Revert "Add feature flag to enable certain clusters to drain worker nodes (#279)"

This reverts commit f6216b6.

Author: yithian

build/resources.go

@@ -111,17 +111,6 @@ func createRole() *rbacv1.Role {
 			Namespace: *namespace,
 		},
 		Rules: []rbacv1.PolicyRule{
-			{
-				APIGroups: []string{
-					"",
-				},
-				Resources: []string{
-					"configmaps",
-				},
-				Verbs: []string{
-					"get",
-				},
-			},
 			{
 				APIGroups: []string{
 					"",

build/selectorsyncset.yaml

@@ -41,12 +41,6 @@ objects:
         name: validation-webhook
         namespace: openshift-validation-webhook
       rules:
-      - apiGroups:
-        - ""
-        resources:
-        - configmaps
-        verbs:
-        - get
       - apiGroups:
         - ""
         resources:

pkg/webhooks/add_node.go

@@ -1,40 +1,7 @@
 package webhooks
 
-import (
-	"context"
-	"log"
-
-	"github.com/openshift/managed-cluster-validating-webhooks/config"
-	"github.com/openshift/managed-cluster-validating-webhooks/pkg/webhooks/node"
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"k8s.io/client-go/kubernetes"
-	"k8s.io/client-go/rest"
-)
-
-const allowWorkerNodeCordonConfigMapName = "allow-worker-node-cordon"
+import "github.com/openshift/managed-cluster-validating-webhooks/pkg/webhooks/node"
 
 func init() {
-	cfg, err := rest.InClusterConfig()
-	if err != nil {
-		log.Println("failed to load config for feature flag, running node webhook without the feature flag")
-		Register(node.WebhookName, func() Webhook { return node.NewWebhook(false) })
-		return
-	}
-
-	client, err := kubernetes.NewForConfig(cfg)
-	if err != nil {
-		log.Println("failed to build kube client for feature flag, running node webhook without the feature flag")
-		Register(node.WebhookName, func() Webhook { return node.NewWebhook(false) })
-		return
-	}
-
-	if _, err := client.CoreV1().ConfigMaps(config.OperatorNamespace).Get(context.TODO(), allowWorkerNodeCordonConfigMapName, metav1.GetOptions{}); err != nil {
-		// The Configmap does not exist or we ran into errors looking for it
-		// Assume this feature flag should be off
-		Register(node.WebhookName, func() Webhook { return node.NewWebhook(false) })
-		return
-	}
-
-	// The ConfigMap exists! Turn on the feature flag
-	Register(node.WebhookName, func() Webhook { return node.NewWebhook(true) })
+	Register(node.WebhookName, func() Webhook { return node.NewWebhook() })
 }

pkg/webhooks/node/node.go

@@ -49,8 +49,7 @@ var (
 
 // NodeWebhook protects various objects from unauthorized manipulation
 type NodeWebhook struct {
-	scheme             *runtime.Scheme
-	allowCordonWorkers bool
+	scheme *runtime.Scheme
 }
 
 func (s *NodeWebhook) Doc() string {
@@ -136,14 +135,6 @@ func (s *NodeWebhook) authorized(request admissionctl.Request) admissionctl.Resp
 
 	//Checks for non-adminGroups non-ceeGroup non-adminGroups users
 	if request.Kind.Kind == "Node" {
-		// If the allowCordonWorkers feature flag is off - deny all node actions
-		if !s.allowCordonWorkers {
-			log.Info("Denying access to modify nodes")
-			ret = admissionctl.Denied("Prevented from modifying Red Hat managed nodes. This is in an effort to prevent harmful actions that may cause unintended consequences or affect the stability of the cluster. If you have any questions about this, please reach out to Red Hat support at https://access.redhat.com/support")
-			ret.UID = request.AdmissionRequest.UID
-			return ret
-		}
-
 		node := corev1.Node{}
 		decoder, err := admission.NewDecoder(s.scheme)
 		if err != nil {
@@ -217,9 +208,8 @@ func (s *NodeWebhook) SyncSetLabelSelector() metav1.LabelSelector {
 func (s *NodeWebhook) HypershiftEnabled() bool { return false }
 
 // NewWebhook creates a new webhook
-func NewWebhook(allowCordonWorkers bool) *NodeWebhook {
+func NewWebhook() *NodeWebhook {
 	return &NodeWebhook{
-		scheme:             runtime.NewScheme(),
-		allowCordonWorkers: allowCordonWorkers,
+		scheme: runtime.NewScheme(),
 	}
 }