[controller] Add a webhook to validate storage class operations (#36)

Signed-off-by: Viktor Kramarenko <viktor.kramarenko@flant.com> Signed-off-by: Aleksandr Zimin <alexandr.zimin@flant.com> Co-authored-by: Aleksandr Zimin <alexandr.zimin@flant.com>
deckhouse · Apr 26, 2024 · f135ad4 · f135ad4
1 parent c01d127
commit f135ad4
Show file tree

Hide file tree

Showing 9 changed files with 272 additions and 161 deletions.
diff --git a/images/webhooks/src/go.mod b/images/webhooks/src/go.mod
@@ -1,50 +1,50 @@
 module webhooks
 
-go 1.21
+go 1.22.1
+
+toolchain go1.22.2
 
 require (
 	github.com/sirupsen/logrus v1.9.3
-	github.com/slok/kubewebhook/v2 v2.5.0
-	k8s.io/api v0.29.0
-	k8s.io/apimachinery v0.29.0
-	k8s.io/client-go v0.29.0
-	k8s.io/klog/v2 v2.110.1
+	github.com/slok/kubewebhook/v2 v2.6.0
+	k8s.io/api v0.30.0
+	k8s.io/apimachinery v0.30.0
+	k8s.io/client-go v0.30.0
+	k8s.io/klog/v2 v2.120.1
 )
 
 require (
 	github.com/davecgh/go-spew v1.1.1 // indirect
-	github.com/emicklei/go-restful/v3 v3.11.0 // indirect
-	github.com/go-logr/logr v1.3.0 // indirect
-	github.com/go-openapi/jsonpointer v0.19.6 // indirect
-	github.com/go-openapi/jsonreference v0.20.2 // indirect
-	github.com/go-openapi/swag v0.22.3 // indirect
+	github.com/emicklei/go-restful/v3 v3.12.0 // indirect
+	github.com/go-logr/logr v1.4.1 // indirect
+	github.com/go-openapi/jsonpointer v0.21.0 // indirect
+	github.com/go-openapi/jsonreference v0.21.0 // indirect
+	github.com/go-openapi/swag v0.23.0 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
-	github.com/golang/protobuf v1.5.3 // indirect
+	github.com/golang/protobuf v1.5.4 // indirect
 	github.com/google/gnostic-models v0.6.8 // indirect
 	github.com/google/gofuzz v1.2.0 // indirect
-	github.com/google/uuid v1.3.0 // indirect
+	github.com/google/uuid v1.6.0 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
 	github.com/mailru/easyjson v0.7.7 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
-	golang.org/x/net v0.17.0 // indirect
-	golang.org/x/oauth2 v0.10.0 // indirect
-	golang.org/x/sys v0.13.0 // indirect
-	golang.org/x/term v0.13.0 // indirect
-	golang.org/x/text v0.13.0 // indirect
-	golang.org/x/time v0.3.0 // indirect
-	gomodules.xyz/jsonpatch/v3 v3.0.1 // indirect
-	gomodules.xyz/orderedmap v0.1.0 // indirect
-	google.golang.org/appengine v1.6.7 // indirect
-	google.golang.org/protobuf v1.31.0 // indirect
+	golang.org/x/net v0.24.0 // indirect
+	golang.org/x/oauth2 v0.19.0 // indirect
+	golang.org/x/sys v0.19.0 // indirect
+	golang.org/x/term v0.19.0 // indirect
+	golang.org/x/text v0.14.0 // indirect
+	golang.org/x/time v0.5.0 // indirect
+	gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect
+	google.golang.org/protobuf v1.33.0 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
-	k8s.io/kube-openapi v0.0.0-20231010175941-2dd684a91f00 // indirect
-	k8s.io/utils v0.0.0-20230726121419-3b25d923346b // indirect
+	k8s.io/kube-openapi v0.0.0-20240423202451-8948a665c108 // indirect
+	k8s.io/utils v0.0.0-20240423183400-0849a56e8f22 // indirect
 	sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
 	sigs.k8s.io/structured-merge-diff/v4 v4.4.1 // indirect
-	sigs.k8s.io/yaml v1.3.0 // indirect
+	sigs.k8s.io/yaml v1.4.0 // indirect
 )
diff --git a/images/webhooks/src/go.sum b/images/webhooks/src/go.sum
diff --git a/images/webhooks/src/handlers/func.go b/images/webhooks/src/handlers/func.go
@@ -0,0 +1,72 @@
+/*
+Copyright 2024 Flant JSC
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package handlers
+
+import (
+	"context"
+	"net/http"
+
+	"github.com/slok/kubewebhook/v2/pkg/log"
+
+	kwhhttp "github.com/slok/kubewebhook/v2/pkg/http"
+	"github.com/slok/kubewebhook/v2/pkg/model"
+	kwhmutating "github.com/slok/kubewebhook/v2/pkg/webhook/mutating"
+	kwhvalidating "github.com/slok/kubewebhook/v2/pkg/webhook/validating"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+func GetMutatingWebhookHandler(mutationFunc func(ctx context.Context, _ *model.AdmissionReview, obj metav1.Object) (*kwhmutating.MutatorResult, error), mutatorID string, obj metav1.Object, logger log.Logger) (http.Handler, error) {
+	mutatorFunc := kwhmutating.MutatorFunc(mutationFunc)
+
+	mutatingWebhookConfig := kwhmutating.WebhookConfig{
+		ID:      mutatorID,
+		Obj:     obj,
+		Mutator: mutatorFunc,
+		Logger:  logger,
+	}
+
+	mutationWebhook, err := kwhmutating.NewWebhook(mutatingWebhookConfig)
+	if err != nil {
+		return nil, err
+	}
+
+	mutationWebhookHandler, err := kwhhttp.HandlerFor(kwhhttp.HandlerConfig{Webhook: mutationWebhook, Logger: logger})
+
+	return mutationWebhookHandler, err
+
+}
+
+func GetValidatingWebhookHandler(validationFunc func(ctx context.Context, _ *model.AdmissionReview, obj metav1.Object) (*kwhvalidating.ValidatorResult, error), validatorID string, obj metav1.Object, logger log.Logger) (http.Handler, error) {
+	validatorFunc := kwhvalidating.ValidatorFunc(validationFunc)
+
+	validatingWebhookConfig := kwhvalidating.WebhookConfig{
+		ID:        validatorID,
+		Obj:       obj,
+		Validator: validatorFunc,
+		Logger:    logger,
+	}
+
+	mutationWebhook, err := kwhvalidating.NewWebhook(validatingWebhookConfig)
+	if err != nil {
+		return nil, err
+	}
+
+	mutationWebhookHandler, err := kwhhttp.HandlerFor(kwhhttp.HandlerConfig{Webhook: mutationWebhook, Logger: logger})
+
+	return mutationWebhookHandler, err
+
+}
diff --git a/...ooks/src/validators/storageClassUpdate.go → images/webhooks/src/handlers/lscValidator.go b/...ooks/src/validators/storageClassUpdate.go → images/webhooks/src/handlers/lscValidator.go
@@ -14,39 +14,40 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
-package validators
+package handlers
 
 import (
 	"context"
 	"fmt"
+	"webhooks/v1alpha1"
+
 	"k8s.io/client-go/kubernetes"
 	"k8s.io/client-go/rest"
 	"k8s.io/klog/v2"
-	"webhooks/v1alpha1"
 
 	"github.com/slok/kubewebhook/v2/pkg/model"
 	kwhvalidating "github.com/slok/kubewebhook/v2/pkg/webhook/validating"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
-func StorageClassUpdate(ctx context.Context, _ *model.AdmissionReview, obj metav1.Object) (*kwhvalidating.ValidatorResult, error) {
-	sc, ok := obj.(*v1alpha1.LocalStorageClass)
+func LSCValidate(ctx context.Context, _ *model.AdmissionReview, obj metav1.Object) (*kwhvalidating.ValidatorResult, error) {
+	lsc, ok := obj.(*v1alpha1.LocalStorageClass)
 	if !ok {
 		// If not a storage class just continue the validation chain(if there is one) and do nothing.
 		return &kwhvalidating.ValidatorResult{}, nil
 	}
 
 	thickExists := false
 	thinExists := false
-	for _, lvmGroup := range sc.Spec.LVM.LVMVolumeGroups {
+	for _, lvmGroup := range lsc.Spec.LVM.LVMVolumeGroups {
 		if lvmGroup.Thin == nil {
 			thickExists = true
 		} else {
 			thinExists = true
 		}
 	}
 
-	if sc.Spec.IsDefault == true {
+	if lsc.Spec.IsDefault == true {
 		config, err := rest.InClusterConfig()
 		if err != nil {
 			klog.Fatal(err.Error())
@@ -60,7 +61,7 @@ func StorageClassUpdate(ctx context.Context, _ *model.AdmissionReview, obj metav
 		storageClasses, _ := staticClient.StorageV1().StorageClasses().List(context.TODO(), metav1.ListOptions{})
 		for _, storageClass := range storageClasses.Items {
 			for label, value := range storageClass.GetObjectMeta().GetAnnotations() {
-				if label == "storageclass.kubernetes.io/is-default-class" && value == "true" && storageClass.Name != sc.Name {
+				if label == "storageclass.kubernetes.io/is-default-class" && value == "true" && storageClass.Name != lsc.Name {
 					klog.Infof("Default StorageClass already set: %s", storageClass.Name)
 					return &kwhvalidating.ValidatorResult{Valid: false, Message: fmt.Sprintf("Default StorageClass already set: %s", storageClass.Name)},
 						nil
@@ -69,12 +70,12 @@ func StorageClassUpdate(ctx context.Context, _ *model.AdmissionReview, obj metav
 		}
 	}
 
-	if thinExists && sc.Spec.LVM.Type == "Thick" {
+	if thinExists && lsc.Spec.LVM.Type == "Thick" {
 		return &kwhvalidating.ValidatorResult{Valid: false, Message: "there must be only thick pools with Thick LVM type"},
 			nil
 	}
 
-	if thickExists && sc.Spec.LVM.Type == "Thin" {
+	if thickExists && lsc.Spec.LVM.Type == "Thin" {
 		return &kwhvalidating.ValidatorResult{Valid: false, Message: "there must be only thin pools with Thin LVM type"},
 			nil
 	}

diff --git a/...ks/src/validators/podSchedulerMutation.go → ...hooks/src/handlers/podSchedulerMutator.go b/...ks/src/validators/podSchedulerMutation.go → ...hooks/src/handlers/podSchedulerMutator.go
@@ -14,7 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
-package validators
+package handlers
 
 import (
 	"context"
@@ -34,7 +34,7 @@ const (
 	schedulerName             = "sds-local-volume"
 )
 
-func PodSchedulerMutation(ctx context.Context, _ *model.AdmissionReview, obj metav1.Object) (*kwhmutating.MutatorResult, error) {
+func PodSchedulerMutate(ctx context.Context, _ *model.AdmissionReview, obj metav1.Object) (*kwhmutating.MutatorResult, error) {
 	pod, ok := obj.(*corev1.Pod)
 	if !ok {
 		// If not a pod just continue the mutation chain(if there is one) and do nothing.

diff --git a/images/webhooks/src/handlers/scValidator.go b/images/webhooks/src/handlers/scValidator.go
@@ -0,0 +1,58 @@
+/*
+Copyright 2024 Flant JSC
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package handlers
+
+import (
+	"context"
+	"fmt"
+
+	"k8s.io/klog/v2"
+
+	"github.com/slok/kubewebhook/v2/pkg/model"
+	kwhvalidating "github.com/slok/kubewebhook/v2/pkg/webhook/validating"
+	storagev1 "k8s.io/api/storage/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+const (
+	localCSIProvisioner = "local.csi.storage.deckhouse.io"
+	allowedUserName     = "system:serviceaccount:d8-sds-local-volume:sds-local-volume-controller"
+)
+
+func SCValidate(ctx context.Context, arReview *model.AdmissionReview, obj metav1.Object) (*kwhvalidating.ValidatorResult, error) {
+	sc, ok := obj.(*storagev1.StorageClass)
+	if !ok {
+		// If not a storage class just continue the validation chain(if there is one) and do nothing.
+		return &kwhvalidating.ValidatorResult{}, nil
+	}
+
+	if sc.Provisioner == localCSIProvisioner {
+		if arReview.UserInfo.Username == allowedUserName {
+			klog.Infof("User %s is allowed to manage storage classes with provisioner %s", arReview.UserInfo.Username, localCSIProvisioner)
+			return &kwhvalidating.ValidatorResult{Valid: true},
+				nil
+		} else {
+			klog.Infof("User %s is not allowed to manage storage classes with provisioner %s", arReview.UserInfo.Username, localCSIProvisioner)
+			return &kwhvalidating.ValidatorResult{Valid: false, Message: fmt.Sprintf("Manual operations with StorageClass with provisioner %s are not allowed. Please use LocalStorageClass instead.", localCSIProvisioner)},
+				nil
+		}
+	} else {
+		return &kwhvalidating.ValidatorResult{Valid: true},
+			nil
+	}
+
+}
diff --git a/images/webhooks/src/main.go b/images/webhooks/src/main.go
@@ -19,16 +19,15 @@ package main
 import (
 	"flag"
 	"fmt"
-	"github.com/sirupsen/logrus"
-	kwhhttp "github.com/slok/kubewebhook/v2/pkg/http"
-	kwhlogrus "github.com/slok/kubewebhook/v2/pkg/log/logrus"
-	kwhmutating "github.com/slok/kubewebhook/v2/pkg/webhook/mutating"
-	kwhvalidating "github.com/slok/kubewebhook/v2/pkg/webhook/validating"
-	corev1 "k8s.io/api/core/v1"
 	"net/http"
 	"os"
+	"webhooks/handlers"
 	"webhooks/v1alpha1"
-	"webhooks/validators"
+
+	"github.com/sirupsen/logrus"
+	kwhlogrus "github.com/slok/kubewebhook/v2/pkg/log/logrus"
+	corev1 "k8s.io/api/core/v1"
+	storagev1 "k8s.io/api/storage/v1"
 )
 
 type config struct {
@@ -53,7 +52,10 @@ func initFlags() config {
 }
 
 const (
-	port = ":8443"
+	port                  = ":8443"
+	PodSchedulerMutatorID = "PodSchedulerMutation"
+	LSCValidatorId        = "LSCValidator"
+	SCValidatorId         = "SCValidator"
 )
 
 func main() {
@@ -63,51 +65,28 @@ func main() {
 
 	cfg := initFlags()
 
-	pscmMF := kwhmutating.MutatorFunc(validators.PodSchedulerMutation)
-
-	pscmMCfg := kwhmutating.WebhookConfig{
-		ID:      "PodSchedulerMutation",
-		Obj:     &corev1.Pod{},
-		Mutator: pscmMF,
-		Logger:  logger,
-	}
-	pscmWh, err := kwhmutating.NewWebhook(pscmMCfg)
+	podSchedulerMutatingWebHookHandler, err := handlers.GetMutatingWebhookHandler(handlers.PodSchedulerMutate, PodSchedulerMutatorID, &corev1.Pod{}, logger)
 	if err != nil {
-		fmt.Fprintf(os.Stderr, "error creating webhook: %s", err)
+		fmt.Fprintf(os.Stderr, "error creating podSchedulerMutatingWebHookHandler: %s", err)
 		os.Exit(1)
 	}
 
-	// Get the handler for our webhook.
-	pscmWhHandler, err := kwhhttp.HandlerFor(kwhhttp.HandlerConfig{Webhook: pscmWh, Logger: logger})
-	if err != nil {
-		fmt.Fprintf(os.Stderr, "error creating webhook handler: %s", err)
-		os.Exit(1)
-	}
-
-	scuMF := kwhvalidating.ValidatorFunc(validators.StorageClassUpdate)
-
-	scuMCfg := kwhvalidating.WebhookConfig{
-		ID:        "StorageClassUpdate",
-		Obj:       &v1alpha1.LocalStorageClass{},
-		Validator: scuMF,
-		Logger:    logger,
-	}
-	scuWh, err := kwhvalidating.NewWebhook(scuMCfg)
+	lscValidatingWebhookHandler, err := handlers.GetValidatingWebhookHandler(handlers.LSCValidate, LSCValidatorId, &v1alpha1.LocalStorageClass{}, logger)
 	if err != nil {
-		fmt.Fprintf(os.Stderr, "error creating webhook: %s", err)
+		fmt.Fprintf(os.Stderr, "error creating lscValidatingWebhookHandler: %s", err)
 		os.Exit(1)
 	}
 
-	// Get the handler for our webhook.
-	scuWhHandler, err := kwhhttp.HandlerFor(kwhhttp.HandlerConfig{Webhook: scuWh, Logger: logger})
+	scValidatingWebhookHandler, err := handlers.GetValidatingWebhookHandler(handlers.SCValidate, SCValidatorId, &storagev1.StorageClass{}, logger)
 	if err != nil {
-		fmt.Fprintf(os.Stderr, "error creating webhook handler: %s", err)
+		fmt.Fprintf(os.Stderr, "error creating scValidatingWebhookHandler: %s", err)
 		os.Exit(1)
 	}
 
 	mux := http.NewServeMux()
-	mux.Handle("/pod-scheduler-mutation", pscmWhHandler)
-	mux.Handle("/storage-class-update", scuWhHandler)
+	mux.Handle("/pod-scheduler-mutate", podSchedulerMutatingWebHookHandler)
+	mux.Handle("/lsc-validate", lscValidatingWebhookHandler)
+	mux.Handle("/sc-validate", scValidatingWebhookHandler)
 	mux.HandleFunc("/healthz", httpHandlerHealthz)
 
 	logger.Infof("Listening on %s", port)