add logs for pod, replica set validating webhooks (#722)
Arvindthiru authored Mar 15, 2024
1 parent f3d06c4 commit 3914b93
Showing 2 changed files with 26 additions and 2 deletions.
14 changes: 13 additions & 1 deletion pkg/webhook/pod/pod_validating_webhook.go
Expand Up @@ -12,13 +12,21 @@ import (

admissionv1 "k8s.io/api/admission/v1"
corev1 "k8s.io/api/core/v1"
"k8s.io/apimachinery/pkg/types"
"k8s.io/klog/v2"
"sigs.k8s.io/controller-runtime/pkg/manager"
"sigs.k8s.io/controller-runtime/pkg/webhook"
"sigs.k8s.io/controller-runtime/pkg/webhook/admission"

"go.goms.io/fleet/pkg/utils"
)

const (
deniedPodResource = "Pod creation is disallowed in the fleet hub cluster"
allowedPodResource = "Pod creation is allowed in the fleet hub cluster"
podDeniedFormat = "Pod %s/%s creation is disallowed in the fleet hub cluster"
)

var (
// ValidationPath is the webhook service path which admission requests are routed to for validating Pod resources.
ValidationPath = fmt.Sprintf(utils.ValidationPathFmt, corev1.SchemeGroupVersion.Group, corev1.SchemeGroupVersion.Version, "pod")
Expand All @@ -37,15 +45,19 @@ type podValidator struct {

// Handle podValidator denies a pod if it is not created in the system namespaces.
func (v *podValidator) Handle(_ context.Context, req admission.Request) admission.Response {
namespacedName := types.NamespacedName{Name: req.Name, Namespace: req.Namespace}
if req.Operation == admissionv1.Create {
klog.V(2).InfoS("handling pod resource", "operation", req.Operation, "subResource", req.SubResource, "namespacedName", namespacedName)
pod := &corev1.Pod{}
err := v.decoder.Decode(req, pod)
if err != nil {
return admission.Errored(http.StatusBadRequest, err)
}
if !utils.IsReservedNamespace(pod.Namespace) {
return admission.Denied(fmt.Sprintf("Pod %s/%s creation is disallowed in the fleet hub cluster", pod.Namespace, pod.Name))
klog.V(2).InfoS(deniedPodResource, "user", req.UserInfo.Username, "groups", req.UserInfo.Groups, "operation", req.Operation, "GVK", req.RequestKind, "subResource", req.SubResource, "namespacedName", namespacedName)
return admission.Denied(fmt.Sprintf(podDeniedFormat, pod.Namespace, pod.Name))
}
}
klog.V(3).InfoS(allowedPodResource, "user", req.UserInfo.Username, "groups", req.UserInfo.Groups, "operation", req.Operation, "GVK", req.RequestKind, "subResource", req.SubResource, "namespacedName", namespacedName)
return admission.Allowed("")
}
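Review bot: The `klog.V(3).InfoS(allowedPodResource, …)` call placed after the create block runs for every operation this webhook receives, not only CREATE, so UPDATE, DELETE and CONNECT requests are all logged as "Pod creation is allowed in the fleet hub cluster"; either move that line inside the `if req.Operation == admissionv1.Create {` block, just before its closing brace, or reword the constant to `allowedPodResource = "Pod resource request is allowed in the fleet hub cluster"`. The new denial log keys on `namespacedName`, built from `req.Name`/`req.Namespace`, while the deny decision and the returned reason use `pod.Namespace`/`pod.Name` from the decoded object; if those can diverge (for instance when the object name is generated server-side and `req.Name` may be empty), the audit line and the reason would describe different objects, so logging the decoded values alongside would make the record unambiguous. The denial is the security-relevant event in this handler, and at `klog.V(2)` it is suppressed under klog's default verbosity, so a plain `klog.InfoS(deniedPodResource, …)` on the deny path would keep it visible in production logs. The same three points apply to the replicaset_validating_webhook.go section below, which mirrors this structure line for line.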
14 changes: 13 additions & 1 deletion pkg/webhook/replicaset/replicaset_validating_webhook.go
Expand Up @@ -12,13 +12,21 @@ import (

admissionv1 "k8s.io/api/admission/v1"
appsv1 "k8s.io/api/apps/v1"
"k8s.io/apimachinery/pkg/types"
"k8s.io/klog/v2"
"sigs.k8s.io/controller-runtime/pkg/manager"
"sigs.k8s.io/controller-runtime/pkg/webhook"
"sigs.k8s.io/controller-runtime/pkg/webhook/admission"

"go.goms.io/fleet/pkg/utils"
)

const (
deniedReplicaSetResource = "ReplicaSet creation is disallowed in the fleet hub cluster"
allowedReplicaSetResource = "ReplicaSet creation is allowed in the fleet hub cluster"
replicaSetDeniedFormat = "ReplicaSet %s/%s creation is disallowed in the fleet hub cluster."
)

var (
// ValidationPath is the webhook service path which admission requests are routed to for validating ReplicaSet resources.
ValidationPath = fmt.Sprintf(utils.ValidationPathFmt, appsv1.SchemeGroupVersion.Group, appsv1.SchemeGroupVersion.Version, "replicaset")
Expand All @@ -37,14 +45,18 @@ func Add(mgr manager.Manager) error {

// Handle replicaSetValidator denies all creation requests.
func (v *replicaSetValidator) Handle(_ context.Context, req admission.Request) admission.Response {
namespacedName := types.NamespacedName{Name: req.Name, Namespace: req.Namespace}
if req.Operation == admissionv1.Create {
klog.V(2).InfoS("handling replicaSet resource", "operation", req.Operation, "subResource", req.SubResource, "namespacedName", namespacedName)
rs := &appsv1.ReplicaSet{}
if err := v.decoder.Decode(req, rs); err != nil {
return admission.Errored(http.StatusBadRequest, err)
}
if !utils.IsReservedNamespace(rs.Namespace) {
return admission.Denied(fmt.Sprintf("ReplicaSet %s/%s creation is disallowed in the fleet hub cluster.", rs.Namespace, rs.Name))
klog.V(2).InfoS(deniedReplicaSetResource, "user", req.UserInfo.Username, "groups", req.UserInfo.Groups, "operation", req.Operation, "GVK", req.RequestKind, "subResource", req.SubResource, "namespacedName", namespacedName)
return admission.Denied(fmt.Sprintf(replicaSetDeniedFormat, rs.Namespace, rs.Name))
}
}
klog.V(3).InfoS(allowedReplicaSetResource, "user", req.UserInfo.Username, "groups", req.UserInfo.Groups, "operation", req.Operation, "GVK", req.RequestKind, "subResource", req.SubResource, "namespacedName", namespacedName)
return admission.Allowed("")
}
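Review bot: The new `replicaSetDeniedFormat` constant keeps a trailing period in the denial reason while the two log constants above it and the pod webhook's `podDeniedFormat` have none, so the user-facing reason is formatted inconsistently across the two webhooks; drop it: `replicaSetDeniedFormat = "ReplicaSet %s/%s creation is disallowed in the fleet hub cluster"`. The doc comment `// Handle replicaSetValidator denies all creation requests.` (context, not changed here) also no longer matches the body, which allows creations in reserved namespaces; `// Handle denies ReplicaSet creation outside the reserved namespaces.` would describe what the function does.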
