issue-747: add ValidatingAdmissionPolicy
shunki-fujita committed Oct 25, 2024
1 parent 9e10394 commit b548265
Showing 3 changed files with 72 additions and 0 deletions.
44 changes: 44 additions & 0 deletions charts/moco/templates/generated/generated.yaml
Expand Up @@ -373,6 +373,50 @@ spec:
app.kubernetes.io/name: '{{ include "moco.name" . }}'
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicy
metadata:
labels:
app.kubernetes.io/managed-by: '{{ .Release.Service }}'
app.kubernetes.io/name: '{{ include "moco.name" . }}'
app.kubernetes.io/version: '{{ .Chart.AppVersion }}'
helm.sh/chart: '{{ include "moco.chart" . }}'
name: moco-delete-validator
namespace: '{{ .Release.Namespace }}'
spec:
failurePolicy: Fail
matchConstraints:
resourceRules:
- apiGroups:
- ""
apiVersions:
- '*'
operations:
- DELETE
resources:
- pods
validations:
- expression: |
!has(oldObject.metadata.annotations) ||
!("moco.cybozu.com/prevent" in oldObject.metadata.annotations) ||
!(oldObject.metadata.annotations["moco.cybozu.com/prevent"] == "delete")
messageExpression: oldObject.metadata.name + ' is protected from deletion'
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicyBinding
metadata:
labels:
app.kubernetes.io/managed-by: '{{ .Release.Service }}'
app.kubernetes.io/name: '{{ include "moco.name" . }}'
app.kubernetes.io/version: '{{ .Chart.AppVersion }}'
helm.sh/chart: '{{ include "moco.chart" . }}'
name: moco-delete-validator
namespace: '{{ .Release.Namespace }}'
spec:
policyName: moco-delete-validator
validationActions:
- Deny
---
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
annotations:
1 change: 1 addition & 0 deletions config/webhook/kustomization.yaml
@@ -1,6 +1,7 @@
resources:
- manifests.yaml
- service.yaml
- validate_preventdelete.yaml

configurations:
- kustomizeconfig.yaml
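--- a/config/webhook/validate_preventdelete.yaml
+++ b/config/webhook/validate_preventdelete.yaml
@@ -0,0 +1,27 @@
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicy
+metadata:
+name: delete-validator
+spec:
+failurePolicy: Fail
+matchConstraints:
+resourceRules:
+- apiGroups: [""]
+apiVersions: ["*"]
+operations: ["DELETE"]
+resources: ["pods"]
+validations:
+- expression: |
+!has(oldObject.metadata.annotations) ||
+!("moco.cybozu.com/prevent" in oldObject.metadata.annotations) ||
+!(oldObject.metadata.annotations["moco.cybozu.com/prevent"] == "delete")
+messageExpression: oldObject.metadata.name + ' is protected from deletion'
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicyBinding
+metadata:
+name: delete-validator
+spec:
+policyName: moco-delete-validator
+validationActions:
+- Deny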
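Review bot: The binding's `policyName: moco-delete-validator` hard-codes the `moco-` prefix while the policy in the same file is declared as `delete-validator`, so the reference only resolves after kustomize's namePrefix is applied, and by the API contract a binding whose policy does not exist is treated as invalid and ignored — the protection would then silently not be enforced rather than fail loudly. A comment above that line such as `# must equal the policy name after kustomize's namePrefix; the reference is not rewritten automatically` would make the coupling visible, or a nameReference entry in kustomizeconfig.yaml could replace the hard-coding if the kustomize version in use does not handle it already. With `failurePolicy: Fail` and no `matchResources` on the binding, the rule applies to DELETE of every pod in the cluster, so any evaluation error would block all pod deletions; the `has()` and `in` guards make that unlikely, but the cluster-wide scope is worth stating in the commit description. In the generated chart output (charts/moco/templates/generated/generated.yaml) both objects also carry `namespace: '{{ .Release.Namespace }}'`, yet ValidatingAdmissionPolicy and its Binding are cluster-scoped — presumably the generator adds it to every object; confirm it is dropped or tolerated on install.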
