in pkg/webhook/admission_controller_interface.go [39:87]
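// ndbOperatorServiceAccountRe recognises usernames that belong to an
// ndb-operator service account. The pattern is anchored at the start and the
// namespace segment may not contain ':', so the trust marker cannot appear in
// the middle of a username issued by some other authenticator.
//
// NOTE(review): the service account name is still matched as a prefix and the
// namespace is not pinned, so any service account whose name begins with
// "ndb-operator", in any namespace, skips update validation. If the operator's
// exact namespace and service account name are available to the webhook,
// compare against them literally instead — confirm against the deployment
// manifests before tightening further.
var ndbOperatorServiceAccountRe = regexp.MustCompile(`^system:serviceaccount:[^:]+:ndb-operator`)

// validate checks an admission request against the given admission controller
// and returns the admission response.
//
// The request is denied if its resource differs from ac.getGVR(), or if the
// new (or, for updates, old) object cannot be decoded. Create requests are
// passed to ac.validateCreate and update requests to ac.validateUpdate.
// Updates issued by an ndb-operator service account are allowed without
// validation. Any other operation is answered with
// unsupportedValidatorOperation.
func validate(req *admissionv1.AdmissionRequest, ac admissionController) *admissionv1.AdmissionResponse {
	// Verify right resource is passed
	resource := ac.getGVR()
	if req.Resource != *resource {
		errMsg := fmt.Sprintf("expected resource %v but got %v", *resource, req.Resource)
		return requestDeniedBad(req.UID, errMsg)
	}

	// Handle operation
	defaultGVK := ac.getGVK()
	decoder := scheme.Codecs.UniversalDeserializer()
	switch req.Operation {
	case admissionv1.Create:
		// retrieve new object and validate it
		obj, _, err := decoder.Decode(req.Object.Raw, defaultGVK, ac.newObject())
		if err != nil {
			return requestDeniedBad(req.UID, err.Error())
		}
		// Infof defers formatting until the verbosity check has passed.
		klog.V(5).Infof("Retrieved new object : %v", obj)
		return ac.validateCreate(req.UID, obj)

	case admissionv1.Update:
		// Any update made by the ndb-operator is accepted without validation.
		// This is an authorization decision based solely on the authenticated
		// username, so the match has to be anchored (see
		// ndbOperatorServiceAccountRe).
		if ndbOperatorServiceAccountRe.MatchString(req.UserInfo.Username) {
			klog.Info("Skipping validation for an update from ndb-operator")
			return requestAllowed(req.UID)
		}

		// retrieve new and old objects
		obj, _, err := decoder.Decode(req.Object.Raw, defaultGVK, ac.newObject())
		if err != nil {
			return requestDeniedBad(req.UID, err.Error())
		}
		klog.V(5).Infof("Retrieved new object : %v", obj)

		oldObject, _, err := decoder.Decode(req.OldObject.Raw, defaultGVK, ac.newObject())
		if err != nil {
			return requestDeniedBad(req.UID, err.Error())
		}
		klog.V(5).Infof("Retrieved old object : %v", oldObject)

		// validate the update
		return ac.validateUpdate(req.UID, obj, oldObject)

	default:
		return unsupportedValidatorOperation(req.UID, req.Operation)
	}
}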