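/*
Copyright 2022 The Kubernetes Authors.

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

package validatingadmissionpolicybinding

import (
	"context"

	apiequality "k8s.io/apimachinery/pkg/api/equality"
	"k8s.io/apimachinery/pkg/runtime"
	"k8s.io/apimachinery/pkg/util/validation/field"
	"k8s.io/apiserver/pkg/authorization/authorizer"
	"k8s.io/apiserver/pkg/storage/names"
	"k8s.io/kubernetes/pkg/api/legacyscheme"
	"k8s.io/kubernetes/pkg/apis/admissionregistration"
	"k8s.io/kubernetes/pkg/apis/admissionregistration/validation"
	"k8s.io/kubernetes/pkg/registry/admissionregistration/resolver"
)

// validatingAdmissionPolicyBindingStrategy implements verification logic for ValidatingAdmissionPolicyBinding.
//
// Besides schema validation it gates create/update on an authorization check of
// spec.paramRef (see Validate / ValidateUpdate), so that a user cannot bind a
// policy to parameter objects they are not themselves allowed to use.
type validatingAdmissionPolicyBindingStrategy struct {
	runtime.ObjectTyper
	names.NameGenerator
	// The three dependencies below are consumed by authorizeCreate/authorizeUpdate,
	// which are defined elsewhere in this package. NOTE(review): the exact use of
	// each is not visible in this file — confirm against the helpers before relying
	// on these descriptions.
	//   authorizer:       decides whether the requester may use the referenced params
	//   policyGetter:     resolves the ValidatingAdmissionPolicy the binding points at
	//   resourceResolver: resolves the API resource referenced by the policy/binding
	authorizer       authorizer.Authorizer
	policyGetter     PolicyGetter
	resourceResolver resolver.ResourceResolver
}

// PolicyGetter abstracts lookup of ValidatingAdmissionPolicy objects so the
// strategy can be constructed without a concrete storage backend.
type PolicyGetter interface {
	// GetValidatingAdmissionPolicy returns the ValidatingAdmissionPolicy with the
	// given name. There is no namespace argument because the type is cluster-scoped.
	GetValidatingAdmissionPolicy(ctx context.Context, name string) (*admissionregistration.ValidatingAdmissionPolicy, error)
}

// NewStrategy is the default logic that applies when creating and updating ValidatingAdmissionPolicyBinding objects.
//
// authorizer is the API server authorizer used for the paramRef check,
// policyGetter resolves referenced policies, and resourceResolver resolves
// API resources; all three are stored for use by the authorization helpers.
func NewStrategy(authorizer authorizer.Authorizer, policyGetter PolicyGetter, resourceResolver resolver.ResourceResolver) *validatingAdmissionPolicyBindingStrategy {
	return &validatingAdmissionPolicyBindingStrategy{
		ObjectTyper:      legacyscheme.Scheme,
		NameGenerator:    names.SimpleNameGenerator,
		authorizer:       authorizer,
		policyGetter:     policyGetter,
		resourceResolver: resourceResolver,
	}
}

// NamespaceScoped returns false because ValidatingAdmissionPolicyBinding is a cluster-scoped resource.
func (v *validatingAdmissionPolicyBindingStrategy) NamespaceScoped() bool {
	return false
}

// PrepareForCreate initializes server-managed metadata on a new
// ValidatingAdmissionPolicyBinding: Generation starts at 1 regardless of
// what the client sent. Nothing else is touched here.
func (v *validatingAdmissionPolicyBindingStrategy) PrepareForCreate(ctx context.Context, obj runtime.Object) {
	binding := obj.(*admissionregistration.ValidatingAdmissionPolicyBinding)
	binding.Generation = 1
}

// PrepareForUpdate clears fields that are not allowed to be set by end users on update.
//
// Currently its only job is to bump Generation when the spec changes; a
// metadata-only update leaves Generation as the client supplied it.
func (v *validatingAdmissionPolicyBindingStrategy) PrepareForUpdate(ctx context.Context, obj, old runtime.Object) {
	newBinding := obj.(*admissionregistration.ValidatingAdmissionPolicyBinding)
	oldBinding := old.(*admissionregistration.ValidatingAdmissionPolicyBinding)

	// Any change to the spec increments the generation number; consumers use
	// Generation to detect that the desired state moved. See the metav1.ObjectMeta
	// description for more information on Generation.
	if !apiequality.Semantic.DeepEqual(oldBinding.Spec, newBinding.Spec) {
		newBinding.Generation = oldBinding.Generation + 1
	}
}

// Validate validates a new ValidatingAdmissionPolicyBinding.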
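func (v *validatingAdmissionPolicyBindingStrategy) Validate(ctx context.Context, obj runtime.Object) field.ErrorList {
	binding := obj.(*admissionregistration.ValidatingAdmissionPolicyBinding)
	errs := validation.ValidateValidatingAdmissionPolicyBinding(binding)
	if len(errs) > 0 {
		// Structural validation failed: do not run the authorization check against
		// a paramRef that may be malformed; the schema errors are returned as-is.
		return errs
	}
	// The object is well-formed, so additionally require that the requester is
	// allowed to use the params named in spec.paramRef (authorizeCreate is defined
	// elsewhere in this package). The denial reason is surfaced to the API client
	// verbatim as a field-level Forbidden error on spec.paramRef.
	if err := v.authorizeCreate(ctx, obj); err != nil {
		errs = append(errs, field.Forbidden(field.NewPath("spec", "paramRef"), err.Error()))
	}
	return errs
}

// WarningsOnCreate returns warnings for the creation of the given object.
// No create-time warnings are currently emitted for this type.
func (v *validatingAdmissionPolicyBindingStrategy) WarningsOnCreate(ctx context.Context, obj runtime.Object) []string {
	return nil
}

// Canonicalize normalizes the object after validation. There is no
// canonical form to enforce for this type, so it is a no-op.
func (v *validatingAdmissionPolicyBindingStrategy) Canonicalize(obj runtime.Object) {
}

// AllowCreateOnUpdate returns false for ValidatingAdmissionPolicyBinding: a PUT
// against a name that does not exist yet is rejected rather than being treated
// as a create, so creation always goes through the POST/Validate path.
func (v *validatingAdmissionPolicyBindingStrategy) AllowCreateOnUpdate() bool {
	return false
}

// ValidateUpdate is the default update validation for an end user.
//
// Like Validate, it runs the update-specific schema validation first and only
// when that passes authorizes the (possibly changed) paramRef against the
// requester. authorizeUpdate is defined elsewhere in this package and receives
// both the new and the old object so it can decide whether the reference moved.
func (v *validatingAdmissionPolicyBindingStrategy) ValidateUpdate(ctx context.Context, obj, old runtime.Object) field.ErrorList {
	newBinding := obj.(*admissionregistration.ValidatingAdmissionPolicyBinding)
	oldBinding := old.(*admissionregistration.ValidatingAdmissionPolicyBinding)
	errs := validation.ValidateValidatingAdmissionPolicyBindingUpdate(newBinding, oldBinding)
	if len(errs) > 0 {
		// Skip authorization for a structurally invalid update; see Validate.
		return errs
	}
	if err := v.authorizeUpdate(ctx, obj, old); err != nil {
		// Denial reason is reported to the client on spec.paramRef, same as on create.
		errs = append(errs, field.Forbidden(field.NewPath("spec", "paramRef"), err.Error()))
	}
	return errs
}

// WarningsOnUpdate returns warnings for the given update.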
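func (v *validatingAdmissionPolicyBindingStrategy) WarningsOnUpdate(ctx context.Context, obj, old runtime.Object) []string {
	// No update-time warnings are currently emitted for this type.
	return nil
}

// AllowUnconditionalUpdate is the default update policy for
// ValidatingAdmissionPolicyBinding objects. Returning false means an update
// must carry the resourceVersion of the object it replaces; a PUT without a
// resourceVersion precondition is rejected instead of blindly overwriting
// whatever is currently stored.
func (v *validatingAdmissionPolicyBindingStrategy) AllowUnconditionalUpdate() bool {
	return false
}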