Merge pull request #143 from mengqiy/admissionwebhook-1.11

Merge branch admissionwebhook-1.11 back to master
kubernetes-sigs · Sep 14, 2018 · 8d93cc7 · 8d93cc7
2 parents 419794c + fabe80d
commit 8d93cc7
Show file tree

Hide file tree

Showing 63 changed files with 4,854 additions and 2,010 deletions.
diff --git a/Gopkg.lock b/Gopkg.lock
diff --git a/example/controller.go b/example/controller.go
@@ -0,0 +1,77 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"context"
+
+	"github.com/go-logr/logr"
+
+	appsv1 "k8s.io/api/apps/v1"
+	"k8s.io/apimachinery/pkg/api/errors"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/controller-runtime/pkg/reconcile"
+)
+
+// reconcileReplicaSet reconciles ReplicaSets
+type reconcileReplicaSet struct {
+	// client can be used to retrieve objects from the APIServer.
+	client client.Client
+	log    logr.Logger
+}
+
+// Implement reconcile.Reconciler so the controller can reconcile objects
+var _ reconcile.Reconciler = &reconcileReplicaSet{}
+
+func (r *reconcileReplicaSet) Reconcile(request reconcile.Request) (reconcile.Result, error) {
+	// set up a convinient log object so we don't have to type request over and over again
+	log := r.log.WithValues("request", request)
+
+	// Fetch the ReplicaSet from the cache
+	rs := &appsv1.ReplicaSet{}
+	err := r.client.Get(context.TODO(), request.NamespacedName, rs)
+	if errors.IsNotFound(err) {
+		log.Error(nil, "Could not find ReplicaSet")
+		return reconcile.Result{}, nil
+	}
+
+	if err != nil {
+		log.Error(err, "Could not fetch ReplicaSet")
+		return reconcile.Result{}, err
+	}
+
+	// Print the ReplicaSet
+	log.Info("Reconciling ReplicaSet", "container name", rs.Spec.Template.Spec.Containers[0].Name)
+
+	// Set the label if it is missing
+	if rs.Labels == nil {
+		rs.Labels = map[string]string{}
+	}
+	if rs.Labels["hello"] == "world" {
+		return reconcile.Result{}, nil
+	}
+
+	// Update the ReplicaSet
+	rs.Labels["hello"] = "world"
+	err = r.client.Update(context.TODO(), rs)
+	if err != nil {
+		log.Error(err, "Could not write ReplicaSet")
+		return reconcile.Result{}, err
+	}
+
+	return reconcile.Result{}, nil
+}
diff --git a/example/main.go b/example/main.go
@@ -17,29 +17,26 @@ limitations under the License.
 package main
 
 import (
-	"context"
 	"flag"
 	"os"
 
-	"github.com/go-logr/logr"
+	admissionregistrationv1beta1 "k8s.io/api/admissionregistration/v1beta1"
 	appsv1 "k8s.io/api/apps/v1"
 	corev1 "k8s.io/api/core/v1"
-	"k8s.io/apimachinery/pkg/api/errors"
+	apitypes "k8s.io/apimachinery/pkg/types"
 	_ "k8s.io/client-go/plugin/pkg/client/auth/gcp"
-	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/client/config"
 	"sigs.k8s.io/controller-runtime/pkg/controller"
 	"sigs.k8s.io/controller-runtime/pkg/handler"
 	"sigs.k8s.io/controller-runtime/pkg/manager"
-	"sigs.k8s.io/controller-runtime/pkg/reconcile"
 	logf "sigs.k8s.io/controller-runtime/pkg/runtime/log"
 	"sigs.k8s.io/controller-runtime/pkg/runtime/signals"
 	"sigs.k8s.io/controller-runtime/pkg/source"
+	"sigs.k8s.io/controller-runtime/pkg/webhook"
+	"sigs.k8s.io/controller-runtime/pkg/webhook/admission/builder"
 )
 
-var (
-	log = logf.Log.WithName("example-controller")
-)
+var log = logf.Log.WithName("example-controller")
 
 func main() {
 	flag.Parse()
@@ -75,56 +72,64 @@ func main() {
 		os.Exit(1)
 	}
 
-	if err := mgr.Start(signals.SetupSignalHandler()); err != nil {
-		entryLog.Error(err, "unable to run manager")
+	// Setup webhooks
+	mutatingWebhook, err := builder.NewWebhookBuilder().
+		Name("mutating.k8s.io").
+		Mutating().
+		Operations(admissionregistrationv1beta1.Create, admissionregistrationv1beta1.Update).
+		WithManager(mgr).
+		ForType(&corev1.Pod{}).
+		Handlers(&podAnnotator{}).
+		Build()
+	if err != nil {
+		entryLog.Error(err, "unable to setup mutating webhook")
 		os.Exit(1)
 	}
-}
-
-// reconcileReplicaSet reconciles ReplicaSets
-type reconcileReplicaSet struct {
-	client client.Client
-	log    logr.Logger
-}
-
-// Implement reconcile.Reconciler so the controller can reconcile objects
-var _ reconcile.Reconciler = &reconcileReplicaSet{}
-
-func (r *reconcileReplicaSet) Reconcile(request reconcile.Request) (reconcile.Result, error) {
-	// set up a convinient log object so we don't have to type request over and over again
-	log := r.log.WithValues("request", request)
-
-	// Fetch the ReplicaSet from the cache
-	rs := &appsv1.ReplicaSet{}
-	err := r.client.Get(context.TODO(), request.NamespacedName, rs)
-	if errors.IsNotFound(err) {
-		log.Error(nil, "Could not find ReplicaSet")
-		return reconcile.Result{}, nil
-	}
 
+	validatingWebhook, err := builder.NewWebhookBuilder().
+		Name("validating.k8s.io").
+		Validating().
+		Operations(admissionregistrationv1beta1.Create, admissionregistrationv1beta1.Update).
+		WithManager(mgr).
+		ForType(&corev1.Pod{}).
+		Handlers(&podValidator{}).
+		Build()
 	if err != nil {
-		log.Error(err, "Could not fetch ReplicaSet")
-		return reconcile.Result{}, err
+		entryLog.Error(err, "unable to setup validating webhook")
+		os.Exit(1)
 	}
 
-	// Print the ReplicaSet
-	log.Info("Reconciling ReplicaSet", "container name", rs.Spec.Template.Spec.Containers[0].Name)
-
-	// Set the label if it is missing
-	if rs.Labels == nil {
-		rs.Labels = map[string]string{}
-	}
-	if rs.Labels["hello"] == "world" {
-		return reconcile.Result{}, nil
+	as, err := webhook.NewServer("foo-admission-server", mgr, webhook.ServerOptions{
+		Port:    9876,
+		CertDir: "/tmp/cert",
+		BootstrapOptions: &webhook.BootstrapOptions{
+			Secret: &apitypes.NamespacedName{
+				Namespace: "default",
+				Name:      "foo-admission-server-secret",
+			},
+
+			Service: &webhook.Service{
+				Namespace: "default",
+				Name:      "foo-admission-server-service",
+				// Selectors should select the pods that runs this webhook server.
+				Selectors: map[string]string{
+					"app": "foo-admission-server",
+				},
+			},
+		},
+	})
+	if err != nil {
+		entryLog.Error(err, "unable to create a new webhook server")
+		os.Exit(1)
 	}
-
-	// Update the ReplicaSet
-	rs.Labels["hello"] = "world"
-	err = r.client.Update(context.TODO(), rs)
+	err = as.Register(mutatingWebhook, validatingWebhook)
 	if err != nil {
-		log.Error(err, "Could not write ReplicaSet")
-		return reconcile.Result{}, err
+		entryLog.Error(err, "unable to register webhooks in the admission server")
+		os.Exit(1)
 	}
 
-	return reconcile.Result{}, nil
+	if err := mgr.Start(signals.SetupSignalHandler()); err != nil {
+		entryLog.Error(err, "unable to run manager")
+		os.Exit(1)
+	}
 }
diff --git a/example/mutatingwebhook.go b/example/mutatingwebhook.go
@@ -0,0 +1,83 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"context"
+	"net/http"
+
+	corev1 "k8s.io/api/core/v1"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/controller-runtime/pkg/runtime/inject"
+	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
+	"sigs.k8s.io/controller-runtime/pkg/webhook/admission/types"
+)
+
+// podAnnotator annotates Pods
+type podAnnotator struct {
+	client  client.Client
+	decoder types.Decoder
+}
+
+// Implement admission.Handler so the controller can handle admission request.
+var _ admission.Handler = &podAnnotator{}
+
+// podAnnotator adds an annotation to every incoming pods.
+func (a *podAnnotator) Handle(ctx context.Context, req types.Request) types.Response {
+	pod := &corev1.Pod{}
+
+	err := a.decoder.Decode(req, pod)
+	if err != nil {
+		return admission.ErrorResponse(http.StatusBadRequest, err)
+	}
+	copy := pod.DeepCopy()
+
+	err = a.mutatePodsFn(ctx, copy)
+	if err != nil {
+		return admission.ErrorResponse(http.StatusInternalServerError, err)
+	}
+	return admission.PatchResponse(pod, copy)
+}
+
+// mutatePodsFn add an annotation to the given pod
+func (a *podAnnotator) mutatePodsFn(ctx context.Context, pod *corev1.Pod) error {
+	if pod.Annotations == nil {
+		pod.Annotations = map[string]string{}
+	}
+	pod.Annotations["example-mutating-admission-webhook"] = "foo"
+	return nil
+}
+
+// podValidator implements inject.Client.
+// A client will be automatically injected.
+var _ inject.Client = &podValidator{}
+
+// InjectClient injects the client.
+func (v *podAnnotator) InjectClient(c client.Client) error {
+	v.client = c
+	return nil
+}
+
+// podValidator implements inject.Decoder.
+// A decoder will be automatically injected.
+var _ inject.Decoder = &podValidator{}
+
+// InjectDecoder injects the decoder.
+func (v *podAnnotator) InjectDecoder(d types.Decoder) error {
+	v.decoder = d
+	return nil
+}