-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathmain.go
119 lines (98 loc) · 3.05 KB
/
main.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
package main
import (
"crypto/tls"
"encoding/json"
"flag"
"fmt"
"io"
"log"
"net/http"
"strings"
imagepolicy "k8s.io/api/imagepolicy/v1alpha1"
)
type imagineOpts struct {
key string
cert string
imageName string
port int
}
func main() {
opts := imagineOpts{}
flag.StringVar(&opts.key, "key", "", "Path to the key file")
flag.StringVar(&opts.cert, "cert", "", "Path to the cert file")
flag.StringVar(&opts.imageName, "image-name", "", "Part of the image name that is not allowed")
flag.IntVar(&opts.port, "port", 4443, "Port to listen on")
flag.Parse()
cert, err := tls.LoadX509KeyPair(opts.cert, opts.key)
if err != nil {
log.Fatalf("Failed to load key pair: %v", err)
}
tlsConfig := &tls.Config{
Certificates: []tls.Certificate{
cert,
},
}
mux := http.NewServeMux()
mux.Handle("/", imagineHandler(opts.imageName))
server := &http.Server{
Addr: fmt.Sprintf(":%d", opts.port),
Handler: mux,
TLSConfig: tlsConfig,
}
log.Printf("Starting the imagine server on port %d", opts.port)
err = server.ListenAndServeTLS("", "")
if err != nil {
log.Fatalf("Failed to start server: %v", err)
}
}
func imagineHandler(imageName string) http.HandlerFunc {
return func(w http.ResponseWriter, r *http.Request) {
log.Printf("Received request: %s %s", r.Method, r.URL.Path)
if r.Method != http.MethodPost {
if r.Method == http.MethodGet {
w.WriteHeader(http.StatusOK)
w.Write([]byte(fmt.Sprintf("This is the Imagine validating admission image policy webhook, checks if the image name contains: %s", imageName)))
return
}
w.WriteHeader(http.StatusMethodNotAllowed)
w.Write([]byte("Method not allowed"))
return
}
var imageReview imagepolicy.ImageReview
body, err := io.ReadAll(r.Body)
if err != nil {
log.Printf("Failed to read request body: %v", err)
http.Error(w, "could not read request body", http.StatusBadRequest)
return
}
log.Printf("Raw JSON request body: %s", string(body))
if err := json.Unmarshal(body, &imageReview); err != nil {
log.Printf("Failed to decode request body: %v", err)
http.Error(w, "could not decode request body", http.StatusBadRequest)
return
}
allowed := true
reason := "Image name is allowed"
for _, container := range imageReview.Spec.Containers {
if strings.Contains(container.Image, imageName) {
allowed = false
reason = fmt.Sprintf("image name contains disallowed string: %s", imageName)
break
}
}
imageReview.Status.Allowed = allowed
imageReview.Status.Reason = reason
responseBytes, err := json.Marshal(imageReview)
if err != nil {
log.Printf("Failed to encode response: %v", err)
http.Error(w, "could not encode response", http.StatusInternalServerError)
return
}
w.Header().Set("Content-Type", "application/json")
w.WriteHeader(http.StatusOK)
if _, err := w.Write(responseBytes); err != nil {
log.Printf("Failed to write response: %v", err)
}
log.Printf("Image: %s, Allowed: %t, Reason: %s", imageReview.Spec.Containers[0].Image, imageReview.Status.Allowed, imageReview.Status.Reason)
}
}