fix webhook for top-level resources (FairwindsOps#576)

* fix webhook for top-level resources * delete unused code * unused imports
michaelniemand · Jun 25, 2021 · 8385fd1 · 8385fd1
1 parent ccc795d
commit 8385fd1
Showing 1 changed file with 27 additions and 49 deletions.
diff --git a/pkg/webhook/webhook.go b/pkg/webhook/webhook.go
@@ -16,8 +16,6 @@ package webhook
 
 import (
  "context"
- "encoding/json"
- "errors"
  "fmt"
  "net/http"
 
@@ -56,37 +54,11 @@ func NewWebhook(mgr manager.Manager, validator Validator) {
  mgr.GetWebhookServer().Register(path, &webhook.Admission{Handler: &validator})
 }
 
-// GetObjectFromRawRequest returns the pod object and the controller's object from the raw json bytes.
-func GetObjectFromRawRequest(raw []byte) (corev1.Pod, interface{}, error) {
- pod := corev1.Pod{}
- var originalObject interface{}
-
- decoded := map[string]interface{}{}
- err := json.Unmarshal(raw, &decoded)
- if err != nil {
- return pod, originalObject, err
- }
- podMap := kube.GetPodSpec(decoded)
- if podMap == nil {
- return pod, originalObject, errors.New("Object does not contain pods")
- }
- encoded, err := json.Marshal(podMap)
- if err != nil {
- return pod, originalObject, err
- }
- err = json.Unmarshal(encoded, &pod.Spec)
- if err != nil {
- return pod, originalObject, err
- }
- originalObject = decoded
- return pod, originalObject, err
-}
-
-func (v *Validator) handleInternal(req admission.Request) (*validator.PodResult, error) {
- pod := corev1.Pod{}
- var originalObject interface{}
+func (v *Validator) handleInternal(req admission.Request) (*validator.Result, error) {
+ var controller kube.GenericResource
  var err error
  if req.AdmissionRequest.Kind.Kind == "Pod" {
+ pod := corev1.Pod{}
  err := v.decoder.Decode(req, &pod)
  if err != nil {
  return nil, err
@@ -95,58 +67,64 @@ func (v *Validator) handleInternal(req admission.Request) (*validator.PodResult,
  logrus.Infof("Allowing owned pod %s/%s to pass through webhook", pod.ObjectMeta.Namespace, pod.ObjectMeta.Name)
  return nil, nil
  }
- originalObject = pod
+ controller, err = kube.NewGenericResourceFromPod(pod, pod)
  } else {
- pod, originalObject, err = GetObjectFromRawRequest(req.Object.Raw)
+ controller, err = kube.NewGenericResourceFromBytes(req.Object.Raw)
  }
- controller, err := kube.NewGenericResourceFromPod(pod, originalObject)
  if err != nil {
  return nil, err
  }
- controller.Kind = req.AdmissionRequest.Kind.Kind
- var controllerResult validator.Result
  // TODO: consider enabling multi-resource checks
- controllerResult, err = validator.ApplyAllSchemaChecks(&v.Config, nil, controller)
+ controllerResult, err := validator.ApplyAllSchemaChecks(&v.Config, nil, controller)
  if err != nil {
  return nil, err
  }
- return controllerResult.PodResult, nil
+ return &controllerResult, nil
 }
 
 // Handle for Validator to run validation checks.
 func (v *Validator) Handle(ctx context.Context, req admission.Request) admission.Response {
  logrus.Info("Starting request")
- podResult, err := v.handleInternal(req)
+ result, err := v.handleInternal(req)
  if err != nil {
  logrus.Errorf("Error validating request: %v", err)
  return admission.Errored(http.StatusBadRequest, err)
  }
  allowed := true
  reason := ""
- if podResult != nil {
- numDangers := podResult.GetSummary().Dangers
+ if result != nil {
+ numDangers := result.GetSummary().Dangers
  if numDangers > 0 {
  allowed = false
- reason = getFailureReason(*podResult)
+ reason = getFailureReason(*result)
  }
- logrus.Infof("%d validation errors found when validating %s", numDangers, podResult.Name)
+ logrus.Infof("%d validation errors found when validating %s", numDangers, result.Name)
  }
  return admission.ValidationResponse(allowed, reason)
 }
 
-func getFailureReason(podResult validator.PodResult) string {
+func getFailureReason(result validator.Result) string {
  reason := "\nPolaris prevented this deployment due to configuration problems:\n"
 
- for _, message := range podResult.Results {
+ for _, message := range result.Results {
  if !message.Success && message.Severity == config.SeverityDanger {
- reason += fmt.Sprintf("- Pod: %s\n", message.Message)
+ reason += fmt.Sprintf("- %s: %s\n", result.Kind, message.Message)
  }
  }
 
- for _, containerResult := range podResult.ContainerResults {
- for _, message := range containerResult.Results {
+ podResult := result.PodResult
+ if podResult != nil {
+ for _, message := range podResult.Results {
  if !message.Success && message.Severity == config.SeverityDanger {
- reason += fmt.Sprintf("- Container %s: %s\n", containerResult.Name, message.Message)
+ reason += fmt.Sprintf("- Pod: %s\n", message.Message)
+ }
+ }
+
+ for _, containerResult := range podResult.ContainerResults {
+ for _, message := range containerResult.Results {
+ if !message.Success && message.Severity == config.SeverityDanger {
+ reason += fmt.Sprintf("- Container %s: %s\n", containerResult.Name, message.Message)
+ }
  }
  }
  }