From 7a0eabf0f2f0032c80cbc7dfed0496751e435ef3 Mon Sep 17 00:00:00 2001
From: Sharif Elgamal
Date: Fri, 2 Oct 2020 13:30:22 -0700
Subject: [PATCH] exclude kube-system from getting patches

---
 Makefile | 2 +-
 server.go | 147 ++++++++++++++++++++++++++++--------------------------
 2 files changed, 76 insertions(+), 73 deletions(-)

diff --git a/Makefile b/Makefile
index 12017034a5ea..fab64b4bc8d2 100644
--- a/Makefile
+++ b/Makefile
@@ -1,5 +1,5 @@
 REGISTRY?=gcr.io/k8s-minikube
-VERSION=v0.0.2
+VERSION=v0.0.3-snapshot
 
 build:
 CGO_ENABLED=0 GOOS=linux go build -o out/gcp-auth-webhook -ldflags=$(PROVISIONER_LDFLAGS) server.go
diff --git a/server.go b/server.go
index f1a6310b352a..33f551cc6ad7 100644
--- a/server.go
+++ b/server.go
@@ -90,83 +90,86 @@ func mutateHandler(w http.ResponseWriter, r *http.Request) {
 var patch []patchOperation
- // Define the volume to mount in
- v := corev1.Volume{
- Name: "gcp-creds",
- VolumeSource: corev1.VolumeSource{
- HostPath: func() *corev1.HostPathVolumeSource {
- h := corev1.HostPathVolumeSource{
- Path: "/var/lib/minikube/google_application_credentials.json",
- Type: func() *corev1.HostPathType {
- hpt := corev1.HostPathFile
- return &hpt
- }(),
- }
- return &h
- }(),
- },
- }
+ // Explicitly and silently exclude the kube-system namespace
+ if pod.ObjectMeta.Namespace != metav1.NamespaceSystem {
+ // Define the volume to mount in
+ v := corev1.Volume{
+ Name: "gcp-creds",
+ VolumeSource: corev1.VolumeSource{
+ HostPath: func() *corev1.HostPathVolumeSource {
+ h := corev1.HostPathVolumeSource{
+ Path: "/var/lib/minikube/google_application_credentials.json",
+ Type: func() *corev1.HostPathType {
+ hpt := corev1.HostPathFile
+ return &hpt
+ }(),
+ }
+ return &h
+ }(),
+ },
+ }
 
- // Mount the volume in
- mount := corev1.VolumeMount{
- Name: "gcp-creds",
- MountPath: "/google-app-creds.json",
- ReadOnly: true,
- }
+ // Mount the volume in
+ mount := corev1.VolumeMount{
+ Name: "gcp-creds",
+ MountPath: "/google-app-creds.json",
+ ReadOnly: true,
+ }
 
- // Define the env var
- e := corev1.EnvVar{
- Name: "GOOGLE_APPLICATION_CREDENTIALS",
- Value: "/google-app-creds.json",
- }
- envVars := []corev1.EnvVar{e}
-
- // If GOOGLE_CLOUD_PROJECT is set in the VM, set it for all GCP apps.
- if _, err := os.Stat("/var/lib/minikube/google_cloud_project"); err == nil {
- project, err := ioutil.ReadFile("/var/lib/minikube/google_cloud_project")
- if err == nil {
- // Set the project name for every variant of the project env var
- for _, a := range projectAliases {
- envVars = append(envVars, corev1.EnvVar{
- Name: a,
- Value: string(project),
- })
+ // Define the env var
+ e := corev1.EnvVar{
+ Name: "GOOGLE_APPLICATION_CREDENTIALS",
+ Value: "/google-app-creds.json",
+ }
+ envVars := []corev1.EnvVar{e}
+
+ // If GOOGLE_CLOUD_PROJECT is set in the VM, set it for all GCP apps.
+ if _, err := os.Stat("/var/lib/minikube/google_cloud_project"); err == nil {
+ project, err := ioutil.ReadFile("/var/lib/minikube/google_cloud_project")
+ if err == nil {
+ // Set the project name for every variant of the project env var
+ for _, a := range projectAliases {
+ envVars = append(envVars, corev1.EnvVar{
+ Name: a,
+ Value: string(project),
+ })
+ }
 }
 }
- }
- patch = append(patch, patchOperation{
- Op: "add",
- Path: "/spec/volumes",
- Value: append(pod.Spec.Volumes, v),
- })
-
- for i, c := range pod.Spec.Containers {
- if len(c.VolumeMounts) == 0 {
- patch = append(patch, patchOperation{
- Op: "add",
- Path: fmt.Sprintf("/spec/containers/%d/volumeMounts", i),
- Value: []corev1.VolumeMount{mount},
- })
- } else {
- patch = append(patch, patchOperation{
- Op: "add",
- Path: fmt.Sprintf("/spec/containers/%d/volumeMounts", i),
- Value: append(c.VolumeMounts, mount),
- })
- }
- if len(c.Env) == 0 {
- patch = append(patch, patchOperation{
- Op: "add",
- Path: fmt.Sprintf("/spec/containers/%d/env", i),
- Value: envVars,
- })
- } else {
- patch = append(patch, patchOperation{
- Op: "add",
- Path: fmt.Sprintf("/spec/containers/%d/env", i),
- Value: append(c.Env, envVars...),
- })
+ patch = append(patch, patchOperation{
+ Op: "add",
+ Path: "/spec/volumes",
+ Value: append(pod.Spec.Volumes, v),
+ })
+
+ for i, c := range pod.Spec.Containers {
+ if len(c.VolumeMounts) == 0 {
+ patch = append(patch, patchOperation{
+ Op: "add",
+ Path: fmt.Sprintf("/spec/containers/%d/volumeMounts", i),
+ Value: []corev1.VolumeMount{mount},
+ })
+ } else {
+ patch = append(patch, patchOperation{
+ Op: "add",
+ Path: fmt.Sprintf("/spec/containers/%d/volumeMounts", i),
+ Value: append(c.VolumeMounts, mount),
+ })
+ }
+ if len(c.Env) == 0 {
+ patch = append(patch, patchOperation{
+ Op: "add",
+ Path: fmt.Sprintf("/spec/containers/%d/env", i),
+ Value: envVars,
+ })
+ } else {
+ patch = append(patch, patchOperation{
+ Op: "add",
+ Path: fmt.Sprintf("/spec/containers/%d/env", i),
+ Value: append(c.Env, envVars...),
+ })
+ }
 }
 }
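Review bot: The new guard `if pod.ObjectMeta.Namespace != metav1.NamespaceSystem {` at the top of the hunk keys the exclusion on the namespace field of the pod object embedded in the AdmissionReview, and if that field arrives empty (pod manifests frequently omit it, with the target namespace carried only on the request) the comparison is true and the hostPath credentials file plus `GOOGLE_APPLICATION_CREDENTIALS` are still injected into a kube-system pod, the opposite of what the commit intends. The AdmissionReview's `Request.Namespace` is the field documented to carry the namespace of the request, so compare against that (the decoded review is created above the hunk), using the pod's own namespace only as a fallback when the request field is empty, and treat "both empty" as a reason to skip rather than to patch. Because the skip is deliberately silent, one log line naming the pod and namespace when the exclusion fires would make it visible to an operator whose workload unexpectedly lacks credentials; the comment could also say why only one namespace is excluded, e.g. `// Every pod outside kube-system receives the node's GCP credentials; intended for single-user minikube clusters only.` mutateHandler begins before this hunk and continues after it.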