Matthias Andreas Benkard | 832a54e | 2019-01-29 09:27:38 +0100 | [diff] [blame] | 1 | /* |
| 2 | Copyright 2015 The Kubernetes Authors. |
| 3 | |
| 4 | Licensed under the Apache License, Version 2.0 (the "License"); |
| 5 | you may not use this file except in compliance with the License. |
| 6 | You may obtain a copy of the License at |
| 7 | |
| 8 | http://www.apache.org/licenses/LICENSE-2.0 |
| 9 | |
| 10 | Unless required by applicable law or agreed to in writing, software |
| 11 | distributed under the License is distributed on an "AS IS" BASIS, |
| 12 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| 13 | See the License for the specific language governing permissions and |
| 14 | limitations under the License. |
| 15 | */ |
| 16 | |
| 17 | package lifecycle |
| 18 | |
| 19 | import ( |
| 20 | "fmt" |
| 21 | "io" |
| 22 | "time" |
| 23 | |
| 24 | "github.com/golang/glog" |
| 25 | |
| 26 | "k8s.io/api/core/v1" |
| 27 | "k8s.io/apimachinery/pkg/api/errors" |
| 28 | metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" |
| 29 | "k8s.io/apimachinery/pkg/runtime/schema" |
| 30 | utilcache "k8s.io/apimachinery/pkg/util/cache" |
| 31 | "k8s.io/apimachinery/pkg/util/clock" |
| 32 | "k8s.io/apimachinery/pkg/util/sets" |
| 33 | "k8s.io/apiserver/pkg/admission" |
| 34 | "k8s.io/apiserver/pkg/admission/initializer" |
| 35 | "k8s.io/client-go/informers" |
| 36 | "k8s.io/client-go/kubernetes" |
| 37 | corelisters "k8s.io/client-go/listers/core/v1" |
| 38 | ) |
| 39 | |
| 40 | const ( |
| 41 | // Name of admission plug-in |
| 42 | PluginName = "NamespaceLifecycle" |
| 43 | // how long a namespace stays in the force live lookup cache before expiration. |
| 44 | forceLiveLookupTTL = 30 * time.Second |
| 45 | // how long to wait for a missing namespace before re-checking the cache (and then doing a live lookup) |
| 46 | // this accomplishes two things: |
| 47 | // 1. It allows a watch-fed cache time to observe a namespace creation event |
| 48 | // 2. It allows time for a namespace creation to distribute to members of a storage cluster, |
| 49 | // so the live lookup has a better chance of succeeding even if it isn't performed against the leader. |
| 50 | missingNamespaceWait = 50 * time.Millisecond |
| 51 | ) |
| 52 | |
| 53 | // Register registers a plugin |
| 54 | func Register(plugins *admission.Plugins) { |
| 55 | plugins.Register(PluginName, func(config io.Reader) (admission.Interface, error) { |
| 56 | return NewLifecycle(sets.NewString(metav1.NamespaceDefault, metav1.NamespaceSystem, metav1.NamespacePublic)) |
| 57 | }) |
| 58 | } |
| 59 | |
| 60 | // Lifecycle is an implementation of admission.Interface. |
| 61 | // It enforces life-cycle constraints around a Namespace depending on its Phase |
| 62 | type Lifecycle struct { |
| 63 | *admission.Handler |
| 64 | client kubernetes.Interface |
| 65 | immortalNamespaces sets.String |
| 66 | namespaceLister corelisters.NamespaceLister |
| 67 | // forceLiveLookupCache holds a list of entries for namespaces that we have a strong reason to believe are stale in our local cache. |
| 68 | // if a namespace is in this cache, then we will ignore our local state and always fetch latest from api server. |
| 69 | forceLiveLookupCache *utilcache.LRUExpireCache |
| 70 | } |
| 71 | |
| 72 | var _ = initializer.WantsExternalKubeInformerFactory(&Lifecycle{}) |
| 73 | var _ = initializer.WantsExternalKubeClientSet(&Lifecycle{}) |
| 74 | |
| 75 | func (l *Lifecycle) Admit(a admission.Attributes) error { |
| 76 | // prevent deletion of immortal namespaces |
| 77 | if a.GetOperation() == admission.Delete && a.GetKind().GroupKind() == v1.SchemeGroupVersion.WithKind("Namespace").GroupKind() && l.immortalNamespaces.Has(a.GetName()) { |
| 78 | return errors.NewForbidden(a.GetResource().GroupResource(), a.GetName(), fmt.Errorf("this namespace may not be deleted")) |
| 79 | } |
| 80 | |
| 81 | // always allow non-namespaced resources |
| 82 | if len(a.GetNamespace()) == 0 && a.GetKind().GroupKind() != v1.SchemeGroupVersion.WithKind("Namespace").GroupKind() { |
| 83 | return nil |
| 84 | } |
| 85 | |
| 86 | if a.GetKind().GroupKind() == v1.SchemeGroupVersion.WithKind("Namespace").GroupKind() { |
| 87 | // if a namespace is deleted, we want to prevent all further creates into it |
| 88 | // while it is undergoing termination. to reduce incidences where the cache |
| 89 | // is slow to update, we add the namespace into a force live lookup list to ensure |
| 90 | // we are not looking at stale state. |
| 91 | if a.GetOperation() == admission.Delete { |
| 92 | l.forceLiveLookupCache.Add(a.GetName(), true, forceLiveLookupTTL) |
| 93 | } |
| 94 | // allow all operations to namespaces |
| 95 | return nil |
| 96 | } |
| 97 | |
| 98 | // always allow deletion of other resources |
| 99 | if a.GetOperation() == admission.Delete { |
| 100 | return nil |
| 101 | } |
| 102 | |
| 103 | // always allow access review checks. Returning status about the namespace would be leaking information |
| 104 | if isAccessReview(a) { |
| 105 | return nil |
| 106 | } |
| 107 | |
| 108 | // we need to wait for our caches to warm |
| 109 | if !l.WaitForReady() { |
| 110 | return admission.NewForbidden(a, fmt.Errorf("not yet ready to handle request")) |
| 111 | } |
| 112 | |
| 113 | var ( |
| 114 | exists bool |
| 115 | err error |
| 116 | ) |
| 117 | |
| 118 | namespace, err := l.namespaceLister.Get(a.GetNamespace()) |
| 119 | if err != nil { |
| 120 | if !errors.IsNotFound(err) { |
| 121 | return errors.NewInternalError(err) |
| 122 | } |
| 123 | } else { |
| 124 | exists = true |
| 125 | } |
| 126 | |
| 127 | if !exists && a.GetOperation() == admission.Create { |
| 128 | // give the cache time to observe the namespace before rejecting a create. |
| 129 | // this helps when creating a namespace and immediately creating objects within it. |
| 130 | time.Sleep(missingNamespaceWait) |
| 131 | namespace, err = l.namespaceLister.Get(a.GetNamespace()) |
| 132 | switch { |
| 133 | case errors.IsNotFound(err): |
| 134 | // no-op |
| 135 | case err != nil: |
| 136 | return errors.NewInternalError(err) |
| 137 | default: |
| 138 | exists = true |
| 139 | } |
| 140 | if exists { |
| 141 | glog.V(4).Infof("found %s in cache after waiting", a.GetNamespace()) |
| 142 | } |
| 143 | } |
| 144 | |
| 145 | // forceLiveLookup if true will skip looking at local cache state and instead always make a live call to server. |
| 146 | forceLiveLookup := false |
| 147 | if _, ok := l.forceLiveLookupCache.Get(a.GetNamespace()); ok { |
| 148 | // we think the namespace was marked for deletion, but our current local cache says otherwise, we will force a live lookup. |
| 149 | forceLiveLookup = exists && namespace.Status.Phase == v1.NamespaceActive |
| 150 | } |
| 151 | |
| 152 | // refuse to operate on non-existent namespaces |
| 153 | if !exists || forceLiveLookup { |
| 154 | // as a last resort, make a call directly to storage |
| 155 | namespace, err = l.client.CoreV1().Namespaces().Get(a.GetNamespace(), metav1.GetOptions{}) |
| 156 | switch { |
| 157 | case errors.IsNotFound(err): |
| 158 | return err |
| 159 | case err != nil: |
| 160 | return errors.NewInternalError(err) |
| 161 | } |
| 162 | glog.V(4).Infof("found %s via storage lookup", a.GetNamespace()) |
| 163 | } |
| 164 | |
| 165 | // ensure that we're not trying to create objects in terminating namespaces |
| 166 | if a.GetOperation() == admission.Create { |
| 167 | if namespace.Status.Phase != v1.NamespaceTerminating { |
| 168 | return nil |
| 169 | } |
| 170 | |
| 171 | // TODO: This should probably not be a 403 |
| 172 | return admission.NewForbidden(a, fmt.Errorf("unable to create new content in namespace %s because it is being terminated", a.GetNamespace())) |
| 173 | } |
| 174 | |
| 175 | return nil |
| 176 | } |
| 177 | |
| 178 | // NewLifecycle creates a new namespace Lifecycle admission control handler |
| 179 | func NewLifecycle(immortalNamespaces sets.String) (*Lifecycle, error) { |
| 180 | return newLifecycleWithClock(immortalNamespaces, clock.RealClock{}) |
| 181 | } |
| 182 | |
| 183 | func newLifecycleWithClock(immortalNamespaces sets.String, clock utilcache.Clock) (*Lifecycle, error) { |
| 184 | forceLiveLookupCache := utilcache.NewLRUExpireCacheWithClock(100, clock) |
| 185 | return &Lifecycle{ |
| 186 | Handler: admission.NewHandler(admission.Create, admission.Update, admission.Delete), |
| 187 | immortalNamespaces: immortalNamespaces, |
| 188 | forceLiveLookupCache: forceLiveLookupCache, |
| 189 | }, nil |
| 190 | } |
| 191 | |
| 192 | // SetExternalKubeInformerFactory implements the WantsExternalKubeInformerFactory interface. |
| 193 | func (l *Lifecycle) SetExternalKubeInformerFactory(f informers.SharedInformerFactory) { |
| 194 | namespaceInformer := f.Core().V1().Namespaces() |
| 195 | l.namespaceLister = namespaceInformer.Lister() |
| 196 | l.SetReadyFunc(namespaceInformer.Informer().HasSynced) |
| 197 | } |
| 198 | |
| 199 | // SetExternalKubeClientSet implements the WantsExternalKubeClientSet interface. |
| 200 | func (l *Lifecycle) SetExternalKubeClientSet(client kubernetes.Interface) { |
| 201 | l.client = client |
| 202 | } |
| 203 | |
| 204 | // ValidateInitialization implements the InitializationValidator interface. |
| 205 | func (l *Lifecycle) ValidateInitialization() error { |
| 206 | if l.namespaceLister == nil { |
| 207 | return fmt.Errorf("missing namespaceLister") |
| 208 | } |
| 209 | if l.client == nil { |
| 210 | return fmt.Errorf("missing client") |
| 211 | } |
| 212 | return nil |
| 213 | } |
| 214 | |
| 215 | // accessReviewResources are resources which give a view into permissions in a namespace. Users must be allowed to create these |
| 216 | // resources because returning "not found" errors allows someone to search for the "people I'm going to fire in 2017" namespace. |
| 217 | var accessReviewResources = map[schema.GroupResource]bool{ |
| 218 | {Group: "authorization.k8s.io", Resource: "localsubjectaccessreviews"}: true, |
| 219 | } |
| 220 | |
| 221 | func isAccessReview(a admission.Attributes) bool { |
| 222 | return accessReviewResources[a.GetResource().GroupResource()] |
| 223 | } |