Merge pull request #36721 from smarterclayton/initializers

Automatic merge from submit-queue Add initializer support to admission and uninitialized filtering to rest storage Initializers are the opposite of finalizers - they allow API clients to react to object creation and populate fields prior to other clients seeing them. High level description: 1. Add `metadata.initializers` field to all objects 2. By default, filter objects with > 0 initializers from LIST and WATCH to preserve legacy client behavior (known as partially-initialized objects) 3. Add an admission controller that populates .initializer values per type, and denies mutation of initializers except by certain privilege levels (you must have the `initialize` verb on a resource) 4. Allow partially-initialized objects to be viewed via LIST and WATCH for initializer types 5. When creating objects, the object is "held" by the server until the initializers list is empty 6. Allow some creators to bypass initialization (set initializers to `[]`), or to have the result returned immediately when the object is created. The code here should be backwards compatible for all clients because they do not see partially initialized objects unless they GET the resource directly. The watch cache makes checking for partially initialized objects cheap. Some reflectors may need to change to ask for partially-initialized objects. ```release-note Kubernetes resources, when the `Initializers` admission controller is enabled, can be initialized (defaulting or other additive functions) by other agents in the system prior to those resources being visible to other clients. An initialized resource is not visible to clients unless they request (for get, list, or watch) to see uninitialized resources with the `?includeUninitialized=true` query parameter. Once the initializers have completed the resource is then visible. Clients must have the the ability to perform the `initialize` action on a resource in order to modify it prior to initialization being completed. ```
2017-06-03 07:16:52 -07:00
parent e6c74bbaaf b993f7d303
commit 07f85565a2
146 changed files with 1318 additions and 406 deletions
--- a/plugin/BUILD
+++ b/plugin/BUILD
@@ -22,6 +22,7 @@ filegroup(
        "//plugin/pkg/admission/exec:all-srcs",
        "//plugin/pkg/admission/gc:all-srcs",
        "//plugin/pkg/admission/imagepolicy:all-srcs",
+        "//plugin/pkg/admission/initialization:all-srcs",
        "//plugin/pkg/admission/initialresources:all-srcs",
        "//plugin/pkg/admission/limitranger:all-srcs",
        "//plugin/pkg/admission/namespace/autoprovision:all-srcs",
--- a/plugin/pkg/admission/initialization/BUILD
+++ b/plugin/pkg/admission/initialization/BUILD
@@ -0,0 +1,38 @@
+package(default_visibility = ["//visibility:public"])
+
+licenses(["notice"])
+
+load(
+    "@io_bazel_rules_go//go:def.bzl",
+    "go_library",
+)
+
+go_library(
+    name = "go_default_library",
+    srcs = ["initialization.go"],
+    tags = ["automanaged"],
+    deps = [
+        "//vendor/github.com/golang/glog:go_default_library",
+        "//vendor/k8s.io/apimachinery/pkg/api/errors:go_default_library",
+        "//vendor/k8s.io/apimachinery/pkg/api/meta:go_default_library",
+        "//vendor/k8s.io/apimachinery/pkg/api/validation:go_default_library",
+        "//vendor/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
+        "//vendor/k8s.io/apimachinery/pkg/runtime/schema:go_default_library",
+        "//vendor/k8s.io/apimachinery/pkg/util/validation/field:go_default_library",
+        "//vendor/k8s.io/apiserver/pkg/admission:go_default_library",
+        "//vendor/k8s.io/apiserver/pkg/authorization/authorizer:go_default_library",
+    ],
+)
+
+filegroup(
+    name = "package-srcs",
+    srcs = glob(["**"]),
+    tags = ["automanaged"],
+    visibility = ["//visibility:private"],
+)
+
+filegroup(
+    name = "all-srcs",
+    srcs = [":package-srcs"],
+    tags = ["automanaged"],
+)
--- a/plugin/pkg/admission/initialization/initialization.go
+++ b/plugin/pkg/admission/initialization/initialization.go
@@ -0,0 +1,173 @@
+/*
+Copyright 2014 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package initialization
+
+import (
+	"fmt"
+	"io"
+
+	"github.com/golang/glog"
+
+	"k8s.io/apimachinery/pkg/api/errors"
+	"k8s.io/apimachinery/pkg/api/meta"
+	"k8s.io/apimachinery/pkg/api/validation"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"k8s.io/apimachinery/pkg/util/validation/field"
+	"k8s.io/apiserver/pkg/admission"
+	"k8s.io/apiserver/pkg/authorization/authorizer"
+)
+
+// Register registers a plugin
+func Register(plugins *admission.Plugins) {
+	plugins.Register("Initializers", func(config io.Reader) (admission.Interface, error) {
+		return NewInitializer(), nil
+	})
+}
+
+type initializerOptions struct {
+	Initializers []string
+}
+
+type initializer struct {
+	resources  map[schema.GroupResource]initializerOptions
+	authorizer authorizer.Authorizer
+}
+
+// NewAlwaysAdmit creates a new always admit admission handler
+func NewInitializer() admission.Interface {
+	return &initializer{
+		resources: map[schema.GroupResource]initializerOptions{
+		//schema.GroupResource{Resource: "pods"}: {Initializers: []string{"Test"}},
+		},
+	}
+}
+
+func (i *initializer) Validate() error {
+	return nil
+}
+
+func (i *initializer) SetAuthorizer(a authorizer.Authorizer) {
+	i.authorizer = a
+}
+
+var initializerFieldPath = field.NewPath("metadata", "initializers")
+
+func (i *initializer) Admit(a admission.Attributes) (err error) {
+	// TODO: sub-resource action should be denied until the object is initialized
+	if len(a.GetSubresource()) > 0 {
+		return nil
+	}
+
+	resource, ok := i.resources[a.GetResource().GroupResource()]
+	if !ok {
+		return nil
+	}
+
+	switch a.GetOperation() {
+	case admission.Create:
+		accessor, err := meta.Accessor(a.GetObject())
+		if err != nil {
+			// objects without meta accessor cannot be checked for initialization, and it is possible to make calls
+			// via our API that don't have ObjectMeta
+			return nil
+		}
+		existing := accessor.GetInitializers()
+		// it must be possible for some users to bypass initialization - for now, check the initialize operation
+		if existing != nil {
+			if err := i.canInitialize(a); err != nil {
+				return err
+			}
+		}
+
+		// TODO: pull this from config
+		accessor.SetInitializers(copiedInitializers(resource.Initializers))
+
+	case admission.Update:
+		accessor, err := meta.Accessor(a.GetObject())
+		if err != nil {
+			// objects without meta accessor cannot be checked for initialization, and it is possible to make calls
+			// via our API that don't have ObjectMeta
+			return nil
+		}
+		updated := accessor.GetInitializers()
+
+		existingAccessor, err := meta.Accessor(a.GetOldObject())
+		if err != nil {
+			// if the old object does not have an accessor, but the new one does, error out
+			return fmt.Errorf("initialized resources must be able to set initializers (%T): %v", a.GetOldObject(), err)
+		}
+		existing := existingAccessor.GetInitializers()
+
+		// because we are called before validation, we need to ensure the update transition is valid.
+		if errs := validation.ValidateInitializersUpdate(updated, existing, initializerFieldPath); len(errs) > 0 {
+			return errors.NewInvalid(a.GetKind().GroupKind(), a.GetName(), errs)
+		}
+
+		// caller must have the ability to mutate un-initialized resources
+		if err := i.canInitialize(a); err != nil {
+			return err
+		}
+
+		// TODO: restrict initialization list changes to specific clients?
+	}
+
+	return nil
+}
+
+func (i *initializer) canInitialize(a admission.Attributes) error {
+	// if no authorizer is present, the initializer plugin allows modification of uninitialized resources
+	if i.authorizer == nil {
+		glog.V(4).Infof("No authorizer provided to initialization admission control, unable to check permissions")
+		return nil
+	}
+	// caller must have the ability to mutate un-initialized resources
+	authorized, reason, err := i.authorizer.Authorize(authorizer.AttributesRecord{
+		Name:            a.GetName(),
+		ResourceRequest: true,
+		User:            a.GetUserInfo(),
+		Verb:            "initialize",
+		Namespace:       a.GetNamespace(),
+		APIGroup:        a.GetResource().Group,
+		APIVersion:      a.GetResource().Version,
+		Resource:        a.GetResource().Resource,
+	})
+	if err != nil {
+		return err
+	}
+	if !authorized {
+		return fmt.Errorf("user must have permission to initialize resources: %s", reason)
+	}
+	return nil
+}
+
+func (i *initializer) Handles(op admission.Operation) bool {
+	return true
+}
+
+func copiedInitializers(names []string) *metav1.Initializers {
+	if len(names) == 0 {
+		return nil
+	}
+	var init []metav1.Initializer
+	for _, name := range names {
+		init = append(init, metav1.Initializer{Name: name})
+	}
+	return &metav1.Initializers{
+		Pending: init,
+	}
+}