-
Notifications
You must be signed in to change notification settings - Fork 95
/
main.go
167 lines (139 loc) · 4.2 KB
/
main.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
package main
import (
"bytes"
"encoding/json"
"fmt"
"net/http"
"os"
"github.com/sirupsen/logrus"
"github.com/slackhq/simple-kubernetes-webhook/pkg/admission"
admissionv1 "k8s.io/api/admission/v1"
)
func main() {
setLogger()
// handle our core application
http.HandleFunc("/validate-pods", ServeValidatePods)
http.HandleFunc("/mutate-pods", ServeMutatePods)
http.HandleFunc("/health", ServeHealth)
// start the server
// listens to clear text http on port 8080 unless TLS env var is set to "true"
if os.Getenv("TLS") == "true" {
cert := "/etc/admission-webhook/tls/tls.crt"
key := "/etc/admission-webhook/tls/tls.key"
logrus.Print("Listening on port 443...")
logrus.Fatal(http.ListenAndServeTLS(":443", cert, key, nil))
} else {
logrus.Print("Listening on port 8080...")
logrus.Fatal(http.ListenAndServe(":8080", nil))
}
}
// ServeHealth returns 200 when things are good
func ServeHealth(w http.ResponseWriter, r *http.Request) {
logrus.WithField("uri", r.RequestURI).Debug("healthy")
fmt.Fprint(w, "OK")
}
// ServeValidatePods validates an admission request and then writes an admission
// review to `w`
func ServeValidatePods(w http.ResponseWriter, r *http.Request) {
logger := logrus.WithField("uri", r.RequestURI)
logger.Debug("received validation request")
in, err := parseRequest(*r)
if err != nil {
logger.Error(err)
http.Error(w, err.Error(), http.StatusBadRequest)
return
}
adm := admission.Admitter{
Logger: logger,
Request: in.Request,
}
out, err := adm.ValidatePodReview()
if err != nil {
e := fmt.Sprintf("could not generate admission response: %v", err)
logger.Error(e)
http.Error(w, e, http.StatusInternalServerError)
return
}
w.Header().Set("Content-Type", "application/json")
jout, err := json.Marshal(out)
if err != nil {
e := fmt.Sprintf("could not parse admission response: %v", err)
logger.Error(e)
http.Error(w, e, http.StatusInternalServerError)
return
}
logger.Debug("sending response")
logger.Debugf("%s", jout)
fmt.Fprintf(w, "%s", jout)
}
// ServeMutatePods returns an admission review with pod mutations as a json patch
// in the review response
func ServeMutatePods(w http.ResponseWriter, r *http.Request) {
logger := logrus.WithField("uri", r.RequestURI)
logger.Debug("received mutation request")
in, err := parseRequest(*r)
if err != nil {
logger.Error(err)
http.Error(w, err.Error(), http.StatusBadRequest)
return
}
adm := admission.Admitter{
Logger: logger,
Request: in.Request,
}
out, err := adm.MutatePodReview()
if err != nil {
e := fmt.Sprintf("could not generate admission response: %v", err)
logger.Error(e)
http.Error(w, e, http.StatusInternalServerError)
return
}
w.Header().Set("Content-Type", "application/json")
jout, err := json.Marshal(out)
if err != nil {
e := fmt.Sprintf("could not parse admission response: %v", err)
logger.Error(e)
http.Error(w, e, http.StatusInternalServerError)
return
}
logger.Debug("sending response")
logger.Debugf("%s", jout)
fmt.Fprintf(w, "%s", jout)
}
// setLogger sets the logger using env vars, it defaults to text logs on
// debug level unless otherwise specified
func setLogger() {
logrus.SetLevel(logrus.DebugLevel)
lev := os.Getenv("LOG_LEVEL")
if lev != "" {
llev, err := logrus.ParseLevel(lev)
if err != nil {
logrus.Fatalf("cannot set LOG_LEVEL to %q", lev)
}
logrus.SetLevel(llev)
}
if os.Getenv("LOG_JSON") == "true" {
logrus.SetFormatter(&logrus.JSONFormatter{})
}
}
// parseRequest extracts an AdmissionReview from an http.Request if possible
func parseRequest(r http.Request) (*admissionv1.AdmissionReview, error) {
if r.Header.Get("Content-Type") != "application/json" {
return nil, fmt.Errorf("Content-Type: %q should be %q",
r.Header.Get("Content-Type"), "application/json")
}
bodybuf := new(bytes.Buffer)
bodybuf.ReadFrom(r.Body)
body := bodybuf.Bytes()
if len(body) == 0 {
return nil, fmt.Errorf("admission request body is empty")
}
var a admissionv1.AdmissionReview
if err := json.Unmarshal(body, &a); err != nil {
return nil, fmt.Errorf("could not parse admission review request: %v", err)
}
if a.Request == nil {
return nil, fmt.Errorf("admission review can't be used: Request field is nil")
}
return &a, nil
}