Merge pull request #4964 from whitewindmills/validation-on-policy-id

Add validation on policy permanent ID
karmada-io · May 23, 2024 · ef14a98 · ef14a98
2 parents a9f9020 + b7678c9
commit ef14a98
Show file tree

Hide file tree

Showing 4 changed files with 24 additions and 2 deletions.
diff --git a/pkg/webhook/clusterpropagationpolicy/mutating.go b/pkg/webhook/clusterpropagationpolicy/mutating.go
@@ -23,6 +23,7 @@ import (
 	"net/http"
 
 	"github.com/google/uuid"
+	admissionv1 "k8s.io/api/admission/v1"
 	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
 
 	policyv1alpha1 "github.com/karmada-io/karmada/pkg/apis/policy/v1alpha1"
@@ -82,7 +83,7 @@ func (a *MutatingAdmission) Handle(_ context.Context, req admission.Request) adm
 		}
 	}
 
-	if util.GetLabelValue(policy.Labels, policyv1alpha1.ClusterPropagationPolicyPermanentIDLabel) == "" {
+	if req.Operation == admissionv1.Create {
 		util.MergeLabel(policy, policyv1alpha1.ClusterPropagationPolicyPermanentIDLabel, uuid.New().String())
 	}
 

diff --git a/pkg/webhook/clusterpropagationpolicy/validating.go b/pkg/webhook/clusterpropagationpolicy/validating.go
@@ -60,6 +60,16 @@ func (v *ValidatingAdmission) Handle(_ context.Context, req admission.Request) a
 			klog.Error(err)
 			return admission.Denied(err.Error())
 		}
+
+		if policy.Labels[policyv1alpha1.ClusterPropagationPolicyPermanentIDLabel] !=
+			oldPolicy.Labels[policyv1alpha1.ClusterPropagationPolicyPermanentIDLabel] {
+			return admission.Denied(fmt.Sprintf("label %s is immutable, it can only be set by the system during creation",
+				policyv1alpha1.ClusterPropagationPolicyPermanentIDLabel))
+		}
+	}
+	if _, exist := policy.Labels[policyv1alpha1.ClusterPropagationPolicyPermanentIDLabel]; !exist {
+		return admission.Denied(fmt.Sprintf("label %s is required, it should be set by the mutating admission webhook during creation",
+			policyv1alpha1.ClusterPropagationPolicyPermanentIDLabel))
 	}
 
 	errs := validation.ValidatePropagationSpec(policy.Spec)

diff --git a/pkg/webhook/propagationpolicy/mutating.go b/pkg/webhook/propagationpolicy/mutating.go
@@ -23,6 +23,7 @@ import (
 	"net/http"
 
 	"github.com/google/uuid"
+	admissionv1 "k8s.io/api/admission/v1"
 	"k8s.io/klog/v2"
 	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
 
@@ -94,7 +95,7 @@ func (a *MutatingAdmission) Handle(_ context.Context, req admission.Request) adm
 		}
 	}
 
-	if util.GetLabelValue(policy.Labels, policyv1alpha1.PropagationPolicyPermanentIDLabel) == "" {
+	if req.Operation == admissionv1.Create {
 		util.MergeLabel(policy, policyv1alpha1.PropagationPolicyPermanentIDLabel, uuid.New().String())
 	}
 

diff --git a/pkg/webhook/propagationpolicy/validating.go b/pkg/webhook/propagationpolicy/validating.go
@@ -60,6 +60,16 @@ func (v *ValidatingAdmission) Handle(_ context.Context, req admission.Request) a
 			klog.Error(err)
 			return admission.Denied(err.Error())
 		}
+
+		if policy.Labels[policyv1alpha1.PropagationPolicyPermanentIDLabel] !=
+			oldPolicy.Labels[policyv1alpha1.PropagationPolicyPermanentIDLabel] {
+			return admission.Denied(fmt.Sprintf("label %s is immutable, it can only be set by the system during creation",
+				policyv1alpha1.PropagationPolicyPermanentIDLabel))
+		}
+	}
+	if _, exist := policy.Labels[policyv1alpha1.PropagationPolicyPermanentIDLabel]; !exist {
+		return admission.Denied(fmt.Sprintf("label %s is required, it should be set by the mutating admission webhook during creation",
+			policyv1alpha1.PropagationPolicyPermanentIDLabel))
 	}
 
 	errs := validation.ValidatePropagationSpec(policy.Spec)