in webhooks/core/node_update_webhook.go [48:95]
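// Handle validates UPDATE requests on Node objects issued by the aws-node
// user; requests from any other username are allowed unchanged.
//
// For aws-node the old and new objects are decoded, the fields aws-node is
// expected to modify (the trunk-attached and custom-networking labels plus
// server-managed metadata) are stripped from both copies in the same way,
// and the request is denied if anything else differs between them.
//
// Parameters:
//   - req: the admission request. req.UserInfo.Username selects the policy;
//     req.Object and req.OldObject carry the new and current Node.
//
// Returns admission.Allowed, admission.Denied, or admission.Errored with
// http.StatusBadRequest when either object fails to decode.
func (a *NodeUpdateWebhook) Handle(_ context.Context, req admission.Request) admission.Response {
	// Only the aws-node identity is restricted; everyone else passes through.
	if req.UserInfo.Username != awsNodeUsername {
		return admission.Allowed("")
	}

	logger := a.Log.WithValues("node", req.Name)
	logger.Info("update request received from aws-node")

	newNode := &corev1.Node{}
	if err := a.decoder.DecodeRaw(req.Object, newNode); err != nil {
		return admission.Errored(http.StatusBadRequest, err)
	}
	oldNode := &corev1.Node{}
	if err := a.decoder.DecodeRaw(req.OldObject, oldNode); err != nil {
		return admission.Errored(http.StatusBadRequest, err)
	}

	// Apply the identical normalisation to both objects so the comparison
	// below only sees changes aws-node is not permitted to make.
	stripAWSNodeMutableFields(oldNode)
	stripAWSNodeMutableFields(newNode)

	// Deny request if there's any modification in the old and new object after removing the fields
	// added by aws-node
	if !reflect.DeepEqual(*newNode, *oldNode) {
		denyMessage := "aws-node can only update limited fields on the Node Object"
		// Keep log to Debug as it prints entire object
		logger.V(1).Info("request will be denied", "old object", *oldNode, "new object", *newNode)
		logger.Info(denyMessage)
		return admission.Denied(denyMessage)
	}

	// If all validation check succeed, allow admission
	return admission.Allowed("")
}

// stripAWSNodeMutableFields removes from n every field aws-node is expected
// to modify, so two Nodes that differ only in those fields compare equal
// under reflect.DeepEqual.
func stripAWSNodeMutableFields(n *corev1.Node) {
	// Labels aws-node is allowed to set; delete on a nil map is a no-op.
	delete(n.Labels, config.HasTrunkAttachedLabel)
	delete(n.Labels, config.CustomNetworkingLabel)
	// reflect.DeepEqual treats a nil map and an empty non-nil map as
	// different. A Node decoded without labels has a nil map, while one whose
	// only labels were the ones just deleted is left with an empty map, so the
	// original comparison denied such a request even though only permitted
	// labels changed. Normalise to nil so that case is not a modification.
	if len(n.Labels) == 0 {
		n.Labels = nil
	}
	// The new object has the ManagedFields which is missing from older object, so remove it as well
	n.ManagedFields = nil
	// Required for v1.18 clusters
	n.SelfLink = ""
}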