Skip to content

K
kubesphere

水淹萌龙 / kubesphere
与 Fork 源项目一致

Fork自 KubeSphere / kubesphere

通知 1
Star 0
Fork 0
K
kubesphere
切换分支/标签
查找文件 普通视图历史永久链接Permalink
webhook.go 6.2 KB
Newer Older
Z
add license header (#2761)  
zryfish 已提交
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 
/*
Copyright 2020 KubeSphere Authors

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

     http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
D
network: support network isolate  
Duan Jiong 已提交
17 18 19 20 21 
package nsnetworkpolicy

import (
	"context"
	corev1 "k8s.io/api/core/v1"
D
fix nsnp webhook to validate all fileds in it  
Duan Jiong 已提交
22 23 24 25 26 27 28 29 
	k8snet "k8s.io/api/networking/v1"
	"k8s.io/apimachinery/pkg/util/intstr"
	"k8s.io/apimachinery/pkg/util/validation"
	"k8s.io/apimachinery/pkg/util/validation/field"
	networkv1alpha1 "kubesphere.io/kubesphere/pkg/apis/network/v1alpha1"
	"net"
	"net/http"
	"sigs.k8s.io/controller-runtime/pkg/client"
D
network: support network isolate  
Duan Jiong 已提交
30 31 32 
	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
)
D
fix nsnp webhook to validate all fileds in it  
Duan Jiong 已提交
33 34 
type NSNPValidator struct {
	Client  client.Client
D
network: support network isolate  
Duan Jiong 已提交
35 36 37 
	decoder *admission.Decoder
}
D
fix nsnp webhook to validate all fileds in it  
Duan Jiong 已提交
38 39 
func (v *NSNPValidator) Handle(ctx context.Context, req admission.Request) admission.Response {
	nsnp := &networkv1alpha1.NamespaceNetworkPolicy{}
D
network: support network isolate  
Duan Jiong 已提交
40
D
fix nsnp webhook to validate all fileds in it  
Duan Jiong 已提交
41 
	err := v.decoder.Decode(req, nsnp)
D
network: support network isolate  
Duan Jiong 已提交
42 43 44 45 
	if err != nil {
		return admission.Errored(http.StatusBadRequest, err)
	}
D
fix nsnp webhook to validate all fileds in it  
Duan Jiong 已提交
46 47 48 49 50 
	allErrs := field.ErrorList{}
	allErrs = append(allErrs, v.ValidateNSNPSpec(&nsnp.Spec, field.NewPath("spec"))...)

	if len(allErrs) != 0 {
		return admission.Denied(allErrs.ToAggregate().Error())
D
network: support network isolate  
Duan Jiong 已提交
51 52 53 54 55 
	}

	return admission.Allowed("")
}
D
fix nsnp webhook to validate all fileds in it  
Duan Jiong 已提交
56 57 
func (v *NSNPValidator) InjectDecoder(d *admission.Decoder) error {
	v.decoder = d
D
network: support network isolate  
Duan Jiong 已提交
58 59 
	return nil
}
D
fix nsnp webhook to validate all fileds in it  
Duan Jiong 已提交
60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 

// ValidateNetworkPolicyPort validates a NetworkPolicyPort
func (v *NSNPValidator) ValidateNetworkPolicyPort(port *k8snet.NetworkPolicyPort, portPath *field.Path) field.ErrorList {
	allErrs := field.ErrorList{}
	if port.Protocol != nil && *port.Protocol != corev1.ProtocolTCP && *port.Protocol != corev1.ProtocolUDP && *port.Protocol != corev1.ProtocolSCTP {
		allErrs = append(allErrs, field.NotSupported(portPath.Child("protocol"), *port.Protocol, []string{string(corev1.ProtocolTCP), string(corev1.ProtocolUDP), string(corev1.ProtocolSCTP)}))
	}
	if port.Port != nil {
		if port.Port.Type == intstr.Int {
			for _, msg := range validation.IsValidPortNum(int(port.Port.IntVal)) {
				allErrs = append(allErrs, field.Invalid(portPath.Child("port"), port.Port.IntVal, msg))
			}
		} else {
			for _, msg := range validation.IsValidPortName(port.Port.StrVal) {
				allErrs = append(allErrs, field.Invalid(portPath.Child("port"), port.Port.StrVal, msg))
			}
		}
	}

	return allErrs
}

func (v *NSNPValidator) ValidateServiceSelector(serviceSelector *networkv1alpha1.ServiceSelector, fldPath *field.Path) field.ErrorList {
	service := &corev1.Service{}
	allErrs := field.ErrorList{}

	err := v.Client.Get(context.TODO(), client.ObjectKey{Namespace: serviceSelector.Namespace, Name: serviceSelector.Name}, service)
	if err != nil {
		allErrs = append(allErrs, field.Invalid(fldPath, serviceSelector, "cannot get service"))
		return allErrs
	}

	if len(service.Spec.Selector) <= 0 {
		allErrs = append(allErrs, field.Invalid(fldPath, serviceSelector, "service should have selector"))
	}

	return allErrs
}

// ValidateCIDR validates whether a CIDR matches the conventions expected by net.ParseCIDR
func ValidateCIDR(cidr string) (*net.IPNet, error) {
	_, net, err := net.ParseCIDR(cidr)
	if err != nil {
		return nil, err
	}
	return net, nil
}

// ValidateIPBlock validates a cidr and the except fields of an IpBlock NetworkPolicyPeer
func (v *NSNPValidator) ValidateIPBlock(ipb *k8snet.IPBlock, fldPath *field.Path) field.ErrorList {
	allErrs := field.ErrorList{}
	if len(ipb.CIDR) == 0 || ipb.CIDR == "" {
		allErrs = append(allErrs, field.Required(fldPath.Child("cidr"), ""))
		return allErrs
	}
	cidrIPNet, err := ValidateCIDR(ipb.CIDR)
	if err != nil {
		allErrs = append(allErrs, field.Invalid(fldPath.Child("cidr"), ipb.CIDR, "not a valid CIDR"))
		return allErrs
	}
	exceptCIDR := ipb.Except
	for i, exceptIP := range exceptCIDR {
		exceptPath := fldPath.Child("except").Index(i)
		exceptCIDR, err := ValidateCIDR(exceptIP)
		if err != nil {
			allErrs = append(allErrs, field.Invalid(exceptPath, exceptIP, "not a valid CIDR"))
			return allErrs
		}
		if !cidrIPNet.Contains(exceptCIDR.IP) {
			allErrs = append(allErrs, field.Invalid(exceptPath, exceptCIDR.IP, "not within CIDR range"))
		}
	}
	return allErrs
}

// ValidateNSNPPeer validates a NetworkPolicyPeer
func (v *NSNPValidator) ValidateNSNPPeer(peer *networkv1alpha1.NetworkPolicyPeer, peerPath *field.Path) field.ErrorList {
	allErrs := field.ErrorList{}
	numPeers := 0

	if peer.ServiceSelector != nil {
		numPeers++
		allErrs = append(allErrs, v.ValidateServiceSelector(peer.ServiceSelector, peerPath.Child("service"))...)
	}
	if peer.NamespaceSelector != nil {
		numPeers++
	}
	if peer.IPBlock != nil {
		numPeers++
		allErrs = append(allErrs, v.ValidateIPBlock(peer.IPBlock, peerPath.Child("ipBlock"))...)
	}

	if numPeers == 0 {
		allErrs = append(allErrs, field.Required(peerPath, "must specify a peer"))
	} else if numPeers > 1 && peer.IPBlock != nil {
		allErrs = append(allErrs, field.Forbidden(peerPath, "may not specify both ipBlock and another peer"))
	}

	return allErrs
}

func (v *NSNPValidator) ValidateNSNPSpec(spec *networkv1alpha1.NamespaceNetworkPolicySpec, fldPath *field.Path) field.ErrorList {
	allErrs := field.ErrorList{}

	// Validate ingress rules.
	for i, ingress := range spec.Ingress {
		ingressPath := fldPath.Child("ingress").Index(i)
		for i, port := range ingress.Ports {
			portPath := ingressPath.Child("ports").Index(i)
			allErrs = append(allErrs, v.ValidateNetworkPolicyPort(&port, portPath)...)
		}
		for i, from := range ingress.From {
			fromPath := ingressPath.Child("from").Index(i)
			allErrs = append(allErrs, v.ValidateNSNPPeer(&from, fromPath)...)
		}
	}
	// Validate egress rules
	for i, egress := range spec.Egress {
		egressPath := fldPath.Child("egress").Index(i)
		for i, port := range egress.Ports {
			portPath := egressPath.Child("ports").Index(i)
			allErrs = append(allErrs, v.ValidateNetworkPolicyPort(&port, portPath)...)
		}
		for i, to := range egress.To {
			toPath := egressPath.Child("to").Index(i)
			allErrs = append(allErrs, v.ValidateNSNPPeer(&to, toPath)...)
		}
	}

	return allErrs
}