filter out 'turn this on' config structs

openshift · Oct 2, 2017 · e357b7d · e357b7d
1 parent a98af42
commit e357b7d
Showing 1 changed file with 51 additions and 0 deletions.
diff --git a/pkg/cmd/server/origin/admission/chain_builder.go b/pkg/cmd/server/origin/admission/chain_builder.go
@@ -1,6 +1,9 @@
 package admission
 
 import (
+	"bytes"
+	"io"
+	"io/ioutil"
 	"net"
 	"reflect"
 	"strings"
@@ -16,6 +19,7 @@ import (
 
 	oadmission "github.com/openshift/origin/pkg/cmd/server/admission"
 	configapi "github.com/openshift/origin/pkg/cmd/server/api"
+	configlatest "github.com/openshift/origin/pkg/cmd/server/api/latest"
 	"github.com/openshift/origin/pkg/cmd/util/pluginconfig"
 	imageadmission "github.com/openshift/origin/pkg/image/admission"
 	imagepolicy "github.com/openshift/origin/pkg/image/admission/imagepolicy/api"
@@ -351,3 +355,50 @@ func dedupe(input []string) []string {
 	}
 	return result
 }
+
+func init() {
+	// add a filter that will remove DefaultAdmissionConfig
+	admission.FactoryFilterFn = filterEnableAdmissionConfigs
+}
+
+func filterEnableAdmissionConfigs(delegate admission.Factory) admission.Factory {
+	return func(config io.Reader) (admission.Interface, error) {
+		config1, config2, err := splitStream(config)
+		if err != nil {
+			return nil, err
+		}
+		// if the config isn't a DefaultAdmissionConfig, then assume we're enabled (we were called after all)
+		// if the config *is* a DefaultAdmissionConfig and it explicitly said
+		obj, err := configlatest.ReadYAML(config1)
+		// if we can't read it, let the plugin deal with it
+		if err != nil {
+			return delegate(config2)
+		}
+		// if nothing was there, let the plugin deal with it
+		if obj == nil {
+			return delegate(config2)
+		}
+		// if it wasn't a DefaultAdmissionConfig object, let the plugin deal with it
+		if _, ok := obj.(*configapi.DefaultAdmissionConfig); !ok {
+			return delegate(config2)
+		}
+
+		// if it was a DefaultAdmissionConfig, then it must have said "enabled" and it wasn't really meant for the
+		// admission plugin
+		return delegate(nil)
+	}
+}
+
+// splitStream reads the stream bytes and constructs two copies of it.
+func splitStream(config io.Reader) (io.Reader, io.Reader, error) {
+	if config == nil || reflect.ValueOf(config).IsNil() {
+		return nil, nil, nil
+	}
+
+	configBytes, err := ioutil.ReadAll(config)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	return bytes.NewBuffer(configBytes), bytes.NewBuffer(configBytes), nil
+}