Merge pull request #250 from thatmidwesterncoder/add_validation_for_n…

…odedriver Add Validation on NodeDriver update/delete to prevent machine deletion
rancher · Jun 30, 2023 · c977cf2 · c977cf2
2 parents 56151d6 + 0a8256b
commit c977cf2
Show file tree

Hide file tree

Showing 13 changed files with 913 additions and 6 deletions.
diff --git a/docs.md b/docs.md
@@ -69,6 +69,16 @@ Users can only create/update GlobalRoleBindings with rights less than or equal t
 
 GlobalRoleBindings must refer to a valid global role (i.e. an existing `GlobalRole` object in the `management.cattle.io/v3` apiGroup).
 
+## NodeDriver 
+
+### Validation Checks
+
+Note: checks only run if a node driver is being disabled or deleted
+
+#### Machine Deletion Prevention
+
+This admission webhook prevents the disabling or deletion of a NodeDriver if there are any Nodes that are under management by said driver. If there are _any_ nodes that use the driver the request will be denied.
+
 ## ProjectRoleTemplateBinding 
 
 ### Validation Checks

diff --git a/pkg/admission/admission_test.go b/pkg/admission/admission_test.go
@@ -371,7 +371,7 @@ func (f *fakeValidatingAdmissionHandler) Operations() []v1.OperationType {
 	return f.operations
 }
 
-func (f *fakeValidatingAdmissionHandler) ValidatingWebhook(clientConfig v1.WebhookClientConfig) []v1.ValidatingWebhook {
+func (f *fakeValidatingAdmissionHandler) ValidatingWebhook(_ v1.WebhookClientConfig) []v1.ValidatingWebhook {
 	return nil
 }
 
@@ -401,7 +401,7 @@ func (f *fakeMutatingAdmissionHandler) Admit(req *admission.Request) (*admission
 	return f.admitter.Admit(req)
 }
 
-func (f *fakeMutatingAdmissionHandler) MutatingWebhook(clientConfig v1.WebhookClientConfig) []v1.MutatingWebhook {
+func (f *fakeMutatingAdmissionHandler) MutatingWebhook(_ v1.WebhookClientConfig) []v1.MutatingWebhook {
 	return nil
 }
 
@@ -410,6 +410,6 @@ type fakeAdmitter struct {
 	err      error
 }
 
-func (f *fakeAdmitter) Admit(req *admission.Request) (*admissionv1.AdmissionResponse, error) {
+func (f *fakeAdmitter) Admit(_ *admission.Request) (*admissionv1.AdmissionResponse, error) {
 	return &f.response, f.err
 }
diff --git a/pkg/codegen/main.go b/pkg/codegen/main.go
@@ -40,6 +40,7 @@ func main() {
 					v3.RoleTemplate{},
 					v3.ClusterRoleTemplateBinding{},
 					v3.ProjectRoleTemplateBinding{},
+					v3.Node{},
 				},
 			},
 			"provisioning.cattle.io": {
@@ -63,6 +64,7 @@ func main() {
 				&v3.GlobalRoleBinding{},
 				&v3.RoleTemplate{},
 				&v3.ProjectRoleTemplateBinding{},
+				&v3.NodeDriver{},
 			},
 		},
 		"provisioning.cattle.io": {

diff --git a/pkg/fakes/NodeDriverCache.go b/pkg/fakes/NodeDriverCache.go
diff --git a/pkg/fakes/generator.go b/pkg/fakes/generator.go
@@ -10,3 +10,4 @@ package fakes
 //go:generate mockgen --build_flags=--mod=mod -package fakes -destination ./k8Validation.go "k8s.io/kubernetes/pkg/registry/rbac/validation" AuthorizationRuleResolver
 //go:generate mockgen --build_flags=--mod=mod -package fakes -destination ./RoleCache.go github.com/rancher/wrangler/pkg/generated/controllers/rbac/v1 RoleCache,RoleController
 //go:generate mockgen --build_flags=--mod=mod -package fakes -destination ./RoleBindingCache.go github.com/rancher/wrangler/pkg/generated/controllers/rbac/v1 RoleBindingCache,RoleBindingController
+//go:generate mockgen --build_flags=--mod=mod -package fakes -destination ./NodeDriverCache.go github.com/rancher/webhook/pkg/generated/controllers/management.cattle.io/v3 NodeCache
diff --git a/pkg/generated/controllers/management.cattle.io/v3/interface.go b/pkg/generated/controllers/management.cattle.io/v3/interface.go