Blame - metrics-server/vendor/k8s.io/apiserver/pkg/admission/plugin/namespace/lifecycle/admission.go - kubeia

blob: 81c24f6a5a683741c7d49bf75fc4b7cbb01bd14b [file] [log] [blame]

Matthias Andreas Benkard	832a54e	2019-01-29 09:27:38 +0100	[diff] [blame]	1	/*
				2	Copyright 2015 The Kubernetes Authors.
				3
				4	Licensed under the Apache License, Version 2.0 (the "License");
				5	you may not use this file except in compliance with the License.
				6	You may obtain a copy of the License at
				7
				8	http://www.apache.org/licenses/LICENSE-2.0
				9
				10	Unless required by applicable law or agreed to in writing, software
				11	distributed under the License is distributed on an "AS IS" BASIS,
				12	WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
				13	See the License for the specific language governing permissions and
				14	limitations under the License.
				15	*/
				16
				17	package lifecycle
				18
				19	import (
				20	"fmt"
				21	"io"
				22	"time"
				23
				24	"github.com/golang/glog"
				25
				26	"k8s.io/api/core/v1"
				27	"k8s.io/apimachinery/pkg/api/errors"
				28	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
				29	"k8s.io/apimachinery/pkg/runtime/schema"
				30	utilcache "k8s.io/apimachinery/pkg/util/cache"
				31	"k8s.io/apimachinery/pkg/util/clock"
				32	"k8s.io/apimachinery/pkg/util/sets"
				33	"k8s.io/apiserver/pkg/admission"
				34	"k8s.io/apiserver/pkg/admission/initializer"
				35	"k8s.io/client-go/informers"
				36	"k8s.io/client-go/kubernetes"
				37	corelisters "k8s.io/client-go/listers/core/v1"
				38	)
				39
				40	const (
				41	// Name of admission plug-in
				42	PluginName = "NamespaceLifecycle"
				43	// how long a namespace stays in the force live lookup cache before expiration.
				44	forceLiveLookupTTL = 30 * time.Second
				45	// how long to wait for a missing namespace before re-checking the cache (and then doing a live lookup)
				46	// this accomplishes two things:
				47	// 1. It allows a watch-fed cache time to observe a namespace creation event
				48	// 2. It allows time for a namespace creation to distribute to members of a storage cluster,
				49	// so the live lookup has a better chance of succeeding even if it isn't performed against the leader.
				50	missingNamespaceWait = 50 * time.Millisecond
				51	)
				52
				53	// Register registers a plugin
				54	func Register(plugins *admission.Plugins) {
				55	plugins.Register(PluginName, func(config io.Reader) (admission.Interface, error) {
				56	return NewLifecycle(sets.NewString(metav1.NamespaceDefault, metav1.NamespaceSystem, metav1.NamespacePublic))
				57	})
				58	}
				59
				60	// Lifecycle is an implementation of admission.Interface.
				61	// It enforces life-cycle constraints around a Namespace depending on its Phase
				62	type Lifecycle struct {
				63	*admission.Handler
				64	client kubernetes.Interface
				65	immortalNamespaces sets.String
				66	namespaceLister corelisters.NamespaceLister
				67	// forceLiveLookupCache holds a list of entries for namespaces that we have a strong reason to believe are stale in our local cache.
				68	// if a namespace is in this cache, then we will ignore our local state and always fetch latest from api server.
				69	forceLiveLookupCache *utilcache.LRUExpireCache
				70	}
				71
				72	var _ = initializer.WantsExternalKubeInformerFactory(&Lifecycle{})
				73	var _ = initializer.WantsExternalKubeClientSet(&Lifecycle{})
				74
				75	func (l *Lifecycle) Admit(a admission.Attributes) error {
				76	// prevent deletion of immortal namespaces
				77	if a.GetOperation() == admission.Delete && a.GetKind().GroupKind() == v1.SchemeGroupVersion.WithKind("Namespace").GroupKind() && l.immortalNamespaces.Has(a.GetName()) {
				78	return errors.NewForbidden(a.GetResource().GroupResource(), a.GetName(), fmt.Errorf("this namespace may not be deleted"))
				79	}
				80
				81	// always allow non-namespaced resources
				82	if len(a.GetNamespace()) == 0 && a.GetKind().GroupKind() != v1.SchemeGroupVersion.WithKind("Namespace").GroupKind() {
				83	return nil
				84	}
				85
				86	if a.GetKind().GroupKind() == v1.SchemeGroupVersion.WithKind("Namespace").GroupKind() {
				87	// if a namespace is deleted, we want to prevent all further creates into it
				88	// while it is undergoing termination. to reduce incidences where the cache
				89	// is slow to update, we add the namespace into a force live lookup list to ensure
				90	// we are not looking at stale state.
				91	if a.GetOperation() == admission.Delete {
				92	l.forceLiveLookupCache.Add(a.GetName(), true, forceLiveLookupTTL)
				93	}
				94	// allow all operations to namespaces
				95	return nil
				96	}
				97
				98	// always allow deletion of other resources
				99	if a.GetOperation() == admission.Delete {
				100	return nil
				101	}
				102
				103	// always allow access review checks. Returning status about the namespace would be leaking information
				104	if isAccessReview(a) {
				105	return nil
				106	}
				107
				108	// we need to wait for our caches to warm
				109	if !l.WaitForReady() {
				110	return admission.NewForbidden(a, fmt.Errorf("not yet ready to handle request"))
				111	}
				112
				113	var (
				114	exists bool
				115	err error
				116	)
				117
				118	namespace, err := l.namespaceLister.Get(a.GetNamespace())
				119	if err != nil {
				120	if !errors.IsNotFound(err) {
				121	return errors.NewInternalError(err)
				122	}
				123	} else {
				124	exists = true
				125	}
				126
				127	if !exists && a.GetOperation() == admission.Create {
				128	// give the cache time to observe the namespace before rejecting a create.
				129	// this helps when creating a namespace and immediately creating objects within it.
				130	time.Sleep(missingNamespaceWait)
				131	namespace, err = l.namespaceLister.Get(a.GetNamespace())
				132	switch {
				133	case errors.IsNotFound(err):
				134	// no-op
				135	case err != nil:
				136	return errors.NewInternalError(err)
				137	default:
				138	exists = true
				139	}
				140	if exists {
				141	glog.V(4).Infof("found %s in cache after waiting", a.GetNamespace())
				142	}
				143	}
				144
				145	// forceLiveLookup if true will skip looking at local cache state and instead always make a live call to server.
				146	forceLiveLookup := false
				147	if _, ok := l.forceLiveLookupCache.Get(a.GetNamespace()); ok {
				148	// we think the namespace was marked for deletion, but our current local cache says otherwise, we will force a live lookup.
				149	forceLiveLookup = exists && namespace.Status.Phase == v1.NamespaceActive
				150	}
				151
				152	// refuse to operate on non-existent namespaces
				153	if !exists \|\| forceLiveLookup {
				154	// as a last resort, make a call directly to storage
				155	namespace, err = l.client.CoreV1().Namespaces().Get(a.GetNamespace(), metav1.GetOptions{})
				156	switch {
				157	case errors.IsNotFound(err):
				158	return err
				159	case err != nil:
				160	return errors.NewInternalError(err)
				161	}
				162	glog.V(4).Infof("found %s via storage lookup", a.GetNamespace())
				163	}
				164
				165	// ensure that we're not trying to create objects in terminating namespaces
				166	if a.GetOperation() == admission.Create {
				167	if namespace.Status.Phase != v1.NamespaceTerminating {
				168	return nil
				169	}
				170
				171	// TODO: This should probably not be a 403
				172	return admission.NewForbidden(a, fmt.Errorf("unable to create new content in namespace %s because it is being terminated", a.GetNamespace()))
				173	}
				174
				175	return nil
				176	}
				177
				178	// NewLifecycle creates a new namespace Lifecycle admission control handler
				179	func NewLifecycle(immortalNamespaces sets.String) (*Lifecycle, error) {
				180	return newLifecycleWithClock(immortalNamespaces, clock.RealClock{})
				181	}
				182
				183	func newLifecycleWithClock(immortalNamespaces sets.String, clock utilcache.Clock) (*Lifecycle, error) {
				184	forceLiveLookupCache := utilcache.NewLRUExpireCacheWithClock(100, clock)
				185	return &Lifecycle{
				186	Handler: admission.NewHandler(admission.Create, admission.Update, admission.Delete),
				187	immortalNamespaces: immortalNamespaces,
				188	forceLiveLookupCache: forceLiveLookupCache,
				189	}, nil
				190	}
				191
				192	// SetExternalKubeInformerFactory implements the WantsExternalKubeInformerFactory interface.
				193	func (l *Lifecycle) SetExternalKubeInformerFactory(f informers.SharedInformerFactory) {
				194	namespaceInformer := f.Core().V1().Namespaces()
				195	l.namespaceLister = namespaceInformer.Lister()
				196	l.SetReadyFunc(namespaceInformer.Informer().HasSynced)
				197	}
				198
				199	// SetExternalKubeClientSet implements the WantsExternalKubeClientSet interface.
				200	func (l *Lifecycle) SetExternalKubeClientSet(client kubernetes.Interface) {
				201	l.client = client
				202	}
				203
				204	// ValidateInitialization implements the InitializationValidator interface.
				205	func (l *Lifecycle) ValidateInitialization() error {
				206	if l.namespaceLister == nil {
				207	return fmt.Errorf("missing namespaceLister")
				208	}
				209	if l.client == nil {
				210	return fmt.Errorf("missing client")
				211	}
				212	return nil
				213	}
				214
				215	// accessReviewResources are resources which give a view into permissions in a namespace. Users must be allowed to create these
				216	// resources because returning "not found" errors allows someone to search for the "people I'm going to fire in 2017" namespace.
				217	var accessReviewResources = map[schema.GroupResource]bool{
				218	{Group: "authorization.k8s.io", Resource: "localsubjectaccessreviews"}: true,
				219	}
				220
				221	func isAccessReview(a admission.Attributes) bool {
				222	return accessReviewResources[a.GetResource().GroupResource()]
				223	}