upgrade crd to v1
zhiweiyin318 committed Mar 22, 2021
1 parent 618396d commit d4024ec
Showing 16 changed files with 749 additions and 1,266 deletions.
6 changes: 2 additions & 4 deletions Makefile
@@ -39,8 +39,7 @@ KB_TOOLS_ARCHIVE_PATH := $(PERMANENT_TMP_GOPATH)/$(KB_TOOLS_ARCHIVE_NAME)
# Add packages to do unit test
GO_TEST_PACKAGES :=./pkg/...

# Produce CRDs that work back to Kubernetes 1.11 (no version conversion)
CRD_OPTIONS ?= "crd"
CRD_OPTIONS ?= "crd:crdVersions=v1"

# This will call a macro called "build-image" which will generate image specific targets based on the parameters:
# $0 - macro name
@@ -119,7 +118,6 @@ generate_files: generate_exes
manifests: ensure-controller-gen
$(CONTROLLER_GEN) $(CRD_OPTIONS) rbac:roleName=manager-role webhook paths="./pkg/apis/action/v1beta1" output:crd:artifacts:config=deploy/foundation/hub/resources/crds
$(CONTROLLER_GEN) $(CRD_OPTIONS) rbac:roleName=manager-role webhook paths="./pkg/apis/view/v1beta1" output:crd:artifacts:config=deploy/foundation/hub/resources/crds
$(CONTROLLER_GEN) $(CRD_OPTIONS) rbac:roleName=manager-role webhook paths="./pkg/apis/cluster/v1alpha1" output:crd:artifacts:config=deploy/foundation/hub/resources/crds
$(CONTROLLER_GEN) $(CRD_OPTIONS) rbac:roleName=manager-role webhook paths="./pkg/apis/internal.open-cluster-management.io/v1beta1" output:crd:artifacts:config=deploy/foundation/hub/resources/crds
$(CONTROLLER_GEN) $(CRD_OPTIONS) rbac:roleName=manager-role webhook paths="./pkg/apis/inventory/v1alpha1" output:crd:artifacts:config=deploy/foundation/hub/resources/crds

@@ -162,7 +160,7 @@ ifeq (, $(shell which controller-gen))
CONTROLLER_GEN_TMP_DIR=$$(mktemp -d) ;\
cd $$CONTROLLER_GEN_TMP_DIR ;\
go mod init tmp ;\
go get sigs.k8s.io/controller-tools/cmd/controller-gen@v0.2.5 ;\
go get sigs.k8s.io/controller-tools/cmd/controller-gen@v0.5.0 ;\
rm -rf $$CONTROLLER_GEN_TMP_DIR ;\
}
CONTROLLER_GEN=$(GOBIN)/controller-gen
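Review bot: The `CRD_OPTIONS` assignment in the first hunk no longer has an accurate compatibility comment: the line about producing CRDs that work back to Kubernetes 1.11 appears to have been dropped (and would be wrong if kept), because `crd:crdVersions=v1` emits apiextensions.k8s.io/v1 manifests, which need Kubernetes 1.16 or later. I would add `# Produce apiextensions.k8s.io/v1 CRDs; requires Kubernetes 1.16+` above the assignment so the minimum supported cluster version stays documented next to the option that sets it. The controller-gen pin in the last hunk is an exact version, which keeps the generated manifests reproducible.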
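--- a/cmd/webhook/app/options/scheme.go
+++ b/cmd/webhook/app/options/scheme.go
@@ -3,8 +3,8 @@
 package options
 
 import (
-admissionv1beta1 "k8s.io/api/admission/v1beta1"
-admissionregistrationv1beta1 "k8s.io/api/admissionregistration/v1beta1"
+admissionv1 "k8s.io/api/admission/v1"
+admissionregistrationv1 "k8s.io/api/admissionregistration/v1"
 corev1 "k8s.io/api/core/v1"
 "k8s.io/apimachinery/pkg/runtime"
 "k8s.io/apimachinery/pkg/runtime/serializer"
@@ -20,6 +20,6 @@ func init() {
 
 func addToScheme(scheme *runtime.Scheme) {
 utilruntime.Must(corev1.AddToScheme(scheme))
-utilruntime.Must(admissionv1beta1.AddToScheme(scheme))
-utilruntime.Must(admissionregistrationv1beta1.AddToScheme(scheme))
+utilruntime.Must(admissionv1.AddToScheme(scheme))
+utilruntime.Must(admissionregistrationv1.AddToScheme(scheme))
 }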
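Review bot: With only `admissionv1` registered in `addToScheme`, the codec built from this scheme presumably can no longer decode an `admission.k8s.io/v1beta1` AdmissionReview, so a webhook configuration that still advertises `admissionReviewVersions: ["v1beta1"]` would have its requests fail at the `deserializer.Decode` call in server.go's `serve`. The webhook manifests are not among the visible sections, so please confirm they list `v1` and roll out together with this binary. If the webhook is registered with failurePolicy Ignore, such a mismatch fails open and the user-identity mutation is skipped without any visible error to the caller. A comment on `addToScheme` such as `// Only admission.k8s.io/v1 is registered; webhook configurations must set admissionReviewVersions: ["v1"].` would make the coupling explicit.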
52 changes: 11 additions & 41 deletions cmd/webhook/app/server.go
@@ -9,23 +9,16 @@ import (

"github.com/mattbaird/jsonpatch"
"github.com/open-cluster-management/multicloud-operators-foundation/cmd/webhook/app/options"
"github.com/open-cluster-management/multicloud-operators-foundation/pkg/webhook/denynamespace"
"github.com/open-cluster-management/multicloud-operators-foundation/pkg/webhook/useridentity"
"k8s.io/api/admission/v1beta1"
apiextensionsv1beta1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1"
"k8s.io/api/admission/v1"
apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/client-go/dynamic"
"k8s.io/client-go/kubernetes"
rbaclisters "k8s.io/client-go/listers/rbac/v1"
"k8s.io/klog"
)

var namespaceGVR = metav1.GroupVersionResource{
Group: "",
Version: "v1",
Resource: "namespaces",
}

type admissionHandler struct {
lister rbaclisters.RoleBindingLister
kubeClient kubernetes.Interface
@@ -34,16 +27,16 @@ type admissionHandler struct {

// toAdmissionResponse is a helper function to create an AdmissionResponse
// with an embedded error
func toAdmissionResponse(err error) *v1beta1.AdmissionResponse {
return &v1beta1.AdmissionResponse{
func toAdmissionResponse(err error) *v1.AdmissionResponse {
return &v1.AdmissionResponse{
Result: &metav1.Status{
Message: err.Error(),
},
}
}

// admitFunc is the type we use for all of our validators and mutators
type admitFunc func(v1beta1.AdmissionReview) *v1beta1.AdmissionResponse
type admitFunc func(v1.AdmissionReview) *v1.AdmissionResponse

// serve handles the http portion of a request prior to handing to an admit
// function
@@ -64,10 +57,10 @@ func (a *admissionHandler) serve(w io.Writer, r *http.Request, admit admitFunc)
klog.V(2).Info(fmt.Sprintf("handling request: %s", body))

// The AdmissionReview that was sent to the webhook
requestedAdmissionReview := v1beta1.AdmissionReview{}
requestedAdmissionReview := v1.AdmissionReview{}

// The AdmissionReview that will be returned
responseAdmissionReview := v1beta1.AdmissionReview{}
responseAdmissionReview := v1.AdmissionReview{}

deserializer := options.Codecs.UniversalDeserializer()
if _, _, err := deserializer.Decode(body, nil, &requestedAdmissionReview); err != nil {
@@ -92,10 +85,10 @@ func (a *admissionHandler) serve(w io.Writer, r *http.Request, admit admitFunc)
}
}

func (a *admissionHandler) mutateResource(ar v1beta1.AdmissionReview) *v1beta1.AdmissionResponse {
func (a *admissionHandler) mutateResource(ar v1.AdmissionReview) *v1.AdmissionResponse {
klog.V(2).Info("mutating custom resource")
raw := ar.Request.Object.Raw
crd := apiextensionsv1beta1.CustomResourceDefinition{}
crd := apiextensionsv1.CustomResourceDefinition{}
deserializer := options.Codecs.UniversalDeserializer()
if _, _, err := deserializer.Decode(raw, nil, &crd); err != nil {
klog.Error(err)
@@ -110,7 +103,7 @@ func (a *admissionHandler) mutateResource(ar v1beta1.AdmissionReview) *v1beta1.A

resAnnotations := useridentity.MergeUserIdentityToAnnotations(ar.Request.UserInfo, annotations, crd.GetNamespace(), a.lister)
crd.SetAnnotations(resAnnotations)
reviewResponse := v1beta1.AdmissionResponse{}
reviewResponse := v1.AdmissionResponse{}
reviewResponse.Allowed = true

crBytes, err := json.Marshal(crd)
@@ -129,35 +122,12 @@ func (a *admissionHandler) mutateResource(ar v1beta1.AdmissionReview) *v1beta1.A
return nil
}
reviewResponse.Patch = resBytes
pt := v1beta1.PatchTypeJSONPatch
pt := v1.PatchTypeJSONPatch
reviewResponse.PatchType = &pt
klog.V(2).Infof("Successfully Added user and group for resource: %+v, name: %+v", ar.Request.Resource.Resource, crd.GetName())
return &reviewResponse
}

func (a *admissionHandler) validateResource(ar v1beta1.AdmissionReview) *v1beta1.AdmissionResponse {
reviewResponse := v1beta1.AdmissionResponse{
Allowed: true,
}

switch {
case ar.Request.Resource == namespaceGVR:
klog.V(2).Info("validating namespace deletion")
allowedDeny, msg := denynamespace.ShouldDenyDeleteNamespace(ar.Request.Namespace, a.dynamicClient)
reviewResponse.Allowed = !allowedDeny
if allowedDeny {
reviewResponse.Result = &metav1.Status{Message: msg}
}
klog.V(2).Infof("reviewResponse %v", reviewResponse)
}

return &reviewResponse
}

func (a *admissionHandler) serveMutateResource(w http.ResponseWriter, r *http.Request) {
a.serve(w, r, a.mutateResource)
}

func (a *admissionHandler) serverValidateResource(w http.ResponseWriter, r *http.Request) {
a.serve(w, r, a.validateResource)
}
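Review bot: The reply that `serve` builds from `responseAdmissionReview := v1.AdmissionReview{}` must carry `apiVersion`/`kind` and a `response.uid` matching the request, which admission.k8s.io/v1 enforces where v1beta1 was lenient; the lines that populate the response are in the collapsed part of `serve`, so I cannot tell whether they do. If they are missing, the API server is expected to reject every reply, and depending on failurePolicy that either blocks the request or silently skips the user-identity annotation. Before encoding, set `responseAdmissionReview.TypeMeta = metav1.TypeMeta{APIVersion: "admission.k8s.io/v1", Kind: "AdmissionReview"}` and `responseAdmissionReview.Response.UID = requestedAdmissionReview.Request.UID`. Because `mutateResource` has `return nil` paths, the UID assignment needs a nil check on `Response` first. Both `serve` and `mutateResource` start or continue outside the visible hunks.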
1 change: 0 additions & 1 deletion cmd/webhook/app/start.go
@@ -52,7 +52,6 @@ func Run(opts *options.Options, stopCh <-chan struct{}) error {
}

http.HandleFunc("/mutating", ah.serveMutateResource)
http.HandleFunc("/validating", ah.serverValidateResource)

server := &http.Server{
Addr: ":8000",