Add validation on policy permanent ID

Signed-off-by: whitewindmills <jayfantasyhjh@gmail.com>
2024-05-20 15:04:09 +08:00 · 2024-05-20 15:04:09 +08:00 · b7678c92b2
parent 3314771f31
commit b7678c92b2
4 changed files with 24 additions and 2 deletions
--- a/pkg/webhook/clusterpropagationpolicy/mutating.go
+++ b/pkg/webhook/clusterpropagationpolicy/mutating.go
@ -23,6 +23,7 @@ import (
 	"net/http"

 	"github.com/google/uuid"
+	admissionv1 "k8s.io/api/admission/v1"
 	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"

 	policyv1alpha1 "github.com/karmada-io/karmada/pkg/apis/policy/v1alpha1"
@ -82,7 +83,7 @@ func (a *MutatingAdmission) Handle(_ context.Context, req admission.Request) adm
 		}
 	}

-	if util.GetLabelValue(policy.Labels, policyv1alpha1.ClusterPropagationPolicyPermanentIDLabel) == "" {
+	if req.Operation == admissionv1.Create {
 		util.MergeLabel(policy, policyv1alpha1.ClusterPropagationPolicyPermanentIDLabel, uuid.New().String())
 	}

--- a/pkg/webhook/clusterpropagationpolicy/validating.go
+++ b/pkg/webhook/clusterpropagationpolicy/validating.go
@ -60,6 +60,16 @@ func (v *ValidatingAdmission) Handle(_ context.Context, req admission.Request) a
 			klog.Error(err)
 			return admission.Denied(err.Error())
 		}
+
+		if policy.Labels[policyv1alpha1.ClusterPropagationPolicyPermanentIDLabel] !=
+			oldPolicy.Labels[policyv1alpha1.ClusterPropagationPolicyPermanentIDLabel] {
+			return admission.Denied(fmt.Sprintf("label %s is immutable, it can only be set by the system during creation",
+				policyv1alpha1.ClusterPropagationPolicyPermanentIDLabel))
+		}
+	}
+	if _, exist := policy.Labels[policyv1alpha1.ClusterPropagationPolicyPermanentIDLabel]; !exist {
+		return admission.Denied(fmt.Sprintf("label %s is required, it should be set by the mutating admission webhook during creation",
+			policyv1alpha1.ClusterPropagationPolicyPermanentIDLabel))
 	}

 	errs := validation.ValidatePropagationSpec(policy.Spec)
--- a/pkg/webhook/propagationpolicy/mutating.go
+++ b/pkg/webhook/propagationpolicy/mutating.go
@ -23,6 +23,7 @@ import (
 	"net/http"

 	"github.com/google/uuid"
+	admissionv1 "k8s.io/api/admission/v1"
 	"k8s.io/klog/v2"
 	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"

@ -94,7 +95,7 @@ func (a *MutatingAdmission) Handle(_ context.Context, req admission.Request) adm
 		}
 	}

-	if util.GetLabelValue(policy.Labels, policyv1alpha1.PropagationPolicyPermanentIDLabel) == "" {
+	if req.Operation == admissionv1.Create {
 		util.MergeLabel(policy, policyv1alpha1.PropagationPolicyPermanentIDLabel, uuid.New().String())
 	}

--- a/pkg/webhook/propagationpolicy/validating.go
+++ b/pkg/webhook/propagationpolicy/validating.go
@ -60,6 +60,16 @@ func (v *ValidatingAdmission) Handle(_ context.Context, req admission.Request) a
 			klog.Error(err)
 			return admission.Denied(err.Error())
 		}
+
+		if policy.Labels[policyv1alpha1.PropagationPolicyPermanentIDLabel] !=
+			oldPolicy.Labels[policyv1alpha1.PropagationPolicyPermanentIDLabel] {
+			return admission.Denied(fmt.Sprintf("label %s is immutable, it can only be set by the system during creation",
+				policyv1alpha1.PropagationPolicyPermanentIDLabel))
+		}
+	}
+	if _, exist := policy.Labels[policyv1alpha1.PropagationPolicyPermanentIDLabel]; !exist {
+		return admission.Denied(fmt.Sprintf("label %s is required, it should be set by the mutating admission webhook during creation",
+			policyv1alpha1.PropagationPolicyPermanentIDLabel))
 	}

 	errs := validation.ValidatePropagationSpec(policy.Spec)