webhook/pkg/injector/webhook.go - infra/sanddune - Git at Google

 // Copyright 2020 The gVisor Authors.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at
 //
 //     http://www.apache.org/licenses/LICENSE-2.0
 //
 // Unless required by applicable law or agreed to in writing, software
 // distributed under the License is distributed on an "AS IS" BASIS,
 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 // See the License for the specific language governing permissions and
 // limitations under the License.

 // Package injector handles mutating webhook operations.
 package injector

 import (
 	"crypto/tls"
 	"encoding/json"
 	"fmt"
 	"net/http"
 	"os"

 	"github.com/mattbaird/jsonpatch"
 	"gvisor.dev/gvisor/pkg/log"
 	admv1beta1 "k8s.io/api/admission/v1beta1"
 	admregv1beta1 "k8s.io/api/admissionregistration/v1beta1"
 	v1 "k8s.io/api/core/v1"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	kubeclientset "k8s.io/client-go/kubernetes"
 )

 const (
 	// Name is the name of the admission webhook service. The admission
 	// webhook must be exposed in the following service; this is mainly for
 	// the server certificate.
 	Name = "gvisor-injection-admission-webhook"

 	// serviceNamespace is the namespace of the admission webhook service.
 	serviceNamespace = "e2e"

 	fullName = Name + "." + serviceNamespace + ".svc"
 )

 // CreateConfiguration creates MutatingWebhookConfiguration and registers the
 // webhook admission controller with the kube-apiserver. The webhook will only
 // take effect on pods in the namespaces selected by `podNsSelector`. If `podNsSelector`
 // is empty, the webhook will take effect on all pods.
 func CreateConfiguration(clientset kubeclientset.Interface, selector *metav1.LabelSelector) error {
 	fail := admregv1beta1.Fail

 	config := &admregv1beta1.MutatingWebhookConfiguration{
 		ObjectMeta: metav1.ObjectMeta{
 			Name: Name,
 		},
 		Webhooks: []admregv1beta1.MutatingWebhook{
 			{
 				Name: fullName,
 				ClientConfig: admregv1beta1.WebhookClientConfig{
 					Service: &admregv1beta1.ServiceReference{
 						Name:      Name,
 						Namespace: serviceNamespace,
 					},
 					CABundle: caCert,
 				},
 				Rules: []admregv1beta1.RuleWithOperations{
 					{
 						Operations: []admregv1beta1.OperationType{
 							admregv1beta1.Create,
 						},
 						Rule: admregv1beta1.Rule{
 							APIGroups:   []string{"*"},
 							APIVersions: []string{"*"},
 							Resources:   []string{"pods"},
 						},
 					},
 				},
 				FailurePolicy:     &fail,
 				NamespaceSelector: selector,
 			},
 		},
 	}
 	log.Infof("Creating MutatingWebhookConfiguration %q", config.Name)
 	if _, err := clientset.AdmissionregistrationV1beta1().MutatingWebhookConfigurations().Create(config); err != nil {
 		if !apierrors.IsAlreadyExists(err) {
 			return fmt.Errorf("failed to create MutatingWebhookConfiguration %q: %s", config.Name, err)
 		}
 		log.Infof("MutatingWebhookConfiguration %q already exists; use the existing one", config.Name)
 	}
 	return nil
 }

 // GetTLSConfig retrieves the CA cert that signed the cert used by the webhook.
 func GetTLSConfig() *tls.Config {
 	serverCert, err := tls.X509KeyPair(serverCert, serverKey)
 	if err != nil {
 		log.Warningf("Failed to generate X509 key pair: %v", err)
 		os.Exit(1)
 	}
 	return &tls.Config{
 		Certificates: []tls.Certificate{serverCert},
 	}
 }

 // Admit performs admission checks and mutations on Pods.
 func Admit(writer http.ResponseWriter, req *http.Request) {
 	review := &admv1beta1.AdmissionReview{}
 	if err := json.NewDecoder(req.Body).Decode(review); err != nil {
 		log.Infof("Failed with error (%v) to decode Admit request: %+v", err, *req)
 		writer.WriteHeader(http.StatusBadRequest)
 		return
 	}

 	log.Debugf("admitPod: %+v", review)
 	var err error
 	review.Response, err = admitPod(review.Request)
 	if err != nil {
 		log.Warningf("admitPod failed: %v", err)
 		review.Response = &admv1beta1.AdmissionResponse{
 			Result: &metav1.Status{
 				Reason:  metav1.StatusReasonInvalid,
 				Message: err.Error(),
 			},
 		}
 		sendResponse(writer, review)
 		return
 	}

 	log.Debugf("Processed admission review: %+v", review)
 	sendResponse(writer, review)
 }

 func sendResponse(writer http.ResponseWriter, response interface{}) {
 	b, err := json.Marshal(response)
 	if err != nil {
 		log.Warningf("Failed with error (%v) to marshal response: %+v", err, response)
 		writer.WriteHeader(http.StatusInternalServerError)
 		return
 	}

 	writer.WriteHeader(http.StatusOK)
 	writer.Write(b)
 }

 func admitPod(req *admv1beta1.AdmissionRequest) (*admv1beta1.AdmissionResponse, error) {
 	// Verify that the request is indeed a Pod.
 	resource := metav1.GroupVersionResource{Group: "", Version: "v1", Resource: "pods"}
 	if req.Resource != resource {
 		return nil, fmt.Errorf("unexpected resource %+v in pod admission", req.Resource)
 	}

 	// Decode the request into a Pod.
 	pod := &v1.Pod{}
 	if err := json.Unmarshal(req.Object.Raw, pod); err != nil {
 		return nil, fmt.Errorf("failed to decode pod object %s/%s", req.Namespace, req.Name)
 	}

 	// Copy first to change it.
 	podCopy := pod.DeepCopy()
 	updatePod(podCopy)
 	patch, err := createPatch(req.Object.Raw, podCopy)
 	if err != nil {
 		return nil, fmt.Errorf("failed to create patch for pod %s/%s (generatedName: %s)", pod.Namespace, pod.Name, pod.GenerateName)
 	}

 	log.Debugf("Patched pod %s/%s (generateName: %s): %+v", pod.Namespace, pod.Name, pod.GenerateName, podCopy)
 	patchType := admv1beta1.PatchTypeJSONPatch
 	return &admv1beta1.AdmissionResponse{
 		Allowed:   true,
 		Patch:     patch,
 		PatchType: &patchType,
 	}, nil
 }

 func updatePod(pod *v1.Pod) {
 	gvisor := "gvisor"
 	pod.Spec.RuntimeClassName = &gvisor

 	// We don't run SELinux test for gvisor.
 	// If SELinuxOptions are specified, this is usually for volume test to pass
 	// on SELinux. This can be safely ignored.
 	if pod.Spec.SecurityContext != nil && pod.Spec.SecurityContext.SELinuxOptions != nil {
 		pod.Spec.SecurityContext.SELinuxOptions = nil
 	}
 	for i := range pod.Spec.Containers {
 		c := &pod.Spec.Containers[i]
 		if c.SecurityContext != nil && c.SecurityContext.SELinuxOptions != nil {
 			c.SecurityContext.SELinuxOptions = nil
 		}
 	}
 	for i := range pod.Spec.InitContainers {
 		c := &pod.Spec.InitContainers[i]
 		if c.SecurityContext != nil && c.SecurityContext.SELinuxOptions != nil {
 			c.SecurityContext.SELinuxOptions = nil
 		}
 	}
 }

 func createPatch(old []byte, newObj interface{}) ([]byte, error) {
 	new, err := json.Marshal(newObj)
 	if err != nil {
 		return nil, err
 	}
 	patch, err := jsonpatch.CreatePatch(old, new)
 	if err != nil {
 		return nil, err
 	}
 	return json.Marshal(patch)
 }
	// Copyright 2020 The gVisor Authors.
	//
	// Licensed under the Apache License, Version 2.0 (the "License");
	// you may not use this file except in compliance with the License.
	// You may obtain a copy of the License at
	//
	// http://www.apache.org/licenses/LICENSE-2.0
	//
	// Unless required by applicable law or agreed to in writing, software
	// distributed under the License is distributed on an "AS IS" BASIS,
	// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	// See the License for the specific language governing permissions and
	// limitations under the License.

	// Package injector handles mutating webhook operations.
	package injector

	import (
	"crypto/tls"
	"encoding/json"
	"fmt"
	"net/http"
	"os"

	"github.com/mattbaird/jsonpatch"
	"gvisor.dev/gvisor/pkg/log"
	admv1beta1 "k8s.io/api/admission/v1beta1"
	admregv1beta1 "k8s.io/api/admissionregistration/v1beta1"
	v1 "k8s.io/api/core/v1"
	apierrors "k8s.io/apimachinery/pkg/api/errors"
	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
	kubeclientset "k8s.io/client-go/kubernetes"
	)

	const (
	// Name is the name of the admission webhook service. The admission
	// webhook must be exposed in the following service; this is mainly for
	// the server certificate.
	Name = "gvisor-injection-admission-webhook"

	// serviceNamespace is the namespace of the admission webhook service.
	serviceNamespace = "e2e"

	fullName = Name + "." + serviceNamespace + ".svc"
	)

	// CreateConfiguration creates MutatingWebhookConfiguration and registers the
	// webhook admission controller with the kube-apiserver. The webhook will only
	// take effect on pods in the namespaces selected by `podNsSelector`. If `podNsSelector`
	// is empty, the webhook will take effect on all pods.
	func CreateConfiguration(clientset kubeclientset.Interface, selector *metav1.LabelSelector) error {
	fail := admregv1beta1.Fail

	config := &admregv1beta1.MutatingWebhookConfiguration{
	ObjectMeta: metav1.ObjectMeta{
	Name: Name,
	},
	Webhooks: []admregv1beta1.MutatingWebhook{
	{
	Name: fullName,
	ClientConfig: admregv1beta1.WebhookClientConfig{
	Service: &admregv1beta1.ServiceReference{
	Name: Name,
	Namespace: serviceNamespace,
	},
	CABundle: caCert,
	},
	Rules: []admregv1beta1.RuleWithOperations{
	{
	Operations: []admregv1beta1.OperationType{
	admregv1beta1.Create,
	},
	Rule: admregv1beta1.Rule{
	APIGroups: []string{"*"},
	APIVersions: []string{"*"},
	Resources: []string{"pods"},
	},
	},
	},
	FailurePolicy: &fail,
	NamespaceSelector: selector,
	},
	},
	}
	log.Infof("Creating MutatingWebhookConfiguration %q", config.Name)
	if _, err := clientset.AdmissionregistrationV1beta1().MutatingWebhookConfigurations().Create(config); err != nil {
	if !apierrors.IsAlreadyExists(err) {
	return fmt.Errorf("failed to create MutatingWebhookConfiguration %q: %s", config.Name, err)
	}
	log.Infof("MutatingWebhookConfiguration %q already exists; use the existing one", config.Name)
	}
	return nil
	}

	// GetTLSConfig retrieves the CA cert that signed the cert used by the webhook.
	func GetTLSConfig() *tls.Config {
	serverCert, err := tls.X509KeyPair(serverCert, serverKey)
	if err != nil {
	log.Warningf("Failed to generate X509 key pair: %v", err)
	os.Exit(1)
	}
	return &tls.Config{
	Certificates: []tls.Certificate{serverCert},
	}
	}

	// Admit performs admission checks and mutations on Pods.
	func Admit(writer http.ResponseWriter, req *http.Request) {
	review := &admv1beta1.AdmissionReview{}
	if err := json.NewDecoder(req.Body).Decode(review); err != nil {
	log.Infof("Failed with error (%v) to decode Admit request: %+v", err, *req)
	writer.WriteHeader(http.StatusBadRequest)
	return
	}

	log.Debugf("admitPod: %+v", review)
	var err error
	review.Response, err = admitPod(review.Request)
	if err != nil {
	log.Warningf("admitPod failed: %v", err)
	review.Response = &admv1beta1.AdmissionResponse{
	Result: &metav1.Status{
	Reason: metav1.StatusReasonInvalid,
	Message: err.Error(),
	},
	}
	sendResponse(writer, review)
	return
	}

	log.Debugf("Processed admission review: %+v", review)
	sendResponse(writer, review)
	}

	func sendResponse(writer http.ResponseWriter, response interface{}) {
	b, err := json.Marshal(response)
	if err != nil {
	log.Warningf("Failed with error (%v) to marshal response: %+v", err, response)
	writer.WriteHeader(http.StatusInternalServerError)
	return
	}

	writer.WriteHeader(http.StatusOK)
	writer.Write(b)
	}

	func admitPod(req admv1beta1.AdmissionRequest) (admv1beta1.AdmissionResponse, error) {
	// Verify that the request is indeed a Pod.
	resource := metav1.GroupVersionResource{Group: "", Version: "v1", Resource: "pods"}
	if req.Resource != resource {
	return nil, fmt.Errorf("unexpected resource %+v in pod admission", req.Resource)
	}

	// Decode the request into a Pod.
	pod := &v1.Pod{}
	if err := json.Unmarshal(req.Object.Raw, pod); err != nil {
	return nil, fmt.Errorf("failed to decode pod object %s/%s", req.Namespace, req.Name)
	}

	// Copy first to change it.
	podCopy := pod.DeepCopy()
	updatePod(podCopy)
	patch, err := createPatch(req.Object.Raw, podCopy)
	if err != nil {
	return nil, fmt.Errorf("failed to create patch for pod %s/%s (generatedName: %s)", pod.Namespace, pod.Name, pod.GenerateName)
	}

	log.Debugf("Patched pod %s/%s (generateName: %s): %+v", pod.Namespace, pod.Name, pod.GenerateName, podCopy)
	patchType := admv1beta1.PatchTypeJSONPatch
	return &admv1beta1.AdmissionResponse{
	Allowed: true,
	Patch: patch,
	PatchType: &patchType,
	}, nil
	}

	func updatePod(pod *v1.Pod) {
	gvisor := "gvisor"
	pod.Spec.RuntimeClassName = &gvisor

	// We don't run SELinux test for gvisor.
	// If SELinuxOptions are specified, this is usually for volume test to pass
	// on SELinux. This can be safely ignored.
	if pod.Spec.SecurityContext != nil && pod.Spec.SecurityContext.SELinuxOptions != nil {
	pod.Spec.SecurityContext.SELinuxOptions = nil
	}
	for i := range pod.Spec.Containers {
	c := &pod.Spec.Containers[i]
	if c.SecurityContext != nil && c.SecurityContext.SELinuxOptions != nil {
	c.SecurityContext.SELinuxOptions = nil
	}
	}
	for i := range pod.Spec.InitContainers {
	c := &pod.Spec.InitContainers[i]
	if c.SecurityContext != nil && c.SecurityContext.SELinuxOptions != nil {
	c.SecurityContext.SELinuxOptions = nil
	}
	}
	}

	func createPatch(old []byte, newObj interface{}) ([]byte, error) {
	new, err := json.Marshal(newObj)
	if err != nil {
	return nil, err
	}
	patch, err := jsonpatch.CreatePatch(old, new)
	if err != nil {
	return nil, err
	}
	return json.Marshal(patch)
	}