in admission-controller/pods.go [39:80]
func admitPods(ar v1.AdmissionReview) *v1.AdmissionResponse {
klog.V(2).Info("admitting pods")
podResource := metav1.GroupVersionResource{Group: "", Version: "v1", Resource: "pods"}
if ar.Request.Resource != podResource {
err := fmt.Errorf("expect resource to be %s", podResource)
klog.Error(err)
return toV1AdmissionResponse(err)
}
raw := ar.Request.Object.Raw
pod := corev1.Pod{}
deserializer := codecs.UniversalDeserializer()
if _, _, err := deserializer.Decode(raw, nil, &pod); err != nil {
klog.Error(err)
return toV1AdmissionResponse(err)
}
reviewResponse := v1.AdmissionResponse{}
reviewResponse.Allowed = true
var msg string
if v, ok := pod.Labels["webhook-e2e-test"]; ok {
if v == "webhook-disallow" {
reviewResponse.Allowed = false
msg = msg + "the pod contains unwanted label; "
}
if v == "wait-forever" {
reviewResponse.Allowed = false
msg = msg + "the pod response should not be sent; "
<-make(chan int) // Sleep forever - no one sends to this channel
}
}
for _, container := range pod.Spec.Containers {
if strings.Contains(container.Name, "webhook-disallow") {
reviewResponse.Allowed = false
msg = msg + "the pod contains unwanted container name; "
}
}
if !reviewResponse.Allowed {
reviewResponse.Result = &metav1.Status{Message: strings.TrimSpace(msg)}
}
return &reviewResponse
}