Use caches and disable throttling
dramich committed Sep 26, 2020
1 parent 1a8e7a0 commit 9c9a15a
Showing 7 changed files with 33 additions and 36 deletions.
3 changes: 3 additions & 0 deletions main.go
Expand Up @@ -8,6 +8,7 @@ import (

"github.com/rancher/webhook/pkg/admission"
"github.com/rancher/wrangler/pkg/kubeconfig"
"github.com/rancher/wrangler/pkg/ratelimit"
"github.com/rancher/wrangler/pkg/signals"
"github.com/sirupsen/logrus"
)
Expand All @@ -24,6 +25,8 @@ func run() error {
return err
}

cfg.RateLimiter = ratelimit.None

ctx := signals.SetupSignalHandler(context.Background())
if err := admission.ListenAndServe(ctx, cfg); err != nil {
return err
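Review bot: `cfg.RateLimiter = ratelimit.None` in run() removes client-side throttling from every client later built from cfg, and nothing on the line says why that is safe. With the validators moved to caches in this commit the request path should make few live calls, but any call that still goes to the API server (the role-template-binding validators are not visible here) would then scale directly with admission traffic, leaving only whatever server-side limits the cluster applies. I would add a comment such as `// Lookups are served from informer caches; client-side throttling only delays admission responses, so it is disabled and server-side limits apply.` run()'s body starts and ends outside the visible hunks.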
2 changes: 1 addition & 1 deletion pkg/admission/server.go
Expand Up @@ -34,7 +34,7 @@ func ListenAndServe(ctx context.Context, cfg *rest.Config) error {
return err
}

handler, err := Validation(cfg)
handler, err := Validation(ctx, cfg)
if err != nil {
return err
}
8 changes: 6 additions & 2 deletions pkg/admission/validation.go
@@ -1,6 +1,7 @@
package admission

import (
"context"
"net/http"

"github.com/rancher/rancher/pkg/apis/management.cattle.io"
Expand All @@ -9,12 +10,13 @@ import (
"github.com/rancher/webhook/pkg/cluster"
mgmtcontrollers "github.com/rancher/webhook/pkg/generated/controllers/management.cattle.io"
"github.com/rancher/wrangler-api/pkg/generated/controllers/rbac"
"github.com/rancher/wrangler/pkg/start"
"github.com/rancher/wrangler/pkg/webhook"
"k8s.io/client-go/kubernetes"
"k8s.io/client-go/rest"
)

func Validation(cfg *rest.Config) (http.Handler, error) {
func Validation(ctx context.Context, cfg *rest.Config) (http.Handler, error) {
grb, err := mgmtcontrollers.NewFactoryFromConfig(cfg)
if err != nil {
return nil, err
Expand All @@ -25,7 +27,7 @@ func Validation(cfg *rest.Config) (http.Handler, error) {
return nil, err
}

globalRoleBindings, err := auth.NewGRBValidator(grb.Management().V3().GlobalRole(), r.Rbac())
globalRoleBindings, err := auth.NewGRBValidator(grb.Management().V3().GlobalRole().Cache(), r.Rbac())
if err != nil {
return nil, err
}
Expand All @@ -47,5 +49,7 @@ func Validation(cfg *rest.Config) (http.Handler, error) {
router.Kind("ProjectRoleTemplateBinding").Group(management.GroupName).Type(&v3.ProjectRoleTemplateBinding{}).Handle(prtbs)
router.Kind("ClusterRoleTemplateBinding").Group(management.GroupName).Type(&v3.ClusterRoleTemplateBinding{}).Handle(crtbs)

starters := []start.Starter{r, grb}
start.All(ctx, 5, starters...)
return router, nil
}
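Review bot: The result of `start.All(ctx, 5, starters...)` at the end of Validation is discarded, so if the call reports an error (wrangler's start.All returns one, as far as I know) the router is still returned and the webhook answers admission requests from caches that may never have been populated. For a handler that gates role bindings this should fail startup instead: `if err := start.All(ctx, 5, starters...); err != nil { return nil, err }`. A short comment that every `.Cache()` the validators use has to be requested before this call would also help, since the GlobalRole cache above and the RBAC caches in NewGRBValidator appear to be registered only by being asked for; the thread count `5` would read better as a named constant.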
2 changes: 1 addition & 1 deletion pkg/auth/clusterrtb.go
Expand Up @@ -29,7 +29,7 @@ type clusterRoleTemplateBindingValidator struct {

func (c *clusterRoleTemplateBindingValidator) Admit(response *webhook.Response, request *webhook.Request) error {
listTrace := trace.New("clusterRoleTemplateBindingValidator Admit", trace.Field{Key: "user", Value: request.UserInfo.Username})
defer listTrace.LogIfLong(1 * time.Second)
defer listTrace.LogIfLong(2 * time.Second)

crtb, err := crtbObject(request)
if err != nil {
19 changes: 11 additions & 8 deletions pkg/auth/globarolebinding.go
Expand Up @@ -23,36 +23,39 @@ import (
"k8s.io/utils/trace"
)

func NewGRBValidator(grClient v3.GlobalRoleClient, r rbac.Interface) (webhook.Handler, error) {
func NewGRBValidator(grClient v3.GlobalRoleCache, r rbac.Interface) (webhook.Handler, error) {
rbacRestGetter := authentication.RBACRestGetter{
Interface: r,
Roles: r.V1().Role().Cache(),
RoleBindings: r.V1().RoleBinding().Cache(),
ClusterRoles: r.V1().ClusterRole().Cache(),
ClusterRoleBindings: r.V1().ClusterRoleBinding().Cache(),
}

ruleResolver := rbacregistryvalidation.NewDefaultRuleResolver(rbacRestGetter, rbacRestGetter, rbacRestGetter, rbacRestGetter)

return &globalRoleBindingValidator{
globalRoleClient: grClient,
ruleSolver: ruleResolver,
globalRoles: grClient,
ruleSolver: ruleResolver,
}, nil

}

type globalRoleBindingValidator struct {
globalRoleClient v3.GlobalRoleClient
ruleSolver validation.AuthorizationRuleResolver
globalRoles v3.GlobalRoleCache
ruleSolver validation.AuthorizationRuleResolver
}

func (grbv *globalRoleBindingValidator) Admit(response *webhook.Response, request *webhook.Request) error {
listTrace := trace.New("globalRoleBindingValidator Admit", trace.Field{Key: "user", Value: request.UserInfo.Username})
defer listTrace.LogIfLong(1 * time.Second)
defer listTrace.LogIfLong(2 * time.Second)

newGRB, err := grbObject(request)
if err != nil {
return err
}

// Pull the global role to get the rules
globalRole, err := grbv.globalRoleClient.Get(newGRB.GlobalRoleName, metav1.GetOptions{})
globalRole, err := grbv.globalRoles.Get(newGRB.GlobalRoleName)
if err != nil {
return err
}
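Review bot: `grbv.globalRoles.Get(newGRB.GlobalRoleName)` in Admit now reads the informer cache, so the rules used for the escalation check are those of the cached GlobalRole, which can lag the API server when a role was created or edited just before the binding request. A role not yet in the cache returns an error (how that maps to allow or deny is outside this hunk), and a stale entry means the check can run against a rule set that differs from the one the binding will actually grant. I would at least document this on the struct field, e.g. `// globalRoles is an informer cache; reads are eventually consistent and may lag a recent GlobalRole change.`, and consider a live Get as a fallback on not-found, which would need the client kept alongside the cache. The same consistency caveat applies to the four RBAC caches wired into `rbacRestGetter` in NewGRBValidator. Admit continues past the end of the hunk.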
2 changes: 1 addition & 1 deletion pkg/auth/projectrtb.go
Expand Up @@ -24,7 +24,7 @@ type projectRoleTemplateBindingValidator struct {

func (p *projectRoleTemplateBindingValidator) Admit(response *webhook.Response, request *webhook.Request) error {
listTrace := trace.New("projectRoleTemplateBindingValidator Admit", trace.Field{Key: "user", Value: request.UserInfo.Username})
defer listTrace.LogIfLong(1 * time.Second)
defer listTrace.LogIfLong(2 * time.Second)

prtb, err := prtbObject(request)
if err != nil {
33 changes: 10 additions & 23 deletions pkg/authentication/rolegetter.go
@@ -1,43 +1,30 @@
package authentication

import (
"github.com/rancher/wrangler-api/pkg/generated/controllers/rbac"
wranglerv1 "github.com/rancher/wrangler-api/pkg/generated/controllers/rbac/v1"
rbacv1 "k8s.io/api/rbac/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/labels"
)

type RBACRestGetter struct {
rbac.Interface
Roles wranglerv1.RoleCache
RoleBindings wranglerv1.RoleBindingCache
ClusterRoles wranglerv1.ClusterRoleCache
ClusterRoleBindings wranglerv1.ClusterRoleBindingCache
}

func (r RBACRestGetter) GetRole(namespace, name string) (*rbacv1.Role, error) {
return r.Interface.V1().Role().Get(namespace, name, metav1.GetOptions{})
return r.Roles.Get(namespace, name)
}

func (r RBACRestGetter) ListRoleBindings(namespace string) ([]*rbacv1.RoleBinding, error) {
rolebindings, err := r.Interface.V1().RoleBinding().List(namespace, metav1.ListOptions{})
if err != nil {
return nil, err
}
var rbs []*rbacv1.RoleBinding
for i := range rolebindings.Items {
rbs = append(rbs, &rolebindings.Items[i])
}
return rbs, nil
return r.RoleBindings.List(namespace, labels.NewSelector())
}

func (r RBACRestGetter) GetClusterRole(name string) (*rbacv1.ClusterRole, error) {
return r.Interface.V1().ClusterRole().Get(name, metav1.GetOptions{})
return r.ClusterRoles.Get(name)
}

func (r RBACRestGetter) ListClusterRoleBindings() ([]*rbacv1.ClusterRoleBinding, error) {
clusterrolebindings, err := r.Interface.V1().ClusterRoleBinding().List(metav1.ListOptions{})
if err != nil {
return nil, err
}
var crbs []*rbacv1.ClusterRoleBinding
for i := range clusterrolebindings.Items {
crbs = append(crbs, &clusterrolebindings.Items[i])
}
return crbs, nil
return r.ClusterRoleBindings.List(labels.NewSelector())
}
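Review bot: The List methods now return whatever `r.RoleBindings.List(...)` and `r.ClusterRoleBindings.List(...)` hand back, which presumably are pointers to the objects held in the shared informer caches, whereas the removed code returned pointers into a freshly fetched list; callers therefore have to treat the results as read-only, because a mutation would alter the data later admission decisions are evaluated against. RBACRestGetter and its methods carry no doc comments, so I would add one on the type, e.g. `// RBACRestGetter serves RBAC lookups from informer caches. Returned objects are shared and must not be modified; results may lag the API server.` As a style point, `labels.Everything()` states the intent more directly than `labels.NewSelector()`.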
