feat: image PullPolicy webhook enforcer

api/v1alpha1/domain/imagepullpolicy.go

@@ -0,0 +1,51 @@
+// Copyright 2020-2021 Clastix Labs
+// SPDX-License-Identifier: Apache-2.0
+
+package domain
+
+import (
+	"strings"
+
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+const (
+	podAllowedImagePullPolicyAnnotation = "capsule.clastix.io/allowed-image-pull-policy"
+)
+
+type ImagePullPolicy interface {
+	IsPolicySupported(policy string) bool
+	AllowedPullPolicies() []string
+}
+
+type imagePullPolicyValidator struct {
+	allowedPolicies []string
+}
+
+func (i imagePullPolicyValidator) IsPolicySupported(policy string) bool {
+	for _, allowed := range i.allowedPolicies {
+		if strings.EqualFold(allowed, policy) {
+			return true
+		}
+	}
+
+	return false
+}
+
+func (i imagePullPolicyValidator) AllowedPullPolicies() []string {
+	return i.allowedPolicies
+}
+
+func NewImagePullPolicy(object metav1.Object) ImagePullPolicy {
+	annotations := object.GetAnnotations()
+
+	v, ok := annotations[podAllowedImagePullPolicyAnnotation]
+	// the Tenant doesn't enforce the allowed image pull policy, returning nil
+	if !ok {
+		return nil
+	}
+
+	return &imagePullPolicyValidator{
+		allowedPolicies: strings.Split(v, ","),
+	}
+}

main.go

@@ -28,6 +28,7 @@ import (
 	"github.com/clastix/capsule/pkg/configuration"
 	"github.com/clastix/capsule/pkg/indexer"
 	"github.com/clastix/capsule/pkg/webhook"
+	"github.com/clastix/capsule/pkg/webhook/imagepullpolicy"
 	"github.com/clastix/capsule/pkg/webhook/ingress"
 	"github.com/clastix/capsule/pkg/webhook/namespacequota"
 	"github.com/clastix/capsule/pkg/webhook/networkpolicies"
@@ -153,6 +154,7 @@ func main() {
 		networkpolicies.Webhook(utils.InCapsuleGroups(cfg, networkpolicies.Handler())),
 		tenantprefix.Webhook(utils.InCapsuleGroups(cfg, tenantprefix.Handler(cfg, webhookRecorder))),
 		tenant.Webhook(tenant.Handler(cfg)),
+		imagepullpolicy.Webhook(imagepullpolicy.Handler()),
 	)
 	if err = webhook.Register(manager, webhooksList...); err != nil {
 		setupLog.Error(err, "unable to setup webhooks")

pkg/webhook/imagepullpolicy/errors.go

@@ -0,0 +1,27 @@
+// Copyright 2020-2021 Clastix Labs
+// SPDX-License-Identifier: Apache-2.0
+
+package imagepullpolicy
+
+import (
+	"fmt"
+	"strings"
+)
+
+type podPriorityClassForbidden struct {
+	usedPullPolicy      string
+	allowedPullPolicies []string
+	containerName       string
+}
+
+func NewImagePullPolicyForbidden(usedPullPolicy, containerName string, allowedPullPolicies []string) error {
+	return &podPriorityClassForbidden{
+		usedPullPolicy:      usedPullPolicy,
+		containerName:       containerName,
+		allowedPullPolicies: allowedPullPolicies,
+	}
+}
+
+func (f podPriorityClassForbidden) Error() (err string) {
+	return fmt.Sprintf("the ImagePullPolicy %s for container %s is not allowed, use one of the followings: %s", f.usedPullPolicy, f.containerName, strings.Join(f.allowedPullPolicies, ", "))
+}

pkg/webhook/imagepullpolicy/validating.go

@@ -0,0 +1,98 @@
+// Copyright 2020-2021 Clastix Labs
+// SPDX-License-Identifier: Apache-2.0
+
+package imagepullpolicy
+
+import (
+	"context"
+	"net/http"
+
+	corev1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/fields"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
+
+	"github.com/clastix/capsule/api/v1alpha1"
+	"github.com/clastix/capsule/api/v1alpha1/domain"
+	capsulewebhook "github.com/clastix/capsule/pkg/webhook"
+)
+
+// +kubebuilder:webhook:path=/validating-imagepullpolicy,mutating=false,sideEffects=None,admissionReviewVersions=v1,failurePolicy=fail,groups="",resources=pods,verbs=create,versions=v1,name=validating-image-pull-policy.capsule.clastix.io
+
+type webhook struct {
+	handler capsulewebhook.Handler
+}
+
+func Webhook(handler capsulewebhook.Handler) capsulewebhook.Webhook {
+	return &webhook{handler: handler}
+}
+
+func (w *webhook) GetHandler() capsulewebhook.Handler {
+	return w.handler
+}
+
+func (w *webhook) GetName() string {
+	return "ImagePullPolicy"
+}
+
+func (w *webhook) GetPath() string {
+	return "/validating-imagepullpolicy"
+}
+
+type handler struct{}
+
+func Handler() capsulewebhook.Handler {
+	return &handler{}
+}
+
+func (r *handler) OnCreate(c client.Client, decoder *admission.Decoder) capsulewebhook.Func {
+	return func(ctx context.Context, req admission.Request) admission.Response {
+		var pod = &corev1.Pod{}
+
+		if err := decoder.Decode(req, pod); err != nil {
+			return admission.Errored(http.StatusBadRequest, err)
+		}
+
+		var tntList = &v1alpha1.TenantList{}
+
+		if err := c.List(ctx, tntList, client.MatchingFieldsSelector{
+			Selector: fields.OneTermEqualSelector(".status.namespaces", pod.Namespace),
+		}); err != nil {
+			return admission.Errored(http.StatusBadRequest, err)
+		}
+		// the Pod is not running in a Namespace managed by a Tenant
+		if len(tntList.Items) == 0 {
+			return admission.Allowed("")
+		}
+
+		tnt := tntList.Items[0]
+
+		policy := domain.NewImagePullPolicy(&tnt)
+		// if Tenant doesn't enforce the pull policy, exit
+		if policy == nil {
+			return admission.Allowed("")
+		}
+
+		for _, container := range pod.Spec.Containers {
+			usedPullPolicy := string(container.ImagePullPolicy)
+
+			if !policy.IsPolicySupported(usedPullPolicy) {
+				return admission.Denied(NewImagePullPolicyForbidden(usedPullPolicy, container.Name, policy.AllowedPullPolicies()).Error())
+			}
+		}
+
+		return admission.Allowed("")
+	}
+}
+
+func (r *handler) OnUpdate(client client.Client, decoder *admission.Decoder) capsulewebhook.Func {
+	return func(ctx context.Context, req admission.Request) admission.Response {
+		return admission.Allowed("")
+	}
+}
+
+func (r *handler) OnDelete(client client.Client, decoder *admission.Decoder) capsulewebhook.Func {
+	return func(ctx context.Context, req admission.Request) admission.Response {
+		return admission.Allowed("")
+	}
+}