From 1fd27d7c036a9d06681c5bea4105f66ae2cc747e Mon Sep 17 00:00:00 2001
From: xujunjie
Date: Sun, 20 Feb 2022 18:54:48 +0800
Subject: [PATCH] feat: add webhook for subnet update validation
---
 pkg/webhook/static_ip.go | 30 ++++++++++++++++++++++++++++++
 pkg/webhook/webhook.go | 9 +++++++++
 yamls/webhook.yaml | 1 +
 3 files changed, 40 insertions(+)
diff --git a/pkg/webhook/static_ip.go b/pkg/webhook/static_ip.go
index ce3a1405f2e..68af8184eed 100644
--- a/pkg/webhook/static_ip.go
+++ b/pkg/webhook/static_ip.go
@@ -107,6 +107,36 @@ func (v *ValidatingHook) SubnetCreateHook(ctx context.Context, req admission.Req
 return ctrlwebhook.Allowed("by pass")
 }
+func (v *ValidatingHook) SubnetUpdateHook(ctx context.Context, req admission.Request) admission.Response {
+ o := ovnv1.Subnet{}
+ if err := v.decoder.Decode(req, &o); err != nil {
+ return ctrlwebhook.Errored(http.StatusBadRequest, err)
+ }
+
+ oldSubnet := ovnv1.Subnet{}
+ if err := v.decoder.DecodeRaw(req.OldObject, &oldSubnet); err != nil {
+ return ctrlwebhook.Errored(http.StatusBadRequest, err)
+ }
+ if (o.Spec.Gateway != oldSubnet.Spec.Gateway) && (0 != o.Status.V4UsingIPs || 0 != o.Status.V6UsingIPs) {
+ err := fmt.Errorf("can't update gateway of cidr when any IPs in Using")
+ return ctrlwebhook.Errored(http.StatusBadRequest, err)
+ }
+
+ if err := util.ValidateSubnet(o); err != nil {
+ return ctrlwebhook.Denied(err.Error())
+ }
+
+ subnetList := &ovnv1.SubnetList{}
+ if err := v.cache.List(ctx, subnetList); err != nil {
+ return ctrlwebhook.Errored(http.StatusBadRequest, err)
+ }
+ if err := util.ValidateCidrConflict(o, subnetList.Items); err != nil {
+ return ctrlwebhook.Denied(err.Error())
+ }
+
+ return ctrlwebhook.Allowed("by pass")
+}
+
 func (v *ValidatingHook) validateIp(ctx context.Context, annotations map[string]string, kind, name, namespace string) admission.Response {
 if err := util.ValidatePodNetwork(annotations); err != nil {
 klog.Errorf("validate %s %s/%s failed: %v", kind, namespace, name, err)
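Review bot: The gateway guard in SubnetUpdateHook reads `o.Status.V4UsingIPs` and `o.Status.V6UsingIPs` from the object the client submitted, so whether those counters can be trusted depends on the CRD enabling the status subresource, which this patch does not show. Reading them from the stored copy, `oldSubnet.Status.V4UsingIPs != 0 || oldSubnet.Status.V6UsingIPs != 0`, removes that dependency. The refusal is a policy decision rather than a malformed request, so `return ctrlwebhook.Denied("can't update gateway of cidr when any IPs in Using")` would match the other two rejection paths in the function. The `v.cache.List` failure is a server-side error and fits `http.StatusInternalServerError` better than `http.StatusBadRequest`.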
diff --git a/pkg/webhook/webhook.go b/pkg/webhook/webhook.go
index e59f945a762..16dd48b676e 100644
--- a/pkg/webhook/webhook.go
+++ b/pkg/webhook/webhook.go
@@ -16,6 +16,7 @@ import (
 var (
 createHooks = make(map[metav1.GroupVersionKind]admission.HandlerFunc)
+ updateHooks = make(map[metav1.GroupVersionKind]admission.HandlerFunc)
 )
 type ValidatingHook struct {
@@ -43,6 +44,8 @@ func NewValidatingHook(c cache.Cache) (*ValidatingHook, error) {
 createHooks[podGVK] = v.PodCreateHook
 createHooks[subnetGVK] = v.SubnetCreateHook
+ updateHooks[subnetGVK] = v.SubnetUpdateHook
+
 return v, nil
 }
@@ -62,6 +65,12 @@ func (v *ValidatingHook) Handle(ctx context.Context, req admission.Request) (res
 resp = createHooks[req.Kind](ctx, req)
 return
 }
+ case admissionv1.Update:
+ if updateHooks[req.Kind] != nil {
+ klog.Infof("handle update %s %s@%s", req.Kind, req.Name, req.Namespace)
+ resp = updateHooks[req.Kind](ctx, req)
+ return
+ }
 }
 resp = ctrlwebhook.Allowed("by pass")
 return
diff --git a/yamls/webhook.yaml b/yamls/webhook.yaml
index 9cd78b60d1f..4e6ddd7da5a 100644
--- a/yamls/webhook.yaml
+++ b/yamls/webhook.yaml
@@ -99,6 +99,7 @@ webhooks:
 - pods
 - operations:
 - CREATE
+ - UPDATE
 apiGroups:
 - "kubeovn.io"
 apiVersions:
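Review bot: The new `case admissionv1.Update:` branch in Handle looks `updateHooks[req.Kind]` up twice; `if hook, ok := updateHooks[req.Kind]; ok {` followed by `resp = hook(ctx, req)` does a single lookup. An update for a kind with no registered hook still falls through to `ctrlwebhook.Allowed("by pass")`, so a one-line comment such as `// no hook registered for this kind/operation: allow` would make the fail-open default explicit to the next reader. Handle begins before this hunk and continues after it.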
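Review bot: Adding `UPDATE` to this rule sends every write to the matched kubeovn.io resources through the webhook, presumably including updates issued by the controller itself, and SubnetUpdateHook lists all subnets on each call. The rule's `failurePolicy` and `timeoutSeconds` are outside this hunk; confirm they are set deliberately, because under a fail-closed policy an unavailable webhook would block those updates. A short comment above the rule, e.g. `# UPDATE is validated by SubnetUpdateHook`, would record why the operation is listed.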