
in webhooks/core/annotation_validation_webhook.go [108:143]


// handleUpdate admits or denies a pod UPDATE based on which annotations changed
// between the old and new object and who submitted the request.
//
// Two rules are enforced:
//   - FargatePodSGAnnotationKey must not change at all (it is written by the
//     mutating webhook on CREATE).
//   - Every key returned by getAnnotationKeysToBeValidated may change only when
//     the requester's username is one of the controller's own identities.
//
// Decode failures on either object are reported as 400 via admission.Errored.
// Only req.UserInfo.Username is consulted; group membership is not inspected.
func (a *AnnotationValidator) handleUpdate(req admission.Request) admission.Response {
	newPod := &corev1.Pod{}
	if err := a.decoder.DecodeRaw(req.Object, newPod); err != nil {
		return admission.Errored(http.StatusBadRequest, err)
	}
	oldPod := &corev1.Pod{}
	if err := a.decoder.DecodeRaw(req.OldObject, oldPod); err != nil {
		return admission.Errored(http.StatusBadRequest, err)
	}
	logger := a.Log.WithValues("name", newPod.Name, "namespace", newPod.Namespace, "uid", newPod.UID)

	// Map lookups on a nil Annotations map yield "", so an annotation that is
	// absent and one present with an empty value compare as equal here.
	changed := func(key string) bool {
		return newPod.Annotations[key] != oldPod.Annotations[key]
	}

	// The Fargate SGP annotation is set once by the mutating webhook on CREATE;
	// no requester may alter or remove it afterwards.
	if changed(FargatePodSGAnnotationKey) {
		logger.Info("denying annotation", "username", req.UserInfo.Username,
			"annotation key", FargatePodSGAnnotationKey)
		return admission.Denied("annotation is not set by mutating webhook")
	}

	// Three identities are accepted because the controller's service account
	// name changed after the first release.
	var trustedRequester bool
	switch req.UserInfo.Username {
	case validUserInfo, newValidUserInfo, vpcControllerUserName:
		trustedRequester = true
	}

	// Any other requester may not touch the validated annotation keys.
	for _, key := range a.getAnnotationKeysToBeValidated() {
		if !changed(key) || trustedRequester {
			continue
		}
		logger.Info("denying annotation", "username", req.UserInfo.Username,
			"annotation key", key)
		return admission.Denied("annotation is not set by vpc-resource-controller")
	}
	return admission.Allowed("")
}