feat: add webhook for subnet update validation

kubeovn · Mar 1, 2022 · 222a1fb · 222a1fb
1 parent 725d1a4
commit 222a1fb
Show file tree

Hide file tree

Showing 3 changed files with 40 additions and 0 deletions.
diff --git a/pkg/webhook/static_ip.go b/pkg/webhook/static_ip.go
@@ -107,6 +107,36 @@ func (v *ValidatingHook) SubnetCreateHook(ctx context.Context, req admission.Req
 	return ctrlwebhook.Allowed("by pass")
 }
 
+func (v *ValidatingHook) SubnetUpdateHook(ctx context.Context, req admission.Request) admission.Response {
+	o := ovnv1.Subnet{}
+	if err := v.decoder.Decode(req, &o); err != nil {
+		return ctrlwebhook.Errored(http.StatusBadRequest, err)
+	}
+
+	oldSubnet := ovnv1.Subnet{}
+	if err := v.decoder.DecodeRaw(req.OldObject, &oldSubnet); err != nil {
+		return ctrlwebhook.Errored(http.StatusBadRequest, err)
+	}
+	if (o.Spec.Gateway != oldSubnet.Spec.Gateway) && (0 != o.Status.V4UsingIPs || 0 != o.Status.V6UsingIPs) {
+		err := fmt.Errorf("can't update gateway of cidr when any IPs in Using")
+		return ctrlwebhook.Errored(http.StatusBadRequest, err)
+	}
+
+	if err := util.ValidateSubnet(o); err != nil {
+		return ctrlwebhook.Denied(err.Error())
+	}
+
+	subnetList := &ovnv1.SubnetList{}
+	if err := v.cache.List(ctx, subnetList); err != nil {
+		return ctrlwebhook.Errored(http.StatusBadRequest, err)
+	}
+	if err := util.ValidateCidrConflict(o, subnetList.Items); err != nil {
+		return ctrlwebhook.Denied(err.Error())
+	}
+
+	return ctrlwebhook.Allowed("by pass")
+}
+
 func (v *ValidatingHook) validateIp(ctx context.Context, annotations map[string]string, kind, name, namespace string) admission.Response {
 	if err := util.ValidatePodNetwork(annotations); err != nil {
 		klog.Errorf("validate %s %s/%s failed: %v", kind, namespace, name, err)

diff --git a/pkg/webhook/webhook.go b/pkg/webhook/webhook.go
@@ -16,6 +16,7 @@ import (
 
 var (
 	createHooks = make(map[metav1.GroupVersionKind]admission.HandlerFunc)
+	updateHooks = make(map[metav1.GroupVersionKind]admission.HandlerFunc)
 )
 
 type ValidatingHook struct {
@@ -43,6 +44,8 @@ func NewValidatingHook(c cache.Cache) (*ValidatingHook, error) {
 	createHooks[podGVK] = v.PodCreateHook
 	createHooks[subnetGVK] = v.SubnetCreateHook
 
+	updateHooks[subnetGVK] = v.SubnetUpdateHook
+
 	return v, nil
 }
 
@@ -62,6 +65,12 @@ func (v *ValidatingHook) Handle(ctx context.Context, req admission.Request) (res
 			resp = createHooks[req.Kind](ctx, req)
 			return
 		}
+	case admissionv1.Update:
+		if updateHooks[req.Kind] != nil {
+			klog.Infof("handle update %s %s@%s", req.Kind, req.Name, req.Namespace)
+			resp = updateHooks[req.Kind](ctx, req)
+			return
+		}
 	}
 	resp = ctrlwebhook.Allowed("by pass")
 	return

diff --git a/yamls/webhook.yaml b/yamls/webhook.yaml
@@ -99,6 +99,7 @@ webhooks:
         - pods
     - operations:
         - CREATE
+        - UPDATE
       apiGroups:
         - "kubeovn.io"
       apiVersions: