forked from openshift/origin
-
Notifications
You must be signed in to change notification settings - Fork 1
/
Copy pathrest.go
99 lines (89 loc) · 3.57 KB
/
rest.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
package podsecuritypolicyselfsubjectreview
import (
"context"
"fmt"
"sort"
kapierrors "k8s.io/apimachinery/pkg/api/errors"
"k8s.io/apimachinery/pkg/runtime"
apirequest "k8s.io/apiserver/pkg/endpoints/request"
"k8s.io/apiserver/pkg/registry/rest"
kapi "k8s.io/kubernetes/pkg/apis/core"
clientset "k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset"
"k8s.io/kubernetes/pkg/serviceaccount"
"github.com/golang/glog"
securityapi "github.com/openshift/origin/pkg/security/apis/security"
securityvalidation "github.com/openshift/origin/pkg/security/apis/security/validation"
podsecuritypolicysubjectreview "github.com/openshift/origin/pkg/security/apiserver/registry/podsecuritypolicysubjectreview"
scc "github.com/openshift/origin/pkg/security/apiserver/securitycontextconstraints"
)
// REST implements the RESTStorage interface in terms of an Registry.
type REST struct {
sccMatcher scc.SCCMatcher
client clientset.Interface
}
var _ rest.Creater = &REST{}
var _ rest.Scoper = &REST{}
// NewREST creates a new REST for policies..
func NewREST(m scc.SCCMatcher, c clientset.Interface) *REST {
return &REST{sccMatcher: m, client: c}
}
// New creates a new PodSecurityPolicySelfSubjectReview object
func (r *REST) New() runtime.Object {
return &securityapi.PodSecurityPolicySelfSubjectReview{}
}
func (s *REST) NamespaceScoped() bool {
return true
}
// Create registers a given new pspssr instance to r.registry.
func (r *REST) Create(ctx context.Context, obj runtime.Object, _ rest.ValidateObjectFunc, _ bool) (runtime.Object, error) {
pspssr, ok := obj.(*securityapi.PodSecurityPolicySelfSubjectReview)
if !ok {
return nil, kapierrors.NewBadRequest(fmt.Sprintf("not a PodSecurityPolicySelfSubjectReview: %#v", obj))
}
if errs := securityvalidation.ValidatePodSecurityPolicySelfSubjectReview(pspssr); len(errs) > 0 {
return nil, kapierrors.NewInvalid(kapi.Kind("PodSecurityPolicySelfSubjectReview"), "", errs)
}
userInfo, ok := apirequest.UserFrom(ctx)
if !ok {
return nil, kapierrors.NewBadRequest(fmt.Sprintf("no user data associated with context"))
}
ns, ok := apirequest.NamespaceFrom(ctx)
if !ok {
return nil, kapierrors.NewBadRequest("namespace parameter required.")
}
matchedConstraints, err := r.sccMatcher.FindApplicableSCCs(userInfo, ns)
if err != nil {
return nil, kapierrors.NewBadRequest(fmt.Sprintf("unable to find SecurityContextConstraints: %v", err))
}
saName := pspssr.Spec.Template.Spec.ServiceAccountName
if len(saName) > 0 {
saUserInfo := serviceaccount.UserInfo(ns, saName, "")
saConstraints, err := r.sccMatcher.FindApplicableSCCs(saUserInfo, ns)
if err != nil {
return nil, kapierrors.NewBadRequest(fmt.Sprintf("unable to find SecurityContextConstraints: %v", err))
}
matchedConstraints = append(matchedConstraints, saConstraints...)
}
scc.DeduplicateSecurityContextConstraints(matchedConstraints)
sort.Sort(scc.ByPriority(matchedConstraints))
var namespace *kapi.Namespace
for _, constraint := range matchedConstraints {
var (
provider scc.SecurityContextConstraintsProvider
err error
)
if provider, namespace, err = scc.CreateProviderFromConstraint(ns, namespace, constraint, r.client); err != nil {
glog.Errorf("Unable to create provider for constraint: %v", err)
continue
}
filled, err := podsecuritypolicysubjectreview.FillPodSecurityPolicySubjectReviewStatus(&pspssr.Status, provider, pspssr.Spec.Template.Spec, constraint)
if err != nil {
glog.Errorf("unable to fill PodSecurityPolicySelfSubjectReview from constraint %v", err)
continue
}
if filled {
return pspssr, nil
}
}
return pspssr, nil
}