
Commit 3914b93

add logs for pod, replica set validating webhooks (#722)
1 parent f3d06c4 commit 3914b93

2 files changed

+26
-2
lines changed


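--- a/pkg/webhook/pod/pod_validating_webhook.go
+++ b/pkg/webhook/pod/pod_validating_webhook.go
@@ -12,13 +12,21 @@ import (
 
 admissionv1 "k8s.io/api/admission/v1"
 corev1 "k8s.io/api/core/v1"
+"k8s.io/apimachinery/pkg/types"
+"k8s.io/klog/v2"
 "sigs.k8s.io/controller-runtime/pkg/manager"
 "sigs.k8s.io/controller-runtime/pkg/webhook"
 "sigs.k8s.io/controller-runtime/pkg/webhook/admission"
 
 "go.goms.io/fleet/pkg/utils"
 )
 
+const (
+deniedPodResource = "Pod creation is disallowed in the fleet hub cluster"
+allowedPodResource = "Pod creation is allowed in the fleet hub cluster"
+podDeniedFormat = "Pod %s/%s creation is disallowed in the fleet hub cluster"
+)
+
 var (
 // ValidationPath is the webhook service path which admission requests are routed to for validating Pod resources.
 ValidationPath = fmt.Sprintf(utils.ValidationPathFmt, corev1.SchemeGroupVersion.Group, corev1.SchemeGroupVersion.Version, "pod")
@@ -37,15 +45,19 @@ type podValidator struct {
 
 // Handle podValidator denies a pod if it is not created in the system namespaces.
 func (v *podValidator) Handle(_ context.Context, req admission.Request) admission.Response {
+namespacedName := types.NamespacedName{Name: req.Name, Namespace: req.Namespace}
 if req.Operation == admissionv1.Create {
+klog.V(2).InfoS("handling pod resource", "operation", req.Operation, "subResource", req.SubResource, "namespacedName", namespacedName)
 pod := &corev1.Pod{}
 err := v.decoder.Decode(req, pod)
 if err != nil {
 return admission.Errored(http.StatusBadRequest, err)
 }
 if !utils.IsReservedNamespace(pod.Namespace) {
-return admission.Denied(fmt.Sprintf("Pod %s/%s creation is disallowed in the fleet hub cluster", pod.Namespace, pod.Name))
+klog.V(2).InfoS(deniedPodResource, "user", req.UserInfo.Username, "groups", req.UserInfo.Groups, "operation", req.Operation, "GVK", req.RequestKind, "subResource", req.SubResource, "namespacedName", namespacedName)
+return admission.Denied(fmt.Sprintf(podDeniedFormat, pod.Namespace, pod.Name))
 }
 }
+klog.V(3).InfoS(allowedPodResource, "user", req.UserInfo.Username, "groups", req.UserInfo.Groups, "operation", req.Operation, "GVK", req.RequestKind, "subResource", req.SubResource, "namespacedName", namespacedName)
 return admission.Allowed("")
 }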
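Review bot: The V(3) "allowed" log at the end of Handle fires for every operation, not only Create, because it sits outside the `if req.Operation == admissionv1.Create` block, so an UPDATE or DELETE on a pod is recorded as `Pod creation is allowed in the fleet hub cluster`; the `allowedReplicaSetResource` line in the replicaset webhook has the same problem. Either move the log into the Create branch and emit a separate message for pass-through operations, or make the constant operation-neutral, e.g. `allowedPodResource = "Pod request is allowed in the fleet hub cluster"`. Separately, `namespacedName` is built from `req.Name`, which the API server may leave empty on a CREATE that relies on generateName, while the denial itself keys on the decoded `pod.Namespace`/`pod.Name`; adding `"podName", pod.Name` to the denied log line keeps the audit record and the decision consistent for anyone correlating denials by name.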

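--- a/pkg/webhook/replicaset/replicaset_validating_webhook.go
+++ b/pkg/webhook/replicaset/replicaset_validating_webhook.go
@@ -12,13 +12,21 @@ import (
 
 admissionv1 "k8s.io/api/admission/v1"
 appsv1 "k8s.io/api/apps/v1"
+"k8s.io/apimachinery/pkg/types"
+"k8s.io/klog/v2"
 "sigs.k8s.io/controller-runtime/pkg/manager"
 "sigs.k8s.io/controller-runtime/pkg/webhook"
 "sigs.k8s.io/controller-runtime/pkg/webhook/admission"
 
 "go.goms.io/fleet/pkg/utils"
 )
 
+const (
+deniedReplicaSetResource = "ReplicaSet creation is disallowed in the fleet hub cluster"
+allowedReplicaSetResource = "ReplicaSet creation is allowed in the fleet hub cluster"
+replicaSetDeniedFormat = "ReplicaSet %s/%s creation is disallowed in the fleet hub cluster."
+)
+
 var (
 // ValidationPath is the webhook service path which admission requests are routed to for validating ReplicaSet resources.
 ValidationPath = fmt.Sprintf(utils.ValidationPathFmt, appsv1.SchemeGroupVersion.Group, appsv1.SchemeGroupVersion.Version, "replicaset")
@@ -37,14 +45,18 @@ func Add(mgr manager.Manager) error {
 
 // Handle replicaSetValidator denies all creation requests.
 func (v *replicaSetValidator) Handle(_ context.Context, req admission.Request) admission.Response {
+namespacedName := types.NamespacedName{Name: req.Name, Namespace: req.Namespace}
 if req.Operation == admissionv1.Create {
+klog.V(2).InfoS("handling replicaSet resource", "operation", req.Operation, "subResource", req.SubResource, "namespacedName", namespacedName)
 rs := &appsv1.ReplicaSet{}
 if err := v.decoder.Decode(req, rs); err != nil {
 return admission.Errored(http.StatusBadRequest, err)
 }
 if !utils.IsReservedNamespace(rs.Namespace) {
-return admission.Denied(fmt.Sprintf("ReplicaSet %s/%s creation is disallowed in the fleet hub cluster.", rs.Namespace, rs.Name))
+klog.V(2).InfoS(deniedReplicaSetResource, "user", req.UserInfo.Username, "groups", req.UserInfo.Groups, "operation", req.Operation, "GVK", req.RequestKind, "subResource", req.SubResource, "namespacedName", namespacedName)
+return admission.Denied(fmt.Sprintf(replicaSetDeniedFormat, rs.Namespace, rs.Name))
 }
 }
+klog.V(3).InfoS(allowedReplicaSetResource, "user", req.UserInfo.Username, "groups", req.UserInfo.Groups, "operation", req.Operation, "GVK", req.RequestKind, "subResource", req.SubResource, "namespacedName", namespacedName)
 return admission.Allowed("")
 }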
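Review bot: `replicaSetDeniedFormat` carries over the trailing period from the original literal while `podDeniedFormat` in the pod webhook and the two other constants in this block have none, so the two webhooks' denial messages now differ only in punctuation, which is awkward for anyone matching on them in audit or alerting rules; suggest `replicaSetDeniedFormat = "ReplicaSet %s/%s creation is disallowed in the fleet hub cluster"`. The context comment `// Handle replicaSetValidator denies all creation requests.` also no longer matches the body, which allows creation inside reserved namespaces; `// Handle replicaSetValidator denies a ReplicaSet if it is not created in a reserved namespace.` would describe the actual decision.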
