mirror of
https://github.com/projectcapsule/capsule.git
synced 2026-02-14 18:09:58 +00:00
a6b830b1af
* fix(controller): decode old object for delete requests Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com> * chore: modernize golang Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com> * chore: modernize golang Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com> * chore: modernize golang Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com> * fix(config): remove usergroups default Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com> * fix(config): remove usergroups default Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com> * sec(ghsa-2ww6-hf35-mfjm): intercept namespace subresource Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com> * feat(api): add rulestatus api Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com> * chore: conflicts Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com> * chore: conflicts Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com> * chore: conflicts Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com> * chore: conflicts Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com> * chore: conflicts Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com> * chore: conflicts Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com> * chore: conflicts Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com> * chore: conflicts Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com> * chore: conflicts Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com> * chore: conflicts Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com> * chore: conflicts Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com> * feat(api): add rulestatus api Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com> * feat(api): add rulestatus api Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com> * feat(api): add rulestatus api Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com> * feat(api): add rulestatus api Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com> * feat(api): add rulestatus api Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com> * feat(api): add rulestatus api Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com> --------- Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>
197 lines
4.9 KiB
Go
197 lines
4.9 KiB
Go
// Copyright 2020-2026 Project Capsule Authors
|
|
// SPDX-License-Identifier: Apache-2.0
|
|
|
|
package service
|
|
|
|
import (
|
|
"context"
|
|
"net"
|
|
"strings"
|
|
|
|
"github.com/pkg/errors"
|
|
corev1 "k8s.io/api/core/v1"
|
|
"k8s.io/client-go/tools/events"
|
|
"sigs.k8s.io/controller-runtime/pkg/client"
|
|
"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
|
|
|
|
capsulev1beta2 "github.com/projectcapsule/capsule/api/v1beta2"
|
|
"github.com/projectcapsule/capsule/pkg/api"
|
|
caperrors "github.com/projectcapsule/capsule/pkg/api/errors"
|
|
evt "github.com/projectcapsule/capsule/pkg/runtime/events"
|
|
"github.com/projectcapsule/capsule/pkg/runtime/handlers"
|
|
)
|
|
|
|
type validating struct{}
|
|
|
|
func Validating() handlers.TypedHandlerWithTenant[*corev1.Service] {
|
|
return &validating{}
|
|
}
|
|
|
|
func (h *validating) OnCreate(
|
|
c client.Client,
|
|
svc *corev1.Service,
|
|
decoder admission.Decoder,
|
|
recorder events.EventRecorder,
|
|
tnt *capsulev1beta2.Tenant,
|
|
) handlers.Func {
|
|
return func(ctx context.Context, req admission.Request) *admission.Response {
|
|
return h.handle(req, recorder, svc, tnt)
|
|
}
|
|
}
|
|
|
|
func (h *validating) OnUpdate(
|
|
c client.Client,
|
|
old *corev1.Service,
|
|
svc *corev1.Service,
|
|
decoder admission.Decoder,
|
|
recorder events.EventRecorder,
|
|
tnt *capsulev1beta2.Tenant,
|
|
) handlers.Func {
|
|
return func(ctx context.Context, req admission.Request) *admission.Response {
|
|
return h.handle(req, recorder, svc, tnt)
|
|
}
|
|
}
|
|
|
|
func (h *validating) OnDelete(
|
|
client.Client,
|
|
*corev1.Service,
|
|
admission.Decoder,
|
|
events.EventRecorder,
|
|
*capsulev1beta2.Tenant,
|
|
) handlers.Func {
|
|
return func(context.Context, admission.Request) *admission.Response {
|
|
return nil
|
|
}
|
|
}
|
|
|
|
func (h *validating) handle(
|
|
req admission.Request,
|
|
recorder events.EventRecorder,
|
|
svc *corev1.Service,
|
|
tnt *capsulev1beta2.Tenant,
|
|
) *admission.Response {
|
|
if svc.Spec.Type == corev1.ServiceTypeNodePort && tnt.Spec.ServiceOptions != nil && tnt.Spec.ServiceOptions.AllowedServices != nil && !*tnt.Spec.ServiceOptions.AllowedServices.NodePort {
|
|
recorder.Eventf(
|
|
svc,
|
|
tnt,
|
|
corev1.EventTypeWarning,
|
|
evt.ReasonForbiddenNodePort,
|
|
evt.ActionValidationDenied,
|
|
"Cannot be type of NodePort for the Tenant %s", tnt.GetName(),
|
|
)
|
|
|
|
response := admission.Denied(caperrors.NewNodePortDisabledError().Error())
|
|
|
|
return &response
|
|
}
|
|
|
|
if svc.Spec.Type == corev1.ServiceTypeExternalName && tnt.Spec.ServiceOptions != nil && tnt.Spec.ServiceOptions.AllowedServices != nil && !*tnt.Spec.ServiceOptions.AllowedServices.ExternalName {
|
|
recorder.Eventf(
|
|
svc,
|
|
tnt,
|
|
corev1.EventTypeWarning,
|
|
evt.ReasonForbiddenExternalName,
|
|
evt.ActionValidationDenied,
|
|
"Cannot be type of ExternalName for the Tenant %s", tnt.GetName(),
|
|
)
|
|
|
|
response := admission.Denied(caperrors.NewExternalNameDisabledError().Error())
|
|
|
|
return &response
|
|
}
|
|
|
|
if svc.Spec.Type == corev1.ServiceTypeLoadBalancer && tnt.Spec.ServiceOptions != nil && tnt.Spec.ServiceOptions.AllowedServices != nil && !*tnt.Spec.ServiceOptions.AllowedServices.LoadBalancer {
|
|
recorder.Eventf(
|
|
tnt,
|
|
svc,
|
|
corev1.EventTypeWarning,
|
|
evt.ReasonForbiddenLoadBalancer,
|
|
evt.ActionValidationDenied,
|
|
"Cannot be type of LoadBalancer for the Tenant %s", tnt.GetName(),
|
|
)
|
|
|
|
response := admission.Denied(caperrors.NewLoadBalancerDisabled().Error())
|
|
|
|
return &response
|
|
}
|
|
|
|
if tnt.Spec.ServiceOptions != nil {
|
|
err := api.ValidateForbidden(svc.Annotations, tnt.Spec.ServiceOptions.ForbiddenAnnotations)
|
|
if err != nil {
|
|
err = errors.Wrap(err, "annotations validation failed")
|
|
|
|
recorder.Eventf(
|
|
svc,
|
|
tnt,
|
|
corev1.EventTypeWarning,
|
|
evt.ReasonForbiddenAnnotation,
|
|
evt.ActionValidationDenied,
|
|
err.Error(),
|
|
)
|
|
|
|
response := admission.Denied(err.Error())
|
|
|
|
return &response
|
|
}
|
|
|
|
err = api.ValidateForbidden(svc.Labels, tnt.Spec.ServiceOptions.ForbiddenLabels)
|
|
if err != nil {
|
|
err = errors.Wrap(err, "labels validation failed")
|
|
|
|
recorder.Eventf(
|
|
svc,
|
|
tnt,
|
|
corev1.EventTypeWarning,
|
|
evt.ReasonForbiddenLabel,
|
|
evt.ActionValidationDenied,
|
|
err.Error(),
|
|
)
|
|
|
|
response := admission.Denied(err.Error())
|
|
|
|
return &response
|
|
}
|
|
}
|
|
|
|
if svc.Spec.ExternalIPs == nil || (tnt.Spec.ServiceOptions == nil || tnt.Spec.ServiceOptions.ExternalServiceIPs == nil) {
|
|
return nil
|
|
}
|
|
|
|
ipInCIDR := func(ip net.IP) bool {
|
|
for _, allowed := range tnt.Spec.ServiceOptions.ExternalServiceIPs.Allowed {
|
|
if !strings.Contains(string(allowed), "/") {
|
|
allowed += "/32"
|
|
}
|
|
|
|
_, allowedIP, _ := net.ParseCIDR(string(allowed))
|
|
|
|
if allowedIP.Contains(ip) {
|
|
return true
|
|
}
|
|
}
|
|
|
|
return false
|
|
}
|
|
|
|
for _, externalIP := range svc.Spec.ExternalIPs {
|
|
ip := net.ParseIP(externalIP)
|
|
|
|
if !ipInCIDR(ip) {
|
|
recorder.Eventf(
|
|
svc,
|
|
tnt,
|
|
corev1.EventTypeWarning,
|
|
evt.ReasonForbiddenExternalServiceIP,
|
|
evt.ActionValidationDenied,
|
|
"External IP %s is forbidden for the Tenant %s", ip.String(), tnt.GetName(),
|
|
)
|
|
|
|
response := admission.Denied(caperrors.NewExternalServiceIPForbidden(tnt.Spec.ServiceOptions.ExternalServiceIPs.Allowed).Error())
|
|
|
|
return &response
|
|
}
|
|
}
|
|
|
|
return nil
|
|
}
|