Add Mutating Webhook PodImageSpec (#305)

* updated webhook

* update webhook to use jsonpatch

* a few minor updates

* optimize podimagespec webhook logic

* remove unused code paths

* add regex unit tests

* add unit tests for pod contains regex match

* provide rbac permissions

* fix a couple bugs

* Added UID to response return and a few minor updated

* go fmt

---------

Co-authored-by: Linh Nguyen <[email protected]>
Co-authored-by: Lisa Rashidi-Ranjbar <[email protected]>
Co-authored-by: Christoph Blecker <[email protected]>

Author: 4 people

build/resources.go

@@ -162,6 +162,55 @@ func createRoleBinding() *rbacv1.RoleBinding {
 	}
 }
 
+func createClusterRole() *rbacv1.ClusterRole {
+	return &rbacv1.ClusterRole{
+		TypeMeta: metav1.TypeMeta{
+			Kind:       "ClusterRole",
+			APIVersion: rbacv1.SchemeGroupVersion.String(),
+		},
+		ObjectMeta: metav1.ObjectMeta{
+			Name: roleName,
+		},
+		Rules: []rbacv1.PolicyRule{
+			{
+				APIGroups: []string{
+					"imageregistry.operator.openshift.io",
+				},
+				Resources: []string{
+					"configs",
+				},
+				Verbs: []string{
+					"get",
+				},
+			},
+		},
+	}
+}
+
+func createClusterRoleBinding() *rbacv1.ClusterRoleBinding {
+	return &rbacv1.ClusterRoleBinding{
+		TypeMeta: metav1.TypeMeta{
+			Kind:       "ClusterRoleBinding",
+			APIVersion: rbacv1.SchemeGroupVersion.String(),
+		},
+		ObjectMeta: metav1.ObjectMeta{
+			Name: fmt.Sprintf("%s:%s", roleName, serviceAccountName),
+		},
+		Subjects: []rbacv1.Subject{
+			{
+				Kind:      "ServiceAccount",
+				Name:      serviceAccountName,
+				Namespace: *namespace,
+			},
+		},
+		RoleRef: rbacv1.RoleRef{
+			Name:     roleName,
+			Kind:     "ClusterRole",
+			APIGroup: rbacv1.GroupName,
+		},
+	}
+}
+
 func createPrometheusRole() *rbacv1.Role {
 	return &rbacv1.Role{
 		TypeMeta: metav1.TypeMeta{
@@ -779,6 +828,8 @@ func main() {
 		templateResources.Add(utils.DefaultLabelSelector(), runtime.RawExtension{Object: createServiceAccount()})
 		templateResources.Add(utils.DefaultLabelSelector(), runtime.RawExtension{Object: createRole()})
 		templateResources.Add(utils.DefaultLabelSelector(), runtime.RawExtension{Object: createRoleBinding()})
+		templateResources.Add(utils.DefaultLabelSelector(), runtime.RawExtension{Object: createClusterRole()})
+		templateResources.Add(utils.DefaultLabelSelector(), runtime.RawExtension{Object: createClusterRoleBinding()})
 		templateResources.Add(utils.DefaultLabelSelector(), runtime.RawExtension{Object: createPrometheusRole()})
 		templateResources.Add(utils.DefaultLabelSelector(), runtime.RawExtension{Object: createPromethusRoleBinding()})
 		templateResources.Add(utils.DefaultLabelSelector(), runtime.RawExtension{Object: createServiceMonitor()})

build/selectorsyncset.yaml

@@ -67,6 +67,31 @@ objects:
       - kind: ServiceAccount
         name: validation-webhook
         namespace: openshift-validation-webhook
+    - apiVersion: rbac.authorization.k8s.io/v1
+      kind: ClusterRole
+      metadata:
+        creationTimestamp: null
+        name: validation-webhook
+      rules:
+      - apiGroups:
+        - imageregistry.operator.openshift.io
+        resources:
+        - configs
+        verbs:
+        - get
+    - apiVersion: rbac.authorization.k8s.io/v1
+      kind: ClusterRoleBinding
+      metadata:
+        creationTimestamp: null
+        name: validation-webhook:validation-webhook
+      roleRef:
+        apiGroup: rbac.authorization.k8s.io
+        kind: ClusterRole
+        name: validation-webhook
+      subjects:
+      - kind: ServiceAccount
+        name: validation-webhook
+        namespace: openshift-validation-webhook
     - apiVersion: rbac.authorization.k8s.io/v1
       kind: Role
       metadata:

config/package/resources.yaml.gotmpl

@@ -269,6 +269,36 @@ webhooks:
   timeoutSeconds: 2
 ---
 apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+  annotations:
+    package-operator.run/phase: webhooks
+    service.beta.openshift.io/inject-cabundle: "false"
+  creationTimestamp: null
+  name: sre-podimagespec-mutation
+webhooks:
+- admissionReviewVersions:
+  - v1
+  clientConfig:
+    caBundle: '{{.config.serviceca | b64enc }}'
+    url: https://validation-webhook.{{.package.metadata.namespace}}.svc.cluster.local/podimagespec-mutation
+  failurePolicy: Ignore
+  matchPolicy: Equivalent
+  name: podimagespec-mutation.managed.openshift.io
+  rules:
+  - apiGroups:
+    - ""
+    apiVersions:
+    - v1
+    operations:
+    - CREATE
+    resources:
+    - pods
+    scope: Namespaced
+  sideEffects: None
+  timeoutSeconds: 2
+---
+apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
   annotations:

go.mod

@@ -16,6 +16,7 @@ require (
 	k8s.io/api v0.26.2
 	k8s.io/apiextensions-apiserver v0.26.1
 	k8s.io/apimachinery v0.26.2
+	k8s.io/client-go v0.26.2
 	k8s.io/klog/v2 v2.110.1
 	k8s.io/utils v0.0.0-20230726121419-3b25d923346b
 	sigs.k8s.io/controller-runtime v0.14.6
@@ -70,7 +71,6 @@ require (
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
-	k8s.io/client-go v0.26.2 // indirect
 	k8s.io/kube-openapi v0.0.0-20221012153701-172d655c2280 // indirect
 	sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
 	sigs.k8s.io/structured-merge-diff/v4 v4.4.1 // indirect

pkg/k8sutil/k8sutil.go

@@ -5,6 +5,9 @@ import (
 	"os"
 	"strings"
 
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/client-go/rest"
+	"sigs.k8s.io/controller-runtime/pkg/client"
 	logf "sigs.k8s.io/controller-runtime/pkg/log"
 )
 
@@ -25,6 +28,22 @@ var (
 	ErrRunLocal     = fmt.Errorf("operator run mode forced to local")
 )
 
+// KubeClient creates a new kubeclient that interacts with the Kube api with the service account secrets
+func KubeClient(s *runtime.Scheme) (client.Client, error) {
+	config, err := rest.InClusterConfig()
+	if err != nil {
+		return nil, err
+	}
+
+	c, err := client.New(config, client.Options{
+		Scheme: s,
+	})
+	if err != nil {
+		return nil, err
+	}
+	return c, nil
+}
+
 func isRunModeLocal() bool {
 	return os.Getenv(ForceRunModeEnv) == string(LocalRunMode)
 }

pkg/webhooks/add_podimagespec.go

@@ -0,0 +1,9 @@
+package webhooks
+
+import (
+	"github.com/openshift/managed-cluster-validating-webhooks/pkg/webhooks/podimagespec"
+)
+
+func init() {
+	Register(podimagespec.WebhookName, func() Webhook { return podimagespec.NewWebhook() })
+}