Add validation webhook for service profiles (linkerd#2623)

Add validation webhook for service profiles Fixes linkerd#2075 Todo in a follow-up PRs: remove the SP check from the CLI check. Signed-off-by: Alejandro Pedraza <[email protected]> Signed-off-by: [email protected] <[email protected]>
KatherineMelnyk · Apr 5, 2019 · 6e9519c · 6e9519c
1 parent 4ddfa62
commit 6e9519c
Show file tree

Hide file tree

Showing 41 changed files with 2,280 additions and 544 deletions.
diff --git a/Dockerfile-proxy b/Dockerfile-proxy
@@ -11,7 +11,7 @@ RUN (proxy=$(bin/fetch-proxy $PROXY_VERSION) && \
     echo "$version" >version.txt)
 
 ## compile proxy-identity agent
-FROM gcr.io/linkerd-io/go-deps:f39dc9a4 as golang
+FROM gcr.io/linkerd-io/go-deps:3f016933 as golang
 WORKDIR /go/src/github.com/linkerd/linkerd2
 ENV CGO_ENABLED=0 GOOS=linux
 COPY pkg/flags pkg/flags

diff --git a/Gopkg.lock b/Gopkg.lock
@@ -1326,6 +1326,7 @@
     "k8s.io/client-go/kubernetes",
     "k8s.io/client-go/kubernetes/fake",
     "k8s.io/client-go/kubernetes/scheme",
+    "k8s.io/client-go/kubernetes/typed/admissionregistration/v1beta1",
     "k8s.io/client-go/kubernetes/typed/authentication/v1",
     "k8s.io/client-go/kubernetes/typed/authorization/v1",
     "k8s.io/client-go/listers/core/v1",

diff --git a/chart/templates/sp_validator.yaml b/chart/templates/sp_validator.yaml
@@ -0,0 +1,109 @@
+{{with .Values -}}
+---
+###
+### Service Profile Validator
+###
+---
+kind: ServiceAccount
+apiVersion: v1
+metadata:
+  name: linkerd-sp-validator
+  namespace: {{.Namespace}}
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: linkerd-{{.Namespace}}-sp-validator
+rules:
+- apiGroups: [""]
+  resources: ["pods"]
+  verbs: ["list"]
+- apiGroups: ["admissionregistration.k8s.io"]
+  resources: ["validatingwebhookconfigurations"]
+  verbs: ["create", "get", "delete"]
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: linkerd-{{.Namespace}}-sp-validator
+subjects:
+- kind: ServiceAccount
+  name: linkerd-sp-validator
+  namespace: {{.Namespace}}
+  apiGroup: ""
+roleRef:
+  kind: ClusterRole
+  name: linkerd-{{.Namespace}}-sp-validator
+  apiGroup: rbac.authorization.k8s.io
+---
+kind: Service
+apiVersion: v1
+metadata:
+  name: linkerd-sp-validator
+  namespace: {{.Namespace}}
+  labels:
+    {{.ControllerComponentLabel}}: sp-validator
+  annotations:
+    {{.CreatedByAnnotation}}: {{.CliVersion}}
+spec:
+  type: ClusterIP
+  selector:
+    {{.ControllerComponentLabel}}: sp-validator
+  ports:
+  - name: sp-validator
+    port: 443
+    targetPort: sp-validator
+---
+kind: Deployment
+apiVersion: extensions/v1beta1
+metadata:
+  name: linkerd-sp-validator
+  namespace: {{.Namespace}}
+  labels:
+    {{.ControllerComponentLabel}}: sp-validator
+  annotations:
+    {{.CreatedByAnnotation}}: {{.CliVersion}}
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      {{.ControllerComponentLabel}}: sp-validator
+  template:
+    metadata:
+      labels:
+        {{.ControllerComponentLabel}}: sp-validator
+      annotations:
+        {{.CreatedByAnnotation}}: {{.CliVersion}}
+    spec:
+      serviceAccountName: linkerd-sp-validator
+      containers:
+      - name: sp-validator
+        image: {{.ControllerImage}}
+        imagePullPolicy: {{.ImagePullPolicy}}
+        args:
+        - "sp-validator"
+        - "-controller-namespace={{.Namespace}}"
+        - "-log-level={{.ControllerLogLevel}}"
+        ports:
+        - name: sp-validator
+          containerPort: 8443
+        livenessProbe:
+          httpGet:
+            path: /ping
+            port: 9997
+          initialDelaySeconds: 10
+        readinessProbe:
+          httpGet:
+            path: /ready
+            port: 9997
+          failureThreshold: 7
+        {{ with .SPValidatorResources -}}
+        {{- template "resources" . }}
+        {{ end -}}
+        securityContext:
+          runAsUser: {{.ControllerUID}}
+      volumes:
+      - name: config
+        configMap:
+          name: linkerd-config
+{{end -}}
diff --git a/cli/Dockerfile-bin b/cli/Dockerfile-bin
@@ -1,5 +1,5 @@
 ## compile binaries
-FROM gcr.io/linkerd-io/go-deps:f39dc9a4 as golang
+FROM gcr.io/linkerd-io/go-deps:3f016933 as golang
 WORKDIR /go/src/github.com/linkerd/linkerd2
 COPY cli cli
 COPY chart chart

diff --git a/cli/cmd/install.go b/cli/cmd/install.go
@@ -63,6 +63,7 @@ type (
 		PrometheusResources,
 		ProxyInjectorResources,
 		PublicAPIResources,
+		SPValidatorResources,
 		TapResources,
 		WebResources *resources
 
@@ -146,6 +147,7 @@ const (
 	resourcesTemplateName      = "templates/_resources.yaml"
 	serviceprofileTemplateName = "templates/serviceprofile.yaml"
 	proxyInjectorTemplateName  = "templates/proxy_injector.yaml"
+	spValidatorTemplateName    = "templates/sp_validator.yaml"
 )
 
 // newInstallOptionsWithDefaults initializes install options with default
@@ -433,6 +435,7 @@ func (options *installOptions) buildValuesWithoutIdentity(configs *pb.All) (*ins
 		PrometheusResources:    &resources{},
 		ProxyInjectorResources: &resources{},
 		PublicAPIResources:     &resources{},
+		SPValidatorResources:   &resources{},
 		TapResources:           &resources{},
 		WebResources:           &resources{},
 	}
@@ -447,6 +450,7 @@ func (options *installOptions) buildValuesWithoutIdentity(configs *pb.All) (*ins
 		*values.GrafanaResources = *defaultConstraints
 		*values.ProxyInjectorResources = *defaultConstraints
 		*values.PublicAPIResources = *defaultConstraints
+		*values.SPValidatorResources = *defaultConstraints
 		*values.TapResources = *defaultConstraints
 		*values.WebResources = *defaultConstraints
 
@@ -493,6 +497,7 @@ func (values *installValues) render(w io.Writer, configs *pb.All) error {
 		{Name: prometheusTemplateName},
 		{Name: grafanaTemplateName},
 		{Name: proxyInjectorTemplateName},
+		{Name: spValidatorTemplateName},
 	}
 
 	// Read templates into bytes