feat: add resource protection webhook (#2168)

Signed-off-by: hongming <coder.scala@gmail.com>
2025-03-19 12:31:33 +08:00
parent 9fab44d0bf
commit 447bc08639
6 changed files with 108 additions and 0 deletions
--- a/cmd/controller-manager/app/server.go
+++ b/cmd/controller-manager/app/server.go
@@ -40,6 +40,7 @@ import (
 	"kubesphere.io/kubesphere/pkg/controller/loginrecord"
 	"kubesphere.io/kubesphere/pkg/controller/namespace"
 	"kubesphere.io/kubesphere/pkg/controller/quota"
 	"kubesphere.io/kubesphere/pkg/controller/resourceprotection"
 	"kubesphere.io/kubesphere/pkg/controller/role"
 	"kubesphere.io/kubesphere/pkg/controller/rolebinding"
 	"kubesphere.io/kubesphere/pkg/controller/roletemplate"
@@ -120,6 +121,7 @@ func init() {
 	// kubectl
 	runtime.Must(controller.Register(&kubectl.Reconciler{}))
 	runtime.Must(controller.Register(&serviceaccounttoken.Reconciler{}))
 	runtime.Must(controller.Register(&resourceprotection.Webhook{}))
 }
 func NewControllerManagerCommand() *cobra.Command {
--- a/config/ks-core/templates/post-patch-system-ns-job.yaml
+++ b/config/ks-core/templates/post-patch-system-ns-job.yaml
@@ -26,6 +26,7 @@ spec:
              do
                kubectl label ns $ns kubesphere.io/workspace=system-workspace
                kubectl label ns $ns kubesphere.io/managed=true
                kubectl label ns $ns kubesphere.io/protected-resource=true
              done
              kubectl get ns -l 'kubesphere.io/workspace,!kubesphere.io/managed' --no-headers -o custom-columns=NAME:.metadata.name | \
              xargs -I {} kubectl label ns {} kubesphere.io/managed=true
--- a/config/ks-core/templates/webhook.yaml
+++ b/config/ks-core/templates/webhook.yaml
@@ -360,6 +360,51 @@ webhooks:
    sideEffects: None
    timeoutSeconds: 30
 ---
 apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
  name: protector.kubesphere.io
 webhooks:
  - admissionReviewVersions:
      - v1
    clientConfig:
      caBundle: {{ b64enc $ca.Cert | quote }}
      service:
        name: ks-controller-manager
        namespace: {{ .Release.Namespace }}
        path: /resource-protector
        port: 443
    failurePolicy: Ignore
    matchPolicy: Exact
    name: protector.kubesphere.io
    namespaceSelector: {}
    objectSelector:
      matchExpressions:
        - key: kubesphere.io/protected-resource
          operator: Exists
    rules:
      - apiGroups:
          - ""
        apiVersions:
          - v1
        operations:
          - DELETE
        resources:
          - namespaces
        scope: '*'
      - apiGroups:
          - "tenant.kubesphere.io"
        apiVersions:
          - v1beta1
        operations:
          - DELETE
        resources:
          - workspacetemplates
        scope: '*'
    sideEffects: None
    timeoutSeconds: 30
 {{- if eq (include "multicluster.role" .) "host" }}
 ---
 apiVersion: admissionregistration.k8s.io/v1
--- a/config/ks-core/templates/workspace.yaml
+++ b/config/ks-core/templates/workspace.yaml
@@ -2,6 +2,8 @@
 apiVersion: tenant.kubesphere.io/v1beta1
 kind: WorkspaceTemplate
 metadata:
  labels:
    kubesphere.io/protected-resource: 'true'
  annotations:
    kubesphere.io/creator: admin
    kubesphere.io/description: "system-workspace is a built-in workspace automatically created by KubeSphere. It contains all system components to run KubeSphere."
--- a/pkg/constants/constants.go
+++ b/pkg/constants/constants.go
@@ -8,6 +8,7 @@ package constants
 import corev1 "k8s.io/api/core/v1"
 const (
 	SystemWorkspace            = "system-workspace"
 	KubeSystemNamespace        = "kube-system"
 	KubeSphereNamespace        = "kubesphere-system"
 	KubeSphereAPIServerName    = "ks-apiserver"
@@ -15,6 +16,7 @@ const (
 	KubeSphereConfigMapDataKey = "kubesphere.yaml"
 	KubectlPodNamePrefix       = "ks-managed-kubectl"
 	ProtectedResourceLabel        = "kubesphere.io/protected-resource"
 	WorkspaceLabelKey             = "kubesphere.io/workspace"
 	DisplayNameAnnotationKey      = "kubesphere.io/alias-name"
 	DescriptionAnnotationKey      = "kubesphere.io/description"
--- a/pkg/controller/resourceprotection/resource_protection_webhook.go
+++ b/pkg/controller/resourceprotection/resource_protection_webhook.go
@@ -0,0 +1,56 @@
 package resourceprotection
 import (
 	"context"
 	"net/http"
 	admissionv1 "k8s.io/api/admission/v1"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	"k8s.io/apimachinery/pkg/runtime/schema"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/webhook"
 	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
 	"kubesphere.io/kubesphere/pkg/constants"
 	kscontroller "kubesphere.io/kubesphere/pkg/controller"
 )
 const webhookName = "resource-protection-webhook"
 func (w *Webhook) Name() string {
 	return webhookName
 }
 type Webhook struct {
 	client.Client
 }
 func (w *Webhook) SetupWithManager(mgr *kscontroller.Manager) error {
 	w.Client = mgr.GetClient()
 	mgr.GetWebhookServer().Register("/resource-protector", &webhook.Admission{Handler: w})
 	return nil
 }
 func (w *Webhook) Handle(ctx context.Context, req admission.Request) admission.Response {
 	if req.Operation == admissionv1.Delete {
 		gvr := req.RequestResource
 		gvk, err := w.RESTMapper().KindFor(schema.GroupVersionResource{
 			Group:    gvr.Group,
 			Version:  gvr.Version,
 			Resource: gvr.Resource,
 		})
 		if err != nil {
 			return webhook.Errored(http.StatusInternalServerError, err)
 		}
 		obj := &unstructured.Unstructured{}
 		obj.SetGroupVersionKind(gvk)
 		if err = w.Get(ctx, client.ObjectKey{Namespace: req.Namespace, Name: req.Name}, obj); err != nil {
 			return webhook.Errored(http.StatusInternalServerError, err)
 		}
 		if obj.GetLabels()[constants.ProtectedResourceLabel] == "true" {
 			return webhook.Denied("this resource may not be deleted")
 		}
 	}
 	return admission.Allowed("")
 }