != nil {

			return apierrors.NewInternalError(err)

		}

	}

	newObject, _, err = a.jsonSerializer.Decode(patchedJS, nil, newObject)

	if err != nil {

		return apierrors.NewInternalError(err)

	}

	attr.Object = newObject



	a.defaulter.Default(attr.Object)

	return nil

}
马建仓 AI 助手
尝试更多
代码解读
代码找茬
代码优化
Go
1
https://gitee.com/meoom/kubernetes.git
git@gitee.com:meoom/kubernetes.git
meoom
kubernetes
kubernetes
v1.10.11-beta.0
Going to Help Center

Search

Git 命令在线学习 如何在 Gitee 导入 GitHub 仓库
Git 仓库基础操作
企业版和社区版功能对比
SSH 公钥设置
如何处理代码冲突
仓库体积过大,如何减小?
如何找回被删除的仓库数据
Gitee 产品配额说明
GitHub仓库快速导入Gitee及同步更新
什么是 Release(发行版)
将 PHP 项目自动发布到 packagist.org
Comment
Repository Report
Back to the top
344bd9b3 5694891 D2dac590 5694891