Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat(webhook): add validation for namspace delete requests #1754

Merged
merged 3 commits into from
Sep 14, 2020
Merged

feat(webhook): add validation for namspace delete requests #1754

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
37b9c4c
feat(webhook): add validation for namspace delete requests
shubham14bajpai Sep 14, 2020
972348d
this commit fixes the log message and adds changelog
shubham14bajpai Sep 14, 2020
2733534
added ndm clientset to webhook struct
shubham14bajpai Sep 14, 2020
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
18 changes: 18 additions & 0 deletions pkg/webhook/configuration.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -81,6 +81,7 @@ var (
addCSPCDeleteRule,
addCVCWithUpdateRule,
addSPCWithDeleteRule,
addNSWithDeleteRule,
}
cvcRuleWithOperations = v1beta1.RuleWithOperations{
Operations: []v1beta1.OperationType{
Expand All @@ -102,6 +103,16 @@ var (
Resources: []string{"storagepoolclaims"},
},
}
nsRuleWithOperations = v1beta1.RuleWithOperations{
Operations: []v1beta1.OperationType{
v1beta1.Delete,
},
Rule: v1beta1.Rule{
APIGroups: []string{"*"},
APIVersions: []string{"*"},
Resources: []string{"namespaces"},
},
}
)

// createWebhookService creates our webhook Service resource if it does not
Expand Down Expand Up @@ -214,6 +225,7 @@ func createValidatingWebhookConfig(
},
cvcRuleWithOperations,
spcRuleWithOperations,
nsRuleWithOperations,
},
ClientConfig: v1beta1.WebhookClientConfig{
Service: &v1beta1.ServiceReference{
Expand Down Expand Up @@ -507,6 +519,12 @@ func addSPCWithDeleteRule(config *v1beta1.ValidatingWebhookConfiguration) {
}
}

func addNSWithDeleteRule(config *v1beta1.ValidatingWebhookConfiguration) {
if util.IsCurrentLessThanNewVersion(config.Labels[string(apis.OpenEBSVersionKey)], "2.1.0") {
config.Webhooks[0].Rules = append(config.Webhooks[0].Rules, nsRuleWithOperations)
}
}

func getOldService(openebsNamespace string) (*corev1.ServiceList, error) {
v100SVCName := "admission-server-svc"
// fetch service 1.1.0 onwards based on label
Expand Down
70 changes: 70 additions & 0 deletions pkg/webhook/webhook.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -27,6 +27,7 @@ import (

snapshot "github.com/openebs/maya/pkg/apis/openebs.io/snapshot/v1"
"github.com/openebs/maya/pkg/apis/openebs.io/v1alpha1"
blockdeviceclaim "github.com/openebs/maya/pkg/blockdeviceclaim/v1alpha1"
clientset "github.com/openebs/maya/pkg/client/generated/clientset/versioned"
snapclient "github.com/openebs/maya/pkg/client/generated/openebs.io/snapshot/v1/clientset/internalclientset"
"github.com/pkg/errors"
Expand Down Expand Up @@ -421,6 +422,9 @@ func (wh *webhook) validate(ar *v1beta1.AdmissionReview) *v1beta1.AdmissionRespo
response.Allowed = true
klog.Info("Admission webhook request received")
switch req.Kind.Kind {
case "Namespace":
klog.V(2).Infof("Admission webhook request for type %s", req.Kind.Kind)
return wh.validateNamespace(ar)
Copy link
Contributor

@prateekpandey14 prateekpandey14 Oct 22, 2020
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this validate kicks in for any namespace deletion , can we use the webhook namespace itself to get the openebs namespace and skip for other namespace validations

case "PersistentVolumeClaim":
klog.V(2).Infof("Admission webhook request for type %s", req.Kind.Kind)
return wh.validatePVC(ar)
Expand Down Expand Up @@ -453,6 +457,72 @@ func (wh *webhook) validatePVC(ar *v1beta1.AdmissionReview) *v1beta1.AdmissionRe
return response
}

func (wh *webhook) validateNamespace(ar *v1beta1.AdmissionReview) *v1beta1.AdmissionResponse {
req := ar.Request
response := &v1beta1.AdmissionResponse{}
response.Allowed = true
// validates only if requested operation is CREATE or DELETE
shubham14bajpai marked this conversation as resolved.
Show resolved Hide resolved
if req.Operation == v1beta1.Delete {
return wh.validateNamespaceDeleteRequest(req)
}
klog.V(2).Info("Admission wehbook for PVC module not " +
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you also check that this rule only applies to openebs namespace? Other namespace requests shouldn't get impacted by this.

Add a test to verify that when BDCs are present, a test namespace can be created and deleted without any issues.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fixed the log message and added the manual test result to the PR description.

"configured for operations other than DELETE")
return response
}

func (wh *webhook) validateNamespaceDeleteRequest(req *v1beta1.AdmissionRequest) *v1beta1.AdmissionResponse {
response := &v1beta1.AdmissionResponse{}
response.Allowed = true
svcLabel := "openebs.io/controller-service=jiva-controller-svc"

msg := fmt.Sprintf("either BDCs or services with the label %s exists in the namespace %s.", svcLabel, req.Name)

// ignore the Delete request of Namespace if resource name is empty
if req.Name == "" {
return response
}

bdcList, err := blockdeviceclaim.NewKubeClient().
shubham14bajpai marked this conversation as resolved.
Show resolved Hide resolved
WithNamespace(req.Name).
List(metav1.ListOptions{})
if err != nil {
response.Allowed = false
response.Result = &metav1.Status{
Message: fmt.Sprintf("error listing BDC in namespace %s: %v", req.Name, err.Error()),
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Failure is here in case of helm chart deletion

}
return response
}

if len(bdcList.Items) != 0 {
response.Allowed = false
response.Result = &metav1.Status{
Message: msg,
}
return response
}

svcList, err := wh.kubeClient.CoreV1().Services(req.Name).
List(metav1.ListOptions{
LabelSelector: svcLabel,
})
if err != nil {
response.Allowed = false
response.Result = &metav1.Status{
Message: fmt.Sprintf("error listing svc in namespace %s: %v", req.Name, err.Error()),
}
return response
}

if len(svcList.Items) != 0 {
response.Allowed = false
response.Result = &metav1.Status{
Message: msg,
}
return response
}
return response
}

// getCstorVolumes gets the list of CstorVolumes based in the source-volume labels
func (wh *webhook) getCstorVolumes(listOptions metav1.ListOptions) (*v1alpha1.CStorVolumeList, error) {
return wh.clientset.OpenebsV1alpha1().CStorVolumes("").List(listOptions)
Expand Down