/*
Copyright 2016 The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Package imagepolicy contains an admission controller that configures a webhook to which policy
// decisions are delegated.
package imagepolicy
import (
	"fmt"
	"math"
	"time"

	"k8s.io/klog/v2"
)
// Limits and defaults for the three tunable durations of the image policy
// webhook. Each setting has a default (used when the configured value is 0),
// and an inclusive [min, max] range that the scaled configured value must
// fall into. The two sentinels at the end are compared against the raw,
// unscaled configured value.
const (
	// Retry backoff between webhook attempts (configured in milliseconds).
	defaultRetryBackoff = 500 * time.Millisecond
	minRetryBackoff     = 1 * time.Nanosecond // any positive scaled value is accepted
	maxRetryBackoff     = 5 * time.Minute

	// Cache lifetimes for allow and deny decisions (configured in seconds).
	defaultAllowTTL = 5 * time.Minute
	defaultDenyTTL  = 30 * time.Second

	minAllowTTL = 1 * time.Second
	maxAllowTTL = 30 * time.Minute

	minDenyTTL = 1 * time.Second
	maxDenyTTL = 30 * time.Minute

	// Sentinel configured values, kept typed so they compare directly
	// against a time.Duration field.
	useDefault time.Duration = 0  // use the setting's default
	disableTTL time.Duration = -1 // switch the setting off
)
// imagePolicyWebhookConfig holds config data for imagePolicyWebhook.
//
// The three duration fields are stored as decoded from the admission
// configuration (a bare number is decoded as nanoseconds); normalizeWebhookConfig
// rewrites them in place, applying the 0 (default) and -1 (disabled) sentinels,
// the unit scaling and the range limits declared in the const block above.
type imagePolicyWebhookConfig struct {
	// KubeConfigFile is decoded from "kubeConfigFile". It is not read in this
	// file; presumably the kubeconfig used to reach the webhook backend — confirm
	// against the caller.
	KubeConfigFile string `json:"kubeConfigFile"`
	// AllowTTL is the "allow cache" lifetime; scaled to seconds and checked
	// against [minAllowTTL, maxAllowTTL] by normalizeWebhookConfig.
	AllowTTL time.Duration `json:"allowTTL"`
	// DenyTTL is the "deny cache" lifetime; scaled to seconds and checked
	// against [minDenyTTL, maxDenyTTL] by normalizeWebhookConfig.
	DenyTTL time.Duration `json:"denyTTL"`
	// RetryBackoff is the "backoff" setting; scaled to milliseconds and checked
	// against [minRetryBackoff, maxRetryBackoff] by normalizeWebhookConfig.
	RetryBackoff time.Duration `json:"retryBackoff"`
	// DefaultAllow is decoded from "defaultAllow". It is not read in this file;
	// presumably the fallback decision when no webhook answer is available —
	// confirm against the caller.
	DefaultAllow bool `json:"defaultAllow"`
}
// AdmissionConfig holds config data for admission controllers.
type AdmissionConfig struct {
	// ImagePolicyWebhook is the image policy webhook section, decoded from the
	// "imagePolicy" key.
	ImagePolicyWebhook imagePolicyWebhookConfig `json:"imagePolicy"`
}
// normalizeWebhookConfig replaces the raw durations in config with their
// effective values, applying the sentinel, scaling and range rules of
// normalizeConfigDuration to RetryBackoff (milliseconds), AllowTTL and
// DenyTTL (seconds), in that order.
//
// It stops at the first invalid field and returns that field's error; fields
// processed earlier have already been rewritten, and the failing field holds
// whatever normalizeConfigDuration returned alongside the error.
func normalizeWebhookConfig(config *imagePolicyWebhookConfig) (err error) {
	rules := []struct {
		name         string
		scale        time.Duration
		field        *time.Duration
		min, max     time.Duration
		defaultValue time.Duration
	}{
		{"backoff", time.Millisecond, &config.RetryBackoff, minRetryBackoff, maxRetryBackoff, defaultRetryBackoff},
		{"allow cache", time.Second, &config.AllowTTL, minAllowTTL, maxAllowTTL, defaultAllowTTL},
		{"deny cache", time.Second, &config.DenyTTL, minDenyTTL, maxDenyTTL, defaultDenyTTL},
	}
	for _, r := range rules {
		// The field is assigned even when an error comes back, matching the
		// multi-assign the original per-field statements performed.
		*r.field, err = normalizeConfigDuration(r.name, r.scale, *r.field, r.min, r.max, r.defaultValue)
		if err != nil {
			return err
		}
	}
	return nil
}
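// normalizeConfigDuration turns the raw configured duration for the setting
// called name into its effective value, honoring two sentinels compared
// against the unscaled value:
//
//   - disableTTL (-1) switches the setting off and yields 0;
//   - useDefault (0) yields defaultValue.
//
// Any other value is multiplied by scale (decoding gives the bare number as
// nanoseconds, so scale restores the unit the setting is documented in) and
// must then lie within [min, max], inclusive. The scaled value is returned
// together with an error when it is out of range; an error is also returned
// when the multiplication would wrap around int64, since a wrapped product
// could otherwise land inside the accepted range and pass the check.
func normalizeConfigDuration(name string, scale, value, min, max, defaultValue time.Duration) (time.Duration, error) {
	// disable with -1 sentinel
	if value == disableTTL {
		klog.V(2).Infof("image policy webhook %s disabled", name)
		return 0, nil
	}

	// use default with 0 sentinel
	if value == useDefault {
		klog.V(2).Infof("image policy webhook %s using default value", name)
		return defaultValue, nil
	}

	// Reject values whose product with scale would overflow before the range
	// check sees them. Only a positive scale is checked (the callers pass
	// time.Millisecond / time.Second); the guard also keeps the division safe.
	if scale > 0 && (value > math.MaxInt64/scale || value < math.MinInt64/scale) {
		return value, fmt.Errorf("value %d cannot be scaled by %v without overflowing", int64(value), scale)
	}

	// convert to the setting's unit; unmarshalling gives ns
	value *= scale

	// check value is within range
	if value < min || value > max {
		return value, fmt.Errorf("valid value is between %v and %v, got %v", min, max, value)
	}
	return value, nil
}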