package validation
import (
"net/http"
"github.com/rancher/webhook/pkg/admission"
"github.com/rancher/webhook/pkg/auth"
admissionv1 "k8s.io/api/admission/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)
// CheckCreatorID validates the creator-ID annotation (auth.CreatorIDAnn)
// on an object passing through the admission webhook.
//
// On a Create request the annotation on newObj must equal the username of
// the requesting user (request.UserInfo.Username); an object that claims a
// different creator is rejected. On every other operation the annotation is
// treated as immutable: it may be removed entirely, but if it is present on
// newObj it must carry exactly the value it had on oldObj. Because a missing
// annotation reads as "", re-adding the annotation after it was removed is
// also rejected.
//
// oldObj is only consulted on the non-Create path and may be nil on Create.
// newObj is dereferenced on every path and oldObj on the update path; there
// is no nil guard here, so callers must not route requests without those
// objects (e.g. a Delete, where the new object is absent) through this check
// — NOTE(review): confirm at the call sites.
//
// NOTE(review): an empty UserInfo.Username would let an object with no
// creator-ID annotation pass the Create check ("" == ""); this assumes the
// API server always populates the username for authenticated requests.
//
// Returns nil when the request is acceptable, otherwise a *metav1.Status with
// Status "Failure", Reason Invalid and HTTP code 422 whose Message names the
// violation.
func CheckCreatorID(request *admission.Request, oldObj, newObj metav1.Object) *metav1.Status {
	reject := func(msg string) *metav1.Status {
		return &metav1.Status{
			Status:  "Failure",
			Reason:  metav1.StatusReasonInvalid,
			Code:    http.StatusUnprocessableEntity,
			Message: msg,
		}
	}

	claimed, present := newObj.GetAnnotations()[auth.CreatorIDAnn]

	if request.Operation == admissionv1.Create {
		// The creator may only claim to be themselves. Indexing a nil or
		// annotation-less map yields "", so a missing annotation is rejected
		// unless the username is itself empty.
		if claimed != request.UserInfo.Username {
			return reject("creatorID annotation does not match user")
		}
		return nil
	}

	// Deleting the annotation is the single permitted modification.
	if !present {
		return nil
	}

	// Any other change is refused: the new value must equal whatever the old
	// object carried (an absent old annotation compares as "").
	if previous := oldObj.GetAnnotations()[auth.CreatorIDAnn]; previous != claimed {
		return reject("creatorID annotation cannot be changed")
	}
	return nil
}