github/capsule
1
0
Fork 0
mirror of https://github.com/projectcapsule/capsule.git synced 2026-02-14 09:59:57 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
d812a0c7221baf61aec4ceea613ba094045e2820
capsule/internal/webhook/namespace/mutation/handler.go
Oliver Bähler d812a0c722 feat(tenant): add dedicated tenantowner crd (#1764) 
Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>
2025-12-02 15:21:46 +01:00

153 lines
4.0 KiB
Go
Raw Blame History

// Copyright 2020-2025 Project Capsule Authors
// SPDX-License-Identifier: Apache-2.0
package mutation
import (
"context"
corev1 "k8s.io/api/core/v1"
"k8s.io/client-go/tools/record"
"sigs.k8s.io/controller-runtime/pkg/client"
"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
"github.com/projectcapsule/capsule/internal/webhook"
"github.com/projectcapsule/capsule/internal/webhook/utils"
"github.com/projectcapsule/capsule/pkg/configuration"
"github.com/projectcapsule/capsule/pkg/utils/tenant"
"github.com/projectcapsule/capsule/pkg/utils/users"
)
func NamespaceHandler(configuration configuration.Configuration, handlers ...webhook.TypedHandler[*corev1.Namespace]) webhook.Handler {
return &handler{
cfg: configuration,
handlers: handlers,
}
}
type handler struct {
cfg configuration.Configuration
handlers []webhook.TypedHandler[*corev1.Namespace]
}
//nolint:dupl
func (h *handler) OnCreate(c client.Client, decoder admission.Decoder, recorder record.EventRecorder) webhook.Func {
return func(ctx context.Context, req admission.Request) *admission.Response {
userIsAdmin := users.IsAdminUser(req, h.cfg.Administrators())
if !userIsAdmin && !users.IsCapsuleUser(ctx, c, h.cfg, req.UserInfo.Username, req.UserInfo.Groups) {
return nil
}
ns := &corev1.Namespace{}
if err := decoder.Decode(req, ns); err != nil {
return utils.ErroredResponse(err)
}
tnt, err := tenant.GetTenantByLabels(ctx, c, ns)
if err != nil {
return utils.ErroredResponse(err)
}
if tnt == nil && userIsAdmin {
return nil
}
for _, hndl := range h.handlers {
if response := hndl.OnCreate(c, ns, decoder, recorder)(ctx, req); response != nil {
return response
}
}
return nil
}
}
//nolint:dupl
func (h *handler) OnDelete(c client.Client, decoder admission.Decoder, recorder record.EventRecorder) webhook.Func {
return func(ctx context.Context, req admission.Request) *admission.Response {
userIsAdmin := users.IsAdminUser(req, h.cfg.Administrators())
if !userIsAdmin && !users.IsCapsuleUser(ctx, c, h.cfg, req.UserInfo.Username, req.UserInfo.Groups) {
return nil
}
ns := &corev1.Namespace{}
if err := decoder.Decode(req, ns); err != nil {
return utils.ErroredResponse(err)
}
tnt, err := tenant.GetTenantByLabels(ctx, c, ns)
if err != nil {
return utils.ErroredResponse(err)
}
if tnt == nil && userIsAdmin {
return nil
}
for _, hndl := range h.handlers {
if response := hndl.OnDelete(c, ns, decoder, recorder)(ctx, req); response != nil {
return response
}
}
return nil
}
}
func (h *handler) OnUpdate(c client.Client, decoder admission.Decoder, recorder record.EventRecorder) webhook.Func {
return func(ctx context.Context, req admission.Request) *admission.Response {
userIsAdmin := users.IsAdminUser(req, h.cfg.Administrators())
if !userIsAdmin && !users.IsCapsuleUser(ctx, c, h.cfg, req.UserInfo.Username, req.UserInfo.Groups) {
return nil
}
ns := &corev1.Namespace{}
if err := decoder.Decode(req, ns); err != nil {
return utils.ErroredResponse(err)
}
oldNs := &corev1.Namespace{}
if err := decoder.DecodeRaw(req.OldObject, oldNs); err != nil {
return utils.ErroredResponse(err)
}
tnt, err := tenant.GetTenantByOwnerreferences(ctx, c, oldNs.OwnerReferences)
if err != nil {
return utils.ErroredResponse(err)
}
//nolint:nestif
if userIsAdmin {
if tnt == nil {
tnt, err = tenant.GetTenantByLabels(ctx, c, ns)
if err != nil {
return utils.ErroredResponse(err)
}
if tnt == nil {
return nil
}
}
} else {
if owned := tenant.NamespaceIsOwned(ctx, c, h.cfg, oldNs, tnt, req.UserInfo); !owned {
recorder.Eventf(oldNs, corev1.EventTypeWarning, "NamespacePatch", "Namespace %s can not be patched", oldNs.GetName())
response := admission.Denied("Denied patch request for this namespace")
return &response
}
}
for _, hndl := range h.handlers {
if response := hndl.OnUpdate(c, ns, oldNs, decoder, recorder)(ctx, req); response != nil {
return response
}
}
return nil
}
}
Reference in New Issue View Git Blame Copy Permalink