validating

package
v2.3.0 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Mar 23, 2022 License: Apache-2.0 Imports: 7 Imported by: 8

Documentation

Index

Examples

Constants

This section is empty.

Variables

This section is empty.

Functions

func NewWebhook 

func NewWebhook(cfg WebhookConfig) (webhook.Webhook, error)

NewWebhook is a validating webhook and will return a webhook ready for a type of resource it will validate the received resources.

Types

type Validator 

type Validator interface {
	// Validate receives a Kubernetes resource object to be validated, it must
	// return an error or a validation result.
	// Also receives the webhook admission review in case it wants more context and
	// information of the review.
	// Validators can be grouped in chains, that's why we have a `StopChain` boolean
	// in the result, to stop executing the validators chain.
	Validate(ctx context.Context, ar *model.AdmissionReview, obj metav1.Object) (result *ValidatorResult, err error)
}

Validator knows how to validate the received kubernetes object.

Example (ChainValidatingWebhook)

chainValidatingWebhook shows how you would create a validating chain. 

package main

import (
	"context"

	corev1 "k8s.io/api/core/v1"

	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"

	"github.com/slok/kubewebhook/v2/pkg/log"
	"github.com/slok/kubewebhook/v2/pkg/model"
	"github.com/slok/kubewebhook/v2/pkg/webhook/validating"
)

func main() {
	fakeVal := validating.ValidatorFunc(func(_ context.Context, _ *model.AdmissionReview, obj metav1.Object) (*validating.ValidatorResult, error) {
		return &validating.ValidatorResult{Valid: true}, nil
	})

	fakeVal2 := validating.ValidatorFunc(func(_ context.Context, _ *model.AdmissionReview, obj metav1.Object) (*validating.ValidatorResult, error) {
		return &validating.ValidatorResult{Valid: true}, nil
	})

	fakeVal3 := validating.ValidatorFunc(func(_ context.Context, _ *model.AdmissionReview, obj metav1.Object) (*validating.ValidatorResult, error) {
		return &validating.ValidatorResult{Valid: true}, nil
	})

	// Create our webhook using a validator chain.
	_, _ = validating.NewWebhook(validating.WebhookConfig{
		ID:        "podWebhook",
		Obj:       &corev1.Pod{},
		Validator: validating.NewChain(log.Noop, fakeVal, fakeVal2, fakeVal3),
	})

}

Output:
Example (IngressHostValidatingWebhook)

IngressHostValidatingWebhook shows how you would create a ingress validating webhook that checks if an ingress has any rule with an invalid host that doesn't match the valid host regex and if is invalid will not accept the ingress. 

package main

import (
	"context"
	"fmt"
	"regexp"

	extensionsv1beta1 "k8s.io/api/extensions/v1beta1"

	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"

	"github.com/slok/kubewebhook/v2/pkg/model"
	"github.com/slok/kubewebhook/v2/pkg/webhook/validating"
)

func main() {
	// Create the regex to validate the hosts.
	validHost := regexp.MustCompile(`^.*\.batman\.best\.superhero\.io$`)

	// Create our validator that will check the host on each rule of the received ingress to
	// allow or disallow the ingress.
	ivh := validating.ValidatorFunc(func(_ context.Context, _ *model.AdmissionReview, obj metav1.Object) (*validating.ValidatorResult, error) {
		ingress, ok := obj.(*extensionsv1beta1.Ingress)
		if !ok {
			return &validating.ValidatorResult{Valid: true}, fmt.Errorf("not an ingress")
		}

		for _, r := range ingress.Spec.Rules {
			if !validHost.MatchString(r.Host) {
				return &validating.ValidatorResult{
					Valid:   false,
					Message: fmt.Sprintf("%s ingress host doesn't match %s regex", r.Host, validHost),
				}, nil
			}
		}

		return &validating.ValidatorResult{
			Valid:   true,
			Message: "all hosts in the ingress are valid",
		}, nil
	})

	// Create webhook (usage of webhook not in this example).
	_, _ = validating.NewWebhook(validating.WebhookConfig{
		ID:        "example",
		Obj:       &extensionsv1beta1.Ingress{},
		Validator: ivh,
	})
}

Output:

func NewChain 

func NewChain(logger log.Logger, validators ...Validator) Validator

NewChain returns a new chain of validators. - If any of the validators returns an error, the chain will end. - If any of the validators returns an stopChain == true, the chain will end. - If any of the validators returns as no valid, the chain will end.

type ValidatorFunc 

type ValidatorFunc func(context.Context, *model.AdmissionReview, metav1.Object) (result *ValidatorResult, err error)

ValidatorFunc is a helper type to create validators from functions.

func (ValidatorFunc) Validate 

func (f ValidatorFunc) Validate(ctx context.Context, ar *model.AdmissionReview, obj metav1.Object) (result *ValidatorResult, err error)

Validate satisfies Validator interface.

type ValidatorResult 

type ValidatorResult struct {
	// StopChain will stop the chain of validators in case there is a chain set.
	StopChain bool
	// Valid tells the apiserver that the resource is correct and it should allow or not.
	Valid bool
	// Message will be used by the apiserver to give more information in case the resource is not valid.
	Message string
	// Warnings are special messages that can be set to warn the user (e.g deprecation messages, almost invalid resources...).
	Warnings []string
}

ValidatorResult is the result of a validator.

type WebhookConfig 

type WebhookConfig struct {
	// ID is the id of the webhook.
	ID string
	// Object is the object of the webhook, to use multiple types on the same webhook or
	// type inference, don't set this field (will be `nil`).
	Obj metav1.Object
	// Validator is the webhook validator.
	Validator Validator
	// Logger is the app logger.
	Logger log.Logger
}

WebhookConfig is the Validating webhook configuration.

Source Files

View all Source files

Directories

Path Synopsis

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.