diff --git a/pkg/http-server/webhook-scan-logs.go b/pkg/http-server/webhook-scan-logs.go
index 517dd0806..db79afe21 100644
--- a/pkg/http-server/webhook-scan-logs.go
+++ b/pkg/http-server/webhook-scan-logs.go
@@ -175,14 +175,14 @@ func (g *APIHandler) getLogReasoning(log dblogs.WebhookScanLog) string {
 if !log.Allowed {
 err := json.Unmarshal([]byte(log.DeniableViolations), &violations)
 if err != nil {
- zap.S().Errorf("Failed to deserialize deniable violations summary. Error: %v", err.Error())
+ zap.S().Errorf("failed to deserialize deniable violations summary. Error: %v", err.Error())
 return ""
 }
 } else {
 var violationStore results.ViolationStore
 err := json.Unmarshal([]byte(log.ViolationsSummary), &violationStore)
 if err != nil {
- zap.S().Errorf("Failed to deserialize violations summary. Error: %v", err.Error())
+ zap.S().Errorf("failed to deserialize violations summary. Error: %v", err.Error())
 return ""
 }
@@ -218,13 +218,13 @@ func (g *APIHandler) getLogRequest(log dblogs.WebhookScanLog) string {
 err := json.Unmarshal([]byte(log.Request), &review)
 if err != nil {
- zap.S().Errorf("Failed to deserialize request. Error: %v", err.Error())
+ zap.S().Errorf("failed to deserialize request. Error: %v", err.Error())
 return "{}"
 }
 result, err := json.Marshal(review.Request)
 if err != nil {
- zap.S().Errorf("Failed to serialize request. Error: %v", err.Error())
+ zap.S().Errorf("failed to serialize request. Error: %v", err.Error())
 return "{}"
 }
diff --git a/pkg/http-server/webhook-scan.go b/pkg/http-server/webhook-scan.go
index 30775fbc3..ff88b7fc1 100644
--- a/pkg/http-server/webhook-scan.go
+++ b/pkg/http-server/webhook-scan.go
@@ -33,11 +33,20 @@ import (
 func (g *APIHandler) validateK8SWebhook(w http.ResponseWriter, r *http.Request) {
 var (
- params = mux.Vars(r)
- apiKey = params["apiKey"]
- validatingWebhook = admissionWebhook.NewValidatingWebhook(g.configFile)
+ params = mux.Vars(r)
+ apiKey = params["apiKey"]
 )
+ // Read the request into byte array
+ body, err := ioutil.ReadAll(r.Body)
+ if err != nil {
+ msg := fmt.Sprintf("failed to read validating admission webhook request body, error: '%v'", err)
+ apiErrorResponse(w, msg, http.StatusBadRequest)
+ return
+ }
+ zap.S().Debugf("scanning configuration webhook request: %+v", string(body))
+
+ validatingWebhook := admissionWebhook.NewValidatingWebhook(g.configFile, body)
 // Validate if authorized (API key is specified and matched the server one (saved in an environment variable)
 if err := validatingWebhook.Authorize(apiKey); err != nil {
 switch err {
@@ -51,16 +60,6 @@ func (g *APIHandler) validateK8SWebhook(w http.ResponseWriter, r *http.Request)
 return
 }
- // Read the request into byte array
- body, err := ioutil.ReadAll(r.Body)
- if err != nil {
- msg := fmt.Sprintf("failed to read validating admission webhook request body, error: '%v'", err)
- apiErrorResponse(w, msg, http.StatusBadRequest)
- return
- }
-
- zap.S().Debugf("scanning configuration webhook request: %+v", string(body))
-
- // decode incoming admission review request
 requestedAdmissionReview, err := validatingWebhook.DecodeAdmissionReviewRequest(body)
 if err != nil {
@@ -92,6 +91,6 @@ func (g *APIHandler) sendResponseAdmissionReview(w http.ResponseWriter, admissio
 return
 }
- zap.S().Debugf("Response result: %+v", string(respBytes))
+ zap.S().Debugf("response result: %+v", string(respBytes))
 apiResponse(w, string(respBytes), http.StatusOK)
 }
diff --git a/pkg/k8s/admission-webhook/validating-webhook.go b/pkg/k8s/admission-webhook/validating-webhook.go
index 3a3bcf710..a6dfc894c 100644
--- a/pkg/k8s/admission-webhook/validating-webhook.go
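Review bot: In `validateK8SWebhook` (first hunk of pkg/http-server/webhook-scan.go) the body is now read with `ioutil.ReadAll(r.Body)` and written to the debug log before `validatingWebhook.Authorize(apiKey)` runs, so a caller without a valid API key can make the handler buffer a body of any size and have it logged. Bound the read before it happens, for example `r.Body = http.MaxBytesReader(w, r.Body, maxWebhookBodyBytes)` (the constant name is a placeholder for a limit the project chooses). Keep the `Debugf` of the raw body below the authorization check, or log only `len(body)`. An AdmissionReview embeds the object under review, which can be a Secret, so the full-body debug line deserves a second look even for authorized callers. The function continues past the end of this hunk.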
+++ b/pkg/k8s/admission-webhook/validating-webhook.go
@@ -47,10 +47,11 @@ type ValidatingWebhook struct {
 }
 // NewValidatingWebhook returns a new, empty ValidatingWebhook struct
-func NewValidatingWebhook(configFile string) AdmissionWebhook {
+func NewValidatingWebhook(configFile string, body []byte) AdmissionWebhook {
 return ValidatingWebhook{
- configFile: configFile,
- dblogger: dblogs.NewWebhookScanLogger(),
+ configFile: configFile,
+ dblogger: dblogs.NewWebhookScanLogger(),
+ requestBody: body,
 }
 }
@@ -106,7 +107,6 @@ func (w ValidatingWebhook) DecodeAdmissionReviewRequest(requestBody []byte) (adm
 deserializer = codecs.UniversalDeserializer()
 requestedAdmissionReview admissionv1.AdmissionReview
 )
- w.requestBody = requestBody
 admissionv1.AddToScheme(scheme)
 // decode incoming admission request
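Review bot: The doc comment on `NewValidatingWebhook` still says it returns a "new, empty" struct, although the constructor now stores the raw request body; suggest `// NewValidatingWebhook returns a ValidatingWebhook for configFile that retains body, the raw admission request, in requestBody.` The slice is stored without a copy, so the webhook aliases the caller's buffer, which is safe only while the caller does not reuse or modify it. In the second hunk, `DecodeAdmissionReviewRequest(requestBody []byte)` keeps its parameter after the assignment to `w.requestBody` was dropped, so the same bytes are now supplied twice and the stored and decoded copies could diverge. Decoding the stored field, or documenting that the argument must be the bytes given to the constructor, would remove that ambiguity. `DecodeAdmissionReviewRequest` starts and ends outside its hunk.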