/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package v1
import (
"context"
"fmt"
ctrl "sigs.k8s.io/controller-runtime"
"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
"github.com/go-logr/logr"
"github.com/kubewarden/adm-controller/internal/constants"
)
// SetupWebhookWithManager registers the AdmissionPolicy webhook with the controller manager.
//
// One mutating (defaulting) handler and one validating handler are wired up
// for the AdmissionPolicy type; both share a logger derived from the
// manager's logger. Any error returned by the webhook builder is wrapped
// with context and handed back to the caller.
func (r *AdmissionPolicy) SetupWebhookWithManager(mgr ctrl.Manager) error {
	log := mgr.GetLogger().WithName("admissionpolicy-webhook")

	defaulter := &admissionPolicyDefaulter{logger: log}
	validator := &admissionPolicyValidator{logger: log}

	wb := ctrl.NewWebhookManagedBy(mgr, r)
	wb = wb.WithDefaulter(defaulter)
	wb = wb.WithValidator(validator)

	if err := wb.Complete(); err != nil {
		return fmt.Errorf("failed enrolling webhook with manager: %w", err)
	}
	return nil
}
//+kubebuilder:webhook:path=/mutate-policies-kubewarden-io-v1-admissionpolicy,mutating=true,failurePolicy=fail,sideEffects=None,groups=policies.kubewarden.io,resources=admissionpolicies,verbs=create;update,versions=v1,name=madmissionpolicy.kb.io,admissionReviewVersions={v1,v1beta1}

// admissionPolicyDefaulter sets default values of AdmissionPolicy objects when they are created or updated.
//
// The kubebuilder marker above generates the MutatingWebhookConfiguration for
// this handler; it is served on the /mutate-... path with failurePolicy=fail,
// so a defaulter that is unreachable rejects the request rather than letting
// an un-defaulted object through.
type admissionPolicyDefaulter struct {
	// logger is the manager-derived logger handed in by SetupWebhookWithManager.
	logger logr.Logger
}
// Default implements webhook.CustomDefaulter so a webhook will be registered for the type.
//
// Two mutations are applied in place: an empty Spec.PolicyServer is replaced
// with constants.DefaultPolicyServer, and, when the object carries no
// deletion timestamp, constants.KubewardenFinalizer is added to its
// finalizers. The method never returns an error.
func (d *admissionPolicyDefaulter) Default(_ context.Context, admissionPolicy *AdmissionPolicy) error {
	// An unset policy server means "use the default one".
	if len(admissionPolicy.Spec.PolicyServer) == 0 {
		admissionPolicy.Spec.PolicyServer = constants.DefaultPolicyServer
	}

	// Only attach the finalizer to objects that are not already terminating,
	// so the defaulter does not re-add it on updates made during deletion.
	terminating := admissionPolicy.ObjectMeta.DeletionTimestamp != nil
	if !terminating {
		controllerutil.AddFinalizer(admissionPolicy, constants.KubewardenFinalizer)
	}

	return nil
}
//+kubebuilder:webhook:path=/validate-policies-kubewarden-io-v1-admissionpolicy,mutating=false,failurePolicy=fail,sideEffects=None,groups=policies.kubewarden.io,resources=admissionpolicies,verbs=create;update,versions=v1,name=vadmissionpolicy.kb.io,admissionReviewVersions={v1,v1beta1}

// admissionPolicyValidator validates AdmissionPolicy objects when they are created, updated, or deleted.
//
// The kubebuilder marker above generates the ValidatingWebhookConfiguration
// for this handler with failurePolicy=fail. Note that the marker registers
// the webhook for verbs create;update only; ValidateDelete exists to satisfy
// webhook.CustomValidator but is not invoked by the API server unless the
// generated configuration is extended with the delete verb.
type admissionPolicyValidator struct {
	// logger is the manager-derived logger handed in by SetupWebhookWithManager.
	logger logr.Logger
}
// ValidateCreate implements webhook.CustomValidator so a webhook will be registered for the type.
//
// The object is checked with validatePolicyCreate; when that reports any
// problem the request is rejected with the error built by
// prepareInvalidAPIError, otherwise it is admitted. No warnings are emitted.
func (v *admissionPolicyValidator) ValidateCreate(_ context.Context, admissionPolicy *AdmissionPolicy) (admission.Warnings, error) {
	v.logger.Info("Validating AdmissionPolicy creation", "name", admissionPolicy.GetName())

	if errs := validatePolicyCreate(admissionPolicy); len(errs) > 0 {
		return nil, prepareInvalidAPIError(admissionPolicy, errs)
	}
	return nil, nil
}
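// ValidateUpdate implements webhook.CustomValidator so a webhook will be registered for the type.
//
// The old and new objects are compared by validatePolicyUpdate; any reported
// problem rejects the request with the error built by prepareInvalidAPIError
// (attributed to the new object), otherwise the update is admitted. No
// warnings are emitted.
func (v *admissionPolicyValidator) ValidateUpdate(_ context.Context, oldAdmissionPolicy, newAdmissionPolicy *AdmissionPolicy) (admission.Warnings, error) {
	// This handler serves AdmissionPolicy, not ClusterAdmissionPolicy; the
	// log line previously named the wrong kind, which makes audit/log
	// correlation misleading.
	v.logger.Info("Validating AdmissionPolicy update", "name", newAdmissionPolicy.GetName())

	allErrors := validatePolicyUpdate(oldAdmissionPolicy, newAdmissionPolicy)
	if len(allErrors) != 0 {
		return nil, prepareInvalidAPIError(newAdmissionPolicy, allErrors)
	}
	return nil, nil
}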
// ValidateDelete implements webhook.CustomValidator so a webhook will be registered for the type.
//
// Deletion is only logged; no checks are performed and the request is always
// admitted with no warnings.
func (v *admissionPolicyValidator) ValidateDelete(_ context.Context, admissionPolicy *AdmissionPolicy) (admission.Warnings, error) {
	name := admissionPolicy.GetName()
	v.logger.Info("Validating AdmissionPolicy delete", "name", name)

	var warnings admission.Warnings
	return warnings, nil
}