-
Notifications
You must be signed in to change notification settings - Fork 173
/
validatepvcannotationfortkgsha.go
87 lines (77 loc) · 4.15 KB
/
validatepvcannotationfortkgsha.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
package admissionhandler
import (
"context"
"encoding/json"
admissionv1 "k8s.io/api/admission/v1"
corev1 "k8s.io/api/core/v1"
"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
"sigs.k8s.io/vsphere-csi-driver/v2/pkg/csi/service/common"
"sigs.k8s.io/vsphere-csi-driver/v2/pkg/csi/service/logger"
)
const (
CreatePVCWithInvalidAnnotation = "Create PVC with invalid annotation " + common.AnnGuestClusterRequestedTopology
AddPVCAnnotation = "Add a new PVC Annotation"
UpdatePVCAnnotation = "Update the PVC Annotation"
RemovePVCAnnotation = "Remove the PVC Annotation"
)
func validatePVCAnnotationForTKGSHA(ctx context.Context, request admission.Request) admission.Response {
log := logger.GetLogger(ctx)
log.Debugf("validatePVCAnnotationForTKGSHA called with the request %v", request)
newPVC := corev1.PersistentVolumeClaim{}
if err := json.Unmarshal(request.Object.Raw, &newPVC); err != nil {
reason := "skipped validation when failed to deserialize PVC from new request object"
log.Warn(reason)
return admission.Allowed(reason)
}
if request.Operation == admissionv1.Create {
// disallow PVC Create with AnnGuestClusterRequestedTopology key but empty value
annGuestClusterRequestedTopologyValue, ok := newPVC.Annotations[common.AnnGuestClusterRequestedTopology]
if ok && annGuestClusterRequestedTopologyValue == "" {
return admission.Denied(CreatePVCWithInvalidAnnotation)
}
} else if request.Operation == admissionv1.Update {
oldPVC := corev1.PersistentVolumeClaim{}
if err := json.Unmarshal(request.OldObject.Raw, &oldPVC); err != nil {
reason := "skipped validation when failed to deserialize PVC from old request object"
log.Warn(reason)
return admission.Allowed(reason)
}
// disallow PVC Update on AnnGuestClusterRequestedTopology
oldAnnGuestClusterRequestedTopologyValue, oldOk := oldPVC.Annotations[common.AnnGuestClusterRequestedTopology]
newAnnGuestClusterRequestedTopologyValue, newOk := newPVC.Annotations[common.AnnGuestClusterRequestedTopology]
if oldOk && newOk {
// disallow changing AnnGuestClusterRequestedTopology to a different value
if oldAnnGuestClusterRequestedTopologyValue != newAnnGuestClusterRequestedTopologyValue {
return admission.Denied(UpdatePVCAnnotation + ", " + common.AnnGuestClusterRequestedTopology)
}
} else if oldOk {
// disallow removing the annotation of AnnGuestClusterRequestedTopology in an existing PVC
return admission.Denied(RemovePVCAnnotation + ", " + common.AnnGuestClusterRequestedTopology)
} else if newOk {
// disallow adding an annotation of AnnGuestClusterRequestedTopology in an existing PVC
return admission.Denied(AddPVCAnnotation + ", " + common.AnnGuestClusterRequestedTopology)
}
// disallow PVC Update on AnnVolumeAccessibleTopology to another non-empty value
oldAnnVolumeAccessibleTopologyValue, oldOk := oldPVC.Annotations[common.AnnVolumeAccessibleTopology]
newAnnVolumeAccessibleTopologyValue, newOk := newPVC.Annotations[common.AnnVolumeAccessibleTopology]
if oldOk && newOk {
if oldAnnVolumeAccessibleTopologyValue != newAnnVolumeAccessibleTopologyValue {
// disallow changing AnnVolumeAccessibleTopology to another a different value except
// only allow changing AnnVolumeAccessibleTopology from an empty value to a non-empty value
if !(oldAnnVolumeAccessibleTopologyValue == "" && newAnnVolumeAccessibleTopologyValue != "") {
return admission.Denied(UpdatePVCAnnotation + ", " + common.AnnVolumeAccessibleTopology)
}
}
} else if oldOk {
// disallow removing the annotation of AnnVolumeAccessibleTopology in an existing PVC
return admission.Denied(RemovePVCAnnotation + ", " + common.AnnVolumeAccessibleTopology)
} else if newOk {
// Note: allow adding an annotation of AnnVolumeAccessibleTopology in an existing PVC for now;
// We can prevent SV DevOps from doing that by checking request.userInfo if necessary
log.Debugf("Allowing adding an annotation, %v, in an existing PVC for now. "+
"Might be denied later if necessary", common.AnnVolumeAccessibleTopology)
}
}
log.Debugf("validatePVCAnnotationForTKGSHA completed for the request %v", request)
return admission.Allowed("")
}