Merge pull request #14 from StrongMonkey/add-fleet-mutating-webhook

Add fleet mutating webhook
rancher · Nov 23, 2020 · 7956e6a · 7956e6a
2 parents e3995eb + 938754f
commit 7956e6a
Show file tree

Hide file tree

Showing 23 changed files with 796 additions and 584 deletions.
diff --git a/go.mod b/go.mod
@@ -28,11 +28,11 @@ replace (
 )
 
 require (
-	github.com/rancher/dynamiclistener v0.2.1-0.20200910203214-85f32491cb09
+	github.com/gorilla/mux v1.7.3
+	github.com/rancher/dynamiclistener v0.2.1-0.20201110045217-9b1b7d3132e8
 	github.com/rancher/lasso v0.0.0-20200905045615-7fcb07d6a20b
 	github.com/rancher/rancher/pkg/apis v0.0.0-20200910005616-198ec5bdf52d
-	github.com/rancher/wrangler v0.7.3-0.20201004050240-264809ad4ab9
-	github.com/rancher/wrangler-api v0.6.1-0.20200427172631-a7c2f09b783e
+	github.com/rancher/wrangler v0.7.3-0.20201113175531-e43374b2929a
 	github.com/sirupsen/logrus v1.6.0
 	k8s.io/api v0.19.0
 	k8s.io/apimachinery v0.19.0

diff --git a/go.sum b/go.sum
@@ -303,6 +303,7 @@ github.com/gophercloud/gophercloud v0.1.0/go.mod h1:vxM41WHh5uqHVBMZHzuwNOHh8XEo
 github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1/go.mod h1:wJfORRmW1u3UXTncJ5qlYoELFm8eSnnEO6hX4iZ3EWY=
 github.com/gopherjs/gopherjs v0.0.0-20191106031601-ce3c9ade29de/go.mod h1:wJfORRmW1u3UXTncJ5qlYoELFm8eSnnEO6hX4iZ3EWY=
 github.com/gorilla/context v1.1.1/go.mod h1:kBGZzfjB9CEq2AlWe17Uuf7NDRt0dE0s8S51q0aT7Yg=
+github.com/gorilla/mux v1.7.3 h1:gnP5JzjVOuiZD07fKKToCAOjS0yOpj/qPETTXCCS6hw=
 github.com/gorilla/mux v1.7.3/go.mod h1:1lud6UwP+6orDFRuTfBEV8e9/aOM/c4fVVCaMa2zaAs=
 github.com/gorilla/websocket v0.0.0-20170926233335-4201258b820c/go.mod h1:E7qHFY5m1UJ88s3WnNqhKjPHQ0heANvMoAMk2YaljkQ=
 github.com/gorilla/websocket v1.4.0/go.mod h1:E7qHFY5m1UJ88s3WnNqhKjPHQ0heANvMoAMk2YaljkQ=
@@ -508,14 +509,13 @@ github.com/rancher/apimachinery v0.19.0-rancher1 h1:8eD7WxSeGk6UmvQptygPJ59jhRXo
 github.com/rancher/apimachinery v0.19.0-rancher1/go.mod h1:DnPGDnARWFvYa3pMHgSxtbZb7gpzzAZ1pTfaUNDVlmA=
 github.com/rancher/client-go v1.19.0-rancher.1 h1:O6NXYfWsavvTgSQP5/xchVjxG+34hWWMVp31fF+91C8=
 github.com/rancher/client-go v1.19.0-rancher.1/go.mod h1:H9E/VT95blcFQnlyShFgnFT9ZnJOAceiUHM3MlRC+mU=
-github.com/rancher/dynamiclistener v0.2.1-0.20200910203214-85f32491cb09 h1:Rh+7vXWJF/bA5ZLtUEBbOQX/wBQ9cFvtUoMOJXrJqVY=
-github.com/rancher/dynamiclistener v0.2.1-0.20200910203214-85f32491cb09/go.mod h1:qr0QfhwzcVCR+Ao9WyfnE+jmOpfEAdRhXtNOZGJ3nCQ=
+github.com/rancher/dynamiclistener v0.2.1-0.20201110045217-9b1b7d3132e8 h1:B4dt8sHPyt+hzYzFoWtKWTppls0KzSu2jEIV2jyY4sY=
+github.com/rancher/dynamiclistener v0.2.1-0.20201110045217-9b1b7d3132e8/go.mod h1:qr0QfhwzcVCR+Ao9WyfnE+jmOpfEAdRhXtNOZGJ3nCQ=
 github.com/rancher/eks-operator v0.1.0-rc22 h1:wPX+aP/kJ3q9wA7qiZ8jEDbRZ6PV6cWnodemKbWXmcw=
 github.com/rancher/eks-operator v0.1.0-rc22/go.mod h1:TrTF54+K2X6QLhVFspIfawYcPnVNLSIBrgCvpE1BiqM=
 github.com/rancher/lasso v0.0.0-20200427171700-e0509f89f319/go.mod h1:6Dw19z1lDIpL887eelVjyqH/mna1hfR61ddCFOG78lw=
 github.com/rancher/lasso v0.0.0-20200513231433-d0ce66327a25/go.mod h1:6Dw19z1lDIpL887eelVjyqH/mna1hfR61ddCFOG78lw=
 github.com/rancher/lasso v0.0.0-20200515155337-a34e1e26ad91/go.mod h1:G6Vv2aj6xB2YjTVagmu4NkhBvbE8nBcGykHRENH6arI=
-github.com/rancher/lasso v0.0.0-20200820172840-0e4cc0ef5cb0 h1:ng7i8n0kzTGnXyvVK+nkb+sLm06BBNdsbd2aqJAP3lM=
 github.com/rancher/lasso v0.0.0-20200820172840-0e4cc0ef5cb0/go.mod h1:OhBBBO1pBwYp0hacWdnvSGOj+XE9yMLOLnaypIlic18=
 github.com/rancher/lasso v0.0.0-20200905045615-7fcb07d6a20b h1:DQLpu44dsR+2qYvg1wyYadk108MWMHUOqvb2z4274Vs=
 github.com/rancher/lasso v0.0.0-20200905045615-7fcb07d6a20b/go.mod h1:OhBBBO1pBwYp0hacWdnvSGOj+XE9yMLOLnaypIlic18=
@@ -530,12 +530,8 @@ github.com/rancher/wrangler v0.6.2-0.20200427172034-da9b142ae061/go.mod h1:n5Du/
 github.com/rancher/wrangler v0.6.2-0.20200515155908-1923f3f8ec3f/go.mod h1:NmtmlLkchboIksYJuBemwcP4RBfv8FpeyhVoWXB9Wdc=
 github.com/rancher/wrangler v0.6.2-0.20200714200521-c61fae623942/go.mod h1:8LdIqAQPHysxNlHqmKbUiDIx9ULt9IHUauh9aOnr67k=
 github.com/rancher/wrangler v0.6.2-0.20200820173016-2068de651106/go.mod h1:iKqQcYs4YSDjsme52OZtQU4jHPmLlIiM93aj2c8c/W8=
-github.com/rancher/wrangler v0.6.2-0.20200909050541-7465f10bdac7 h1:gtMTBRZjOHwhEtQytyh9ku9DaF4m0Aumh6Xw9hG4DRI=
-github.com/rancher/wrangler v0.6.2-0.20200909050541-7465f10bdac7/go.mod h1:I7qe4DZNMOLKVa9ax7DJdBZ0XtKOppLF/dalhPX3vaE=
-github.com/rancher/wrangler v0.7.2 h1:GlUIFKO26qq1ICMf1CjAGBr2uP52GQX3E0E69zkW88Q=
-github.com/rancher/wrangler v0.7.2/go.mod h1:goezjesEKwMxHLfltdjg9DW0xWV7txQee6vOuSDqXAI=
-github.com/rancher/wrangler v0.7.3-0.20201004050240-264809ad4ab9 h1:JvayfYhLqUHoh+U0QalrjLE0V4Os8JusJW9MVCoeHiM=
-github.com/rancher/wrangler v0.7.3-0.20201004050240-264809ad4ab9/go.mod h1:goezjesEKwMxHLfltdjg9DW0xWV7txQee6vOuSDqXAI=
+github.com/rancher/wrangler v0.7.3-0.20201113175531-e43374b2929a h1:mlxEam9x6k4dS7pUytXKYwjeMf1qOmAOm2kOOcBZicI=
+github.com/rancher/wrangler v0.7.3-0.20201113175531-e43374b2929a/go.mod h1:goezjesEKwMxHLfltdjg9DW0xWV7txQee6vOuSDqXAI=
 github.com/rancher/wrangler-api v0.6.1-0.20200427172631-a7c2f09b783e h1:UJpGtw6IKs0dHPTF+6Wd12lskeCZZAejl8/ie/fc1+0=
 github.com/rancher/wrangler-api v0.6.1-0.20200427172631-a7c2f09b783e/go.mod h1:2lcWR98q8HU3U4mVETnXc8quNG0uXxrt8vKd6cAa/30=
 github.com/remyoudompheng/bigfft v0.0.0-20170806203942-52369c62f446/go.mod h1:uYEyJGbgTkfkS4+E/PavXkNJcbFIpEtjt2B0KDQ5+9M=
@@ -919,6 +915,7 @@ honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWh
 honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg=
 k8s.io/api v0.19.0 h1:XyrFIJqTYZJ2DU7FBE/bSPz7b1HvbVBuBf07oeo6eTc=
 k8s.io/api v0.19.0/go.mod h1:I1K45XlvTrDjmj5LoM5LuP/KYrhWbjUKT/SoPG0qTjw=
+k8s.io/apiextensions-apiserver v0.19.0 h1:jlY13lvZp+0p9fRX2khHFdiT9PYzT7zUrANz6R1NKtY=
 k8s.io/apiextensions-apiserver v0.19.0/go.mod h1:znfQxNpjqz/ZehvbfMg5N6fvBJW5Lqu5HVLTJQdP4Fs=
 k8s.io/apiserver v0.19.0 h1:jLhrL06wGAADbLUUQm8glSLnAGP6c7y5R3p19grkBoY=
 k8s.io/apiserver v0.19.0/go.mod h1:XvzqavYj73931x7FLtyagh8WibHpePJ1QwWrSJs2CLk=
@@ -942,6 +939,7 @@ k8s.io/klog v1.0.0/go.mod h1:4Bi6QPql/J/LkTDqv7R/cd3hPo4k2DG6Ptcz060Ez5I=
 k8s.io/klog/v2 v2.0.0/go.mod h1:PBfzABfn139FHAV07az/IF9Wp1bkk3vpT2XSJ76fSDE=
 k8s.io/klog/v2 v2.2.0 h1:XRvcwJozkgZ1UQJmfMGpvRthQHOvihEhYtDfAaxMz/A=
 k8s.io/klog/v2 v2.2.0/go.mod h1:Od+F08eJP+W3HUb4pSrPpgp9DGU4GzlpG/TmITuYh/Y=
+k8s.io/kube-aggregator v0.19.0 h1:rL4fsftMaqkKjaibArYDaBeqN41CHaJzgRJjUB9IrIg=
 k8s.io/kube-aggregator v0.19.0/go.mod h1:1Ln45PQggFAG8xOqWPIYMxUq8WNtpPnYsbUJ39DpF/A=
 k8s.io/kube-controller-manager v0.19.0/go.mod h1:uGZyiHK73NxNEN5EZv/Esm3fbCOzeq4ndttMexVZ1L0=
 k8s.io/kube-openapi v0.0.0-20200805222855-6aeccd4b50c6 h1:+WnxoVtG8TMiudHBSEtrVL1egv36TkkJm+bA8AxicmQ=

diff --git a/main.go b/main.go
@@ -6,7 +6,8 @@ import (
 	"context"
 	"os"
 
-	"github.com/rancher/webhook/pkg/admission"
+	"github.com/rancher/webhook/pkg/server"
+	_ "github.com/rancher/wrangler/pkg/generated/controllers/admissionregistration.k8s.io"
 	"github.com/rancher/wrangler/pkg/kubeconfig"
 	"github.com/rancher/wrangler/pkg/ratelimit"
 	"github.com/rancher/wrangler/pkg/signals"
@@ -28,7 +29,7 @@ func run() error {
 	cfg.RateLimiter = ratelimit.None
 
 	ctx := signals.SetupSignalHandler(context.Background())
-	if err := admission.ListenAndServe(ctx, cfg); err != nil {
+	if err := server.ListenAndServe(ctx, cfg); err != nil {
 		return err
 	}
 

diff --git a/pkg/admission/validation.go b/pkg/admission/validation.go
diff --git a/pkg/auth/escalation.go b/pkg/auth/escalation.go
@@ -6,8 +6,9 @@ import (
 
 	rancherv3 "github.com/rancher/rancher/pkg/apis/management.cattle.io/v3"
 	v3 "github.com/rancher/webhook/pkg/generated/controllers/management.cattle.io/v3"
-	k8srbacv1 "github.com/rancher/webhook/pkg/generated/controllers/rbac.authorization.k8s.io/v1"
+	k8srbacv1 "github.com/rancher/wrangler/pkg/generated/controllers/rbac/v1"
 	"github.com/rancher/wrangler/pkg/webhook"
+	authenticationv1 "k8s.io/api/authentication/v1"
 	rbacv1 "k8s.io/api/rbac/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apiserver/pkg/authentication/user"
@@ -30,14 +31,14 @@ type EscalationChecker struct {
 	ruleSolver    validation.AuthorizationRuleResolver
 }
 
-// confirmNoEscalation checks that the user attempting to create a binding/role has all the permissions they are attempting
+// ConfirmNoEscalation checks that the user attempting to create a binding/role has all the permissions they are attempting
 // to grant
-func (ec *EscalationChecker) confirmNoEscalation(response *webhook.Response, request *webhook.Request, rules []rbacv1.PolicyRule, namespace string) error {
+func (ec *EscalationChecker) ConfirmNoEscalation(response *webhook.Response, request *webhook.Request, rules []rbacv1.PolicyRule, namespace string) error {
 	userInfo := &user.DefaultInfo{
 		Name:   request.UserInfo.Username,
 		UID:    request.UserInfo.UID,
 		Groups: request.UserInfo.Groups,
-		Extra:  toExtraString(request.UserInfo.Extra),
+		Extra:  ToExtraString(request.UserInfo.Extra),
 	}
 
 	globaleCtx := k8srequest.WithNamespace(k8srequest.WithUser(context.Background(), userInfo), namespace)
@@ -55,8 +56,8 @@ func (ec *EscalationChecker) confirmNoEscalation(response *webhook.Response, req
 	return nil
 }
 
-// rulesFromTemplate gets all rules from the template and all referenced templates
-func (ec *EscalationChecker) rulesFromTemplate(rt *rancherv3.RoleTemplate) ([]rbacv1.PolicyRule, error) {
+// RulesFromTemplate gets all rules from the template and all referenced templates
+func (ec *EscalationChecker) RulesFromTemplate(rt *rancherv3.RoleTemplate) ([]rbacv1.PolicyRule, error) {
 	var rules []rbacv1.PolicyRule
 	var err error
 	templatesSeen := make(map[string]bool)
@@ -99,3 +100,11 @@ func (ec *EscalationChecker) gatherRules(rt *rancherv3.RoleTemplate, rules []rba
 	}
 	return rules, nil
 }
+
+func ToExtraString(extra map[string]authenticationv1.ExtraValue) map[string][]string {
+	result := make(map[string][]string)
+	for k, v := range extra {
+		result[k] = v
+	}
+	return result
+}
diff --git a/pkg/authentication/rolegetter.go → pkg/auth/rolegetter.go b/pkg/authentication/rolegetter.go → pkg/auth/rolegetter.go
@@ -1,7 +1,7 @@
-package authentication
+package auth
 
 import (
-	wranglerv1 "github.com/rancher/wrangler-api/pkg/generated/controllers/rbac/v1"
+	wranglerv1 "github.com/rancher/wrangler/pkg/generated/controllers/rbac/v1"
 	rbacv1 "k8s.io/api/rbac/v1"
 	"k8s.io/apimachinery/pkg/labels"
 )

diff --git a/pkg/clients/clients.go b/pkg/clients/clients.go
@@ -0,0 +1,58 @@
+package clients
+
+import (
+	"context"
+
+	"github.com/rancher/webhook/pkg/auth"
+	"github.com/rancher/webhook/pkg/generated/controllers/management.cattle.io"
+	managementv3 "github.com/rancher/webhook/pkg/generated/controllers/management.cattle.io/v3"
+	"github.com/rancher/wrangler/pkg/clients"
+	"github.com/rancher/wrangler/pkg/schemes"
+	v1 "k8s.io/api/admissionregistration/v1"
+	"k8s.io/client-go/rest"
+	rbacregistryvalidation "k8s.io/kubernetes/pkg/registry/rbac/validation"
+)
+
+type Clients struct {
+	clients.Clients
+
+	Management        managementv3.Interface
+	EscalationChecker *auth.EscalationChecker
+}
+
+func New(ctx context.Context, rest *rest.Config) (*Clients, error) {
+	clients, err := clients.NewFromConfig(rest, nil)
+	if err != nil {
+		return nil, err
+	}
+
+	if err := schemes.Register(v1.AddToScheme); err != nil {
+		return nil, err
+	}
+
+	mgmt, err := management.NewFactoryFromConfigWithOptions(rest, clients.FactoryOptions)
+	if err != nil {
+		return nil, err
+	}
+
+	if err = mgmt.Start(ctx, 5); err != nil {
+		return nil, err
+	}
+
+	rbacRestGetter := auth.RBACRestGetter{
+		Roles:               clients.RBAC.Role().Cache(),
+		RoleBindings:        clients.RBAC.RoleBinding().Cache(),
+		ClusterRoles:        clients.RBAC.ClusterRole().Cache(),
+		ClusterRoleBindings: clients.RBAC.ClusterRoleBinding().Cache(),
+	}
+
+	ruleResolver := rbacregistryvalidation.NewDefaultRuleResolver(rbacRestGetter, rbacRestGetter, rbacRestGetter, rbacRestGetter)
+	escalationChecker := auth.NewEscalationChecker(ruleResolver,
+		mgmt.Management().V3().RoleTemplate().Cache(), clients.RBAC.ClusterRole().Cache())
+
+	return &Clients{
+		Clients:           *clients,
+		Management:        mgmt.Management().V3(),
+		EscalationChecker: escalationChecker,
+	}, nil
+}
diff --git a/pkg/codegen/main.go b/pkg/codegen/main.go
@@ -6,7 +6,6 @@ import (
 	v3 "github.com/rancher/rancher/pkg/apis/management.cattle.io/v3"
 	controllergen "github.com/rancher/wrangler/pkg/controller-gen"
 	"github.com/rancher/wrangler/pkg/controller-gen/args"
-	v1 "k8s.io/api/rbac/v1"
 )
 
 func main() {
@@ -17,15 +16,11 @@ func main() {
 		Groups: map[string]args.Group{
 			"management.cattle.io": {
 				Types: []interface{}{
+					v3.Cluster{},
 					v3.GlobalRole{},
 					v3.RoleTemplate{},
 				},
 			},
-			"rbac.authorization.k8s.io": {
-				Types: []interface{}{
-					v1.ClusterRole{},
-				},
-			},
 		},
 	})
 }