diff --git a/hack/deploy/admission/operator.yaml b/hack/deploy/admission/operator.yaml index 53ee46ed8..23b4b3cfc 100644 --- a/hack/deploy/admission/operator.yaml +++ b/hack/deploy/admission/operator.yaml @@ -131,7 +131,7 @@ spec: namespace: $STASH_NAMESPACE version: v1alpha1 --- -# register to intercept namespace creates +# register to intercept stash CRD creates / updates apiVersion: admissionregistration.k8s.io/v1beta1 kind: ValidatingWebhookConfiguration metadata: @@ -139,37 +139,21 @@ metadata: labels: app: stash webhooks: -- name: resticreviews.admission.stash.appscode.com +- name: admission.stash.appscode.com clientConfig: service: namespace: default name: kubernetes - path: /apis/admission.stash.appscode.com/v1alpha1/resticreviews + path: /apis/admission.stash.appscode.com/v1alpha1/reviews caBundle: $KUBE_CA rules: - operations: - CREATE + - UPDATE apiGroups: - stash.appscode.com apiVersions: - "*" resources: - - restics - failurePolicy: Fail -- name: recoveryreviews.admission.stash.appscode.com - clientConfig: - service: - namespace: default - name: kubernetes - path: /apis/admission.stash.appscode.com/v1alpha1/recoveryreviews - caBundle: $KUBE_CA - rules: - - operations: - - CREATE - apiGroups: - - stash.appscode.com - apiVersions: - "*" - resources: - - recoveries failurePolicy: Fail diff --git a/pkg/admission/plugin/admission.go b/pkg/admission/plugin/admission.go new file mode 100644 index 000000000..6ff244552 --- /dev/null +++ b/pkg/admission/plugin/admission.go @@ -0,0 +1,88 @@ +package plugin + +import ( + "encoding/json" + "net/http" + + api "github.com/appscode/stash/apis/stash/v1alpha1" + admission "k8s.io/api/admission/v1beta1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/runtime/schema" + "k8s.io/apimachinery/pkg/util/sets" + "k8s.io/client-go/rest" +) + +type AdmissionHook struct { +} + +func (a *AdmissionHook) ValidatingResource() (plural schema.GroupVersionResource, singular string) { + return schema.GroupVersionResource{ + Group: "admission.stash.appscode.com", + Version: "v1alpha1", + Resource: "reviews", + }, + "review" +} + +func (a *AdmissionHook) Validate(req *admission.AdmissionRequest) *admission.AdmissionResponse { + status := &admission.AdmissionResponse{} + supportedKinds := sets.NewString(api.ResourceKindRestic, api.ResourceKindRecovery) + + if req.Operation != admission.Create || + len(req.SubResource) != 0 || + req.Kind.Group != api.SchemeGroupVersion.Group || + !supportedKinds.Has(req.Kind.Kind) { + status.Allowed = true + return status + } + + switch req.Kind.Kind { + case api.ResourceKindRestic: + obj := &api.Restic{} + err := json.Unmarshal(req.Object.Raw, obj) + if err != nil { + status.Allowed = false + status.Result = &metav1.Status{ + Status: metav1.StatusFailure, Code: http.StatusBadRequest, Reason: metav1.StatusReasonBadRequest, + Message: err.Error(), + } + return status + } + err = obj.IsValid() + if err != nil { + status.Allowed = false + status.Result = &metav1.Status{ + Status: metav1.StatusFailure, Code: http.StatusForbidden, Reason: metav1.StatusReasonForbidden, + Message: err.Error(), + } + return status + } + case api.ResourceKindRecovery: + obj := &api.Recovery{} + err := json.Unmarshal(req.Object.Raw, obj) + if err != nil { + status.Allowed = false + status.Result = &metav1.Status{ + Status: metav1.StatusFailure, Code: http.StatusBadRequest, Reason: metav1.StatusReasonBadRequest, + Message: err.Error(), + } + return status + } + err = obj.IsValid() + if err != nil { + status.Allowed = false + status.Result = &metav1.Status{ + Status: metav1.StatusFailure, Code: http.StatusForbidden, Reason: metav1.StatusReasonForbidden, + Message: err.Error(), + } + return status + } + } + + status.Allowed = true + return status +} + +func (a *AdmissionHook) Initialize(kubeClientConfig *rest.Config, stopCh <-chan struct{}) error { + return nil +} diff --git a/pkg/admission/plugin/recovery/admission.go b/pkg/admission/plugin/recovery/admission.go deleted file mode 100644 index e161fd287..000000000 --- a/pkg/admission/plugin/recovery/admission.go +++ /dev/null @@ -1,61 +0,0 @@ -package recovery - -import ( - "encoding/json" - "net/http" - - api "github.com/appscode/stash/apis/stash/v1alpha1" - admission "k8s.io/api/admission/v1beta1" - metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - "k8s.io/apimachinery/pkg/runtime/schema" - "k8s.io/client-go/rest" -) - -type AdmissionHook struct { -} - -func (a *AdmissionHook) ValidatingResource() (plural schema.GroupVersionResource, singular string) { - return schema.GroupVersionResource{ - Group: "admission.stash.appscode.com", - Version: "v1alpha1", - Resource: "recoveryreviews", - }, - "recoveryreview" -} - -func (a *AdmissionHook) Validate(admissionSpec *admission.AdmissionRequest) *admission.AdmissionResponse { - status := &admission.AdmissionResponse{} - - if admissionSpec.Operation != admission.Create || len(admissionSpec.SubResource) != 0 || - (admissionSpec.Resource.Group != "stash.appscode.com" || admissionSpec.Resource.Resource != "recoveries") { - status.Allowed = true - return status - } - - obj := &api.Recovery{} - err := json.Unmarshal(admissionSpec.Object.Raw, obj) - if err != nil { - status.Allowed = false - status.Result = &metav1.Status{ - Status: metav1.StatusFailure, Code: http.StatusBadRequest, Reason: metav1.StatusReasonBadRequest, - Message: err.Error(), - } - return status - } - err = obj.IsValid() - if err != nil { - status.Allowed = false - status.Result = &metav1.Status{ - Status: metav1.StatusFailure, Code: http.StatusForbidden, Reason: metav1.StatusReasonForbidden, - Message: err.Error(), - } - return status - } - - status.Allowed = true - return status -} - -func (a *AdmissionHook) Initialize(kubeClientConfig *rest.Config, stopCh <-chan struct{}) error { - return nil -} diff --git a/pkg/admission/plugin/restic/admission.go b/pkg/admission/plugin/restic/admission.go deleted file mode 100644 index bb3c31034..000000000 --- a/pkg/admission/plugin/restic/admission.go +++ /dev/null @@ -1,61 +0,0 @@ -package restic - -import ( - "encoding/json" - "net/http" - - api "github.com/appscode/stash/apis/stash/v1alpha1" - admission "k8s.io/api/admission/v1beta1" - metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - "k8s.io/apimachinery/pkg/runtime/schema" - "k8s.io/client-go/rest" -) - -type AdmissionHook struct { -} - -func (a *AdmissionHook) ValidatingResource() (plural schema.GroupVersionResource, singular string) { - return schema.GroupVersionResource{ - Group: "admission.stash.appscode.com", - Version: "v1alpha1", - Resource: "resticreviews", - }, - "resticreview" -} - -func (a *AdmissionHook) Validate(admissionSpec *admission.AdmissionRequest) *admission.AdmissionResponse { - status := &admission.AdmissionResponse{} - - if admissionSpec.Operation != admission.Create || len(admissionSpec.SubResource) != 0 || - (admissionSpec.Resource.Group != "stash.appscode.com" || admissionSpec.Resource.Resource != "restics") { - status.Allowed = true - return status - } - - obj := &api.Restic{} - err := json.Unmarshal(admissionSpec.Object.Raw, obj) - if err != nil { - status.Allowed = false - status.Result = &metav1.Status{ - Status: metav1.StatusFailure, Code: http.StatusBadRequest, Reason: metav1.StatusReasonBadRequest, - Message: err.Error(), - } - return status - } - err = obj.IsValid() - if err != nil { - status.Allowed = false - status.Result = &metav1.Status{ - Status: metav1.StatusFailure, Code: http.StatusForbidden, Reason: metav1.StatusReasonForbidden, - Message: err.Error(), - } - return status - } - - status.Allowed = true - return status -} - -func (a *AdmissionHook) Initialize(kubeClientConfig *rest.Config, stopCh <-chan struct{}) error { - return nil -}