|
| 1 | +/* |
| 2 | +Copyright 2014 Google Inc. All rights reserved. |
| 3 | +
|
| 4 | +Licensed under the Apache License, Version 2.0 (the "License"); |
| 5 | +you may not use this file except in compliance with the License. |
| 6 | +You may obtain a copy of the License at |
| 7 | +
|
| 8 | + http://www.apache.org/licenses/LICENSE-2.0 |
| 9 | +
|
| 10 | +Unless required by applicable law or agreed to in writing, software |
| 11 | +distributed under the License is distributed on an "AS IS" BASIS, |
| 12 | +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| 13 | +See the License for the specific language governing permissions and |
| 14 | +limitations under the License. |
| 15 | +*/ |
| 16 | + |
| 17 | +package serviceaccount |
| 18 | + |
| 19 | +import ( |
| 20 | + "fmt" |
| 21 | + "io" |
| 22 | + |
| 23 | + "code.google.com/p/go-uuid/uuid" |
| 24 | + |
| 25 | + "github.com/GoogleCloudPlatform/kubernetes/pkg/admission" |
| 26 | + "github.com/GoogleCloudPlatform/kubernetes/pkg/api" |
| 27 | + "github.com/GoogleCloudPlatform/kubernetes/pkg/client" |
| 28 | + "github.com/GoogleCloudPlatform/kubernetes/pkg/util" |
| 29 | +) |
| 30 | + |
| 31 | +const DefaultServiceAccountName = "default" |
| 32 | +const DefaultAPITokenMountPath = "/var/run/secrets/kubernetes.io/serviceaccount" |
| 33 | + |
| 34 | +func init() { |
| 35 | + admission.RegisterPlugin("ServiceAccount", func(client client.Interface, config io.Reader) (admission.Interface, error) { |
| 36 | + return NewServiceAccount(client), nil |
| 37 | + }) |
| 38 | +} |
| 39 | + |
| 40 | +type serviceAccount struct { |
| 41 | + client client.Interface |
| 42 | +} |
| 43 | + |
| 44 | +func NewServiceAccount(client client.Interface) admission.Interface { |
| 45 | + return &serviceAccount{client: client} |
| 46 | +} |
| 47 | + |
| 48 | +func (s *serviceAccount) Admit(a admission.Attributes) (err error) { |
| 49 | + if a.GetOperation() != "CREATE" && a.GetOperation() != "UPDATE" { |
| 50 | + return nil |
| 51 | + } |
| 52 | + |
| 53 | + obj := a.GetObject() |
| 54 | + if obj == nil { |
| 55 | + return nil |
| 56 | + } |
| 57 | + |
| 58 | + pod, ok := obj.(*api.Pod) |
| 59 | + if !ok { |
| 60 | + return nil |
| 61 | + } |
| 62 | + |
| 63 | + if len(pod.Spec.ServiceAccount) == 0 { |
| 64 | + pod.Spec.ServiceAccount = DefaultServiceAccountName |
| 65 | + } |
| 66 | + |
| 67 | + serviceAccount, err := s.client.ServiceAccounts(a.GetNamespace()).Get(pod.Spec.ServiceAccount) |
| 68 | + if err != nil { |
| 69 | + return admission.NewForbidden(a, err) |
| 70 | + } |
| 71 | + |
| 72 | + if len(serviceAccount.APISecret) == 0 { |
| 73 | + return admission.NewForbidden(a, fmt.Errorf("Associated service account %s does not have an APISecret set")) |
| 74 | + } |
| 75 | + |
| 76 | + // Remember all volume names so we can uniquify |
| 77 | + allVolumeNames := util.NewStringSet() |
| 78 | + // Remember secret volume names and mounted volume names so we can cull old API token volumes |
| 79 | + mountedVolumeNames := util.NewStringSet() |
| 80 | + obsoleteVolumeNames := util.NewStringSet() |
| 81 | + |
| 82 | + // Find the volume and volume name for the APISecret if it already exists |
| 83 | + apiSecretVolumeName := "" |
| 84 | + for _, volume := range pod.Spec.Volumes { |
| 85 | + allVolumeNames.Insert(volume.Name) |
| 86 | + if volume.Secret == nil { |
| 87 | + continue |
| 88 | + } |
| 89 | + if volume.Secret.SecretName != serviceAccount.APISecret { |
| 90 | + continue |
| 91 | + } |
| 92 | + apiSecretVolumeName = volume.Name |
| 93 | + break |
| 94 | + } |
| 95 | + |
| 96 | + // Create the volume and volume name for the APISecret |
| 97 | + if len(apiSecretVolumeName) == 0 { |
| 98 | + // TODO: uniquify name against allVolumeNames |
| 99 | + apiSecretVolumeName = fmt.Sprintf("%s-api-secret-%s", serviceAccount.Name, uuid.New()) |
| 100 | + volume := api.Volume{ |
| 101 | + Name: apiSecretVolumeName, |
| 102 | + VolumeSource: api.VolumeSource{ |
| 103 | + Secret: &api.SecretVolumeSource{ |
| 104 | + SecretName: serviceAccount.APISecret, |
| 105 | + }, |
| 106 | + }, |
| 107 | + } |
| 108 | + pod.Spec.Volumes = append(pod.Spec.Volumes, volume) |
| 109 | + } |
| 110 | + |
| 111 | + // Create the prototypical VolumeMount |
| 112 | + volumeMount := api.VolumeMount{ |
| 113 | + Name: apiSecretVolumeName, |
| 114 | + ReadOnly: true, |
| 115 | + MountPath: DefaultAPITokenMountPath, |
| 116 | + } |
| 117 | + |
| 118 | + // Ensure every container mounts the APISecret volume |
| 119 | + for i, container := range pod.Spec.Containers { |
| 120 | + existingContainerMount := false |
| 121 | + for j, volumeMount := range container.VolumeMounts { |
| 122 | + // Mounts at other paths are ignored |
| 123 | + if volumeMount.MountPath != DefaultAPITokenMountPath { |
| 124 | + mountedVolumeNames.Insert(volumeMount.Name) |
| 125 | + continue |
| 126 | + } |
| 127 | + |
| 128 | + // Different volumes mounted at the APISecret path are eligible for cleanup |
| 129 | + if volumeMount.Name != apiSecretVolumeName { |
| 130 | + obsoleteVolumeNames.Insert(volumeMount.Name) |
| 131 | + } |
| 132 | + |
| 133 | + // Overwrite the existing volume mount at that path |
| 134 | + pod.Spec.Containers[i].VolumeMounts[j] = volumeMount |
| 135 | + existingContainerMount = true |
| 136 | + break |
| 137 | + } |
| 138 | + |
| 139 | + if !existingContainerMount { |
| 140 | + pod.Spec.Containers[i].VolumeMounts = append(pod.Spec.Containers[i].VolumeMounts, volumeMount) |
| 141 | + } |
| 142 | + } |
| 143 | + |
| 144 | + // Clean up old APISecret volumes, unless they are used in other VolumeMounts |
| 145 | + obsoleteVolumeNames.Delete(mountedVolumeNames.List()...) |
| 146 | + retainedVolumes := []api.Volume{} |
| 147 | + for _, volume := range pod.Spec.Volumes { |
| 148 | + // Remove secret volumes that we've determined were obsolete APISecrets |
| 149 | + if obsoleteVolumeNames.Has(volume.Name) && volume.VolumeSource.Secret != nil { |
| 150 | + continue |
| 151 | + } |
| 152 | + retainedVolumes = append(retainedVolumes, volume) |
| 153 | + } |
| 154 | + pod.Spec.Volumes = retainedVolumes |
| 155 | + |
| 156 | + return nil |
| 157 | +} |
0 commit comments