2019-01-12 04:58:27 +00:00
/ *
Copyright 2017 The Kubernetes Authors .
Licensed under the Apache License , Version 2.0 ( the "License" ) ;
you may not use this file except in compliance with the License .
You may obtain a copy of the License at
http : //www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing , software
distributed under the License is distributed on an "AS IS" BASIS ,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND , either express or implied .
See the License for the specific language governing permissions and
limitations under the License .
* /
package handlers
import (
"context"
"fmt"
"net/http"
"strings"
"time"
2019-08-30 18:33:25 +00:00
jsonpatch "github.com/evanphx/json-patch"
2019-01-12 04:58:27 +00:00
"k8s.io/apimachinery/pkg/api/errors"
2019-04-07 17:07:55 +00:00
"k8s.io/apimachinery/pkg/api/meta"
2019-12-12 01:27:03 +00:00
metainternalversionscheme "k8s.io/apimachinery/pkg/apis/meta/internalversion/scheme"
2019-01-12 04:58:27 +00:00
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
2020-03-26 21:07:15 +00:00
"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
2019-01-12 04:58:27 +00:00
"k8s.io/apimachinery/pkg/apis/meta/v1/validation"
"k8s.io/apimachinery/pkg/runtime"
"k8s.io/apimachinery/pkg/runtime/schema"
"k8s.io/apimachinery/pkg/types"
"k8s.io/apimachinery/pkg/util/json"
"k8s.io/apimachinery/pkg/util/mergepatch"
"k8s.io/apimachinery/pkg/util/sets"
"k8s.io/apimachinery/pkg/util/strategicpatch"
2019-09-27 21:51:53 +00:00
"k8s.io/apimachinery/pkg/util/validation/field"
2019-01-12 04:58:27 +00:00
"k8s.io/apiserver/pkg/admission"
"k8s.io/apiserver/pkg/audit"
2019-04-07 17:07:55 +00:00
"k8s.io/apiserver/pkg/authorization/authorizer"
2019-08-30 18:33:25 +00:00
"k8s.io/apiserver/pkg/endpoints/handlers/fieldmanager"
2019-01-12 04:58:27 +00:00
"k8s.io/apiserver/pkg/endpoints/handlers/negotiation"
"k8s.io/apiserver/pkg/endpoints/request"
"k8s.io/apiserver/pkg/features"
"k8s.io/apiserver/pkg/registry/rest"
"k8s.io/apiserver/pkg/util/dryrun"
utilfeature "k8s.io/apiserver/pkg/util/feature"
2019-04-07 17:07:55 +00:00
utiltrace "k8s.io/utils/trace"
2020-03-26 21:07:15 +00:00
"sigs.k8s.io/yaml"
2019-01-12 04:58:27 +00:00
)
2019-03-04 01:22:32 +00:00
const (
// maximum number of operations a single json patch may contain.
maxJSONPatchOperations = 10000
)
2019-01-12 04:58:27 +00:00
// PatchResource returns a function that will handle a resource patch.
2019-08-30 18:33:25 +00:00
func PatchResource ( r rest . Patcher , scope * RequestScope , admit admission . Interface , patchTypes [ ] string ) http . HandlerFunc {
2019-01-12 04:58:27 +00:00
return func ( w http . ResponseWriter , req * http . Request ) {
// For performance tracking purposes.
2019-12-12 01:27:03 +00:00
trace := utiltrace . New ( "Patch" , utiltrace . Field { Key : "url" , Value : req . URL . Path } , utiltrace . Field { Key : "user-agent" , Value : & lazyTruncatedUserAgent { req } } , utiltrace . Field { Key : "client" , Value : & lazyClientIP { req } } )
2019-01-12 04:58:27 +00:00
defer trace . LogIfLong ( 500 * time . Millisecond )
if isDryRun ( req . URL ) && ! utilfeature . DefaultFeatureGate . Enabled ( features . DryRun ) {
2020-03-26 21:07:15 +00:00
scope . err ( errors . NewBadRequest ( "the dryRun feature is disabled" ) , w , req )
2019-01-12 04:58:27 +00:00
return
}
// Do this first, otherwise name extraction can fail for unrecognized content types
// TODO: handle this in negotiation
contentType := req . Header . Get ( "Content-Type" )
// Remove "; charset=" if included in header.
if idx := strings . Index ( contentType , ";" ) ; idx > 0 {
contentType = contentType [ : idx ]
}
patchType := types . PatchType ( contentType )
// Ensure the patchType is one we support
if ! sets . NewString ( patchTypes ... ) . Has ( contentType ) {
scope . err ( negotiation . NewUnsupportedMediaTypeError ( patchTypes ) , w , req )
return
}
// TODO: we either want to remove timeout or document it (if we
// document, move timeout out of this function and declare it in
// api_installer)
timeout := parseTimeout ( req . URL . Query ( ) . Get ( "timeout" ) )
namespace , name , err := scope . Namer . Name ( req )
if err != nil {
scope . err ( err , w , req )
return
}
2019-09-27 21:51:53 +00:00
ctx , cancel := context . WithTimeout ( req . Context ( ) , timeout )
defer cancel ( )
2019-01-12 04:58:27 +00:00
ctx = request . WithNamespace ( ctx , namespace )
2019-08-30 18:33:25 +00:00
outputMediaType , _ , err := negotiation . NegotiateOutputMediaType ( req , scope . Serializer , scope )
2019-01-12 04:58:27 +00:00
if err != nil {
scope . err ( err , w , req )
return
}
2019-04-07 17:07:55 +00:00
patchBytes , err := limitedReadBody ( req , scope . MaxRequestBodyBytes )
if err != nil {
scope . err ( err , w , req )
return
}
options := & metav1 . PatchOptions { }
2019-12-12 01:27:03 +00:00
if err := metainternalversionscheme . ParameterCodec . DecodeParameters ( req . URL . Query ( ) , scope . MetaGroupVersion , options ) ; err != nil {
2019-01-12 04:58:27 +00:00
err = errors . NewBadRequest ( err . Error ( ) )
scope . err ( err , w , req )
return
}
2019-04-07 17:07:55 +00:00
if errs := validation . ValidatePatchOptions ( options , patchType ) ; len ( errs ) > 0 {
err := errors . NewInvalid ( schema . GroupKind { Group : metav1 . GroupName , Kind : "PatchOptions" } , "" , errs )
2019-01-12 04:58:27 +00:00
scope . err ( err , w , req )
return
}
2019-08-30 18:33:25 +00:00
options . TypeMeta . SetGroupVersionKind ( metav1 . SchemeGroupVersion . WithKind ( "PatchOptions" ) )
2019-01-12 04:58:27 +00:00
ae := request . AuditEventFrom ( ctx )
admit = admission . WithAudit ( admit , ae )
2019-04-07 17:07:55 +00:00
audit . LogRequestPatch ( ae , patchBytes )
2019-01-12 04:58:27 +00:00
trace . Step ( "Recorded the audit event" )
2019-04-07 17:07:55 +00:00
baseContentType := runtime . ContentTypeJSON
2019-08-30 18:33:25 +00:00
if patchType == types . ApplyPatchType {
baseContentType = runtime . ContentTypeYAML
}
2019-04-07 17:07:55 +00:00
s , ok := runtime . SerializerInfoForMediaType ( scope . Serializer . SupportedMediaTypes ( ) , baseContentType )
2019-01-12 04:58:27 +00:00
if ! ok {
2019-04-07 17:07:55 +00:00
scope . err ( fmt . Errorf ( "no serializer defined for %v" , baseContentType ) , w , req )
2019-01-12 04:58:27 +00:00
return
}
gv := scope . Kind . GroupVersion ( )
codec := runtime . NewCodec (
scope . Serializer . EncoderForVersion ( s . Serializer , gv ) ,
scope . Serializer . DecoderToVersion ( s . Serializer , scope . HubGroupVersion ) ,
)
userInfo , _ := request . UserFrom ( ctx )
2019-04-07 17:07:55 +00:00
staticCreateAttributes := admission . NewAttributesRecord (
nil ,
nil ,
scope . Kind ,
namespace ,
name ,
scope . Resource ,
scope . Subresource ,
admission . Create ,
2019-08-30 18:33:25 +00:00
patchToCreateOptions ( options ) ,
2019-04-07 17:07:55 +00:00
dryrun . IsDryRun ( options . DryRun ) ,
userInfo )
staticUpdateAttributes := admission . NewAttributesRecord (
2019-01-12 04:58:27 +00:00
nil ,
nil ,
scope . Kind ,
namespace ,
name ,
scope . Resource ,
scope . Subresource ,
admission . Update ,
2019-08-30 18:33:25 +00:00
patchToUpdateOptions ( options ) ,
2019-01-12 04:58:27 +00:00
dryrun . IsDryRun ( options . DryRun ) ,
userInfo ,
)
2019-04-07 17:07:55 +00:00
mutatingAdmission , _ := admit . ( admission . MutationInterface )
createAuthorizerAttributes := authorizer . AttributesRecord {
User : userInfo ,
ResourceRequest : true ,
Path : req . URL . Path ,
Verb : "create" ,
APIGroup : scope . Resource . Group ,
APIVersion : scope . Resource . Version ,
Resource : scope . Resource . Resource ,
Subresource : scope . Subresource ,
Namespace : namespace ,
Name : name ,
2019-01-12 04:58:27 +00:00
}
p := patcher {
namer : scope . Namer ,
creater : scope . Creater ,
defaulter : scope . Defaulter ,
2019-04-07 17:07:55 +00:00
typer : scope . Typer ,
2019-01-12 04:58:27 +00:00
unsafeConvertor : scope . UnsafeConvertor ,
kind : scope . Kind ,
resource : scope . Resource ,
2019-04-07 17:07:55 +00:00
subresource : scope . Subresource ,
dryRun : dryrun . IsDryRun ( options . DryRun ) ,
2019-08-30 18:33:25 +00:00
objectInterfaces : scope ,
2019-01-12 04:58:27 +00:00
hubGroupVersion : scope . HubGroupVersion ,
2019-08-30 18:33:25 +00:00
createValidation : withAuthorization ( rest . AdmissionToValidateObjectFunc ( admit , staticCreateAttributes , scope ) , scope . Authorizer , createAuthorizerAttributes ) ,
updateValidation : rest . AdmissionToValidateObjectUpdateFunc ( admit , staticUpdateAttributes , scope ) ,
2019-04-07 17:07:55 +00:00
admissionCheck : mutatingAdmission ,
2019-01-12 04:58:27 +00:00
codec : codec ,
timeout : timeout ,
options : options ,
restPatcher : r ,
name : name ,
patchType : patchType ,
2019-04-07 17:07:55 +00:00
patchBytes : patchBytes ,
userAgent : req . UserAgent ( ) ,
2019-01-12 04:58:27 +00:00
trace : trace ,
}
2019-04-07 17:07:55 +00:00
result , wasCreated , err := p . patchResource ( ctx , scope )
2019-01-12 04:58:27 +00:00
if err != nil {
scope . err ( err , w , req )
return
}
trace . Step ( "Object stored in database" )
2019-09-27 21:51:53 +00:00
if err := setObjectSelfLink ( ctx , result , req , scope . Namer ) ; err != nil {
2019-01-12 04:58:27 +00:00
scope . err ( err , w , req )
return
}
trace . Step ( "Self-link added" )
2019-04-07 17:07:55 +00:00
status := http . StatusOK
if wasCreated {
status = http . StatusCreated
}
2019-08-30 18:33:25 +00:00
transformResponseObject ( ctx , scope , trace , req , w , status , outputMediaType , result )
2019-01-12 04:58:27 +00:00
}
}
2019-09-27 21:51:53 +00:00
type mutateObjectUpdateFunc func ( ctx context . Context , obj , old runtime . Object ) error
2019-01-12 04:58:27 +00:00
// patcher breaks the process of patch application and retries into smaller
// pieces of functionality.
// TODO: Use builder pattern to construct this object?
// TODO: As part of that effort, some aspects of PatchResource above could be
// moved into this type.
type patcher struct {
// Pieces of RequestScope
namer ScopeNamer
creater runtime . ObjectCreater
defaulter runtime . ObjectDefaulter
2019-04-07 17:07:55 +00:00
typer runtime . ObjectTyper
2019-01-12 04:58:27 +00:00
unsafeConvertor runtime . ObjectConvertor
resource schema . GroupVersionResource
kind schema . GroupVersionKind
2019-04-07 17:07:55 +00:00
subresource string
dryRun bool
objectInterfaces admission . ObjectInterfaces
2019-01-12 04:58:27 +00:00
hubGroupVersion schema . GroupVersion
// Validation functions
createValidation rest . ValidateObjectFunc
updateValidation rest . ValidateObjectUpdateFunc
2019-04-07 17:07:55 +00:00
admissionCheck admission . MutationInterface
2019-01-12 04:58:27 +00:00
codec runtime . Codec
timeout time . Duration
2019-04-07 17:07:55 +00:00
options * metav1 . PatchOptions
2019-01-12 04:58:27 +00:00
// Operation information
restPatcher rest . Patcher
name string
patchType types . PatchType
2019-04-07 17:07:55 +00:00
patchBytes [ ] byte
userAgent string
2019-01-12 04:58:27 +00:00
trace * utiltrace . Trace
// Set at invocation-time (by applyPatch) and immutable thereafter
namespace string
updatedObjectInfo rest . UpdatedObjectInfo
mechanism patchMechanism
2019-04-07 17:07:55 +00:00
forceAllowCreate bool
2019-01-12 04:58:27 +00:00
}
type patchMechanism interface {
applyPatchToCurrentObject ( currentObject runtime . Object ) ( runtime . Object , error )
2019-04-07 17:07:55 +00:00
createNewObject ( ) ( runtime . Object , error )
2019-01-12 04:58:27 +00:00
}
type jsonPatcher struct {
* patcher
2019-08-30 18:33:25 +00:00
fieldManager * fieldmanager . FieldManager
2019-01-12 04:58:27 +00:00
}
func ( p * jsonPatcher ) applyPatchToCurrentObject ( currentObject runtime . Object ) ( runtime . Object , error ) {
// Encode will convert & return a versioned object in JSON.
currentObjJS , err := runtime . Encode ( p . codec , currentObject )
if err != nil {
return nil , err
}
// Apply the patch.
patchedObjJS , err := p . applyJSPatch ( currentObjJS )
if err != nil {
return nil , err
}
// Construct the resulting typed, unversioned object.
objToUpdate := p . restPatcher . New ( )
if err := runtime . DecodeInto ( p . codec , patchedObjJS , objToUpdate ) ; err != nil {
2019-09-27 21:51:53 +00:00
return nil , errors . NewInvalid ( schema . GroupKind { } , "" , field . ErrorList {
field . Invalid ( field . NewPath ( "patch" ) , string ( patchedObjJS ) , err . Error ( ) ) ,
} )
2019-01-12 04:58:27 +00:00
}
2019-08-30 18:33:25 +00:00
if p . fieldManager != nil {
2020-06-23 22:12:14 +00:00
objToUpdate = p . fieldManager . UpdateNoErrors ( currentObject , objToUpdate , managerOrUserAgent ( p . options . FieldManager , p . userAgent ) )
2019-08-30 18:33:25 +00:00
}
2019-01-12 04:58:27 +00:00
return objToUpdate , nil
}
2019-04-07 17:07:55 +00:00
func ( p * jsonPatcher ) createNewObject ( ) ( runtime . Object , error ) {
return nil , errors . NewNotFound ( p . resource . GroupResource ( ) , p . name )
}
// applyJSPatch applies the patch. Input and output objects must both have
2019-01-12 04:58:27 +00:00
// the external version, since that is what the patch must have been constructed against.
func ( p * jsonPatcher ) applyJSPatch ( versionedJS [ ] byte ) ( patchedJS [ ] byte , retErr error ) {
switch p . patchType {
case types . JSONPatchType :
2019-10-16 05:42:28 +00:00
// sanity check potentially abusive patches
// TODO(liggitt): drop this once golang json parser limits stack depth (https://github.com/golang/go/issues/31789)
if len ( p . patchBytes ) > 1024 * 1024 {
v := [ ] interface { } { }
2019-11-14 18:56:24 +00:00
if err := json . Unmarshal ( p . patchBytes , & v ) ; err != nil {
2019-10-16 05:42:28 +00:00
return nil , errors . NewBadRequest ( fmt . Sprintf ( "error decoding patch: %v" , err ) )
}
}
2019-04-07 17:07:55 +00:00
patchObj , err := jsonpatch . DecodePatch ( p . patchBytes )
2019-01-12 04:58:27 +00:00
if err != nil {
return nil , errors . NewBadRequest ( err . Error ( ) )
}
2019-03-04 01:22:32 +00:00
if len ( patchObj ) > maxJSONPatchOperations {
return nil , errors . NewRequestEntityTooLargeError (
fmt . Sprintf ( "The allowed maximum operations in a JSON patch is %d, got %d" ,
maxJSONPatchOperations , len ( patchObj ) ) )
}
2019-01-12 04:58:27 +00:00
patchedJS , err := patchObj . Apply ( versionedJS )
if err != nil {
return nil , errors . NewGenericServerResponse ( http . StatusUnprocessableEntity , "" , schema . GroupResource { } , "" , err . Error ( ) , 0 , false )
}
return patchedJS , nil
case types . MergePatchType :
2019-10-16 05:42:28 +00:00
// sanity check potentially abusive patches
// TODO(liggitt): drop this once golang json parser limits stack depth (https://github.com/golang/go/issues/31789)
if len ( p . patchBytes ) > 1024 * 1024 {
v := map [ string ] interface { } { }
2019-11-14 18:56:24 +00:00
if err := json . Unmarshal ( p . patchBytes , & v ) ; err != nil {
2019-10-16 05:42:28 +00:00
return nil , errors . NewBadRequest ( fmt . Sprintf ( "error decoding patch: %v" , err ) )
}
}
2019-04-07 17:07:55 +00:00
return jsonpatch . MergePatch ( versionedJS , p . patchBytes )
2019-01-12 04:58:27 +00:00
default :
// only here as a safety net - go-restful filters content-type
return nil , fmt . Errorf ( "unknown Content-Type header for patch: %v" , p . patchType )
}
}
type smpPatcher struct {
* patcher
// Schema
schemaReferenceObj runtime . Object
2019-08-30 18:33:25 +00:00
fieldManager * fieldmanager . FieldManager
2019-01-12 04:58:27 +00:00
}
func ( p * smpPatcher ) applyPatchToCurrentObject ( currentObject runtime . Object ) ( runtime . Object , error ) {
// Since the patch is applied on versioned objects, we need to convert the
// current object to versioned representation first.
currentVersionedObject , err := p . unsafeConvertor . ConvertToVersion ( currentObject , p . kind . GroupVersion ( ) )
if err != nil {
return nil , err
}
versionedObjToUpdate , err := p . creater . New ( p . kind )
if err != nil {
return nil , err
}
2019-04-07 17:07:55 +00:00
if err := strategicPatchObject ( p . defaulter , currentVersionedObject , p . patchBytes , versionedObjToUpdate , p . schemaReferenceObj ) ; err != nil {
2019-01-12 04:58:27 +00:00
return nil , err
}
// Convert the object back to the hub version
2019-04-07 17:07:55 +00:00
newObj , err := p . unsafeConvertor . ConvertToVersion ( versionedObjToUpdate , p . hubGroupVersion )
if err != nil {
return nil , err
}
2019-08-30 18:33:25 +00:00
if p . fieldManager != nil {
2020-06-23 22:12:14 +00:00
newObj = p . fieldManager . UpdateNoErrors ( currentObject , newObj , managerOrUserAgent ( p . options . FieldManager , p . userAgent ) )
2019-08-30 18:33:25 +00:00
}
2019-04-07 17:07:55 +00:00
return newObj , nil
2019-01-12 04:58:27 +00:00
}
2019-04-07 17:07:55 +00:00
func ( p * smpPatcher ) createNewObject ( ) ( runtime . Object , error ) {
return nil , errors . NewNotFound ( p . resource . GroupResource ( ) , p . name )
}
2019-08-30 18:33:25 +00:00
type applyPatcher struct {
patch [ ] byte
options * metav1 . PatchOptions
creater runtime . ObjectCreater
kind schema . GroupVersionKind
fieldManager * fieldmanager . FieldManager
}
func ( p * applyPatcher ) applyPatchToCurrentObject ( obj runtime . Object ) ( runtime . Object , error ) {
force := false
if p . options . Force != nil {
force = * p . options . Force
}
if p . fieldManager == nil {
panic ( "FieldManager must be installed to run apply" )
}
2020-03-26 21:07:15 +00:00
patchObj := & unstructured . Unstructured { Object : map [ string ] interface { } { } }
if err := yaml . Unmarshal ( p . patch , & patchObj . Object ) ; err != nil {
return nil , errors . NewBadRequest ( fmt . Sprintf ( "error decoding YAML: %v" , err ) )
}
return p . fieldManager . Apply ( obj , patchObj , p . options . FieldManager , force )
2019-08-30 18:33:25 +00:00
}
func ( p * applyPatcher ) createNewObject ( ) ( runtime . Object , error ) {
obj , err := p . creater . New ( p . kind )
if err != nil {
2019-09-27 21:51:53 +00:00
return nil , fmt . Errorf ( "failed to create new object: %v" , err )
2019-08-30 18:33:25 +00:00
}
return p . applyPatchToCurrentObject ( obj )
}
2019-04-07 17:07:55 +00:00
// strategicPatchObject applies a strategic merge patch of <patchBytes> to
2019-01-12 04:58:27 +00:00
// <originalObject> and stores the result in <objToUpdate>.
// It additionally returns the map[string]interface{} representation of the
2019-04-07 17:07:55 +00:00
// <originalObject> and <patchBytes>.
2019-01-12 04:58:27 +00:00
// NOTE: Both <originalObject> and <objToUpdate> are supposed to be versioned.
func strategicPatchObject (
defaulter runtime . ObjectDefaulter ,
originalObject runtime . Object ,
2019-04-07 17:07:55 +00:00
patchBytes [ ] byte ,
2019-01-12 04:58:27 +00:00
objToUpdate runtime . Object ,
schemaReferenceObj runtime . Object ,
) error {
originalObjMap , err := runtime . DefaultUnstructuredConverter . ToUnstructured ( originalObject )
if err != nil {
return err
}
patchMap := make ( map [ string ] interface { } )
2019-04-07 17:07:55 +00:00
if err := json . Unmarshal ( patchBytes , & patchMap ) ; err != nil {
2019-01-12 04:58:27 +00:00
return errors . NewBadRequest ( err . Error ( ) )
}
if err := applyPatchToObject ( defaulter , originalObjMap , patchMap , objToUpdate , schemaReferenceObj ) ; err != nil {
return err
}
return nil
}
// applyPatch is called every time GuaranteedUpdate asks for the updated object,
// and is given the currently persisted object as input.
2019-04-07 17:07:55 +00:00
// TODO: rename this function because the name implies it is related to applyPatcher
func ( p * patcher ) applyPatch ( _ context . Context , _ , currentObject runtime . Object ) ( objToUpdate runtime . Object , patchErr error ) {
2019-01-12 04:58:27 +00:00
// Make sure we actually have a persisted currentObject
p . trace . Step ( "About to apply patch" )
2019-04-07 17:07:55 +00:00
currentObjectHasUID , err := hasUID ( currentObject )
if err != nil {
2019-01-12 04:58:27 +00:00
return nil , err
2019-04-07 17:07:55 +00:00
} else if ! currentObjectHasUID {
objToUpdate , patchErr = p . mechanism . createNewObject ( )
} else {
objToUpdate , patchErr = p . mechanism . applyPatchToCurrentObject ( currentObject )
}
if patchErr != nil {
return nil , patchErr
2019-01-12 04:58:27 +00:00
}
2019-04-07 17:07:55 +00:00
objToUpdateHasUID , err := hasUID ( objToUpdate )
2019-01-12 04:58:27 +00:00
if err != nil {
return nil , err
}
2019-04-07 17:07:55 +00:00
if objToUpdateHasUID && ! currentObjectHasUID {
accessor , err := meta . Accessor ( objToUpdate )
if err != nil {
return nil , err
}
return nil , errors . NewConflict ( p . resource . GroupResource ( ) , p . name , fmt . Errorf ( "uid mismatch: the provided object specified uid %s, and no existing object was found" , accessor . GetUID ( ) ) )
}
2019-01-12 04:58:27 +00:00
if err := checkName ( objToUpdate , p . name , p . namespace , p . namer ) ; err != nil {
return nil , err
}
return objToUpdate , nil
}
2019-08-30 18:33:25 +00:00
func ( p * patcher ) admissionAttributes ( ctx context . Context , updatedObject runtime . Object , currentObject runtime . Object , operation admission . Operation , operationOptions runtime . Object ) admission . Attributes {
2019-04-07 17:07:55 +00:00
userInfo , _ := request . UserFrom ( ctx )
2019-08-30 18:33:25 +00:00
return admission . NewAttributesRecord ( updatedObject , currentObject , p . kind , p . namespace , p . name , p . resource , p . subresource , operation , operationOptions , p . dryRun , userInfo )
2019-04-07 17:07:55 +00:00
}
2019-01-12 04:58:27 +00:00
// applyAdmission is called every time GuaranteedUpdate asks for the updated object,
// and is given the currently persisted object and the patched object as input.
2019-04-07 17:07:55 +00:00
// TODO: rename this function because the name implies it is related to applyPatcher
2019-01-12 04:58:27 +00:00
func ( p * patcher ) applyAdmission ( ctx context . Context , patchedObject runtime . Object , currentObject runtime . Object ) ( runtime . Object , error ) {
p . trace . Step ( "About to check admission control" )
2019-04-07 17:07:55 +00:00
var operation admission . Operation
2019-08-30 18:33:25 +00:00
var options runtime . Object
2019-04-07 17:07:55 +00:00
if hasUID , err := hasUID ( currentObject ) ; err != nil {
return nil , err
} else if ! hasUID {
operation = admission . Create
currentObject = nil
2019-08-30 18:33:25 +00:00
options = patchToCreateOptions ( p . options )
2019-04-07 17:07:55 +00:00
} else {
operation = admission . Update
2019-08-30 18:33:25 +00:00
options = patchToUpdateOptions ( p . options )
2019-04-07 17:07:55 +00:00
}
if p . admissionCheck != nil && p . admissionCheck . Handles ( operation ) {
2019-08-30 18:33:25 +00:00
attributes := p . admissionAttributes ( ctx , patchedObject , currentObject , operation , options )
2019-09-27 21:51:53 +00:00
return patchedObject , p . admissionCheck . Admit ( ctx , attributes , p . objectInterfaces )
2019-04-07 17:07:55 +00:00
}
return patchedObject , nil
2019-01-12 04:58:27 +00:00
}
// patchResource divides PatchResource for easier unit testing
2019-08-30 18:33:25 +00:00
func ( p * patcher ) patchResource ( ctx context . Context , scope * RequestScope ) ( runtime . Object , bool , error ) {
2019-01-12 04:58:27 +00:00
p . namespace = request . NamespaceValue ( ctx )
switch p . patchType {
case types . JSONPatchType , types . MergePatchType :
2019-04-07 17:07:55 +00:00
p . mechanism = & jsonPatcher {
patcher : p ,
2019-08-30 18:33:25 +00:00
fieldManager : scope . FieldManager ,
2019-04-07 17:07:55 +00:00
}
2019-01-12 04:58:27 +00:00
case types . StrategicMergePatchType :
schemaReferenceObj , err := p . unsafeConvertor . ConvertToVersion ( p . restPatcher . New ( ) , p . kind . GroupVersion ( ) )
if err != nil {
2019-04-07 17:07:55 +00:00
return nil , false , err
}
p . mechanism = & smpPatcher {
patcher : p ,
schemaReferenceObj : schemaReferenceObj ,
2019-08-30 18:33:25 +00:00
fieldManager : scope . FieldManager ,
2019-01-12 04:58:27 +00:00
}
2019-04-07 17:07:55 +00:00
// this case is unreachable if ServerSideApply is not enabled because we will have already rejected the content type
2019-08-30 18:33:25 +00:00
case types . ApplyPatchType :
p . mechanism = & applyPatcher {
fieldManager : scope . FieldManager ,
patch : p . patchBytes ,
options : p . options ,
creater : p . creater ,
kind : p . kind ,
}
p . forceAllowCreate = true
2019-01-12 04:58:27 +00:00
default :
2019-04-07 17:07:55 +00:00
return nil , false , fmt . Errorf ( "%v: unimplemented patch type" , p . patchType )
2019-01-12 04:58:27 +00:00
}
2019-04-07 17:07:55 +00:00
wasCreated := false
2019-01-12 04:58:27 +00:00
p . updatedObjectInfo = rest . DefaultUpdatedObjectInfo ( nil , p . applyPatch , p . applyAdmission )
2020-03-26 21:07:15 +00:00
requestFunc := func ( ) ( runtime . Object , error ) {
2019-08-30 18:33:25 +00:00
// Pass in UpdateOptions to override UpdateStrategy.AllowUpdateOnCreate
options := patchToUpdateOptions ( p . options )
2019-04-07 17:07:55 +00:00
updateObject , created , updateErr := p . restPatcher . Update ( ctx , p . name , p . updatedObjectInfo , p . createValidation , p . updateValidation , p . forceAllowCreate , options )
wasCreated = created
2019-01-12 04:58:27 +00:00
return updateObject , updateErr
2020-03-26 21:07:15 +00:00
}
result , err := finishRequest ( p . timeout , func ( ) ( runtime . Object , error ) {
result , err := requestFunc ( )
// If the object wasn't committed to storage because it's serialized size was too large,
// it is safe to remove managedFields (which can be large) and try again.
if isTooLargeError ( err ) && p . patchType != types . ApplyPatchType {
if _ , accessorErr := meta . Accessor ( p . restPatcher . New ( ) ) ; accessorErr == nil {
p . updatedObjectInfo = rest . DefaultUpdatedObjectInfo ( nil , p . applyPatch , p . applyAdmission , func ( _ context . Context , obj , _ runtime . Object ) ( runtime . Object , error ) {
accessor , _ := meta . Accessor ( obj )
accessor . SetManagedFields ( nil )
return obj , nil
} )
result , err = requestFunc ( )
}
}
return result , err
2019-01-12 04:58:27 +00:00
} )
2019-04-07 17:07:55 +00:00
return result , wasCreated , err
2019-01-12 04:58:27 +00:00
}
// applyPatchToObject applies a strategic merge patch of <patchMap> to
// <originalMap> and stores the result in <objToUpdate>.
// NOTE: <objToUpdate> must be a versioned object.
func applyPatchToObject (
defaulter runtime . ObjectDefaulter ,
originalMap map [ string ] interface { } ,
patchMap map [ string ] interface { } ,
objToUpdate runtime . Object ,
schemaReferenceObj runtime . Object ,
) error {
patchedObjMap , err := strategicpatch . StrategicMergeMapPatch ( originalMap , patchMap , schemaReferenceObj )
if err != nil {
return interpretStrategicMergePatchError ( err )
}
// Rather than serialize the patched map to JSON, then decode it to an object, we go directly from a map to an object
if err := runtime . DefaultUnstructuredConverter . FromUnstructured ( patchedObjMap , objToUpdate ) ; err != nil {
2019-09-27 21:51:53 +00:00
return errors . NewInvalid ( schema . GroupKind { } , "" , field . ErrorList {
field . Invalid ( field . NewPath ( "patch" ) , fmt . Sprintf ( "%+v" , patchMap ) , err . Error ( ) ) ,
} )
2019-01-12 04:58:27 +00:00
}
// Decoding from JSON to a versioned object would apply defaults, so we do the same here
defaulter . Default ( objToUpdate )
return nil
}
// interpretStrategicMergePatchError interprets the error type and returns an error with appropriate HTTP code.
func interpretStrategicMergePatchError ( err error ) error {
switch err {
case mergepatch . ErrBadJSONDoc , mergepatch . ErrBadPatchFormatForPrimitiveList , mergepatch . ErrBadPatchFormatForRetainKeys , mergepatch . ErrBadPatchFormatForSetElementOrderList , mergepatch . ErrUnsupportedStrategicMergePatchFormat :
return errors . NewBadRequest ( err . Error ( ) )
case mergepatch . ErrNoListOfLists , mergepatch . ErrPatchContentNotMatchRetainKeys :
return errors . NewGenericServerResponse ( http . StatusUnprocessableEntity , "" , schema . GroupResource { } , "" , err . Error ( ) , 0 , false )
default :
return err
}
}
2019-04-07 17:07:55 +00:00
2019-08-30 18:33:25 +00:00
// patchToUpdateOptions creates an UpdateOptions with the same field values as the provided PatchOptions.
func patchToUpdateOptions ( po * metav1 . PatchOptions ) * metav1 . UpdateOptions {
if po == nil {
return nil
}
uo := & metav1 . UpdateOptions {
DryRun : po . DryRun ,
FieldManager : po . FieldManager ,
}
uo . TypeMeta . SetGroupVersionKind ( metav1 . SchemeGroupVersion . WithKind ( "UpdateOptions" ) )
return uo
}
// patchToCreateOptions creates an CreateOptions with the same field values as the provided PatchOptions.
func patchToCreateOptions ( po * metav1 . PatchOptions ) * metav1 . CreateOptions {
if po == nil {
return nil
}
co := & metav1 . CreateOptions {
DryRun : po . DryRun ,
FieldManager : po . FieldManager ,
2019-04-07 17:07:55 +00:00
}
2019-08-30 18:33:25 +00:00
co . TypeMeta . SetGroupVersionKind ( metav1 . SchemeGroupVersion . WithKind ( "CreateOptions" ) )
return co
2019-04-07 17:07:55 +00:00
}