package admission
import (
"fmt"
"io"
"net"
"reflect"
"k8s.io/apiserver/pkg/admission"
"k8s.io/apiserver/pkg/admission/initializer"
"k8s.io/apiserver/pkg/authorization/authorizer"
kapi "k8s.io/kubernetes/pkg/apis/core"
)
// RestrictedEndpointsPluginName is the name under which this plugin is
// registered with the admission plugin registry.
const RestrictedEndpointsPluginName = "openshift.io/RestrictedEndpointsAdmission"
// RegisterRestrictedEndpoints adds the restricted-endpoints plugin to plugins
// under RestrictedEndpointsPluginName.
//
// The factory ignores its config reader and builds the plugin with a nil
// network list, so as registered here the plugin restricts nothing on its
// own. NOTE(review): presumably the restricted networks are filled in by
// whoever wires the plugin up — confirm, since a nil list admits every
// address.
func RegisterRestrictedEndpoints(plugins *admission.Plugins) {
	factory := func(_ io.Reader) (admission.Interface, error) {
		return NewRestrictedEndpointsAdmission(nil), nil
	}
	plugins.Register(RestrictedEndpointsPluginName, factory)
}
// restrictedEndpointsAdmission is an admission plugin that refuses Endpoints
// objects whose addresses lie inside restrictedNetworks unless the requester
// is authorized for the "endpoints/restricted" subresource (see checkAccess).
type restrictedEndpointsAdmission struct {
	*admission.Handler // set up for Create and Update in NewRestrictedEndpointsAdmission

	// authorizer decides whether a user may reference a restricted address.
	// It is injected through SetAuthorizer and required by ValidateInitialization.
	authorizer authorizer.Authorizer

	// restrictedNetworks holds the CIDRs that endpoint addresses must not
	// fall into; a nil or empty list disables the restriction entirely.
	restrictedNetworks []*net.IPNet
}
// Compile-time check that the plugin can receive an authorizer from the
// admission initializer.
var _ initializer.WantsAuthorizer = &restrictedEndpointsAdmission{}
// ParseSimpleCIDRRules parses each entry of rules as a CIDR string and
// returns the corresponding networks in the same order.
//
// The first entry that net.ParseCIDR rejects aborts parsing: its error is
// returned unchanged and networks is nil. Host bits set in an entry are
// masked off by net.ParseCIDR (e.g. "10.1.2.3/8" yields 10.0.0.0/8). An
// empty or nil rules list yields a nil slice and no error.
func ParseSimpleCIDRRules(rules []string) (networks []*net.IPNet, err error) {
	for _, rule := range rules {
		var block *net.IPNet
		if _, block, err = net.ParseCIDR(rule); err != nil {
			return nil, err
		}
		networks = append(networks, block)
	}
	return networks, nil
}
// NewRestrictedEndpointsAdmission returns a plugin that intercepts Create and
// Update and treats restrictedNetworks as the forbidden address ranges.
//
// The slice is stored as given, not copied. The authorizer must be supplied
// separately through SetAuthorizer before the plugin is used.
func NewRestrictedEndpointsAdmission(restrictedNetworks []*net.IPNet) *restrictedEndpointsAdmission {
	plugin := &restrictedEndpointsAdmission{
		Handler: admission.NewHandler(admission.Create, admission.Update),
	}
	plugin.restrictedNetworks = restrictedNetworks
	return plugin
}
// SetAuthorizer stores the authorizer consulted by checkAccess. It is called
// by the admission initializer (see the initializer.WantsAuthorizer check).
func (r *restrictedEndpointsAdmission) SetAuthorizer(a authorizer.Authorizer) {
	r.authorizer = a
}
// ValidateInitialization reports an error if no authorizer was supplied via
// SetAuthorizer; Admit cannot decide restricted addresses without one.
func (r *restrictedEndpointsAdmission) ValidateInitialization() error {
	switch {
	case r.authorizer == nil:
		return fmt.Errorf("missing authorizer")
	default:
		return nil
	}
}
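// findRestrictedIP returns the first address in ep that falls inside one of
// r.restrictedNetworks, or "" when no address does.
//
// Both Addresses and NotReadyAddresses of every subset are inspected: a
// not-yet-ready address is still part of the Endpoints object, so leaving
// it unchecked would let a restricted network be referenced simply by
// placing the address in the not-ready list. Entries that do not parse as
// an IP are skipped here; rejecting malformed addresses is a job for
// validation, not this plugin.
func (r *restrictedEndpointsAdmission) findRestrictedIP(ep *kapi.Endpoints) string {
	for _, subset := range ep.Subsets {
		if ip := r.firstRestrictedAddress(subset.Addresses); ip != "" {
			return ip
		}
		if ip := r.firstRestrictedAddress(subset.NotReadyAddresses); ip != "" {
			return ip
		}
	}
	return ""
}

// firstRestrictedAddress returns the first entry of addrs whose IP lies in a
// restricted network, or "" if there is none.
func (r *restrictedEndpointsAdmission) firstRestrictedAddress(addrs []kapi.EndpointAddress) string {
	for _, addr := range addrs {
		ip := net.ParseIP(addr.IP)
		if ip == nil {
			continue
		}
		// The loop variable is deliberately not called "net": that would
		// shadow the net package inside this loop.
		for _, restricted := range r.restrictedNetworks {
			if restricted.Contains(ip) {
				return addr.IP
			}
		}
	}
	return ""
}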
// checkAccess asks the authorizer whether the requesting user may "create"
// the "restricted" subresource of endpoints in the request's namespace.
//
// It reports true only for an explicit DecisionAllow; the authorizer's error,
// if any, is passed through alongside the decision.
func (r *restrictedEndpointsAdmission) checkAccess(attr admission.Attributes) (bool, error) {
	// Modelling the check as a create on endpoints/restricted lets an RBAC
	// rule grant this permission independently of ordinary endpoints writes.
	record := authorizer.AttributesRecord{
		User:            attr.GetUserInfo(),
		Verb:            "create",
		APIGroup:        kapi.GroupName,
		Resource:        "endpoints",
		Subresource:     "restricted",
		Namespace:       attr.GetNamespace(),
		Name:            attr.GetName(),
		ResourceRequest: true,
	}
	// The authorizer's reason string is not surfaced to the caller.
	decision, _, err := r.authorizer.Authorize(record)
	allowed := decision == authorizer.DecisionAllow
	return allowed, err
}
// Admit rejects the creation or update of an Endpoints object that references
// an address inside a restricted network, unless the requesting user is
// authorized for the "endpoints/restricted" subresource.
//
// Requests for other resources, objects that are not *kapi.Endpoints, and
// updates that leave Subsets unchanged pass through untouched. A rejection is
// reported as an admission Forbidden error naming the offending address; an
// authorizer failure is returned as-is.
func (r *restrictedEndpointsAdmission) Admit(a admission.Attributes) error {
	if a.GetResource().GroupResource() != kapi.Resource("endpoints") {
		return nil
	}
	endpoints, isEndpoints := a.GetObject().(*kapi.Endpoints)
	if !isEndpoints {
		return nil
	}
	// Only a change to the subsets can introduce a new restricted address;
	// an update that keeps them identical needs no authorization check.
	if previous, hadPrevious := a.GetOldObject().(*kapi.Endpoints); hadPrevious && reflect.DeepEqual(endpoints.Subsets, previous.Subsets) {
		return nil
	}
	offending := r.findRestrictedIP(endpoints)
	if offending == "" {
		return nil
	}
	switch allowed, err := r.checkAccess(a); {
	case err != nil:
		return err
	case !allowed:
		return admission.NewForbidden(a, fmt.Errorf("endpoint address %s is not allowed", offending))
	default:
		return nil
	}
}