From bdea07ceafa08a2241e61b00eb9d0e07f61fa71d Mon Sep 17 00:00:00 2001
From: Xinnan Wen
Date: Mon, 21 Oct 2019 16:35:50 -0700
Subject: [PATCH 1/4] Initial commit of validation webhook
---
cmd/manager/server.go | 5 ++
deploy/cert.yaml | 26 +++++++++
deploy/kustomization.yaml | 2 +
deploy/operator.yaml | 17 +++++-
deploy/service.yaml | 5 +-
deploy/webhook.yaml | 26 +++++++++
pkg/validate/validate.go | 5 ++
pkg/webhook/istiocontrolplane/iscpwebhook.go | 57 ++++++++++++++++++++
pkg/webhook/istiocontrolplane/server.go | 36 +++++++++++++
pkg/webhook/webhook.go | 26 +++++++++
10 files changed, 202 insertions(+), 3 deletions(-)
create mode 100644 deploy/cert.yaml
create mode 100644 deploy/webhook.yaml
create mode 100644 pkg/webhook/istiocontrolplane/iscpwebhook.go
create mode 100644 pkg/webhook/istiocontrolplane/server.go
create mode 100644 pkg/webhook/webhook.go
diff --git a/cmd/manager/server.go b/cmd/manager/server.go
index c12279b0c..c9bec5095 100644
--- a/cmd/manager/server.go
+++ b/cmd/manager/server.go
@@ -30,6 +30,7 @@ import (
 "istio.io/operator/pkg/apis"
 "istio.io/operator/pkg/controller"
 "istio.io/operator/pkg/controller/istiocontrolplane"
+ "istio.io/operator/pkg/webhook"
 "istio.io/pkg/ctrlz"
 "istio.io/pkg/log"
 )
@@ -132,6 +133,10 @@ func run() {
 log.Fatalf("Could not add all controllers to operator manager: %v", err)
 }
+ // setup webhooks
+ if err := webhook.AddToManager(mgr); err != nil {
+ log.Fatalf("Could not add webhooks to operator manager: %v", err)
+ }
 log.Info("Starting the Cmd.")
 // Start the Cmd
diff --git a/deploy/cert.yaml b/deploy/cert.yaml
new file mode 100644
index 000000000..aa02e039b
--- /dev/null
+++ b/deploy/cert.yaml
@@ -0,0 +1,26 @@ +apiVersion: certmanager.k8s.io/v1alpha1 +kind: Certificate +metadata: + labels: + app: istio-operator + name: webhook-server-cert + namespace: istio-operator +spec: + commonName: istio-operator.istio-operator.svc + dnsNames: + - istio-operator.istio-operator.svc.cluster.local + issuerRef: + kind: Issuer + name: webhook-selfsigned-issuer + secretName: webhook-server-cert +--- + +apiVersion: certmanager.k8s.io/v1alpha1 +kind: Issuer +metadata: + labels: + app: istio-operator + name: webhook-selfsigned-issuer + namespace: istio-operator +spec: + selfSigned: {} \ No newline at end of file diff --git a/deploy/kustomization.yaml b/deploy/kustomization.yaml index ac845b705..ee5150d2e 100644 --- a/deploy/kustomization.yaml +++ b/deploy/kustomization.yaml @@ -8,4 +8,6 @@ resources: - service_account.yaml - operator.yaml - service.yaml +- cert.yaml +- webhook.yaml ... diff --git a/deploy/operator.yaml b/deploy/operator.yaml index 3e6ff598e..d91704a56 100644 --- a/deploy/operator.yaml +++ b/deploy/operator.yaml @@ -17,7 +17,11 @@ spec: serviceAccountName: istio-operator containers: - name: istio-operator - image: gcr.io/istio-testing/operator:1.5-dev + image: richardwxn/operator:test + ports: + - containerPort: 443 + name: webhook-server + protocol: TCP command: - istio-operator - server @@ -42,4 +46,13 @@ spec: fieldPath: metadata.name - name: OPERATOR_NAME value: "istio-operator" -... + volumeMounts: + - mountPath: /tmp/k8s-webhook-server/serving-certs + name: cert + readOnly: true + volumes: + - name: cert + secret: + defaultMode: 420 + secretName: webhook-server-cert +... \ No newline at end of file diff --git a/deploy/service.yaml b/deploy/service.yaml index b5b47d190..f772e6d83 100644 --- a/deploy/service.yaml +++ b/deploy/service.yaml 
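Review bot: `dnsNames` lists only `istio-operator.istio-operator.svc.cluster.local`, while the in-cluster name the API server uses to reach a Service-backed webhook, `istio-operator.istio-operator.svc`, appears only as `commonName`; once a certificate carries a SAN list, clients match the host against the SANs and ignore the CN, so the serving certificate is likely to fail verification at admission time. Add `- istio-operator.istio-operator.svc` under `dnsNames`. The `selfSigned` Issuer also means trust depends entirely on cert-manager injecting this CA into the ValidatingWebhookConfiguration; a comment at the top of the file such as `# Trust is established via certmanager.k8s.io/inject-ca-from on the webhook configuration; cert-manager must be installed first.` would make that dependency explicit.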
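Review bot: The first operator.yaml hunk replaces `gcr.io/istio-testing/operator:1.5-dev` with `richardwxn/operator:test`, a personal Docker Hub repository under a mutable tag; anyone applying `deploy/` would then run an image outside the project's registry with no pinned digest, so this looks like a local-testing leftover that should be reverted before merge. The same hunk exposes the webhook on `containerPort: 443`, a privileged port the process can only bind as root or with `NET_BIND_SERVICE`; listening on an unprivileged port (e.g. 8443) and pointing the Service's `targetPort` at it avoids that without changing the external port. The second hunk mounts the `webhook-server-cert` Secret read-only, which is the right shape.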
@@ -5,9 +5,12 @@ metadata: namespace: istio-operator labels: name: istio-operator - name: istio-operator-metrics + name: istio-operator spec: ports: + - port: 443 + name: webhook + targetPort: 443 - name: http-metrics port: 8383 targetPort: 8383 diff --git a/deploy/webhook.yaml b/deploy/webhook.yaml new file mode 100644 index 000000000..987976244 --- /dev/null +++ b/deploy/webhook.yaml @@ -0,0 +1,26 @@ +apiVersion: admissionregistration.k8s.io/v1beta1 +kind: ValidatingWebhookConfiguration +metadata: + creationTimestamp: null + name: validating-webhook-configuration + annotations: + certmanager.k8s.io/inject-ca-from: istio-operator/webhook-server-cert +webhooks: + - clientConfig: + caBundle: Cg== + service: + name: istio-operator + namespace: istio-operator + path: /validate-v1alpha2-istiocontrolplane + failurePolicy: Fail + name: mistiocontrolplane.kb.io + rules: + - apiGroups: + - install.istio.io + apiVersions: + - v1alpha2 + operations: + - CREATE + - UPDATE + resources: + - istiocontrolplane \ No newline at end of file diff --git a/pkg/validate/validate.go b/pkg/validate/validate.go index bbf26b565..06b0684cb 100644 --- a/pkg/validate/validate.go +++ b/pkg/validate/validate.go @@ -45,6 +45,11 @@ func CheckIstioControlPlaneSpec(is *v1alpha2.IstioControlPlaneSpec, checkRequire return util.AppendErrs(errs, validate(defaultValidations, is, nil, checkRequired)) } +// CheckIstioControlPlaneSpecExcludeValues validates the IstioControlPlane spec schema only, excluding the values.yaml pass through part. +func CheckIstioControlPlaneSpecExcludeValues(is *v1alpha2.IstioControlPlaneSpec, checkRequired bool) (errs util.Errors) { + return util.AppendErrs(errs, validate(defaultValidations, is, nil, checkRequired)) +} + func validate(validations map[string]ValidatorFunc, structPtr interface{}, path util.Path, checkRequired bool) (errs util.Errors) { scope.Debugf("validate with path %s, %v (%T)", path, structPtr, structPtr) if structPtr == nil { 
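Review bot: In webhook.yaml, `resources: - istiocontrolplane` is the singular name, but admission rules are matched on the resource's plural (`istiocontrolplanes`), so as written this webhook never fires for the CR it is meant to validate. `failurePolicy: Fail` combined with the placeholder `caBundle: Cg==` makes the resource un-creatable whenever the operator pod is down or cert-manager has not yet injected the CA, which is a deliberate fail-closed trade-off worth stating in a comment such as `# Fail-closed: IstioControlPlane create/update is rejected while the operator webhook is unreachable.`. `sideEffects` is unset (defaults to Unknown in v1beta1); the handler only reads the object, so `sideEffects: None` is accurate and is required for dry-run requests to be admitted. The kubebuilder marker in iscpwebhook.go says `mutating=true` and the name carries the `m` prefix, while this manifest is a `ValidatingWebhookConfiguration`; aligning them (`mutating=false`, `vistiocontrolplane.kb.io`) avoids controller-gen emitting a conflicting manifest later.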
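Review bot: `CheckIstioControlPlaneSpecExcludeValues` has exactly the same body as `CheckIstioControlPlaneSpec` above it — `return util.AppendErrs(errs, validate(defaultValidations, is, nil, checkRequired))` — so despite its doc comment it does not exclude the values pass-through; the webhook that calls it behaves identically to full validation, and the two bodies will silently drift apart over time. Either implement the exclusion here (presumably by running `validate` without whichever entry of `defaultValidations` covers `values`; that map is not visible in this hunk) or, until then, delegate with `return CheckIstioControlPlaneSpec(is, checkRequired)` plus `// TODO: exclude the values.yaml pass-through once the values schema is formalized.` so both the intent and the gap are visible to the next reader.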
diff --git a/pkg/webhook/istiocontrolplane/iscpwebhook.go b/pkg/webhook/istiocontrolplane/iscpwebhook.go
new file mode 100644
index 000000000..4e1153aac
--- /dev/null
+++ b/pkg/webhook/istiocontrolplane/iscpwebhook.go
@@ -0,0 +1,57 @@
+// Copyright 2019 Istio Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package istiocontrolplane
+
+import (
+ "context"
+ "istio.io/operator/pkg/apis/istio/v1alpha2"
+ "istio.io/operator/pkg/validate"
+ "sigs.k8s.io/controller-runtime/pkg/client"
+ "sigs.k8s.io/controller-runtime/pkg/webhook/admission"
+)
+
+// +kubebuilder:webhook:path=/validate-v1alpha2-istiocontrolplane,mutating=true,failurePolicy=fail,groups="install.istio.io",resources=IstioControlPlane,verbs=create;update,versions=v1alpha2,name=mistiocontrolplane.kb.io
+
+// podAnnotator annotates Pods
+type iscpValidator struct {
+ client client.Client
+ decoder *admission.Decoder
+}
+
+// iscpValidator validates created IstioControlPlane CR.
+func (a *iscpValidator) Handle(ctx context.Context, req admission.Request) admission.Response {
+ icp := &v1alpha2.IstioControlPlane{}
+ err := a.decoder.Decode(req, icp)
+ if err != nil {
+ return admission.Denied(err.Error())
+ }
+ //TODO: update to full validation including values part after values schema formalized.
+ if errs := validate.CheckIstioControlPlaneSpecExcludeValues(icp.Spec, true); len(errs) != 0 {
+ return admission.Denied(errs.Error())
+ }
+ return admission.Allowed("IstioControlPlane schema validated")
+}
+
+// InjectClient injects the client.
+func (a *iscpValidator) InjectClient(c client.Client) error {
+ a.client = c
+ return nil
+}
+
+// InjectDecoder injects the decoder.
+func (a *iscpValidator) InjectDecoder(d *admission.Decoder) error {
+ a.decoder = d
+ return nil
+}
\ No newline at end of file
diff --git a/pkg/webhook/istiocontrolplane/server.go b/pkg/webhook/istiocontrolplane/server.go
new file mode 100644
index 000000000..5ee1c7fb5
--- /dev/null
+++ b/pkg/webhook/istiocontrolplane/server.go
@@ -0,0 +1,36 @@
+// Copyright 2019 Istio Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package istiocontrolplane
+
+import (
+ "sigs.k8s.io/controller-runtime/pkg/manager"
+ "sigs.k8s.io/controller-runtime/pkg/webhook"
+
+ "istio.io/pkg/log"
+)
+
+func Add(mgr manager.Manager) error {
+ return add(mgr)
+}
+
+func add(mgr manager.Manager) error {
+ log.Info("setting up webhook server")
+ webhookServer := mgr.GetWebhookServer()
+ //webhookServer.CertDir = "/tmp/cert"
+
+ webhookServer.Register("/validate-v1alpha2-istiocontrolplane",
+ &webhook.Admission{Handler: &iscpValidator{}})
+ return nil
+}
diff --git a/pkg/webhook/webhook.go b/pkg/webhook/webhook.go
new file mode 100644
index 000000000..b0a625014
--- /dev/null
+++ b/pkg/webhook/webhook.go
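Review bot: In `Handle`, a decode failure is returned as `admission.Denied(err.Error())`, which tells the apiserver that a well-formed request was rejected by policy; controller-runtime's convention for a malformed request is `admission.Errored(http.StatusBadRequest, err)`, so the response carries a 4xx status and `failurePolicy` semantics apply as intended. The `client` field and `InjectClient` are never used by the handler and can be dropped, and the type comment `// podAnnotator annotates Pods` is a copy-paste leftover that should read `// iscpValidator rejects IstioControlPlane objects whose spec fails schema validation.`. The kubebuilder marker declares `mutating=true` with an `m`-prefixed name, which would make controller-gen emit a MutatingWebhookConfiguration that conflicts with the hand-written validating one in `deploy/webhook.yaml`; `mutating=false` and `name=vistiocontrolplane.kb.io` match the manifest.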
@@ -0,0 +1,26 @@
+// Copyright 2019 Istio Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package webhook
+
+import (
+ "istio.io/operator/pkg/webhook/istiocontrolplane"
+ "sigs.k8s.io/controller-runtime/pkg/manager"
+)
+
+
+// AddToManager adds all webhooks to the Manager
+func AddToManager(m manager.Manager) error {
+ return istiocontrolplane.Add(m)
+}
\ No newline at end of file
From 7555eb4d658f6544330a7bdab9f13dfb7486cacd Mon Sep 17 00:00:00 2001
From: Xinnan Wen
Date: Tue, 22 Oct 2019 15:12:06 -0700
Subject: [PATCH 2/4] Fix lint
---
deploy/clusterrole.yaml | 13 +++++++++++++
deploy/operator.yaml | 6 ++++++
pkg/webhook/istiocontrolplane/iscpwebhook.go | 11 +++++++----
pkg/webhook/istiocontrolplane/server.go | 1 -
pkg/webhook/webhook.go | 6 +++---
5 files changed, 29 insertions(+), 8 deletions(-)
diff --git a/deploy/clusterrole.yaml b/deploy/clusterrole.yaml
index 6374301fe..ded1c823f 100644
--- a/deploy/clusterrole.yaml
+++ b/deploy/clusterrole.yaml
@@ -111,4 +111,17 @@ rules: - serviceaccounts verbs: - '*' +- apiGroups: + - batch + resources: + - jobs + verbs: + - '*' +- apiGroups: + - certmanager.k8s.io + resources: + - certificate + - issuer + verbs: + - '*' ...
diff --git a/deploy/operator.yaml b/deploy/operator.yaml
index d91704a56..fb4501e94 100644
--- a/deploy/operator.yaml
+++ b/deploy/operator.yaml
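Review bot: The new `certmanager.k8s.io` rule in clusterrole.yaml names its resources in the singular (`certificate`, `issuer`), but RBAC matches on the plural resource name (`certificates`, `issuers`), so this rule grants nothing and any operator code path relying on it will receive a 403 — easy to miss, because a wrong resource name is not a validation error. Both new rules also use `verbs: ['*']`; the operator presumably needs only a handful of verbs on `batch/jobs`, and if the Certificate and Issuer are applied by kustomize from `deploy/` rather than by the operator itself, it needs no cert-manager permissions at all. Neither change is a lint fix, so it would be clearer in its own commit with a message naming the code path that needs the grant.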
@@ -33,6 +33,12 @@ spec: requests: cpu: 50m memory: 128Mi + securityContext: + runAsUser: 0 + runAsNonRoot: false + capabilities: + add: + - NET_ADMIN env: - name: WATCH_NAMESPACE value: "istio-operator" diff --git a/pkg/webhook/istiocontrolplane/iscpwebhook.go b/pkg/webhook/istiocontrolplane/iscpwebhook.go index 4e1153aac..4d871c850 100644 --- a/pkg/webhook/istiocontrolplane/iscpwebhook.go +++ b/pkg/webhook/istiocontrolplane/iscpwebhook.go @@ -16,13 +16,16 @@ package istiocontrolplane import ( "context" - "istio.io/operator/pkg/apis/istio/v1alpha2" - "istio.io/operator/pkg/validate" + "sigs.k8s.io/controller-runtime/pkg/client" "sigs.k8s.io/controller-runtime/pkg/webhook/admission" + + "istio.io/operator/pkg/apis/istio/v1alpha2" + "istio.io/operator/pkg/validate" ) -// +kubebuilder:webhook:path=/validate-v1alpha2-istiocontrolplane,mutating=true,failurePolicy=fail,groups="install.istio.io",resources=IstioControlPlane,verbs=create;update,versions=v1alpha2,name=mistiocontrolplane.kb.io +// +kubebuilder:webhook:path=/validate-v1alpha2-istiocontrolplane,mutating=true,failurePolicy=fail, +// groups="install.istio.io",resources=IstioControlPlane,verbs=create;update,versions=v1alpha2,name=mistiocontrolplane.kb.io // podAnnotator annotates Pods type iscpValidator struct { @@ -54,4 +57,4 @@ func (a *iscpValidator) InjectClient(c client.Client) error { func (a *iscpValidator) InjectDecoder(d *admission.Decoder) error { a.decoder = d return nil -} \ No newline at end of file +} diff --git a/pkg/webhook/istiocontrolplane/server.go b/pkg/webhook/istiocontrolplane/server.go index 5ee1c7fb5..8ccf05a04 100644 --- a/pkg/webhook/istiocontrolplane/server.go +++ b/pkg/webhook/istiocontrolplane/server.go 
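Review bot: The added `securityContext` runs the operator as root (`runAsUser: 0`, `runAsNonRoot: false`) and grants `NET_ADMIN`, apparently so the webhook server can bind the `containerPort: 443` declared in the first patch; neither is needed for that — binding a port below 1024 needs at most `NET_BIND_SERVICE`, and listening on an unprivileged port such as 8443 with the Service `targetPort` pointed at it needs no capability at all. `NET_ADMIN` in a cluster-wide operator that already holds broad RBAC is a serious escalation surface if the container is ever compromised, and it will be rejected by any restrictive PodSecurityPolicy or admission policy. Drop the block and change the listen port instead; the change is also unrelated to the commit title.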
@@ -28,7 +28,6 @@ func Add(mgr manager.Manager) error { func add(mgr manager.Manager) error { log.Info("setting up webhook server") webhookServer := mgr.GetWebhookServer() - //webhookServer.CertDir = "/tmp/cert" webhookServer.Register("/validate-v1alpha2-istiocontrolplane", &webhook.Admission{Handler: &iscpValidator{}}) diff --git a/pkg/webhook/webhook.go b/pkg/webhook/webhook.go index b0a625014..1456fcff4 100644 --- a/pkg/webhook/webhook.go +++ b/pkg/webhook/webhook.go @@ -15,12 +15,12 @@ package webhook import ( - "istio.io/operator/pkg/webhook/istiocontrolplane" "sigs.k8s.io/controller-runtime/pkg/manager" -) + "istio.io/operator/pkg/webhook/istiocontrolplane" +) // AddToManager adds all webhooks to the Manager func AddToManager(m manager.Manager) error { return istiocontrolplane.Add(m) -} \ No newline at end of file +} From e610bf6654601ad4d529e8ee60298faad9cf5398 Mon Sep 17 00:00:00 2001 From: Xinnan Wen Date: Thu, 7 Nov 2019 12:16:57 -0800 Subject: [PATCH 3/4] Try to get handler work --- cmd/manager/server.go | 36 +++++++++++++++-- deploy/webhook.yaml | 29 ++++++++++++-- .../v1alpha2/istiocontrolplane_types.pb.go | 39 +++++++++++++++++++ pkg/webhook/istiocontrolplane/iscpwebhook.go | 8 ++-- pkg/webhook/istiocontrolplane/server.go | 35 ----------------- pkg/webhook/webhook.go | 26 ------------- 6 files changed, 102 insertions(+), 71 deletions(-) delete mode 100644 pkg/webhook/istiocontrolplane/server.go delete mode 100644 pkg/webhook/webhook.go diff --git a/cmd/manager/server.go b/cmd/manager/server.go index c9bec5095..207a2ea1e 100644 --- a/cmd/manager/server.go +++ b/cmd/manager/server.go 
@@ -15,9 +15,17 @@
 package main
 import (
+ "context"
 "fmt"
 "os"
+ "istio.io/operator/pkg/apis/istio/v1alpha2"
+ controllerruntime "sigs.k8s.io/controller-runtime"
+ "sigs.k8s.io/controller-runtime/pkg/webhook"
+ "sigs.k8s.io/controller-runtime/pkg/webhook/admission"
+
+ //"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
+
 // Import all Kubernetes client auth plugins (e.g. Azure, GCP, OIDC, etc.)
 _ "k8s.io/client-go/plugin/pkg/client/auth"
@@ -30,7 +38,6 @@ import (
 "istio.io/operator/pkg/apis"
 "istio.io/operator/pkg/controller"
 "istio.io/operator/pkg/controller/istiocontrolplane"
- "istio.io/operator/pkg/webhook"
 "istio.io/pkg/ctrlz"
 "istio.io/pkg/log"
 )
@@ -134,9 +141,32 @@ func run() {
 }
 // setup webhooks
- if err := webhook.AddToManager(mgr); err != nil {
- log.Fatalf("Could not add webhooks to operator manager: %v", err)
+ log.Info("setting up webhook server")
+
+ // Method 1
+ validatingHook := &webhook.Admission{
+ Handler: admission.HandlerFunc(func(ctx context.Context, req webhook.AdmissionRequest) webhook.AdmissionResponse {
+ log.Info("enterring admission handler!")
+ return webhook.Denied("Test only: none shall pass!")
+ }),
 }
+ crv := mgr.GetWebhookServer()
+ crv.CertDir = "/tmp/k8s-webhook-server/serving-certs"
+ //crv.Port = 8443
+ crv.Register("/validate", validatingHook)
+
+ // method 2
+//crv.Register("/validate-install-istio-io-v1alpha2-istiocontrolplane",
+// &webhook.Admission{Handler: &iscpwebhook.IscpValidator{}})
+
+ // Method3(implement the validator inside v1alpha2.IstioControlPlane)
+/* err = controllerruntime.NewWebhookManagedBy(mgr).
+ For(&v1alpha2.IstioControlPlane{}).
+ Complete()
+if err != nil {
+ os.Exit(1)
+}*/
+
 log.Info("Starting the Cmd.")
 // Start the Cmd
diff --git a/deploy/webhook.yaml b/deploy/webhook.yaml
index 987976244..d7d57a5dd 100644
--- a/deploy/webhook.yaml
+++ b/deploy/webhook.yaml
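Review bot: The first hunk imports `controllerruntime "sigs.k8s.io/controller-runtime"` and `istio.io/operator/pkg/apis/istio/v1alpha2`, but in the third hunk both are referenced only inside the `/* ... */` block, so the file fails to compile with `imported and not used`. The handler actually registered at `/validate` unconditionally returns `webhook.Denied("Test only: none shall pass!")`, and `crv.CertDir` becomes a hardcoded literal duplicating the `mountPath` in `deploy/operator.yaml`; together with the two commented-out "method" blocks this reads as a scratch commit that should be squashed before merge. If the deny-all handler is meant as a smoke test, keep it out of `run()` or behind an explicit flag; otherwise register only the `IscpValidator` at the path `deploy/webhook.yaml` advertises. `run()` continues beyond the hunk on both sides.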
@@ -11,9 +11,9 @@ webhooks: service: name: istio-operator namespace: istio-operator - path: /validate-v1alpha2-istiocontrolplane + path: /validate-install-istio-io-v1alpha2-istiocontrolplane failurePolicy: Fail - name: mistiocontrolplane.kb.io + name: vistiocontrolplane.kb.io rules: - apiGroups: - install.istio.io @@ -23,4 +23,27 @@ webhooks: - CREATE - UPDATE resources: - - istiocontrolplane \ No newline at end of file + - istiocontrolplane + +--- + +# Testing only, see if basic resource admission request can go to webserver +apiVersion: admissionregistration.k8s.io/v1beta1 +kind: ValidatingWebhookConfiguration +metadata: + name: validation-webhook-example-cfg + labels: + app: admission-webhook-example +webhooks: + - name: required-labels.banzaicloud.com + clientConfig: + service: + name: istio-operator + namespace: istio-operator + path: "/validate" + caBundle: Cg== + rules: + - operations: [ "CREATE", "UPDATE" ] + apiGroups: ["apps", ""] + apiVersions: ["v1"] + resources: ["deployments","services"] \ No newline at end of file diff --git a/pkg/apis/istio/v1alpha2/istiocontrolplane_types.pb.go b/pkg/apis/istio/v1alpha2/istiocontrolplane_types.pb.go index 539b51c9c..bf2cefbe4 100644 --- a/pkg/apis/istio/v1alpha2/istiocontrolplane_types.pb.go +++ b/pkg/apis/istio/v1alpha2/istiocontrolplane_types.pb.go @@ -143,6 +143,8 @@ import ( v1 "k8s.io/api/core/v1" v11 "k8s.io/apimachinery/pkg/apis/meta/v1" math "math" + "k8s.io/apimachinery/pkg/runtime" + "sigs.k8s.io/controller-runtime/pkg/webhook" ) // Reference imports to suppress errors if they are not otherwise used. 
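Review bot: The second `ValidatingWebhookConfiguration` added in the last webhook.yaml hunk (`validation-webhook-example-cfg`) intercepts every CREATE/UPDATE of `deployments` and `services` in the `apps` and core API groups across all namespaces and routes them to the operator's `/validate` endpoint, which at this commit is a deny-all handler; the comment says "Testing only", but `deploy/` is exactly what `kustomization.yaml` applies, so deploying this tree would block Deployment and Service changes cluster-wide. Keep test fixtures out of `deploy/`, or at minimum scope the rule with a `namespaceSelector` and state `failurePolicy: Ignore` explicitly. This second configuration also carries the placeholder `caBundle: Cg==` without an `inject-ca-from` annotation, so the apiserver has no CA with which to verify the serving certificate.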
@@ -206,6 +208,43 @@ type IstioControlPlane struct {
 XXX_sizecache int32 `json:"-"`
 }
+// +kubebuilder:webhook:path=/validate,mutating=true,failurePolicy=fail,
+// groups="install.istio.io",resources=IstioControlPlane,verbs=create;update,versions=v1alpha2,name=mistiocontrolplane.kb.io
+
+var _ webhook.Validator = &IstioControlPlane{}
+
+// ValidateCreate implements webhookutil.validator so a webhook will be registered for the type
+func (c *IstioControlPlane) ValidateCreate() error {
+ fmt.Printf("validating creation!")
+ return nil
+}
+
+// ValidateUpdate implements webhookutil.validator so a webhook will be registered for the type
+func (c *IstioControlPlane) ValidateUpdate(old runtime.Object) error {
+ fmt.Printf("validating update!")
+ return nil
+}
+
+// ValidateDelete implements webhookutil.validator so a webhook will be registered for the type
+func (c *IstioControlPlane) ValidateDelete() error {
+ fmt.Printf("validating deletion!")
+ return nil
+}
+
+// +kubebuilder:webhook:path=/validate,mutating=true,failurePolicy=fail,
+// groups="install.istio.io",resources=IstioControlPlane,verbs=create;update,versions=v1alpha2,name=mistiocontrolplane.kb.io
+
+var _ webhook.Defaulter = &IstioControlPlane{}
+
+// Default implements webhookutil.defaulter so a webhook will be registered for the type
+func (c *IstioControlPlane) Default() {
+ fmt.Printf("defaulter")
+}
+
+func init() {
+ SchemeBuilder.Register(&IstioControlPlane{}, &IstioControlPlaneList{})
+}
+
 func (m *IstioControlPlane) Reset() { *m = IstioControlPlane{} }
 func (m *IstioControlPlane) String() string { return proto.CompactTextString(m) }
 func (*IstioControlPlane) ProtoMessage() {}
diff --git a/pkg/webhook/istiocontrolplane/iscpwebhook.go b/pkg/webhook/istiocontrolplane/iscpwebhook.go
index 4d871c850..5cf765c37 100644
--- a/pkg/webhook/istiocontrolplane/iscpwebhook.go
+++ b/pkg/webhook/istiocontrolplane/iscpwebhook.go
@@ -28,13 +28,13 @@ import (
 // groups="install.istio.io",resources=IstioControlPlane,verbs=create;update,versions=v1alpha2,name=mistiocontrolplane.kb.io
 // podAnnotator annotates Pods
-type iscpValidator struct {
+type IscpValidator struct {
 client client.Client
 decoder *admission.Decoder
 }
 // iscpValidator validates created IstioControlPlane CR.
-func (a *iscpValidator) Handle(ctx context.Context, req admission.Request) admission.Response {
+func (a *IscpValidator) Handle(ctx context.Context, req admission.Request) admission.Response {
 icp := &v1alpha2.IstioControlPlane{}
 err := a.decoder.Decode(req, icp)
 if err != nil {
@@ -48,13 +48,13 @@ func (a *iscpValidator) Handle(ctx context.Context, req admission.Request) admis
 }
 // InjectClient injects the client.
-func (a *iscpValidator) InjectClient(c client.Client) error {
+func (a *IscpValidator) InjectClient(c client.Client) error {
 a.client = c
 return nil
 }
 // InjectDecoder injects the decoder.
-func (a *iscpValidator) InjectDecoder(d *admission.Decoder) error {
+func (a *IscpValidator) InjectDecoder(d *admission.Decoder) error {
 a.decoder = d
 return nil
 }
diff --git a/pkg/webhook/istiocontrolplane/server.go b/pkg/webhook/istiocontrolplane/server.go
deleted file mode 100644
index 8ccf05a04..000000000
--- a/pkg/webhook/istiocontrolplane/server.go
+++ /dev/null
@@ -1,35 +0,0 @@
-// Copyright 2019 Istio Authors
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package istiocontrolplane
-
-import (
- "sigs.k8s.io/controller-runtime/pkg/manager"
- "sigs.k8s.io/controller-runtime/pkg/webhook"
-
- "istio.io/pkg/log"
-)
-
-func Add(mgr manager.Manager) error {
- return add(mgr)
-}
-
-func add(mgr manager.Manager) error {
- log.Info("setting up webhook server")
- webhookServer := mgr.GetWebhookServer()
-
- webhookServer.Register("/validate-v1alpha2-istiocontrolplane",
- &webhook.Admission{Handler: &iscpValidator{}})
- return nil
-}
diff --git a/pkg/webhook/webhook.go b/pkg/webhook/webhook.go
deleted file mode 100644
index 1456fcff4..000000000
--- a/pkg/webhook/webhook.go
+++ /dev/null
@@ -1,26 +0,0 @@ -// Copyright 2019 Istio Authors -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. - -package webhook - -import ( - "sigs.k8s.io/controller-runtime/pkg/manager" - - "istio.io/operator/pkg/webhook/istiocontrolplane" -) - -// AddToManager adds all webhooks to the Manager -func AddToManager(m manager.Manager) error { - return istiocontrolplane.Add(m) -} From c93af51861ff4ce579ebbd108600fa0a514a88ef Mon Sep 17 00:00:00 2001 From: Xinnan Wen Date: Tue, 12 Nov 2019 14:46:28 -0800 Subject: [PATCH 4/4] update to plurals --- cmd/manager/server.go | 36 +++-------------- deploy/operator.yaml | 6 --- deploy/service.yaml | 2 +- deploy/webhook.yaml | 25 +----------- .../v1alpha2/istiocontrolplane_types.pb.go | 39 ------------------- pkg/webhook/istiocontrolplane/iscpwebhook.go | 7 +++- 6 files changed, 12 insertions(+), 103 deletions(-) diff --git a/cmd/manager/server.go b/cmd/manager/server.go index 207a2ea1e..ed8a8382b 100644 --- a/cmd/manager/server.go +++ b/cmd/manager/server.go 
@@ -15,22 +15,14 @@ package main import ( - "context" "fmt" "os" - "istio.io/operator/pkg/apis/istio/v1alpha2" - controllerruntime "sigs.k8s.io/controller-runtime" "sigs.k8s.io/controller-runtime/pkg/webhook" - "sigs.k8s.io/controller-runtime/pkg/webhook/admission" - - //"sigs.k8s.io/controller-runtime/pkg/webhook/admission" - // Import all Kubernetes client auth plugins (e.g. Azure, GCP, OIDC, etc.) - _ "k8s.io/client-go/plugin/pkg/client/auth" - drm "github.com/openshift/cluster-network-operator/pkg/util/k8s" "github.com/spf13/cobra" + _ "k8s.io/client-go/plugin/pkg/client/auth" "sigs.k8s.io/controller-runtime/pkg/client/config" "sigs.k8s.io/controller-runtime/pkg/manager" "sigs.k8s.io/controller-runtime/pkg/manager/signals" @@ -38,6 +30,7 @@ import ( "istio.io/operator/pkg/apis" "istio.io/operator/pkg/controller" "istio.io/operator/pkg/controller/istiocontrolplane" + iscpwebhook "istio.io/operator/pkg/webhook/istiocontrolplane" "istio.io/pkg/ctrlz" "istio.io/pkg/log" ) 
@@ -142,30 +135,11 @@ func run() {
 // setup webhooks
 log.Info("setting up webhook server")
-
- // Method 1
- validatingHook := &webhook.Admission{
- Handler: admission.HandlerFunc(func(ctx context.Context, req webhook.AdmissionRequest) webhook.AdmissionResponse {
- log.Info("enterring admission handler!")
- return webhook.Denied("Test only: none shall pass!")
- }),
 }
 crv := mgr.GetWebhookServer()
 crv.CertDir = "/tmp/k8s-webhook-server/serving-certs"
- //crv.Port = 8443
- crv.Register("/validate", validatingHook)
-
- // method 2
-//crv.Register("/validate-install-istio-io-v1alpha2-istiocontrolplane",
-// &webhook.Admission{Handler: &iscpwebhook.IscpValidator{}})
-
- // Method3(implement the validator inside v1alpha2.IstioControlPlane)
-/* err = controllerruntime.NewWebhookManagedBy(mgr).
- For(&v1alpha2.IstioControlPlane{}).
- Complete()
-if err != nil {
- os.Exit(1)
-}*/
+ crv.Port = 8443
+ crv.Register("/validate-install-istio-io-v1alpha2-istiocontrolplane",
+ &webhook.Admission{Handler: &iscpwebhook.IscpValidator{}})
 log.Info("Starting the Cmd.")
diff --git a/deploy/operator.yaml b/deploy/operator.yaml
index fb4501e94..d91704a56 100644
--- a/deploy/operator.yaml
+++ b/deploy/operator.yaml
@@ -33,12 +33,6 @@ spec: requests: cpu: 50m memory: 128Mi - securityContext: - runAsUser: 0 - runAsNonRoot: false - capabilities: - add: - - NET_ADMIN env: - name: WATCH_NAMESPACE value: "istio-operator"
diff --git a/deploy/service.yaml b/deploy/service.yaml
index f772e6d83..d395ba44b 100644
--- a/deploy/service.yaml
+++ b/deploy/service.yaml
@@ -10,7 +10,7 @@ spec: ports: - port: 443 name: webhook - targetPort: 443 + targetPort: 8443 - name: http-metrics port: 8383 targetPort: 8383
diff --git a/deploy/webhook.yaml b/deploy/webhook.yaml
index d7d57a5dd..2c6c27f7b 100644
--- a/deploy/webhook.yaml
+++ b/deploy/webhook.yaml
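Review bot: `crv.CertDir = "/tmp/k8s-webhook-server/serving-certs"` and `crv.Port = 8443` are bare literals that must agree with `mountPath` in `deploy/operator.yaml` and `targetPort` in `deploy/service.yaml`; a mismatch surfaces only at runtime as admission timeouts, so hoist them into named constants with a comment pointing at the manifests (`// must match deploy/operator.yaml volumeMounts and deploy/service.yaml targetPort`) or expose them as flags on the cobra command. `deploy/operator.yaml` still declares `containerPort: 443` named `webhook-server` while the server now listens on 8443, so that port entry is stale and misleading. `run()` continues beyond the hunk on both sides.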
@@ -23,27 +23,4 @@ webhooks: - CREATE - UPDATE resources: - - istiocontrolplane - ---- - -# Testing only, see if basic resource admission request can go to webserver -apiVersion: admissionregistration.k8s.io/v1beta1 -kind: ValidatingWebhookConfiguration -metadata: - name: validation-webhook-example-cfg - labels: - app: admission-webhook-example -webhooks: - - name: required-labels.banzaicloud.com - clientConfig: - service: - name: istio-operator - namespace: istio-operator - path: "/validate" - caBundle: Cg== - rules: - - operations: [ "CREATE", "UPDATE" ] - apiGroups: ["apps", ""] - apiVersions: ["v1"] - resources: ["deployments","services"] \ No newline at end of file + - istiocontrolplanes diff --git a/pkg/apis/istio/v1alpha2/istiocontrolplane_types.pb.go b/pkg/apis/istio/v1alpha2/istiocontrolplane_types.pb.go index bf2cefbe4..539b51c9c 100644 --- a/pkg/apis/istio/v1alpha2/istiocontrolplane_types.pb.go +++ b/pkg/apis/istio/v1alpha2/istiocontrolplane_types.pb.go @@ -143,8 +143,6 @@ import ( v1 "k8s.io/api/core/v1" v11 "k8s.io/apimachinery/pkg/apis/meta/v1" math "math" - "k8s.io/apimachinery/pkg/runtime" - "sigs.k8s.io/controller-runtime/pkg/webhook" ) // Reference imports to suppress errors if they are not otherwise used. 
@@ -208,43 +206,6 @@ type IstioControlPlane struct {
 XXX_sizecache int32 `json:"-"`
 }
-// +kubebuilder:webhook:path=/validate,mutating=true,failurePolicy=fail,
-// groups="install.istio.io",resources=IstioControlPlane,verbs=create;update,versions=v1alpha2,name=mistiocontrolplane.kb.io
-
-var _ webhook.Validator = &IstioControlPlane{}
-
-// ValidateCreate implements webhookutil.validator so a webhook will be registered for the type
-func (c *IstioControlPlane) ValidateCreate() error {
- fmt.Printf("validating creation!")
- return nil
-}
-
-// ValidateUpdate implements webhookutil.validator so a webhook will be registered for the type
-func (c *IstioControlPlane) ValidateUpdate(old runtime.Object) error {
- fmt.Printf("validating update!")
- return nil
-}
-
-// ValidateDelete implements webhookutil.validator so a webhook will be registered for the type
-func (c *IstioControlPlane) ValidateDelete() error {
- fmt.Printf("validating deletion!")
- return nil
-}
-
-// +kubebuilder:webhook:path=/validate,mutating=true,failurePolicy=fail,
-// groups="install.istio.io",resources=IstioControlPlane,verbs=create;update,versions=v1alpha2,name=mistiocontrolplane.kb.io
-
-var _ webhook.Defaulter = &IstioControlPlane{}
-
-// Default implements webhookutil.defaulter so a webhook will be registered for the type
-func (c *IstioControlPlane) Default() {
- fmt.Printf("defaulter")
-}
-
-func init() {
- SchemeBuilder.Register(&IstioControlPlane{}, &IstioControlPlaneList{})
-}
-
 func (m *IstioControlPlane) Reset() { *m = IstioControlPlane{} }
 func (m *IstioControlPlane) String() string { return proto.CompactTextString(m) }
 func (*IstioControlPlane) ProtoMessage() {}
diff --git a/pkg/webhook/istiocontrolplane/iscpwebhook.go b/pkg/webhook/istiocontrolplane/iscpwebhook.go
index 5cf765c37..17fca11ab 100644
--- a/pkg/webhook/istiocontrolplane/iscpwebhook.go
+++ b/pkg/webhook/istiocontrolplane/iscpwebhook.go
@@ -16,6 +16,7 @@ package istiocontrolplane
 import (
 "context"
+ "fmt"
 "sigs.k8s.io/controller-runtime/pkg/client"
 "sigs.k8s.io/controller-runtime/pkg/webhook/admission"
@@ -41,8 +42,10 @@ func (a *IscpValidator) Handle(ctx context.Context, req admission.Request) admis
 return admission.Denied(err.Error())
 }
 //TODO: update to full validation including values part after values schema formalized.
- if errs := validate.CheckIstioControlPlaneSpecExcludeValues(icp.Spec, true); len(errs) != 0 {
- return admission.Denied(errs.Error())
+ if errs := validate.CheckIstioControlPlaneSpecExcludeValues(icp.Spec, false); len(errs) != 0 {
+ fmt.Printf("proceed with validation err: %v", errs.Error())
+ // TODO: allow the request now until we fully done the validation logic.
+ return admission.Allowed("IstioControlPlane schema validated with err")
 }
 return admission.Allowed("IstioControlPlane schema validated")
 }
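Review bot: `Handle` is now fail-open: validation runs with `checkRequired=false` and, when it returns errors, the request is still `admission.Allowed(...)`, so every IstioControlPlane is admitted regardless of the result even though `deploy/webhook.yaml` advertises the hook with `failurePolicy: Fail`. The TODO makes the intent clear, but the errors go to stdout via `fmt.Printf` (no trailing newline, bypassing the `istio.io/pkg/log` package the rest of this repo uses) and the response message `"IstioControlPlane schema validated with err"` drops the detail, so the decision leaves no usable trace. Log them with the project logger, e.g. `log.Warnf("IstioControlPlane validation errors (not enforced yet): %v", errs)`, and include `errs.Error()` in the Allowed message so the AdmissionReview response records what was found; the `fmt` import can then be used for `fmt.Sprintf` or dropped. `Handle` begins before this hunk.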