fix iam admission webhook (#2008)

Signed-off-by: hongming <talonwan@yunify.com>
This commit is contained in:
hongming
2020-04-14 00:15:18 +08:00
committed by GitHub
parent 864b244cc3
commit bb9e12be3d
4 changed files with 37 additions and 13 deletions


@@ -6,4 +6,4 @@ metadata:
name: admin name: admin
spec: spec:
email: admin@kubesphere.io email: admin@kubesphere.io
password: $2a$04$wr/XmTQ99uQpgi335xPyoOM08h34ZQk265pdqHMv5Yw6Xo2vfiO/6 password: P@88w0rd
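Review bot: The sample User manifest now carries the admin password in plaintext, `P@88w0rd`, and depends on the PasswordCipher mutating webhook to bcrypt it at admission; if the webhook is not deployed or the request bypasses it (failurePolicy is outside this view), the plaintext value is what gets persisted in the User object. The manifest should say so, e.g. `# plaintext; hashed by the ks-controller-manager mutating webhook on admission — change before deploying`, since a fixed default credential checked into the repo is otherwise easy to ship as-is. Whether the webhook also runs for this bootstrap object cannot be confirmed from this hunk.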


@@ -1,5 +1,3 @@
---
apiVersion: admissionregistration.k8s.io/v1beta1 apiVersion: admissionregistration.k8s.io/v1beta1
kind: MutatingWebhookConfiguration kind: MutatingWebhookConfiguration
metadata: metadata:
@@ -53,3 +51,19 @@ webhooks:
- UPDATE - UPDATE
resources: resources:
- users - users
---
apiVersion: v1
kind: Service
metadata:
name: webhook-service
namespace: kubesphere-system
spec:
ports:
- port: 443
targetPort: 443
selector:
app: ks-controller-manager
tier: backend
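Review bot: The new Service `webhook-service` in `kubesphere-system` selects `app: ks-controller-manager` on port 443, but the MutatingWebhookConfiguration's `clientConfig.service` reference and `caBundle` are outside the hunk, so it cannot be confirmed here that they point at this name and namespace. A comment on the Service, `# must match clientConfig.service.name/namespace in the MutatingWebhookConfiguration above`, would keep the two from drifting apart. The `targetPort: 443` also presumes the controller-manager container serves TLS on 443 directly; that is inferred, not visible.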


@@ -50,6 +50,7 @@ func Resource(resource string) schema.GroupResource {
func addKnownTypes(scheme *runtime.Scheme) error { func addKnownTypes(scheme *runtime.Scheme) error {
scheme.AddKnownTypes(SchemeGroupVersion, scheme.AddKnownTypes(SchemeGroupVersion,
&User{}, &User{},
&UserList{},
&Role{}, &Role{},
&RoleList{}, &RoleList{},
&RoleBinding{}, &RoleBinding{},


@@ -21,7 +21,6 @@ package user
import ( import (
"context" "context"
"encoding/json" "encoding/json"
"fmt"
"golang.org/x/crypto/bcrypt" "golang.org/x/crypto/bcrypt"
"kubesphere.io/kubesphere/pkg/apis/iam/v1alpha2" "kubesphere.io/kubesphere/pkg/apis/iam/v1alpha2"
"net/http" "net/http"
@@ -51,28 +50,26 @@ func (a *EmailValidator) Handle(ctx context.Context, req admission.Request) admi
return admission.Errored(http.StatusBadRequest, err) return admission.Errored(http.StatusBadRequest, err)
} }
email := user.Spec.Email
allUsers := v1alpha2.UserList{} allUsers := v1alpha2.UserList{}
err = a.Client.List(ctx, &v1alpha2.UserList{}, &client.ListOptions{}) err = a.Client.List(ctx, &allUsers, &client.ListOptions{})
if err != nil { if err != nil {
return admission.Errored(http.StatusInternalServerError, err) return admission.Errored(http.StatusInternalServerError, err)
} }
found := emailAlreadyExist(allUsers, email) alreadyExist := emailAlreadyExist(allUsers, user)
if !found { if alreadyExist {
return admission.Denied(fmt.Sprintf("email %s must be unique", email)) return admission.Denied("user email already exists")
} }
return admission.Allowed("") return admission.Allowed("")
} }
func emailAlreadyExist(users v1alpha2.UserList, email string) bool { func emailAlreadyExist(users v1alpha2.UserList, user *v1alpha2.User) bool {
for _, user := range users.Items { for _, exist := range users.Items {
if user.Spec.Email == email { if exist.Spec.Email == user.Spec.Email && exist.Name != user.Name {
return true return true
} }
} }
@@ -109,3 +106,15 @@ func hashPassword(password string) (string, error) {
bytes, err := bcrypt.GenerateFromPassword([]byte(password), bcrypt.MinCost) bytes, err := bcrypt.GenerateFromPassword([]byte(password), bcrypt.MinCost)
return string(bytes), err return string(bytes), err
} }
// InjectDecoder injects the decoder.
func (a *PasswordCipher) InjectDecoder(d *admission.Decoder) error {
a.decoder = d
return nil
}
// InjectDecoder injects the decoder.
func (a *EmailValidator) InjectDecoder(d *admission.Decoder) error {
a.decoder = d
return nil
}
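Review bot: The uniqueness check in Handle is list-then-decide, so two concurrent CREATE requests carrying the same email can both be admitted; the webhook cannot make this atomic, and the code should say so, e.g. `// best-effort: List+compare is not atomic across concurrent admissions` above the List call. In emailAlreadyExist the comparison is byte-exact, so if Spec.Email may be empty every email-less user collides with every other, and case variants of one address slip past the check; a guard like `if user.Spec.Email == "" { return false }` and, if addresses are meant to be case-insensitive, `strings.EqualFold` would tighten it. The context line in hashPassword still uses `bcrypt.MinCost`, which the commit does not touch; `bcrypt.DefaultCost` is the usual floor for credentials. Handle's body begins outside the hunk.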