
Source file src/k8s.io/kubernetes/pkg/registry/admissionregistration/validatingadmissionpolicybinding/strategy.go


     1  /*
     2  Copyright 2022 The Kubernetes Authors.
     3  
     4  Licensed under the Apache License, Version 2.0 (the "License");
     5  you may not use this file except in compliance with the License.
     6  You may obtain a copy of the License at
     7  
     8      http://www.apache.org/licenses/LICENSE-2.0
     9  
    10  Unless required by applicable law or agreed to in writing, software
    11  distributed under the License is distributed on an "AS IS" BASIS,
    12  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    13  See the License for the specific language governing permissions and
    14  limitations under the License.
    15  */
    16  
    17  package validatingadmissionpolicybinding
    18  
    19  import (
    20  	"context"
    21  
    22  	apiequality "k8s.io/apimachinery/pkg/api/equality"
    23  	"k8s.io/apimachinery/pkg/runtime"
    24  	"k8s.io/apimachinery/pkg/util/validation/field"
    25  	"k8s.io/apiserver/pkg/authorization/authorizer"
    26  	"k8s.io/apiserver/pkg/storage/names"
    27  	"k8s.io/kubernetes/pkg/api/legacyscheme"
    28  	"k8s.io/kubernetes/pkg/apis/admissionregistration"
    29  	"k8s.io/kubernetes/pkg/apis/admissionregistration/validation"
    30  	"k8s.io/kubernetes/pkg/registry/admissionregistration/resolver"
    31  )
    32  
// validatingAdmissionPolicyBindingStrategy implements verification logic for ValidatingAdmissionPolicyBinding.
//
// Instances are built by NewStrategy. The three unexported fields are stored for the paramRef
// authorization that Validate and ValidateUpdate trigger via authorizeCreate/authorizeUpdate
// (those helpers are defined elsewhere in this package, so how each field is consulted is not
// visible here).
type validatingAdmissionPolicyBindingStrategy struct {
	runtime.ObjectTyper
	names.NameGenerator
	// authorizer is the API server's authorizer; presumably used to decide whether the requesting
	// user may reference the binding's paramRef — confirm in authorizeCreate/authorizeUpdate.
	authorizer authorizer.Authorizer
	// policyGetter resolves the cluster-scoped ValidatingAdmissionPolicy a binding names.
	policyGetter PolicyGetter
	// resourceResolver maps a paramRef's kind to a resource; usage lives outside this file.
	resourceResolver resolver.ResourceResolver
}
    41  
// PolicyGetter looks up ValidatingAdmissionPolicy objects by name. It is the only dependency the
// strategy needs for following a binding's policyName reference.
type PolicyGetter interface {
	// GetValidatingAdmissionPolicy returns the ValidatingAdmissionPolicy with the given name.
	// There is no namespace argument because ValidatingAdmissionPolicy is cluster-scoped.
	// Implementations return an error when the policy cannot be retrieved (not-found included).
	GetValidatingAdmissionPolicy(ctx context.Context, name string) (*admissionregistration.ValidatingAdmissionPolicy, error)
}
    47  
// NewStrategy is the default logic that applies when creating and updating ValidatingAdmissionPolicyBinding objects.
//
// The returned strategy types objects against legacyscheme.Scheme and generates names with
// names.SimpleNameGenerator. authorizer, policyGetter and resourceResolver are stored as given —
// no nil checks are performed here — for use by the paramRef authorization helpers that
// Validate and ValidateUpdate call (defined elsewhere in this package).
func NewStrategy(authorizer authorizer.Authorizer, policyGetter PolicyGetter, resourceResolver resolver.ResourceResolver) *validatingAdmissionPolicyBindingStrategy {
	s := &validatingAdmissionPolicyBindingStrategy{
		ObjectTyper:   legacyscheme.Scheme,
		NameGenerator: names.SimpleNameGenerator,
	}
	s.authorizer = authorizer
	s.policyGetter = policyGetter
	s.resourceResolver = resourceResolver
	return s
}
    58  
// NamespaceScoped reports whether ValidatingAdmissionPolicyBinding objects live in a namespace.
// They are cluster-scoped, so this always returns false.
func (v *validatingAdmissionPolicyBindingStrategy) NamespaceScoped() bool {
	return false
}
    63  
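// PrepareForCreate sets server-managed fields on a new ValidatingAdmissionPolicyBinding before it
// is persisted. The binding's metadata.generation is forced to 1, overriding whatever the client
// supplied; nothing else is modified here.
//
// obj must be an *admissionregistration.ValidatingAdmissionPolicyBinding; the type assertion
// panics otherwise (the registry hands this strategy only objects of that type).
func (v *validatingAdmissionPolicyBindingStrategy) PrepareForCreate(ctx context.Context, obj runtime.Object) {
	binding := obj.(*admissionregistration.ValidatingAdmissionPolicyBinding)
	// Generation starts at 1 for every newly created object, regardless of the request body.
	binding.Generation = 1
}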
    69  
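// PrepareForUpdate adjusts server-managed fields on a ValidatingAdmissionPolicyBinding before an
// update is persisted. The only field touched is metadata.generation, which is incremented when
// the spec changed; a metadata-only update leaves it alone. See metav1.ObjectMeta for more
// information on Generation.
//
// NOTE(review): this relies on the generic update path having already reset the incoming
// object's Generation to the stored value before calling here, so a client cannot choose an
// arbitrary Generation when the spec is unchanged — that reset happens outside this file;
// confirm against the apiserver's BeforeUpdate handling.
//
// Both obj and old must be *admissionregistration.ValidatingAdmissionPolicyBinding; the type
// assertions panic otherwise.
func (v *validatingAdmissionPolicyBindingStrategy) PrepareForUpdate(ctx context.Context, obj, old runtime.Object) {
	newBinding := obj.(*admissionregistration.ValidatingAdmissionPolicyBinding)
	oldBinding := old.(*admissionregistration.ValidatingAdmissionPolicyBinding)

	// Semantic equality ignores representation-only differences (e.g. resource quantities),
	// so such differences do not count as a spec change.
	if apiequality.Semantic.DeepEqual(oldBinding.Spec, newBinding.Spec) {
		return
	}
	newBinding.Generation = oldBinding.Generation + 1
}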
    82  
// Validate checks a ValidatingAdmissionPolicyBinding that is about to be created.
//
// Structural validation runs first. Only when it yields no errors is the paramRef authorization
// (authorizeCreate, defined elsewhere in this package) attempted; an authorization failure is
// reported as a Forbidden error on spec.paramRef carrying the error's text. Structural errors
// therefore take precedence and the authorization outcome is not computed for a malformed object.
//
// obj must be an *admissionregistration.ValidatingAdmissionPolicyBinding; the type assertion
// panics otherwise.
func (v *validatingAdmissionPolicyBindingStrategy) Validate(ctx context.Context, obj runtime.Object) field.ErrorList {
	binding := obj.(*admissionregistration.ValidatingAdmissionPolicyBinding)
	errs := validation.ValidateValidatingAdmissionPolicyBinding(binding)
	if len(errs) > 0 {
		return errs
	}
	// Well-formed object: also check that the requester may use the referenced params.
	if err := v.authorizeCreate(ctx, obj); err != nil {
		return append(errs, field.Forbidden(field.NewPath("spec", "paramRef"), err.Error()))
	}
	return errs
}
    94  
// WarningsOnCreate returns the warnings to attach to a create response for obj.
// No warnings are produced for ValidatingAdmissionPolicyBinding; the result is always nil.
func (v *validatingAdmissionPolicyBindingStrategy) WarningsOnCreate(ctx context.Context, obj runtime.Object) []string {
	var warnings []string
	return warnings
}
    99  
// Canonicalize normalizes the object after validation. ValidatingAdmissionPolicyBinding needs no
// normalization, so obj is left exactly as received.
func (v *validatingAdmissionPolicyBindingStrategy) Canonicalize(obj runtime.Object) {
	// Intentionally empty: nothing to canonicalize for this resource.
}
   103  
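// AllowCreateOnUpdate returns false for ValidatingAdmissionPolicyBinding: a PUT addressed to a
// name that does not yet exist is rejected rather than creating the object. (The previous
// comment said "true"; the code has always returned false.)
func (v *validatingAdmissionPolicyBindingStrategy) AllowCreateOnUpdate() bool {
	return false
}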
   108  
// ValidateUpdate checks an end-user update of a ValidatingAdmissionPolicyBinding against the
// stored object.
//
// Structural update validation runs first. Only when it yields no errors is the paramRef
// authorization (authorizeUpdate, defined elsewhere in this package) attempted; an authorization
// failure is reported as a Forbidden error on spec.paramRef carrying the error's text.
//
// Both obj and old must be *admissionregistration.ValidatingAdmissionPolicyBinding; the type
// assertions panic otherwise.
func (v *validatingAdmissionPolicyBindingStrategy) ValidateUpdate(ctx context.Context, obj, old runtime.Object) field.ErrorList {
	newBinding := obj.(*admissionregistration.ValidatingAdmissionPolicyBinding)
	oldBinding := old.(*admissionregistration.ValidatingAdmissionPolicyBinding)
	errs := validation.ValidateValidatingAdmissionPolicyBindingUpdate(newBinding, oldBinding)
	if len(errs) > 0 {
		return errs
	}
	// Well-formed update: also check that the requester may use the referenced params.
	if err := v.authorizeUpdate(ctx, obj, old); err != nil {
		return append(errs, field.Forbidden(field.NewPath("spec", "paramRef"), err.Error()))
	}
	return errs
}
   120  
// WarningsOnUpdate returns the warnings to attach to an update response.
// No warnings are produced for ValidatingAdmissionPolicyBinding; the result is always nil.
func (v *validatingAdmissionPolicyBindingStrategy) WarningsOnUpdate(ctx context.Context, obj, old runtime.Object) []string {
	var warnings []string
	return warnings
}
   125  
// AllowUnconditionalUpdate returns false for ValidatingAdmissionPolicyBinding. Per the update
// strategy contract this means an update request that omits resourceVersion is not applied
// blindly over the stored object; the version must be supplied and match.
func (v *validatingAdmissionPolicyBindingStrategy) AllowUnconditionalUpdate() bool {
	return false
}
   131  
