proof of concept

internal/operations/podsMutation.go

@@ -1,5 +1,64 @@
 package operations
 
+import (
+	"fmt"
+	"log"
+
+	admission "k8s.io/api/admission/v1"
+	v1 "k8s.io/api/core/v1"
+)
+
 func PodsMutation() Hook {
-	return Hook{}
+	return Hook{
+		Create: podMutationCreate(),
+		// default allow
+		Delete: func(r *admission.AdmissionRequest) (*Result, error) {
+			return &Result{Allowed: true}, nil
+		},
+		Update: func(r *admission.AdmissionRequest) (*Result, error) {
+			return &Result{Allowed: true}, nil
+		},
+		Connect: func(r *admission.AdmissionRequest) (*Result, error) {
+			return &Result{Allowed: true}, nil
+		},
+	}
+}
+
+func podMutationCreate() AdmitFunc {
+	return func(r *admission.AdmissionRequest) (*Result, error) {
+		var operations []PatchOperation
+		pod, err := parsePod(r.Object.Raw)
+		if err != nil {
+			return &Result{Msg: err.Error()}, nil
+		}
+
+		// if pod is administratively exempt
+		if func(pod *v1.Pod) bool {
+			for label, value := range pod.Annotations {
+				log.Printf("[TRACE] Checking Metadata: %s=%s", label, value)
+				if label == "AdminNoMutate" && value == "true" {
+					return false
+				}
+			}
+			return true
+		}(pod) {
+			// mutate pod (annotation)
+			metadata := map[string]string{
+				"mutation-status": "pod mutated by mutation-controller",
+			}
+			// add original image to annotations
+			for _, p := range pod.Spec.Containers {
+				metadata[fmt.Sprintf("mutation-original-image-%s", p.Name)] = p.Image
+			}
+			// add annotation stating that the pos had been mutated
+			operations = append(operations, AddPatchOperation("/metadata/annotations", metadata))
+
+			// add image mutation
+		}
+
+		return &Result{
+			Allowed:  true,
+			PatchOps: operations,
+		}, nil
+	}
 }