Implement the admission framework for VWs

On-behalf-of: @SAP [email protected]
Signed-off-by: Marko Mudrinić <[email protected]>

Author: xmudrii

cmd/virtual-workspaces/command/cmd.go

@@ -44,6 +44,7 @@ import (
 	kcpfeatures "github.com/kcp-dev/kcp/pkg/features"
 	"github.com/kcp-dev/kcp/pkg/server/bootstrap"
 	virtualrootapiserver "github.com/kcp-dev/kcp/pkg/virtual/framework/rootapiserver"
+	virtualoptions "github.com/kcp-dev/kcp/pkg/virtual/options"
 	kcpclientset "github.com/kcp-dev/kcp/sdk/client/clientset/versioned/cluster"
 	kcpinformers "github.com/kcp-dev/kcp/sdk/client/informers/externalversions"
 )
@@ -178,6 +179,13 @@ func Run(ctx context.Context, o *options.Options) error {
 		return err
 	}
 
+	admissionOptions := virtualoptions.NewAdmission()
+	if err := admissionOptions.ApplyTo(&recommendedConfig.Config, func() []virtualrootapiserver.NamedVirtualWorkspace {
+		return rootAPIServerConfig.Extra.VirtualWorkspaces
+	}); err != nil {
+		return err
+	}
+
 	sharedExternalURLGetter := func() string {
 		return o.ShardExternalURL
 	}

pkg/server/virtual.go

@@ -85,6 +85,13 @@ func newVirtualConfig(
 		return nil, err
 	}
 
+	admissionOptions := virtualoptions.NewAdmission()
+	if err := admissionOptions.ApplyTo(&recommendedConfig.Config, func() []virtualrootapiserver.NamedVirtualWorkspace {
+		return c.Extra.VirtualWorkspaces
+	}); err != nil {
+		return nil, err
+	}
+
 	c.Extra.VirtualWorkspaces, err = o.Virtual.VirtualWorkspaces.NewVirtualWorkspaces(
 		config,
 		virtualcommandoptions.DefaultRootPathPrefix,

pkg/virtual/framework/admission/initializers/initializer.go

@@ -0,0 +1,43 @@
+/*
+Copyright 2025 The KCP Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package initializers
+
+import (
+	"k8s.io/apiserver/pkg/admission"
+
+	"github.com/kcp-dev/kcp/pkg/virtual/framework/rootapiserver"
+)
+
+// NewVirtualWorkspacesInitializer returns an admission plugin initializer that injects
+// both virtual workspaces factories into admission plugins.
+func NewVirtualWorkspacesInitializer(
+	virtualWorkspaces func() []rootapiserver.NamedVirtualWorkspace,
+) *virtualWorkspacesInitializer {
+	return &virtualWorkspacesInitializer{
+		virtualWorkspaces: virtualWorkspaces,
+	}
+}
+
+type virtualWorkspacesInitializer struct {
+	virtualWorkspaces func() []rootapiserver.NamedVirtualWorkspace
+}
+
+func (i *virtualWorkspacesInitializer) Initialize(plugin admission.Interface) {
+	if wants, ok := plugin.(WantsVirtualWorkspaces); ok {
+		wants.SetVirtualWorkspaces(i.virtualWorkspaces)
+	}
+}

pkg/virtual/framework/admission/initializers/interfaces.go

@@ -0,0 +1,27 @@
+/*
+Copyright 2025 The KCP Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package initializers
+
+import (
+	"github.com/kcp-dev/kcp/pkg/virtual/framework/rootapiserver"
+)
+
+// WantsVirtualWorkspaces interface should be implemented by admission plugins
+// that want to have virtual workspaces injected.
+type WantsVirtualWorkspaces interface {
+	SetVirtualWorkspaces(virtualWorkspaces func() []rootapiserver.NamedVirtualWorkspace)
+}

pkg/virtual/framework/admission/interface.go

@@ -0,0 +1,49 @@
+/*
+Copyright 2025 The KCP Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package admission
+
+import (
+	"context"
+
+	"k8s.io/apiserver/pkg/admission"
+)
+
+/*
+	These interfaces are supposed to be used by the virtual workspace admission plugins.
+	We're intentionally not using the Kubernetes admission interfaces as those require an
+	additional function, Handle, which we don't need in admission for virtual workspaces.
+*/
+
+// Mutator is an abstract, pluggable interface for Admission Control decisions.
+type Mutator interface {
+	// Admit makes an admission decision based on the request attributes.
+	// Context is used only for timeout/deadline/cancellation and tracing information.
+	Admit(ctx context.Context, a admission.Attributes, o admission.ObjectInterfaces) (err error)
+}
+
+// Validator is an abstract, pluggable interface for Admission Control decisions.
+type Validator interface {
+	// Validate makes an admission decision based on the request attributes.  It is NOT allowed to mutate
+	// Context is used only for timeout/deadline/cancellation and tracing information.
+	Validate(ctx context.Context, a admission.Attributes, o admission.ObjectInterfaces) (err error)
+}
+
+// MutatorValidator is a union of Mutator and Validator interfaces.
+type MutatorValidator interface {
+	Mutator
+	Validator
+}

pkg/virtual/framework/admission/mutatingwebhook/plugin.go

@@ -0,0 +1,91 @@
+/*
+Copyright 2025 The KCP Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package mutatingwebhook
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"io"
+
+	kerrors "k8s.io/apimachinery/pkg/api/errors"
+	"k8s.io/apiserver/pkg/admission"
+
+	vwinitializers "github.com/kcp-dev/kcp/pkg/virtual/framework/admission/initializers"
+	virtualcontext "github.com/kcp-dev/kcp/pkg/virtual/framework/context"
+	"github.com/kcp-dev/kcp/pkg/virtual/framework/rootapiserver"
+)
+
+const (
+	PluginName = "apis.kcp.io/VWMutatingWebhook"
+)
+
+type Plugin struct {
+	*admission.Handler
+
+	virtualWorkspaces func() []rootapiserver.NamedVirtualWorkspace
+}
+
+var (
+	_ = admission.MutationInterface(&Plugin{})
+	_ = admission.InitializationValidator(&Plugin{})
+	_ = vwinitializers.WantsVirtualWorkspaces(&Plugin{})
+)
+
+func NewMutatingAdmissionWebhook() (*Plugin, error) {
+	return &Plugin{
+		// We're handling all possible operations, it's up to the plugin implemention to decide which one to
+		// handle.
+		Handler: admission.NewHandler(admission.Connect, admission.Create, admission.Delete, admission.Update),
+	}, nil
+}
+
+func Register(plugins *admission.Plugins) {
+	plugins.Register(PluginName, func(_ io.Reader) (admission.Interface, error) {
+		return NewMutatingAdmissionWebhook()
+	})
+}
+
+func (p *Plugin) Admit(ctx context.Context, attr admission.Attributes, o admission.ObjectInterfaces) error {
+	if err := p.ValidateInitialization(); err != nil {
+		return kerrors.NewInternalError(fmt.Errorf("error validating MutatingWebhook initialization: %w", err))
+	}
+
+	virtualWorkspaceName, _ := virtualcontext.VirtualWorkspaceNameFrom(ctx)
+	if virtualWorkspaceName == "" {
+		return kerrors.NewBadRequest("path not resolved to a valid virtual workspace")
+	}
+
+	for _, vw := range p.virtualWorkspaces() {
+		if vw.Name == virtualWorkspaceName {
+			return vw.VirtualWorkspace.Admit(ctx, attr, o)
+		}
+	}
+
+	return nil
+}
+
+func (p *Plugin) ValidateInitialization() error {
+	if p.virtualWorkspaces == nil {
+		return errors.New("missing virtualWorkspaces")
+	}
+	return nil
+}
+
+func (p *Plugin) SetVirtualWorkspaces(virtualWorkspaces func() []rootapiserver.NamedVirtualWorkspace) {
+	p.virtualWorkspaces = virtualWorkspaces
+}

pkg/virtual/framework/admission/plugins/plugins.go

@@ -0,0 +1,37 @@
+/*
+Copyright 2025 The KCP Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package plugins
+
+import (
+	"k8s.io/apiserver/pkg/admission"
+
+	"github.com/kcp-dev/kcp/pkg/virtual/framework/admission/mutatingwebhook"
+	"github.com/kcp-dev/kcp/pkg/virtual/framework/admission/validatingwebhook"
+)
+
+// AllOrderedPlugins is the list of all the plugins in order.
+var AllOrderedPlugins = []string{
+	mutatingwebhook.PluginName,
+	validatingwebhook.PluginName,
+}
+
+// RegisterAllVWAdmissionPlugins registers all admission plugins.
+// The order of registration is irrelevant, see AllOrderedPlugins for execution order.
+func RegisterAllVWAdmissionPlugins(plugins *admission.Plugins) {
+	mutatingwebhook.Register(plugins)
+	validatingwebhook.Register(plugins)
+}

pkg/virtual/framework/admission/validatingwebhook/plugin.go

@@ -0,0 +1,91 @@
+/*
+Copyright 2025 The KCP Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package validatingwebhook
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"io"
+
+	kerrors "k8s.io/apimachinery/pkg/api/errors"
+	"k8s.io/apiserver/pkg/admission"
+
+	vwinitializers "github.com/kcp-dev/kcp/pkg/virtual/framework/admission/initializers"
+	virtualcontext "github.com/kcp-dev/kcp/pkg/virtual/framework/context"
+	"github.com/kcp-dev/kcp/pkg/virtual/framework/rootapiserver"
+)
+
+const (
+	PluginName = "apis.kcp.io/qqqqqq"
+)
+
+type Plugin struct {
+	*admission.Handler
+
+	virtualWorkspaces func() []rootapiserver.NamedVirtualWorkspace
+}
+
+var (
+	_ = admission.ValidationInterface(&Plugin{})
+	_ = admission.InitializationValidator(&Plugin{})
+	_ = vwinitializers.WantsVirtualWorkspaces(&Plugin{})
+)
+
+func NewValidatingAdmissionWebhook() (*Plugin, error) {
+	return &Plugin{
+		// We're handling all possible operations, it's up to the plugin implemention to decide which one to
+		// handle.
+		Handler: admission.NewHandler(admission.Connect, admission.Create, admission.Delete, admission.Update),
+	}, nil
+}
+
+func Register(plugins *admission.Plugins) {
+	plugins.Register(PluginName, func(_ io.Reader) (admission.Interface, error) {
+		return NewValidatingAdmissionWebhook()
+	})
+}
+
+func (p *Plugin) Validate(ctx context.Context, a admission.Attributes, o admission.ObjectInterfaces) (err error) {
+	if err := p.ValidateInitialization(); err != nil {
+		return kerrors.NewInternalError(fmt.Errorf("error validating MutatingWebhook initialization: %w", err))
+	}
+
+	virtualWorkspaceName, _ := virtualcontext.VirtualWorkspaceNameFrom(ctx)
+	if virtualWorkspaceName == "" {
+		return kerrors.NewBadRequest("path not resolved to a valid virtual workspace")
+	}
+
+	for _, vw := range p.virtualWorkspaces() {
+		if vw.Name == virtualWorkspaceName {
+			return vw.VirtualWorkspace.Validate(ctx, a, o)
+		}
+	}
+
+	return nil
+}
+
+func (p *Plugin) ValidateInitialization() error {
+	if p.virtualWorkspaces == nil {
+		return errors.New("missing virtualWorkspaces")
+	}
+	return nil
+}
+
+func (p *Plugin) SetVirtualWorkspaces(virtualWorkspaces func() []rootapiserver.NamedVirtualWorkspace) {
+	p.virtualWorkspaces = virtualWorkspaces
+}