-
Notifications
You must be signed in to change notification settings - Fork 2
/
main.go
122 lines (100 loc) · 2.97 KB
/
main.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
package main
import (
"encoding/json"
"fmt"
"html"
"io/ioutil"
"log"
"net/http"
"strings"
"time"
v1beta1 "k8s.io/api/admission/v1beta1"
corev1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)
func handleRoot(w http.ResponseWriter, r *http.Request) {
fmt.Fprintf(w, "k8s.gcr.io to registry.k8s.io webhook %q", html.EscapeString(r.URL.Path))
}
func handleMutate(w http.ResponseWriter, r *http.Request) {
// read the body / request
body, err := ioutil.ReadAll(r.Body)
defer r.Body.Close()
if err != nil {
log.Println(err)
w.WriteHeader(http.StatusInternalServerError)
fmt.Fprintf(w, "%s", err)
}
// mutate the request
mutated, err := actuallyMutate(body)
if err != nil {
log.Println(err)
w.WriteHeader(http.StatusInternalServerError)
fmt.Fprintf(w, "%s", err)
}
// and write it back
w.WriteHeader(http.StatusOK)
w.Write(mutated)
}
func actuallyMutate(body []byte) ([]byte, error) {
// unmarshal request into AdmissionReview struct
admReview := v1beta1.AdmissionReview{}
if err := json.Unmarshal(body, &admReview); err != nil {
return nil, fmt.Errorf("unmarshaling request failed with %s", err)
}
var err error
var pod *corev1.Pod
responseBody := []byte{}
ar := admReview.Request
resp := v1beta1.AdmissionResponse{}
if ar != nil {
// get the Pod object and unmarshal it into its struct, if we cannot, we might as well stop here
if err := json.Unmarshal(ar.Object.Raw, &pod); err != nil {
return nil, fmt.Errorf("unable unmarshal pod json object %v", err)
}
// set response options
resp.Allowed = true
resp.UID = ar.UID
pT := v1beta1.PatchTypeJSONPatch
resp.PatchType = &pT
// the actual mutation is done by a string in JSONPatch style, i.e. we don't _actually_ modify the object, but
// tell K8S how it should modifiy it
p := []map[string]string{}
for i := range pod.Spec.Containers {
if strings.Contains(pod.Spec.Containers[i].Image, "k8s.gcr.io") {
patch := map[string]string{
"op": "replace",
"path": fmt.Sprintf("/spec/containers/%d/image", i),
"value": strings.ReplaceAll(pod.Spec.Containers[i].Image, "k8s.gcr.io", "registry.k8s.io"),
}
p = append(p, patch)
}
}
// parse the []map into JSON
resp.Patch, err = json.Marshal(p)
// Success, of course ;)
resp.Result = &metav1.Status{
Status: "Success",
}
admReview.Response = &resp
// back into JSON so we can return the finished AdmissionReview w/ Response directly
// w/o needing to convert things in the http handler
responseBody, err = json.Marshal(admReview)
if err != nil {
return nil, err // untested section
}
}
return responseBody, nil
}
func main() {
mux := http.NewServeMux()
mux.HandleFunc("/", handleRoot)
mux.HandleFunc("/mutate", handleMutate)
s := &http.Server{
Addr: ":8443",
Handler: mux,
ReadTimeout: 10 * time.Second,
WriteTimeout: 10 * time.Second,
MaxHeaderBytes: 1 << 20, // 1048576
}
log.Fatal(s.ListenAndServeTLS("/tls/tls.crt", "/tls/tls.key"))
}