-
Notifications
You must be signed in to change notification settings - Fork 386
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Switch traceflow CRD validation to webhook validation.
Currently, the traceflow CRD validation is executed in run-time, which is less user-friendly than the webhook validation. I moved most of the validation to the webhook validation. Signed-off-by: shi0rik0 <anguuan@outlook.com>
- Loading branch information
Showing
12 changed files
with
370 additions
and
36 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,104 @@ | ||
| // Copyright 2023 Antrea Authors | ||
| // | ||
| // Licensed under the Apache License, Version 2.0 (the "License"); | ||
| // you may not use this file except in compliance with the License. | ||
| // You may obtain a copy of the License at | ||
| // | ||
| // http://www.apache.org/licenses/LICENSE-2.0 | ||
| // | ||
| // Unless required by applicable law or agreed to in writing, software | ||
| // distributed under the License is distributed on an "AS IS" BASIS, | ||
| // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
| // See the License for the specific language governing permissions and | ||
| // limitations under the License. | ||
|
|
||
| package traceflow | ||
|
|
||
| import ( | ||
| "encoding/json" | ||
| "fmt" | ||
| "net" | ||
|
|
||
| admv1 "k8s.io/api/admission/v1" | ||
| apierrors "k8s.io/apimachinery/pkg/api/errors" | ||
| metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" | ||
| "k8s.io/klog/v2" | ||
|
|
||
| crdv1alpha1 "antrea.io/antrea/pkg/apis/crd/v1alpha1" | ||
| "antrea.io/antrea/pkg/util/k8s" | ||
| ) | ||
|
|
||
| func (c *Controller) Validate(review *admv1.AdmissionReview) *admv1.AdmissionResponse { | ||
| newResponse := func(allowed bool, deniedReason string) *admv1.AdmissionResponse { | ||
| resp := &admv1.AdmissionResponse{ | ||
| UID: review.Request.UID, | ||
| Allowed: allowed, | ||
| } | ||
| if !allowed { | ||
| resp.Result = &metav1.Status{ | ||
| Message: deniedReason, | ||
| } | ||
| } | ||
| return resp | ||
| } | ||
|
|
||
| klog.V(2).InfoS("Validating Traceflow", "request", review.Request) | ||
|
|
||
| var newObj, oldObj crdv1alpha1.Traceflow | ||
| if review.Request.Object.Raw != nil { | ||
| if err := json.Unmarshal(review.Request.Object.Raw, &newObj); err != nil { | ||
| klog.ErrorS(err, "Error de-serializing current Traceflow") | ||
| return newResponse(false, err.Error()) | ||
| } | ||
| } | ||
| if review.Request.OldObject.Raw != nil { | ||
| if err := json.Unmarshal(review.Request.OldObject.Raw, &oldObj); err != nil { | ||
| klog.ErrorS(err, "Error de-serializing old Traceflow") | ||
| return newResponse(false, err.Error()) | ||
| } | ||
| } | ||
|
|
||
| switch review.Request.Operation { | ||
| case admv1.Create: | ||
| klog.V(2).InfoS("Validating CREATE request for Traceflow") | ||
| allowed, deniedReason := c.validateCreate(&newObj) | ||
| return newResponse(allowed, deniedReason) | ||
| case admv1.Update: | ||
| klog.V(2).InfoS("Validating UPDATE request for Traceflow") | ||
| allowed, deniedReason := c.validateUpdate(&oldObj, &newObj) | ||
| return newResponse(allowed, deniedReason) | ||
| default: | ||
| err := fmt.Errorf("invalid request operation %s for Traceflow", review.Request.Operation) | ||
| klog.ErrorS(err, "Failed to validate Traceflow") | ||
| return newResponse(false, err.Error()) | ||
| } | ||
| } | ||
|
|
||
| func (c *Controller) validateCreate(tf *crdv1alpha1.Traceflow) (allowed bool, deniedReason string) { | ||
| if tf.Spec.Destination.IP != "" { | ||
| destIP := net.ParseIP(tf.Spec.Destination.IP) | ||
| if destIP == nil { | ||
| return false, fmt.Sprintf("destination IP is not valid: %s", tf.Spec.Destination.IP) | ||
| } | ||
| } | ||
| if !tf.Spec.LiveTraffic { | ||
| srcPod, err := c.podLister.Pods(tf.Spec.Source.Namespace).Get(tf.Spec.Source.Pod) | ||
| if err != nil { | ||
| if apierrors.IsNotFound(err) { | ||
| err = fmt.Errorf("requested source Pod %s not found", k8s.NamespacedName(tf.Spec.Source.Namespace, tf.Spec.Source.Pod)) | ||
| } | ||
| return false, err.Error() | ||
| } | ||
| if srcPod.Spec.HostNetwork { | ||
| return false, "using hostNetwork Pod as source in non-live-traffic Traceflow is not supported" | ||
| } | ||
| } | ||
| if tf.Spec.Source.Pod == "" && tf.Spec.Destination.Pod == "" { | ||
| return false, fmt.Sprintf("Traceflow %s has neither source nor destination Pod specified", tf.Name) | ||
| } | ||
| return true, "" | ||
| } | ||
|
|
||
| func (c *Controller) validateUpdate(oldTf, newTf *crdv1alpha1.Traceflow) (allowed bool, deniedReason string) { | ||
| return c.validateCreate(newTf) | ||
| } |
Oops, something went wrong.