From db8597059224e892d32f5e0f8091dd9720e3b759 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Oliver=20B=C3=A4hler?= Date: Fri, 15 Sep 2023 18:44:20 +0200 Subject: [PATCH] fix(controller): copy ownerreference from oldNs on namespace UPDATE admission requests --- main.go | 2 +- pkg/webhook/namespace/owner_reference.go | 68 ------------------------ pkg/webhook/ownerreference/patching.go | 34 +++++++++++- 3 files changed, 34 insertions(+), 70 deletions(-) delete mode 100644 pkg/webhook/namespace/owner_reference.go diff --git a/main.go b/main.go index ce6039796..d0f7190d0 100644 --- a/main.go +++ b/main.go @@ -237,7 +237,7 @@ func main() { route.TenantResourceObjects(utils.InCapsuleGroups(cfg, tntresource.WriteOpsHandler())), route.NetworkPolicy(utils.InCapsuleGroups(cfg, networkpolicy.Handler())), route.Tenant(tenant.NameHandler(), tenant.RoleBindingRegexHandler(), tenant.IngressClassRegexHandler(), tenant.StorageClassRegexHandler(), tenant.ContainerRegistryRegexHandler(), tenant.HostnameRegexHandler(), tenant.FreezedEmitter(), tenant.ServiceAccountNameHandler(), tenant.ForbiddenAnnotationsRegexHandler(), tenant.ProtectedHandler()), - route.OwnerReference(utils.InCapsuleGroups(cfg, namespacewebhook.OwnerReferenceHandler(), ownerreference.Handler(cfg))), + route.OwnerReference(utils.InCapsuleGroups(cfg, ownerreference.Handler(cfg))), route.Cordoning(tenant.CordoningHandler(cfg), tenant.ResourceCounterHandler(manager.GetClient())), route.Node(utils.InCapsuleGroups(cfg, node.UserMetadataHandler(cfg, kubeVersion))), route.Defaults(defaults.Handler(cfg, kubeVersion)), diff --git a/pkg/webhook/namespace/owner_reference.go b/pkg/webhook/namespace/owner_reference.go deleted file mode 100644 index 2fbd4594e..000000000 --- a/pkg/webhook/namespace/owner_reference.go +++ /dev/null @@ -1,68 +0,0 @@ -// Copyright 2020-2023 Project Capsule Authors. -// SPDX-License-Identifier: Apache-2.0 - -package namespace - -import ( - "context" - "fmt" - "net/http" - - corev1 "k8s.io/api/core/v1" - "k8s.io/client-go/tools/record" - "sigs.k8s.io/controller-runtime/pkg/client" - "sigs.k8s.io/controller-runtime/pkg/webhook/admission" - - capsulewebhook "github.com/projectcapsule/capsule/pkg/webhook" - "github.com/projectcapsule/capsule/pkg/webhook/utils" -) - -type ownerReferenceHandler struct{} - -func OwnerReferenceHandler() capsulewebhook.Handler { - return &ownerReferenceHandler{} -} - -func (r *ownerReferenceHandler) OnCreate(client.Client, *admission.Decoder, record.EventRecorder) capsulewebhook.Func { - return func(ctx context.Context, req admission.Request) *admission.Response { - return nil - } -} - -func (r *ownerReferenceHandler) OnDelete(client.Client, *admission.Decoder, record.EventRecorder) capsulewebhook.Func { - return func(ctx context.Context, req admission.Request) *admission.Response { - return nil - } -} - -func (r *ownerReferenceHandler) OnUpdate(_ client.Client, decoder *admission.Decoder, _ record.EventRecorder) capsulewebhook.Func { - return func(ctx context.Context, req admission.Request) *admission.Response { - oldNs := &corev1.Namespace{} - if err := decoder.DecodeRaw(req.OldObject, oldNs); err != nil { - return utils.ErroredResponse(err) - } - - if len(oldNs.OwnerReferences) == 0 { - return nil - } - - newNs := &corev1.Namespace{} - if err := decoder.Decode(req, newNs); err != nil { - return utils.ErroredResponse(err) - } - - if len(newNs.OwnerReferences) == 0 { - response := admission.Errored(http.StatusBadRequest, fmt.Errorf("the OwnerReference cannot be removed")) - - return &response - } - - if oldNs.GetOwnerReferences()[0].UID != newNs.GetOwnerReferences()[0].UID { - response := admission.Errored(http.StatusBadRequest, fmt.Errorf("the OwnerReference cannot be changed")) - - return &response - } - - return nil - } -} diff --git a/pkg/webhook/ownerreference/patching.go b/pkg/webhook/ownerreference/patching.go index 629a042e4..989068654 100644 --- a/pkg/webhook/ownerreference/patching.go +++ b/pkg/webhook/ownerreference/patching.go @@ -50,7 +50,39 @@ func (h *handler) OnDelete(client client.Client, decoder *admission.Decoder, rec func (h *handler) OnUpdate(client client.Client, decoder *admission.Decoder, recorder record.EventRecorder) capsulewebhook.Func { return func(ctx context.Context, req admission.Request) *admission.Response { - return nil + oldNs := &corev1.Namespace{} + if err := decoder.DecodeRaw(req.OldObject, oldNs); err != nil { + return utils.ErroredResponse(err) + } + + if len(oldNs.OwnerReferences) == 0 { + return nil + } + + newNs := &corev1.Namespace{} + if err := decoder.Decode(req, newNs); err != nil { + return utils.ErroredResponse(err) + } + + o, err := json.Marshal(newNs.DeepCopy()) + if err != nil { + response := admission.Errored(http.StatusInternalServerError, err) + + return &response + } + + newNs.OwnerReferences = oldNs.OwnerReferences + + c, err := json.Marshal(newNs) + if err != nil { + response := admission.Errored(http.StatusInternalServerError, err) + + return &response + } + + response := admission.PatchResponseFromRaw(o, c) + + return &response } }