github/polaris
1
0
Fork 0
mirror of https://github.com/FairwindsOps/polaris.git synced 2026-05-06 01:06:43 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
a5af7bb34ea1c377ece9cef5a8ff9e75dc775849
polaris/pkg/webhook/webhook.go
jdesouza a5af7bb34e INS-1950: Go 1.26 and bump libs for polaris (#1172) 
* Go 1.26

* Go 1.26

* Go 1.26

* Go 1.26
2026-02-24 12:22:14 -03:00

167 lines
5.7 KiB
Go
Raw Blame History

// Copyright 2019 FairwindsOps Inc
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package webhook
import (
"context"
"encoding/json"
"fmt"
"net/http"
"strings"
"github.com/fairwindsops/controller-utils/pkg/controller"
"github.com/fairwindsops/polaris/pkg/config"
"github.com/fairwindsops/polaris/pkg/kube"
validator "github.com/fairwindsops/polaris/pkg/validator"
"github.com/sirupsen/logrus"
"k8s.io/apimachinery/pkg/runtime"
"sigs.k8s.io/controller-runtime/pkg/client"
"sigs.k8s.io/controller-runtime/pkg/manager"
"sigs.k8s.io/controller-runtime/pkg/webhook"
"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
)
// Validator validates k8s resources.
type Validator struct {
Client client.Client
decoder *admission.Decoder
Config config.Configuration
}
// NewValidateWebhook creates a validating admission webhook for the apiType.
func NewValidateWebhook(mgr manager.Manager, c config.Configuration) {
path := "/validate"
decoder := admission.NewDecoder(runtime.NewScheme())
validator := Validator{
Client: mgr.GetClient(),
decoder: &decoder,
Config: c,
}
mgr.GetWebhookServer().Register(path, &webhook.Admission{Handler: &validator})
}
func (v *Validator) handleInternal(ctx context.Context, req admission.Request) (*validator.Result, kube.GenericResource, error) {
return GetValidatedResults(ctx, req.AdmissionRequest.Kind.Kind, v.decoder, req, v.Config)
}
// GetValidatedResults returns the validated results.
func GetValidatedResults(ctx context.Context, kind string, decoder *admission.Decoder, req admission.Request, config config.Configuration) (*validator.Result, kube.GenericResource, error) {
var resource kube.GenericResource
var err error
rawBytes := req.Object.Raw
if req.Operation == "DELETE" {
rawBytes = req.OldObject.Raw // Object.Raw is empty for DELETEs
}
var decoded map[string]any
err = json.Unmarshal(rawBytes, &decoded)
if err != nil {
logrus.Errorf("Error unmarshaling JSON")
return nil, resource, err
}
if ownerReferences, ok := decoded["metadata"].(map[string]any)["ownerReferences"].([]any); ok && len(ownerReferences) > 0 {
allOwnersReferenceValid := true
dynamicClient, restMapper, _, _, err := kube.GetKubeClient(context.Background(), "")
if err != nil {
logrus.Errorf("getting the kubernetes client: %v", err)
return nil, resource, err
}
for _, ownerReference := range ownerReferences {
ownerReference := ownerReference.(map[string]any)
ctrl, err := kube.GetObject(context.Background(), req.Namespace, ownerReference["kind"].(string), ownerReference["apiVersion"].(string), ownerReference["name"].(string), dynamicClient, restMapper)
if err != nil {
logrus.Infof("error retrieving owner for object %s - running checks: %v", req.Name, err)
allOwnersReferenceValid = false
break
} else {
err = controller.ValidateIfControllerMatches(decoded, ctrl.Object)
if err != nil {
logrus.Infof("object %s has an owner but the owner is invalid - running checks: %v", req.Name, err)
allOwnersReferenceValid = false
break
}
}
if allOwnersReferenceValid {
logrus.Infof("object %s has owner(s) and the owner(s) are valid - skipping", req.Name)
return nil, resource, nil
}
}
} else {
logrus.Infof("Object %s has no owner - running checks", req.Name)
}
resource, err = kube.NewGenericResourceFromBytes(req.Object.Raw)
if err != nil {
logrus.Errorf("Failed to create resource: %v", err)
return nil, resource, err
}
resourceResult, err := validator.ApplyAllSchemaChecks(ctx, &config, nil, resource)
if err != nil {
return nil, resource, err
}
return &resourceResult, resource, nil
}
// Handle for Validator to run validation checks.
func (v *Validator) Handle(ctx context.Context, req admission.Request) admission.Response {
logrus.Info("Starting admission request")
result, _, err := v.handleInternal(ctx, req)
if err != nil {
logrus.Errorf("Error validating request: %v", err)
return admission.Errored(http.StatusBadRequest, err)
}
allowed := true
reason := ""
if result != nil {
numDangers := result.GetSummary().Dangers
if numDangers > 0 {
allowed = false
reason = getFailureReason(*result)
}
logrus.Infof("%d validation errors found when validating %s", numDangers, result.Name)
}
return admission.ValidationResponse(allowed, reason)
}
func getFailureReason(result validator.Result) string {
var reason strings.Builder
reason.WriteString("\nPolaris prevented this deployment due to configuration problems:\n")
for _, message := range result.Results {
if !message.Success && message.Severity == config.SeverityDanger {
reason.WriteString(fmt.Sprintf("- %s: %s\n", result.Kind, message.Message))
}
}
podResult := result.PodResult
if podResult != nil {
for _, message := range podResult.Results {
if !message.Success && message.Severity == config.SeverityDanger {
reason.WriteString(fmt.Sprintf("- Pod: %s\n", message.Message))
}
}
for _, containerResult := range podResult.ContainerResults {
for _, message := range containerResult.Results {
if !message.Success && message.Severity == config.SeverityDanger {
reason.WriteString(fmt.Sprintf("- Container %s: %s\n", containerResult.Name, message.Message))
}
}
}
}
return reason.String()
}
Reference in New Issue View Git Blame Copy Permalink