working ver

Author: CMGS

admission/cocoonset_validator.go

@@ -11,6 +11,7 @@ import (
 	"k8s.io/apimachinery/pkg/util/validation"
 
 	cocoonv1 "github.com/cocoonstack/cocoon-common/apis/v1"
+	commonadmission "github.com/cocoonstack/cocoon-common/k8s/admission"
 	"github.com/cocoonstack/cocoon-webhook/metrics"
 )
 
@@ -23,23 +24,23 @@ func (s *Server) validateCocoonSet(ctx context.Context, review *admissionv1.Admi
 	req := review.Request
 
 	if req.Operation != admissionv1.Create && req.Operation != admissionv1.Update {
-		return allowResponse()
+		return commonadmission.Allow()
 	}
 
 	var cs cocoonv1.CocoonSet
 	if err := json.Unmarshal(req.Object.Raw, &cs); err != nil {
 		logger.Warnf(ctx, "decode cocoonset %s/%s: %v", req.Namespace, req.Name, err)
-		return denyResponse(fmt.Sprintf("decode CocoonSet: %v", err))
+		return commonadmission.Deny(fmt.Sprintf("decode CocoonSet: %v", err))
 	}
 
 	if errs := validateCocoonSetSpec(&cs); len(errs) > 0 {
 		msg := "cocoon-webhook: invalid CocoonSet spec: " + strings.Join(errs, "; ")
 		logger.Warnf(ctx, "validate %s/%s DENY: %s", req.Namespace, req.Name, msg)
 		metrics.RecordAdmission(metrics.HandlerCocoonSetValid, metrics.DecisionDeny)
-		return denyResponse(msg)
+		return commonadmission.Deny(msg)
 	}
 	metrics.RecordAdmission(metrics.HandlerCocoonSetValid, metrics.DecisionAllow)
-	return allowResponse()
+	return commonadmission.Allow()
 }
 
 // validateCocoonSetSpec returns the list of human-readable error

admission/pod_mutator.go

@@ -3,13 +3,12 @@ package admission
 import (
 	"context"
 	"encoding/json"
-	"fmt"
-	"strings"
 
 	"github.com/projecteru2/core/log"
 	admissionv1 "k8s.io/api/admission/v1"
 	corev1 "k8s.io/api/core/v1"
 
+	commonadmission "github.com/cocoonstack/cocoon-common/k8s/admission"
 	"github.com/cocoonstack/cocoon-common/meta"
 	"github.com/cocoonstack/cocoon-webhook/affinity"
 	"github.com/cocoonstack/cocoon-webhook/metrics"
@@ -26,33 +25,33 @@ func (s *Server) mutatePod(ctx context.Context, review *admissionv1.AdmissionRev
 
 	if req.Kind.Kind != "Pod" {
 		metrics.RecordAdmission(metrics.HandlerMutate, metrics.DecisionAllow)
-		return allowResponse()
+		return commonadmission.Allow()
 	}
 
 	var pod corev1.Pod
 	if err := json.Unmarshal(req.Object.Raw, &pod); err != nil {
 		logger.Warnf(ctx, "decode pod %s/%s: %v", req.Namespace, req.Name, err)
 		metrics.RecordAdmission(metrics.HandlerMutate, metrics.DecisionError)
-		return allowResponse()
+		return commonadmission.Allow()
 	}
 
 	if !meta.HasCocoonToleration(pod.Spec.Tolerations) {
 		metrics.RecordAdmission(metrics.HandlerMutate, metrics.DecisionAllow)
-		return allowResponse()
+		return commonadmission.Allow()
 	}
 
 	if meta.IsOwnedByCocoonSet(pod.OwnerReferences) {
 		// CocoonSet-managed pods come pre-annotated by the operator.
 		metrics.RecordAdmission(metrics.HandlerMutate, metrics.DecisionAllow)
-		return allowResponse()
+		return commonadmission.Allow()
 	}
 
 	if pod.Spec.NodeName != "" {
 		metrics.RecordAdmission(metrics.HandlerMutate, metrics.DecisionAllow)
-		return allowResponse()
+		return commonadmission.Allow()
 	}
 
-	pool := podNodePool(&pod)
+	pool := meta.PodNodePool(&pod)
 	name := podDisplayName(&pod, req)
 	res, err := s.store.Reserve(ctx, affinity.ReserveRequest{
 		Pool:       pool,
@@ -65,15 +64,15 @@ func (s *Server) mutatePod(ctx context.Context, review *admissionv1.AdmissionRev
 		// unreachable: log loudly and let the pod through unmutated.
 		logger.Errorf(ctx, err, "reserve affinity for pod %s/%s", req.Namespace, name)
 		metrics.RecordAdmission(metrics.HandlerMutate, metrics.DecisionAffinityFailed)
-		return allowResponse()
+		return commonadmission.Allow()
 	}
 	metrics.RecordReservation(pool)
 
 	patch, err := buildMutatePatch(&pod, res)
 	if err != nil {
 		logger.Errorf(ctx, err, "build mutate patch for pod %s/%s", req.Namespace, name)
 		metrics.RecordAdmission(metrics.HandlerMutate, metrics.DecisionError)
-		return allowResponse()
+		return commonadmission.Allow()
 	}
 
 	logger.Infof(ctx, "mutate %s/%s: vm=%s node=%s", req.Namespace, name, res.VMName, res.Node)
@@ -101,63 +100,28 @@ func podDisplayName(pod *corev1.Pod, req *admissionv1.AdmissionRequest) string {
 	return pod.GenerateName + "<unnamed>"
 }
 
-// podNodePool returns the cocoon pool the pod requests. Resolution
-// order: nodeSelector[cocoonstack.io/pool] -> labels[cocoonstack.io/pool]
-// -> annotations[cocoonstack.io/pool] -> default.
-func podNodePool(pod *corev1.Pod) string {
-	if v := pod.Spec.NodeSelector[meta.LabelNodePool]; v != "" {
-		return v
-	}
-	if v := pod.Labels[meta.LabelNodePool]; v != "" {
-		return v
-	}
-	if v := pod.Annotations[meta.LabelNodePool]; v != "" {
-		return v
-	}
-	return meta.DefaultNodePool
-}
-
-// jsonPatchOp is a single RFC 6902 patch operation.
-type jsonPatchOp struct {
-	Op    string `json:"op"`
-	Path  string `json:"path"`
-	Value any    `json:"value,omitempty"`
-}
-
 // buildMutatePatch produces an RFC 6902 JSON patch that writes the
 // VM name annotation and (when present) pins spec.nodeName.
 func buildMutatePatch(pod *corev1.Pod, res affinity.Reservation) ([]byte, error) {
-	var ops []jsonPatchOp
+	var ops []commonadmission.JSONPatchOp
 	if pod.Annotations == nil {
-		ops = append(ops, jsonPatchOp{
+		ops = append(ops, commonadmission.JSONPatchOp{
 			Op:    "add",
 			Path:  "/metadata/annotations",
 			Value: map[string]string{},
 		})
 	}
-	ops = append(ops, jsonPatchOp{
+	ops = append(ops, commonadmission.JSONPatchOp{
 		Op:    "add",
-		Path:  "/metadata/annotations/" + escapeJSONPointer(meta.AnnotationVMName),
+		Path:  "/metadata/annotations/" + commonadmission.EscapeJSONPointer(meta.AnnotationVMName),
 		Value: res.VMName,
 	})
 	if res.Node != "" {
-		ops = append(ops, jsonPatchOp{
+		ops = append(ops, commonadmission.JSONPatchOp{
 			Op:    "add",
 			Path:  "/spec/nodeName",
 			Value: res.Node,
 		})
 	}
-	out, err := json.Marshal(ops)
-	if err != nil {
-		return nil, fmt.Errorf("marshal patch: %w", err)
-	}
-	return out, nil
-}
-
-// escapeJSONPointer escapes the two characters that are reserved in
-// RFC 6901 JSON Pointer paths.
-func escapeJSONPointer(s string) string {
-	s = strings.ReplaceAll(s, "~", "~0")
-	s = strings.ReplaceAll(s, "/", "~1")
-	return s
+	return commonadmission.MarshalPatch(ops)
 }

admission/pod_mutator_test.go

@@ -11,6 +11,7 @@ import (
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/client-go/kubernetes/fake"
 
+	commonadmission "github.com/cocoonstack/cocoon-common/k8s/admission"
 	"github.com/cocoonstack/cocoon-common/meta"
 	"github.com/cocoonstack/cocoon-webhook/affinity"
 )
@@ -57,7 +58,7 @@ func TestPodNodePoolPrecedence(t *testing.T) {
 	for _, c := range cases {
 		t.Run(c.name, func(t *testing.T) {
 			pod := c.pod
-			if got := podNodePool(&pod); got != c.want {
+			if got := meta.PodNodePool(&pod); got != c.want {
 				t.Errorf("got %q, want %q", got, c.want)
 			}
 		})
@@ -71,7 +72,7 @@ func TestEscapeJSONPointer(t *testing.T) {
 		"plain":                  "plain",
 	}
 	for in, want := range cases {
-		if got := escapeJSONPointer(in); got != want {
+		if got := commonadmission.EscapeJSONPointer(in); got != want {
 			t.Errorf("escape %q = %q, want %q", in, got, want)
 		}
 	}
@@ -197,7 +198,7 @@ func newTestServer(t *testing.T) *Server {
 	t.Helper()
 	client := fake.NewSimpleClientset()
 	store := affinity.NewConfigMapStore(client, fixedNodePicker("node-test"))
-	return NewServer(client, store)
+	return NewServer(store)
 }
 
 func buildPodReview(t *testing.T, pod *corev1.Pod) *admissionv1.AdmissionReview {

admission/response.go

@@ -1,33 +1,27 @@
 package admission
 
 import (
-	"context"
-	"encoding/json"
-	"io"
 	"net/http"
 
-	"github.com/projecteru2/core/log"
-	admissionv1 "k8s.io/api/admission/v1"
-	"k8s.io/client-go/kubernetes"
-
+	commonadmission "github.com/cocoonstack/cocoon-common/k8s/admission"
 	"github.com/cocoonstack/cocoon-webhook/affinity"
 )
 
-const maxAdmissionBody = 10 << 20 // 10 MiB upper bound on request body size.
-
 // Server hosts the admission webhook HTTP handlers. Dependencies are
 // injected so each handler stays trivially testable.
 type Server struct {
-	clientset kubernetes.Interface
-	store     affinity.Store
+	store affinity.Store
 }
 
 // NewServer constructs a Server with the supplied dependencies.
-func NewServer(clientset kubernetes.Interface, store affinity.Store) *Server {
-	return &Server{clientset: clientset, store: store}
+func NewServer(store affinity.Store) *Server {
+	return &Server{store: store}
 }
 
 // Routes returns the HTTP handler exposing every webhook endpoint.
+// Decode / dispatch / encode for the admission endpoints lives in
+// cocoon-common/k8s/admission; the per-endpoint handlers live in
+// this package.
 func (s *Server) Routes() http.Handler {
 	mux := http.NewServeMux()
 	mux.HandleFunc("/mutate", s.handleMutate)
@@ -49,53 +43,13 @@ func (s *Server) handleReadyz(w http.ResponseWriter, _ *http.Request) {
 }
 
 func (s *Server) handleMutate(w http.ResponseWriter, r *http.Request) {
-	s.serveAdmission(w, r, s.mutatePod)
+	commonadmission.Serve(w, r, 0, s.mutatePod)
 }
 
 func (s *Server) handleValidate(w http.ResponseWriter, r *http.Request) {
-	s.serveAdmission(w, r, s.validateWorkload)
+	commonadmission.Serve(w, r, 0, s.validateWorkload)
 }
 
 func (s *Server) handleValidateCocoonSet(w http.ResponseWriter, r *http.Request) {
-	s.serveAdmission(w, r, s.validateCocoonSet)
-}
-
-// serveAdmission decodes an AdmissionReview, dispatches it to the
-// supplied admission function, copies the request UID onto the
-// response (required by the API server), and writes the response.
-func (s *Server) serveAdmission(
-	w http.ResponseWriter,
-	r *http.Request,
-	admit func(context.Context, *admissionv1.AdmissionReview) *admissionv1.AdmissionResponse,
-) {
-	logger := log.WithFunc("serveAdmission")
-	review, err := decodeAdmissionReview(r)
-	if err != nil {
-		logger.Warnf(r.Context(), "decode admission review: %v", err)
-		http.Error(w, "decode admission review", http.StatusBadRequest)
-		return
-	}
-	resp := admit(r.Context(), review)
-	if resp == nil {
-		resp = allowResponse()
-	}
-	resp.UID = review.Request.UID
-	review.Response = resp
-
-	out, err := json.Marshal(review)
-	if err != nil {
-		logger.Error(r.Context(), err, "marshal admission review")
-		http.Error(w, "encode response", http.StatusInternalServerError)
-		return
-	}
-	w.Header().Set("Content-Type", "application/json")
-	_, _ = w.Write(out) //nolint:gosec // marshaled JSON API response, not rendered as HTML
-}
-
-func decodeAdmissionReview(r *http.Request) (*admissionv1.AdmissionReview, error) {
-	var review admissionv1.AdmissionReview
-	if err := json.NewDecoder(io.LimitReader(r.Body, maxAdmissionBody)).Decode(&review); err != nil {
-		return nil, err
-	}
-	return &review, nil
+	commonadmission.Serve(w, r, 0, s.validateCocoonSet)
 }

admission/server.go

@@ -11,6 +11,7 @@ import (
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/utils/ptr"
 
+	commonadmission "github.com/cocoonstack/cocoon-common/k8s/admission"
 	"github.com/cocoonstack/cocoon-common/meta"
 	"github.com/cocoonstack/cocoon-webhook/metrics"
 )
@@ -32,15 +33,15 @@ type scalable interface {
 func (s *Server) validateWorkload(ctx context.Context, review *admissionv1.AdmissionReview) *admissionv1.AdmissionResponse {
 	req := review.Request
 	if req.Operation != admissionv1.Update {
-		return allowResponse()
+		return commonadmission.Allow()
 	}
 	switch req.Kind.Kind {
 	case "Deployment":
 		return validateScaleDown[appsv1.Deployment](ctx, req)
 	case "StatefulSet":
 		return validateScaleDown[appsv1.StatefulSet](ctx, req)
 	default:
-		return allowResponse()
+		return commonadmission.Allow()
 	}
 }
 
@@ -51,15 +52,15 @@ func validateScaleDown[T scalable](ctx context.Context, req *admissionv1.Admissi
 	var oldObj, newObj T
 	if err := json.Unmarshal(req.OldObject.Raw, &oldObj); err != nil {
 		logger.Warnf(ctx, "decode old %s %s/%s: %v", req.Kind.Kind, req.Namespace, req.Name, err)
-		return allowResponse()
+		return commonadmission.Allow()
 	}
 	if err := json.Unmarshal(req.Object.Raw, &newObj); err != nil {
 		logger.Warnf(ctx, "decode new %s %s/%s: %v", req.Kind.Kind, req.Namespace, req.Name, err)
-		return allowResponse()
+		return commonadmission.Allow()
 	}
 
 	if !meta.HasCocoonToleration(workloadTolerations(&newObj)) {
-		return allowResponse()
+		return commonadmission.Allow()
 	}
 	return checkScaleDown(ctx, req, workloadReplicas(&oldObj), workloadReplicas(&newObj))
 }
@@ -94,13 +95,13 @@ func workloadTolerations[T scalable](obj *T) []corev1.Toleration {
 func checkScaleDown(ctx context.Context, req *admissionv1.AdmissionRequest, oldReplicas, newReplicas int32) *admissionv1.AdmissionResponse {
 	if newReplicas >= oldReplicas {
 		metrics.RecordAdmission(metrics.HandlerValidate, metrics.DecisionAllow)
-		return allowResponse()
+		return commonadmission.Allow()
 	}
 	msg := fmt.Sprintf(
 		"cocoon-webhook: scale-down blocked for cocoon %s %s/%s (%d -> %d). "+
 			"Use a CocoonHibernation CR to suspend individual agents.",
 		req.Kind.Kind, req.Namespace, req.Name, oldReplicas, newReplicas)
 	log.WithFunc("checkScaleDown").Warn(ctx, msg)
 	metrics.RecordAdmission(metrics.HandlerValidate, metrics.DecisionDeny)
-	return denyResponse(msg)
+	return commonadmission.Deny(msg)
 }