apiserver: add admission

phosae · Jul 3, 2023 · c2bfa30 · c2bfa30
1 parent d71f5e3
commit c2bfa30
Show file tree

Hide file tree

Showing 3 changed files with 80 additions and 2 deletions.
diff --git a/api-aggregation-lib/kustomization.yaml b/api-aggregation-lib/kustomization.yaml
@@ -16,4 +16,4 @@ patches:
       value: ko://github.com/phosae/x-kubernetes/api-aggregation-lib
     - op: replace
       path: /spec/template/spec/containers/0/args
-      value: ["--enable-etcd-storage","--etcd-servers=http://localhost:2379", "--enable-auth", "-v", "6"]
+      value: ["--enable-etcd-storage","--etcd-servers=http://localhost:2379", "--enable-auth", "--enable-admission", "-v", "6"]
diff --git a/api-aggregation-lib/pkg/admisssion/disallow/disallow.go b/api-aggregation-lib/pkg/admisssion/disallow/disallow.go
@@ -0,0 +1,54 @@
+package disallow
+
+import (
+	"context"
+	"fmt"
+	"io"
+
+	"k8s.io/apimachinery/pkg/api/errors"
+	"k8s.io/apimachinery/pkg/api/meta"
+	"k8s.io/apiserver/pkg/admission"
+
+	hello_zeng_dev "github.com/phosae/x-kubernetes/api/hello.zeng.dev"
+)
+
+// Register registers a plugin
+func Register(plugins *admission.Plugins) {
+	plugins.Register("DisallowFoo", func(config io.Reader) (admission.Interface, error) {
+		return New()
+	})
+}
+
+func New() (*DisallowFoo, error) {
+	return &DisallowFoo{
+		Handler: *admission.NewHandler(admission.Create),
+	}, nil
+}
+
+var _ admission.ValidationInterface = &DisallowFoo{}
+
+type DisallowFoo struct {
+	admission.Handler
+}
+
+func (d *DisallowFoo) Validate(ctx context.Context, a admission.Attributes, o admission.ObjectInterfaces) (err error) {
+	if a.GetKind().GroupKind() != hello_zeng_dev.SchemeGroupVersion.WithKind("Foo").GroupKind() {
+		return nil
+	}
+
+	metaAccessor, err := meta.Accessor(a.GetObject())
+	if err != nil {
+		return err
+	}
+	fooNamespace := metaAccessor.GetNamespace()
+
+	if fooNamespace == "kube-system" {
+		return errors.NewForbidden(
+			a.GetResource().GroupResource(),
+			fmt.Sprintf("%s/%s", a.GetNamespace(), a.GetName()),
+			fmt.Errorf("namespace/%s is not permitted, please change the resource namespace", fooNamespace),
+		)
+	}
+
+	return nil
+}
diff --git a/api-aggregation-lib/pkg/cmd/start.go b/api-aggregation-lib/pkg/cmd/start.go
@@ -13,16 +13,19 @@ import (
 	openapinamer "k8s.io/apiserver/pkg/endpoints/openapi"
 	"k8s.io/apiserver/pkg/features"
 	genericapiserver "k8s.io/apiserver/pkg/server"
+	"k8s.io/apiserver/pkg/server/options"
 	genericoptions "k8s.io/apiserver/pkg/server/options"
 	serverstorage "k8s.io/apiserver/pkg/server/storage"
 	"k8s.io/apiserver/pkg/storage/storagebackend"
+	"k8s.io/apiserver/pkg/util/feature"
 	utilfeature "k8s.io/apiserver/pkg/util/feature"
 	"k8s.io/client-go/rest"
 	"k8s.io/client-go/tools/clientcmd"
 	cliflag "k8s.io/component-base/cli/flag"
 	"k8s.io/component-base/term"
 	"k8s.io/klog/v2"
 
+	"github.com/phosae/x-kubernetes/api-aggregation-lib/pkg/admisssion/disallow"
 	myapiserver "github.com/phosae/x-kubernetes/api-aggregation-lib/pkg/apiserver"
 	generatedopenapi "github.com/phosae/x-kubernetes/api/generated/openapi"
 	hellov1 "github.com/phosae/x-kubernetes/api/hello.zeng.dev/v1"
@@ -41,6 +44,9 @@ type Options struct {
 	EnableAuth     bool
 	Authentication *genericoptions.DelegatingAuthenticationOptions
 	Authorization  *genericoptions.DelegatingAuthorizationOptions
+
+	EnableAdmission bool
+	Admission       *genericoptions.AdmissionOptions
 }
 
 func (o *Options) Flags() (fs cliflag.NamedFlagSets) {
@@ -56,11 +62,17 @@ func (o *Options) Flags() (fs cliflag.NamedFlagSets) {
 	msfs.BoolVar(&o.EnableAuth, "enable-auth", o.EnableAuth, "If true, enable authn and authz")
 	o.Authentication.AddFlags(fs.FlagSet("apiserver authentication"))
 	o.Authorization.AddFlags(fs.FlagSet("apiserver authorization"))
+
+	msfs.BoolVar(&o.EnableAdmission, "enable-admission", o.EnableAdmission, "If true, enable admission plugins")
 	return fs
 }
 
 // Complete fills in fields required to have valid data
-func (o *Options) Complete() error { return nil }
+func (o *Options) Complete() error {
+	disallow.Register(o.Admission.Plugins)
+	o.Admission.RecommendedPluginOrder = append(o.Admission.RecommendedPluginOrder, "DisallowFoo")
+	return nil
+}
 
 // Validate validates ServerOptions
 func (o Options) Validate(args []string) error {
@@ -154,6 +166,17 @@ func (o Options) ApiserverConfig() (*genericapiserver.RecommendedConfig, error)
 		}
 	}
 
+	if o.EnableAdmission {
+		(&options.CoreAPIOptions{}).ApplyTo(serverConfig) // init SharedInformerFactory
+
+		// we can use LoopbackClientConfig for local resources
+		// client, err := helloclientset.NewForConfig(serverConfig.LoopbackClientConfig)
+		// informerFactory := helloinformers.NewSharedInformerFactory(client, serverConfig.LoopbackClientConfig.Timeout)
+		// initializers := []admission.PluginInitializer{//} */
+
+		o.Admission.ApplyTo(&serverConfig.Config, serverConfig.SharedInformerFactory, serverConfig.ClientConfig, feature.DefaultFeatureGate)
+	}
+
 	return serverConfig, nil
 }
 
@@ -190,6 +213,7 @@ func NewHelloServerCommand(stopCh <-chan struct{}) *cobra.Command {
 		Etcd:           genericoptions.NewEtcdOptions(storagebackend.NewDefaultConfig(defaultEtcdPathPrefix, nil)),
 		Authentication: genericoptions.NewDelegatingAuthenticationOptions(),
 		Authorization:  genericoptions.NewDelegatingAuthorizationOptions(),
+		Admission:      genericoptions.NewAdmissionOptions(),
 	}
 	opts.Etcd.StorageConfig.EncodeVersioner = runtime.NewMultiGroupVersioner(hellov1.SchemeGroupVersion, schema.GroupKind{Group: hellov1.GroupName})
 	// opts.Etcd.DefaultStorageMediaType = "application/vnd.kubernetes.protobuf"