use istio client-go library instead of knative (#1661)

use istio client-go library instead of knative bump kubernetes dependency version change code coverage to codecov
2019-12-13 11:26:18 +08:00
parent f249a6e081
commit ea88c8803d
2071 changed files with 354531 additions and 108336 deletions
--- a/vendor/k8s.io/apiserver/pkg/admission/plugin/webhook/generic/conversion.go
+++ b/vendor/k8s.io/apiserver/pkg/admission/plugin/webhook/generic/conversion.go
@@ -17,29 +17,23 @@ limitations under the License.
 package generic

 import (
-	"fmt"
-
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/runtime/schema"
+	"k8s.io/apiserver/pkg/admission"
 )

-// convertor converts objects to the desired version.
-type convertor struct {
-	Scheme *runtime.Scheme
-}
-
 // ConvertToGVK converts object to the desired gvk.
-func (c *convertor) ConvertToGVK(obj runtime.Object, gvk schema.GroupVersionKind) (runtime.Object, error) {
+func ConvertToGVK(obj runtime.Object, gvk schema.GroupVersionKind, o admission.ObjectInterfaces) (runtime.Object, error) {
 	// Unlike other resources, custom resources do not have internal version, so
 	// if obj is a custom resource, it should not need conversion.
 	if obj.GetObjectKind().GroupVersionKind() == gvk {
 		return obj, nil
 	}
-	out, err := c.Scheme.New(gvk)
+	out, err := o.GetObjectCreater().New(gvk)
 	if err != nil {
 		return nil, err
 	}
-	err = c.Scheme.Convert(obj, out, nil)
+	err = o.GetObjectConvertor().Convert(obj, out, nil)
 	if err != nil {
 		return nil, err
 	}
@@ -48,10 +42,71 @@ func (c *convertor) ConvertToGVK(obj runtime.Object, gvk schema.GroupVersionKind
 	return out, nil
 }

-// Validate checks if the conversion has a scheme.
-func (c *convertor) Validate() error {
-	if c.Scheme == nil {
-		return fmt.Errorf("the convertor requires a scheme")
+// NewVersionedAttributes returns versioned attributes with the old and new object (if non-nil) converted to the requested kind
+func NewVersionedAttributes(attr admission.Attributes, gvk schema.GroupVersionKind, o admission.ObjectInterfaces) (*VersionedAttributes, error) {
+	// convert the old and new objects to the requested version
+	versionedAttr := &VersionedAttributes{
+		Attributes:    attr,
+		VersionedKind: gvk,
 	}
+	if oldObj := attr.GetOldObject(); oldObj != nil {
+		out, err := ConvertToGVK(oldObj, gvk, o)
+		if err != nil {
+			return nil, err
+		}
+		versionedAttr.VersionedOldObject = out
+	}
+	if obj := attr.GetObject(); obj != nil {
+		out, err := ConvertToGVK(obj, gvk, o)
+		if err != nil {
+			return nil, err
+		}
+		versionedAttr.VersionedObject = out
+	}
+	return versionedAttr, nil
+}
+
+// ConvertVersionedAttributes converts VersionedObject and VersionedOldObject to the specified kind, if needed.
+// If attr.VersionedKind already matches the requested kind, no conversion is performed.
+// If conversion is required:
+// * attr.VersionedObject is used as the source for the new object if Dirty=true (and is round-tripped through attr.Attributes.Object, clearing Dirty in the process)
+// * attr.Attributes.Object is used as the source for the new object if Dirty=false
+// * attr.Attributes.OldObject is used as the source for the old object
+func ConvertVersionedAttributes(attr *VersionedAttributes, gvk schema.GroupVersionKind, o admission.ObjectInterfaces) error {
+	// we already have the desired kind, we're done
+	if attr.VersionedKind == gvk {
+		return nil
+	}
+
+	// convert the original old object to the desired GVK
+	if oldObj := attr.Attributes.GetOldObject(); oldObj != nil {
+		out, err := ConvertToGVK(oldObj, gvk, o)
+		if err != nil {
+			return err
+		}
+		attr.VersionedOldObject = out
+	}
+
+	if attr.VersionedObject != nil {
+		// convert the existing versioned object to internal
+		if attr.Dirty {
+			err := o.GetObjectConvertor().Convert(attr.VersionedObject, attr.Attributes.GetObject(), nil)
+			if err != nil {
+				return err
+			}
+		}
+
+		// and back to external
+		out, err := ConvertToGVK(attr.Attributes.GetObject(), gvk, o)
+		if err != nil {
+			return err
+		}
+		attr.VersionedObject = out
+	}
+
+	// Remember we converted to this version
+	attr.VersionedKind = gvk
+	attr.Dirty = false
+
 	return nil
 }
--- a/vendor/k8s.io/apiserver/pkg/admission/plugin/webhook/generic/interfaces.go
+++ b/vendor/k8s.io/apiserver/pkg/admission/plugin/webhook/generic/interfaces.go
@@ -19,27 +19,57 @@ package generic
 import (
 	"context"

-	"k8s.io/api/admissionregistration/v1beta1"
 	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
 	"k8s.io/apiserver/pkg/admission"
+	"k8s.io/apiserver/pkg/admission/plugin/webhook"
 )

 // Source can list dynamic webhook plugins.
 type Source interface {
-	Webhooks() []v1beta1.Webhook
+	Webhooks() []webhook.WebhookAccessor
 	HasSynced() bool
 }

 // VersionedAttributes is a wrapper around the original admission attributes, adding versioned
 // variants of the object and old object.
 type VersionedAttributes struct {
+	// Attributes holds the original admission attributes
 	admission.Attributes
+	// VersionedOldObject holds Attributes.OldObject (if non-nil), converted to VersionedKind.
+	// It must never be mutated.
 	VersionedOldObject runtime.Object
-	VersionedObject    runtime.Object
+	// VersionedObject holds Attributes.Object (if non-nil), converted to VersionedKind.
+	// If mutated, Dirty must be set to true by the mutator.
+	VersionedObject runtime.Object
+	// VersionedKind holds the fully qualified kind
+	VersionedKind schema.GroupVersionKind
+	// Dirty indicates VersionedObject has been modified since being converted from Attributes.Object
+	Dirty bool
+}
+
+// GetObject overrides the Attributes.GetObject()
+func (v *VersionedAttributes) GetObject() runtime.Object {
+	if v.VersionedObject != nil {
+		return v.VersionedObject
+	}
+	return v.Attributes.GetObject()
+}
+
+// WebhookInvocation describes how to call a webhook, including the resource and subresource the webhook registered for,
+// and the kind that should be sent to the webhook.
+type WebhookInvocation struct {
+	Webhook     webhook.WebhookAccessor
+	Resource    schema.GroupVersionResource
+	Subresource string
+	Kind        schema.GroupVersionKind
 }

 // Dispatcher dispatches webhook call to a list of webhooks with admission attributes as argument.
 type Dispatcher interface {
-	// Dispatch a request to the webhooks using the given webhooks. A non-nil error means the request is rejected.
-	Dispatch(ctx context.Context, a *VersionedAttributes, hooks []*v1beta1.Webhook) error
+	// Dispatch a request to the webhooks. Dispatcher may choose not to
+	// call a hook, either because the rules of the hook does not match, or
+	// the namespaceSelector or the objectSelector of the hook does not
+	// match. A non-nil error means the request is rejected.
+	Dispatch(ctx context.Context, a admission.Attributes, o admission.ObjectInterfaces, hooks []webhook.WebhookAccessor) error
 }
--- a/vendor/k8s.io/apiserver/pkg/admission/plugin/webhook/generic/webhook.go
+++ b/vendor/k8s.io/apiserver/pkg/admission/plugin/webhook/generic/webhook.go
@@ -21,16 +21,19 @@ import (
 	"fmt"
 	"io"

+	admissionv1 "k8s.io/api/admission/v1"
 	admissionv1beta1 "k8s.io/api/admission/v1beta1"
 	"k8s.io/api/admissionregistration/v1beta1"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
-	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
 	"k8s.io/apiserver/pkg/admission"
 	genericadmissioninit "k8s.io/apiserver/pkg/admission/initializer"
+	"k8s.io/apiserver/pkg/admission/plugin/webhook"
 	"k8s.io/apiserver/pkg/admission/plugin/webhook/config"
 	"k8s.io/apiserver/pkg/admission/plugin/webhook/namespace"
+	"k8s.io/apiserver/pkg/admission/plugin/webhook/object"
 	"k8s.io/apiserver/pkg/admission/plugin/webhook/rules"
-	"k8s.io/apiserver/pkg/util/webhook"
+	webhookutil "k8s.io/apiserver/pkg/util/webhook"
 	"k8s.io/client-go/informers"
 	clientset "k8s.io/client-go/kubernetes"
 )
@@ -42,9 +45,9 @@ type Webhook struct {
 	sourceFactory sourceFactory

 	hookSource       Source
-	clientManager    *webhook.ClientManager
-	convertor        *convertor
+	clientManager    *webhookutil.ClientManager
 	namespaceMatcher *namespace.Matcher
+	objectMatcher    *object.Matcher
 	dispatcher       Dispatcher
 }

@@ -54,7 +57,7 @@ var (
 )

 type sourceFactory func(f informers.SharedInformerFactory) Source
-type dispatcherFactory func(cm *webhook.ClientManager) Dispatcher
+type dispatcherFactory func(cm *webhookutil.ClientManager) Dispatcher

 // NewWebhook creates a new generic admission webhook.
 func NewWebhook(handler *admission.Handler, configFile io.Reader, sourceFactory sourceFactory, dispatcherFactory dispatcherFactory) (*Webhook, error) {
@@ -63,24 +66,31 @@ func NewWebhook(handler *admission.Handler, configFile io.Reader, sourceFactory
 		return nil, err
 	}

-	cm, err := webhook.NewClientManager(admissionv1beta1.SchemeGroupVersion, admissionv1beta1.AddToScheme)
+	cm, err := webhookutil.NewClientManager(
+		[]schema.GroupVersion{
+			admissionv1beta1.SchemeGroupVersion,
+			admissionv1.SchemeGroupVersion,
+		},
+		admissionv1beta1.AddToScheme,
+		admissionv1.AddToScheme,
+	)
 	if err != nil {
 		return nil, err
 	}
-	authInfoResolver, err := webhook.NewDefaultAuthenticationInfoResolver(kubeconfigFile)
+	authInfoResolver, err := webhookutil.NewDefaultAuthenticationInfoResolver(kubeconfigFile)
 	if err != nil {
 		return nil, err
 	}
 	// Set defaults which may be overridden later.
 	cm.SetAuthenticationInfoResolver(authInfoResolver)
-	cm.SetServiceResolver(webhook.NewDefaultServiceResolver())
+	cm.SetServiceResolver(webhookutil.NewDefaultServiceResolver())

 	return &Webhook{
 		Handler:          handler,
 		sourceFactory:    sourceFactory,
 		clientManager:    &cm,
-		convertor:        &convertor{},
 		namespaceMatcher: &namespace.Matcher{},
+		objectMatcher:    &object.Matcher{},
 		dispatcher:       dispatcherFactory(&cm),
 	}, nil
 }
@@ -88,23 +98,16 @@ func NewWebhook(handler *admission.Handler, configFile io.Reader, sourceFactory
 // SetAuthenticationInfoResolverWrapper sets the
 // AuthenticationInfoResolverWrapper.
 // TODO find a better way wire this, but keep this pull small for now.
-func (a *Webhook) SetAuthenticationInfoResolverWrapper(wrapper webhook.AuthenticationInfoResolverWrapper) {
+func (a *Webhook) SetAuthenticationInfoResolverWrapper(wrapper webhookutil.AuthenticationInfoResolverWrapper) {
 	a.clientManager.SetAuthenticationInfoResolverWrapper(wrapper)
 }

 // SetServiceResolver sets a service resolver for the webhook admission plugin.
 // Passing a nil resolver does not have an effect, instead a default one will be used.
-func (a *Webhook) SetServiceResolver(sr webhook.ServiceResolver) {
+func (a *Webhook) SetServiceResolver(sr webhookutil.ServiceResolver) {
 	a.clientManager.SetServiceResolver(sr)
 }

-// SetScheme sets a serializer(NegotiatedSerializer) which is derived from the scheme
-func (a *Webhook) SetScheme(scheme *runtime.Scheme) {
-	if scheme != nil {
-		a.convertor.Scheme = scheme
-	}
-}
-
 // SetExternalKubeClientSet implements the WantsExternalKubeInformerFactory interface.
 // It sets external ClientSet for admission plugins that need it
 func (a *Webhook) SetExternalKubeClientSet(client clientset.Interface) {
@@ -132,31 +135,83 @@ func (a *Webhook) ValidateInitialization() error {
 	if err := a.clientManager.Validate(); err != nil {
 		return fmt.Errorf("clientManager is not properly setup: %v", err)
 	}
-	if err := a.convertor.Validate(); err != nil {
-		return fmt.Errorf("convertor is not properly setup: %v", err)
-	}
 	return nil
 }

-// ShouldCallHook makes a decision on whether to call the webhook or not by the attribute.
-func (a *Webhook) ShouldCallHook(h *v1beta1.Webhook, attr admission.Attributes) (bool, *apierrors.StatusError) {
-	var matches bool
-	for _, r := range h.Rules {
+// ShouldCallHook returns invocation details if the webhook should be called, nil if the webhook should not be called,
+// or an error if an error was encountered during evaluation.
+func (a *Webhook) ShouldCallHook(h webhook.WebhookAccessor, attr admission.Attributes, o admission.ObjectInterfaces) (*WebhookInvocation, *apierrors.StatusError) {
+	var err *apierrors.StatusError
+	var invocation *WebhookInvocation
+	for _, r := range h.GetRules() {
 		m := rules.Matcher{Rule: r, Attr: attr}
 		if m.Matches() {
-			matches = true
+			invocation = &WebhookInvocation{
+				Webhook:     h,
+				Resource:    attr.GetResource(),
+				Subresource: attr.GetSubresource(),
+				Kind:        attr.GetKind(),
+			}
 			break
 		}
 	}
-	if !matches {
-		return false, nil
+	if invocation == nil && h.GetMatchPolicy() != nil && *h.GetMatchPolicy() == v1beta1.Equivalent {
+		attrWithOverride := &attrWithResourceOverride{Attributes: attr}
+		equivalents := o.GetEquivalentResourceMapper().EquivalentResourcesFor(attr.GetResource(), attr.GetSubresource())
+		// honor earlier rules first
+	OuterLoop:
+		for _, r := range h.GetRules() {
+			// see if the rule matches any of the equivalent resources
+			for _, equivalent := range equivalents {
+				if equivalent == attr.GetResource() {
+					// exclude attr.GetResource(), which we already checked
+					continue
+				}
+				attrWithOverride.resource = equivalent
+				m := rules.Matcher{Rule: r, Attr: attrWithOverride}
+				if m.Matches() {
+					kind := o.GetEquivalentResourceMapper().KindFor(equivalent, attr.GetSubresource())
+					if kind.Empty() {
+						return nil, apierrors.NewInternalError(fmt.Errorf("unable to convert to %v: unknown kind", equivalent))
+					}
+					invocation = &WebhookInvocation{
+						Webhook:     h,
+						Resource:    equivalent,
+						Subresource: attr.GetSubresource(),
+						Kind:        kind,
+					}
+					break OuterLoop
+				}
+			}
+		}
 	}

-	return a.namespaceMatcher.MatchNamespaceSelector(h, attr)
+	if invocation == nil {
+		return nil, nil
+	}
+
+	matches, err := a.namespaceMatcher.MatchNamespaceSelector(h, attr)
+	if !matches || err != nil {
+		return nil, err
+	}
+
+	matches, err = a.objectMatcher.MatchObjectSelector(h, attr)
+	if !matches || err != nil {
+		return nil, err
+	}
+
+	return invocation, nil
 }

+type attrWithResourceOverride struct {
+	admission.Attributes
+	resource schema.GroupVersionResource
+}
+
+func (a *attrWithResourceOverride) GetResource() schema.GroupVersionResource { return a.resource }
+
 // Dispatch is called by the downstream Validate or Admit methods.
-func (a *Webhook) Dispatch(attr admission.Attributes) error {
+func (a *Webhook) Dispatch(ctx context.Context, attr admission.Attributes, o admission.ObjectInterfaces) error {
 	if rules.IsWebhookConfigurationResource(attr) {
 		return nil
 	}
@@ -164,42 +219,5 @@ func (a *Webhook) Dispatch(attr admission.Attributes) error {
 		return admission.NewForbidden(attr, fmt.Errorf("not yet ready to handle request"))
 	}
 	hooks := a.hookSource.Webhooks()
-	// TODO: Figure out if adding one second timeout make sense here.
-	ctx := context.TODO()
-
-	var relevantHooks []*v1beta1.Webhook
-	for i := range hooks {
-		call, err := a.ShouldCallHook(&hooks[i], attr)
-		if err != nil {
-			return err
-		}
-		if call {
-			relevantHooks = append(relevantHooks, &hooks[i])
-		}
-	}
-
-	if len(relevantHooks) == 0 {
-		// no matching hooks
-		return nil
-	}
-
-	// convert the object to the external version before sending it to the webhook
-	versionedAttr := VersionedAttributes{
-		Attributes: attr,
-	}
-	if oldObj := attr.GetOldObject(); oldObj != nil {
-		out, err := a.convertor.ConvertToGVK(oldObj, attr.GetKind())
-		if err != nil {
-			return apierrors.NewInternalError(err)
-		}
-		versionedAttr.VersionedOldObject = out
-	}
-	if obj := attr.GetObject(); obj != nil {
-		out, err := a.convertor.ConvertToGVK(obj, attr.GetKind())
-		if err != nil {
-			return apierrors.NewInternalError(err)
-		}
-		versionedAttr.VersionedObject = out
-	}
-	return a.dispatcher.Dispatch(ctx, &versionedAttr, relevantHooks)
+	return a.dispatcher.Dispatch(ctx, attr, o, hooks)
 }