diff --git a/charts/gardener-extension-admission-gcp/charts/application/templates/rbac.yaml b/charts/gardener-extension-admission-gcp/charts/application/templates/rbac.yaml index ca78c25ae..122ccb6e2 100644 --- a/charts/gardener-extension-admission-gcp/charts/application/templates/rbac.yaml +++ b/charts/gardener-extension-admission-gcp/charts/application/templates/rbac.yaml @@ -9,7 +9,6 @@ rules: - apiGroups: - core.gardener.cloud resources: - - shoots - cloudprofiles - secretbindings verbs: @@ -22,8 +21,6 @@ rules: - secrets verbs: - get - - list - - watch --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding diff --git a/charts/gardener-extension-admission-gcp/charts/application/templates/validatingwebhook-validator.yaml b/charts/gardener-extension-admission-gcp/charts/application/templates/validatingwebhook-validator.yaml index 4aac99f5c..a73399b5e 100644 --- a/charts/gardener-extension-admission-gcp/charts/application/templates/validatingwebhook-validator.yaml +++ b/charts/gardener-extension-admission-gcp/charts/application/templates/validatingwebhook-validator.yaml @@ -48,7 +48,9 @@ webhooks: resources: - secrets failurePolicy: Fail - objectSelector: {} + objectSelector: + matchLabels: + provider.shoot.gardener.cloud/gcp: "true" namespaceSelector: {} sideEffects: None admissionReviewVersions: diff --git a/cmd/gardener-extension-admission-gcp/app/app.go b/cmd/gardener-extension-admission-gcp/app/app.go index 9b84a0165..25949ce12 100644 --- a/cmd/gardener-extension-admission-gcp/app/app.go +++ b/cmd/gardener-extension-admission-gcp/app/app.go 
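Review bot: With this objectSelector the label `provider.shoot.gardener.cloud/gcp: "true"` becomes the only thing that decides whether a Secret is sent to the validator, so a Secret that is referenced by a GCP Shoot but does not (yet, or any more) carry the label is admitted without the service-account check, and the validator in pkg/admission/validator/secret.go no longer looks up Shoots itself to compensate. Presumably the label is maintained on the referenced Secret by a Gardener controller, but that ordering guarantee is not visible in this commit, so I would record the dependency next to the selector: `# only Secrets labelled by Gardener as referenced by a GCP Shoot are validated; the validator does not check Shoot usage itself`. The same selector appears in example/40-validatingwebhookconfiguration.yaml and would take the same comment. The dropped `shoots` rule and `list`/`watch` verbs in rbac.yaml are consistent with that move, so reintroducing an in-process Shoot lookup later would also need those permissions back.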
@@ -24,10 +24,8 @@ import ( controllercmd "github.com/gardener/gardener/extensions/pkg/controller/cmd" "github.com/gardener/gardener/extensions/pkg/util" - "github.com/gardener/gardener/extensions/pkg/util/index" webhookcmd "github.com/gardener/gardener/extensions/pkg/webhook/cmd" "github.com/gardener/gardener/pkg/apis/core/install" - gardencorev1beta1 "github.com/gardener/gardener/pkg/apis/core/v1beta1" "github.com/spf13/cobra" componentbaseconfig "k8s.io/component-base/config" logf "sigs.k8s.io/controller-runtime/pkg/log" @@ -78,13 +76,6 @@ func NewAdmissionCommand(ctx context.Context) *cobra.Command { return fmt.Errorf("could not update manager scheme: %v", err) } - if err := mgr.GetFieldIndexer().IndexField(ctx, &gardencorev1beta1.SecretBinding{}, index.SecretRefNamespaceField, index.SecretRefNamespaceIndexerFunc); err != nil { - return err - } - if err := mgr.GetFieldIndexer().IndexField(ctx, &gardencorev1beta1.Shoot{}, index.SecretBindingNameField, index.SecretBindingNameIndexerFunc); err != nil { - return err - } - log.Info("Setting up webhook server") if err := webhookOptions.Completed().AddToManager(mgr); err != nil { diff --git a/example/40-validatingwebhookconfiguration.yaml b/example/40-validatingwebhookconfiguration.yaml index b2241f066..76d57208d 100644 --- a/example/40-validatingwebhookconfiguration.yaml +++ b/example/40-validatingwebhookconfiguration.yaml @@ -40,7 +40,9 @@ webhooks: resources: - secrets failurePolicy: Fail - objectSelector: {} + objectSelector: + matchLabels: + provider.shoot.gardener.cloud/gcp: "true" namespaceSelector: {} sideEffects: None admissionReviewVersions: diff --git a/pkg/admission/validator/secret.go b/pkg/admission/validator/secret.go index 2b4eef1f7..d362174c5 100644 --- a/pkg/admission/validator/secret.go +++ b/pkg/admission/validator/secret.go 
@@ -19,32 +19,21 @@ import ( "fmt" gcpvalidation "github.com/gardener/gardener-extension-provider-gcp/pkg/apis/gcp/validation" - "github.com/gardener/gardener-extension-provider-gcp/pkg/gcp" - secretutil "github.com/gardener/gardener/extensions/pkg/util/secret" extensionswebhook "github.com/gardener/gardener/extensions/pkg/webhook" corev1 "k8s.io/api/core/v1" "k8s.io/apimachinery/pkg/api/equality" "sigs.k8s.io/controller-runtime/pkg/client" ) -type secret struct { - client client.Client -} +type secret struct{} // NewSecretValidator returns a new instance of a secret validator. func NewSecretValidator() extensionswebhook.Validator { return &secret{} } -// InjectClient injects the given client into the validator. -func (s *secret) InjectClient(client client.Client) error { - s.client = client - return nil -} - -// Validate checks whether the given new secret is in use by Shoot with provider.type=gcp -// and if yes, it check whether the new secret contains a valid GCP service account. +// Validate checks whether the given new secret contains a valid GCP service account. func (s *secret) Validate(ctx context.Context, newObj, oldObj client.Object) error { secret, ok := newObj.(*corev1.Secret) if !ok { @@ -62,14 +51,5 @@ func (s *secret) Validate(ctx context.Context, newObj, oldObj client.Object) err } } - isInUse, err := secretutil.IsSecretInUseByShoot(ctx, s.client, secret, gcp.Type) - if err != nil { - return err - } - - if !isInUse { - return nil - } - return gcpvalidation.ValidateCloudProviderSecret(secret) } diff --git a/vendor/github.com/gardener/gardener/extensions/pkg/util/index/index.go b/vendor/github.com/gardener/gardener/extensions/pkg/util/index/index.go deleted file mode 100644 index ae5be55b1..000000000 --- a/vendor/github.com/gardener/gardener/extensions/pkg/util/index/index.go +++ /dev/null 
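Review bot: The rewritten doc comment on `Validate` no longer says when the check applies, but the condition did not disappear — the "is this secret used by a GCP Shoot" gate moved out of this file into the webhook configuration's objectSelector (charts/.../validatingwebhook-validator.yaml in this commit), and nothing in secret.go shows that coupling. I would extend the comment so the next reader does not assume the method filters on its own: `// Validate checks whether the given new secret contains a valid GCP service account.` / `// Whether a secret is relevant at all (referenced by a GCP Shoot) is decided by the webhook's` / `// objectSelector, not here; every secret the webhook delivers is checked, subject only to the oldObj comparison below.` The `ctx` parameter and the receiver are now unused, which is acceptable for satisfying extensionswebhook.Validator but worth stating if a linter flags it. The body of Validate continues past the end of this hunk; the second hunk (@@ -62) holds its final return and closing brace.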
@@ -1,45 +0,0 @@
-// Copyright (c) 2020 SAP SE or an SAP affiliate company. All rights reserved. This file is licensed under the Apache Software License, v. 2 except as noted otherwise in the LICENSE file
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package index
-
-import (
- gardencorev1beta1 "github.com/gardener/gardener/pkg/apis/core/v1beta1"
-
- "sigs.k8s.io/controller-runtime/pkg/client"
-)
-
-// SecretRefNamespaceField is the field name for the index function that extracts the corresponding field from SecretBinding.
-const SecretRefNamespaceField string = "secretRef.namespace"
-
-// SecretRefNamespaceIndexerFunc extracts the secretRef.namespace field of a SecretBinding.
-func SecretRefNamespaceIndexerFunc(rawObj client.Object) []string {
- secretBinding, ok := rawObj.(*gardencorev1beta1.SecretBinding)
- if !ok {
- return []string{}
- }
- return []string{secretBinding.SecretRef.Namespace}
-}
-
-// SecretBindingNameField is the field name for the index function that extracts the corresponding field from Shoot.
-const SecretBindingNameField string = "spec.secretBindingName"
-
-// SecretBindingNameIndexerFunc extracts the spec.secretBindingName field of a Shoot.
-func SecretBindingNameIndexerFunc(rawObj client.Object) []string {
- shoot, ok := rawObj.(*gardencorev1beta1.Shoot)
- if !ok {
- return []string{}
- }
- return []string{shoot.Spec.SecretBindingName}
-}
diff --git a/vendor/github.com/gardener/gardener/extensions/pkg/util/secret/secret.go b/vendor/github.com/gardener/gardener/extensions/pkg/util/secret/secret.go
deleted file mode 100644
index 77e1075fb..000000000
--- a/vendor/github.com/gardener/gardener/extensions/pkg/util/secret/secret.go
+++ /dev/null
@@ -1,58 +0,0 @@
-// Copyright (c) 2020 SAP SE or an SAP affiliate company. All rights reserved. This file is licensed under the Apache Software License, v. 2 except as noted otherwise in the LICENSE file
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package secret
-
-import (
- "context"
-
- "github.com/gardener/gardener/extensions/pkg/util/index"
- gardencorev1beta1 "github.com/gardener/gardener/pkg/apis/core/v1beta1"
-
- corev1 "k8s.io/api/core/v1"
- "sigs.k8s.io/controller-runtime/pkg/client"
-)
-
-// IsSecretInUseByShoot checks whether the given secret is in use by Shoot with the given provider type.
-func IsSecretInUseByShoot(ctx context.Context, c client.Client, secret *corev1.Secret, providerType string) (bool, error) {
- // TODO: controller-runtime cached client does not support non-exact field matches.
- // Once this limitation is removed, we can add client.MatchingFields by secretRef.name and secretRef.namespace.
- secretBindings := &gardencorev1beta1.SecretBindingList{}
- if err := c.List(ctx, secretBindings,
- client.MatchingFields{index.SecretRefNamespaceField: secret.Namespace}); err != nil {
- return false, err
- }
-
- for _, secretBinding := range secretBindings.Items {
- // Filter out the SecretBindings that do not reference the given secret
- if secretBinding.SecretRef.Name != secret.Name {
- continue
- }
-
- shoots := &gardencorev1beta1.ShootList{}
- if err := c.List(ctx, shoots,
- client.InNamespace(secretBinding.Namespace),
- client.MatchingFields{index.SecretBindingNameField: secretBinding.Name}); err != nil {
- return false, err
- }
-
- for _, shoot := range shoots.Items {
- if shoot.Spec.Provider.Type == providerType {
- return true, nil
- }
- }
- }
-
- return false, nil
-}
diff --git a/vendor/modules.txt b/vendor/modules.txt
index 52cbd3e29..d4f31ae61 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -90,8 +90,6 @@ github.com/gardener/gardener/extensions/pkg/predicate
 github.com/gardener/gardener/extensions/pkg/terraformer
 github.com/gardener/gardener/extensions/pkg/terraformer/mock
 github.com/gardener/gardener/extensions/pkg/util
-github.com/gardener/gardener/extensions/pkg/util/index
-github.com/gardener/gardener/extensions/pkg/util/secret
 github.com/gardener/gardener/extensions/pkg/webhook
 github.com/gardener/gardener/extensions/pkg/webhook/cmd
 github.com/gardener/gardener/extensions/pkg/webhook/context