/
rule_matcher.go
121 lines (97 loc) · 3.2 KB
/
rule_matcher.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
/*
Copyright 2017 The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// this file is copy of https://github.com/kubernetes/kubernetes/blob/f247e75980061d7cf83c63c0fb1f12c7060c599f/staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook/rules/rules.go
// with some modifications for the webhook matching use-case.
package matchers
import (
"strings"
admissionregistrationv1 "k8s.io/api/admissionregistration/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/runtime/schema"
)
// ruleMatcher determines if the Attr matches the Rule.
type ruleMatcher struct {
rule admissionregistrationv1.RuleWithOperations
gvr schema.GroupVersionResource
namespace string
subresource string
}
// Matches returns if the resource matches the Rule.
func (r *ruleMatcher) Matches() bool {
return r.scope() &&
r.operation() &&
r.group() &&
r.version() &&
r.resource()
}
func exactOrWildcard(items []string, requested string) bool {
for _, item := range items {
if item == "*" {
return true
}
if item == requested {
return true
}
}
return false
}
var namespaceResource = schema.GroupVersionResource{Group: "", Version: "v1", Resource: "namespaces"}
func (r *ruleMatcher) scope() bool {
if r.rule.Scope == nil || *r.rule.Scope == admissionregistrationv1.AllScopes {
return true
}
switch *r.rule.Scope {
case admissionregistrationv1.NamespacedScope:
// first make sure that we are not requesting a namespace object (namespace objects are cluster-scoped)
return r.gvr != namespaceResource && r.namespace != metav1.NamespaceNone
case admissionregistrationv1.ClusterScope:
// also return true if the request is for a namespace object (namespace objects are cluster-scoped)
return r.gvr == namespaceResource || r.namespace == metav1.NamespaceNone
default:
return false
}
}
func (r *ruleMatcher) group() bool {
return exactOrWildcard(r.rule.APIGroups, r.gvr.Group)
}
func (r *ruleMatcher) version() bool {
return exactOrWildcard(r.rule.APIVersions, r.gvr.Version)
}
func (r *ruleMatcher) operation() bool {
for _, op := range r.rule.Operations {
switch op {
case admissionregistrationv1.OperationAll, admissionregistrationv1.Create, admissionregistrationv1.Update:
return true
}
}
return false
}
func splitResource(resSub string) (res, sub string) {
parts := strings.SplitN(resSub, "/", 2)
if len(parts) == 2 {
return parts[0], parts[1]
}
return parts[0], ""
}
func (r *ruleMatcher) resource() bool {
opRes, opSub := r.gvr.Resource, r.subresource
for _, res := range r.rule.Resources {
res, sub := splitResource(res)
resMatch := res == "*" || res == opRes
subMatch := sub == "*" || sub == opSub
if resMatch && subMatch {
return true
}
}
return false
}