Merge pull request #12653 from JacobTanenbaum/IngressAdmissionController

OpenShift Bot · web-flow · commit ff53795a924c · 2017-02-04T05:52:11.000-05:00
Merged by openshift-bot
diff --git a/docs/man/man1/openshift-start-kubernetes-apiserver.1 b/docs/man/man1/openshift-start-kubernetes-apiserver.1
@@ -26,7 +26,7 @@ This command launches an instance of the Kubernetes apiserver (kube\-apiserver).
 
 .PP
 \fB\-\-admission\-control\fP="AlwaysAdmit"
-    Ordered list of plug\-ins to do admission control of resources into cluster. Comma\-delimited list of: AlwaysAdmit, AlwaysDeny, AlwaysPullImages, BuildByStrategy, ClusterResourceOverride, DefaultStorageClass, DenyEscalatingExec, DenyExecOnPrivileged, ExternalIPRanger, ImagePolicyWebhook, InitialResources, LimitPodHardAntiAffinityTopology, LimitRanger, NamespaceAutoProvision, NamespaceExists, NamespaceLifecycle, OriginNamespaceLifecycle, OriginPodNodeEnvironment, OwnerReferencesPermissionEnforcement, PersistentVolumeLabel, PodNodeConstraints, PodNodeSelector, PodSecurityPolicy, ProjectRequestLimit, ResourceQuota, RunOnceDuration, SCCExecRestrictions, SecurityContextConstraint, SecurityContextDeny, ServiceAccount, openshift.io/BuildConfigSecretInjector, openshift.io/ClusterResourceQuota, openshift.io/ImageLimitRange, openshift.io/ImagePolicy, openshift.io/JenkinsBootstrapper, openshift.io/OriginResourceQuota, openshift.io/RestrictSubjectBindings, openshift.io/RestrictedEndpointsAdmission.
+    Ordered list of plug\-ins to do admission control of resources into cluster. Comma\-delimited list of: AlwaysAdmit, AlwaysDeny, AlwaysPullImages, BuildByStrategy, ClusterResourceOverride, DefaultStorageClass, DenyEscalatingExec, DenyExecOnPrivileged, ExternalIPRanger, ImagePolicyWebhook, InitialResources, LimitPodHardAntiAffinityTopology, LimitRanger, NamespaceAutoProvision, NamespaceExists, NamespaceLifecycle, OriginNamespaceLifecycle, OriginPodNodeEnvironment, OwnerReferencesPermissionEnforcement, PersistentVolumeLabel, PodNodeConstraints, PodNodeSelector, PodSecurityPolicy, ProjectRequestLimit, ResourceQuota, RunOnceDuration, SCCExecRestrictions, SecurityContextConstraint, SecurityContextDeny, ServiceAccount, openshift.io/BuildConfigSecretInjector, openshift.io/ClusterResourceQuota, openshift.io/ImageLimitRange, openshift.io/ImagePolicy, openshift.io/IngressAdmission, openshift.io/JenkinsBootstrapper, openshift.io/OriginResourceQuota, openshift.io/RestrictSubjectBindings, openshift.io/RestrictedEndpointsAdmission.
 
 .PP
 \fB\-\-admission\-control\-config\-file\fP=""
diff --git a/pkg/cmd/server/origin/master_config.go b/pkg/cmd/server/origin/master_config.go
@@ -69,6 +69,7 @@ import (
 	imageadmission "github.com/openshift/origin/pkg/image/admission"
 	imagepolicy "github.com/openshift/origin/pkg/image/admission/imagepolicy/api"
 	imageapi "github.com/openshift/origin/pkg/image/api"
+	ingressadmission "github.com/openshift/origin/pkg/ingress/admission"
 	accesstokenregistry "github.com/openshift/origin/pkg/oauth/registry/oauthaccesstoken"
 	accesstokenetcd "github.com/openshift/origin/pkg/oauth/registry/oauthaccesstoken/etcd"
 	projectauth "github.com/openshift/origin/pkg/project/auth"
@@ -361,6 +362,7 @@ var (
 		"SCCExecRestrictions",
 		"PersistentVolumeLabel",
 		"OwnerReferencesPermissionEnforcement",
+		ingressadmission.IngressAdmission,
 		// NOTE: quotaadmission and ClusterResourceQuota must be the last 2 plugins.
 		// DO NOT ADD ANY PLUGINS AFTER THIS LINE!
 		quotaadmission.PluginName,
@@ -398,6 +400,7 @@ var (
 		"SCCExecRestrictions",
 		"PersistentVolumeLabel",
 		"OwnerReferencesPermissionEnforcement",
+		ingressadmission.IngressAdmission,
 		// NOTE: quotaadmission and ClusterResourceQuota must be the last 2 plugins.
 		// DO NOT ADD ANY PLUGINS AFTER THIS LINE!
 		quotaadmission.PluginName,
diff --git a/pkg/cmd/server/start/admission.go b/pkg/cmd/server/start/admission.go
@@ -17,6 +17,7 @@ import (
 	_ "github.com/openshift/origin/pkg/build/admission/strategyrestrictions"
 	_ "github.com/openshift/origin/pkg/image/admission"
 	_ "github.com/openshift/origin/pkg/image/admission/imagepolicy"
+	_ "github.com/openshift/origin/pkg/ingress/admission"
 	_ "github.com/openshift/origin/pkg/project/admission/lifecycle"
 	_ "github.com/openshift/origin/pkg/project/admission/nodeenv"
 	_ "github.com/openshift/origin/pkg/project/admission/requestlimit"
@@ -71,6 +72,7 @@ var (
 		"OwnerReferencesPermissionEnforcement",
 		quotaadmission.PluginName,
 		"openshift.io/ClusterResourceQuota",
+		"openshift.io/IngressAdmission",
 	)
 
 	// defaultOffPlugins includes plugins which require explicit configuration to run
diff --git a/pkg/ingress/admission/api/install/install.go b/pkg/ingress/admission/api/install/install.go
@@ -0,0 +1,50 @@
+package install
+
+import (
+	"github.com/golang/glog"
+
+	"k8s.io/kubernetes/pkg/api/meta"
+	"k8s.io/kubernetes/pkg/api/unversioned"
+
+	configapi "github.com/openshift/origin/pkg/cmd/server/api"
+	"github.com/openshift/origin/pkg/ingress/admission/api"
+	"github.com/openshift/origin/pkg/ingress/admission/api/v1"
+)
+
+const importPrefix = "github.com/openshift/origin/pkg/scheduler/admission/api"
+
+var accessor = meta.NewAccessor()
+
+// availableVersions lists all known external versions for this group from most perferred to least preferred
+var availableVersions = []unversioned.GroupVersion{v1.SchemeGroupVersion}
+
+func init() {
+	if err := enableVersions(availableVersions); err != nil {
+		panic(err)
+	}
+}
+
+// TODO: enableVersions should be centralized rather than spread in each API
+// group.
+// We can combine registered.RegisterVersions, registered.EnableVersions and
+// registered.RegisterGroup once we hae moved enableVersions there.
+func enableVersions(externalVersions []unversioned.GroupVersion) error {
+	addVersionsToScheme(externalVersions...)
+	return nil
+}
+
+func addVersionsToScheme(externalVersions ...unversioned.GroupVersion) {
+	// add the internal version to Scheme
+	api.AddToScheme(configapi.Scheme)
+	// add the enabled external versions to Scheme
+	for _, v := range externalVersions {
+		switch v {
+		case v1.SchemeGroupVersion:
+			v1.AddToScheme(configapi.Scheme)
+
+		default:
+			glog.Errorf("Version %s is not known, so it will not be added to the Scheme.", v)
+			continue
+		}
+	}
+}
diff --git a/pkg/ingress/admission/api/register.go b/pkg/ingress/admission/api/register.go
@@ -0,0 +1,33 @@
+package api
+
+import (
+	"k8s.io/kubernetes/pkg/api/unversioned"
+	"k8s.io/kubernetes/pkg/runtime"
+)
+
+// SchemeGroupVersion is group version used to register these objects
+var SchemeGroupVersion = unversioned.GroupVersion{Group: "", Version: runtime.APIVersionInternal}
+
+// Kind takes an unqualified kind and returns back a Group qualified GroupKind
+func Kind(kind string) unversioned.GroupKind {
+	return SchemeGroupVersion.WithKind(kind).GroupKind()
+}
+
+// Resource takes an unqualified resource and returns back a Group qualified GroupResource
+func Resource(resource string) unversioned.GroupResource {
+	return SchemeGroupVersion.WithResource(resource).GroupResource()
+}
+
+var (
+	SchemeBuilder = runtime.NewSchemeBuilder(addKnownTypes)
+	AddToScheme   = SchemeBuilder.AddToScheme
+)
+
+func addKnownTypes(scheme *runtime.Scheme) error {
+	scheme.AddKnownTypes(SchemeGroupVersion,
+		&IngressAdmissionConfig{},
+	)
+	return nil
+}
+
+func (obj *IngressAdmissionConfig) GetObjectKind() unversioned.ObjectKind { return &obj.TypeMeta }
diff --git a/pkg/ingress/admission/api/types.go b/pkg/ingress/admission/api/types.go
@@ -0,0 +1,20 @@
+package api
+
+import (
+	"k8s.io/kubernetes/pkg/api/unversioned"
+)
+
+// IngressAdmissionConfig is the configuration for the the ingress
+// controller limiter plugin. It changes the behavior of ingress
+// objects to behave better with openshift routes and routers.
+// *NOTE* This has security implications in the router when handling
+// ingress objects
+type IngressAdmissionConfig struct {
+	unversioned.TypeMeta
+
+	// AllowHostnameChanges when false or unset openshift does not
+	// allow changing or adding hostnames to ingress objects. If set
+	// to true then hostnames can be added or modified which has
+	// security implications in the router.
+	AllowHostnameChanges bool
+}
diff --git a/pkg/ingress/admission/api/v1/defaults_test.go b/pkg/ingress/admission/api/v1/defaults_test.go
@@ -0,0 +1,63 @@
+package v1_test
+
+import (
+	"reflect"
+	"testing"
+
+	"k8s.io/kubernetes/pkg/runtime"
+	"k8s.io/kubernetes/pkg/util/diff"
+
+	configapi "github.com/openshift/origin/pkg/cmd/server/api"
+	v1 "github.com/openshift/origin/pkg/cmd/server/api/v1"
+	_ "github.com/openshift/origin/pkg/ingress/admission/api/install"
+
+	ingressv1 "github.com/openshift/origin/pkg/ingress/admission/api/v1"
+)
+
+func roundTrip(t *testing.T, obj runtime.Object) runtime.Object {
+	data, err := runtime.Encode(configapi.Codecs.LegacyCodec(v1.SchemeGroupVersion), obj)
+	if err != nil {
+		t.Errorf("%v\n %#v", err, obj)
+		return nil
+	}
+	obj2, err := runtime.Decode(configapi.Codecs.UniversalDecoder(), data)
+	if err != nil {
+		t.Errorf("%v\nData: %s\nSource: %#v", err, string(data), obj)
+		return nil
+	}
+	obj3 := reflect.New(reflect.TypeOf(obj).Elem()).Interface().(runtime.Object)
+	err = configapi.Scheme.Convert(obj2, obj3, nil)
+	if err != nil {
+		t.Errorf("%v\nSourceL %#v", err, obj2)
+		return nil
+	}
+	return obj3
+}
+
+func TestDefaults(t *testing.T) {
+	tests := []struct {
+		original *ingressv1.IngressAdmissionConfig
+		expected *ingressv1.IngressAdmissionConfig
+	}{
+		{
+			original: &ingressv1.IngressAdmissionConfig{},
+			expected: &ingressv1.IngressAdmissionConfig{
+				AllowHostnameChanges: false,
+			},
+		},
+	}
+	for i, test := range tests {
+		t.Logf("test %d", i)
+		original := test.original
+		expected := test.expected
+		obj2 := roundTrip(t, runtime.Object(original))
+		got, ok := obj2.(*ingressv1.IngressAdmissionConfig)
+		if !ok {
+			t.Errorf("unexpected object: %v", got)
+			t.FailNow()
+		}
+		if !reflect.DeepEqual(got, expected) {
+			t.Errorf("got different than expected:\nA:\t%#v\nB:\t%#v\n\nDiff:\n%s\n\n%s", got, expected, diff.ObjectDiff(expected, got), diff.ObjectGoPrintSideBySide(expected, got))
+		}
+	}
+}
diff --git a/pkg/ingress/admission/api/v1/register.go b/pkg/ingress/admission/api/v1/register.go
@@ -0,0 +1,23 @@
+package v1
+
+import (
+	"k8s.io/kubernetes/pkg/api/unversioned"
+	"k8s.io/kubernetes/pkg/runtime"
+)
+
+// SchemeGroupVersion is group version used to register these objects
+var SchemeGroupVersion = unversioned.GroupVersion{Group: "", Version: "v1"}
+
+var (
+	SchemeBuilder = runtime.NewSchemeBuilder(addKnownTypes)
+	AddToScheme   = SchemeBuilder.AddToScheme
+)
+
+func addKnownTypes(scheme *runtime.Scheme) error {
+	scheme.AddKnownTypes(SchemeGroupVersion,
+		&IngressAdmissionConfig{},
+	)
+	return nil
+}
+
+func (obj *IngressAdmissionConfig) GetObjectKind() unversioned.ObjectKind { return &obj.TypeMeta }
diff --git a/pkg/ingress/admission/api/v1/swagger_doc.go b/pkg/ingress/admission/api/v1/swagger_doc.go
@@ -0,0 +1,15 @@
+package v1
+
+// This file contains methods that can be used by the go-restful package to generate Swagger
+// documentation for the object types found in 'types.go' This file is automatically generated
+// by hack/update-generated-swagger-descriptions.sh and should be run after a full build of OpenShift.
+// ==== DO NOT EDIT THIS FILE MANUALLY ====
+
+var map_IngressAdmissionConfig = map[string]string{
+	"": "IngressAdmissionConfig is the configuration for the the ingress controller limiter plugin. It changes the behavior of ingress objects to behave better with openshift routes and routers. *NOTE* This has security implications in the router when handling ingress objects",
+	"allowHostnameChanges": "AllowHostnameChanges when false or unset openshift does not allow changing or adding hostnames to ingress objects. If set to true then hostnames can be added or modified which has security implications in the router.",
+}
+
+func (IngressAdmissionConfig) SwaggerDoc() map[string]string {
+	return map_IngressAdmissionConfig
+}
diff --git a/pkg/ingress/admission/api/v1/types.go b/pkg/ingress/admission/api/v1/types.go
@@ -0,0 +1,20 @@
+package v1
+
+import (
+	"k8s.io/kubernetes/pkg/api/unversioned"
+)
+
+// IngressAdmissionConfig is the configuration for the the ingress
+// controller limiter plugin. It changes the behavior of ingress
+// objects to behave better with openshift routes and routers.
+// *NOTE* This has security implications in the router when handling
+// ingress objects
+type IngressAdmissionConfig struct {
+	unversioned.TypeMeta `json:",inline"`
+
+	// AllowHostnameChanges when false or unset openshift does not
+	// allow changing or adding hostnames to ingress objects. If set
+	// to true then hostnames can be added or modified which has
+	// security implications in the router.
+	AllowHostnameChanges bool `json:"allowHostnameChanges"`
+}
diff --git a/pkg/ingress/admission/ingress_admission.go b/pkg/ingress/admission/ingress_admission.go
@@ -0,0 +1,96 @@
+// This plugin supplements upstream Ingress admission validation
+// It takes care of current Openshift specific constraints on Ingress resources
+package admission
+
+import (
+	"fmt"
+	"io"
+	"reflect"
+
+	"k8s.io/client-go/pkg/util/sets"
+	kadmission "k8s.io/kubernetes/pkg/admission"
+	kextensions "k8s.io/kubernetes/pkg/apis/extensions"
+	clientset "k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset"
+
+	configlatest "github.com/openshift/origin/pkg/cmd/server/api/latest"
+	"github.com/openshift/origin/pkg/ingress/admission/api"
+)
+
+const (
+	IngressAdmission = "openshift.io/IngressAdmission"
+)
+
+func init() {
+	kadmission.RegisterPlugin(IngressAdmission, func(clien clientset.Interface, config io.Reader) (kadmission.Interface, error) {
+		pluginConfig, err := readConfig(config)
+		if err != nil {
+			return nil, err
+		}
+		return NewIngressAdmission(pluginConfig), nil
+	})
+}
+
+type ingressAdmission struct {
+	*kadmission.Handler
+	config *api.IngressAdmissionConfig
+}
+
+func NewIngressAdmission(config *api.IngressAdmissionConfig) *ingressAdmission {
+	return &ingressAdmission{
+		Handler: kadmission.NewHandler(kadmission.Create, kadmission.Update),
+		config:  config,
+	}
+}
+
+func readConfig(reader io.Reader) (*api.IngressAdmissionConfig, error) {
+	if reader == nil || reflect.ValueOf(reader).IsNil() {
+		return nil, nil
+	}
+	obj, err := configlatest.ReadYAML(reader)
+	if err != nil {
+		return nil, err
+	}
+	if obj == nil {
+		return nil, nil
+	}
+	config, ok := obj.(*api.IngressAdmissionConfig)
+	if !ok {
+		return nil, fmt.Errorf("unexpected config object: %#v", obj)
+	}
+	// No validation needed since config is just list of strings
+	return config, nil
+}
+
+func (r *ingressAdmission) Admit(a kadmission.Attributes) error {
+	if a.GetResource().GroupResource() == kextensions.Resource("ingresses") && a.GetOperation() == kadmission.Update {
+		if r.config == nil || r.config.AllowHostnameChanges == false {
+			oldIngress, ok := a.GetOldObject().(*kextensions.Ingress)
+			if !ok {
+				return nil
+			}
+			newIngress, ok := a.GetObject().(*kextensions.Ingress)
+			if !ok {
+				return nil
+			}
+			if !haveHostnamesChanged(oldIngress, newIngress) {
+				return fmt.Errorf("cannot change hostname")
+			}
+		}
+	}
+	return nil
+}
+
+func haveHostnamesChanged(oldIngress, newIngress *kextensions.Ingress) bool {
+	hostnameSet := sets.NewString()
+	for _, element := range oldIngress.Spec.Rules {
+		hostnameSet.Insert(element.Host)
+	}
+
+	for _, element := range newIngress.Spec.Rules {
+		if present := hostnameSet.Has(element.Host); !present {
+			return false
+		}
+	}
+
+	return true
+}
diff --git a/pkg/ingress/admission/ingress_admission_test.go b/pkg/ingress/admission/ingress_admission_test.go
