Firewall: immutable table name
cheina97 authored and adamjensenbot committed Dec 5, 2023
1 parent 4ea4194 commit 1923408
Showing 2 changed files with 23 additions and 1 deletion.
Expand Up @@ -19,6 +19,7 @@ import (
"encoding/json"
"net/http"

v1 "k8s.io/api/admission/v1"
"k8s.io/apimachinery/pkg/runtime"
"k8s.io/klog/v2"
"sigs.k8s.io/controller-runtime/pkg/client"
Expand Down Expand Up @@ -100,7 +101,9 @@ func (w *webhookMutate) Handle(_ context.Context, req admission.Request) admissi
//
//nolint:gocritic // The signature of this method is imposed by controller runtime.
func (w *webhookValidate) Handle(ctx context.Context, req admission.Request) admission.Response {
firewallConfiguration, err := w.DecodeFirewallConfiguration(req.Object)
var err error
var firewallConfiguration, oldFirewallConfiguration *networkingv1alpha1.FirewallConfiguration
firewallConfiguration, err = w.DecodeFirewallConfiguration(req.Object)
if err != nil {
klog.Errorf("Failed decoding FirewallConfiguration object: %v", err)
return admission.Errored(http.StatusBadRequest, err)
Expand All @@ -109,6 +112,17 @@ func (w *webhookValidate) Handle(ctx context.Context, req admission.Request) adm
family := firewallConfiguration.Spec.Table.Family
chains := firewallConfiguration.Spec.Table.Chains

if req.Operation == v1.Update {
oldFirewallConfiguration, err = w.DecodeFirewallConfiguration(req.OldObject)
if err != nil {
klog.Errorf("Failed decoding FirewallConfiguration object: %v", err)
return admission.Errored(http.StatusBadRequest, err)
}
if err := checkImmutableTableName(firewallConfiguration, oldFirewallConfiguration); err != nil {
return admission.Denied(err.Error())
}
}

if err := checkUniqueTableName(ctx, w.cl, firewallConfiguration); err != nil {
return admission.Denied(err.Error())
}
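Review bot: The decode failure for req.OldObject logs exactly the same message as the one for req.Object a few lines above, so an operator reading the log cannot tell which side of the update failed to decode; `klog.Errorf("Failed decoding old FirewallConfiguration object: %v", err)` would disambiguate it. oldFirewallConfiguration is also hoisted to function scope via the new `var` declarations even though it is only used inside the `req.Operation == v1.Update` branch; declaring it there with `oldFirewallConfiguration, err := w.DecodeFirewallConfiguration(req.OldObject)` would keep the original `firewallConfiguration, err := ...` line and drop the two `var` lines. The rest of the validation path is unchanged as far as the hunks show. Handle's body continues past the end of this hunk.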
Expand Up @@ -39,6 +39,14 @@ func checkUniqueChainName(chains []firewallapi.Chain) error {
return nil
}

// checkImmutableTableName checks if the table name is immutable.
func checkImmutableTableName(fwcfg, oldFwcfg *networkingv1alpha1.FirewallConfiguration) error {
if oldFwcfg.Spec.Table.Name != fwcfg.Spec.Table.Name {
return fmt.Errorf("table name is immutable")
}
return nil
}

func checkUniqueTableName(ctx context.Context, cl client.Client, currentFwcfg *networkingv1alpha1.FirewallConfiguration) error {
if currentFwcfg == nil {
return fmt.Errorf("firewallconfiguration is nil")
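Review bot: checkImmutableTableName dereferences both fwcfg and oldFwcfg without a nil guard, while checkUniqueTableName directly below returns "firewallconfiguration is nil" for the same situation; for consistency and to avoid a panic inside the admission handler if a decode ever yields a nil object, add `if fwcfg == nil || oldFwcfg == nil { return fmt.Errorf("firewallconfiguration is nil") }` as the first statement. The doc comment says the function "checks if the table name is immutable", but it actually rejects an update that changes the name; `// checkImmutableTableName returns an error when an update changes the table name, which is immutable.` states the contract. Including the two names in the denial, e.g. `fmt.Errorf("table name is immutable: cannot change %q to %q", oldFwcfg.Spec.Table.Name, fwcfg.Spec.Table.Name)`, would tell the requester what was rejected without exposing anything they did not submit themselves.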