MutatingWebHookConfiguration for GameServer creation & Validation.

Gopkg.toml

@@ -42,4 +42,8 @@
 
 [[constraint]]
   name = "google.golang.org/grpc"
-  version = "1.8.0"
+  version = "1.8.0"
+
+[[constraint]]
+  branch = "master"
+  name = "github.com/mattbaird/jsonpatch"

build/Makefile

@@ -261,6 +261,7 @@ clean-gcloud-config:
 # (defaults virtualbox for Linux and macOS, hyperv for windows) if you so desire.
 minikube-test-cluster: minikube-agones-profile
 	$(MINIKUBE) start --kubernetes-version v1.9.0 --vm-driver $(MINIKUBE_DRIVER) \
+		--extra-config=apiserver.Admission.PluginNames=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,DefaultTolerationSeconds,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,ResourceQuota \
 		--extra-config=apiserver.Authorization.Mode=RBAC
 	# wait until the master is up
 	until docker run --rm $(common_mounts) --network=host -v $(minikube_cert_mount) $(DOCKER_RUN_ARGS) $(build_tag) kubectl cluster-info; \

build/install.yaml

@@ -67,6 +67,42 @@ spec:
           initialDelaySeconds: 3
           periodSeconds: 3
 ---
+apiVersion: v1
+kind: Service
+metadata:
+  name: agones-controller-service
+  namespace: agones-system
+spec:
+  selector:
+    stable.agones.dev/role: controller
+  ports:
+    - port: 443
+      targetPort: 8081
+---
+apiVersion: admissionregistration.k8s.io/v1beta1
+kind: MutatingWebhookConfiguration
+metadata:
+  name: agones-mutation-webhook
+  namespace: agones-system
+webhooks:
+  - name: mutations.stable.agones.dev
+    failurePolicy: Fail
+    clientConfig:
+      service:
+        name: agones-controller-service
+        namespace: agones-system
+        path: /mutate
+      caBundle: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUVLVENDQXhHZ0F3SUJBZ0lKQU9KUDY0MTB3dkdTTUEwR0NTcUdTSWIzRFFFQkN3VUFNSUdxTVFzd0NRWUQKVlFRR0V3SlZVekVUTUJFR0ExVUVDQXdLVTI5dFpTMVRkR0YwWlRFUE1BMEdBMVVFQ2d3R1FXZHZibVZ6TVE4dwpEUVlEVlFRTERBWkJaMjl1WlhNeE5EQXlCZ05WQkFNTUsyRm5iMjVsY3kxamIyNTBjbTlzYkdWeUxYTmxjblpwClkyVXVZV2R2Ym1WekxYTjVjM1JsYlM1emRtTXhMakFzQmdrcWhraUc5dzBCQ1FFV0gyRm5iMjVsY3kxa2FYTmoKZFhOelFHZHZiMmRzWldkeWIzVndjeTVqYjIwd0hoY05NVGd3TWpFME1EUTBORFEyV2hjTk1qZ3dNakV5TURRMApORFEyV2pDQnFqRUxNQWtHQTFVRUJoTUNWVk14RXpBUkJnTlZCQWdNQ2xOdmJXVXRVM1JoZEdVeER6QU5CZ05WCkJBb01Ca0ZuYjI1bGN6RVBNQTBHQTFVRUN3d0dRV2R2Ym1Wek1UUXdNZ1lEVlFRRERDdGhaMjl1WlhNdFkyOXUKZEhKdmJHeGxjaTF6WlhKMmFXTmxMbUZuYjI1bGN5MXplWE4wWlcwdWMzWmpNUzR3TEFZSktvWklodmNOQVFrQgpGaDloWjI5dVpYTXRaR2x6WTNWemMwQm5iMjluYkdWbmNtOTFjSE11WTI5dE1JSUJJakFOQmdrcWhraUc5dzBCCkFRRUZBQU9DQVE4QU1JSUJDZ0tDQVFFQXpnVlQ5MGVqeE5ud0NvL09qTUQyNmZVNGRya1NlZndkUWd3aWJpZmEKbDhyazZZMFZ2T0lWMUgrbFJvd2UwNm1XTnVSNUZPWEZBMGZYbHZ4Q0tLWVZRcFNQRUsyWVN5aC9hU25KUUw2cQpvOGVBWVRKQmtPWUxCNUNiekl6aVdlb1FmT1lOOE1sRW44YlhKZGllSmhISDhVbnlqdHlvVGx4emhabVgrcGZ0CmhVZGVhM1Zrek8yMW40K1FFM1JYNWYxMzJGVEZjdXFYT1VBL3BpOGNjQU5HYzN6akxlWkp2QTlvZFBFaEdmN2cKQzhleUE2OFNWY3NoK1BqejBsdzk1QVB2bE12MWptcVVSRldjRVNUTGFRMEZ4NUt3UnlWMHppWm1VdkFBRjJaeApEWmhIVWNvRlBIQXdUbDc1TkFobkhwTWxMTnA1TDd0Y1ZkeVQ4QjJHUnMrc2xRSURBUUFCbzFBd1RqQWRCZ05WCkhRNEVGZ1FVZ3YxblRQYVFKU04zTHFtNWpJalc0eEhtZEcwd0h3WURWUjBqQkJnd0ZvQVVndjFuVFBhUUpTTjMKTHFtNWpJalc0eEhtZEcwd0RBWURWUjBUQkFVd0F3RUIvekFOQmdrcWhraUc5dzBCQVFzRkFBT0NBUUVBSEtFQwprdEVqWU5VQ0ErbXlzejRvclc3cFJVdmhCSERWU2dzWTZlRVZSTHpmLzF5SVpFMHU2NTZrcEs2T1Q3TWhKR2xVCkt3R1NTb1VCQnpWZ1VzWmpEbTdQZ2JrNGlZem40TTF4THpiTFFCcjNNYzV6WEhlZlB2YmltaEQ1NWNMenBWRnUKVlFtQm1aVjJOalU1RHVTZFJuZGxjUGFOY2cvdU9jdlpLNEtZMUtDQkEzRW9BUUlrcHpIWDJpVU1veGlSdlpWTgpORXdnRlR0SUdCWW4wSGZML3ZnT3NIOGZWck1Va3VHMnZoR2RlWEJwWmlxL0JaSmJaZU4yckNmMmdhWDFRSXYwCkVLYmN1RnFNOThXVDVaVlpSdFgxWTNSd2V2ZzRteFlKWEN1SDZGRjlXOS9TejI5NEZ5Mk9CS0I4SkFWYUV4OW4KMS9pNmZJZmZHbkhUWFdIc1ZRPT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
+    rules:
+      - apiGroups:
+          - stable.agones.dev
+        resources:
+          - "gameservers"
+        apiVersions:
+          - "v1alpha1"
+        operations:
+          - CREATE
+---
 # Service account, secret, role and rolebinding for sidecar (agones-sdk) pod
 apiVersion: v1
 kind: ServiceAccount
@@ -159,4 +195,4 @@ subjects:
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
-  name: agones-controller
+  name: agones-controller

cmd/controller/Dockerfile

@@ -1,6 +1,7 @@
 FROM alpine:3.7
 
 COPY ./bin/controller /home/agones/controller
+COPY ./certs /home/agones/certs
 RUN apk --update add ca-certificates && \
                 adduser -D agones && \
                 chown -R agones /home/agones && \

cmd/controller/certs/cert.sh

@@ -0,0 +1,12 @@
+#!/usr/bin/env bash
+
+echo "Generating certs..."
+echo "Email should be: [email protected]"
+echo "Common Name should be: agones-controller-service.agones-system.svc"
+openssl genrsa -out server.key 2048
+openssl req -new -x509 -sha256 -key server.key -out server.crt -days 3650
+
+echo "caBundle:"
+base64 -w 0 server.crt
+
+echo "done"

cmd/controller/certs/server.crt

@@ -0,0 +1,25 @@
+-----BEGIN CERTIFICATE-----
+MIIEKTCCAxGgAwIBAgIJAOJP6410wvGSMA0GCSqGSIb3DQEBCwUAMIGqMQswCQYD
+VQQGEwJVUzETMBEGA1UECAwKU29tZS1TdGF0ZTEPMA0GA1UECgwGQWdvbmVzMQ8w
+DQYDVQQLDAZBZ29uZXMxNDAyBgNVBAMMK2Fnb25lcy1jb250cm9sbGVyLXNlcnZp
+Y2UuYWdvbmVzLXN5c3RlbS5zdmMxLjAsBgkqhkiG9w0BCQEWH2Fnb25lcy1kaXNj
+dXNzQGdvb2dsZWdyb3Vwcy5jb20wHhcNMTgwMjE0MDQ0NDQ2WhcNMjgwMjEyMDQ0
+NDQ2WjCBqjELMAkGA1UEBhMCVVMxEzARBgNVBAgMClNvbWUtU3RhdGUxDzANBgNV
+BAoMBkFnb25lczEPMA0GA1UECwwGQWdvbmVzMTQwMgYDVQQDDCthZ29uZXMtY29u
+dHJvbGxlci1zZXJ2aWNlLmFnb25lcy1zeXN0ZW0uc3ZjMS4wLAYJKoZIhvcNAQkB
+Fh9hZ29uZXMtZGlzY3Vzc0Bnb29nbGVncm91cHMuY29tMIIBIjANBgkqhkiG9w0B
+AQEFAAOCAQ8AMIIBCgKCAQEAzgVT90ejxNnwCo/OjMD26fU4drkSefwdQgwibifa
+l8rk6Y0VvOIV1H+lRowe06mWNuR5FOXFA0fXlvxCKKYVQpSPEK2YSyh/aSnJQL6q
+o8eAYTJBkOYLB5CbzIziWeoQfOYN8MlEn8bXJdieJhHH8UnyjtyoTlxzhZmX+pft
+hUdea3VkzO21n4+QE3RX5f132FTFcuqXOUA/pi8ccANGc3zjLeZJvA9odPEhGf7g
+C8eyA68SVcsh+Pjz0lw95APvlMv1jmqURFWcESTLaQ0Fx5KwRyV0ziZmUvAAF2Zx
+DZhHUcoFPHAwTl75NAhnHpMlLNp5L7tcVdyT8B2GRs+slQIDAQABo1AwTjAdBgNV
+HQ4EFgQUgv1nTPaQJSN3Lqm5jIjW4xHmdG0wHwYDVR0jBBgwFoAUgv1nTPaQJSN3
+Lqm5jIjW4xHmdG0wDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAHKEC
+ktEjYNUCA+mysz4orW7pRUvhBHDVSgsY6eEVRLzf/1yIZE0u656kpK6OT7MhJGlU
+KwGSSoUBBzVgUsZjDm7Pgbk4iYzn4M1xLzbLQBr3Mc5zXHefPvbimhD55cLzpVFu
+VQmBmZV2NjU5DuSdRndlcPaNcg/uOcvZK4KY1KCBA3EoAQIkpzHX2iUMoxiRvZVN
+NEwgFTtIGBYn0HfL/vgOsH8fVrMUkuG2vhGdeXBpZiq/BZJbZeN2rCf2gaX1QIv0
+EKbcuFqM98WT5ZVZRtX1Y3Rwevg4mxYJXCuH6FF9W9/Sz294Fy2OBKB8JAVaEx9n
+1/i6fIffGnHTXWHsVQ==
+-----END CERTIFICATE-----

cmd/controller/certs/server.key

@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEAzgVT90ejxNnwCo/OjMD26fU4drkSefwdQgwibifal8rk6Y0V
+vOIV1H+lRowe06mWNuR5FOXFA0fXlvxCKKYVQpSPEK2YSyh/aSnJQL6qo8eAYTJB
+kOYLB5CbzIziWeoQfOYN8MlEn8bXJdieJhHH8UnyjtyoTlxzhZmX+pfthUdea3Vk
+zO21n4+QE3RX5f132FTFcuqXOUA/pi8ccANGc3zjLeZJvA9odPEhGf7gC8eyA68S
+Vcsh+Pjz0lw95APvlMv1jmqURFWcESTLaQ0Fx5KwRyV0ziZmUvAAF2ZxDZhHUcoF
+PHAwTl75NAhnHpMlLNp5L7tcVdyT8B2GRs+slQIDAQABAoIBAEoU5GKQ4jTQ4V4K
+5Az8/kyWnx0h46D1pVewoVjW/+WBUdshnmVzLsJgu/+oNxWJb7iBY4C+Np+9X6qt
+PuT7A74TSXaH1bGA+H/KRNIBPb7y6BkLR0RhVCn+N+fP6TzHy/H9j5m75e9GQusa
+/5NU5X7ARnZUpji3SdsKpfm4U/KOV+p2jWSPX7HOBu/KYa1jveCt6JMPQ36KBXkR
+MlVCkADcvAAGuObpa/sm0MA63+ihdeSYhkEXKqxH4Az3PVDLwP80T8f5VqwWYmnq
+L/Bg6HnV5GHnlTXA+WepNbHkokN9G0H6m0Itj4al3bGTB4jeBCJZp5FHW5obJ4qP
+WkcfXcECgYEA8UIZvdNSsSpRZVTe4hhtXncOptFTdoVKIzTuUVKfKe9OB5i32B9u
+4hDNpBDqkgEktg4R8/cn57z6ZUdUCcobjWQbJLXE5wp7Htf7jCGnL2QmIcp20rbF
+HrE2lHr0oNr3MLUruBvArVB3LLGmOEgn3NQw9aJwg/542EDS7x5v3XkCgYEA2pwG
+HiGYXTJfYNg/+SmDuSDWFe4iMPTRw1TT85uGE9UErYPQd8OqYQQOgIAT7xp1z0oq
+6pmsjPO6HZng9oHKeAO/JPeSuXE+bJ8HYKp7W929F+LGJoqitOLPMm/9OovYDCvh
+6+qDY5LNRHdAeTqwwI2yugf4YnBjY6zIfBp5LP0CgYEAyrrv5JqSbzuPQGZMEJPU
+O8Ax+K4Hw52HygPtizqxcsybtjh3rE3loGPcWdS5OE1rquwx299BkjMz+i0xCjTi
+aDLJuFRiDH+7LBT0VTHmSiWPAXAf3zskc4EYyzZzIEQ/2Zc0ELaJd1oZet4hPkQr
+8x3/sjl48QHCTH5UggkCmYkCgYAfK/pPV5kDSQiCpbNRkxLeVglQ7Tjg5Df482KZ
+rQaMU2asW0xhl3v3A34R4rF0+b/sw/WkqC8LlkFmsSd73vwA6v/ZhJfea4BsOqzx
+or2eVtr8yfBZVJFo26KR3ZgtPf2blrJLUpBTpX4xkhOWdcD4Y/wlPLe1SbNSZjPc
+RmYa/QKBgQC6a7zNASP0A0qMPhqyJZlbg4F8WMRtgHFfsy/iLwdiEUGuChQWULkc
+hzPWpjD0zwrSxZtyhSL0b6THnqTiin23OvtINlViZmos5mWW0VeGsbHnJuRa3THy
+EjSkSP4mR7tJlJokboZ+lYL7gABHn2ERnDsqX8oEU6QpDP1rZhYSzg==
+-----END RSA PRIVATE KEY-----

cmd/controller/main.go

@@ -18,13 +18,16 @@ package main
 import (
 	"strings"
 	"time"
+	"os"
+	"path/filepath"
 
 	"agones.dev/agones/pkg"
 	"agones.dev/agones/pkg/client/clientset/versioned"
 	"agones.dev/agones/pkg/client/informers/externalversions"
 	"agones.dev/agones/pkg/gameservers"
 	"agones.dev/agones/pkg/util/runtime"
 	"agones.dev/agones/pkg/util/signals"
+	"agones.dev/agones/pkg/util/webhooks"
 	"github.com/sirupsen/logrus"
 	"github.com/spf13/pflag"
 	"github.com/spf13/viper"
@@ -39,6 +42,8 @@ const (
 	pullSidecarFlag = "always-pull-sidecar"
 	minPortFlag     = "min-port"
 	maxPortFlag     = "max-port"
+	certFileFlag    = "cert-file"
+	keyFileFlag     = "key-file"
 )
 
 func init() {
@@ -47,30 +52,46 @@ func init() {
 
 // main starts the operator for the gameserver CRD
 func main() {
+	exec, err := os.Executable()
+	if err != nil {
+		logrus.WithError(err).Fatal("Could not get executable path")
+	}
+
+	base := filepath.Dir(exec)
 	viper.SetDefault(sidecarFlag, "gcr.io/agones-images/agones-sdk:"+pkg.Version)
 	viper.SetDefault(pullSidecarFlag, false)
+	viper.SetDefault(certFileFlag, filepath.Join(base, "certs/server.crt"))
+	viper.SetDefault(keyFileFlag, filepath.Join(base, "certs/server.key"))
 
 	pflag.String(sidecarFlag, viper.GetString(sidecarFlag), "Flag to overwrite the GameServer sidecar image that is used. Can also use SIDECAR env variable")
 	pflag.Bool(pullSidecarFlag, viper.GetBool(pullSidecarFlag), "For development purposes, set the sidecar image to have a ImagePullPolicy of Always. Can also use ALWAYS_PULL_SIDECAR env variable")
 	pflag.Int32(minPortFlag, 0, "Required. The minimum port that that a GameServer can be allocated to. Can also use MIN_PORT env variable.")
 	pflag.Int32(maxPortFlag, 0, "Required. The maximum port that that a GameServer can be allocated to. Can also use MAX_PORT env variable")
+	pflag.String(keyFileFlag, viper.GetString(keyFileFlag), "Optional. Path to the key file")
+	pflag.String(certFileFlag, viper.GetString(certFileFlag), "Optional. Path to the crt file")
 	pflag.Parse()
 
 	viper.SetEnvKeyReplacer(strings.NewReplacer("-", "_"))
 	runtime.Must(viper.BindEnv(sidecarFlag))
 	runtime.Must(viper.BindEnv(pullSidecarFlag))
 	runtime.Must(viper.BindEnv(minPortFlag))
 	runtime.Must(viper.BindEnv(maxPortFlag))
+	runtime.Must(viper.BindEnv(keyFileFlag))
+	runtime.Must(viper.BindEnv(certFileFlag))
 	runtime.Must(viper.BindPFlags(pflag.CommandLine))
 
 	minPort := int32(viper.GetInt64(minPortFlag))
 	maxPort := int32(viper.GetInt64(maxPortFlag))
 	sidecarImage := viper.GetString(sidecarFlag)
 	alwaysPullSidecar := viper.GetBool(pullSidecarFlag)
+	keyFile := viper.GetString(keyFileFlag)
+	certFile := viper.GetString(certFileFlag)
 
 	logrus.WithField(sidecarFlag, sidecarImage).
 		WithField("minPort", minPort).
 		WithField("maxPort", maxPort).
+		WithField(keyFileFlag, keyFile).
+		WithField(certFileFlag, certFile).
 		WithField("alwaysPullSidecarImage", alwaysPullSidecar).
 		WithField("Version", pkg.Version).Info("starting gameServer operator...")
 
@@ -102,13 +123,21 @@ func main() {
 
 	agonesInformerFactory := externalversions.NewSharedInformerFactory(agonesClient, 30*time.Second)
 	kubeInformationFactory := informers.NewSharedInformerFactory(kubeClient, 30*time.Second)
-	c := gameservers.NewController(minPort, maxPort, sidecarImage, alwaysPullSidecar, kubeClient, kubeInformationFactory, extClient, agonesClient, agonesInformerFactory)
+
+	wh := webhooks.NewWebHook(certFile, keyFile)
+	c := gameservers.NewController(wh, minPort, maxPort, sidecarImage, alwaysPullSidecar, kubeClient, kubeInformationFactory, extClient, agonesClient, agonesInformerFactory)
 
 	stop := signals.NewStopChannel()
 
 	kubeInformationFactory.Start(stop)
 	agonesInformerFactory.Start(stop)
 
+	go func() {
+		if err := wh.Run(stop); err != nil { // nolint: vetshadow
+			logrus.WithError(err).Fatal("could not run webhook server")
+		}
+	}()
+
 	err = c.Run(2, stop)
 	if err != nil {
 		logrus.WithError(err).Fatal("Could not run gameserver controller")

install.yaml

@@ -66,6 +66,42 @@ spec:
           initialDelaySeconds: 3
           periodSeconds: 3
 ---
+apiVersion: v1
+kind: Service
+metadata:
+  name: agones-controller-service
+  namespace: agones-system
+spec:
+  selector:
+    stable.agones.dev/role: controller
+  ports:
+    - port: 443
+      targetPort: 8081
+---
+apiVersion: admissionregistration.k8s.io/v1beta1
+kind: MutatingWebhookConfiguration
+metadata:
+  name: agones-mutation-webhook
+  namespace: agones-system
+webhooks:
+  - name: mutations.stable.agones.dev
+    failurePolicy: Fail
+    clientConfig:
+      service:
+        name: agones-controller-service
+        namespace: agones-system
+        path: /mutate
+      caBundle: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUVLVENDQXhHZ0F3SUJBZ0lKQU9KUDY0MTB3dkdTTUEwR0NTcUdTSWIzRFFFQkN3VUFNSUdxTVFzd0NRWUQKVlFRR0V3SlZVekVUTUJFR0ExVUVDQXdLVTI5dFpTMVRkR0YwWlRFUE1BMEdBMVVFQ2d3R1FXZHZibVZ6TVE4dwpEUVlEVlFRTERBWkJaMjl1WlhNeE5EQXlCZ05WQkFNTUsyRm5iMjVsY3kxamIyNTBjbTlzYkdWeUxYTmxjblpwClkyVXVZV2R2Ym1WekxYTjVjM1JsYlM1emRtTXhMakFzQmdrcWhraUc5dzBCQ1FFV0gyRm5iMjVsY3kxa2FYTmoKZFhOelFHZHZiMmRzWldkeWIzVndjeTVqYjIwd0hoY05NVGd3TWpFME1EUTBORFEyV2hjTk1qZ3dNakV5TURRMApORFEyV2pDQnFqRUxNQWtHQTFVRUJoTUNWVk14RXpBUkJnTlZCQWdNQ2xOdmJXVXRVM1JoZEdVeER6QU5CZ05WCkJBb01Ca0ZuYjI1bGN6RVBNQTBHQTFVRUN3d0dRV2R2Ym1Wek1UUXdNZ1lEVlFRRERDdGhaMjl1WlhNdFkyOXUKZEhKdmJHeGxjaTF6WlhKMmFXTmxMbUZuYjI1bGN5MXplWE4wWlcwdWMzWmpNUzR3TEFZSktvWklodmNOQVFrQgpGaDloWjI5dVpYTXRaR2x6WTNWemMwQm5iMjluYkdWbmNtOTFjSE11WTI5dE1JSUJJakFOQmdrcWhraUc5dzBCCkFRRUZBQU9DQVE4QU1JSUJDZ0tDQVFFQXpnVlQ5MGVqeE5ud0NvL09qTUQyNmZVNGRya1NlZndkUWd3aWJpZmEKbDhyazZZMFZ2T0lWMUgrbFJvd2UwNm1XTnVSNUZPWEZBMGZYbHZ4Q0tLWVZRcFNQRUsyWVN5aC9hU25KUUw2cQpvOGVBWVRKQmtPWUxCNUNiekl6aVdlb1FmT1lOOE1sRW44YlhKZGllSmhISDhVbnlqdHlvVGx4emhabVgrcGZ0CmhVZGVhM1Zrek8yMW40K1FFM1JYNWYxMzJGVEZjdXFYT1VBL3BpOGNjQU5HYzN6akxlWkp2QTlvZFBFaEdmN2cKQzhleUE2OFNWY3NoK1BqejBsdzk1QVB2bE12MWptcVVSRldjRVNUTGFRMEZ4NUt3UnlWMHppWm1VdkFBRjJaeApEWmhIVWNvRlBIQXdUbDc1TkFobkhwTWxMTnA1TDd0Y1ZkeVQ4QjJHUnMrc2xRSURBUUFCbzFBd1RqQWRCZ05WCkhRNEVGZ1FVZ3YxblRQYVFKU04zTHFtNWpJalc0eEhtZEcwd0h3WURWUjBqQkJnd0ZvQVVndjFuVFBhUUpTTjMKTHFtNWpJalc0eEhtZEcwd0RBWURWUjBUQkFVd0F3RUIvekFOQmdrcWhraUc5dzBCQVFzRkFBT0NBUUVBSEtFQwprdEVqWU5VQ0ErbXlzejRvclc3cFJVdmhCSERWU2dzWTZlRVZSTHpmLzF5SVpFMHU2NTZrcEs2T1Q3TWhKR2xVCkt3R1NTb1VCQnpWZ1VzWmpEbTdQZ2JrNGlZem40TTF4THpiTFFCcjNNYzV6WEhlZlB2YmltaEQ1NWNMenBWRnUKVlFtQm1aVjJOalU1RHVTZFJuZGxjUGFOY2cvdU9jdlpLNEtZMUtDQkEzRW9BUUlrcHpIWDJpVU1veGlSdlpWTgpORXdnRlR0SUdCWW4wSGZML3ZnT3NIOGZWck1Va3VHMnZoR2RlWEJwWmlxL0JaSmJaZU4yckNmMmdhWDFRSXYwCkVLYmN1RnFNOThXVDVaVlpSdFgxWTNSd2V2ZzRteFlKWEN1SDZGRjlXOS9TejI5NEZ5Mk9CS0I4SkFWYUV4OW4KMS9pNmZJZmZHbkhUWFdIc1ZRPT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
+    rules:
+      - apiGroups:
+          - stable.agones.dev
+        resources:
+          - "gameservers"
+        apiVersions:
+          - "v1alpha1"
+        operations:
+          - CREATE
+---
 # Service account, secret, role and rolebinding for sidecar (agones-sdk) pod
 apiVersion: v1
 kind: ServiceAccount

pkg/apis/stable/v1alpha1/types.go

@@ -23,8 +23,10 @@ import (
 )
 
 const (
-	// Creating is when the Pod for the GameServer is being created,
-	// but they have yet to register themselves yet as Ready
+	// PortAllocation is for when a dynamically allocating GameServer
+	// is being created, an open port needs to be allocated
+	PortAllocation State = "PortAllocation"
+	// Creating is before the Pod for the GameServer is being created
 	Creating State = "Creating"
 	// Starting is for when the Pods for the GameServer are being
 	// created but have yet to register themselves as Ready
@@ -161,7 +163,11 @@ func (gs *GameServer) ApplyDefaults() {
 	}
 
 	if gs.Status.State == "" {
-		gs.Status.State = Creating
+		if gs.Spec.PortPolicy == Dynamic {
+			gs.Status.State = PortAllocation
+		} else {
+			gs.Status.State = Creating
+		}
 	}
 
 	// health
@@ -178,6 +184,25 @@ func (gs *GameServer) ApplyDefaults() {
 	}
 }
 
+// Validate validates the GameServer configuration.
+// If a GameServer is invalid there will be > 0 values in
+// the returned array
+func (gs *GameServer) Validate() (bool, []metav1.StatusCause) {
+	var causes []metav1.StatusCause
+
+	// make sure the container value points to a valid container
+	_, _, err := gs.FindGameServerContainer()
+	if err != nil {
+		causes = append(causes, metav1.StatusCause{
+			Type:    metav1.CauseTypeFieldValueInvalid,
+			Field:   "container",
+			Message: err.Error(),
+		})
+	}
+
+	return len(causes) == 0, causes
+}
+
 // FindGameServerContainer returns the container that is specified in
 // spec.gameServer.container. Returns the index and the value.
 // Returns an error if not found