feat: check user request service account

Author: zijiren233

webhooks/admission/api/v1/pod_validator_test.go

@@ -22,6 +22,7 @@ import (
 	"strings"
 
 	v1 "github.com/labring/sealos/webhook/admission/api/v1"
+	appsv1 "k8s.io/api/apps/v1"
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
@@ -181,17 +182,52 @@ func main() {
 		os.Exit(1)
 	}
 
+	// Create workload mutator and validator
+	workloadMutatorValidator := v1.NewWorkloadMutatorWithThresholds(
+		defaultOversellRatio,
+		databaseOversellRatio,
+		skipCPUThreshold,
+		skipMemoryThreshold,
+	)
+
+	// Register Deployment webhook
+	err = builder.WebhookManagedBy(mgr).
+		For(&appsv1.Deployment{}).
+		WithDefaulter(workloadMutatorValidator).
+		WithValidator(workloadMutatorValidator).
+		Complete()
+	if err != nil {
+		setupLog.Error(err, "unable to create deployment webhook")
+		os.Exit(1)
+	}
+
+	// Register StatefulSet webhook
+	err = builder.WebhookManagedBy(mgr).
+		For(&appsv1.StatefulSet{}).
+		WithDefaulter(workloadMutatorValidator).
+		WithValidator(workloadMutatorValidator).
+		Complete()
+	if err != nil {
+		setupLog.Error(err, "unable to create statefulset webhook")
+		os.Exit(1)
+	}
+
+	// Register ReplicaSet webhook
+	err = builder.WebhookManagedBy(mgr).
+		For(&appsv1.ReplicaSet{}).
+		WithDefaulter(workloadMutatorValidator).
+		WithValidator(workloadMutatorValidator).
+		Complete()
+	if err != nil {
+		setupLog.Error(err, "unable to create replicaset webhook")
+		os.Exit(1)
+	}
+
+	// Register Pod webhook (only for pods created directly by users)
 	err = builder.WebhookManagedBy(mgr).
 		For(&corev1.Pod{}).
-		WithDefaulter(
-			v1.NewPodMutatorWithThresholds(
-				defaultOversellRatio,
-				databaseOversellRatio,
-				skipCPUThreshold,
-				skipMemoryThreshold,
-			),
-		).
-		WithValidator(&v1.PodValidator{}).
+		WithDefaulter(workloadMutatorValidator).
+		WithValidator(workloadMutatorValidator).
 		Complete()
 	if err != nil {
 		setupLog.Error(err, "unable to create pod webhook")

webhooks/admission/api/v1/pod_webhook.go

@@ -66,6 +66,78 @@ webhooks:
     resources:
     - namespaces
   sideEffects: None
+- admissionReviewVersions:
+  - v1
+  clientConfig:
+    service:
+      name: webhook-service
+      namespace: system
+      path: /mutate-apps-v1-deployment
+  failurePolicy: Ignore
+  name: mdeployment.sealos.io
+  namespaceSelector:
+    matchExpressions:
+      - key: user.sealos.io/owner
+        operator: Exists
+  rules:
+  - apiGroups:
+    - apps
+    apiVersions:
+    - v1
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - deployments
+  sideEffects: None
+- admissionReviewVersions:
+  - v1
+  clientConfig:
+    service:
+      name: webhook-service
+      namespace: system
+      path: /mutate-apps-v1-statefulset
+  failurePolicy: Ignore
+  name: mstatefulset.sealos.io
+  namespaceSelector:
+    matchExpressions:
+      - key: user.sealos.io/owner
+        operator: Exists
+  rules:
+  - apiGroups:
+    - apps
+    apiVersions:
+    - v1
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - statefulsets
+  sideEffects: None
+- admissionReviewVersions:
+  - v1
+  clientConfig:
+    service:
+      name: webhook-service
+      namespace: system
+      path: /mutate-apps-v1-replicaset
+  failurePolicy: Ignore
+  name: mreplicaset.sealos.io
+  namespaceSelector:
+    matchExpressions:
+      - key: user.sealos.io/owner
+        operator: Exists
+  rules:
+  - apiGroups:
+    - apps
+    apiVersions:
+    - v1
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - replicasets
+  sideEffects: None
 - admissionReviewVersions:
   - v1
   clientConfig:
@@ -146,6 +218,78 @@ webhooks:
     resources:
     - namespaces
   sideEffects: None
+- admissionReviewVersions:
+  - v1
+  clientConfig:
+    service:
+      name: webhook-service
+      namespace: system
+      path: /validate-apps-v1-deployment
+  failurePolicy: Ignore
+  name: vdeployment.sealos.io
+  namespaceSelector:
+    matchExpressions:
+      - key: user.sealos.io/owner
+        operator: Exists
+  rules:
+  - apiGroups:
+    - apps
+    apiVersions:
+    - v1
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - deployments
+  sideEffects: None
+- admissionReviewVersions:
+  - v1
+  clientConfig:
+    service:
+      name: webhook-service
+      namespace: system
+      path: /validate-apps-v1-statefulset
+  failurePolicy: Ignore
+  name: vstatefulset.sealos.io
+  namespaceSelector:
+    matchExpressions:
+      - key: user.sealos.io/owner
+        operator: Exists
+  rules:
+  - apiGroups:
+    - apps
+    apiVersions:
+    - v1
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - statefulsets
+  sideEffects: None
+- admissionReviewVersions:
+  - v1
+  clientConfig:
+    service:
+      name: webhook-service
+      namespace: system
+      path: /validate-apps-v1-replicaset
+  failurePolicy: Ignore
+  name: vreplicaset.sealos.io
+  namespaceSelector:
+    matchExpressions:
+      - key: user.sealos.io/owner
+        operator: Exists
+  rules:
+  - apiGroups:
+    - apps
+    apiVersions:
+    - v1
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - replicasets
+  sideEffects: None
 - admissionReviewVersions:
   - v1
   clientConfig:

webhooks/admission/api/v1/pod_webhook_test.go

@@ -20,7 +20,8 @@ ENV icpKey=""
 ENV namespaceWebhookEnabled="true"
 ENV namespaceWebhookFailurePolicy="Fail"
 
-ENV podWebhookEnabled="true"
+# Workload webhook settings (applies to Deployment, StatefulSet, ReplicaSet, and Pod)
+ENV workloadWebhookEnabled="true"
 ENV defaultOversellRatio="10"
 ENV databaseOversellRatio="5"
 ENV skipCPUThreshold="100m"

webhooks/admission/api/v1/workload_webhook.go

@@ -489,7 +489,79 @@ webhooks:
     - namespaces
   sideEffects: None
 {{ end }}
-{{ if .podWebhookEnabled }}
+{{ if .workloadWebhookEnabled }}
+- admissionReviewVersions:
+  - v1
+  clientConfig:
+    service:
+      name: admission-webhook-service
+      namespace: sealos-system
+      path: /mutate-apps-v1-deployment
+  failurePolicy: Ignore
+  name: mdeployment.sealos.io
+  namespaceSelector:
+    matchExpressions:
+      - key: user.sealos.io/owner
+        operator: Exists
+  rules:
+  - apiGroups:
+    - apps
+    apiVersions:
+    - v1
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - deployments
+  sideEffects: None
+- admissionReviewVersions:
+  - v1
+  clientConfig:
+    service:
+      name: admission-webhook-service
+      namespace: sealos-system
+      path: /mutate-apps-v1-statefulset
+  failurePolicy: Ignore
+  name: mstatefulset.sealos.io
+  namespaceSelector:
+    matchExpressions:
+      - key: user.sealos.io/owner
+        operator: Exists
+  rules:
+  - apiGroups:
+    - apps
+    apiVersions:
+    - v1
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - statefulsets
+  sideEffects: None
+- admissionReviewVersions:
+  - v1
+  clientConfig:
+    service:
+      name: admission-webhook-service
+      namespace: sealos-system
+      path: /mutate-apps-v1-replicaset
+  failurePolicy: Ignore
+  name: mreplicaset.sealos.io
+  namespaceSelector:
+    matchExpressions:
+      - key: user.sealos.io/owner
+        operator: Exists
+  rules:
+  - apiGroups:
+    - apps
+    apiVersions:
+    - v1
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - replicasets
+  sideEffects: None
 - admissionReviewVersions:
   - v1
   clientConfig:
@@ -585,7 +657,79 @@ webhooks:
     - namespaces
   sideEffects: None
 {{ end }}
-{{ if .podWebhookEnabled }}
+{{ if .workloadWebhookEnabled }}
+- admissionReviewVersions:
+  - v1
+  clientConfig:
+    service:
+      name: admission-webhook-service
+      namespace: sealos-system
+      path: /validate-apps-v1-deployment
+  failurePolicy: Ignore
+  name: vdeployment.sealos.io
+  namespaceSelector:
+    matchExpressions:
+      - key: user.sealos.io/owner
+        operator: Exists
+  rules:
+  - apiGroups:
+    - apps
+    apiVersions:
+    - v1
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - deployments
+  sideEffects: None
+- admissionReviewVersions:
+  - v1
+  clientConfig:
+    service:
+      name: admission-webhook-service
+      namespace: sealos-system
+      path: /validate-apps-v1-statefulset
+  failurePolicy: Ignore
+  name: vstatefulset.sealos.io
+  namespaceSelector:
+    matchExpressions:
+      - key: user.sealos.io/owner
+        operator: Exists
+  rules:
+  - apiGroups:
+    - apps
+    apiVersions:
+    - v1
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - statefulsets
+  sideEffects: None
+- admissionReviewVersions:
+  - v1
+  clientConfig:
+    service:
+      name: admission-webhook-service
+      namespace: sealos-system
+      path: /validate-apps-v1-replicaset
+  failurePolicy: Ignore
+  name: vreplicaset.sealos.io
+  namespaceSelector:
+    matchExpressions:
+      - key: user.sealos.io/owner
+        operator: Exists
+  rules:
+  - apiGroups:
+    - apps
+    apiVersions:
+    - v1
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - replicasets
+  sideEffects: None
 - admissionReviewVersions:
   - v1
   clientConfig: