From 0dc7a28eddcdcf085959af80a588451ce3ccd4dc Mon Sep 17 00:00:00 2001 From: Sunil Thaha Date: Thu, 15 Feb 2024 14:10:50 +1000 Subject: [PATCH] feat(webhook): add webhook to validate kepler resource Previously, when a user created a kepler with a name other than `kepler`, the k8s API server would accept the resource and create it. The operator then updates the status of the resource to `invalid`. This is now changed by adding a validating webhook that rejects the resource if the name does not match `kepler`.
Signed-off-by: Sunil Thaha --- Makefile | 3 + PROJECT | 5 +- ...r-operator-webhook-service_v1_service.yaml | 23 +++++ ...kepler-operator.clusterserviceversion.yaml | 61 +++++++++++++- ...stem.sustainable.computing.io_keplers.yaml | 10 +++ cmd/manager/main.go | 17 ++++ config/certmanager/certificate.yaml | 39 +++++++++ config/certmanager/kustomization.yaml | 5 ++ config/certmanager/kustomizeconfig.yaml | 16 ++++ config/crd/kustomization.yaml | 2 +- config/default/kustomization.yaml | 4 +- config/default/manager_webhook_patch.yaml | 25 ++++++ config/default/webhookcainjection_patch.yaml | 29 +++++++ config/manifests/kustomization.yaml | 32 +++---- config/webhook/kustomization.yaml | 6 ++ config/webhook/kustomizeconfig.yaml | 25 ++++++ config/webhook/manifests.yaml | 52 ++++++++++++ config/webhook/service.yaml | 21 +++++ pkg/api/v1alpha1/kepler_webhook.go | 84 +++++++++++++++++++ pkg/api/v1alpha1/zz_generated.deepcopy.go | 2 +- pkg/controllers/kepler.go | 5 +- 21 files changed, 442 insertions(+), 24 deletions(-) create mode 100644 bundle/manifests/kepler-operator-webhook-service_v1_service.yaml create mode 100644 config/certmanager/certificate.yaml create mode 100644 config/certmanager/kustomization.yaml create mode 100644 config/certmanager/kustomizeconfig.yaml create mode 100644 config/default/manager_webhook_patch.yaml create mode 100644 config/default/webhookcainjection_patch.yaml create mode 100644 config/webhook/kustomization.yaml create mode 100644 config/webhook/kustomizeconfig.yaml create mode 100644 config/webhook/manifests.yaml create mode 100644 config/webhook/service.yaml create mode 100644 pkg/api/v1alpha1/kepler_webhook.go diff --git a/Makefile b/Makefile index 319ecd16..3bd073f1 100644 --- a/Makefile +++ b/Makefile @@ -12,6 +12,9 @@ else GOBIN=$(shell go env GOBIN) endif +# WEBHOOKS +ENABLE_WEBHOOKS ?= true # enable webhooks by default + # Setting GOENV GOOS := $(shell go env GOOS) GOARCH := $(shell go env GOARCH) 
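Review bot: The inline comment in `ENABLE_WEBHOOKS ?= true # enable webhooks by default` becomes part of the value's whitespace, because GNU make keeps the blanks before `#`, so the variable is `true ` with a trailing space. That is harmless for the current default, but cmd/manager/main.go in this commit compares the environment value with exactly `false`, so if this default is ever changed to `false` in the same style and passed through to the manager, the comparison would not match and webhooks would stay enabled. Move the comment to its own line: `# enable webhooks by default` above a bare `ENABLE_WEBHOOKS ?= true`. Whether the Makefile exports this variable to the manager is not visible in the hunk.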
diff --git a/PROJECT b/PROJECT index 179bbea5..8625b9a3 100644 --- a/PROJECT +++ b/PROJECT @@ -9,11 +9,14 @@ repo: github.com/sustainable.computing.io/kepler-operator resources: - api: crdVersion: v1 - namespaced: true controller: true domain: sustainable.computing.io group: kepler.system kind: Kepler path: github.com/sustainable.computing.io/kepler-operator/api/v1alpha1 version: v1alpha1 + webhooks: + defaulting: true + validation: true + webhookVersion: v1 version: "3" diff --git a/bundle/manifests/kepler-operator-webhook-service_v1_service.yaml b/bundle/manifests/kepler-operator-webhook-service_v1_service.yaml new file mode 100644 index 00000000..7ea9c80d --- /dev/null +++ b/bundle/manifests/kepler-operator-webhook-service_v1_service.yaml @@ -0,0 +1,23 @@ +apiVersion: v1 +kind: Service +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/component: webhook + app.kubernetes.io/created-by: kepler-operator + app.kubernetes.io/instance: webhook-service + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: service + app.kubernetes.io/part-of: kepler-operator + name: kepler-operator-webhook-service +spec: + ports: + - port: 443 + protocol: TCP + targetPort: 9443 + selector: + app.kubernetes.io/component: manager + app.kubernetes.io/instance: controller-manager + app.kubernetes.io/part-of: kepler-operator +status: + loadBalancer: {} diff --git a/bundle/manifests/kepler-operator.clusterserviceversion.yaml b/bundle/manifests/kepler-operator.clusterserviceversion.yaml index 1c8f6d28..20437377 100644 --- a/bundle/manifests/kepler-operator.clusterserviceversion.yaml +++ b/bundle/manifests/kepler-operator.clusterserviceversion.yaml 
@@ -27,7 +27,7 @@ metadata: capabilities: Basic Install categories: Monitoring containerImage: quay.io/sustainable_computing_io/kepler-operator:0.10.0 - createdAt: "2024-01-16T09:18:34Z" + createdAt: "2024-02-15T04:47:16Z" description: 'Deploys and Manages Kepler on Kubernetes ' operators.operatorframework.io/builder: operator-sdk-v1.27.0 operators.operatorframework.io/internal-objects: |- @@ -270,6 +270,9 @@ spec: periodSeconds: 20 name: manager ports: + - containerPort: 9443 + name: webhook-server + protocol: TCP - containerPort: 8080 name: metrics protocol: TCP @@ -291,6 +294,10 @@ spec: capabilities: drop: - ALL + volumeMounts: + - mountPath: /tmp/k8s-webhook-server/serving-certs + name: cert + readOnly: true securityContext: runAsNonRoot: true serviceAccountName: kepler-operator-controller-manager 
@@ -366,3 +373,55 @@ spec: name: kepler replaces: kepler-operator.v0.9.2 version: 0.10.0 + webhookdefinitions: + - admissionReviewVersions: + - v1 + containerPort: 443 + conversionCRDs: + - keplers.kepler.system.sustainable.computing.io + deploymentName: kepler-operator-controller + generateName: ckeplers.kb.io + sideEffects: None + targetPort: 9443 + type: ConversionWebhook + webhookPath: /convert + - admissionReviewVersions: + - v1 + containerPort: 443 + deploymentName: kepler-operator-controller + failurePolicy: Fail + generateName: mkepler.kb.io + rules: + - apiGroups: + - kepler.system.sustainable.computing.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - keplers + sideEffects: None + targetPort: 9443 + type: MutatingAdmissionWebhook + webhookPath: /mutate-kepler-system-sustainable-computing-io-v1alpha1-kepler + - admissionReviewVersions: + - v1 + containerPort: 443 + deploymentName: kepler-operator-controller + failurePolicy: Fail + generateName: vkepler.kb.io + rules: + - apiGroups: + - kepler.system.sustainable.computing.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - keplers + sideEffects: None + targetPort: 9443 + type: ValidatingAdmissionWebhook + webhookPath: /validate-kepler-system-sustainable-computing-io-v1alpha1-kepler diff --git a/bundle/manifests/kepler.system.sustainable.computing.io_keplers.yaml b/bundle/manifests/kepler.system.sustainable.computing.io_keplers.yaml index b60f6bcf..4204d599 100644 --- a/bundle/manifests/kepler.system.sustainable.computing.io_keplers.yaml +++ b/bundle/manifests/kepler.system.sustainable.computing.io_keplers.yaml 
@@ -6,6 +6,16 @@ metadata: creationTimestamp: null name: keplers.kepler.system.sustainable.computing.io spec: + conversion: + strategy: Webhook + webhook: + clientConfig: + service: + name: kepler-operator-webhook-service + namespace: kepler-operator-system + path: /convert + conversionReviewVersions: + - v1 group: kepler.system.sustainable.computing.io names: kind: Kepler diff --git a/cmd/manager/main.go b/cmd/manager/main.go index cfab734b..7206982f 100644 --- a/cmd/manager/main.go +++ b/cmd/manager/main.go @@ -18,6 +18,7 @@ package main import ( "flag" + "fmt" "os" "strings" @@ -169,6 +170,15 @@ func main() { setupLog.Error(err, "unable to create controller", "controller", "kepler-internal") os.Exit(1) } + + // Setup webhooks + if os.Getenv("ENABLE_WEBHOOKS") != "false" { + if err = setupWebhooks(mgr); err != nil { + setupLog.Error(err, "unable to create webhook") + os.Exit(1) + } + } + //+kubebuilder:scaffold:builder if err := mgr.AddHealthzCheck("healthz", healthz.Ping); err != nil { @@ -186,3 +196,10 @@ func main() { os.Exit(1) } } + +func setupWebhooks(mgr ctrl.Manager) error { + if err := (&keplersystemv1alpha1.Kepler{}).SetupWebhookWithManager(mgr); err != nil { + return fmt.Errorf("unable to create webhook: %v", err) + } + return nil +} diff --git a/config/certmanager/certificate.yaml b/config/certmanager/certificate.yaml new file mode 100644 index 00000000..92b36798 --- /dev/null +++ b/config/certmanager/certificate.yaml 
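Review bot: `setupWebhooks` in cmd/manager/main.go formats the underlying error with `%v`, which drops the error chain, and repeats the message that `main` already logs; prefer `return fmt.Errorf("setting up kepler webhook: %w", err)`. Separately, the `ENABLE_WEBHOOKS` check turns off only the serving side: the webhook configurations added in config/webhook/manifests.yaml use `failurePolicy: Fail`, so a manager started with `ENABLE_WEBHOOKS=false` while those configurations are still registered would presumably cause every CREATE and UPDATE of `keplers` to be rejected. A comment above the check such as `// ENABLE_WEBHOOKS=false is only safe when the webhook configurations are not installed in the cluster` would record that. The body of `main` continues outside these hunks.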
@@ -0,0 +1,39 @@
+# The following manifests contain a self-signed issuer CR and a certificate CR.
+# More document can be found at https://docs.cert-manager.io
+# WARNING: Targets CertManager v1.0. Check https://cert-manager.io/docs/installation/upgrading/ for breaking changes.
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+ labels:
+ app.kubernetes.io/name: issuer
+ app.kubernetes.io/instance: selfsigned-issuer
+ app.kubernetes.io/component: certificate
+ app.kubernetes.io/created-by: kepler-operator
+ app.kubernetes.io/part-of: kepler-operator
+ app.kubernetes.io/managed-by: kustomize
+ name: selfsigned-issuer
+ namespace: system
+spec:
+ selfSigned: {}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ labels:
+ app.kubernetes.io/name: certificate
+ app.kubernetes.io/instance: serving-cert
+ app.kubernetes.io/component: certificate
+ app.kubernetes.io/created-by: kepler-operator
+ app.kubernetes.io/part-of: kepler-operator
+ app.kubernetes.io/managed-by: kustomize
+ name: serving-cert # this name should match the one appeared in kustomizeconfig.yaml
+ namespace: system
+spec:
+ # $(SERVICE_NAME) and $(SERVICE_NAMESPACE) will be substituted by kustomize
+ dnsNames:
+ - $(SERVICE_NAME).$(SERVICE_NAMESPACE).svc
+ - $(SERVICE_NAME).$(SERVICE_NAMESPACE).svc.cluster.local
+ issuerRef:
+ kind: Issuer
+ name: selfsigned-issuer
+ secretName: webhook-server-cert # this secret will not be prefixed, since it's not managed by kustomize
diff --git a/config/certmanager/kustomization.yaml b/config/certmanager/kustomization.yaml
new file mode 100644
index 00000000..bebea5a5
--- /dev/null
+++ b/config/certmanager/kustomization.yaml
@@ -0,0 +1,5 @@
+resources:
+- certificate.yaml
+
+configurations:
+- kustomizeconfig.yaml
diff --git a/config/certmanager/kustomizeconfig.yaml b/config/certmanager/kustomizeconfig.yaml
new file mode 100644
index 00000000..90d7c313
--- /dev/null
+++ b/config/certmanager/kustomizeconfig.yaml
@@ -0,0 +1,16 @@ +# This configuration is for teaching kustomize how to update name ref and var substitution +nameReference: +- kind: Issuer + group: cert-manager.io + fieldSpecs: + - kind: Certificate + group: cert-manager.io + path: spec/issuerRef/name + +varReference: +- kind: Certificate + group: cert-manager.io + path: spec/commonName +- kind: Certificate + group: cert-manager.io + path: spec/dnsNames diff --git a/config/crd/kustomization.yaml b/config/crd/kustomization.yaml index fdf1da23..4d4f6536 100644 --- a/config/crd/kustomization.yaml +++ b/config/crd/kustomization.yaml @@ -9,7 +9,7 @@ resources: patchesStrategicMerge: # [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix. # patches here are for enabling the conversion webhook for each CRD -#- patches/webhook_in_keplers.yaml +- patches/webhook_in_keplers.yaml #+kubebuilder:scaffold:crdkustomizewebhookpatch # [CERTMANAGER] To enable cert-manager, uncomment all the sections with [CERTMANAGER] prefix. diff --git a/config/default/kustomization.yaml b/config/default/kustomization.yaml index 412302b5..fa298e61 100644 --- a/config/default/kustomization.yaml +++ b/config/default/kustomization.yaml @@ -18,7 +18,7 @@ bases: - ../manager # [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in # crd/kustomization.yaml -#- ../webhook +- ../webhook # [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER'. 'WEBHOOK' components are required. #- ../certmanager # [PROMETHEUS] To enable prometheus monitor, uncomment all sections with 'PROMETHEUS'. 
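Review bot: In config/default/kustomization.yaml `- ../webhook` is enabled here, and `- manager_webhook_patch.yaml` in the next hunk of the same file, but `#- ../certmanager` stays commented out and nothing visible in the commit enables `webhookcainjection_patch.yaml`. manager_webhook_patch.yaml mounts the secret `webhook-server-cert`, which only the Certificate in config/certmanager would create, so a plain `config/default` deployment appears to end up with a manager pod that cannot mount its serving certificate and with webhook configurations that carry no CA bundle. If installs outside OLM are supported, the `[CERTMANAGER]` sections need enabling as well; if only OLM is supported, a comment next to `- ../webhook` such as `# certs are provided by OLM; config/default alone does not provision them` would make that explicit.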
@@ -34,7 +34,7 @@ patchesStrategicMerge: # [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in # crd/kustomization.yaml -#- manager_webhook_patch.yaml +- manager_webhook_patch.yaml # [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER'. # Uncomment 'CERTMANAGER' sections in crd/kustomization.yaml to enable the CA injection in the admission webhooks. diff --git a/config/default/manager_webhook_patch.yaml b/config/default/manager_webhook_patch.yaml new file mode 100644 index 00000000..1c378047 --- /dev/null +++ b/config/default/manager_webhook_patch.yaml @@ -0,0 +1,25 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: controller + namespace: system +spec: + template: + spec: + containers: + - name: manager + ports: + - containerPort: 9443 + name: webhook-server + protocol: TCP + volumeMounts: + - mountPath: /tmp/k8s-webhook-server/serving-certs + name: cert + readOnly: true + # NOTE: this will be removed by the manager kustomization.yaml + # since OLM will add the volume + volumes: + - name: cert + secret: + defaultMode: 420 + secretName: webhook-server-cert diff --git a/config/default/webhookcainjection_patch.yaml b/config/default/webhookcainjection_patch.yaml new file mode 100644 index 00000000..f992f958 --- /dev/null +++ b/config/default/webhookcainjection_patch.yaml 
@@ -0,0 +1,29 @@
+# This patch add annotation to admission webhook config and
+# the variables $(CERTIFICATE_NAMESPACE) and $(CERTIFICATE_NAME) will be substituted by kustomize.
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+ labels:
+ app.kubernetes.io/name: mutatingwebhookconfiguration
+ app.kubernetes.io/instance: mutating-webhook-configuration
+ app.kubernetes.io/component: webhook
+ app.kubernetes.io/created-by: kepler-operator
+ app.kubernetes.io/part-of: kepler-operator
+ app.kubernetes.io/managed-by: kustomize
+ name: mutating-webhook-configuration
+ annotations:
+ cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME)
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+ labels:
+ app.kubernetes.io/name: validatingwebhookconfiguration
+ app.kubernetes.io/instance: validating-webhook-configuration
+ app.kubernetes.io/component: webhook
+ app.kubernetes.io/created-by: kepler-operator
+ app.kubernetes.io/part-of: kepler-operator
+ app.kubernetes.io/managed-by: kustomize
+ name: validating-webhook-configuration
+ annotations:
+ cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME)
diff --git a/config/manifests/kustomization.yaml b/config/manifests/kustomization.yaml
index e3dbc982..596609d1 100644
--- a/config/manifests/kustomization.yaml
+++ b/config/manifests/kustomization.yaml
@@ -9,19 +9,19 @@ resources: # [WEBHOOK] To enable webhooks, uncomment all the sections with [WEBHOOK] prefix. # Do NOT uncomment sections with prefix [CERTMANAGER], as OLM does not support cert-manager. # These patches remove the unnecessary "cert" volume and its manager container volumeMount. -#patchesJson6902: -#- target: -# group: apps -# version: v1 -# kind: Deployment -# name: controller-manager -# namespace: system -# patch: |- -# # Remove the manager container's "cert" volumeMount, since OLM will create and mount a set of certs. -# # Update the indices in this path if adding or removing containers/volumeMounts in the manager's Deployment. -# - op: remove -# path: /spec/template/spec/containers/1/volumeMounts/0 -# # Remove the "cert" volume, since OLM will create and mount a set of certs. -# # Update the indices in this path if adding or removing volumes in the manager's Deployment. -# - op: remove -# path: /spec/template/spec/volumes/0 +patchesJson6902: +- target: + group: apps + version: v1 + kind: Deployment + name: controller-manager + namespace: system + patch: |- + # Remove the manager container's "cert" volumeMount, since OLM will create and mount a set of certs. + # Update the indices in this path if adding or removing containers/volumeMounts in the manager's Deployment. + - op: remove + path: /spec/template/spec/containers/0/volumeMounts/0 + # Remove the "cert" volume, since OLM will create and mount a set of certs. + # Update the indices in this path if adding or removing volumes in the manager's Deployment. + - op: remove + path: /spec/template/spec/volumes/0 diff --git a/config/webhook/kustomization.yaml b/config/webhook/kustomization.yaml new file mode 100644 index 00000000..9cf26134 --- /dev/null +++ b/config/webhook/kustomization.yaml @@ -0,0 +1,6 @@ +resources: +- manifests.yaml +- service.yaml + +configurations: +- kustomizeconfig.yaml 
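Review bot: The JSON patch in config/manifests/kustomization.yaml targets a Deployment with `name: controller-manager`, while manager_webhook_patch.yaml in this same commit patches the Deployment `name: controller`, and the generated CSV uses `deploymentName: kepler-operator-controller`. The regenerated CSV still contains the `cert` volumeMount at `/tmp/k8s-webhook-server/serving-certs`, which suggests the `op: remove` on `/spec/template/spec/containers/0/volumeMounts/0` is not taking effect; please confirm that the target matches, probably by changing it to `name: controller`. The removals are also purely index-based, so if they do start matching they drop whatever sits at index 0; if the kustomize version in use supports it, a preceding `- op: test` on the entry's `name` would make the build fail instead of silently removing a different mount.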
diff --git a/config/webhook/kustomizeconfig.yaml b/config/webhook/kustomizeconfig.yaml
new file mode 100644
index 00000000..25e21e3c
--- /dev/null
+++ b/config/webhook/kustomizeconfig.yaml
@@ -0,0 +1,25 @@
+# the following config is for teaching kustomize where to look at when substituting vars.
+# It requires kustomize v2.1.0 or newer to work properly.
+nameReference:
+- kind: Service
+ version: v1
+ fieldSpecs:
+ - kind: MutatingWebhookConfiguration
+ group: admissionregistration.k8s.io
+ path: webhooks/clientConfig/service/name
+ - kind: ValidatingWebhookConfiguration
+ group: admissionregistration.k8s.io
+ path: webhooks/clientConfig/service/name
+
+namespace:
+- kind: MutatingWebhookConfiguration
+ group: admissionregistration.k8s.io
+ path: webhooks/clientConfig/service/namespace
+ create: true
+- kind: ValidatingWebhookConfiguration
+ group: admissionregistration.k8s.io
+ path: webhooks/clientConfig/service/namespace
+ create: true
+
+varReference:
+- path: metadata/annotations
diff --git a/config/webhook/manifests.yaml b/config/webhook/manifests.yaml
new file mode 100644
index 00000000..84d59a3a
--- /dev/null
+++ b/config/webhook/manifests.yaml
@@ -0,0 +1,52 @@
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+ name: mutating-webhook-configuration
+webhooks:
+- admissionReviewVersions:
+ - v1
+ clientConfig:
+ service:
+ name: webhook-service
+ namespace: system
+ path: /mutate-kepler-system-sustainable-computing-io-v1alpha1-kepler
+ failurePolicy: Fail
+ name: mkepler.kb.io
+ rules:
+ - apiGroups:
+ - kepler.system.sustainable.computing.io
+ apiVersions:
+ - v1alpha1
+ operations:
+ - CREATE
+ - UPDATE
+ resources:
+ - keplers
+ sideEffects: None
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+ name: validating-webhook-configuration
+webhooks:
+- admissionReviewVersions:
+ - v1
+ clientConfig:
+ service:
+ name: webhook-service
+ namespace: system
+ path: /validate-kepler-system-sustainable-computing-io-v1alpha1-kepler
+ failurePolicy: Fail
+ name: vkepler.kb.io
+ rules:
+ - apiGroups:
+ - kepler.system.sustainable.computing.io
+ apiVersions:
+ - v1alpha1
+ operations:
+ - CREATE
+ - UPDATE
+ resources:
+ - keplers
+ sideEffects: None
diff --git a/config/webhook/service.yaml b/config/webhook/service.yaml
new file mode 100644
index 00000000..65b196ae
--- /dev/null
+++ b/config/webhook/service.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Service
+metadata:
+ labels:
+ app.kubernetes.io/name: service
+ app.kubernetes.io/instance: webhook-service
+ app.kubernetes.io/component: webhook
+ app.kubernetes.io/created-by: kepler-operator
+ app.kubernetes.io/part-of: kepler-operator
+ app.kubernetes.io/managed-by: kustomize
+ name: webhook-service
+ namespace: system
+spec:
+ ports:
+ - port: 443
+ protocol: TCP
+ targetPort: 9443
+ selector:
+ app.kubernetes.io/component: manager
+ app.kubernetes.io/instance: controller-manager
+ app.kubernetes.io/part-of: kepler-operator
diff --git a/pkg/api/v1alpha1/kepler_webhook.go b/pkg/api/v1alpha1/kepler_webhook.go
new file mode 100644
index 00000000..e5dd6bdb
--- /dev/null
+++ b/pkg/api/v1alpha1/kepler_webhook.go 
@@ -0,0 +1,84 @@
+/*
+Copyright 2023.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha1
+
+import (
+ "fmt"
+
+ apierrors "k8s.io/apimachinery/pkg/api/errors"
+ "k8s.io/apimachinery/pkg/runtime"
+ ctrl "sigs.k8s.io/controller-runtime"
+ logf "sigs.k8s.io/controller-runtime/pkg/log"
+ "sigs.k8s.io/controller-runtime/pkg/webhook"
+ "sigs.k8s.io/controller-runtime/pkg/webhook/admission"
+)
+
+const (
+ KeplerInstanceName = "kepler"
+)
+
+// log is for logging in this package.
+var keplerlog = logf.Log.WithName("kepler-resource")
+
+func (r *Kepler) SetupWebhookWithManager(mgr ctrl.Manager) error {
+ return ctrl.NewWebhookManagedBy(mgr).
+ For(r).
+ Complete()
+}
+
+//+kubebuilder:webhook:path=/mutate-kepler-system-sustainable-computing-io-v1alpha1-kepler,mutating=true,failurePolicy=fail,sideEffects=None,groups=kepler.system.sustainable.computing.io,resources=keplers,verbs=create;update,versions=v1alpha1,name=mkepler.kb.io,admissionReviewVersions=v1
+
+var _ webhook.Defaulter = &Kepler{}
+
+// Default implements webhook.Defaulter so a webhook will be registered for the type
+func (r *Kepler) Default() {
+ keplerlog.Info("default", "name", r.Name)
+
+ // TODO(user): fill in your defaulting logic.
+}
+
+// TODO(user): change verbs to "verbs=create;update;delete" if you want to enable deletion validation.
+//+kubebuilder:webhook:path=/validate-kepler-system-sustainable-computing-io-v1alpha1-kepler,mutating=false,failurePolicy=fail,sideEffects=None,groups=kepler.system.sustainable.computing.io,resources=keplers,verbs=create;update,versions=v1alpha1,name=vkepler.kb.io,admissionReviewVersions=v1 + +var _ webhook.Validator = &Kepler{} + +// ValidateCreate implements webhook.Validator so a webhook will be registered for the type +func (r *Kepler) ValidateCreate() (admission.Warnings, error) { + keplerlog.Info("validate create", "name", r.Name) + if r.Name != KeplerInstanceName { + return nil, apierrors.NewBadRequest(fmt.Sprintf("invalid name %q; name must be %q", r.Name, KeplerInstanceName)) + } + + // TODO(user): fill in your validation logic upon object creation. + return nil, nil +} + +// ValidateUpdate implements webhook.Validator so a webhook will be registered for the type +func (r *Kepler) ValidateUpdate(old runtime.Object) (admission.Warnings, error) { + keplerlog.Info("validate update", "name", r.Name) + + // TODO(user): fill in your validation logic upon object update. + return nil, nil +} + +// ValidateDelete implements webhook.Validator so a webhook will be registered for the type +func (r *Kepler) ValidateDelete() (admission.Warnings, error) { + keplerlog.Info("validate delete", "name", r.Name) + + // TODO(user): fill in your validation logic upon object deletion. + return nil, nil +} diff --git a/pkg/api/v1alpha1/zz_generated.deepcopy.go b/pkg/api/v1alpha1/zz_generated.deepcopy.go index 6b650b2d..821d301f 100644 --- a/pkg/api/v1alpha1/zz_generated.deepcopy.go +++ b/pkg/api/v1alpha1/zz_generated.deepcopy.go @@ -23,7 +23,7 @@ package v1alpha1 import ( "k8s.io/api/core/v1" - runtime "k8s.io/apimachinery/pkg/runtime" + "k8s.io/apimachinery/pkg/runtime" ) // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
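Review bot: `Default()` in pkg/api/v1alpha1/kepler_webhook.go only logs, yet the `/mutate-…` marker registers it as a mutating webhook with `failurePolicy=fail`, so every CREATE and UPDATE of `keplers` depends on an extra admission call that changes nothing. I would drop `var _ webhook.Defaulter = &Kepler{}`, `Default()` and the mutating marker until real defaulting exists, which also removes the matching `MutatingWebhookConfiguration` entry. `ValidateDelete` is never called because the validating marker lists `verbs=create;update`, and the remaining scaffold `TODO(user)` comments can go. The exported `KeplerInstanceName` and `SetupWebhookWithManager` have no doc comments (for example `// KeplerInstanceName is the only name a Kepler resource may have.`), and `// log is for logging in this package.` describes a variable that is actually named `keplerlog`.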
diff --git a/pkg/controllers/kepler.go b/pkg/controllers/kepler.go index 2b10f480..c7d4f13d 100644 --- a/pkg/controllers/kepler.go +++ b/pkg/controllers/kepler.go @@ -84,8 +84,9 @@ func (r *KeplerReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctr return ctrl.Result{}, nil } - // TODO: have admission webhook decline all but `kepler` instance - if kepler.Name != "kepler" { + // NOTE: validating webhook should ensure that this isn't possible, however, + // if the webhook is removed, we should mark the instance as invalid. + if kepler.Name != v1alpha1.KeplerInstanceName { return r.setInvalidStatus(ctx, req) }
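Review bot: The new NOTE in `Reconcile` names only removal of the webhook as the way a wrongly named instance can reach the reconciler, but this commit also allows the manager to start with `ENABLE_WEBHOOKS=false`, and objects created before the webhook was installed are not re-validated, since `ValidateUpdate` does not check the name. I would widen the comment to `// NOTE: the validating webhook normally rejects other names, but it can be disabled (ENABLE_WEBHOOKS=false), removed, or postdate the object, so keep marking such instances as invalid.` Keeping this check as a second layer is the right call. `Reconcile` starts and ends outside the hunk.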