Merge pull request #16639 from deads2k/server-46-admission

Automatic merge from submit-queue (batch tested with PRs 16657, 16607, 16647, 16639, 16655).

 filter out 'turn this on' config structs for admission

Alternative to #16505 to allow our enablement of config.  I think this aligns more closely with a goal of calling the "normal" https://github.com/kubernetes/kubernetes/blob/master/staging/src/k8s.io/apiserver/pkg/server/options/admission.go#L78 path.

Author: openshift-merge-robot

pkg/cmd/server/origin/admission/chain_builder.go

@@ -1,6 +1,9 @@
 package admission
 
 import (
+	"bytes"
+	"io"
+	"io/ioutil"
 	"net"
 	"reflect"
 	"strings"
@@ -16,6 +19,7 @@ import (
 
 	oadmission "github.com/openshift/origin/pkg/cmd/server/admission"
 	configapi "github.com/openshift/origin/pkg/cmd/server/api"
+	configlatest "github.com/openshift/origin/pkg/cmd/server/api/latest"
 	"github.com/openshift/origin/pkg/cmd/util/pluginconfig"
 	imageadmission "github.com/openshift/origin/pkg/image/admission"
 	imagepolicy "github.com/openshift/origin/pkg/image/admission/imagepolicy/api"
@@ -351,3 +355,50 @@ func dedupe(input []string) []string {
 	}
 	return result
 }
+
+func init() {
+	// add a filter that will remove DefaultAdmissionConfig
+	admission.FactoryFilterFn = filterEnableAdmissionConfigs
+}
+
+func filterEnableAdmissionConfigs(delegate admission.Factory) admission.Factory {
+	return func(config io.Reader) (admission.Interface, error) {
+		config1, config2, err := splitStream(config)
+		if err != nil {
+			return nil, err
+		}
+		// if the config isn't a DefaultAdmissionConfig, then assume we're enabled (we were called after all)
+		// if the config *is* a DefaultAdmissionConfig and it explicitly said
+		obj, err := configlatest.ReadYAML(config1)
+		// if we can't read it, let the plugin deal with it
+		if err != nil {
+			return delegate(config2)
+		}
+		// if nothing was there, let the plugin deal with it
+		if obj == nil {
+			return delegate(config2)
+		}
+		// if it wasn't a DefaultAdmissionConfig object, let the plugin deal with it
+		if _, ok := obj.(*configapi.DefaultAdmissionConfig); !ok {
+			return delegate(config2)
+		}
+
+		// if it was a DefaultAdmissionConfig, then it must have said "enabled" and it wasn't really meant for the
+		// admission plugin
+		return delegate(nil)
+	}
+}
+
+// splitStream reads the stream bytes and constructs two copies of it.
+func splitStream(config io.Reader) (io.Reader, io.Reader, error) {
+	if config == nil || reflect.ValueOf(config).IsNil() {
+		return nil, nil, nil
+	}
+
+	configBytes, err := ioutil.ReadAll(config)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	return bytes.NewBuffer(configBytes), bytes.NewBuffer(configBytes), nil
+}