Add mutating webhook to set fsGroupChangePolicy field (#582)
* Add mutating webhook to set fsGroupChangePolicy field * Added decoder, debug logging * Fix path * Add missing name * Fix typo * Add sample podAnnotator * Try defaulter * Do webhook registration earlier * Add webhook server configuration annotations * Test cert-dir annotation * Remove webhook-server annotation * Fix typo * Logging * Add webhook server * Naming * Formatting * Try different registration * Move registration after start * Try registering FsGroupPolicySetter again * Move registration back up again * ... * use port 9443 again * Update annotation * Add scheme * Fix setting FSGroupChangePolicy * Remove samples * Make webhook configurable * Remove useless check * Since fsGroup is set by default, also enable webhook by default * Move code * Remove webhook.Options (we're using the default port anyway)
Showing
2 changed files
with
76 additions
and
0 deletions.
@@ -0,0 +1,51 @@ | ||
package webhooks | ||
|
||
import ( | ||
"context" | ||
"encoding/json" | ||
"net/http" | ||
|
||
"github.com/go-logr/logr" | ||
appsv1 "k8s.io/api/apps/v1" | ||
v1 "k8s.io/api/core/v1" | ||
"sigs.k8s.io/controller-runtime/pkg/client" | ||
|
||
"sigs.k8s.io/controller-runtime/pkg/webhook/admission" | ||
) | ||
|
||
// +kubebuilder:webhook:path=/mutate-apps-v1-statefulset,mutating=true,failurePolicy=ignore,groups=apps,resources=statefulsets,verbs=create;update,versions=v1,name=fsgroupchangepolicy.postgres.fits.cloud | ||
|
||
// FsGroupChangePolicySetter Adds securityContext.fsGroupChangePolicy=OnRootMismatch when the securityContext.fsGroup field is set | ||
type FsGroupChangePolicySetter struct { | ||
SvcClient client.Client | ||
Decoder *admission.Decoder | ||
Log logr.Logger | ||
} | ||
|
||
func (a *FsGroupChangePolicySetter) Handle(ctx context.Context, req admission.Request) admission.Response { | ||
log := a.Log.WithValues("name", req.Name, "ns", req.Namespace) | ||
log.V(1).Info("handling admission request") | ||
|
||
sts := &appsv1.StatefulSet{} | ||
err := a.Decoder.Decode(req, sts) | ||
if err != nil { | ||
log.Error(err, "failed to decode request") | ||
return admission.Errored(http.StatusBadRequest, err) | ||
} | ||
|
||
// when the fsGroup field is set, also set the fsGroupChangePolicy to OnRootMismatch | ||
if sts.Spec.Template.Spec.SecurityContext != nil && sts.Spec.Template.Spec.SecurityContext.FSGroup != nil { | ||
p := v1.FSGroupChangeOnRootMismatch | ||
sts.Spec.Template.Spec.SecurityContext.FSGroupChangePolicy = &p | ||
log.V(1).Info("Mutating StatefulSet", "sts", sts) | ||
} | ||
|
||
marshaledSts, err := json.Marshal(sts) | ||
if err != nil { | ||
log.Error(err, "failed to marshal response") | ||
return admission.Errored(http.StatusInternalServerError, err) | ||
} | ||
|
||
log.V(1).Info("done") | ||
return admission.PatchResponseFromRaw(req.Object.Raw, marshaledSts) | ||
} |
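Review bot: The mutation inside the `if` block in Handle overwrites whatever fsGroupChangePolicy the StatefulSet author already chose, so an explicit `Always` is silently downgraded to `OnRootMismatch` on every create and update; the guard should only default a missing value, e.g. `if sc := sts.Spec.Template.Spec.SecurityContext; sc != nil && sc.FSGroup != nil && sc.FSGroupChangePolicy == nil {`. The debug line `log.V(1).Info("Mutating StatefulSet", "sts", sts)` serialises the entire object, pod template included, into the log, which may carry values the template's containers are configured with; logging just `"fsGroup", *sc.FSGroup` is enough to trace the decision and keeps the message lowercase like the others. `SvcClient` is not referenced anywhere in this file, so it is presumably injected for later use; a short comment on the field saying so, or dropping it, would avoid the question on the next review. The struct doc comment should also state that the policy is only applied when the field is unset once the guard is changed.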