Prevent deletion of local and fleet-local namespaces

Signed-off-by: Dharmit Shah <dharmit.shah@suse.com>

Author: dharmit

pkg/resources/core/v1/namespace/deleteNamespace.go

@@ -0,0 +1,17 @@
+package namespace
+
+import (
+	"github.com/rancher/webhook/pkg/admission"
+	admissionv1 "k8s.io/api/admission/v1"
+	"k8s.io/utils/trace"
+)
+
+// deleteNamespaceAdmitter handles namespace deletion scenarios
+type deleteNamespaceAdmitter struct{}
+
+func (d deleteNamespaceAdmitter) Admit(request *admission.Request) (*admissionv1.AdmissionResponse, error) {
+	listTrace := trace.New("Namespace Admit", trace.Field{Key: "user", Value: request.UserInfo.Username})
+	defer listTrace.LogIfLong(admission.SlowTraceDuration)
+
+	return admission.ResponseBadRequest("can't delete local cluster"), nil
+}

pkg/resources/core/v1/namespace/validator.go

@@ -18,6 +18,7 @@ var projectsGVR = schema.GroupVersionResource{
 
 // Validator validates the namespace admission request.
 type Validator struct {
+	deleteNamespaceAdmitter    deleteNamespaceAdmitter
 	psaAdmitter                psaLabelAdmitter
 	projectNamespaceAdmitter   projectNamespaceAdmitter
 	requestWithinLimitAdmitter requestLimitAdmitter
@@ -26,6 +27,7 @@ type Validator struct {
 // NewValidator returns a new validator used for validation of namespace requests.
 func NewValidator(sar authorizationv1.SubjectAccessReviewInterface) *Validator {
 	return &Validator{
+		deleteNamespaceAdmitter: deleteNamespaceAdmitter{},
 		psaAdmitter: psaLabelAdmitter{
 			sar: sar,
 		},
@@ -49,6 +51,7 @@ func (v *Validator) Operations() []admissionv1.OperationType {
 	return []admissionv1.OperationType{
 		admissionv1.Update,
 		admissionv1.Create,
+		admissionv1.Delete,
 	}
 }
 
@@ -87,7 +90,19 @@ func (v *Validator) ValidatingWebhook(clientConfig admissionv1.WebhookClientConf
 	}
 	kubeSystemCreateWebhook.FailurePolicy = admission.Ptr(admissionv1.Ignore)
 
-	return []admissionv1.ValidatingWebhook{*standardWebhook, *createWebhook, *kubeSystemCreateWebhook}
+	deleteNamespaceWebhook := admission.NewDefaultValidatingWebhook(v, clientConfig, admissionv1.ClusterScope, []admissionv1.OperationType{admissionv1.Delete})
+	deleteNamespaceWebhook.Name = admission.CreateWebhookName(v, "delete-namespace")
+	deleteNamespaceWebhook.NamespaceSelector = &metav1.LabelSelector{
+		MatchExpressions: []metav1.LabelSelectorRequirement{
+			{
+				Key:      corev1.LabelMetadataName,
+				Operator: metav1.LabelSelectorOpIn,
+				Values:   []string{"fleet-local", "local"},
+			},
+		},
+	}
+
+	return []admissionv1.ValidatingWebhook{*deleteNamespaceWebhook, *standardWebhook, *createWebhook, *kubeSystemCreateWebhook}
 }
 
 // Admitters returns the psaAdmitter and the projectNamespaceAdmitter for namespaces.