add: Support the deletion protection of service and ingress
Signed-off-by: kevin1689 <[email protected]>
kevin1689-cloud committed May 27, 2023
1 parent 7f5046d commit 95c0be5
Showing 9 changed files with 697 additions and 0 deletions.
41 changes: 41 additions & 0 deletions config/webhook/manifests.yaml
Expand Up @@ -474,6 +474,27 @@ webhooks:
resources:
- imagepulljobs
sideEffects: None
- admissionReviewVersions:
- v1
- v1beta1
clientConfig:
service:
name: webhook-service
namespace: system
path: /validate-ingress
failurePolicy: Fail
name: vingress.kb.io
rules:
- apiGroups:
- networking.k8s.io
apiVersions:
- v1
- v1beta1
operations:
- DELETE
resources:
- ingresses
sideEffects: None
- admissionReviewVersions:
- v1
- v1beta1
Expand Down Expand Up @@ -619,6 +640,26 @@ webhooks:
resources:
- podunavailablebudgets
sideEffects: None
- admissionReviewVersions:
- v1
- v1beta1
clientConfig:
service:
name: webhook-service
namespace: system
path: /validate-service
failurePolicy: Fail
name: vservice.kb.io
rules:
- apiGroups:
- ""
apiVersions:
- v1
operations:
- DELETE
resources:
- services
sideEffects: None
- admissionReviewVersions:
- v1
- v1beta1
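Review bot: Both new entries (`vingress.kb.io` in the first hunk, `vservice.kb.io` in the second) register a `failurePolicy: Fail` webhook on `DELETE` for every Ingress and every core-group Service, with no `namespaceSelector` or `objectSelector` and no explicit `timeoutSeconds`. If the `webhook-service` endpoint is unreachable, every Service and Ingress deletion in the cluster, kube-system included, is rejected until the webhook recovers, so this makes the manager an availability dependency for routine operations well beyond the objects that actually carry deletion protection. Fail-closed is the right default for a protection feature, but the blast radius should be narrowed where possible, for example `namespaceSelector: {matchExpressions: [{key: kubernetes.io/metadata.name, operator: NotIn, values: [kube-system]}]}` (or a label-based opt-in), and the trade-off should be stated in the feature documentation. This file appears to be generated from the `+kubebuilder:webhook` markers added in the new `webhooks.go` files, so any such change belongs on the markers rather than here.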
25 changes: 25 additions & 0 deletions pkg/webhook/add_ingress.go
@@ -0,0 +1,25 @@
/*
Copyright 2021 The Kruise Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

package webhook

import (
"github.com/openkruise/kruise/pkg/webhook/ingress/validating"
)

func init() {
addHandlers(validating.HandlerMap)
}
25 changes: 25 additions & 0 deletions pkg/webhook/add_service.go
@@ -0,0 +1,25 @@
/*
Copyright 2021 The Kruise Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

package webhook

import (
"github.com/openkruise/kruise/pkg/webhook/service/validating"
)

func init() {
addHandlers(validating.HandlerMap)
}
89 changes: 89 additions & 0 deletions pkg/webhook/ingress/validating/ingress_handler.go
@@ -0,0 +1,89 @@
/*
Copyright 2021 The Kruise Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

package validating

import (
"context"
"net/http"

"github.com/openkruise/kruise/pkg/webhook/util/deletionprotection"

"k8s.io/klog/v2"

admissionv1 "k8s.io/api/admission/v1"
networkingv1 "k8s.io/api/networking/v1"
networkingv1beta1 "k8s.io/api/networking/v1beta1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"sigs.k8s.io/controller-runtime/pkg/client"
"sigs.k8s.io/controller-runtime/pkg/runtime/inject"
"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
)

type IngressHandler struct {
Client client.Client

// Decoder decodes objects
Decoder *admission.Decoder
}

var _ admission.Handler = &IngressHandler{}

// Handle handles admission requests.
func (h *IngressHandler) Handle(ctx context.Context, req admission.Request) admission.Response {
if req.AdmissionRequest.Operation != admissionv1.Delete || req.AdmissionRequest.SubResource != "" {
return admission.ValidationResponse(true, "")
}
if len(req.OldObject.Raw) == 0 {
klog.Warningf("Skip to validate ingress %s deletion for no old object, maybe because of Kubernetes version < 1.16", req.Name)
return admission.ValidationResponse(true, "")
}

var metaObj metav1.Object
v1beta1 := &networkingv1beta1.Ingress{}
v1 := &networkingv1.Ingress{}
switch req.Kind.Version {
case "v1beta1":
if err := h.Decoder.DecodeRaw(req.AdmissionRequest.OldObject, v1beta1); err != nil {
return admission.Errored(http.StatusBadRequest, err)
}
metaObj = v1beta1
case "v1":
if err := h.Decoder.DecodeRaw(req.AdmissionRequest.OldObject, v1); err != nil {
return admission.Errored(http.StatusBadRequest, err)
}
metaObj = v1
}

if err := deletionprotection.ValidateIngressDeletion(h.Client, metaObj, v1beta1, v1, req.Kind.Version); err != nil {
return admission.Errored(http.StatusForbidden, err)
}
return admission.ValidationResponse(true, "")
}

var _ inject.Client = &IngressHandler{}

func (h *IngressHandler) InjectClient(c client.Client) error {
h.Client = c
return nil
}

var _ admission.DecoderInjector = &IngressHandler{}

func (h *IngressHandler) InjectDecoder(d *admission.Decoder) error {
h.Decoder = d
return nil
}
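Review bot: The `switch req.Kind.Version` in `Handle` has no `default`, so a request whose version is neither `v1beta1` nor `v1` leaves `metaObj` nil and still reaches `deletionprotection.ValidateIngressDeletion(h.Client, metaObj, ...)`, which is likely to dereference a nil `metav1.Object` inside the helper. With the default `matchPolicy: Equivalent` the API server should only deliver the versions listed in the rules, but the handler should not rely on that; add `default: return admission.Errored(http.StatusBadRequest, fmt.Errorf("unsupported ingress version %q", req.Kind.Version))` and import `fmt`. Separately, `ctx` is received but not forwarded to the validation helper, so any client reads it performs cannot be bounded by the admission request's deadline; worth threading through if `ValidateIngressDeletion`'s signature (not among the shown sections) permits it.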
28 changes: 28 additions & 0 deletions pkg/webhook/ingress/validating/webhooks.go
@@ -0,0 +1,28 @@
/*
Copyright 2021 The Kruise Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

package validating

import "sigs.k8s.io/controller-runtime/pkg/webhook/admission"

// +kubebuilder:webhook:path=/validate-ingress,mutating=false,failurePolicy=fail,sideEffects=None,admissionReviewVersions=v1;v1beta1,groups=networking.k8s.io,resources=ingresses,verbs=delete,versions=v1;v1beta1,name=vingress.kb.io

var (
// HandlerMap contains admission webhook handlers
HandlerMap = map[string]admission.Handler{
"validate-ingress": &IngressHandler{},
}
)
76 changes: 76 additions & 0 deletions pkg/webhook/service/validating/service_handler.go
@@ -0,0 +1,76 @@
/*
Copyright 2021 The Kruise Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

package validating

import (
"context"
"net/http"

"github.com/openkruise/kruise/pkg/webhook/util/deletionprotection"

"k8s.io/klog/v2"

admissionv1 "k8s.io/api/admission/v1"
v1 "k8s.io/api/core/v1"
"sigs.k8s.io/controller-runtime/pkg/client"
"sigs.k8s.io/controller-runtime/pkg/runtime/inject"
"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
)

type ServiceHandler struct {
Client client.Client

// Decoder decodes objects
Decoder *admission.Decoder
}

var _ admission.Handler = &ServiceHandler{}

// Handle handles admission requests.
func (h *ServiceHandler) Handle(ctx context.Context, req admission.Request) admission.Response {
if req.AdmissionRequest.Operation != admissionv1.Delete || req.AdmissionRequest.SubResource != "" {
return admission.ValidationResponse(true, "")
}
if len(req.OldObject.Raw) == 0 {
klog.Warningf("Skip to validate service %s deletion for no old object, maybe because of Kubernetes version < 1.16", req.Name)
return admission.ValidationResponse(true, "")
}

obj := &v1.Service{}
if err := h.Decoder.DecodeRaw(req.AdmissionRequest.OldObject, obj); err != nil {
return admission.Errored(http.StatusBadRequest, err)
}

if err := deletionprotection.ValidateServiceDeletion(h.Client, obj); err != nil {
return admission.Errored(http.StatusForbidden, err)
}
return admission.ValidationResponse(true, "")
}

var _ inject.Client = &ServiceHandler{}

func (h *ServiceHandler) InjectClient(c client.Client) error {
h.Client = c
return nil
}

var _ admission.DecoderInjector = &ServiceHandler{}

func (h *ServiceHandler) InjectDecoder(d *admission.Decoder) error {
h.Decoder = d
return nil
}
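Review bot: `ctx` is accepted by `Handle` but dropped at `deletionprotection.ValidateServiceDeletion(h.Client, obj)`, so whatever lookups the helper does with the injected client run without the admission request's deadline; if the helper's signature (not among the shown sections) allows it, pass `ctx` through. As a point of style, importing `k8s.io/api/core/v1` as `v1` alongside `admissionv1` invites confusion with the admission API versions; the conventional alias is `corev1`, i.e. `corev1 "k8s.io/api/core/v1"` and `obj := &corev1.Service{}`. The early allow on an empty `OldObject` (only a `klog.Warningf`) means protection silently degrades on API servers that omit the old object; that is presumably intentional for older Kubernetes, but the branch deserves a comment such as `// Fail open: without the old object we cannot read the protection label; only expected on Kubernetes < 1.16.` so the behaviour is not mistaken for a bug.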
28 changes: 28 additions & 0 deletions pkg/webhook/service/validating/webhooks.go
@@ -0,0 +1,28 @@
/*
Copyright 2021 The Kruise Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

package validating

import "sigs.k8s.io/controller-runtime/pkg/webhook/admission"

// +kubebuilder:webhook:path=/validate-service,mutating=false,failurePolicy=fail,sideEffects=None,admissionReviewVersions=v1;v1beta1,groups="",resources=services,verbs=delete,versions=v1,name=vservice.kb.io

var (
// HandlerMap contains admission webhook handlers
HandlerMap = map[string]admission.Handler{
"validate-service": &ServiceHandler{},
}
)