Add webhook handling for k8s components when v1alpha1 dws are used

Duplicate code for checking RBAC for Kubernetes/OpenShift components to
accomodate v1alpha1 DevWorkspaces as well.

Signed-off-by: Angel Misevski <[email protected]>

Author: amisevsk

webhook/workspace/handler/kubernetes.go

@@ -18,6 +18,7 @@ import (
 	"fmt"
 	"strings"
 
+	dwv1 "github.com/devfile/api/v2/pkg/apis/workspaces/v1alpha1"
 	dwv2 "github.com/devfile/api/v2/pkg/apis/workspaces/v1alpha2"
 	authv1 "k8s.io/api/authorization/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -168,3 +169,64 @@ func getKubeLikeComponent(component *dwv2.Component) (*dwv2.K8sLikeComponent, er
 	}
 	return nil, fmt.Errorf("component does not specify kubernetes or openshift fields")
 }
+
+func (h *WebhookHandler) validateKubernetesObjectPermissionsOnCreate_v1alpha1(ctx context.Context, req admission.Request, wksp *dwv1.DevWorkspace) error {
+	kubeComponents := getKubeComponentsFromWorkspace_v1alpha1(wksp)
+	for componentName, component := range kubeComponents {
+		if component.Uri != "" {
+			return fmt.Errorf("kubenetes components specified via URI are unsupported")
+		}
+		if component.Inlined == "" {
+			return fmt.Errorf("kubernetes component does not define inlined content")
+		}
+		if err := h.validatePermissionsOnObject(ctx, req, componentName, component.Inlined); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+func (h *WebhookHandler) validateKubernetesObjectPermissionsOnUpdate_v1alpha1(ctx context.Context, req admission.Request, newWksp, oldWksp *dwv1.DevWorkspace) error {
+	newKubeComponents := getKubeComponentsFromWorkspace_v1alpha1(newWksp)
+	oldKubeComponents := getKubeComponentsFromWorkspace_v1alpha1(oldWksp)
+
+	for componentName, newComponent := range newKubeComponents {
+		if newComponent.Uri != "" {
+			return fmt.Errorf("kubenetes components specified via URI are unsupported")
+		}
+		if newComponent.Inlined == "" {
+			return fmt.Errorf("kubernetes component does not define inlined content")
+		}
+
+		oldComponent, ok := oldKubeComponents[componentName]
+		if !ok || oldComponent.Inlined != newComponent.Inlined {
+			// Review new components
+			if err := h.validatePermissionsOnObject(ctx, req, componentName, newComponent.Inlined); err != nil {
+				return err
+			}
+		}
+	}
+	return nil
+}
+
+func getKubeComponentsFromWorkspace_v1alpha1(wksp *dwv1.DevWorkspace) map[string]dwv1.K8sLikeComponent {
+	kubeComponents := map[string]dwv1.K8sLikeComponent{}
+	for _, component := range wksp.Spec.Template.Components {
+		kubeComponent, err := getKubeLikeComponent_v1alpha1(&component)
+		if err != nil {
+			continue
+		}
+		kubeComponents[kubeComponent.Name] = *kubeComponent
+	}
+	return kubeComponents
+}
+
+func getKubeLikeComponent_v1alpha1(component *dwv1.Component) (*dwv1.K8sLikeComponent, error) {
+	if component.Kubernetes != nil {
+		return &component.Kubernetes.K8sLikeComponent, nil
+	}
+	if component.Openshift != nil {
+		return &component.Openshift.K8sLikeComponent, nil
+	}
+	return nil, fmt.Errorf("component does not specify kubernetes or openshift fields")
+}

webhook/workspace/handler/workspace.go

@@ -29,7 +29,7 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
 )
 
-func (h *WebhookHandler) MutateWorkspaceV1alpha1OnCreate(_ context.Context, req admission.Request) admission.Response {
+func (h *WebhookHandler) MutateWorkspaceV1alpha1OnCreate(ctx context.Context, req admission.Request) admission.Response {
 	wksp := &dwv1.DevWorkspace{}
 	err := h.Decoder.Decode(req, wksp)
 	if err != nil {
@@ -38,6 +38,10 @@ func (h *WebhookHandler) MutateWorkspaceV1alpha1OnCreate(_ context.Context, req
 
 	wksp.Labels = maputils.Append(wksp.Labels, constants.DevWorkspaceCreatorLabel, req.UserInfo.UID)
 
+	if err := h.validateKubernetesObjectPermissionsOnCreate_v1alpha1(ctx, req, wksp); err != nil {
+		return admission.Denied(err.Error())
+	}
+
 	return h.returnPatched(req, wksp)
 }
 
@@ -65,7 +69,7 @@ func (h *WebhookHandler) MutateWorkspaceV1alpha2OnCreate(ctx context.Context, re
 	return h.returnPatched(req, wksp)
 }
 
-func (h *WebhookHandler) MutateWorkspaceV1alpha1OnUpdate(_ context.Context, req admission.Request) admission.Response {
+func (h *WebhookHandler) MutateWorkspaceV1alpha1OnUpdate(ctx context.Context, req admission.Request) admission.Response {
 	newWksp := &dwv1.DevWorkspace{}
 	oldWksp := &dwv1.DevWorkspace{}
 	err := h.parse(req, oldWksp, newWksp)
@@ -82,6 +86,10 @@ func (h *WebhookHandler) MutateWorkspaceV1alpha1OnUpdate(_ context.Context, req
 		return admission.Denied(msg)
 	}
 
+	if err := h.validateKubernetesObjectPermissionsOnUpdate_v1alpha1(ctx, req, newWksp, oldWksp); err != nil {
+		return admission.Denied(err.Error())
+	}
+
 	oldCreator, found := oldWksp.Labels[constants.DevWorkspaceCreatorLabel]
 	if !found {
 		return admission.Denied(fmt.Sprintf("label '%s' is missing. Please recreate devworkspace to get it initialized", constants.DevWorkspaceCreatorLabel))