in webhooks/core/annotation_validation_webhook.go [108:143]
// handleUpdate validates a pod UPDATE admission request.
//
// It decodes the new and old pod from req, then denies the request when
//   - the Fargate security-group annotation differs between old and new pod
//     (that annotation is written once by the mutating webhook on CREATE and
//     must never change afterwards), or
//   - any annotation key returned by getAnnotationKeysToBeValidated differs
//     and the requesting username is not one of the recognised controller
//     identities.
//
// Returns an Errored response with http.StatusBadRequest when either object
// cannot be decoded, a Denied response for the two cases above, and
// Allowed("") otherwise.
func (a *AnnotationValidator) handleUpdate(req admission.Request) admission.Response {
	newPod, oldPod := &corev1.Pod{}, &corev1.Pod{}
	if err := a.decoder.DecodeRaw(req.Object, newPod); err != nil {
		return admission.Errored(http.StatusBadRequest, err)
	}
	if err := a.decoder.DecodeRaw(req.OldObject, oldPod); err != nil {
		return admission.Errored(http.StatusBadRequest, err)
	}

	logger := a.Log.WithValues("name", newPod.Name, "namespace", newPod.Namespace, "uid", newPod.UID)
	requester := req.UserInfo.Username

	// changed reports whether the value stored under key differs between the
	// old and the new pod. Indexing a nil Annotations map yields "", so a key
	// that is absent on both sides (or absent on one side and empty on the
	// other) counts as unchanged.
	changed := func(key string) bool {
		return newPod.Annotations[key] != oldPod.Annotations[key]
	}

	// No identity may alter the Fargate SGP annotation after creation.
	if changed(FargatePodSGAnnotationKey) {
		logger.Info("denying annotation", "username", requester,
			"annotation key", FargatePodSGAnnotationKey)
		return admission.Denied("annotation is not set by mutating webhook")
	}

	// Three usernames are trusted because the controller's service account
	// was changed after the first release. The decision is based on
	// Username only; req.UserInfo.Groups is not consulted.
	// NOTE(review): confirm username-only matching is the intended trust
	// boundary for these controller identities.
	trustedRequester := requester == validUserInfo ||
		requester == newValidUserInfo ||
		requester == vpcControllerUserName

	// Controller-owned annotations may only change when the request comes
	// from one of the trusted controller identities.
	for _, key := range a.getAnnotationKeysToBeValidated() {
		if !changed(key) || trustedRequester {
			continue
		}
		logger.Info("denying annotation", "username", requester,
			"annotation key", key)
		return admission.Denied("annotation is not set by vpc-resource-controller")
	}

	return admission.Allowed("")
}