Merge pull request #16639 from deads2k/server-46-admission

Automatic merge from submit-queue (batch tested with PRs 16657, 16607, 16647, 16639, 16655). filter out 'turn this on' config structs for admission Alternative to #16505 to allow our enablement of config. I think this aligns more closely with a goal of calling the "normal" https://github.com/kubernetes/kubernetes/blob/master/staging/src/k8s.io/apiserver/pkg/server/options/admission.go#L78 path.
openshift · Oct 4, 2017 · 105055e · 105055e
2 parents 18fad10 + e357b7d
commit 105055e
Show file tree

Hide file tree

Showing 3 changed files with 61 additions and 1 deletion.
diff --git a/pkg/cmd/server/origin/admission/chain_builder.go b/pkg/cmd/server/origin/admission/chain_builder.go
@@ -1,6 +1,9 @@
 package admission
 
 import (
+	"bytes"
+	"io"
+	"io/ioutil"
 	"net"
 	"reflect"
 	"strings"
@@ -16,6 +19,7 @@ import (
 
 	oadmission "github.com/openshift/origin/pkg/cmd/server/admission"
 	configapi "github.com/openshift/origin/pkg/cmd/server/api"
+	configlatest "github.com/openshift/origin/pkg/cmd/server/api/latest"
 	"github.com/openshift/origin/pkg/cmd/util/pluginconfig"
 	imageadmission "github.com/openshift/origin/pkg/image/admission"
 	imagepolicy "github.com/openshift/origin/pkg/image/admission/imagepolicy/api"
@@ -351,3 +355,50 @@ func dedupe(input []string) []string {
 	}
 	return result
 }
+
+func init() {
+	// add a filter that will remove DefaultAdmissionConfig
+	admission.FactoryFilterFn = filterEnableAdmissionConfigs
+}
+
+func filterEnableAdmissionConfigs(delegate admission.Factory) admission.Factory {
+	return func(config io.Reader) (admission.Interface, error) {
+		config1, config2, err := splitStream(config)
+		if err != nil {
+			return nil, err
+		}
+		// if the config isn't a DefaultAdmissionConfig, then assume we're enabled (we were called after all)
+		// if the config *is* a DefaultAdmissionConfig and it explicitly said
+		obj, err := configlatest.ReadYAML(config1)
+		// if we can't read it, let the plugin deal with it
+		if err != nil {
+			return delegate(config2)
+		}
+		// if nothing was there, let the plugin deal with it
+		if obj == nil {
+			return delegate(config2)
+		}
+		// if it wasn't a DefaultAdmissionConfig object, let the plugin deal with it
+		if _, ok := obj.(*configapi.DefaultAdmissionConfig); !ok {
+			return delegate(config2)
+		}
+
+		// if it was a DefaultAdmissionConfig, then it must have said "enabled" and it wasn't really meant for the
+		// admission plugin
+		return delegate(nil)
+	}
+}
+
+// splitStream reads the stream bytes and constructs two copies of it.
+func splitStream(config io.Reader) (io.Reader, io.Reader, error) {
+	if config == nil || reflect.ValueOf(config).IsNil() {
+		return nil, nil, nil
+	}
+
+	configBytes, err := ioutil.ReadAll(config)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	return bytes.NewBuffer(configBytes), bytes.NewBuffer(configBytes), nil
+}
diff --git a/vendor/k8s.io/kubernetes/staging/src/k8s.io/apiserver/pkg/admission/patch.go b/vendor/k8s.io/kubernetes/staging/src/k8s.io/apiserver/pkg/admission/patch.go
diff --git a/vendor/k8s.io/kubernetes/staging/src/k8s.io/apiserver/pkg/admission/plugins.go b/vendor/k8s.io/kubernetes/staging/src/k8s.io/apiserver/pkg/admission/plugins.go