chore(deps): update dependency golangci/golangci-lint to v2 (#1405)

* chore(deps): update dependency golangci/golangci-lint to v2

* chore(golint): bump v2 and satisfy linters

Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>

---------

Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: Oliver Bähler <oliverbaehler@hotmail.com>
renovate[bot]
2025-04-30 13:45:10 +02:00
committed by GitHub
parent 5a32195091
commit e286dc94a7
44 changed files with 453 additions and 429 deletions


@@ -49,12 +49,12 @@ func (h *handler) OnUpdate(client client.Client, decoder admission.Decoder, reco
func (h *handler) mutate(ctx context.Context, req admission.Request, c client.Client, decoder admission.Decoder, recorder record.EventRecorder) *admission.Response {
var response *admission.Response
switch {
case req.Resource == (metav1.GroupVersionResource{Group: "", Version: "v1", Resource: "pods"}):
switch req.Resource {
case metav1.GroupVersionResource{Group: "", Version: "v1", Resource: "pods"}:
response = mutatePodDefaults(ctx, req, c, decoder, recorder, req.Namespace)
case req.Resource == (metav1.GroupVersionResource{Group: "", Version: "v1", Resource: "persistentvolumeclaims"}):
case metav1.GroupVersionResource{Group: "", Version: "v1", Resource: "persistentvolumeclaims"}:
response = mutatePVCDefaults(ctx, req, c, decoder, recorder, req.Namespace)
case req.Resource == (metav1.GroupVersionResource{Group: "networking.k8s.io", Version: "v1", Resource: "ingresses"}) || req.Resource == (metav1.GroupVersionResource{Group: "networking.k8s.io", Version: "v1beta1", Resource: "ingresses"}):
case metav1.GroupVersionResource{Group: "networking.k8s.io", Version: "v1", Resource: "ingresses"}, metav1.GroupVersionResource{Group: "networking.k8s.io", Version: "v1beta1", Resource: "ingresses"}:
response = mutateIngressDefaults(ctx, req, h.version, c, decoder, recorder, req.Namespace)
}


@@ -79,7 +79,7 @@ func (n NetworkingV1) HostnamePathsPairs() (pairs map[string]sets.Set[string]) {
pairs[host] = sets.New[string]()
}
if http := rule.IngressRuleValue.HTTP; http != nil {
if http := rule.HTTP; http != nil {
for _, path := range http.Paths {
pairs[host].Insert(path.Path)
}
@@ -149,7 +149,7 @@ func (n NetworkingV1Beta1) HostnamePathsPairs() (pairs map[string]sets.Set[strin
pairs[host] = sets.New[string]()
}
if http := rule.IngressRuleValue.HTTP; http != nil {
if http := rule.HTTP; http != nil {
for _, path := range http.Paths {
pairs[host].Insert(path.Path)
}
@@ -217,7 +217,7 @@ func (e Extension) HostnamePathsPairs() (pairs map[string]sets.Set[string]) {
pairs[host] = sets.New[string]()
}
if http := rule.IngressRuleValue.HTTP; http != nil {
if http := rule.HTTP; http != nil {
for _, path := range http.Paths {
pairs[host].Insert(path.Path)
}


@@ -35,7 +35,7 @@ func (r *freezedHandler) OnCreate(client client.Client, decoder admission.Decode
return utils.ErroredResponse(err)
}
for _, objectRef := range ns.ObjectMeta.OwnerReferences {
for _, objectRef := range ns.OwnerReferences {
if !capsuleutils.IsTenantOwnerReference(objectRef) {
continue
}


@@ -57,7 +57,7 @@ func (r *patchHandler) OnUpdate(c client.Client, decoder admission.Decoder, reco
// Extract Tenant from namespace
e := fmt.Sprintf("namespace/%s can not be patched", ns.Name)
if label, ok := ns.ObjectMeta.Labels[ln]; ok {
if label, ok := ns.Labels[ln]; ok {
// retrieving the selected Tenant
tnt := &capsulev1beta2.Tenant{}
if err = c.Get(ctx, types.NamespacedName{Name: label}, tnt); err != nil {


@@ -49,7 +49,7 @@ func (r *prefixHandler) OnCreate(clt client.Client, decoder admission.Decoder, r
if r.configuration.ForceTenantPrefix() {
tnt := &capsulev1beta2.Tenant{}
for _, or := range ns.ObjectMeta.OwnerReferences {
for _, or := range ns.OwnerReferences {
if !capsuleutils.IsTenantOwnerReference(or) {
continue
}


@@ -31,7 +31,7 @@ func (r *quotaHandler) OnCreate(client client.Client, decoder admission.Decoder,
return utils.ErroredResponse(err)
}
for _, objectRef := range ns.ObjectMeta.OwnerReferences {
for _, objectRef := range ns.OwnerReferences {
if !capsuleutils.IsTenantOwnerReference(objectRef) {
continue
}


@@ -35,7 +35,7 @@ func (r *userMetadataHandler) OnCreate(client client.Client, decoder admission.D
tnt := &capsulev1beta2.Tenant{}
for _, objectRef := range ns.ObjectMeta.OwnerReferences {
for _, objectRef := range ns.OwnerReferences {
if !capsuleutils.IsTenantOwnerReference(objectRef) {
continue
}
@@ -47,7 +47,7 @@ func (r *userMetadataHandler) OnCreate(client client.Client, decoder admission.D
}
if tnt.Spec.NamespaceOptions != nil {
err := api.ValidateForbidden(ns.ObjectMeta.Annotations, tnt.Spec.NamespaceOptions.ForbiddenAnnotations)
err := api.ValidateForbidden(ns.Annotations, tnt.Spec.NamespaceOptions.ForbiddenAnnotations)
if err != nil {
err = errors.Wrap(err, "namespace annotations validation failed")
recorder.Eventf(tnt, corev1.EventTypeWarning, api.ForbiddenAnnotationReason, err.Error())
@@ -56,7 +56,7 @@ func (r *userMetadataHandler) OnCreate(client client.Client, decoder admission.D
return &response
}
err = api.ValidateForbidden(ns.ObjectMeta.Labels, tnt.Spec.NamespaceOptions.ForbiddenLabels)
err = api.ValidateForbidden(ns.Labels, tnt.Spec.NamespaceOptions.ForbiddenLabels)
if err != nil {
err = errors.Wrap(err, "namespace labels validation failed")
recorder.Eventf(tnt, corev1.EventTypeWarning, api.ForbiddenLabelReason, err.Error())
@@ -90,7 +90,7 @@ func (r *userMetadataHandler) OnUpdate(client client.Client, decoder admission.D
tnt := &capsulev1beta2.Tenant{}
for _, objectRef := range newNs.ObjectMeta.OwnerReferences {
for _, objectRef := range newNs.OwnerReferences {
if !capsuleutils.IsTenantOwnerReference(objectRef) {
continue
}


@@ -67,7 +67,7 @@ func (r *handler) handle(ctx context.Context, req admission.Request, client clie
allowed = true
np := &networkingv1.NetworkPolicy{}
if err = client.Get(ctx, types.NamespacedName{Namespace: req.AdmissionRequest.Namespace, Name: req.AdmissionRequest.Name}, np); err != nil {
if err = client.Get(ctx, types.NamespacedName{Namespace: req.Namespace, Name: req.Name}, np); err != nil {
return false, err
}


@@ -42,42 +42,6 @@ func (r *userMetadataHandler) OnDelete(client.Client, admission.Decoder, record.
}
}
func (r *userMetadataHandler) getForbiddenNodeLabels(node *corev1.Node) map[string]string {
forbiddenNodeLabels := make(map[string]string)
forbiddenLabels := r.configuration.ForbiddenUserNodeLabels()
for label, value := range node.GetLabels() {
var forbidden, matched bool
forbidden = forbiddenLabels.ExactMatch(label)
matched = forbiddenLabels.RegexMatch(label)
if forbidden || matched {
forbiddenNodeLabels[label] = value
}
}
return forbiddenNodeLabels
}
func (r *userMetadataHandler) getForbiddenNodeAnnotations(node *corev1.Node) map[string]string {
forbiddenNodeAnnotations := make(map[string]string)
forbiddenAnnotations := r.configuration.ForbiddenUserNodeAnnotations()
for annotation, value := range node.GetAnnotations() {
var forbidden, matched bool
forbidden = forbiddenAnnotations.ExactMatch(annotation)
matched = forbiddenAnnotations.RegexMatch(annotation)
if forbidden || matched {
forbiddenNodeAnnotations[annotation] = value
}
}
return forbiddenNodeAnnotations
}
func (r *userMetadataHandler) OnUpdate(_ client.Client, decoder admission.Decoder, recorder record.EventRecorder) capsulewebhook.Func {
return func(_ context.Context, req admission.Request) *admission.Response {
nodeWebhookSupported, _ := utils.NodeWebhookSupported(r.version)
@@ -125,3 +89,39 @@ func (r *userMetadataHandler) OnUpdate(_ client.Client, decoder admission.Decode
return nil
}
}
func (r *userMetadataHandler) getForbiddenNodeLabels(node *corev1.Node) map[string]string {
forbiddenNodeLabels := make(map[string]string)
forbiddenLabels := r.configuration.ForbiddenUserNodeLabels()
for label, value := range node.GetLabels() {
var forbidden, matched bool
forbidden = forbiddenLabels.ExactMatch(label)
matched = forbiddenLabels.RegexMatch(label)
if forbidden || matched {
forbiddenNodeLabels[label] = value
}
}
return forbiddenNodeLabels
}
func (r *userMetadataHandler) getForbiddenNodeAnnotations(node *corev1.Node) map[string]string {
forbiddenNodeAnnotations := make(map[string]string)
forbiddenAnnotations := r.configuration.ForbiddenUserNodeAnnotations()
for annotation, value := range node.GetAnnotations() {
var forbidden, matched bool
forbidden = forbiddenAnnotations.ExactMatch(annotation)
matched = forbiddenAnnotations.RegexMatch(annotation)
if forbidden || matched {
forbiddenNodeAnnotations[annotation] = value
}
}
return forbiddenNodeAnnotations
}
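Review bot: `getForbiddenNodeLabels` and `getForbiddenNodeAnnotations` each declare `var forbidden, matched bool` and then assign both on the next two lines, which reads as more state than there is. The condition can be written directly as `if forbiddenLabels.ExactMatch(label) || forbiddenLabels.RegexMatch(label) {` (and the same for annotations), assuming `RegexMatch` has no side effect that the short-circuit would skip. Neither helper has a doc comment; something like `// getForbiddenNodeLabels returns the labels on node that match the configured forbidden user node labels.` would say what the returned map holds.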


@@ -145,7 +145,7 @@ func (h *handler) setOwnerRef(ctx context.Context, req admission.Request, client
}
// If we already had TenantName label on NS -> assign to it
if label, ok := ns.ObjectMeta.Labels[ln]; ok {
if label, ok := ns.Labels[ln]; ok {
// retrieving the selected Tenant
tnt := &capsulev1beta2.Tenant{}
if err = client.Get(ctx, types.NamespacedName{Name: label}, tnt); err != nil {


@@ -64,14 +64,14 @@ func (h *containerRegistryHandler) validate(ctx context.Context, c client.Client
if tnt.Spec.ContainerRegistries != nil {
// Evaluate init containers
for _, container := range pod.Spec.InitContainers {
if response := h.VerifyContainerRegistry(recorder, req, container, tnt); response != nil {
if response := h.verifyContainerRegistry(recorder, req, container, tnt); response != nil {
return response
}
}
// Evaluate containers
for _, container := range pod.Spec.Containers {
if response := h.VerifyContainerRegistry(recorder, req, container, tnt); response != nil {
if response := h.verifyContainerRegistry(recorder, req, container, tnt); response != nil {
return response
}
}
@@ -80,7 +80,7 @@ func (h *containerRegistryHandler) validate(ctx context.Context, c client.Client
return nil
}
func (h *containerRegistryHandler) VerifyContainerRegistry(recorder record.EventRecorder, req admission.Request, container corev1.Container, tnt capsulev1beta2.Tenant) *admission.Response {
func (h *containerRegistryHandler) verifyContainerRegistry(recorder record.EventRecorder, req admission.Request, container corev1.Container, tnt capsulev1beta2.Tenant) *admission.Response {
var valid, matched bool
reg := NewRegistry(container.Image)
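Review bot: `validate` passes only `pod.Spec.InitContainers` and `pod.Spec.Containers` to `verifyContainerRegistry`; no loop over `pod.Spec.EphemeralContainers` is visible, so an ephemeral container's image would not be compared against the tenant's `ContainerRegistries`. Two lines between the hunks are not shown, and whether this webhook is registered for the ephemeral-containers subresource cannot be told from here, so treat this as a gap to confirm. If it is one, a third loop as below closes it. The bodies of `validate` and `verifyContainerRegistry` continue outside the hunks.

```go
// … unchanged: init-container and container loops …
// Evaluate ephemeral containers
for _, ec := range pod.Spec.EphemeralContainers {
	if response := h.verifyContainerRegistry(recorder, req, corev1.Container(ec.EphemeralContainerCommon), tnt); response != nil {
		return response
	}
}
```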


@@ -49,6 +49,13 @@ func (r registry) Tag() string {
return res
}
type Registry interface {
Registry() string
Repository() string
Image() string
Tag() string
}
func NewRegistry(value string) Registry {
reg := make(registry)
r := regexp.MustCompile(`((?P<registry>[a-zA-Z0-9-._]+(:\d+)?)\/)?(?P<repository>.*\/)?(?P<image>[a-zA-Z0-9-._]+:(?P<tag>[a-zA-Z0-9-._]+))?`)
@@ -62,10 +69,3 @@ func NewRegistry(value string) Registry {
return reg
}
type Registry interface {
Registry() string
Repository() string
Image() string
Tag() string
}
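Review bot: `regexp.MustCompile` is called inside `NewRegistry`, so the pattern is recompiled on every call; the admission path appears to call `NewRegistry` once per container. Hoisting it to package scope, e.g. `var registryPattern = regexp.MustCompile(...)` with the same pattern, compiles it once and surfaces a bad pattern at start-up instead of on the first request. Every group in the pattern is optional, so it matches any input, including an image reference without a tag; a doc comment on `NewRegistry` stating what the accessors return in that case would help whoever relies on it for registry allow-listing. The rest of `NewRegistry` lies outside the hunks.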


@@ -24,19 +24,6 @@ func RuntimeClass() capsulewebhook.Handler {
return &runtimeClass{}
}
func (h *runtimeClass) class(ctx context.Context, c client.Client, name string) (client.Object, error) {
if len(name) == 0 {
return nil, nil
}
obj := &nodev1.RuntimeClass{}
if err := c.Get(ctx, types.NamespacedName{Name: name}, obj); err != nil {
return nil, err
}
return obj, nil
}
func (h *runtimeClass) OnCreate(c client.Client, decoder admission.Decoder, recorder record.EventRecorder) capsulewebhook.Func {
return func(ctx context.Context, req admission.Request) *admission.Response {
return h.validate(ctx, c, decoder, recorder, req)
@@ -55,6 +42,19 @@ func (h *runtimeClass) OnUpdate(client.Client, admission.Decoder, record.EventRe
}
}
func (h *runtimeClass) class(ctx context.Context, c client.Client, name string) (client.Object, error) {
if len(name) == 0 {
return nil, nil
}
obj := &nodev1.RuntimeClass{}
if err := c.Get(ctx, types.NamespacedName{Name: name}, obj); err != nil {
return nil, err
}
return obj, nil
}
func (h *runtimeClass) validate(ctx context.Context, c client.Client, decoder admission.Decoder, recorder record.EventRecorder, req admission.Request) *admission.Response {
pod := &corev1.Pod{}
if err := decoder.Decode(req, pod); err != nil {
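Review bot: `class` returns `nil, nil` when `name` is empty, so a caller that checks only `err` ends up holding a nil `client.Object`. The helper has no doc comment stating this; I would add `// class fetches the RuntimeClass called name. It returns (nil, nil) when name is empty, so callers must nil-check the object.` above it. The body of `validate`, which presumably consumes the result, continues outside the hunk and cannot be checked from here.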


@@ -27,6 +27,24 @@ func Handler() capsulewebhook.Handler {
return &handler{}
}
func (r *handler) OnCreate(client client.Client, decoder admission.Decoder, recorder record.EventRecorder) capsulewebhook.Func {
return func(ctx context.Context, req admission.Request) *admission.Response {
return r.handleService(ctx, client, decoder, req, recorder)
}
}
func (r *handler) OnUpdate(client client.Client, decoder admission.Decoder, recorder record.EventRecorder) capsulewebhook.Func {
return func(ctx context.Context, req admission.Request) *admission.Response {
return r.handleService(ctx, client, decoder, req, recorder)
}
}
func (r *handler) OnDelete(client.Client, admission.Decoder, record.EventRecorder) capsulewebhook.Func {
return func(context.Context, admission.Request) *admission.Response {
return nil
}
}
func (r *handler) handleService(ctx context.Context, clt client.Client, decoder admission.Decoder, req admission.Request, recorder record.EventRecorder) *admission.Response {
svc := &corev1.Service{}
if err := decoder.Decode(req, svc); err != nil {
@@ -124,21 +142,3 @@ func (r *handler) handleService(ctx context.Context, clt client.Client, decoder
return nil
}
func (r *handler) OnCreate(client client.Client, decoder admission.Decoder, recorder record.EventRecorder) capsulewebhook.Func {
return func(ctx context.Context, req admission.Request) *admission.Response {
return r.handleService(ctx, client, decoder, req, recorder)
}
}
func (r *handler) OnUpdate(client client.Client, decoder admission.Decoder, recorder record.EventRecorder) capsulewebhook.Func {
return func(ctx context.Context, req admission.Request) *admission.Response {
return r.handleService(ctx, client, decoder, req, recorder)
}
}
func (r *handler) OnDelete(client.Client, admission.Decoder, record.EventRecorder) capsulewebhook.Func {
return func(context.Context, admission.Request) *admission.Response {
return nil
}
}


@@ -23,23 +23,6 @@ func ContainerRegistryRegexHandler() capsulewebhook.Handler {
return &containerRegistryRegexHandler{}
}
func (h *containerRegistryRegexHandler) validate(decoder admission.Decoder, req admission.Request) *admission.Response {
tenant := &capsulev1beta2.Tenant{}
if err := decoder.Decode(req, tenant); err != nil {
return utils.ErroredResponse(err)
}
if tenant.Spec.ContainerRegistries != nil && len(tenant.Spec.ContainerRegistries.Regex) > 0 {
if _, err := regexp.Compile(tenant.Spec.ContainerRegistries.Regex); err != nil {
response := admission.Denied("unable to compile containerRegistries allowedRegex")
return &response
}
}
return nil
}
func (h *containerRegistryRegexHandler) OnCreate(_ client.Client, decoder admission.Decoder, _ record.EventRecorder) capsulewebhook.Func {
return func(_ context.Context, req admission.Request) *admission.Response {
if err := h.validate(decoder, req); err != nil {
@@ -65,3 +48,20 @@ func (h *containerRegistryRegexHandler) OnUpdate(_ client.Client, decoder admiss
return nil
}
}
func (h *containerRegistryRegexHandler) validate(decoder admission.Decoder, req admission.Request) *admission.Response {
tenant := &capsulev1beta2.Tenant{}
if err := decoder.Decode(req, tenant); err != nil {
return utils.ErroredResponse(err)
}
if tenant.Spec.ContainerRegistries != nil && len(tenant.Spec.ContainerRegistries.Regex) > 0 {
if _, err := regexp.Compile(tenant.Spec.ContainerRegistries.Regex); err != nil {
response := admission.Denied("unable to compile containerRegistries allowedRegex")
return &response
}
}
return nil
}
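Review bot: In `validate`, the error from `regexp.Compile` is discarded and the request is denied with the fixed text "unable to compile containerRegistries allowedRegex", so the person submitting the Tenant is not told what is wrong with the pattern. Appending the cause, e.g. `admission.Denied(fmt.Sprintf("unable to compile containerRegistries allowedRegex: %s", err))`, would make the denial actionable; the file would need `fmt` in its imports, which are not shown. The same applies to the moved `validate` methods of `hostnameRegexHandler`, `ingressClassRegexHandler` and `storageClassRegexHandler` further down. Separately, `OnCreate` binds the returned `*admission.Response` to a variable named `err`, which the hostname and ingress-class handlers name `response`.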


@@ -30,6 +30,24 @@ func CordoningHandler(configuration configuration.Configuration) capsulewebhook.
}
}
func (h *cordoningHandler) OnCreate(client client.Client, _ admission.Decoder, recorder record.EventRecorder) capsulewebhook.Func {
return func(ctx context.Context, req admission.Request) *admission.Response {
return h.cordonHandler(ctx, client, req, recorder)
}
}
func (h *cordoningHandler) OnDelete(client client.Client, _ admission.Decoder, recorder record.EventRecorder) capsulewebhook.Func {
return func(ctx context.Context, req admission.Request) *admission.Response {
return h.cordonHandler(ctx, client, req, recorder)
}
}
func (h *cordoningHandler) OnUpdate(client client.Client, _ admission.Decoder, recorder record.EventRecorder) capsulewebhook.Func {
return func(ctx context.Context, req admission.Request) *admission.Response {
return h.cordonHandler(ctx, client, req, recorder)
}
}
func (h *cordoningHandler) cordonHandler(ctx context.Context, clt client.Client, req admission.Request, recorder record.EventRecorder) *admission.Response {
tntList := &capsulev1beta2.TenantList{}
@@ -54,21 +72,3 @@ func (h *cordoningHandler) cordonHandler(ctx context.Context, clt client.Client,
return nil
}
func (h *cordoningHandler) OnCreate(client client.Client, _ admission.Decoder, recorder record.EventRecorder) capsulewebhook.Func {
return func(ctx context.Context, req admission.Request) *admission.Response {
return h.cordonHandler(ctx, client, req, recorder)
}
}
func (h *cordoningHandler) OnDelete(client client.Client, _ admission.Decoder, recorder record.EventRecorder) capsulewebhook.Func {
return func(ctx context.Context, req admission.Request) *admission.Response {
return h.cordonHandler(ctx, client, req, recorder)
}
}
func (h *cordoningHandler) OnUpdate(client client.Client, _ admission.Decoder, recorder record.EventRecorder) capsulewebhook.Func {
return func(ctx context.Context, req admission.Request) *admission.Response {
return h.cordonHandler(ctx, client, req, recorder)
}
}


@@ -31,22 +31,6 @@ func ResourceCounterHandler(client client.Client) capsulewebhook.Handler {
}
}
func (r *resourceCounterHandler) getTenantName(ctx context.Context, clt client.Client, req admission.Request) (string, error) {
tntList := &capsulev1beta2.TenantList{}
if err := clt.List(ctx, tntList, client.MatchingFieldsSelector{
Selector: fields.OneTermEqualSelector(".status.namespaces", req.Namespace),
}); err != nil {
return "", err
}
if len(tntList.Items) == 0 {
return "", nil
}
return tntList.Items[0].GetName(), nil
}
func (r *resourceCounterHandler) OnCreate(clt client.Client, _ admission.Decoder, recorder record.EventRecorder) capsulewebhook.Func {
return func(ctx context.Context, req admission.Request) *admission.Response {
var tntName string
@@ -150,3 +134,19 @@ func (r *resourceCounterHandler) OnUpdate(client.Client, admission.Decoder, reco
return nil
}
}
func (r *resourceCounterHandler) getTenantName(ctx context.Context, clt client.Client, req admission.Request) (string, error) {
tntList := &capsulev1beta2.TenantList{}
if err := clt.List(ctx, tntList, client.MatchingFieldsSelector{
Selector: fields.OneTermEqualSelector(".status.namespaces", req.Namespace),
}); err != nil {
return "", err
}
if len(tntList.Items) == 0 {
return "", nil
}
return tntList.Items[0].GetName(), nil
}
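Review bot: `getTenantName` returns `"", nil` when no Tenant lists `req.Namespace`, and silently takes `tntList.Items[0]` when more than one does; neither behaviour is documented. A doc comment such as `// getTenantName returns the name of the first Tenant whose .status.namespaces contains req.Namespace, or "" with a nil error when there is none.` would make the contract explicit for the `OnCreate` caller, whose body is outside the hunk. If more than one match is not expected, it may be worth treating `len(tntList.Items) > 1` as an error rather than picking one.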


@@ -23,32 +23,6 @@ func ForbiddenAnnotationsRegexHandler() capsulewebhook.Handler {
return &forbiddenAnnotationsRegexHandler{}
}
func (h *forbiddenAnnotationsRegexHandler) validate(decoder admission.Decoder, req admission.Request) *admission.Response {
tenant := &capsulev1beta2.Tenant{}
if err := decoder.Decode(req, tenant); err != nil {
return utils.ErroredResponse(err)
}
if tenant.Spec.NamespaceOptions == nil {
return nil
}
annotationsToCheck := map[string]string{
"labels": tenant.Spec.NamespaceOptions.ForbiddenLabels.Regex,
"annotations": tenant.Spec.NamespaceOptions.ForbiddenAnnotations.Regex,
}
for scope, annotation := range annotationsToCheck {
if _, err := regexp.Compile(tenant.Spec.NamespaceOptions.ForbiddenLabels.Regex); err != nil {
response := admission.Denied(fmt.Sprintf("unable to compile %s regex for forbidden %s", annotation, scope))
return &response
}
}
return nil
}
func (h *forbiddenAnnotationsRegexHandler) OnCreate(_ client.Client, decoder admission.Decoder, _ record.EventRecorder) capsulewebhook.Func {
return func(_ context.Context, req admission.Request) *admission.Response {
if err := h.validate(decoder, req); err != nil {
@@ -74,3 +48,29 @@ func (h *forbiddenAnnotationsRegexHandler) OnUpdate(_ client.Client, decoder adm
return nil
}
}
func (h *forbiddenAnnotationsRegexHandler) validate(decoder admission.Decoder, req admission.Request) *admission.Response {
tenant := &capsulev1beta2.Tenant{}
if err := decoder.Decode(req, tenant); err != nil {
return utils.ErroredResponse(err)
}
if tenant.Spec.NamespaceOptions == nil {
return nil
}
annotationsToCheck := map[string]string{
"labels": tenant.Spec.NamespaceOptions.ForbiddenLabels.Regex,
"annotations": tenant.Spec.NamespaceOptions.ForbiddenAnnotations.Regex,
}
for scope, annotation := range annotationsToCheck {
if _, err := regexp.Compile(tenant.Spec.NamespaceOptions.ForbiddenLabels.Regex); err != nil {
response := admission.Denied(fmt.Sprintf("unable to compile %s regex for forbidden %s", annotation, scope))
return &response
}
}
return nil
}
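Review bot: The loop in `validate` calls `regexp.Compile(tenant.Spec.NamespaceOptions.ForbiddenLabels.Regex)` on both iterations and never compiles the loop value, so `ForbiddenAnnotations.Regex` is not validated and an invalid annotation pattern would be admitted. The function is moved here unchanged, so the defect predates this commit but still stands on the new side. The call should read `if _, err := regexp.Compile(annotation); err != nil {`. Since `annotation` holds the pattern for both scopes, renaming it to `pattern` would also make the `Sprintf` arguments easier to read.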


@@ -23,23 +23,6 @@ func HostnameRegexHandler() capsulewebhook.Handler {
return &hostnameRegexHandler{}
}
func (h *hostnameRegexHandler) validate(decoder admission.Decoder, req admission.Request) *admission.Response {
tenant := &capsulev1beta2.Tenant{}
if err := decoder.Decode(req, tenant); err != nil {
return utils.ErroredResponse(err)
}
if tenant.Spec.IngressOptions.AllowedHostnames != nil && len(tenant.Spec.IngressOptions.AllowedHostnames.Regex) > 0 {
if _, err := regexp.Compile(tenant.Spec.IngressOptions.AllowedHostnames.Regex); err != nil {
response := admission.Denied("unable to compile allowedHostnames allowedRegex")
return &response
}
}
return nil
}
func (h *hostnameRegexHandler) OnCreate(_ client.Client, decoder admission.Decoder, _ record.EventRecorder) capsulewebhook.Func {
return func(_ context.Context, req admission.Request) *admission.Response {
if response := h.validate(decoder, req); response != nil {
@@ -65,3 +48,20 @@ func (h *hostnameRegexHandler) OnUpdate(_ client.Client, decoder admission.Decod
return nil
}
}
func (h *hostnameRegexHandler) validate(decoder admission.Decoder, req admission.Request) *admission.Response {
tenant := &capsulev1beta2.Tenant{}
if err := decoder.Decode(req, tenant); err != nil {
return utils.ErroredResponse(err)
}
if tenant.Spec.IngressOptions.AllowedHostnames != nil && len(tenant.Spec.IngressOptions.AllowedHostnames.Regex) > 0 {
if _, err := regexp.Compile(tenant.Spec.IngressOptions.AllowedHostnames.Regex); err != nil {
response := admission.Denied("unable to compile allowedHostnames allowedRegex")
return &response
}
}
return nil
}


@@ -23,23 +23,6 @@ func IngressClassRegexHandler() capsulewebhook.Handler {
return &ingressClassRegexHandler{}
}
func (h *ingressClassRegexHandler) validate(decoder admission.Decoder, req admission.Request) *admission.Response {
tenant := &capsulev1beta2.Tenant{}
if err := decoder.Decode(req, tenant); err != nil {
return utils.ErroredResponse(err)
}
if tenant.Spec.IngressOptions.AllowedClasses != nil && len(tenant.Spec.IngressOptions.AllowedClasses.Regex) > 0 {
if _, err := regexp.Compile(tenant.Spec.IngressOptions.AllowedClasses.Regex); err != nil {
response := admission.Denied("unable to compile ingressClasses allowedRegex")
return &response
}
}
return nil
}
func (h *ingressClassRegexHandler) OnCreate(_ client.Client, decoder admission.Decoder, _ record.EventRecorder) capsulewebhook.Func {
return func(_ context.Context, req admission.Request) *admission.Response {
if response := h.validate(decoder, req); response != nil {
@@ -65,3 +48,20 @@ func (h *ingressClassRegexHandler) OnUpdate(_ client.Client, decoder admission.D
return nil
}
}
func (h *ingressClassRegexHandler) validate(decoder admission.Decoder, req admission.Request) *admission.Response {
tenant := &capsulev1beta2.Tenant{}
if err := decoder.Decode(req, tenant); err != nil {
return utils.ErroredResponse(err)
}
if tenant.Spec.IngressOptions.AllowedClasses != nil && len(tenant.Spec.IngressOptions.AllowedClasses.Regex) > 0 {
if _, err := regexp.Compile(tenant.Spec.IngressOptions.AllowedClasses.Regex); err != nil {
response := admission.Denied("unable to compile ingressClasses allowedRegex")
return &response
}
}
return nil
}


@@ -32,7 +32,7 @@ func (h *protectedHandler) OnDelete(clt client.Client, _ admission.Decoder, _ re
return func(ctx context.Context, req admission.Request) *admission.Response {
tenant := &capsulev1beta2.Tenant{}
if err := clt.Get(ctx, types.NamespacedName{Name: req.AdmissionRequest.Name}, tenant); err != nil {
if err := clt.Get(ctx, types.NamespacedName{Name: req.Name}, tenant); err != nil {
return utils.ErroredResponse(err)
}


@@ -25,6 +25,24 @@ func RoleBindingRegexHandler() capsulewebhook.Handler {
return &rbRegexHandler{}
}
func (h *rbRegexHandler) OnCreate(_ client.Client, decoder admission.Decoder, _ record.EventRecorder) capsulewebhook.Func {
return func(_ context.Context, req admission.Request) *admission.Response {
return h.validate(req, decoder)
}
}
func (h *rbRegexHandler) OnDelete(client.Client, admission.Decoder, record.EventRecorder) capsulewebhook.Func {
return func(context.Context, admission.Request) *admission.Response {
return nil
}
}
func (h *rbRegexHandler) OnUpdate(_ client.Client, decoder admission.Decoder, _ record.EventRecorder) capsulewebhook.Func {
return func(_ context.Context, req admission.Request) *admission.Response {
return h.validate(req, decoder)
}
}
func (h *rbRegexHandler) validate(req admission.Request, decoder admission.Decoder) *admission.Response {
tenant := &capsulev1beta2.Tenant{}
if err := decoder.Decode(req, tenant); err != nil {
@@ -48,21 +66,3 @@ func (h *rbRegexHandler) validate(req admission.Request, decoder admission.Decod
return nil
}
func (h *rbRegexHandler) OnCreate(_ client.Client, decoder admission.Decoder, _ record.EventRecorder) capsulewebhook.Func {
return func(_ context.Context, req admission.Request) *admission.Response {
return h.validate(req, decoder)
}
}
func (h *rbRegexHandler) OnDelete(client.Client, admission.Decoder, record.EventRecorder) capsulewebhook.Func {
return func(context.Context, admission.Request) *admission.Response {
return nil
}
}
func (h *rbRegexHandler) OnUpdate(_ client.Client, decoder admission.Decoder, _ record.EventRecorder) capsulewebhook.Func {
return func(_ context.Context, req admission.Request) *admission.Response {
return h.validate(req, decoder)
}
}


@@ -23,6 +23,24 @@ func ServiceAccountNameHandler() capsulewebhook.Handler {
return &saNameHandler{}
}
func (h *saNameHandler) OnCreate(_ client.Client, decoder admission.Decoder, _ record.EventRecorder) capsulewebhook.Func {
return func(_ context.Context, req admission.Request) *admission.Response {
return h.validateServiceAccountName(req, decoder)
}
}
func (h *saNameHandler) OnDelete(client.Client, admission.Decoder, record.EventRecorder) capsulewebhook.Func {
return func(context.Context, admission.Request) *admission.Response {
return nil
}
}
func (h *saNameHandler) OnUpdate(_ client.Client, decoder admission.Decoder, _ record.EventRecorder) capsulewebhook.Func {
return func(_ context.Context, req admission.Request) *admission.Response {
return h.validateServiceAccountName(req, decoder)
}
}
func (h *saNameHandler) validateServiceAccountName(req admission.Request, decoder admission.Decoder) *admission.Response {
tenant := &capsulev1beta2.Tenant{}
if err := decoder.Decode(req, tenant); err != nil {
@@ -45,21 +63,3 @@ func (h *saNameHandler) validateServiceAccountName(req admission.Request, decode
return nil
}
func (h *saNameHandler) OnCreate(_ client.Client, decoder admission.Decoder, _ record.EventRecorder) capsulewebhook.Func {
return func(_ context.Context, req admission.Request) *admission.Response {
return h.validateServiceAccountName(req, decoder)
}
}
func (h *saNameHandler) OnDelete(client.Client, admission.Decoder, record.EventRecorder) capsulewebhook.Func {
return func(context.Context, admission.Request) *admission.Response {
return nil
}
}
func (h *saNameHandler) OnUpdate(_ client.Client, decoder admission.Decoder, _ record.EventRecorder) capsulewebhook.Func {
return func(_ context.Context, req admission.Request) *admission.Response {
return h.validateServiceAccountName(req, decoder)
}
}


@@ -23,23 +23,6 @@ func StorageClassRegexHandler() capsulewebhook.Handler {
return &storageClassRegexHandler{}
}
func (h *storageClassRegexHandler) validate(decoder admission.Decoder, req admission.Request) *admission.Response {
tenant := &capsulev1beta2.Tenant{}
if err := decoder.Decode(req, tenant); err != nil {
return utils.ErroredResponse(err)
}
if tenant.Spec.StorageClasses != nil && len(tenant.Spec.StorageClasses.Regex) > 0 {
if _, err := regexp.Compile(tenant.Spec.StorageClasses.Regex); err != nil {
response := admission.Denied("unable to compile storageClasses allowedRegex")
return &response
}
}
return nil
}
func (h *storageClassRegexHandler) OnCreate(_ client.Client, decoder admission.Decoder, _ record.EventRecorder) capsulewebhook.Func {
return func(_ context.Context, req admission.Request) *admission.Response {
if err := h.validate(decoder, req); err != nil {
@@ -65,3 +48,20 @@ func (h *storageClassRegexHandler) OnUpdate(_ client.Client, decoder admission.D
return nil
}
}
func (h *storageClassRegexHandler) validate(decoder admission.Decoder, req admission.Request) *admission.Response {
tenant := &capsulev1beta2.Tenant{}
if err := decoder.Decode(req, tenant); err != nil {
return utils.ErroredResponse(err)
}
if tenant.Spec.StorageClasses != nil && len(tenant.Spec.StorageClasses.Regex) > 0 {
if _, err := regexp.Compile(tenant.Spec.StorageClasses.Regex); err != nil {
response := admission.Denied("unable to compile storageClasses allowedRegex")
return &response
}
}
return nil
}


@@ -26,6 +26,24 @@ func WriteOpsHandler() capsulewebhook.Handler {
return &cordoningHandler{}
}
func (h *cordoningHandler) OnCreate(client.Client, admission.Decoder, record.EventRecorder) capsulewebhook.Func {
return func(context.Context, admission.Request) *admission.Response {
return nil
}
}
func (h *cordoningHandler) OnDelete(client client.Client, _ admission.Decoder, recorder record.EventRecorder) capsulewebhook.Func {
return func(ctx context.Context, req admission.Request) *admission.Response {
return h.handler(ctx, client, req, recorder)
}
}
func (h *cordoningHandler) OnUpdate(client client.Client, _ admission.Decoder, recorder record.EventRecorder) capsulewebhook.Func {
return func(ctx context.Context, req admission.Request) *admission.Response {
return h.handler(ctx, client, req, recorder)
}
}
func (h *cordoningHandler) handler(ctx context.Context, clt client.Client, req admission.Request, recorder record.EventRecorder) *admission.Response {
tntList := &capsulev1beta2.TenantList{}
@@ -69,21 +87,3 @@ func (h *cordoningHandler) handler(ctx context.Context, clt client.Client, req a
return nil
}
func (h *cordoningHandler) OnCreate(client.Client, admission.Decoder, record.EventRecorder) capsulewebhook.Func {
return func(context.Context, admission.Request) *admission.Response {
return nil
}
}
func (h *cordoningHandler) OnDelete(client client.Client, _ admission.Decoder, recorder record.EventRecorder) capsulewebhook.Func {
return func(ctx context.Context, req admission.Request) *admission.Response {
return h.handler(ctx, client, req, recorder)
}
}
func (h *cordoningHandler) OnUpdate(client client.Client, _ admission.Decoder, recorder record.EventRecorder) capsulewebhook.Func {
return func(ctx context.Context, req admission.Request) *admission.Response {
return h.handler(ctx, client, req, recorder)
}
}