-
Notifications
You must be signed in to change notification settings - Fork 174
/
pvcsi_admissionhandler.go
102 lines (85 loc) · 3.19 KB
/
pvcsi_admissionhandler.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
package admissionhandler
import (
"context"
"fmt"
"os"
"strconv"
"k8s.io/client-go/rest"
"sigs.k8s.io/controller-runtime/pkg/client"
crConfig "sigs.k8s.io/controller-runtime/pkg/client/config"
"sigs.k8s.io/controller-runtime/pkg/manager"
"sigs.k8s.io/controller-runtime/pkg/manager/signals"
"sigs.k8s.io/controller-runtime/pkg/webhook"
"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
"sigs.k8s.io/vsphere-csi-driver/v3/pkg/csi/service/logger"
)
const (
PVCSIValidationWebhookPath = "/validate"
PVCSIDefaultWebhookPort = 9883
PVCSIDefaultWebhookMetricsBindAddress = "0"
PVCSIWebhookTlsMinVersion = "1.2"
)
func getPVCSIWebhookPort() int {
portStr, ok := os.LookupEnv("PVCSI_WEBHOOK_SERVICE_CONTAINER_PORT")
if !ok {
return DefaultWebhookPort
}
result, err := strconv.ParseInt(portStr, 0, 0)
if err != nil {
panic(fmt.Sprintf("malformed configuration: PVCSI_WEBHOOK_SERVICE_CONTAINER_PORT, expected int: %v", err))
}
return int(result)
}
func getPVCSIMetricsBindAddress() string {
metricsAddr, ok := os.LookupEnv("PVCSI_WEBHOOK_SERVICE_METRICS_BIND_ADDR")
if !ok {
return DefaultWebhookMetricsBindAddress
}
return metricsAddr
}
// startPVCSIWebhookManager starts the webhook server in guest cluster
func startPVCSIWebhookManager(ctx context.Context) {
log := logger.GetLogger(ctx)
webhookPort := getPVCSIWebhookPort()
metricsBindAddress := getPVCSIMetricsBindAddress()
log.Infof("setting up webhook manager with webhookPort %v and metricsBindAddress %v",
webhookPort, metricsBindAddress)
mgr, err := manager.New(crConfig.GetConfigOrDie(), manager.Options{
MetricsBindAddress: metricsBindAddress,
Port: webhookPort})
if err != nil {
log.Fatal(err, "unable to set up overall controller manager")
}
log.Infof("registering validating webhook with the endpoint %v", PVCSIValidationWebhookPath)
// we should not allow TLS < 1.2
mgr.GetWebhookServer().TLSMinVersion = PVCSIWebhookTlsMinVersion
mgr.GetWebhookServer().Register(PVCSIValidationWebhookPath, &webhook.Admission{Handler: &CSIGuestWebhook{
Client: mgr.GetClient(),
clientConfig: mgr.GetConfig(),
}})
if err := mgr.Start(signals.SetupSignalHandler()); err != nil {
log.Fatal(err, "unable to run the webhook manager")
}
}
var _ admission.Handler = &CSIGuestWebhook{}
type CSIGuestWebhook struct {
client.Client
clientConfig *rest.Config
}
func (h *CSIGuestWebhook) Handle(ctx context.Context, req admission.Request) (resp admission.Response) {
log := logger.GetLogger(ctx)
log.Debugf("PV-CSI validation webhook handler called with request: %+v", req)
defer log.Debugf("PV-CSI validation webhook handler completed for the request: %+v", req)
resp = admission.Allowed("")
if req.Kind.Kind == "PersistentVolumeClaim" {
if featureGateBlockVolumeSnapshotEnabled {
admissionResp := validatePVC(ctx, &req.AdmissionRequest)
resp.AdmissionResponse = *admissionResp.DeepCopy()
}
} else if req.Kind.Kind == "VolumeSnapshotClass" || req.Kind.Kind == "VolumeSnapshot" ||
req.Kind.Kind == "VolumeSnapshotContent" {
admissionResp := validateSnapshotOperationGuestRequest(ctx, &req.AdmissionRequest)
resp.AdmissionResponse = *admissionResp.DeepCopy()
}
return
}