k3s/pkg/kubeapiserver/admission/initializer.go

/*
Copyright 2016 The Kubernetes Authors.

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

package admission

import (
	"net/url"

	"k8s.io/apimachinery/pkg/api/meta"
	"k8s.io/apiserver/pkg/admission"
	"k8s.io/apiserver/pkg/authorization/authorizer"
	"k8s.io/kubernetes/pkg/apis/admissionregistration"
	"k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset"
	informers "k8s.io/kubernetes/pkg/client/informers/informers_generated/internalversion"
	"k8s.io/kubernetes/pkg/quota"
)

// TODO add a `WantsToRun` which takes a stopCh.  Might make it generic.

// WantsInternalKubeClientSet defines a function which sets ClientSet for admission plugins that need it
type WantsInternalKubeClientSet interface {
	SetInternalKubeClientSet(internalclientset.Interface)
	admission.Validator
}

// WantsInternalKubeInformerFactory defines a function which sets InformerFactory for admission plugins that need it
type WantsInternalKubeInformerFactory interface {
	SetInternalKubeInformerFactory(informers.SharedInformerFactory)
	admission.Validator
}

// WantsAuthorizer defines a function which sets Authorizer for admission plugins that need it.
type WantsAuthorizer interface {
	SetAuthorizer(authorizer.Authorizer)
	admission.Validator
}

// WantsCloudConfig defines a function which sets CloudConfig for admission plugins that need it.
type WantsCloudConfig interface {
	SetCloudConfig([]byte)
}

// WantsRESTMapper defines a function which sets RESTMapper for admission plugins that need it.
type WantsRESTMapper interface {
	SetRESTMapper(meta.RESTMapper)
}

// WantsQuotaRegistry defines a function which sets quota registry for admission plugins that need it.
type WantsQuotaRegistry interface {
	SetQuotaRegistry(quota.Registry)
	admission.Validator
}

// WantsServiceResolver defines a fuction that accepts a ServiceResolver for
// admission plugins that need to make calls to services.
type WantsServiceResolver interface {
	SetServiceResolver(ServiceResolver)
}

// WantsClientCert defines a fuction that accepts a cert & key for admission
// plugins that need to make calls and prove their identity.
type WantsClientCert interface {
	SetClientCert(cert, key []byte)
}

// WantsWebhookSource defines a function that accepts a webhook lister for the
// dynamic webhook plugin.
type WantsWebhookSource interface {
	SetWebhookSource(WebhookSource)
}

// ServiceResolver knows how to convert a service reference into an actual
// location.
type ServiceResolver interface {
	ResolveEndpoint(namespace, name string) (*url.URL, error)
}

// WebhookSource can list dynamic webhook plugins.
type WebhookSource interface {
	List() ([]admissionregistration.ExternalAdmissionHook, error)
}

type PluginInitializer struct {
	internalClient  internalclientset.Interface
	informers       informers.SharedInformerFactory
	authorizer      authorizer.Authorizer
	cloudConfig     []byte
	restMapper      meta.RESTMapper
	quotaRegistry   quota.Registry
	serviceResolver ServiceResolver
	webhookSource   WebhookSource

	// for proving we are apiserver in call-outs
	clientCert []byte
	clientKey  []byte
}

var _ admission.PluginInitializer = &PluginInitializer{}

// NewPluginInitializer constructs new instance of PluginInitializer
// TODO: switch these parameters to use the builder pattern or just make them
// all public, this construction method is pointless boilerplate.
func NewPluginInitializer(internalClient internalclientset.Interface,
	sharedInformers informers.SharedInformerFactory,
	authz authorizer.Authorizer,
	cloudConfig []byte,
	restMapper meta.RESTMapper,
	quotaRegistry quota.Registry) *PluginInitializer {
	return &PluginInitializer{
		internalClient: internalClient,
		informers:      sharedInformers,
		authorizer:     authz,
		cloudConfig:    cloudConfig,
		restMapper:     restMapper,
		quotaRegistry:  quotaRegistry,
	}
}

// SetServiceResolver sets the service resolver which is needed by some plugins.
func (i *PluginInitializer) SetServiceResolver(s ServiceResolver) *PluginInitializer {
	i.serviceResolver = s
	return i
}

// SetClientCert sets the client cert & key (identity used for calling out to
// web hooks) which is needed by some plugins.
func (i *PluginInitializer) SetClientCert(cert, key []byte) *PluginInitializer {
	i.clientCert = cert
	i.clientKey = key
	return i
}

// SetWebhookSource sets the webhook source-- admittedly this is probably
// specific to the external admission hook plugin.
func (i *PluginInitializer) SetWebhookSource(w WebhookSource) *PluginInitializer {
	i.webhookSource = w
	return i
}

// Initialize checks the initialization interfaces implemented by each plugin
// and provide the appropriate initialization data
func (i *PluginInitializer) Initialize(plugin admission.Interface) {
	if wants, ok := plugin.(WantsInternalKubeClientSet); ok {
		wants.SetInternalKubeClientSet(i.internalClient)
	}

	if wants, ok := plugin.(WantsInternalKubeInformerFactory); ok {
		wants.SetInternalKubeInformerFactory(i.informers)
	}

	if wants, ok := plugin.(WantsAuthorizer); ok {
		wants.SetAuthorizer(i.authorizer)
	}

	if wants, ok := plugin.(WantsCloudConfig); ok {
		wants.SetCloudConfig(i.cloudConfig)
	}

	if wants, ok := plugin.(WantsRESTMapper); ok {
		wants.SetRESTMapper(i.restMapper)
	}

	if wants, ok := plugin.(WantsQuotaRegistry); ok {
		wants.SetQuotaRegistry(i.quotaRegistry)
	}

	if wants, ok := plugin.(WantsServiceResolver); ok {
		if i.serviceResolver == nil {
			panic("An admission plugin wants the service resolver, but it was not provided.")
		}
		wants.SetServiceResolver(i.serviceResolver)
	}

	if wants, ok := plugin.(WantsClientCert); ok {
		if i.clientCert == nil || i.clientKey == nil {
			panic("An admission plugin wants a client cert/key, but they were not provided.")
		}
		wants.SetClientCert(i.clientCert, i.clientKey)
	}

	if wants, ok := plugin.(WantsWebhookSource); ok {
		if i.webhookSource == nil {
			panic("An admission plugin wants a webhook source, but it was not provided.")
		}
		wants.SetWebhookSource(i.webhookSource)
	}
}
refactored admission to avoid internal client references 2016-12-21 21:16:16 +00:00			`/*`
			`Copyright 2016 The Kubernetes Authors.`

			`Licensed under the Apache License, Version 2.0 (the "License");`
			`you may not use this file except in compliance with the License.`
			`You may obtain a copy of the License at`

			`http://www.apache.org/licenses/LICENSE-2.0`

			`Unless required by applicable law or agreed to in writing, software`
			`distributed under the License is distributed on an "AS IS" BASIS,`
			`WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.`
			`See the License for the specific language governing permissions and`
			`limitations under the License.`
			`*/`

			`package admission`

			`import (`
Implement dynamic admission webhooks Also fix a bug in rest client 2017-05-24 22:31:34 +00:00			`"net/url"`

add gc admission plugin that prevents user who doesn't have delete permission of the owner from setting blockOwnerDeletion 2017-03-25 01:13:57 +00:00			`"k8s.io/apimachinery/pkg/api/meta"`
move admission to genericapiserver 2017-01-17 21:42:13 +00:00			`"k8s.io/apiserver/pkg/admission"`
mechanicals 2017-01-04 15:39:05 +00:00			`"k8s.io/apiserver/pkg/authorization/authorizer"`
Implement dynamic admission webhooks Also fix a bug in rest client 2017-05-24 22:31:34 +00:00			`"k8s.io/kubernetes/pkg/apis/admissionregistration"`
refactored admission to avoid internal client references 2016-12-21 21:16:16 +00:00			`"k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset"`
Switch admission to use shared informers 2017-02-15 19:00:29 +00:00			`informers "k8s.io/kubernetes/pkg/client/informers/informers_generated/internalversion"`
ResourceQuota admission control injects registry 2017-05-18 18:00:02 +00:00			`"k8s.io/kubernetes/pkg/quota"`
refactored admission to avoid internal client references 2016-12-21 21:16:16 +00:00			`)`

			// TODO add a `WantsToRun` which takes a stopCh. Might make it generic.

update names for kube plugin initializer to avoid conflicts 2017-03-06 14:12:58 +00:00			`// WantsInternalKubeClientSet defines a function which sets ClientSet for admission plugins that need it`
			`type WantsInternalKubeClientSet interface {`
			`SetInternalKubeClientSet(internalclientset.Interface)`
refactored admission to avoid internal client references 2016-12-21 21:16:16 +00:00			`admission.Validator`
			`}`

update names for kube plugin initializer to avoid conflicts 2017-03-06 14:12:58 +00:00			`// WantsInternalKubeInformerFactory defines a function which sets InformerFactory for admission plugins that need it`
			`type WantsInternalKubeInformerFactory interface {`
			`SetInternalKubeInformerFactory(informers.SharedInformerFactory)`
refactored admission to avoid internal client references 2016-12-21 21:16:16 +00:00			`admission.Validator`
			`}`

			`// WantsAuthorizer defines a function which sets Authorizer for admission plugins that need it.`
			`type WantsAuthorizer interface {`
			`SetAuthorizer(authorizer.Authorizer)`
			`admission.Validator`
			`}`

Fix Multizone pv creation on GCE When Multizone is enabled static PV creation on GCE fails because Cloud provider configuration is not available in admission plugins. 2017-01-26 16:04:23 +00:00			`// WantsCloudConfig defines a function which sets CloudConfig for admission plugins that need it.`
			`type WantsCloudConfig interface {`
			`SetCloudConfig([]byte)`
			`}`

add gc admission plugin that prevents user who doesn't have delete permission of the owner from setting blockOwnerDeletion 2017-03-25 01:13:57 +00:00			`// WantsRESTMapper defines a function which sets RESTMapper for admission plugins that need it.`
			`type WantsRESTMapper interface {`
			`SetRESTMapper(meta.RESTMapper)`
			`}`

ResourceQuota admission control injects registry 2017-05-18 18:00:02 +00:00			`// WantsQuotaRegistry defines a function which sets quota registry for admission plugins that need it.`
			`type WantsQuotaRegistry interface {`
			`SetQuotaRegistry(quota.Registry)`
			`admission.Validator`
			`}`

Implement dynamic admission webhooks Also fix a bug in rest client 2017-05-24 22:31:34 +00:00			`// WantsServiceResolver defines a fuction that accepts a ServiceResolver for`
			`// admission plugins that need to make calls to services.`
			`type WantsServiceResolver interface {`
			`SetServiceResolver(ServiceResolver)`
			`}`

			`// WantsClientCert defines a fuction that accepts a cert & key for admission`
			`// plugins that need to make calls and prove their identity.`
			`type WantsClientCert interface {`
			`SetClientCert(cert, key []byte)`
			`}`

			`// WantsWebhookSource defines a function that accepts a webhook lister for the`
			`// dynamic webhook plugin.`
			`type WantsWebhookSource interface {`
			`SetWebhookSource(WebhookSource)`
			`}`

			`// ServiceResolver knows how to convert a service reference into an actual`
			`// location.`
			`type ServiceResolver interface {`
			`ResolveEndpoint(namespace, name string) (*url.URL, error)`
			`}`

			`// WebhookSource can list dynamic webhook plugins.`
			`type WebhookSource interface {`
			`List() ([]admissionregistration.ExternalAdmissionHook, error)`
refactored admission to avoid internal client references 2016-12-21 21:16:16 +00:00			`}`

Implement dynamic admission webhooks Also fix a bug in rest client 2017-05-24 22:31:34 +00:00			`type PluginInitializer struct {`
			`internalClient internalclientset.Interface`
			`informers informers.SharedInformerFactory`
			`authorizer authorizer.Authorizer`
			`cloudConfig []byte`
			`restMapper meta.RESTMapper`
			`quotaRegistry quota.Registry`
			`serviceResolver ServiceResolver`
			`webhookSource WebhookSource`

			`// for proving we are apiserver in call-outs`
			`clientCert []byte`
			`clientKey []byte`
			`}`

			`var _ admission.PluginInitializer = &PluginInitializer{}`
refactored admission to avoid internal client references 2016-12-21 21:16:16 +00:00
			`// NewPluginInitializer constructs new instance of PluginInitializer`
Implement dynamic admission webhooks Also fix a bug in rest client 2017-05-24 22:31:34 +00:00			`// TODO: switch these parameters to use the builder pattern or just make them`
			`// all public, this construction method is pointless boilerplate.`
ResourceQuota admission control injects registry 2017-05-18 18:00:02 +00:00			`func NewPluginInitializer(internalClient internalclientset.Interface,`
			`sharedInformers informers.SharedInformerFactory,`
			`authz authorizer.Authorizer,`
			`cloudConfig []byte,`
			`restMapper meta.RESTMapper,`
Implement dynamic admission webhooks Also fix a bug in rest client 2017-05-24 22:31:34 +00:00			`quotaRegistry quota.Registry) *PluginInitializer {`
			`return &PluginInitializer{`
refactored admission to avoid internal client references 2016-12-21 21:16:16 +00:00			`internalClient: internalClient,`
			`informers: sharedInformers,`
			`authorizer: authz,`
Fix Multizone pv creation on GCE When Multizone is enabled static PV creation on GCE fails because Cloud provider configuration is not available in admission plugins. 2017-01-26 16:04:23 +00:00			`cloudConfig: cloudConfig,`
add gc admission plugin that prevents user who doesn't have delete permission of the owner from setting blockOwnerDeletion 2017-03-25 01:13:57 +00:00			`restMapper: restMapper,`
ResourceQuota admission control injects registry 2017-05-18 18:00:02 +00:00			`quotaRegistry: quotaRegistry,`
refactored admission to avoid internal client references 2016-12-21 21:16:16 +00:00			`}`
			`}`

Implement dynamic admission webhooks Also fix a bug in rest client 2017-05-24 22:31:34 +00:00			`// SetServiceResolver sets the service resolver which is needed by some plugins.`
			`func (i PluginInitializer) SetServiceResolver(s ServiceResolver) PluginInitializer {`
			`i.serviceResolver = s`
			`return i`
			`}`

			`// SetClientCert sets the client cert & key (identity used for calling out to`
			`// web hooks) which is needed by some plugins.`
			`func (i PluginInitializer) SetClientCert(cert, key []byte) PluginInitializer {`
			`i.clientCert = cert`
			`i.clientKey = key`
			`return i`
			`}`

			`// SetWebhookSource sets the webhook source-- admittedly this is probably`
			`// specific to the external admission hook plugin.`
			`func (i PluginInitializer) SetWebhookSource(w WebhookSource) PluginInitializer {`
			`i.webhookSource = w`
			`return i`
			`}`

refactored admission to avoid internal client references 2016-12-21 21:16:16 +00:00			`// Initialize checks the initialization interfaces implemented by each plugin`
			`// and provide the appropriate initialization data`
Implement dynamic admission webhooks Also fix a bug in rest client 2017-05-24 22:31:34 +00:00			`func (i *PluginInitializer) Initialize(plugin admission.Interface) {`
update names for kube plugin initializer to avoid conflicts 2017-03-06 14:12:58 +00:00			`if wants, ok := plugin.(WantsInternalKubeClientSet); ok {`
			`wants.SetInternalKubeClientSet(i.internalClient)`
refactored admission to avoid internal client references 2016-12-21 21:16:16 +00:00			`}`

update names for kube plugin initializer to avoid conflicts 2017-03-06 14:12:58 +00:00			`if wants, ok := plugin.(WantsInternalKubeInformerFactory); ok {`
			`wants.SetInternalKubeInformerFactory(i.informers)`
refactored admission to avoid internal client references 2016-12-21 21:16:16 +00:00			`}`

			`if wants, ok := plugin.(WantsAuthorizer); ok {`
			`wants.SetAuthorizer(i.authorizer)`
			`}`
Fix Multizone pv creation on GCE When Multizone is enabled static PV creation on GCE fails because Cloud provider configuration is not available in admission plugins. 2017-01-26 16:04:23 +00:00
			`if wants, ok := plugin.(WantsCloudConfig); ok {`
			`wants.SetCloudConfig(i.cloudConfig)`
			`}`
add gc admission plugin that prevents user who doesn't have delete permission of the owner from setting blockOwnerDeletion 2017-03-25 01:13:57 +00:00
			`if wants, ok := plugin.(WantsRESTMapper); ok {`
			`wants.SetRESTMapper(i.restMapper)`
			`}`
ResourceQuota admission control injects registry 2017-05-18 18:00:02 +00:00
			`if wants, ok := plugin.(WantsQuotaRegistry); ok {`
			`wants.SetQuotaRegistry(i.quotaRegistry)`
			`}`
Implement dynamic admission webhooks Also fix a bug in rest client 2017-05-24 22:31:34 +00:00
			`if wants, ok := plugin.(WantsServiceResolver); ok {`
			`if i.serviceResolver == nil {`
			`panic("An admission plugin wants the service resolver, but it was not provided.")`
			`}`
			`wants.SetServiceResolver(i.serviceResolver)`
			`}`

			`if wants, ok := plugin.(WantsClientCert); ok {`
			`if i.clientCert == nil \|\| i.clientKey == nil {`
			`panic("An admission plugin wants a client cert/key, but they were not provided.")`
			`}`
			`wants.SetClientCert(i.clientCert, i.clientKey)`
			`}`

			`if wants, ok := plugin.(WantsWebhookSource); ok {`
			`if i.webhookSource == nil {`
			`panic("An admission plugin wants a webhook source, but it was not provided.")`
			`}`
			`wants.SetWebhookSource(i.webhookSource)`
			`}`
refactored admission to avoid internal client references 2016-12-21 21:16:16 +00:00			`}`