feat: add webhook to check subnet deletion.

pkg/webhook/static_ip.go

@@ -86,57 +86,6 @@ func (v *ValidatingHook) PodCreateHook(ctx context.Context, req admission.Reques
 	return v.validateIp(ctx, o.GetAnnotations(), o.Kind, o.GetName(), o.GetNamespace())
 }
 
-func (v *ValidatingHook) SubnetCreateHook(ctx context.Context, req admission.Request) admission.Response {
-	o := ovnv1.Subnet{}
-	if err := v.decoder.Decode(req, &o); err != nil {
-		return ctrlwebhook.Errored(http.StatusBadRequest, err)
-	}
-
-	if err := util.ValidateSubnet(o); err != nil {
-		return ctrlwebhook.Denied(err.Error())
-	}
-
-	subnetList := &ovnv1.SubnetList{}
-	if err := v.cache.List(ctx, subnetList); err != nil {
-		return ctrlwebhook.Errored(http.StatusBadRequest, err)
-	}
-	if err := util.ValidateCidrConflict(o, subnetList.Items); err != nil {
-		return ctrlwebhook.Denied(err.Error())
-	}
-
-	return ctrlwebhook.Allowed("by pass")
-}
-
-func (v *ValidatingHook) SubnetUpdateHook(ctx context.Context, req admission.Request) admission.Response {
-	o := ovnv1.Subnet{}
-	if err := v.decoder.Decode(req, &o); err != nil {
-		return ctrlwebhook.Errored(http.StatusBadRequest, err)
-	}
-
-	oldSubnet := ovnv1.Subnet{}
-	if err := v.decoder.DecodeRaw(req.OldObject, &oldSubnet); err != nil {
-		return ctrlwebhook.Errored(http.StatusBadRequest, err)
-	}
-	if (o.Spec.Gateway != oldSubnet.Spec.Gateway) && (0 != o.Status.V4UsingIPs || 0 != o.Status.V6UsingIPs) {
-		err := fmt.Errorf("can't update gateway of cidr when any IPs in Using")
-		return ctrlwebhook.Errored(http.StatusBadRequest, err)
-	}
-
-	if err := util.ValidateSubnet(o); err != nil {
-		return ctrlwebhook.Denied(err.Error())
-	}
-
-	subnetList := &ovnv1.SubnetList{}
-	if err := v.cache.List(ctx, subnetList); err != nil {
-		return ctrlwebhook.Errored(http.StatusBadRequest, err)
-	}
-	if err := util.ValidateCidrConflict(o, subnetList.Items); err != nil {
-		return ctrlwebhook.Denied(err.Error())
-	}
-
-	return ctrlwebhook.Allowed("by pass")
-}
-
 func (v *ValidatingHook) validateIp(ctx context.Context, annotations map[string]string, kind, name, namespace string) admission.Response {
 	if err := util.ValidatePodNetwork(annotations); err != nil {
 		klog.Errorf("validate %s %s/%s failed: %v", kind, namespace, name, err)

pkg/webhook/subnet.go

@@ -0,0 +1,77 @@
+package webhook
+
+import (
+	"context"
+	"fmt"
+	"net/http"
+
+	ctrlwebhook "sigs.k8s.io/controller-runtime/pkg/webhook"
+	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
+
+	ovnv1 "github.com/kubeovn/kube-ovn/pkg/apis/kubeovn/v1"
+	"github.com/kubeovn/kube-ovn/pkg/util"
+)
+
+func (v *ValidatingHook) SubnetCreateHook(ctx context.Context, req admission.Request) admission.Response {
+	o := ovnv1.Subnet{}
+	if err := v.decoder.Decode(req, &o); err != nil {
+		return ctrlwebhook.Errored(http.StatusBadRequest, err)
+	}
+
+	if err := util.ValidateSubnet(o); err != nil {
+		return ctrlwebhook.Denied(err.Error())
+	}
+
+	subnetList := &ovnv1.SubnetList{}
+	if err := v.cache.List(ctx, subnetList); err != nil {
+		return ctrlwebhook.Errored(http.StatusBadRequest, err)
+	}
+	if err := util.ValidateCidrConflict(o, subnetList.Items); err != nil {
+		return ctrlwebhook.Denied(err.Error())
+	}
+
+	return ctrlwebhook.Allowed("by pass")
+}
+
+func (v *ValidatingHook) SubnetUpdateHook(ctx context.Context, req admission.Request) admission.Response {
+	o := ovnv1.Subnet{}
+	if err := v.decoder.Decode(req, &o); err != nil {
+		return ctrlwebhook.Errored(http.StatusBadRequest, err)
+	}
+
+	oldSubnet := ovnv1.Subnet{}
+	if err := v.decoder.DecodeRaw(req.OldObject, &oldSubnet); err != nil {
+		return ctrlwebhook.Errored(http.StatusBadRequest, err)
+	}
+	if (o.Spec.Gateway != oldSubnet.Spec.Gateway) && (0 != o.Status.V4UsingIPs || 0 != o.Status.V6UsingIPs) {
+		err := fmt.Errorf("can't update gateway of cidr when any IPs in Using")
+		return ctrlwebhook.Denied(err.Error())
+	}
+
+	if err := util.ValidateSubnet(o); err != nil {
+		return ctrlwebhook.Denied(err.Error())
+	}
+
+	subnetList := &ovnv1.SubnetList{}
+	if err := v.cache.List(ctx, subnetList); err != nil {
+		return ctrlwebhook.Errored(http.StatusBadRequest, err)
+	}
+	if err := util.ValidateCidrConflict(o, subnetList.Items); err != nil {
+		return ctrlwebhook.Denied(err.Error())
+	}
+
+	return ctrlwebhook.Allowed("by pass")
+}
+
+func (v *ValidatingHook) SubnetDeleteHook(ctx context.Context, req admission.Request) admission.Response {
+	subnet := ovnv1.Subnet{}
+	if err := v.decoder.DecodeRaw(req.OldObject, &subnet); err != nil {
+		return ctrlwebhook.Errored(http.StatusBadRequest, err)
+	}
+	if 0 != subnet.Status.V4UsingIPs || 0 != subnet.Status.V6UsingIPs {
+		err := fmt.Errorf("can't delete subnet when any IPs in Using")
+		return ctrlwebhook.Denied(err.Error())
+	}
+	return ctrlwebhook.Allowed("by pass")
+}
+

pkg/webhook/webhook.go

@@ -17,6 +17,7 @@ import (
 var (
 	createHooks = make(map[metav1.GroupVersionKind]admission.HandlerFunc)
 	updateHooks = make(map[metav1.GroupVersionKind]admission.HandlerFunc)
+	deleteHooks = make(map[metav1.GroupVersionKind]admission.HandlerFunc)
 )
 
 type ValidatingHook struct {
@@ -46,6 +47,8 @@ func NewValidatingHook(c cache.Cache) (*ValidatingHook, error) {
 
 	updateHooks[subnetGVK] = v.SubnetUpdateHook
 
+	deleteHooks[subnetGVK] = v.SubnetDeleteHook
+
 	return v, nil
 }
 
@@ -71,6 +74,12 @@ func (v *ValidatingHook) Handle(ctx context.Context, req admission.Request) (res
 			resp = updateHooks[req.Kind](ctx, req)
 			return
 		}
+	case admissionv1.Delete:
+		if deleteHooks[req.Kind] != nil {
+			klog.Infof("handle delete %s %s@%s", req.Kind, req.Name, req.Namespace)
+			resp = deleteHooks[req.Kind](ctx, req)
+			return
+		}
 	}
 	resp = ctrlwebhook.Allowed("by pass")
 	return

yamls/webhook.yaml

@@ -100,6 +100,7 @@ webhooks:
     - operations:
         - CREATE
         - UPDATE
+        - DELETE
       apiGroups:
         - "kubeovn.io"
       apiVersions: