Skip to content
This repository has been archived by the owner on Oct 31, 2024. It is now read-only.

Commit

Permalink
change admission review to v1
Browse files Browse the repository at this point in the history
Signed-off-by: Jian Qiu <[email protected]>
  • Loading branch information
qiujian16 committed Apr 22, 2021
1 parent 74be9e3 commit 57e4128
Show file tree
Hide file tree
Showing 13 changed files with 299 additions and 139 deletions.
6 changes: 3 additions & 3 deletions deploy/webhook/webhook.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -21,7 +21,7 @@ webhooks:
- "*"
resources:
- managedclusters
admissionReviewVersions: ["v1beta1"]
admissionReviewVersions: ["v1"]
sideEffects: None
timeoutSeconds: 3

Expand Down Expand Up @@ -50,7 +50,7 @@ webhooks:
- "*"
resources:
- managedclusters
admissionReviewVersions: ["v1beta1"]
admissionReviewVersions: ["v1"]
sideEffects: None
timeoutSeconds: 3

Expand Down Expand Up @@ -79,6 +79,6 @@ webhooks:
- "*"
resources:
- managedclustersetbindings
admissionReviewVersions: ["v1beta1"]
admissionReviewVersions: ["v1"]
sideEffects: None
timeoutSeconds: 3
2 changes: 2 additions & 0 deletions go.mod
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,8 @@ go 1.15

replace github.com/googleapis/gnostic => github.com/googleapis/gnostic v0.4.1 // ensure compatible between controller-runtime and kube-openapi

replace github.com/openshift/generic-admission-server => github.com/qiujian16/generic-admission-server v1.14.1-0.20210422073840-49ee199c1920

require (
github.com/go-bindata/go-bindata v3.1.2+incompatible
github.com/onsi/ginkgo v1.14.0
Expand Down
8 changes: 6 additions & 2 deletions go.sum
Original file line number Diff line number Diff line change
Expand Up @@ -436,8 +436,6 @@ github.com/openshift/build-machinery-go v0.0.0-20210115170933-e575b44a7a94/go.mo
github.com/openshift/build-machinery-go v0.0.0-20210209125900-0da259a2c359 h1:ehSDsWQiUVzJZrSEXMC7ceV9JIPEyTYqrpqu3m4Wa08=
github.com/openshift/build-machinery-go v0.0.0-20210209125900-0da259a2c359/go.mod h1:b1BuldmJlbA/xYtdZvKi+7j5YGB44qJUJDZ9zwiNCfE=
github.com/openshift/client-go v0.0.0-20210331195552-cf6c2669e01f/go.mod h1:hHaRJ6vp2MRd/CpuZ1oJkqnMGy5eEnoAkQmKPZKcUPI=
github.com/openshift/generic-admission-server v1.14.1-0.20200903115324-4ddcdd976480 h1:y47BAJFepK8Xls1c+quIOyc46OXiT9LRiqGVjIaMlSA=
github.com/openshift/generic-admission-server v1.14.1-0.20200903115324-4ddcdd976480/go.mod h1:OAHL5WnZphlhVEf5fTdeGLvNwMu1B2zCWpmxJpCA35o=
github.com/openshift/library-go v0.0.0-20210407140145-f831e911c638 h1:JVMywK3dwzPAwpTCWIHn2Emx5L11I+0OR15CZXHI4do=
github.com/openshift/library-go v0.0.0-20210407140145-f831e911c638/go.mod h1:pnz961veImKsbn7pQcuFbcVpCQosYiC1fUOjzEDeOLU=
github.com/pascaldekloe/goe v0.0.0-20180627143212-57f6aae5913c/go.mod h1:lzWF7FIEvWOWxwDKqyGYQf6ZUaNfKdP144TG7ZOy1lc=
Expand Down Expand Up @@ -480,6 +478,8 @@ github.com/prometheus/procfs v0.1.3/go.mod h1:lV6e/gmhEcM9IjHGsFOCxxuZ+z1YqCvr4O
github.com/prometheus/procfs v0.2.0 h1:wH4vA7pcjKuZzjF7lM8awk4fnuJO6idemZXoKnULUx4=
github.com/prometheus/procfs v0.2.0/go.mod h1:lV6e/gmhEcM9IjHGsFOCxxuZ+z1YqCvr4OA4YeYWdaU=
github.com/prometheus/tsdb v0.7.1/go.mod h1:qhTCs0VvXwvX/y3TZrWD7rabWM+ijKTux40TwIPHuXU=
github.com/qiujian16/generic-admission-server v1.14.1-0.20210422073840-49ee199c1920 h1:G8oMBm/ddH5EXknuo/CLODoQ/A2bu+NHR1MSpAd2xhI=
github.com/qiujian16/generic-admission-server v1.14.1-0.20210422073840-49ee199c1920/go.mod h1:m+wYlVQdnPe8JGqoKVpCYnFRIVraqC1SrUowQXh6XlA=
github.com/remyoudompheng/bigfft v0.0.0-20170806203942-52369c62f446/go.mod h1:uYEyJGbgTkfkS4+E/PavXkNJcbFIpEtjt2B0KDQ5+9M=
github.com/robfig/cron v1.2.0 h1:ZjScXvvxeQ63Dbyxy76Fj3AT3Ut0aKsyd2/tl3DTMuQ=
github.com/robfig/cron v1.2.0/go.mod h1:JGuDeoQd7Z6yL4zQhZ3OPEVHB7fL6Ka6skscFHfmt2k=
Expand Down Expand Up @@ -919,6 +919,7 @@ honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9
k8s.io/api v0.17.0/go.mod h1:npsyOePkeP0CPwyGfXDHxvypiYMJxBWAMpQxCaJ4ZxI=
k8s.io/api v0.18.0-beta.2/go.mod h1:2oeNnWEqcSmaM/ibSh3t7xcIqbkGXhzZdn4ezV9T4m0=
k8s.io/api v0.19.0/go.mod h1:I1K45XlvTrDjmj5LoM5LuP/KYrhWbjUKT/SoPG0qTjw=
k8s.io/api v0.19.5/go.mod h1:yGZReuNa0vj56op6eT+NLrXJne0R0u9ktexZ8jdJzpc=
k8s.io/api v0.20.0 h1:WwrYoZNM1W1aQEbyl8HNG+oWGzLpZQBlcerS9BQw9yI=
k8s.io/api v0.20.0/go.mod h1:HyLC5l5eoS/ygQYl1BXBgFzWNlkHiAuyNAbevIn+FKg=
k8s.io/api v0.21.0-rc.0 h1:t/kW96KdNJNamYNqxaxRirahK+FaWJQ6BJPbXm5Jb+o=
Expand All @@ -932,6 +933,7 @@ k8s.io/apiextensions-apiserver v0.21.0-rc.0/go.mod h1:ItIoMBJU1gy93Qwr/B2699r4b0
k8s.io/apimachinery v0.17.0/go.mod h1:b9qmWdKlLuU9EBh+06BtLcSf/Mu89rWL33naRxs1uZg=
k8s.io/apimachinery v0.18.0-beta.2/go.mod h1:9SnR/e11v5IbyPCGbvJViimtJ0SwHG4nfZFjU77ftcA=
k8s.io/apimachinery v0.19.0/go.mod h1:DnPGDnARWFvYa3pMHgSxtbZb7gpzzAZ1pTfaUNDVlmA=
k8s.io/apimachinery v0.19.5/go.mod h1:6sRbGRAVY5DOCuZwB5XkqguBqpqLU6q/kOaOdk29z6Q=
k8s.io/apimachinery v0.20.0 h1:jjzbTJRXk0unNS71L7h3lxGDH/2HPxMPaQY+MjECKL8=
k8s.io/apimachinery v0.20.0/go.mod h1:WlLqWAHZGg07AeltaI0MV5uk1Omp8xaN0JGLY6gkRpU=
k8s.io/apimachinery v0.21.0-rc.0 h1:m9dyzHb8QZAHOZKIz2SiabSif1oLsfgrnwiago/9xJA=
Expand All @@ -944,6 +946,7 @@ k8s.io/apiserver v0.21.0-rc.0/go.mod h1:QlW7+1CZTZtAcKvJ34/n4DIb8sC93FeQpkd1KSU+
k8s.io/client-go v0.17.0/go.mod h1:TYgR6EUHs6k45hb6KWjVD6jFZvJV4gHDikv/It0xz+k=
k8s.io/client-go v0.18.0-beta.2/go.mod h1:UvuVxHjKWIcgy0iMvF+bwNDW7l0mskTNOaOW1Qv5BMA=
k8s.io/client-go v0.19.0/go.mod h1:H9E/VT95blcFQnlyShFgnFT9ZnJOAceiUHM3MlRC+mU=
k8s.io/client-go v0.19.5/go.mod h1:BSG3iuxI40Bs0nNDLS1JRa/7ReBQDHzf0x8nZZrK0fo=
k8s.io/client-go v0.20.0 h1:Xlax8PKbZsjX4gFvNtt4F5MoJ1V5prDvCuoq9B7iax0=
k8s.io/client-go v0.20.0/go.mod h1:4KWh/g+Ocd8KkCwKF8vUNnmqgv+EVnQDK4MBF4oB5tY=
k8s.io/client-go v0.21.0-rc.0 h1:lsPZHT1ZniXJcwg2udlaTOhAT8wf7BE0rn9Vj0+LWMA=
Expand All @@ -956,6 +959,7 @@ k8s.io/code-generator v0.21.0-rc.0/go.mod h1:hUlps5+9QaTrKx+jiM4rmq7YmH8wPOIko64
k8s.io/component-base v0.17.0/go.mod h1:rKuRAokNMY2nn2A6LP/MiwpoaMRHpfRnrPaUJJj1Yoc=
k8s.io/component-base v0.18.0-beta.2/go.mod h1:HVk5FpRnyzQ/MjBr9//e/yEBjTVa2qjGXCTuUzcD7ks=
k8s.io/component-base v0.19.0/go.mod h1:dKsY8BxkA+9dZIAh2aWJLL/UdASFDNtGYTCItL4LM7Y=
k8s.io/component-base v0.19.5/go.mod h1:5N/uv5A7fyr0d+t/b1HynXKkUVPEhc8ljkMaBJv4Tp8=
k8s.io/component-base v0.21.0-rc.0 h1:8YgFPDsIhRx7zCOxikZn77nYRnwxrc9aMiuQDJtK1+g=
k8s.io/component-base v0.21.0-rc.0/go.mod h1:XlP0bM7QJFWRGZYPc5NmphkvsYQ+o7804HWH3GTGjDY=
k8s.io/gengo v0.0.0-20190128074634-0689ccc1d7d6/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0=
Expand Down
10 changes: 5 additions & 5 deletions pkg/webhook/cluster/mutating_webhook.go
Original file line number Diff line number Diff line change
Expand Up @@ -6,7 +6,7 @@ import (

clusterv1 "github.com/open-cluster-management/api/cluster/v1"

admissionv1beta1 "k8s.io/api/admission/v1beta1"
admissionv1 "k8s.io/api/admission/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/runtime/schema"
"k8s.io/client-go/rest"
Expand All @@ -30,10 +30,10 @@ func (a *ManagedClusterMutatingAdmissionHook) MutatingResource() (schema.GroupVe
}

// Admit is called by generic-admission-server when the registered REST resource above is called with an admission request.
func (a *ManagedClusterMutatingAdmissionHook) Admit(req *admissionv1beta1.AdmissionRequest) *admissionv1beta1.AdmissionResponse {
func (a *ManagedClusterMutatingAdmissionHook) Admit(req *admissionv1.AdmissionRequest) *admissionv1.AdmissionResponse {
klog.V(4).Infof("mutate %q operation for object %q", req.Operation, req.Object)

status := &admissionv1beta1.AdmissionResponse{
status := &admissionv1.AdmissionResponse{
Allowed: true,
}

Expand All @@ -44,7 +44,7 @@ func (a *ManagedClusterMutatingAdmissionHook) Admit(req *admissionv1beta1.Admiss
}

// only mutate create and update operation
if req.Operation != admissionv1beta1.Create && req.Operation != admissionv1beta1.Update {
if req.Operation != admissionv1.Create && req.Operation != admissionv1.Update {
return status
}

Expand All @@ -61,7 +61,7 @@ func (a *ManagedClusterMutatingAdmissionHook) Admit(req *admissionv1beta1.Admiss
// If LeaseDurationSeconds value is zero, update it to 60 by default
if managedCluster.Spec.LeaseDurationSeconds == 0 {
status.Patch = []byte(defaultLeaseDurationSecondsPatch)
pt := admissionv1beta1.PatchTypeJSONPatch
pt := admissionv1.PatchTypeJSONPatch
status.PatchType = &pt
}

Expand Down
30 changes: 15 additions & 15 deletions pkg/webhook/cluster/mutating_webhook_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -6,63 +6,63 @@ import (
"testing"

testinghelpers "github.com/open-cluster-management/registration/pkg/helpers/testing"
admissionv1beta1 "k8s.io/api/admission/v1beta1"
admissionv1 "k8s.io/api/admission/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/runtime"
)

func TestManagedClusterMutate(t *testing.T) {
pt := admissionv1beta1.PatchTypeJSONPatch
pt := admissionv1.PatchTypeJSONPatch
cases := []struct {
name string
request *admissionv1beta1.AdmissionRequest
expectedResponse *admissionv1beta1.AdmissionResponse
request *admissionv1.AdmissionRequest
expectedResponse *admissionv1.AdmissionResponse
allowUpdateAcceptField bool
}{
{
name: "mutate non-managedclusters request",
request: &admissionv1beta1.AdmissionRequest{
request: &admissionv1.AdmissionRequest{
Resource: metav1.GroupVersionResource{
Group: "test.open-cluster-management.io",
Version: "v1",
Resource: "tests",
},
},
expectedResponse: &admissionv1beta1.AdmissionResponse{
expectedResponse: &admissionv1.AdmissionResponse{
Allowed: true,
},
},
{
name: "mutate deleting operation",
request: &admissionv1beta1.AdmissionRequest{
request: &admissionv1.AdmissionRequest{
Resource: managedclustersSchema,
Operation: admissionv1beta1.Delete,
Operation: admissionv1.Delete,
},
expectedResponse: &admissionv1beta1.AdmissionResponse{
expectedResponse: &admissionv1.AdmissionResponse{
Allowed: true,
},
},
{
name: "mutate a ManagedCluster without LeaseDurationSeconds setting",
request: &admissionv1beta1.AdmissionRequest{
request: &admissionv1.AdmissionRequest{
Resource: managedclustersSchema,
Operation: admissionv1beta1.Create,
Operation: admissionv1.Create,
Object: newManagedClusterObj(),
},
expectedResponse: &admissionv1beta1.AdmissionResponse{
expectedResponse: &admissionv1.AdmissionResponse{
Allowed: true,
Patch: []byte(`[{"op": "replace", "path": "/spec/leaseDurationSeconds", "value": 60}]`),
PatchType: &pt,
},
},
{
name: "mutate a ManagedCluster with LeaseDurationSeconds setting",
request: &admissionv1beta1.AdmissionRequest{
request: &admissionv1.AdmissionRequest{
Resource: managedclustersSchema,
Operation: admissionv1beta1.Create,
Operation: admissionv1.Create,
Object: newManagedClusterObjWithLeaseDurationSeconds(60),
},
expectedResponse: &admissionv1beta1.AdmissionResponse{
expectedResponse: &admissionv1.AdmissionResponse{
Allowed: true,
},
},
Expand Down
32 changes: 16 additions & 16 deletions pkg/webhook/cluster/validating_webhook.go
Original file line number Diff line number Diff line change
Expand Up @@ -11,7 +11,7 @@ import (

operatorhelpers "github.com/openshift/library-go/pkg/operator/v1helpers"

admissionv1beta1 "k8s.io/api/admission/v1beta1"
admissionv1 "k8s.io/api/admission/v1"
authenticationv1 "k8s.io/api/authentication/v1"
authorizationv1 "k8s.io/api/authorization/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
Expand Down Expand Up @@ -43,10 +43,10 @@ func (a *ManagedClusterValidatingAdmissionHook) ValidatingResource() (plural sch
}

// Validate is called by generic-admission-server when the registered REST resource above is called with an admission request.
func (a *ManagedClusterValidatingAdmissionHook) Validate(admissionSpec *admissionv1beta1.AdmissionRequest) *admissionv1beta1.AdmissionResponse {
func (a *ManagedClusterValidatingAdmissionHook) Validate(admissionSpec *admissionv1.AdmissionRequest) *admissionv1.AdmissionResponse {
klog.V(4).Infof("validate %q operation for object %q", admissionSpec.Operation, admissionSpec.Object)

status := &admissionv1beta1.AdmissionResponse{}
status := &admissionv1.AdmissionResponse{}

// only validate the request for managedcluster
if admissionSpec.Resource.Group != "cluster.open-cluster-management.io" ||
Expand All @@ -56,9 +56,9 @@ func (a *ManagedClusterValidatingAdmissionHook) Validate(admissionSpec *admissio
}

switch admissionSpec.Operation {
case admissionv1beta1.Create:
case admissionv1.Create:
return a.validateCreateRequest(admissionSpec)
case admissionv1beta1.Update:
case admissionv1.Update:
return a.validateUpdateRequest(admissionSpec)
default:
status.Allowed = true
Expand All @@ -74,8 +74,8 @@ func (a *ManagedClusterValidatingAdmissionHook) Initialize(kubeClientConfig *res
}

// validateCreateRequest validates create managed cluster operation
func (a *ManagedClusterValidatingAdmissionHook) validateCreateRequest(request *admissionv1beta1.AdmissionRequest) *admissionv1beta1.AdmissionResponse {
status := &admissionv1beta1.AdmissionResponse{}
func (a *ManagedClusterValidatingAdmissionHook) validateCreateRequest(request *admissionv1.AdmissionRequest) *admissionv1.AdmissionResponse {
status := &admissionv1.AdmissionResponse{}

// validate ManagedCluster object firstly
managedCluster, err := a.validateManagedClusterObj(request.Object)
Expand Down Expand Up @@ -106,8 +106,8 @@ func (a *ManagedClusterValidatingAdmissionHook) validateCreateRequest(request *a
}

// validateUpdateRequest validates update managed cluster operation.
func (a *ManagedClusterValidatingAdmissionHook) validateUpdateRequest(request *admissionv1beta1.AdmissionRequest) *admissionv1beta1.AdmissionResponse {
status := &admissionv1beta1.AdmissionResponse{}
func (a *ManagedClusterValidatingAdmissionHook) validateUpdateRequest(request *admissionv1.AdmissionRequest) *admissionv1.AdmissionResponse {
status := &admissionv1.AdmissionResponse{}

oldManagedCluster := &clusterv1.ManagedCluster{}
if err := json.Unmarshal(request.OldObject.Raw, oldManagedCluster); err != nil {
Expand Down Expand Up @@ -176,8 +176,8 @@ func (a *ManagedClusterValidatingAdmissionHook) validateManagedClusterObj(reques

// allowUpdateHubAcceptsClientField using SubjectAccessReview API to check whether a request user has been authorized to update
// HubAcceptsClient field
func (a *ManagedClusterValidatingAdmissionHook) allowUpdateAcceptField(clusterName string, userInfo authenticationv1.UserInfo) *admissionv1beta1.AdmissionResponse {
status := &admissionv1beta1.AdmissionResponse{}
func (a *ManagedClusterValidatingAdmissionHook) allowUpdateAcceptField(clusterName string, userInfo authenticationv1.UserInfo) *admissionv1.AdmissionResponse {
status := &admissionv1.AdmissionResponse{}

extra := make(map[string]authorizationv1.ExtraValue)
for k, v := range userInfo.Extra {
Expand Down Expand Up @@ -223,9 +223,9 @@ func (a *ManagedClusterValidatingAdmissionHook) allowUpdateAcceptField(clusterNa
}

// allowSetClusterSetLabel checks whether a request user has been authorized to set clusterset label
func (a *ManagedClusterValidatingAdmissionHook) allowSetClusterSetLabel(userInfo authenticationv1.UserInfo, originalClusterSet, newClusterSet string) *admissionv1beta1.AdmissionResponse {
func (a *ManagedClusterValidatingAdmissionHook) allowSetClusterSetLabel(userInfo authenticationv1.UserInfo, originalClusterSet, newClusterSet string) *admissionv1.AdmissionResponse {
if originalClusterSet == newClusterSet {
return &admissionv1beta1.AdmissionResponse{Allowed: true}
return &admissionv1.AdmissionResponse{Allowed: true}
}

if len(originalClusterSet) > 0 {
Expand All @@ -240,15 +240,15 @@ func (a *ManagedClusterValidatingAdmissionHook) allowSetClusterSetLabel(userInfo
}
}

return &admissionv1beta1.AdmissionResponse{
return &admissionv1.AdmissionResponse{
Allowed: true,
}
}

// allowUpdateClusterSet checks whether a request user has been authorized to add/remove a ManagedCluster
// to/from the ManagedClusterSet
func (a *ManagedClusterValidatingAdmissionHook) allowUpdateClusterSet(userInfo authenticationv1.UserInfo, clusterSetName string) *admissionv1beta1.AdmissionResponse {
status := &admissionv1beta1.AdmissionResponse{}
func (a *ManagedClusterValidatingAdmissionHook) allowUpdateClusterSet(userInfo authenticationv1.UserInfo, clusterSetName string) *admissionv1.AdmissionResponse {
status := &admissionv1.AdmissionResponse{}

extra := make(map[string]authorizationv1.ExtraValue)
for k, v := range userInfo.Extra {
Expand Down
Loading

0 comments on commit 57e4128

Please sign in to comment.