Skip to content

Commit

Permalink
add ephemeraljob validating webhook, add validation&ut
Browse files Browse the repository at this point in the history
Signed-off-by: Abner-1 <Abner199709@gmail.com>
  • Loading branch information
ABNER-1 committed May 20, 2024
1 parent 1bc8d85 commit fc48f67
Show file tree
Hide file tree
Showing 8 changed files with 976 additions and 1 deletion.
21 changes: 21 additions & 0 deletions config/webhook/manifests.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -470,6 +470,27 @@ webhooks:
resources:
- daemonsets
sideEffects: None
- admissionReviewVersions:
- v1
- v1beta1
clientConfig:
service:
name: webhook-service
namespace: system
path: /validate-apps-kruise-io-v1alpha1-ephemeraljob
failurePolicy: Fail
name: vephemeraljobs.kb.io
rules:
- apiGroups:
- apps.kruise.io
apiVersions:
- v1alpha1
operations:
- CREATE
- UPDATE
resources:
- ephemeraljobs
sideEffects: None
- admissionReviewVersions:
- v1
- v1beta1
Expand Down
25 changes: 25 additions & 0 deletions pkg/webhook/add_ephemeraljob.go
Original file line number Diff line number Diff line change
@@ -0,0 +1,25 @@
/*
Copyright 2021 The Kruise Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

package webhook

import (
"github.com/openkruise/kruise/pkg/webhook/ephemeraljob/validating"
)

func init() {
addHandlers(validating.HandlerGetterMap)
}
Original file line number Diff line number Diff line change
@@ -0,0 +1,70 @@
/*
Copyright 2021 The Kruise Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

package validating

import (
"context"
"net/http"

"k8s.io/apimachinery/pkg/util/validation/field"
"k8s.io/klog/v2"
"k8s.io/kubernetes/pkg/apis/core/validation"
"sigs.k8s.io/controller-runtime/pkg/manager"
"sigs.k8s.io/controller-runtime/pkg/webhook/admission"

appsv1alpha1 "github.com/openkruise/kruise/apis/apps/v1alpha1"
"github.com/openkruise/kruise/pkg/webhook/util/convertor"
)

// EphemeralJobCreateUpdateHandler handles EphemeralJob
type EphemeralJobCreateUpdateHandler struct {
// Decoder decodes objects
Decoder *admission.Decoder
}

var _ admission.Handler = &EphemeralJobCreateUpdateHandler{}

func NewHandler(mgr manager.Manager) admission.Handler {
return &EphemeralJobCreateUpdateHandler{Decoder: admission.NewDecoder(mgr.GetScheme())}
}

// Handle handles admission requests.
func (h *EphemeralJobCreateUpdateHandler) Handle(ctx context.Context, req admission.Request) admission.Response {
obj := &appsv1alpha1.EphemeralJob{}

err := h.Decoder.Decode(req, obj)
if err != nil {
return admission.Errored(http.StatusBadRequest, err)
}

if err := validate(obj); err != nil {
klog.Warningf("Error validate EphemeralJob %s: %v", obj.Name, err)
return admission.Errored(http.StatusBadRequest, err)
}

return admission.ValidationResponse(true, "allowed")
}

func validate(obj *appsv1alpha1.EphemeralJob) error {
ecs, err := convertor.ConvertEphemeralContainer(obj.Spec.Template.EphemeralContainers)
if err != nil {
return err
}
// don't validate EphemeralContainer TargetContainerName
allErrs := validateEphemeralContainers(ecs, field.NewPath("ephemeralContainers"), validation.PodValidationOptions{})
return allErrs.ToAggregate()
}
Original file line number Diff line number Diff line change
@@ -0,0 +1,170 @@
package validating

import (
"context"
"fmt"
"net/http"
"reflect"
"testing"

admissionv1 "k8s.io/api/admission/v1"
"k8s.io/apimachinery/pkg/runtime"
"sigs.k8s.io/controller-runtime/pkg/webhook/admission"

alpha1 "github.com/openkruise/kruise/apis/apps/v1alpha1"
)

var scheme = runtime.NewScheme()

func init() {
scheme = runtime.NewScheme()
_ = alpha1.AddToScheme(scheme)
}

func getFailedJSON() string {
return `{
"apiVersion": "apps.kruise.io/v1alpha1",
"kind": "EphemeralJob",
"metadata": {
"creationTimestamp": "2024-05-09T08:29:50Z",
"generation": 1,
"name": "ephermeraljob-sample",
"namespace": "test"
},
"spec": {
"parallelism": 1,
"replicas": 1,
"selector": {
"matchLabels": {
"app": "test-2"
}
},
"template": {
"ephemeralContainers": {
"ephemeralContainerCommon": {
"image": "busybox",
"imagePullPolicy": "IfNotPresent",
"name": "debugger",
"securityContext": {
"capabilities": {
"add": [
"SYS_ADMIN",
"NET_ADMIN"
]
}
},
"terminationMessagePolicy": "File"
},
"targetContainerName": "test"
}
},
"ttlSecondsAfterFinished": 1800
}
}`
}

func getOKJSON(targetContainerName string) string {
return fmt.Sprintf(`{
"apiVersion": "apps.kruise.io/v1alpha1",
"kind": "EphemeralJob",
"metadata": {
"name": "ephermeraljob-sample",
"namespace": "test"
},
"spec": {
"parallelism": 1,
"replicas": 1,
"selector": {
"matchLabels": {
"app": "test-2"
}
},
"template": {
"ephemeralContainers": [{
"image": "busybox",
"imagePullPolicy": "IfNotPresent",
"name": "debugger",
"securityContext": {
"capabilities": {
"add": [
"SYS_ADMIN",
"NET_ADMIN"
]
}
},
"terminationMessagePolicy": "File",
"targetContainerName": "%v"
}]
},
"ttlSecondsAfterFinished": 1800
}
}`, targetContainerName)
}

func TestEphemeralJobCreateUpdateHandler_Handle(t *testing.T) {
type args struct {
req admission.Request
}
tests := []struct {
name string
args args
wantOK bool
}{
{
name: "failed case",
wantOK: false,
args: args{
req: admission.Request{
AdmissionRequest: admissionv1.AdmissionRequest{
Operation: admissionv1.Create,
Object: runtime.RawExtension{
Raw: []byte(getFailedJSON()),
},
},
},
},
},
{
name: "ok case with empty targetContainerName",
wantOK: true,
args: args{
req: admission.Request{
AdmissionRequest: admissionv1.AdmissionRequest{
Operation: admissionv1.Create,
Object: runtime.RawExtension{
Raw: []byte(getOKJSON("")),
},
},
},
},
},
{
name: "ok case with targetContainerName",
wantOK: true,
args: args{
req: admission.Request{
AdmissionRequest: admissionv1.AdmissionRequest{
Operation: admissionv1.Create,
Object: runtime.RawExtension{
Raw: []byte(getOKJSON("test")),
},
},
},
},
},
}

d := admission.NewDecoder(scheme)
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
h := &EphemeralJobCreateUpdateHandler{
Decoder: d,
}
if got := h.Handle(context.TODO(), tt.args.req); !reflect.DeepEqual(got.Allowed, tt.wantOK) {
t.Errorf("Handle() = %v, want %v", got.Result.Code == http.StatusOK, tt.wantOK)
} else if !got.Allowed {
t.Log(got.Result.Message)
}
})
}
}
Loading

0 comments on commit fc48f67

Please sign in to comment.