123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140 |
- /*
- Copyright 2017 The Kubernetes Authors.
- Licensed under the Apache License, Version 2.0 (the "License");
- you may not use this file except in compliance with the License.
- You may obtain a copy of the License at
- http://www.apache.org/licenses/LICENSE-2.0
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- See the License for the specific language governing permissions and
- limitations under the License.
- */
- package storageobjectinuseprotection
- import (
- "context"
- "io"
- "k8s.io/apiserver/pkg/admission"
- "k8s.io/apiserver/pkg/admission/initializer"
- "k8s.io/component-base/featuregate"
- "k8s.io/klog"
- api "k8s.io/kubernetes/pkg/apis/core"
- "k8s.io/kubernetes/pkg/features"
- volumeutil "k8s.io/kubernetes/pkg/volume/util"
- )
- const (
- // PluginName is the name of this admission controller plugin
- PluginName = "StorageObjectInUseProtection"
- )
- // Register registers a plugin
- func Register(plugins *admission.Plugins) {
- plugins.Register(PluginName, func(config io.Reader) (admission.Interface, error) {
- plugin := newPlugin()
- return plugin, nil
- })
- }
- // storageProtectionPlugin holds state for and implements the admission plugin.
- type storageProtectionPlugin struct {
- *admission.Handler
- storageObjectInUseProtection bool
- }
- var _ admission.Interface = &storageProtectionPlugin{}
- var _ initializer.WantsFeatures = &storageProtectionPlugin{}
- // newPlugin creates a new admission plugin.
- func newPlugin() *storageProtectionPlugin {
- return &storageProtectionPlugin{
- Handler: admission.NewHandler(admission.Create),
- }
- }
- var (
- pvResource = api.Resource("persistentvolumes")
- pvcResource = api.Resource("persistentvolumeclaims")
- )
- // Admit sets finalizer on all PVCs(PVs). The finalizer is removed by
- // PVCProtectionController(PVProtectionController) when it's not referenced.
- //
- // This prevents users from deleting a PVC that's used by a running pod.
- // This also prevents admin from deleting a PV that's bound by a PVC
- func (c *storageProtectionPlugin) Admit(ctx context.Context, a admission.Attributes, o admission.ObjectInterfaces) error {
- if !c.storageObjectInUseProtection {
- return nil
- }
- switch a.GetResource().GroupResource() {
- case pvResource:
- return c.admitPV(a)
- case pvcResource:
- return c.admitPVC(a)
- default:
- return nil
- }
- }
- func (c *storageProtectionPlugin) admitPV(a admission.Attributes) error {
- if len(a.GetSubresource()) != 0 {
- return nil
- }
- pv, ok := a.GetObject().(*api.PersistentVolume)
- // if we can't convert the obj to PV, just return
- if !ok {
- return nil
- }
- for _, f := range pv.Finalizers {
- if f == volumeutil.PVProtectionFinalizer {
- // Finalizer is already present, nothing to do
- return nil
- }
- }
- klog.V(4).Infof("adding PV protection finalizer to %s", pv.Name)
- pv.Finalizers = append(pv.Finalizers, volumeutil.PVProtectionFinalizer)
- return nil
- }
- func (c *storageProtectionPlugin) admitPVC(a admission.Attributes) error {
- if len(a.GetSubresource()) != 0 {
- return nil
- }
- pvc, ok := a.GetObject().(*api.PersistentVolumeClaim)
- // if we can't convert the obj to PVC, just return
- if !ok {
- return nil
- }
- for _, f := range pvc.Finalizers {
- if f == volumeutil.PVCProtectionFinalizer {
- // Finalizer is already present, nothing to do
- return nil
- }
- }
- klog.V(4).Infof("adding PVC protection finalizer to %s/%s", pvc.Namespace, pvc.Name)
- pvc.Finalizers = append(pvc.Finalizers, volumeutil.PVCProtectionFinalizer)
- return nil
- }
- func (c *storageProtectionPlugin) InspectFeatureGates(featureGates featuregate.FeatureGate) {
- c.storageObjectInUseProtection = featureGates.Enabled(features.StorageObjectInUseProtection)
- }
- func (c *storageProtectionPlugin) ValidateInitialization() error {
- return nil
- }
|