diff --git a/charts/spiderpool/templates/tls.yaml b/charts/spiderpool/templates/tls.yaml index 940d4274bd..3254858159 100644 --- a/charts/spiderpool/templates/tls.yaml +++ b/charts/spiderpool/templates/tls.yaml @@ -144,6 +144,48 @@ webhooks: - spidercoordinators sideEffects: None {{- end }} +{{- if .Values.spiderpoolController.podResourceInject.enabled }} +- admissionReviewVersions: + - v1 + clientConfig: + service: + name: {{ .Values.spiderpoolController.name | trunc 63 | trimSuffix "-" }} + namespace: {{ .Release.Namespace }} + path: /mutate--v1-pod + port: {{ .Values.spiderpoolController.webhookPort }} + {{- if (eq .Values.spiderpoolController.tls.method "provided") }} + caBundle: {{ .Values.spiderpoolController.tls.provided.tlsCa | required "missing spiderpoolController.tls.provided.tlsCa" }} + {{- else if (eq .Values.spiderpoolController.tls.method "auto") }} + caBundle: {{ .ca.Cert | b64enc }} + {{- end }} + failurePolicy: Fail + name: pods.spiderpool.spidernet.io + {{- if or .Values.spiderpoolController.podResourceInject.namespacesExclude .Values.spiderpoolController.podResourceInject.namespacesInclude }} + namespaceSelector: + matchExpressions: + {{- if .Values.spiderpoolController.podResourceInject.namespacesExclude }} + - key: kubernetes.io/metadata.name + operator: NotIn + values: {{ toYaml .Values.spiderpoolController.podResourceInject.namespacesExclude | nindent 8 }} + {{- end }} + {{- if .Values.spiderpoolController.podResourceInject.namespacesInclude }} + - key: kubernetes.io/metadata.name + operator: In + values: {{ toYaml .Values.spiderpoolController.podResourceInject.namespacesInclude | nindent 8 }} + {{- end }} + {{- end }} + rules: + - apiGroups: + - "" + apiVersions: + - v1 + operations: + - CREATE + - UPDATE + resources: + - pods + sideEffects: None +{{- end }} --- apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingWebhookConfiguration diff --git a/cmd/spiderpool-controller/cmd/daemon.go b/cmd/spiderpool-controller/cmd/daemon.go index e534dbf06f..20db104d63 100644 --- a/cmd/spiderpool-controller/cmd/daemon.go +++ b/cmd/spiderpool-controller/cmd/daemon.go @@ -266,19 +266,12 @@ func initControllerServiceManagers(ctx context.Context) { controllerContext.PodManager = podManager if controllerContext.Cfg.PodResourceInjectConfig.Enabled { - logger.Debug("Begin to init Pod MutatingWebhook") - if err := podmanager.InitPodWebhook(controllerContext.ClientSet.AdmissionregistrationV1(), - controllerContext.CRDManager, controllerContext.Cfg.ControllerDeploymentName, - controllerContext.Cfg.PodResourceInjectConfig.NamespacesExclude, - controllerContext.Cfg.PodResourceInjectConfig.NamespacesInclude); err != nil { + logger.Info("Begin to init Pod MutatingWebhook") + if err := podmanager.InitPodWebhook(controllerContext.CRDManager); err != nil { logger.Fatal(err.Error()) } } else { - logger.Debug("InjectPodNetworkResource is disabled, try to remove the pod part in the MutatingWebhook") - if err := podmanager.RemovePodMutatingWebhook(controllerContext.ClientSet.AdmissionregistrationV1(), - controllerContext.Cfg.ControllerDeploymentName); err != nil { - logger.Error(err.Error()) - } + logger.Info("Pod MutatingWebhook is disabled") } logger.Info("Begin to initialize StatefulSet manager") diff --git a/pkg/podmanager/pod_webhook.go b/pkg/podmanager/pod_webhook.go index 1a1221e51d..2cc086a8f2 100644 --- a/pkg/podmanager/pod_webhook.go +++ b/pkg/podmanager/pod_webhook.go @@ -12,7 +12,6 @@ import ( corev1 "k8s.io/api/core/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/runtime" - admissionregistrationv1 "k8s.io/client-go/kubernetes/typed/admissionregistration/v1" ctrl "sigs.k8s.io/controller-runtime" "sigs.k8s.io/controller-runtime/pkg/webhook/admission" ) @@ -38,17 +37,10 @@ type podWebhook struct { // InitPodWebhook initializes the pod webhook. // It sets up the mutating webhook for pods and registers it with the manager. // Parameters: -// - client: The Kubernetes client // - mgr: The controller manager -// - mutatingWebhookName: The name of the mutating webhook // // Returns an error if initialization fails. -func InitPodWebhook( - admissionClient admissionregistrationv1.AdmissionregistrationV1Interface, - mgr ctrl.Manager, - mutatingWebhookName string, - webhookNamespaceExclude []string, - webhookNamespaceInclude []string) error { +func InitPodWebhook(mgr ctrl.Manager) error { spiderClient, err := crdclientset.NewForConfig(ctrl.GetConfigOrDie()) if err != nil { return err @@ -58,14 +50,6 @@ func InitPodWebhook( spiderClient: spiderClient, } - if len(webhookNamespaceExclude) != 0 { - PodWebhookExcludeNamespaces = webhookNamespaceExclude - } - - if err = AddPodMutatingWebhook(admissionClient, mutatingWebhookName, webhookNamespaceInclude); err != nil { - return err - } - // setup mutating webhook for pods if err = ctrl.NewWebhookManagedBy(mgr). For(&corev1.Pod{}). diff --git a/pkg/podmanager/utils.go b/pkg/podmanager/utils.go index 015ef20927..bffba0588e 100644 --- a/pkg/podmanager/utils.go +++ b/pkg/podmanager/utils.go @@ -8,14 +8,10 @@ import ( "fmt" crdclientset "github.com/spidernet-io/spiderpool/pkg/k8s/client/clientset/versioned" - admissionregistrationv1 "k8s.io/api/admissionregistration/v1" appsv1 "k8s.io/api/apps/v1" corev1 "k8s.io/api/core/v1" k8s_resource "k8s.io/apimachinery/pkg/api/resource" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - admissionClientv1 "k8s.io/client-go/kubernetes/typed/admissionregistration/v1" - "k8s.io/client-go/util/retry" - "k8s.io/utils/ptr" kubevirtv1 "kubevirt.io/api/core/v1" "github.com/spidernet-io/spiderpool/pkg/constant" @@ -191,141 +187,6 @@ func InjectRdmaResourceToPod(resourceMap map[string]bool, pod *corev1.Pod) { } } -// InitPodMutatingWebhook initializes a mutating webhook for pods based on a template webhook. -// It sets up the webhook configuration including name, admission review versions, failure policy, -// object selector, client config, and rules for pod creation and update operations. -// -// Parameters: -// - from: An admissionregistrationv1.MutatingWebhook object to use as a template -// -// Returns: -// - A new admissionregistrationv1.MutatingWebhook object configured for pod mutation -func InitPodMutatingWebhook(from admissionregistrationv1.MutatingWebhook, webhookNamespaceInclude []string) admissionregistrationv1.MutatingWebhook { - wb := admissionregistrationv1.MutatingWebhook{ - Name: constant.PodMutatingWebhookName, - AdmissionReviewVersions: from.AdmissionReviewVersions, - FailurePolicy: ptr.To(admissionregistrationv1.Fail), - NamespaceSelector: &metav1.LabelSelector{}, - ClientConfig: admissionregistrationv1.WebhookClientConfig{ - CABundle: from.ClientConfig.CABundle, - }, - Rules: []admissionregistrationv1.RuleWithOperations{ - { - Operations: []admissionregistrationv1.OperationType{ - admissionregistrationv1.Create, - admissionregistrationv1.Update, - }, - Rule: admissionregistrationv1.Rule{ - APIGroups: []string{""}, - APIVersions: []string{"v1"}, - Resources: []string{"pods"}, - }, - }, - }, - SideEffects: ptr.To(admissionregistrationv1.SideEffectClassNone), - } - - if from.ClientConfig.Service != nil { - wb.ClientConfig.Service = &admissionregistrationv1.ServiceReference{ - Name: from.ClientConfig.Service.Name, - Namespace: from.ClientConfig.Service.Namespace, - Port: from.ClientConfig.Service.Port, - // format: /mutate--- - Path: ptr.To("/mutate--v1-pod"), - } - } - - if len(PodWebhookExcludeNamespaces) != 0 { - wb.NamespaceSelector.MatchExpressions = []metav1.LabelSelectorRequirement{ - { - Key: corev1.LabelMetadataName, - Operator: metav1.LabelSelectorOpNotIn, - Values: PodWebhookExcludeNamespaces, - }, - } - } - - if len(webhookNamespaceInclude) != 0 { - wb.NamespaceSelector.MatchExpressions = append(wb.NamespaceSelector.MatchExpressions, metav1.LabelSelectorRequirement{ - Key: corev1.LabelMetadataName, - Operator: metav1.LabelSelectorOpIn, - Values: webhookNamespaceInclude, - }) - } - return wb -} - -// addPodMutatingWebhook updates the MutatingWebhookConfiguration for pods. -// It retrieves the existing configuration, adds a new webhook for pods, -// and updates the configuration in the Kubernetes API server. -func AddPodMutatingWebhook(admissionClient admissionClientv1.AdmissionregistrationV1Interface, mutatingWebhookName string, webhookNamespaceInclude []string) error { - retryErr := retry.RetryOnConflict(retry.DefaultRetry, func() error { - mwc, err := admissionClient.MutatingWebhookConfigurations().Get(context.TODO(), mutatingWebhookName, metav1.GetOptions{}) - if err != nil { - return fmt.Errorf("failed to get MutatingWebhookConfiguration: %v", err) - } - - if len(mwc.Webhooks) == 0 { - return fmt.Errorf("no any mutating webhook found in MutatingWebhookConfiguration %s", mutatingWebhookName) - } - - var newWebhooks []admissionregistrationv1.MutatingWebhook - for _, wb := range mwc.Webhooks { - // if the webhook already exists, do nothing - if wb.Name == constant.PodMutatingWebhookName { - continue - } - newWebhooks = append(newWebhooks, wb) - } - - podWebhook := InitPodMutatingWebhook(*mwc.Webhooks[0].DeepCopy(), webhookNamespaceInclude) - newWebhooks = append(newWebhooks, podWebhook) - mwc.Webhooks = newWebhooks - - _, updateErr := admissionClient.MutatingWebhookConfigurations().Update(context.TODO(), mwc, metav1.UpdateOptions{}) - return updateErr - }) - if retryErr != nil { - return fmt.Errorf("update MutatingWebhookConfiguration %s failed: %v", mutatingWebhookName, retryErr) - } - - return nil -} - -// RemovePodMutatingWebhook removes the mutating webhook for pods. -// It retrieves the existing configuration, removes the webhook for pods, -// and updates the configuration in the Kubernetes API server. -func RemovePodMutatingWebhook(admissionClient admissionClientv1.AdmissionregistrationV1Interface, mutatingWebhookName string) error { - retryErr := retry.RetryOnConflict(retry.DefaultRetry, func() error { - mwc, err := admissionClient.MutatingWebhookConfigurations().Get(context.TODO(), mutatingWebhookName, metav1.GetOptions{}) - if err != nil { - return err - } - - var newWebhooks []admissionregistrationv1.MutatingWebhook - for _, wb := range mwc.Webhooks { - if wb.Name != constant.PodMutatingWebhookName { - newWebhooks = append(newWebhooks, wb) - } - } - - if len(newWebhooks) == len(mwc.Webhooks) { - return nil - } - - mwc.Webhooks = newWebhooks - _, err = admissionClient.MutatingWebhookConfigurations().Update(context.TODO(), mwc, metav1.UpdateOptions{}) - if err != nil { - return err - } - return nil - }) - if retryErr != nil { - return fmt.Errorf("removes the mutating webhook for pods: %v", retryErr) - } - return nil -} - func doValidateRdmaResouceAndIPPools(mc v2beta1.SpiderMultusConfig) error { doValidateIPPools := func(name, namespace string, ippools *v2beta1.SpiderpoolPools) error { if ippools == nil { diff --git a/pkg/podmanager/utils_test.go b/pkg/podmanager/utils_test.go index 988d23c403..3db0d454ca 100644 --- a/pkg/podmanager/utils_test.go +++ b/pkg/podmanager/utils_test.go @@ -4,17 +4,13 @@ package podmanager_test import ( - "context" - . "github.com/onsi/ginkgo/v2" . "github.com/onsi/gomega" "github.com/spidernet-io/spiderpool/pkg/constant" "github.com/spidernet-io/spiderpool/pkg/k8s/apis/spiderpool.spidernet.io/v2beta1" - admissionregistrationv1 "k8s.io/api/admissionregistration/v1" corev1 "k8s.io/api/core/v1" "k8s.io/apimachinery/pkg/api/resource" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - "k8s.io/client-go/kubernetes/fake" "k8s.io/utils/ptr" "github.com/spidernet-io/spiderpool/pkg/podmanager" @@ -332,256 +328,4 @@ var _ = Describe("PodManager utils", Label("pod_manager_utils_test"), func() { Expect(err.Error()).To(ContainSubstring("cniType ipvlan is not consistent with macvlan")) }) }) - - Describe("Utils", func() { - Context("initPodMutatingWebhook", func() { - It("should properly initialize pod mutating webhook with full configuration", func() { - // Prepare test data - testCABundle := []byte("test-ca-bundle") - fromWebhook := admissionregistrationv1.MutatingWebhook{ - AdmissionReviewVersions: []string{"v1", "v1beta1"}, - ClientConfig: admissionregistrationv1.WebhookClientConfig{ - CABundle: testCABundle, - Service: &admissionregistrationv1.ServiceReference{ - Name: "test-service", - Namespace: "test-namespace", - Port: ptr.To(int32(443)), - }, - }, - } - - // Call the function under test - podWebhookNamespaceInclude := []string{ - "test", - } - result := podmanager.InitPodMutatingWebhook(fromWebhook, podWebhookNamespaceInclude) - - // Verify results - Expect(result.Name).To(Equal(constant.PodMutatingWebhookName)) - Expect(result.AdmissionReviewVersions).To(Equal(fromWebhook.AdmissionReviewVersions)) - Expect(*result.FailurePolicy).To(Equal(admissionregistrationv1.Fail)) - - // Verify NamespaceSelector - Expect(result.NamespaceSelector).NotTo(BeNil()) - Expect(result.NamespaceSelector.MatchExpressions).To(HaveLen(2)) - Expect(result.NamespaceSelector.MatchExpressions[0].Key).To(Equal(corev1.LabelMetadataName)) - Expect(result.NamespaceSelector.MatchExpressions[0].Operator).To(Equal(metav1.LabelSelectorOpNotIn)) - Expect(result.NamespaceSelector.MatchExpressions[1].Key).To(Equal(corev1.LabelMetadataName)) - Expect(result.NamespaceSelector.MatchExpressions[1].Operator).To(Equal(metav1.LabelSelectorOpIn)) - - // Verify ClientConfig - Expect(result.ClientConfig.CABundle).To(Equal(testCABundle)) - Expect(result.ClientConfig.Service).NotTo(BeNil()) - Expect(result.ClientConfig.Service.Name).To(Equal("test-service")) - Expect(result.ClientConfig.Service.Namespace).To(Equal("test-namespace")) - Expect(*result.ClientConfig.Service.Port).To(Equal(int32(443))) - Expect(*result.ClientConfig.Service.Path).To(Equal("/mutate--v1-pod")) - - // Verify Rules - Expect(result.Rules).To(HaveLen(1)) - Expect(result.Rules[0].Operations).To(ConsistOf( - admissionregistrationv1.Create, - admissionregistrationv1.Update, - )) - Expect(result.Rules[0].Rule.APIGroups).To(Equal([]string{""})) - Expect(result.Rules[0].Rule.APIVersions).To(Equal([]string{"v1"})) - Expect(result.Rules[0].Rule.Resources).To(Equal([]string{"pods"})) - - // Verify SideEffects - Expect(*result.SideEffects).To(Equal(admissionregistrationv1.SideEffectClassNone)) - }) - - It("should properly initialize webhook without Service configuration", func() { - // Prepare test data - fromWebhook := admissionregistrationv1.MutatingWebhook{ - AdmissionReviewVersions: []string{"v1"}, - ClientConfig: admissionregistrationv1.WebhookClientConfig{ - CABundle: []byte("test-ca-bundle"), - }, - } - - // Call the function under test - result := podmanager.InitPodMutatingWebhook(fromWebhook, []string{}) - - // Verify results - Expect(result.ClientConfig.Service).To(BeNil()) - Expect(result.Name).To(Equal(constant.PodMutatingWebhookName)) - }) - }) - }) - - Describe("AddPodMutatingWebhook", func() { - var ( - fakeClient *fake.Clientset - webhookName string - existingConfig *admissionregistrationv1.MutatingWebhookConfiguration - podWebhookNamespaceInclude []string - ) - - BeforeEach(func() { - // Initialize test variables - fakeClient = fake.NewSimpleClientset() - webhookName = "test-webhook-config" - podWebhookNamespaceInclude = []string{ - "test", - } - - // Create a basic webhook configuration - existingConfig = &admissionregistrationv1.MutatingWebhookConfiguration{ - ObjectMeta: metav1.ObjectMeta{ - Name: webhookName, - }, - Webhooks: []admissionregistrationv1.MutatingWebhook{ - { - Name: "existing-webhook", - ClientConfig: admissionregistrationv1.WebhookClientConfig{ - CABundle: []byte("test-ca-bundle"), - Service: &admissionregistrationv1.ServiceReference{ - Name: "webhook-service", - Namespace: "default", - Port: ptr.To(int32(443)), - }, - }, - AdmissionReviewVersions: []string{"v1"}, - }, - }, - } - }) - - Context("when adding pod mutating webhook", func() { - It("should successfully add webhook when it doesn't exist", func() { - // Create initial webhook configuration - _, err := fakeClient.AdmissionregistrationV1().MutatingWebhookConfigurations().Create( - context.TODO(), existingConfig, metav1.CreateOptions{}) - Expect(err).NotTo(HaveOccurred()) - - // Call the function under test - err = podmanager.AddPodMutatingWebhook(fakeClient.AdmissionregistrationV1(), webhookName, podWebhookNamespaceInclude) - Expect(err).NotTo(HaveOccurred()) - - // // Verify the webhook was added - updatedConfig, err := fakeClient.AdmissionregistrationV1().MutatingWebhookConfigurations().Get( - context.TODO(), webhookName, metav1.GetOptions{}) - Expect(err).NotTo(HaveOccurred()) - Expect(updatedConfig.Webhooks).To(HaveLen(2)) - Expect(updatedConfig.Webhooks[1].Name).To(Equal(constant.PodMutatingWebhookName)) - }) - - It("should not add webhook when it already exists", func() { - // Add pod webhook to initial configuration - podWebhook := podmanager.InitPodMutatingWebhook(existingConfig.Webhooks[0], podWebhookNamespaceInclude) - existingConfig.Webhooks = append(existingConfig.Webhooks, podWebhook) - - // Create webhook configuration with pod webhook - _, err := fakeClient.AdmissionregistrationV1().MutatingWebhookConfigurations().Create( - context.TODO(), existingConfig, metav1.CreateOptions{}) - Expect(err).NotTo(HaveOccurred()) - - // Call the function under test - err = podmanager.AddPodMutatingWebhook(fakeClient.AdmissionregistrationV1(), webhookName, podWebhookNamespaceInclude) - Expect(err).NotTo(HaveOccurred()) - - // // Verify no additional webhook was added - updatedConfig, err := fakeClient.AdmissionregistrationV1().MutatingWebhookConfigurations().Get( - context.TODO(), webhookName, metav1.GetOptions{}) - Expect(err).NotTo(HaveOccurred()) - Expect(updatedConfig.Webhooks).To(HaveLen(2)) - }) - - It("should return error when webhook configuration doesn't exist", func() { - // Call the function under test without creating webhook configuration - err := podmanager.AddPodMutatingWebhook(fakeClient.AdmissionregistrationV1(), webhookName, podWebhookNamespaceInclude) - Expect(err).To(HaveOccurred()) - Expect(err.Error()).To(ContainSubstring("failed to get MutatingWebhookConfiguration")) - }) - - It("should return error when webhook configuration is empty", func() { - // Create empty webhook configuration - emptyConfig := &admissionregistrationv1.MutatingWebhookConfiguration{ - ObjectMeta: metav1.ObjectMeta{ - Name: webhookName, - }, - } - _, err := fakeClient.AdmissionregistrationV1().MutatingWebhookConfigurations().Create( - context.TODO(), emptyConfig, metav1.CreateOptions{}) - Expect(err).NotTo(HaveOccurred()) - - // Call the function under test - err = podmanager.AddPodMutatingWebhook(fakeClient.AdmissionregistrationV1(), webhookName, podWebhookNamespaceInclude) - Expect(err).To(HaveOccurred()) - Expect(err.Error()).To(ContainSubstring("no any mutating webhook found")) - }) - }) - }) - - var _ = Describe("RemovePodMutatingWebhook", func() { - var ( - // Mock admission client - fakeClient *fake.Clientset - // Test webhook name - webhookName string - ) - - BeforeEach(func() { - // Initialize test variables - // Initialize test variables - fakeClient = fake.NewSimpleClientset() - webhookName = "test-webhook-config" - }) - - Context("when removing pod mutating webhook", func() { - It("should successfully remove the webhook if it exists", func() { - // Prepare existing webhook configuration - existingWebhooks := []admissionregistrationv1.MutatingWebhook{ - {Name: constant.PodMutatingWebhookName}, - {Name: "other-webhook"}, - } - - mwc := &admissionregistrationv1.MutatingWebhookConfiguration{ - ObjectMeta: metav1.ObjectMeta{ - Name: webhookName, - }, - Webhooks: existingWebhooks, - } - - // Setup mock behavior - _, err := fakeClient.AdmissionregistrationV1().MutatingWebhookConfigurations().Create( - context.TODO(), mwc, metav1.CreateOptions{}) - Expect(err).NotTo(HaveOccurred()) - - // Execute test - err = podmanager.RemovePodMutatingWebhook(fakeClient.AdmissionregistrationV1(), webhookName) - Expect(err).NotTo(HaveOccurred()) - }) - - It("should return nil if webhook doesn't exist", func() { - // Prepare existing webhook configuration - existingWebhooks := []admissionregistrationv1.MutatingWebhook{ - {Name: "other-webhook"}, - } - - mwc := &admissionregistrationv1.MutatingWebhookConfiguration{ - ObjectMeta: metav1.ObjectMeta{ - Name: webhookName, - }, - Webhooks: existingWebhooks, - } - - // Setup mock behavior - _, err := fakeClient.AdmissionregistrationV1().MutatingWebhookConfigurations().Create( - context.TODO(), mwc, metav1.CreateOptions{}) - Expect(err).NotTo(HaveOccurred()) - - // Execute test - err = podmanager.RemovePodMutatingWebhook(fakeClient.AdmissionregistrationV1(), webhookName) - Expect(err).NotTo(HaveOccurred()) - }) - - It("should return error when getting webhook configuration fails", func() { - err := podmanager.RemovePodMutatingWebhook(fakeClient.AdmissionregistrationV1(), webhookName) - Expect(err).To(HaveOccurred()) - Expect(err.Error()).To(ContainSubstring("not found")) - }) - }) - }) })