-
Notifications
You must be signed in to change notification settings - Fork 4.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
add ingress admission controller to restrict hostname updates #12653
Merged
openshift-bot
merged 8 commits into
openshift:master
from
JacobTanenbaum:IngressAdmissionController
Feb 4, 2017
Merged
Changes from all commits
Commits
Show all changes
8 commits
Select commit
Hold shift + click to select a range
997aa2b
add admission controller to restrict updates to ingresss objects host…
JacobTanenbaum 4de290c
updated generated docs
JacobTanenbaum 720dab1
added swagger docs and verified the gofmt
JacobTanenbaum 8cffcc2
took out the decription in api/v1/types.go because govet.sh complained
JacobTanenbaum 2695daa
addresses Ben's initial comments
JacobTanenbaum be1017e
Changed using a map to k8s.io/apimachinery/pkg/utils/sets and added a…
JacobTanenbaum 8c59f37
Attempt at resolving
JacobTanenbaum dfd9fae
updated man page
JacobTanenbaum File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,50 @@ | ||
| package install | ||
|
|
||
| import ( | ||
| "github.com/golang/glog" | ||
|
|
||
| "k8s.io/kubernetes/pkg/api/meta" | ||
| "k8s.io/kubernetes/pkg/api/unversioned" | ||
|
|
||
| configapi "github.com/openshift/origin/pkg/cmd/server/api" | ||
| "github.com/openshift/origin/pkg/ingress/admission/api" | ||
| "github.com/openshift/origin/pkg/ingress/admission/api/v1" | ||
| ) | ||
|
|
||
| const importPrefix = "github.com/openshift/origin/pkg/scheduler/admission/api" | ||
|
|
||
| var accessor = meta.NewAccessor() | ||
|
|
||
| // availableVersions lists all known external versions for this group from most perferred to least preferred | ||
| var availableVersions = []unversioned.GroupVersion{v1.SchemeGroupVersion} | ||
|
|
||
| func init() { | ||
| if err := enableVersions(availableVersions); err != nil { | ||
| panic(err) | ||
| } | ||
| } | ||
|
|
||
| // TODO: enableVersions should be centralized rather than spread in each API | ||
| // group. | ||
| // We can combine registered.RegisterVersions, registered.EnableVersions and | ||
| // registered.RegisterGroup once we hae moved enableVersions there. | ||
| func enableVersions(externalVersions []unversioned.GroupVersion) error { | ||
| addVersionsToScheme(externalVersions...) | ||
| return nil | ||
| } | ||
|
|
||
| func addVersionsToScheme(externalVersions ...unversioned.GroupVersion) { | ||
| // add the internal version to Scheme | ||
| api.AddToScheme(configapi.Scheme) | ||
| // add the enabled external versions to Scheme | ||
| for _, v := range externalVersions { | ||
| switch v { | ||
| case v1.SchemeGroupVersion: | ||
| v1.AddToScheme(configapi.Scheme) | ||
|
|
||
| default: | ||
| glog.Errorf("Version %s is not known, so it will not be added to the Scheme.", v) | ||
| continue | ||
| } | ||
| } | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,33 @@ | ||
| package api | ||
|
|
||
| import ( | ||
| "k8s.io/kubernetes/pkg/api/unversioned" | ||
| "k8s.io/kubernetes/pkg/runtime" | ||
| ) | ||
|
|
||
| // SchemeGroupVersion is group version used to register these objects | ||
| var SchemeGroupVersion = unversioned.GroupVersion{Group: "", Version: runtime.APIVersionInternal} | ||
|
|
||
| // Kind takes an unqualified kind and returns back a Group qualified GroupKind | ||
| func Kind(kind string) unversioned.GroupKind { | ||
| return SchemeGroupVersion.WithKind(kind).GroupKind() | ||
| } | ||
|
|
||
| // Resource takes an unqualified resource and returns back a Group qualified GroupResource | ||
| func Resource(resource string) unversioned.GroupResource { | ||
| return SchemeGroupVersion.WithResource(resource).GroupResource() | ||
| } | ||
|
|
||
| var ( | ||
| SchemeBuilder = runtime.NewSchemeBuilder(addKnownTypes) | ||
| AddToScheme = SchemeBuilder.AddToScheme | ||
| ) | ||
|
|
||
| func addKnownTypes(scheme *runtime.Scheme) error { | ||
| scheme.AddKnownTypes(SchemeGroupVersion, | ||
| &IngressAdmissionConfig{}, | ||
| ) | ||
| return nil | ||
| } | ||
|
|
||
| func (obj *IngressAdmissionConfig) GetObjectKind() unversioned.ObjectKind { return &obj.TypeMeta } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,20 @@ | ||
| package api | ||
|
|
||
| import ( | ||
| "k8s.io/kubernetes/pkg/api/unversioned" | ||
| ) | ||
|
|
||
| // IngressAdmissionConfig is the configuration for the the ingress | ||
| // controller limiter plugin. It changes the behavior of ingress | ||
| // objects to behave better with openshift routes and routers. | ||
| // *NOTE* This has security implications in the router when handling | ||
| // ingress objects | ||
| type IngressAdmissionConfig struct { | ||
| unversioned.TypeMeta | ||
|
|
||
| // AllowHostnameChanges when false or unset openshift does not | ||
| // allow changing or adding hostnames to ingress objects. If set | ||
| // to true then hostnames can be added or modified which has | ||
| // security implications in the router. | ||
| AllowHostnameChanges bool | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,63 @@ | ||
| package v1_test | ||
|
|
||
| import ( | ||
| "reflect" | ||
| "testing" | ||
|
|
||
| "k8s.io/kubernetes/pkg/runtime" | ||
| "k8s.io/kubernetes/pkg/util/diff" | ||
|
|
||
| configapi "github.com/openshift/origin/pkg/cmd/server/api" | ||
| v1 "github.com/openshift/origin/pkg/cmd/server/api/v1" | ||
| _ "github.com/openshift/origin/pkg/ingress/admission/api/install" | ||
|
|
||
| ingressv1 "github.com/openshift/origin/pkg/ingress/admission/api/v1" | ||
| ) | ||
|
|
||
| func roundTrip(t *testing.T, obj runtime.Object) runtime.Object { | ||
| data, err := runtime.Encode(configapi.Codecs.LegacyCodec(v1.SchemeGroupVersion), obj) | ||
| if err != nil { | ||
| t.Errorf("%v\n %#v", err, obj) | ||
| return nil | ||
| } | ||
| obj2, err := runtime.Decode(configapi.Codecs.UniversalDecoder(), data) | ||
| if err != nil { | ||
| t.Errorf("%v\nData: %s\nSource: %#v", err, string(data), obj) | ||
| return nil | ||
| } | ||
| obj3 := reflect.New(reflect.TypeOf(obj).Elem()).Interface().(runtime.Object) | ||
| err = configapi.Scheme.Convert(obj2, obj3, nil) | ||
| if err != nil { | ||
| t.Errorf("%v\nSourceL %#v", err, obj2) | ||
| return nil | ||
| } | ||
| return obj3 | ||
| } | ||
|
|
||
| func TestDefaults(t *testing.T) { | ||
| tests := []struct { | ||
| original *ingressv1.IngressAdmissionConfig | ||
| expected *ingressv1.IngressAdmissionConfig | ||
| }{ | ||
| { | ||
| original: &ingressv1.IngressAdmissionConfig{}, | ||
| expected: &ingressv1.IngressAdmissionConfig{ | ||
| AllowHostnameChanges: false, | ||
| }, | ||
| }, | ||
| } | ||
| for i, test := range tests { | ||
| t.Logf("test %d", i) | ||
| original := test.original | ||
| expected := test.expected | ||
| obj2 := roundTrip(t, runtime.Object(original)) | ||
| got, ok := obj2.(*ingressv1.IngressAdmissionConfig) | ||
| if !ok { | ||
| t.Errorf("unexpected object: %v", got) | ||
| t.FailNow() | ||
| } | ||
| if !reflect.DeepEqual(got, expected) { | ||
| t.Errorf("got different than expected:\nA:\t%#v\nB:\t%#v\n\nDiff:\n%s\n\n%s", got, expected, diff.ObjectDiff(expected, got), diff.ObjectGoPrintSideBySide(expected, got)) | ||
| } | ||
| } | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,23 @@ | ||
| package v1 | ||
|
|
||
| import ( | ||
| "k8s.io/kubernetes/pkg/api/unversioned" | ||
| "k8s.io/kubernetes/pkg/runtime" | ||
| ) | ||
|
|
||
| // SchemeGroupVersion is group version used to register these objects | ||
| var SchemeGroupVersion = unversioned.GroupVersion{Group: "", Version: "v1"} | ||
|
|
||
| var ( | ||
| SchemeBuilder = runtime.NewSchemeBuilder(addKnownTypes) | ||
| AddToScheme = SchemeBuilder.AddToScheme | ||
| ) | ||
|
|
||
| func addKnownTypes(scheme *runtime.Scheme) error { | ||
| scheme.AddKnownTypes(SchemeGroupVersion, | ||
| &IngressAdmissionConfig{}, | ||
| ) | ||
| return nil | ||
| } | ||
|
|
||
| func (obj *IngressAdmissionConfig) GetObjectKind() unversioned.ObjectKind { return &obj.TypeMeta } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,15 @@ | ||
| package v1 | ||
|
|
||
| // This file contains methods that can be used by the go-restful package to generate Swagger | ||
| // documentation for the object types found in 'types.go' This file is automatically generated | ||
| // by hack/update-generated-swagger-descriptions.sh and should be run after a full build of OpenShift. | ||
| // ==== DO NOT EDIT THIS FILE MANUALLY ==== | ||
|
|
||
| var map_IngressAdmissionConfig = map[string]string{ | ||
| "": "IngressAdmissionConfig is the configuration for the the ingress controller limiter plugin. It changes the behavior of ingress objects to behave better with openshift routes and routers. *NOTE* This has security implications in the router when handling ingress objects", | ||
| "allowHostnameChanges": "AllowHostnameChanges when false or unset openshift does not allow changing or adding hostnames to ingress objects. If set to true then hostnames can be added or modified which has security implications in the router.", | ||
| } | ||
|
|
||
| func (IngressAdmissionConfig) SwaggerDoc() map[string]string { | ||
| return map_IngressAdmissionConfig | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,20 @@ | ||
| package v1 | ||
|
|
||
| import ( | ||
| "k8s.io/kubernetes/pkg/api/unversioned" | ||
| ) | ||
|
|
||
| // IngressAdmissionConfig is the configuration for the the ingress | ||
| // controller limiter plugin. It changes the behavior of ingress | ||
| // objects to behave better with openshift routes and routers. | ||
| // *NOTE* This has security implications in the router when handling | ||
| // ingress objects | ||
| type IngressAdmissionConfig struct { | ||
| unversioned.TypeMeta `json:",inline"` | ||
|
|
||
| // AllowHostnameChanges when false or unset openshift does not | ||
| // allow changing or adding hostnames to ingress objects. If set | ||
| // to true then hostnames can be added or modified which has | ||
| // security implications in the router. | ||
| AllowHostnameChanges bool `json:"allowHostnameChanges"` | ||
| } | ||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,96 @@ | ||
| // This plugin supplements upstream Ingress admission validation | ||
| // It takes care of current Openshift specific constraints on Ingress resources | ||
| package admission | ||
|
|
||
| import ( | ||
| "fmt" | ||
| "io" | ||
| "reflect" | ||
|
|
||
| "k8s.io/client-go/pkg/util/sets" | ||
| kadmission "k8s.io/kubernetes/pkg/admission" | ||
| kextensions "k8s.io/kubernetes/pkg/apis/extensions" | ||
| clientset "k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset" | ||
|
|
||
| configlatest "github.com/openshift/origin/pkg/cmd/server/api/latest" | ||
| "github.com/openshift/origin/pkg/ingress/admission/api" | ||
| ) | ||
|
|
||
| const ( | ||
| IngressAdmission = "openshift.io/IngressAdmission" | ||
| ) | ||
|
|
||
| func init() { | ||
| kadmission.RegisterPlugin(IngressAdmission, func(clien clientset.Interface, config io.Reader) (kadmission.Interface, error) { | ||
| pluginConfig, err := readConfig(config) | ||
| if err != nil { | ||
| return nil, err | ||
| } | ||
| return NewIngressAdmission(pluginConfig), nil | ||
| }) | ||
| } | ||
|
|
||
| type ingressAdmission struct { | ||
| *kadmission.Handler | ||
| config *api.IngressAdmissionConfig | ||
| } | ||
|
|
||
| func NewIngressAdmission(config *api.IngressAdmissionConfig) *ingressAdmission { | ||
| return &ingressAdmission{ | ||
| Handler: kadmission.NewHandler(kadmission.Create, kadmission.Update), | ||
| config: config, | ||
| } | ||
| } | ||
|
|
||
| func readConfig(reader io.Reader) (*api.IngressAdmissionConfig, error) { | ||
| if reader == nil || reflect.ValueOf(reader).IsNil() { | ||
| return nil, nil | ||
| } | ||
| obj, err := configlatest.ReadYAML(reader) | ||
| if err != nil { | ||
| return nil, err | ||
| } | ||
| if obj == nil { | ||
| return nil, nil | ||
| } | ||
| config, ok := obj.(*api.IngressAdmissionConfig) | ||
| if !ok { | ||
| return nil, fmt.Errorf("unexpected config object: %#v", obj) | ||
| } | ||
| // No validation needed since config is just list of strings | ||
| return config, nil | ||
| } | ||
|
|
||
| func (r *ingressAdmission) Admit(a kadmission.Attributes) error { | ||
| if a.GetResource().GroupResource() == kextensions.Resource("ingresses") && a.GetOperation() == kadmission.Update { | ||
| if r.config == nil || r.config.AllowHostnameChanges == false { | ||
| oldIngress, ok := a.GetOldObject().(*kextensions.Ingress) | ||
| if !ok { | ||
| return nil | ||
| } | ||
| newIngress, ok := a.GetObject().(*kextensions.Ingress) | ||
| if !ok { | ||
| return nil | ||
| } | ||
| if !haveHostnamesChanged(oldIngress, newIngress) { | ||
| return fmt.Errorf("cannot change hostname") | ||
| } | ||
| } | ||
| } | ||
| return nil | ||
| } | ||
|
|
||
| func haveHostnamesChanged(oldIngress, newIngress *kextensions.Ingress) bool { | ||
| hostnameSet := sets.NewString() | ||
| for _, element := range oldIngress.Spec.Rules { | ||
| hostnameSet.Insert(element.Host) | ||
| } | ||
|
|
||
| for _, element := range newIngress.Spec.Rules { | ||
| if present := hostnameSet.Has(element.Host); !present { | ||
| return false | ||
| } | ||
| } | ||
|
|
||
| return true | ||
| } |
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Same comments here as earlier file