knative
/
pkg
mirror of https://github.com/knative/pkg.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
pkg/webhook/webhook.go

328 lines
10 KiB
Go
Raw Blame History

/*
Copyright 2017 The Knative Authors
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package webhook
import (
"context"
"crypto/tls"
"encoding/json"
"errors"
"fmt"
"net/http"
"time"
// Injection stuff
kubeclient "knative.dev/pkg/client/injection/kube/client"
secretinformer "knative.dev/pkg/client/injection/kube/informers/core/v1/secret"
"go.uber.org/zap"
"golang.org/x/sync/errgroup"
"knative.dev/pkg/logging"
"knative.dev/pkg/logging/logkey"
"knative.dev/pkg/system"
certresources "knative.dev/pkg/webhook/certificates/resources"
admissionv1beta1 "k8s.io/api/admission/v1beta1"
apierrors "k8s.io/apimachinery/pkg/api/errors"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/client-go/kubernetes"
corelisters "k8s.io/client-go/listers/core/v1"
)
var (
errMissingNewObject = errors.New("the new object may not be nil")
)
// Options contains the configuration for the webhook
type Options struct {
// ServiceName is the service name of the webhook.
ServiceName string
// SecretName is the name of k8s secret that contains the webhook
// server key/cert and corresponding CA cert that signed them. The
// server key/cert are used to serve the webhook and the CA cert
// is provided to k8s apiserver during admission controller
// registration.
SecretName string
// Port where the webhook is served. Per k8s admission
// registration requirements this should be 443 unless there is
// only a single port for the service.
Port int
// RegistrationDelay controls how long admission registration
// occurs after the webhook is started. This is used to avoid
// potential races where registration completes and k8s apiserver
// invokes the webhook before the HTTP server is started.
RegistrationDelay time.Duration
// StatsReporter reports metrics about the webhook.
// This will be automatically initialized by the constructor if left uninitialized.
StatsReporter StatsReporter
}
// AdmissionController provides the interface for different admission controllers
type AdmissionController interface {
// Path returns the path that this particular admission controller serves on.
Path() string
// Admit is the callback which is invoked when an HTTPS request comes in on Path().
Admit(context.Context, *admissionv1beta1.AdmissionRequest) *admissionv1beta1.AdmissionResponse
// Register is called at startup to give the AdmissionController a chance to
// register with the API Server.
Register(context.Context, kubernetes.Interface, []byte) error
}
// Webhook implements the external webhook for validation of
// resources and configuration.
type Webhook struct {
Client kubernetes.Interface
Options Options
Logger *zap.SugaredLogger
admissionControllers map[string]AdmissionController
secretlister corelisters.SecretLister
}
// New constructs a Webhook
func New(
ctx context.Context,
admissionControllers []AdmissionController,
) (*Webhook, error) {
client := kubeclient.Get(ctx)
secretInformer := secretinformer.Get(ctx)
opts := GetOptions(ctx)
if opts == nil {
return nil, errors.New("context must have Options specified")
}
logger := logging.FromContext(ctx)
if opts.StatsReporter == nil {
reporter, err := NewStatsReporter()
if err != nil {
return nil, err
}
opts.StatsReporter = reporter
}
acs := make(map[string]AdmissionController, len(admissionControllers))
for _, ac := range admissionControllers {
if _, ok := acs[ac.Path()]; ok {
return nil, fmt.Errorf("admission controller with conflicting path: %q", ac.Path())
}
acs[ac.Path()] = ac
}
return &Webhook{
Client: client,
Options: *opts,
secretlister: secretInformer.Lister(),
admissionControllers: acs,
Logger: logger,
}, nil
}
// Run implements the admission controller run loop.
func (ac *Webhook) Run(stop <-chan struct{}) error {
logger := ac.Logger
ctx := logging.WithLogger(context.TODO(), logger)
// TODO(mattmoor): Separate out the certificate creation process and use listers
// to fetch this from the secret below.
_, _, caCert, err := getOrGenerateKeyCertsFromSecret(ctx, ac.Client, &ac.Options)
if err != nil {
return err
}
server := &http.Server{
Handler: ac,
Addr: fmt.Sprintf(":%v", ac.Options.Port),
TLSConfig: &tls.Config{
GetCertificate: func(*tls.ClientHelloInfo) (*tls.Certificate, error) {
secret, err := ac.secretlister.Secrets(system.Namespace()).Get(ac.Options.SecretName)
if err != nil {
return nil, err
}
serverKey, ok := secret.Data[certresources.ServerKey]
if !ok {
return nil, errors.New("server key missing")
}
serverCert, ok := secret.Data[certresources.ServerCert]
if !ok {
return nil, errors.New("server cert missing")
}
cert, err := tls.X509KeyPair(serverCert, serverKey)
if err != nil {
return nil, err
}
return &cert, nil
},
},
}
logger.Info("Found certificates for webhook...")
if ac.Options.RegistrationDelay != 0 {
logger.Infof("Delaying admission webhook registration for %v", ac.Options.RegistrationDelay)
}
eg, ctx := errgroup.WithContext(ctx)
eg.Go(func() error {
select {
case <-time.After(ac.Options.RegistrationDelay):
// Wait an initial delay before registering
case <-stop:
return nil
}
// Register the webhook, and then periodically check that it is up to date.
for {
for _, c := range ac.admissionControllers {
if err := c.Register(ctx, ac.Client, caCert); err != nil {
logger.Errorw("failed to register webhook", zap.Error(err))
return err
}
}
logger.Info("Successfully registered webhook")
select {
case <-time.After(10 * time.Minute):
case <-stop:
return nil
}
}
})
eg.Go(func() error {
if err := server.ListenAndServeTLS("", ""); err != nil {
logger.Errorw("ListenAndServeTLS for admission webhook returned error", zap.Error(err))
return err
}
return nil
})
select {
case <-stop:
return server.Close()
case <-ctx.Done():
return fmt.Errorf("webhook server bootstrap failed %v", ctx.Err())
}
}
// ServeHTTP implements the external admission webhook for mutating
// serving resources.
func (ac *Webhook) ServeHTTP(w http.ResponseWriter, r *http.Request) {
var ttStart = time.Now()
logger := ac.Logger
logger.Infof("Webhook ServeHTTP request=%#v", r)
// Verify the content type is accurate.
contentType := r.Header.Get("Content-Type")
if contentType != "application/json" {
http.Error(w, "invalid Content-Type, want `application/json`", http.StatusUnsupportedMediaType)
return
}
var review admissionv1beta1.AdmissionReview
if err := json.NewDecoder(r.Body).Decode(&review); err != nil {
http.Error(w, fmt.Sprintf("could not decode body: %v", err), http.StatusBadRequest)
return
}
logger = logger.With(
zap.String(logkey.Kind, fmt.Sprint(review.Request.Kind)),
zap.String(logkey.Namespace, review.Request.Namespace),
zap.String(logkey.Name, review.Request.Name),
zap.String(logkey.Operation, fmt.Sprint(review.Request.Operation)),
zap.String(logkey.Resource, fmt.Sprint(review.Request.Resource)),
zap.String(logkey.SubResource, fmt.Sprint(review.Request.SubResource)),
zap.String(logkey.UserInfo, fmt.Sprint(review.Request.UserInfo)))
ctx := logging.WithLogger(r.Context(), logger)
if _, ok := ac.admissionControllers[r.URL.Path]; !ok {
http.Error(w, fmt.Sprintf("no admission controller registered for: %s", r.URL.Path), http.StatusBadRequest)
return
}
c := ac.admissionControllers[r.URL.Path]
reviewResponse := c.Admit(ctx, review.Request)
var response admissionv1beta1.AdmissionReview
if reviewResponse != nil {
response.Response = reviewResponse
response.Response.UID = review.Request.UID
}
logger.Infof("AdmissionReview for %#v: %s/%s response=%#v",
review.Request.Kind, review.Request.Namespace, review.Request.Name, reviewResponse)
if err := json.NewEncoder(w).Encode(response); err != nil {
http.Error(w, fmt.Sprintf("could encode response: %v", err), http.StatusInternalServerError)
return
}
if ac.Options.StatsReporter != nil {
// Only report valid requests
ac.Options.StatsReporter.ReportRequest(review.Request, response.Response, time.Since(ttStart))
}
}
func getOrGenerateKeyCertsFromSecret(ctx context.Context, client kubernetes.Interface,
options *Options) (serverKey, serverCert, caCert []byte, err error) {
logger := logging.FromContext(ctx)
secret, err := client.CoreV1().Secrets(system.Namespace()).Get(options.SecretName, metav1.GetOptions{})
if err != nil {
if !apierrors.IsNotFound(err) {
return nil, nil, nil, err
}
logger.Info("Did not find existing secret, creating one")
newSecret, err := certresources.MakeSecret(
ctx, options.SecretName, system.Namespace(), options.ServiceName)
if err != nil {
return nil, nil, nil, err
}
secret, err = client.CoreV1().Secrets(newSecret.Namespace).Create(newSecret)
if err != nil {
if !apierrors.IsAlreadyExists(err) {
return nil, nil, nil, err
}
// OK, so something else might have created, try fetching it instead.
secret, err = client.CoreV1().Secrets(system.Namespace()).Get(options.SecretName, metav1.GetOptions{})
if err != nil {
return nil, nil, nil, err
}
}
}
var ok bool
if serverKey, ok = secret.Data[certresources.ServerKey]; !ok {
return nil, nil, nil, errors.New("server key missing")
}
if serverCert, ok = secret.Data[certresources.ServerCert]; !ok {
return nil, nil, nil, errors.New("server cert missing")
}
if caCert, ok = secret.Data[certresources.CACert]; !ok {
return nil, nil, nil, errors.New("ca cert missing")
}
return serverKey, serverCert, caCert, nil
}
func makeErrorStatus(reason string, args ...interface{}) *admissionv1beta1.AdmissionResponse {
result := apierrors.NewBadRequest(fmt.Sprintf(reason, args...)).Status()
return &admissionv1beta1.AdmissionResponse{
Result: &result,
Allowed: false,
}
}
Reference in New Issue View Git Blame Copy Permalink