From 3f60d341552c04dc2b2206c6c4fa0493a7a22044 Mon Sep 17 00:00:00 2001 From: nhyatt Date: Sat, 18 Mar 2023 12:20:10 -0500 Subject: [PATCH] first functional test --- cmd/webhook/httpServer.go | 33 ++++++++------------------- go.mod | 6 ++--- go.sum | 12 +++++----- internal/operations/parsers.go | 26 +++++++++++++++++++++ internal/operations/podsValidation.go | 27 +++++++++++++++++++++- mock-payloads/readme.md | 27 ++++++++++++++++++++++ 6 files changed, 98 insertions(+), 33 deletions(-) create mode 100644 internal/operations/parsers.go create mode 100644 mock-payloads/readme.md diff --git a/cmd/webhook/httpServer.go b/cmd/webhook/httpServer.go index 78709c0..558b370 100644 --- a/cmd/webhook/httpServer.go +++ b/cmd/webhook/httpServer.go @@ -57,7 +57,7 @@ func httpServer(cfg *config.Config) { WriteTimeout: time.Duration(cfg.WebServerWriteTimeout) * time.Second, IdleTimeout: time.Duration(cfg.WebServerIdleTimeout) * time.Second, TLSConfig: &tls.Config{ - MinVersion: tls.VersionTLS12, + MinVersion: tls.VersionTLS13, CipherSuites: []uint16{ tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, @@ -72,31 +72,18 @@ func httpServer(cfg *config.Config) { }, } + ah := &admissionHandler{ + decoder: serializer.NewCodecFactory(runtime.NewScheme()).UniversalDeserializer(), + } + // healthcheck - path.HandleFunc("/healthcheck", func(w http.ResponseWriter, r *http.Request) { - webHealthCheck(w, r) - }) + path.HandleFunc("/healthcheck", webHealthCheck) // pod admission - path.HandleFunc("/api/v1/admit/pod", func(w http.ResponseWriter, r *http.Request) { - ah := &admissionHandler{ - decoder: serializer.NewCodecFactory(runtime.NewScheme()).UniversalDeserializer(), - } - ah.Serve(operations.PodsValidation()) - }) + path.HandleFunc("/api/v1/admit/pod", ah.Serve(operations.PodsValidation())) // deployment admission - path.HandleFunc("/api/v1/admit/deployemnt", func(w http.ResponseWriter, r *http.Request) { - ah := &admissionHandler{ - decoder: serializer.NewCodecFactory(runtime.NewScheme()).UniversalDeserializer(), - } - ah.Serve(operations.DeploymentsValidation()) - }) + path.HandleFunc("/api/v1/admit/deployment", ah.Serve(operations.DeploymentsValidation())) // pod mutation - path.HandleFunc("/api/v1/mutate/pod", func(w http.ResponseWriter, r *http.Request) { - ah := &admissionHandler{ - decoder: serializer.NewCodecFactory(runtime.NewScheme()).UniversalDeserializer(), - } - ah.Serve(operations.PodsMutation()) - }) + path.HandleFunc("/api/v1/mutate/pod", ah.Serve(operations.PodsMutation())) // web root path.HandleFunc("/", webRoot) @@ -148,7 +135,7 @@ func (h *admissionHandler) Serve(hook operations.Hook) http.HandlerFunc { w.Header().Set("Content-Type", "application/json") if r.Method != http.MethodPost { - msg := "malformed admission review: request is nil" + msg := fmt.Sprintf("incorrect method: got request type %s, expected request type %s", r.Method, http.MethodPost) log.Printf("[TRACE] %s", msg) tmpltError(w, http.StatusMethodNotAllowed, msg) return diff --git a/go.mod b/go.mod index efa984d..67fa37a 100644 --- a/go.mod +++ b/go.mod @@ -4,8 +4,8 @@ go 1.19 require ( github.com/hashicorp/logutils v1.0.0 - k8s.io/api v0.26.2 - k8s.io/apimachinery v0.26.2 + k8s.io/api v0.26.3 + k8s.io/apimachinery v0.26.3 ) require ( @@ -20,7 +20,7 @@ require ( gopkg.in/inf.v0 v0.9.1 // indirect gopkg.in/yaml.v2 v2.4.0 // indirect k8s.io/klog/v2 v2.90.1 // indirect - k8s.io/utils v0.0.0-20230308161112-d77c459e9343 // indirect + k8s.io/utils v0.0.0-20230313181309-38a27ef9d749 // indirect sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect sigs.k8s.io/structured-merge-diff/v4 v4.2.3 // indirect sigs.k8s.io/yaml v1.3.0 // indirect diff --git a/go.sum b/go.sum index 413efeb..cafc477 100644 --- a/go.sum +++ b/go.sum @@ -68,14 +68,14 @@ gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY= gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ= gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= -k8s.io/api v0.26.2 h1:dM3cinp3PGB6asOySalOZxEG4CZ0IAdJsrYZXE/ovGQ= -k8s.io/api v0.26.2/go.mod h1:1kjMQsFE+QHPfskEcVNgL3+Hp88B80uj0QtSOlj8itU= -k8s.io/apimachinery v0.26.2 h1:da1u3D5wfR5u2RpLhE/ZtZS2P7QvDgLZTi9wrNZl/tQ= -k8s.io/apimachinery v0.26.2/go.mod h1:ats7nN1LExKHvJ9TmwootT00Yz05MuYqPXEXaVeOy5I= +k8s.io/api v0.26.3 h1:emf74GIQMTik01Aum9dPP0gAypL8JTLl/lHa4V9RFSU= +k8s.io/api v0.26.3/go.mod h1:PXsqwPMXBSBcL1lJ9CYDKy7kIReUydukS5JiRlxC3qE= +k8s.io/apimachinery v0.26.3 h1:dQx6PNETJ7nODU3XPtrwkfuubs6w7sX0M8n61zHIV/k= +k8s.io/apimachinery v0.26.3/go.mod h1:ats7nN1LExKHvJ9TmwootT00Yz05MuYqPXEXaVeOy5I= k8s.io/klog/v2 v2.90.1 h1:m4bYOKall2MmOiRaR1J+We67Do7vm9KiQVlT96lnHUw= k8s.io/klog/v2 v2.90.1/go.mod h1:y1WjHnz7Dj687irZUWR/WLkLc5N1YHtjLdmgWjndZn0= -k8s.io/utils v0.0.0-20230308161112-d77c459e9343 h1:m7tbIjXGcGIAtpmQr7/NAi7RsWoW3E7Zcm4jI1HicTc= -k8s.io/utils v0.0.0-20230308161112-d77c459e9343/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= +k8s.io/utils v0.0.0-20230313181309-38a27ef9d749 h1:xMMXJlJbsU8w3V5N2FLDQ8YgU8s1EoULdbQBcAeNJkY= +k8s.io/utils v0.0.0-20230313181309-38a27ef9d749/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo= sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0= sigs.k8s.io/structured-merge-diff/v4 v4.2.3 h1:PRbqxJClWWYMNV1dhaG4NsibJbArud9kFxnAMREiWFE= diff --git a/internal/operations/parsers.go b/internal/operations/parsers.go new file mode 100644 index 0000000..dc21595 --- /dev/null +++ b/internal/operations/parsers.go @@ -0,0 +1,26 @@ +package operations + +import ( + "encoding/json" + + dep "k8s.io/api/apps/v1" + pod "k8s.io/api/core/v1" +) + +func parseDeployment(object []byte) (*dep.Deployment, error) { + var dp dep.Deployment + if err := json.Unmarshal(object, &dp); err != nil { + return nil, err + } + + return &dp, nil +} + +func parsePod(object []byte) (*pod.Pod, error) { + var pod pod.Pod + if err := json.Unmarshal(object, &pod); err != nil { + return nil, err + } + + return &pod, nil +} diff --git a/internal/operations/podsValidation.go b/internal/operations/podsValidation.go index eab7744..0faaee5 100644 --- a/internal/operations/podsValidation.go +++ b/internal/operations/podsValidation.go @@ -1,5 +1,30 @@ package operations +import ( + "strings" + + admission "k8s.io/api/admission/v1" +) + func PodsValidation() Hook { - return Hook{} + return Hook{ + Create: podValidationCreate(), + } +} + +func podValidationCreate() AdmitFunc { + return func(r *admission.AdmissionRequest) (*Result, error) { + pod, err := parsePod(r.Object.Raw) + if err != nil { + return &Result{Msg: err.Error()}, nil + } + + for _, c := range pod.Spec.Containers { + if strings.HasSuffix(c.Image, ":latest") { + return &Result{Msg: "You cannot use the tag 'latest' in a container."}, nil + } + } + + return &Result{Allowed: true}, nil + } } diff --git a/mock-payloads/readme.md b/mock-payloads/readme.md new file mode 100644 index 0000000..1c6979f --- /dev/null +++ b/mock-payloads/readme.md @@ -0,0 +1,27 @@ +# Example Curl Requests + +## Pod Admission + +Request +```bash +curl \ + --insecure \ + --silent \ + --request POST \ + --header "Content-Type: application/json" \ + --data @./mock-payloads/pods/test-pod01.json \ + https://localhost:8443/api/v1/admit/pod +``` +Response +```json +{ + "response": { + "uid": "60df4b0b-8856-4ce7-9fb3-bc8034856995", + "allowed": false, + "status": { + "metadata": {}, + "message": "You cannot use the tag 'latest' in a container." + } + } +} +``` \ No newline at end of file