forked from openshift/origin
-
Notifications
You must be signed in to change notification settings - Fork 1
/
admission.go
116 lines (93 loc) · 3.97 KB
/
admission.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
/*
Copyright 2017 The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package lifecycle
import (
"fmt"
"io"
"github.com/golang/glog"
"github.com/kubernetes-incubator/service-catalog/pkg/apis/servicecatalog"
informers "github.com/kubernetes-incubator/service-catalog/pkg/client/informers_generated/internalversion"
internalversion "github.com/kubernetes-incubator/service-catalog/pkg/client/listers_generated/servicecatalog/internalversion"
apierrors "k8s.io/apimachinery/pkg/api/errors"
"k8s.io/apiserver/pkg/admission"
scadmission "github.com/kubernetes-incubator/service-catalog/pkg/apiserver/admission"
)
const (
// PluginName is name of admission plug-in
PluginName = "ServiceInstanceCredentialsLifecycle"
)
// Register registers a plugin
func Register(plugins *admission.Plugins) {
plugins.Register(PluginName, func(io.Reader) (admission.Interface, error) {
return NewCredentialsBlocker()
})
}
// enforceNoNewCredentialsForDeletedInstance is an implementation of admission.Interface.
// If creating new ServiceInstanceCredentials or updating an existing
// set of credentials, fail the operation if the ServiceInstance is
// marked for deletion
type enforceNoNewCredentialsForDeletedInstance struct {
*admission.Handler
instanceLister internalversion.ServiceInstanceLister
}
var _ = scadmission.WantsInternalServiceCatalogInformerFactory(&enforceNoNewCredentialsForDeletedInstance{})
func (b *enforceNoNewCredentialsForDeletedInstance) Admit(a admission.Attributes) error {
// we need to wait for our caches to warm
if !b.WaitForReady() {
return admission.NewForbidden(a, fmt.Errorf("not yet ready to handle request"))
}
// We only care about credentials
if a.GetResource().Group != servicecatalog.GroupName || a.GetResource().GroupResource() != servicecatalog.Resource("serviceinstancecredentials") {
return nil
}
// We don't want to deal with any sub resources
if a.GetSubresource() != "" {
return nil
}
credentials, ok := a.GetObject().(*servicecatalog.ServiceInstanceCredential)
if !ok {
return apierrors.NewBadRequest("Resource was marked with kind ServiceInstanceCredentials but was unable to be converted")
}
instanceRef := credentials.Spec.ServiceInstanceRef
instance, err := b.instanceLister.ServiceInstances(credentials.Namespace).Get(instanceRef.Name)
// block the credentials operation if the ServiceInstance is being deleted
if err == nil && instance.DeletionTimestamp != nil {
warning := fmt.Sprintf("ServiceInstanceCredentials %s/%s references an instance that is being deleted: %s/%s",
credentials.Namespace,
credentials.Name,
credentials.Namespace,
instanceRef.Name)
glog.Info(warning, err)
return admission.NewForbidden(a, fmt.Errorf(warning))
}
return nil
}
func (b *enforceNoNewCredentialsForDeletedInstance) SetInternalServiceCatalogInformerFactory(f informers.SharedInformerFactory) {
instanceInformer := f.Servicecatalog().InternalVersion().ServiceInstances()
b.instanceLister = instanceInformer.Lister()
b.SetReadyFunc(instanceInformer.Informer().HasSynced)
}
func (b *enforceNoNewCredentialsForDeletedInstance) Validate() error {
if b.instanceLister == nil {
return fmt.Errorf("missing instanceLister")
}
return nil
}
// NewCredentialsBlocker creates a new admission control handler that
// blocks creation of a ServiceInstanceCredential if the instance
// is being deleted
func NewCredentialsBlocker() (admission.Interface, error) {
return &enforceNoNewCredentialsForDeletedInstance{
Handler: admission.NewHandler(admission.Create),
}, nil
}