forked from kubernetes/kubernetes
-
Notifications
You must be signed in to change notification settings - Fork 1
/
validation.go
123 lines (106 loc) · 4.62 KB
/
validation.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
/*
Copyright 2018 The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package validation
import (
"strings"
genericvalidation "k8s.io/apimachinery/pkg/api/validation"
"k8s.io/apimachinery/pkg/util/sets"
"k8s.io/apimachinery/pkg/util/validation/field"
"k8s.io/apiserver/pkg/util/webhook"
"k8s.io/kubernetes/pkg/apis/auditregistration"
)
// ValidateAuditSink validates the AuditSinks
func ValidateAuditSink(as *auditregistration.AuditSink) field.ErrorList {
allErrs := genericvalidation.ValidateObjectMeta(&as.ObjectMeta, false, genericvalidation.NameIsDNSSubdomain, field.NewPath("metadata"))
allErrs = append(allErrs, ValidateAuditSinkSpec(as.Spec, field.NewPath("spec"))...)
return allErrs
}
// ValidateAuditSinkSpec validates the sink spec for audit
func ValidateAuditSinkSpec(s auditregistration.AuditSinkSpec, fldPath *field.Path) field.ErrorList {
var allErrs field.ErrorList
allErrs = append(allErrs, ValidatePolicy(s.Policy, fldPath.Child("policy"))...)
allErrs = append(allErrs, ValidateWebhook(s.Webhook, fldPath.Child("webhook"))...)
return allErrs
}
// ValidateWebhook validates the webhook
func ValidateWebhook(w auditregistration.Webhook, fldPath *field.Path) field.ErrorList {
var allErrs field.ErrorList
if w.Throttle != nil {
allErrs = append(allErrs, ValidateWebhookThrottleConfig(w.Throttle, fldPath.Child("throttle"))...)
}
cc := w.ClientConfig
switch {
case (cc.URL == nil) == (cc.Service == nil):
allErrs = append(allErrs, field.Required(fldPath.Child("clientConfig"), "exactly one of url or service is required"))
case cc.URL != nil:
allErrs = append(allErrs, webhook.ValidateWebhookURL(fldPath.Child("clientConfig").Child("url"), *cc.URL, false)...)
case cc.Service != nil:
allErrs = append(allErrs, webhook.ValidateWebhookService(fldPath.Child("clientConfig").Child("service"), cc.Service.Name, cc.Service.Namespace, cc.Service.Path)...)
}
return allErrs
}
// ValidateWebhookThrottleConfig validates the throttle config
func ValidateWebhookThrottleConfig(c *auditregistration.WebhookThrottleConfig, fldPath *field.Path) field.ErrorList {
var allErrs field.ErrorList
if c.QPS != nil && *c.QPS <= 0 {
allErrs = append(allErrs, field.Invalid(fldPath.Child("qps"), c.QPS, "qps must be a positive number"))
}
if c.Burst != nil && *c.Burst <= 0 {
allErrs = append(allErrs, field.Invalid(fldPath.Child("burst"), c.Burst, "burst must be a positive number"))
}
return allErrs
}
// ValidatePolicy validates the audit policy
func ValidatePolicy(policy auditregistration.Policy, fldPath *field.Path) field.ErrorList {
var allErrs field.ErrorList
allErrs = append(allErrs, validateStages(policy.Stages, fldPath.Child("stages"))...)
allErrs = append(allErrs, validateLevel(policy.Level, fldPath.Child("level"))...)
if policy.Level != auditregistration.LevelNone && len(policy.Stages) == 0 {
return field.ErrorList{field.Required(fldPath.Child("stages"), "")}
}
return allErrs
}
var validLevels = sets.NewString(
string(auditregistration.LevelNone),
string(auditregistration.LevelMetadata),
string(auditregistration.LevelRequest),
string(auditregistration.LevelRequestResponse),
)
var validStages = sets.NewString(
string(auditregistration.StageRequestReceived),
string(auditregistration.StageResponseStarted),
string(auditregistration.StageResponseComplete),
string(auditregistration.StagePanic),
)
func validateLevel(level auditregistration.Level, fldPath *field.Path) field.ErrorList {
if string(level) == "" {
return field.ErrorList{field.Required(fldPath, "")}
}
if !validLevels.Has(string(level)) {
return field.ErrorList{field.NotSupported(fldPath, level, validLevels.List())}
}
return nil
}
func validateStages(stages []auditregistration.Stage, fldPath *field.Path) field.ErrorList {
var allErrs field.ErrorList
for i, stage := range stages {
if !validStages.Has(string(stage)) {
allErrs = append(allErrs, field.Invalid(fldPath.Index(i), string(stage), "allowed stages are "+strings.Join(validStages.List(), ",")))
}
}
return allErrs
}
// ValidateAuditSinkUpdate validates an update to the object
func ValidateAuditSinkUpdate(newC, oldC *auditregistration.AuditSink) field.ErrorList {
return ValidateAuditSink(newC)
}