Exclude CNI, CSI namespaces from mutation
This commit is contained in:
parent
700af5259b
commit
81fe2eb69f
@ -10,6 +10,18 @@ from sanic.response import json
|
|||||||
from image_mutation import mutate_image
|
from image_mutation import mutate_image
|
||||||
from harbor_wrapper import Harbor
|
from harbor_wrapper import Harbor
|
||||||
|
|
||||||
|
mutation_excluded_namespaces = set([
|
||||||
|
# Do not fiddle with CNI stuff
|
||||||
|
"kube-system", # kube-proxy hosted here
|
||||||
|
"tigera-operator",
|
||||||
|
"calico-system",
|
||||||
|
|
||||||
|
# Do not fiddle with CSI stuff
|
||||||
|
"longhorn-system",
|
||||||
|
|
||||||
|
# Don't touch Harbor itself
|
||||||
|
"harbor-operator",
|
||||||
|
])
|
||||||
harbor = Harbor(os.environ["HARBOR_URI"])
|
harbor = Harbor(os.environ["HARBOR_URI"])
|
||||||
cached_registries = set()
|
cached_registries = set()
|
||||||
app = Sanic("admission_control")
|
app = Sanic("admission_control")
|
||||||
@ -18,6 +30,12 @@ app = Sanic("admission_control")
|
|||||||
@app.post("/")
|
@app.post("/")
|
||||||
async def admission_control_handler(request):
|
async def admission_control_handler(request):
|
||||||
patches = []
|
patches = []
|
||||||
|
pod_namespace = request.json["request"]["object"]["metadata"]["namespace"]
|
||||||
|
pod_name = request.json["request"]["object"]["metadata"].get("name", "")
|
||||||
|
pod_ref = "%s/%s" % (pod_namespace, pod_name)
|
||||||
|
if pod_namespace in mutation_excluded_namespaces:
|
||||||
|
print("Pod %s not mutated by namespace exclusion" % pod_ref)
|
||||||
|
else:
|
||||||
for index, container in enumerate(request.json["request"]["object"]["spec"]["containers"]):
|
for index, container in enumerate(request.json["request"]["object"]["spec"]["containers"]):
|
||||||
mutated_image = mutate_image(container["image"], harbor.hostname, cached_registries)
|
mutated_image = mutate_image(container["image"], harbor.hostname, cached_registries)
|
||||||
patches.append({
|
patches.append({
|
||||||
@ -25,10 +43,8 @@ async def admission_control_handler(request):
|
|||||||
"path": "/spec/containers/%d/image" % index,
|
"path": "/spec/containers/%d/image" % index,
|
||||||
"value": mutated_image,
|
"value": mutated_image,
|
||||||
})
|
})
|
||||||
print("Substituting %s with %s for pod %s/%s" % (
|
print("Substituting %s with %s for pod %s" % (
|
||||||
container["image"], mutated_image,
|
container["image"], mutated_image, pod_ref))
|
||||||
request.json["request"]["object"]["metadata"]["namespace"],
|
|
||||||
request.json["request"]["object"]["metadata"]["name"]))
|
|
||||||
response = {
|
response = {
|
||||||
"apiVersion": "admission.k8s.io/v1",
|
"apiVersion": "admission.k8s.io/v1",
|
||||||
"kind": "AdmissionReview",
|
"kind": "AdmissionReview",
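Review bot: In the second hunk the new exclusion check reads `pod_namespace = request.json["request"]["object"]["metadata"]["namespace"]` with a direct index, while the name on the next line is read defensively with `.get("name", "")`; a submitted object with no `metadata.namespace` raises KeyError, the webhook answers 500, and depending on the webhook's failurePolicy (not visible here) that either blocks every pod admission or lets the pod through unmutated. The AdmissionReview request carries the namespace the API server resolved in `request.json["request"]["namespace"]`, which is the authoritative value to test against the exclusion set, e.g. `pod_namespace = request.json["request"].get("namespace") or request.json["request"]["object"]["metadata"].get("namespace", "")`. An exclusion enforced inside the webhook also still requires the webhook to be reachable before a kube-system or calico-system pod is admitted, so a webhook outage can wedge the CNI/CSI it is trying to stay clear of; putting the exclusion (at least for these namespaces) into a `namespaceSelector` on the MutatingWebhookConfiguration keeps the API server from calling the webhook for them at all, and the in-code set then serves as defence in depth. admission_control_handler continues past the end of this hunk.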
|
||||||
|