FailurePolicy of PodMutatingWebhook turn to Fail (openkruise#129)

Signed-off-by: ChrisLiu <[email protected]>

Author: chrisliu1995

cloudprovider/alibabacloud/slb.go

@@ -120,11 +120,7 @@ func initLbCache(svcList []corev1.Service, minPort, maxPort int32) (map[string]p
 }
 
 func (s *SlbPlugin) OnPodAdded(c client.Client, pod *corev1.Pod, ctx context.Context) (*corev1.Pod, cperrors.PluginError) {
-	networkManager := utils.NewNetworkManager(pod, c)
-	networkConfig := networkManager.GetNetworkConfig()
-	sc := parseLbConfig(networkConfig)
-	err := c.Create(ctx, s.consSvc(sc, pod, c, ctx))
-	return pod, cperrors.ToPluginError(err, cperrors.ApiCallError)
+	return pod, nil
 }
 
 func (s *SlbPlugin) OnPodUpdated(c client.Client, pod *corev1.Pod, ctx context.Context) (*corev1.Pod, cperrors.PluginError) {

cloudprovider/kubernetes/hostPort.go

@@ -70,14 +70,15 @@ func (hpp *HostPortPlugin) Alias() string {
 }
 
 func (hpp *HostPortPlugin) OnPodAdded(c client.Client, pod *corev1.Pod, ctx context.Context) (*corev1.Pod, errors.PluginError) {
+	log.Infof("Receiving pod %s/%s ADD Operation", pod.GetNamespace(), pod.GetName())
 	podNow := &corev1.Pod{}
 	err := c.Get(ctx, types.NamespacedName{
 		Namespace: pod.GetNamespace(),
 		Name:      pod.GetName(),
 	}, podNow)
-	// There is a pod with same ns/name exists in cluster, do not allocate
 	if err == nil {
-		return pod, nil
+		log.Infof("There is a pod with same ns/name(%s/%s) exists in cluster, do not allocate", pod.GetNamespace(), pod.GetName())
+		return pod, errors.NewPluginError(errors.InternalError, "There is a pod with same ns/name exists in cluster")
 	}
 	if !k8serrors.IsNotFound(err) {
 		return pod, errors.NewPluginError(errors.ApiCallError, err.Error())
@@ -118,6 +119,7 @@ func (hpp *HostPortPlugin) OnPodAdded(c client.Client, pod *corev1.Pod, ctx cont
 }
 
 func (hpp *HostPortPlugin) OnPodUpdated(c client.Client, pod *corev1.Pod, ctx context.Context) (*corev1.Pod, errors.PluginError) {
+	log.Infof("Receiving pod %s/%s UPDATE Operation", pod.GetNamespace(), pod.GetName())
 	node := &corev1.Node{}
 	err := c.Get(ctx, types.NamespacedName{
 		Name: pod.Spec.NodeName,
@@ -183,6 +185,7 @@ func (hpp *HostPortPlugin) OnPodUpdated(c client.Client, pod *corev1.Pod, ctx co
 }
 
 func (hpp *HostPortPlugin) OnPodDeleted(c client.Client, pod *corev1.Pod, ctx context.Context) errors.PluginError {
+	log.Infof("Receiving pod %s/%s DELETE Operation", pod.GetNamespace(), pod.GetName())
 	if _, ok := hpp.podAllocated[pod.GetNamespace()+"/"+pod.GetName()]; !ok {
 		return nil
 	}

cloudprovider/kubernetes/ingress.go

@@ -78,23 +78,6 @@ func (i IngressPlugin) Init(client client.Client, options cloudprovider.CloudPro
 }
 
 func (i IngressPlugin) OnPodAdded(c client.Client, pod *corev1.Pod, ctx context.Context) (*corev1.Pod, cperrors.PluginError) {
-	networkManager := utils.NewNetworkManager(pod, c)
-	conf := networkManager.GetNetworkConfig()
-	ic, err := parseIngConfig(conf, pod)
-	if err != nil {
-		return pod, cperrors.NewPluginError(cperrors.ParameterError, err.Error())
-	}
-
-	err = c.Create(ctx, consSvc(ic, pod, c, ctx))
-	if err != nil {
-		return pod, cperrors.NewPluginError(cperrors.ApiCallError, err.Error())
-	}
-
-	err = c.Create(ctx, consIngress(ic, pod, c, ctx))
-	if err != nil {
-		return pod, cperrors.NewPluginError(cperrors.ApiCallError, err.Error())
-	}
-
 	return pod, nil
 }
 

cloudprovider/volcengine/clb.go

@@ -128,11 +128,7 @@ func initLbCache(svcList []corev1.Service, minPort, maxPort int32) (map[string]p
 }
 
 func (c *ClbPlugin) OnPodAdded(client client.Client, pod *corev1.Pod, ctx context.Context) (*corev1.Pod, cperrors.PluginError) {
-	networkManager := utils.NewNetworkManager(pod, client)
-	networkConfig := networkManager.GetNetworkConfig()
-	sc := parseLbConfig(networkConfig)
-	err := client.Create(ctx, c.consSvc(sc, pod, client, ctx))
-	return pod, cperrors.ToPluginError(err, cperrors.ApiCallError)
+	return pod, nil
 }
 
 func (c *ClbPlugin) OnPodUpdated(client client.Client, pod *corev1.Pod, ctx context.Context) (*corev1.Pod, cperrors.PluginError) {

pkg/webhook/mutating_pod.go

@@ -129,7 +129,7 @@ func getPodFromRequest(req admission.Request, decoder *admission.Decoder) (*core
 
 func getAdmissionResponse(req admission.Request, result patchResult) admission.Response {
 	if result.err != nil {
-		return admission.Allowed(result.err.Error())
+		return admission.Denied(result.err.Error())
 	}
 	if req.Operation == admissionv1.Delete {
 		return admission.Allowed("delete successfully")

pkg/webhook/webhook.go

@@ -20,6 +20,7 @@ import (
 	"context"
 	"flag"
 	"fmt"
+	gamekruiseiov1alpha1 "github.com/openkruise/kruise-game/apis/v1alpha1"
 	manager2 "github.com/openkruise/kruise-game/cloudprovider/manager"
 	"github.com/openkruise/kruise-game/pkg/webhook/util/generator"
 	"github.com/openkruise/kruise-game/pkg/webhook/util/writer"
@@ -247,12 +248,12 @@ func getValidatingWebhookConf(dnsName string, caBundle []byte) []admissionregist
 
 func getMutatingWebhookConf(dnsName string, caBundle []byte) []admissionregistrationv1.MutatingWebhook {
 	sideEffectClassNone := admissionregistrationv1.SideEffectClassNone
-	ignore := admissionregistrationv1.Ignore
+	fail := admissionregistrationv1.Fail
 	return []admissionregistrationv1.MutatingWebhook{
 		{
 			Name:                    dnsName,
 			SideEffects:             &sideEffectClassNone,
-			FailurePolicy:           &ignore,
+			FailurePolicy:           &fail,
 			AdmissionReviewVersions: []string{"v1", "v1beta1"},
 			ClientConfig: admissionregistrationv1.WebhookClientConfig{
 				Service: &admissionregistrationv1.ServiceReference{
@@ -272,6 +273,15 @@ func getMutatingWebhookConf(dnsName string, caBundle []byte) []admissionregistra
 					},
 				},
 			},
+			ObjectSelector: &metav1.LabelSelector{
+				MatchExpressions: []metav1.LabelSelectorRequirement{
+					{
+						Key:      gamekruiseiov1alpha1.GameServerOwnerGssKey,
+						Operator: metav1.LabelSelectorOpExists,
+						Values:   []string{},
+					},
+				},
+			},
 		},
 	}
 }