// Copyright 2018 SAP SE or an SAP affiliate company. All rights reserved. This file is licensed under the Apache Software License, v. 2 except as noted otherwise in the LICENSE file
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package namespacedeletion
import (
"context"
"fmt"
"time"
"github.com/go-logr/logr"
corev1 "k8s.io/api/core/v1"
apierrors "k8s.io/apimachinery/pkg/api/errors"
"k8s.io/apimachinery/pkg/runtime"
"k8s.io/apimachinery/pkg/runtime/schema"
"sigs.k8s.io/controller-runtime/pkg/client"
"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
gardencorev1beta1 "github.com/gardener/gardener/pkg/apis/core/v1beta1"
gardenerutils "github.com/gardener/gardener/pkg/utils/gardener"
kubernetesutils "github.com/gardener/gardener/pkg/utils/kubernetes"
)
// Handler handles namespace deletions.
//
// Its Validate* methods return admission.Warnings and an error: ValidateCreate and
// ValidateUpdate always admit, only ValidateDelete applies checks (via admitNamespace).
type Handler struct {
	// Logger records rejected deletion requests together with the requesting user.
	Logger logr.Logger
	// APIReader is the reader used for the Shoot existence check in admitNamespace.
	// NOTE(review): presumably an uncached reader, given the name — confirm at the call site that wires it.
	APIReader client.Reader
	// Client is the reader used to resolve the Project for a namespace in admitNamespace
	// (see the TODO there: it may be served from a cache that lags the API server).
	Client client.Reader
}
// ValidateCreate returns nil (not implemented by this handler).
//
// Namespace creation is never rejected here: both the warnings and the error
// are nil regardless of the object passed in.
func (h *Handler) ValidateCreate(_ context.Context, _ runtime.Object) (admission.Warnings, error) {
	var warnings admission.Warnings
	return warnings, nil
}
// ValidateUpdate returns nil (not implemented by this handler).
//
// Namespace updates are never rejected here: both the warnings and the error
// are nil regardless of the old and new objects passed in.
func (h *Handler) ValidateUpdate(_ context.Context, _, _ runtime.Object) (admission.Warnings, error) {
	var warnings admission.Warnings
	return warnings, nil
}
// ValidateDelete validates the namespace deletion.
//
// The admission request is read from ctx (it must have been injected by the
// webhook server); the namespace name it carries is checked with admitNamespace,
// and a rejection is logged together with the requesting user before it is
// returned. All reads performed on behalf of this call share a 10s timeout.
//
// Returns an internal-error status when ctx holds no admission request, the
// error from admitNamespace when the deletion is rejected, and nil, nil when it
// is admitted. Warnings are never produced.
func (h *Handler) ValidateDelete(ctx context.Context, _ runtime.Object) (admission.Warnings, error) {
	// Bound the lookups done by admitNamespace so a slow API server cannot hold
	// the webhook call open indefinitely.
	timeoutCtx, cancel := context.WithTimeout(ctx, 10*time.Second)
	defer cancel()

	req, err := admission.RequestFromContext(timeoutCtx)
	if err != nil {
		return nil, apierrors.NewInternalError(err)
	}

	admitErr := h.admitNamespace(timeoutCtx, req.Name)
	if admitErr == nil {
		return nil, nil
	}
	h.Logger.Info("Rejected namespace deletion", "user", req.UserInfo.Username, "reason", admitErr.Error())
	return nil, admitErr
}
// admitNamespace does only allow the request if no Shoots exist in this specific namespace anymore.
//
// Decision order:
//   - namespace/project lookup reports NotFound, or no Project is resolved: allow.
//   - namespace already has a deletion timestamp: allow.
//   - Project has a deletion timestamp: allow only if no Shoots remain in the namespace.
//   - otherwise: forbid; the namespace has to go away via deletion of its Project.
//
// Any other read error is turned into an internal-error status, so a failed
// lookup rejects the request instead of admitting it. Note that the Project is
// resolved through h.Client (see the TODO below about cache staleness) while the
// Shoot check goes through h.APIReader.
func (h *Handler) admitNamespace(ctx context.Context, namespaceName string) error {
	// Determine project for given namespace.
	// TODO: we should use a direct lookup here, as we might falsely allow the request, if our cache is
	// out of sync and doesn't know about the project. We should use a field selector for looking up the project
	// belonging to a given namespace.
	project, namespace, err := gardenerutils.ProjectAndNamespaceFromReader(ctx, h.Client, namespaceName)
	if err != nil {
		// A namespace (or project) that does not exist cannot be protected; any
		// other read failure is surfaced as an internal error.
		if !apierrors.IsNotFound(err) {
			return apierrors.NewInternalError(err)
		}
		return nil
	}

	// No owning project, or the namespace is already on its way out: nothing to guard.
	if project == nil || namespace.DeletionTimestamp != nil {
		return nil
	}

	namespaceResource := schema.GroupResource{Group: corev1.GroupName, Resource: "Namespace"}

	if project.DeletionTimestamp == nil {
		// Namespace is not yet marked for deletion and project is not marked as well. We do not admit and respond that
		// namespace deletion is only allowed via project deletion.
		return apierrors.NewForbidden(namespaceResource, namespace.Name, fmt.Errorf("direct deletion of namespace %q is not permitted (you must delete the corresponding project %q)", namespace.Name, project.Name))
	}

	// if project is marked for deletion we need to wait until all shoots in the namespace are gone
	shootsRemain, lookupErr := kubernetesutils.ResourcesExist(ctx, h.APIReader, gardencorev1beta1.SchemeGroupVersion.WithKind("ShootList"), client.InNamespace(namespace.Name))
	if lookupErr != nil {
		return apierrors.NewInternalError(lookupErr)
	}
	if shootsRemain {
		return apierrors.NewForbidden(namespaceResource, namespace.Name, fmt.Errorf("deletion of namespace %q is not permitted (it still contains Shoots)", namespace.Name))
	}
	return nil
}