refactor(kube-api-rewriter): rewrite owner refs (#108)

Signed-off-by: Dmitry Lopatin <[email protected]>
deckhouse · May 31, 2024 · 9426767 · 9426767
1 parent 2dd0301
commit 9426767
Show file tree

Hide file tree

Showing 3 changed files with 73 additions and 41 deletions.
diff --git a/images/kube-api-proxy/pkg/rewriter/rbac.go b/images/kube-api-proxy/pkg/rewriter/rbac.go
@@ -8,10 +8,18 @@ import (
 )
 
 const (
-	ClusterRoleKind     = "ClusterRole"
-	ClusterRoleListKind = "ClusterRoleList"
-	RoleKind            = "Role"
-	RoleListKind        = "RoleList"
+	ClusterRoleKind             = "ClusterRole"
+	ClusterRoleListKind         = "ClusterRoleList"
+	RoleKind                    = "Role"
+	RoleListKind                = "RoleList"
+	RoleBindingKind             = "RoleBinding"
+	RoleBindingListKind         = "RoleBindingList"
+	PodDisruptionBudgetKind     = "PodDisruptionBudget"
+	PodDisruptionBudgetListKind = "PodDisruptionBudgetList"
+	ControllerRevisionKind      = "ControllerRevision"
+	ControllerRevisionListKind  = "ControllerRevisionList"
+	DeploymentKind              = "Deployment"
+	DeploymentListKind          = "DeploymentList"
 )
 
 func RewriteClusterRoleOrList(rules *RewriteRules, obj []byte, action Action) ([]byte, error) {

diff --git a/images/kube-api-proxy/pkg/rewriter/rule_rewriter.go b/images/kube-api-proxy/pkg/rewriter/rule_rewriter.go
@@ -191,6 +191,15 @@ func (rw *RuleBasedRewriter) RewriteJSONPayload(targetReq *TargetRequest, obj []
 		return obj, err
 	}
 
+	if shouldRewriteOwnerReferences(kind) {
+		rwrBytes, err = RewriteOwnerReferences(rw.Rules, rwrBytes, action)
+	}
+
+	// Return obj bytes as-is in case of the error.
+	if err != nil {
+		return obj, err
+	}
+
 	return rwrBytes, nil
 }
 
@@ -209,3 +218,17 @@ func (rw *RuleBasedRewriter) RewritePatch(targetReq *TargetRequest, obj []byte)
 
 	return obj, nil
 }
+
+func shouldRewriteOwnerReferences(resourceType string) bool {
+	switch resourceType {
+	case CRDKind, CRDListKind,
+		RoleKind, RoleListKind,
+		RoleBindingKind, RoleBindingListKind,
+		PodDisruptionBudgetKind, PodDisruptionBudgetListKind,
+		ControllerRevisionKind, ControllerRevisionListKind,
+		DeploymentKind, DeploymentListKind:
+		return true
+	}
+
+	return false
+}
diff --git a/images/kube-api-proxy/pkg/rewriter/target_request.go b/images/kube-api-proxy/pkg/rewriter/target_request.go
@@ -113,6 +113,7 @@ func (tr *TargetRequest) RawQuery() string {
 // ShouldRewriteRequest returns true if incoming payload should
 // be rewritten.
 func (tr *TargetRequest) ShouldRewriteRequest() bool {
+
 	// Consider known webhook should be rewritten. Unknown paths will be passed as-is.
 	if tr.webhookRule != nil {
 		return true
@@ -126,28 +127,12 @@ func (tr *TargetRequest) ShouldRewriteRequest() bool {
 		if tr.targetEndpoint == nil {
 			// Pass resources without rules as is, except some special types.
 
-			if tr.originEndpoint.IsCore {
-				switch tr.originEndpoint.ResourceType {
-				case "pods":
-					return true
-				}
-			}
-
-			switch tr.originEndpoint.ResourceType {
-			case "mutatingwebhookconfigurations",
-				"validatingwebhookconfigurations",
-				"clusterroles",
-				"roles":
-				return true
-			}
-
 			// Rewrite request body when creating CRD.
 			if tr.originEndpoint.ResourceType == "customresourcedefinitions" && tr.originEndpoint.Name == "" {
 				return true
 			}
 
-			// Should not rewrite request if path is not rewritten.
-			return false
+			return shouldRewriteResource(tr.originEndpoint.ResourceType, tr.originEndpoint.IsCore)
 		}
 	}
 
@@ -171,16 +156,6 @@ func (tr *TargetRequest) ShouldRewriteResponse() bool {
 		return false
 	}
 
-	// Some core resources should be rewritten.
-	if tr.originEndpoint.IsCore {
-		switch tr.originEndpoint.ResourceType {
-		case "pods":
-			return true
-			// pods should be rewritten
-		}
-		return false
-	}
-
 	if tr.originEndpoint.IsCRD {
 		// Rewrite CRD List.
 		if tr.originEndpoint.Name == "" {
@@ -203,16 +178,7 @@ func (tr *TargetRequest) ShouldRewriteResponse() bool {
 		return true
 	}
 
-	// Rewrite special resources.
-	switch tr.originEndpoint.ResourceType {
-	// Webhook configurations should be rewritten.
-	case "mutatingwebhookconfigurations",
-		"validatingwebhookconfigurations",
-		"clusterroles":
-		return true
-	}
-
-	return false
+	return shouldRewriteResource(tr.originEndpoint.ResourceType, tr.originEndpoint.IsCore)
 }
 
 func (tr *TargetRequest) ResourceForLog() string {
@@ -276,3 +242,38 @@ func (tr *TargetRequest) ResourceForLog() string {
 
 	return "UNKNOWN"
 }
+
+func shouldRewriteResource(kind string, isCore bool) bool {
+	// Some core resources should be rewritten.
+	if isCore {
+		switch kind {
+		case "pods",
+			"configmaps",
+			"secrets",
+			"services",
+			"serviceaccounts":
+
+			return true
+		}
+		return false
+	}
+
+	// Rewrite special resources.
+	switch kind {
+	case "mutatingwebhookconfigurations",
+		"validatingwebhookconfigurations",
+		"clusterroles",
+		"roles",
+		"rolebindings",
+		"clusterrolebindings",
+		"deployments",
+		"statefulsets",
+		"daemonsets",
+		"poddisruptionbudgets",
+		"controllerrevisions":
+
+		return true
+	}
+
+	return false
+}