nhyatt/mutating-webhook
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

properly mutate the container

Browse Source
This commit is contained in:
Hyatt 2023-03-24 13:06:58 -05:00
parent 55964f3790
commit bf944cb048
Signed by: nhyatt
GPG Key ID: C50D0BBB5BC40BEA
1 changed files with 50 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

58
internal/operations/podsMutation.go
View File

@ -2,6 +2,8 @@ package operations
import ( import (
"fmt" "fmt"
"log"
"regexp"
admission "k8s.io/api/admission/v1" admission "k8s.io/api/admission/v1"
core "k8s.io/api/core/v1" core "k8s.io/api/core/v1"
@ -27,21 +29,46 @@ func PodsMutation() Hook {
func podMutationCreate() AdmitFunc { func podMutationCreate() AdmitFunc {
return func(r *admission.AdmissionRequest, cfg *config.Config) (*Result, error) { return func(r *admission.AdmissionRequest, cfg *config.Config) (*Result, error) {
var operations []PatchOperation var (
operations []PatchOperation
mutated bool
)
pod, err := parsePod(r.Object.Raw) pod, err := parsePod(r.Object.Raw)
if err != nil { if err != nil {
return &Result{Msg: err.Error()}, nil return &Result{Msg: err.Error()}, nil
} }
// if pod is administratively exempt // if pod is administratively exempt
if cfg.AllowAdminNoMutate && func(pod *core.Pod) bool { if func(serviceEnabled bool, pod *core.Pod) bool {
for label, value := range pod.Annotations { if serviceEnabled {
if label == "AdminNoMutate" && value == "true" { for label, value := range pod.Annotations {
return false if label == "AdminNoMutate" && value == "true" {
return false
}
} }
} }
return true return true
}(pod) { }(cfg.AllowAdminNoMutate, pod) {
for i, p := range pod.Spec.Containers {
img, mutationOccurred, err := customDockerRegistry(p.Image, cfg)
if err != nil {
return &Result{Msg: err.Error()}, nil
}
if mutationOccurred {
mutated = true
path := fmt.Sprintf("/spec/containers/%d/image", i)
operations = append(operations, ReplacePatchOperation(path, img))
log.Printf("[TRACE] Image has been mutated: %s -> %s", p.Image, img)
} else {
log.Printf("[TRACE] No mutation required for image: %s", p.Image)
}
}
} else {
log.Printf("[TRACE] Mutations administratively disabled.")
}
if mutated {
// mutate pod (annotation) // mutate pod (annotation)
metadata := map[string]string{ metadata := map[string]string{
"mutation-status": "pod mutated by mutation-controller", "mutation-status": "pod mutated by mutation-controller",
@ -52,8 +79,6 @@ func podMutationCreate() AdmitFunc {
} }
// add annotation stating that the pos had been mutated // add annotation stating that the pos had been mutated
operations = append(operations, AddPatchOperation("/metadata/annotations", metadata)) operations = append(operations, AddPatchOperation("/metadata/annotations", metadata))
// add image mutation
} }
return &Result{ return &Result{
@ -62,3 +87,20 @@ func podMutationCreate() AdmitFunc {
}, nil }, nil
} }
} }
func customDockerRegistry(imgPath string, cfg *config.Config) (string, bool, error) {
if len(cfg.DockerhubRegistry) == 0 {
return imgPath, false, nil
}
// regex match official project
reg, err := regexp.Compile(`^([a-z]|\.|_|-)+\:([a-zA-Z0-9]|_|\.|-)+$`)
if err != nil {
return "", false, fmt.Errorf("Unable to parse regex: %v", err)
}
if reg.MatchString(imgPath) {
log.Printf("Official docker image detected: %s", imgPath)
return fmt.Sprintf("%s/library/%s", cfg.DockerhubRegistry, imgPath), true, nil
}
return "", false, nil
}