Implement resources-deletion-protection including Always and Cascading

Signed-off-by: FillZpp <[email protected]>
openkruise · May 18, 2021 · 6675044 · 6675044
1 parent c5c37ae
commit 6675044
Show file tree

Hide file tree

Showing 28 changed files with 1,181 additions and 50 deletions.
diff --git a/apis/policy/v1alpha1/doc.go b/apis/policy/v1alpha1/doc.go
@@ -0,0 +1,19 @@
+/*
+Copyright 2021 The Kruise Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// +k8s:openapi-gen=true
+// +groupName=policy.kruise.io
+package v1alpha1
diff --git a/apis/policy/v1alpha1/groupversion_info.go b/apis/policy/v1alpha1/groupversion_info.go
@@ -0,0 +1,43 @@
+/*
+Copyright 2021 The Kruise Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Package v1alpha1 contains API Schema definitions for the policy v1alpha1 API group
+// +kubebuilder:object:generate=true
+// +groupName=policy.kruise.io
+package v1alpha1
+
+import (
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"sigs.k8s.io/controller-runtime/pkg/scheme"
+)
+
+var (
+	// GroupVersion is group version used to register these objects
+	GroupVersion = schema.GroupVersion{Group: "policy.kruise.io", Version: "v1alpha1"}
+
+	SchemeGroupVersion = GroupVersion
+
+	// SchemeBuilder is used to add go types to the GroupVersionKind scheme
+	SchemeBuilder = &scheme.Builder{GroupVersion: GroupVersion}
+
+	// AddToScheme adds the types in this group-version to the given scheme.
+	AddToScheme = SchemeBuilder.AddToScheme
+)
+
+// Resource is required by pkg/client/listers/...
+func Resource(resource string) schema.GroupResource {
+	return SchemeGroupVersion.WithResource(resource).GroupResource()
+}
diff --git a/apis/policy/v1alpha1/resources_deletion_protection.go b/apis/policy/v1alpha1/resources_deletion_protection.go
@@ -0,0 +1,28 @@
+/*
+Copyright 2021 The Kruise Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha1
+
+const (
+	// DeletionProtectionKey is a key in object labels and its value can be Always and Cascading.
+	// Currently supports Namespace, CustomResourcesDefinition, Deployment, StatefulSet, ReplicaSet, CloneSet, Advanced StatefulSet, UnitedDeployment.
+	DeletionProtectionKey = "policy.kruise.io/delete-protection"
+
+	// DeletionProtectionTypeAlways indicates this object will always be forbidden to be deleted, unless the label is removed.
+	DeletionProtectionTypeAlways = "Always"
+	// DeletionProtectionTypeCascading indicates this object will be forbidden to be deleted, if it has active resources owned.
+	DeletionProtectionTypeCascading = "Cascading"
+)
diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
@@ -6,6 +6,12 @@ metadata:
   creationTimestamp: null
   name: manager-role
 rules:
+- apiGroups:
+  - '*'
+  resources:
+  - '*'
+  verbs:
+  - list
 - apiGroups:
   - admissionregistration.k8s.io
   resources:

diff --git a/config/webhook/manifests.yaml b/config/webhook/manifests.yaml
@@ -248,6 +248,57 @@ webhooks:
     - UPDATE
     resources:
     - broadcastjobs
+- clientConfig:
+    caBundle: Cg==
+    service:
+      name: webhook-service
+      namespace: system
+      path: /validate-apps-deployment
+  failurePolicy: Fail
+  name: vbuiltindeployment.kb.io
+  rules:
+  - apiGroups:
+    - apps
+    apiVersions:
+    - v1
+    operations:
+    - DELETE
+    resources:
+    - deployments
+- clientConfig:
+    caBundle: Cg==
+    service:
+      name: webhook-service
+      namespace: system
+      path: /validate-apps-replicaset
+  failurePolicy: Fail
+  name: vbuiltinreplicaset.kb.io
+  rules:
+  - apiGroups:
+    - apps
+    apiVersions:
+    - v1
+    operations:
+    - DELETE
+    resources:
+    - replicasets
+- clientConfig:
+    caBundle: Cg==
+    service:
+      name: webhook-service
+      namespace: system
+      path: /validate-apps-statefulset
+  failurePolicy: Fail
+  name: vbuiltinstatefulset.kb.io
+  rules:
+  - apiGroups:
+    - apps
+    apiVersions:
+    - v1
+    operations:
+    - DELETE
+    resources:
+    - statefulsets
 - clientConfig:
     caBundle: Cg==
     service:
@@ -264,8 +315,27 @@ webhooks:
     operations:
     - CREATE
     - UPDATE
+    - DELETE
     resources:
     - clonesets
+- clientConfig:
+    caBundle: Cg==
+    service:
+      name: webhook-service
+      namespace: system
+      path: /validate-customresourcedefinition
+  failurePolicy: Fail
+  name: vcustomresourcedefinition.kb.io
+  rules:
+  - apiGroups:
+    - apiextensions.k8s.io
+    apiVersions:
+    - v1
+    - v1beta1
+    operations:
+    - DELETE
+    resources:
+    - customresourcedefinitions
 - clientConfig:
     caBundle: Cg==
     service:
@@ -302,6 +372,23 @@ webhooks:
     - UPDATE
     resources:
     - imagepulljobs
+- clientConfig:
+    caBundle: Cg==
+    service:
+      name: webhook-service
+      namespace: system
+      path: /validate-namespace
+  failurePolicy: Fail
+  name: vnamespace.kb.io
+  rules:
+  - apiGroups:
+    - ""
+    apiVersions:
+    - v1
+    operations:
+    - DELETE
+    resources:
+    - namespaces
 - clientConfig:
     caBundle: Cg==
     service:
@@ -355,6 +442,7 @@ webhooks:
     operations:
     - CREATE
     - UPDATE
+    - DELETE
     resources:
     - statefulsets
 - clientConfig:
@@ -373,5 +461,6 @@ webhooks:
     operations:
     - CREATE
     - UPDATE
+    - DELETE
     resources:
     - uniteddeployments
diff --git a/main.go b/main.go
@@ -24,11 +24,6 @@ import (
 	"os"
 	"time"
 
-	extclient "github.com/openkruise/kruise/pkg/client"
-	"github.com/openkruise/kruise/pkg/features"
-	utilfeature "github.com/openkruise/kruise/pkg/util/feature"
-	"github.com/openkruise/kruise/pkg/util/fieldindex"
-	"github.com/openkruise/kruise/pkg/webhook"
 	"github.com/spf13/pflag"
 	"k8s.io/apimachinery/pkg/runtime"
 	clientgoscheme "k8s.io/client-go/kubernetes/scheme"
@@ -39,8 +34,15 @@ import (
 	"k8s.io/kubernetes/pkg/capabilities"
 	ctrl "sigs.k8s.io/controller-runtime"
 
+	extclient "github.com/openkruise/kruise/pkg/client"
+	"github.com/openkruise/kruise/pkg/features"
+	utilfeature "github.com/openkruise/kruise/pkg/util/feature"
+	"github.com/openkruise/kruise/pkg/util/fieldindex"
+	"github.com/openkruise/kruise/pkg/webhook"
+
 	appsv1alpha1 "github.com/openkruise/kruise/apis/apps/v1alpha1"
 	appsv1beta1 "github.com/openkruise/kruise/apis/apps/v1beta1"
+	policyv1alpha1 "github.com/openkruise/kruise/apis/policy/v1alpha1"
 	"github.com/openkruise/kruise/pkg/controller"
 	// +kubebuilder:scaffold:imports
 )
@@ -60,6 +62,7 @@ func init() {
 
 	_ = appsv1alpha1.AddToScheme(scheme)
 	_ = appsv1beta1.AddToScheme(scheme)
+	_ = policyv1alpha1.AddToScheme(scheme)
 	// +kubebuilder:scaffold:scheme
 }
 

diff --git a/pkg/features/kruise_features.go b/pkg/features/kruise_features.go
@@ -49,6 +49,14 @@ const (
 	// CloneSetPartitionRollback enables CloneSet controller to rollback Pods to currentRevision
 	// when number of updateRevision pods is bigger than (replicas - partition).
 	CloneSetPartitionRollback featuregate.Feature = "CloneSetPartitionRollback"
+
+	// ResourcesDeletionProtection enables protection for resources deletion, currently supports
+	// Namespace, CustomResourcesDefinition, Deployment, StatefulSet, ReplicaSet, CloneSet, Advanced StatefulSet, UnitedDeployment.
+	// It is only supported for Kubernetes version >= 1.16
+	// Note that if it is enabled during Kruise installation or upgrade, Kruise will require more authorities:
+	// 1. Webhook for deletion operation of namespace, crd, deployment, statefulset, replicaset and workloads in Kruise.
+	// 2. ClusterRole for reading all resource types, because CRD validation needs to list the CRs of this CRD.
+	ResourcesDeletionProtection featuregate.Feature = "ResourcesDeletionProtection"
 )
 
 var defaultFeatureGates = map[featuregate.Feature]featuregate.FeatureSpec{
@@ -58,6 +66,7 @@ var defaultFeatureGates = map[featuregate.Feature]featuregate.FeatureSpec{
 	KruisePodReadinessGate:           {Default: false, PreRelease: featuregate.Alpha},
 	PreDownloadImageForInPlaceUpdate: {Default: false, PreRelease: featuregate.Alpha},
 	CloneSetPartitionRollback:        {Default: false, PreRelease: featuregate.Alpha},
+	ResourcesDeletionProtection:      {Default: false, PreRelease: featuregate.Alpha},
 }
 
 func init() {

diff --git a/pkg/webhook/add_builtinworkloads.go b/pkg/webhook/add_builtinworkloads.go
@@ -0,0 +1,25 @@
+/*
+Copyright 2021 The Kruise Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package webhook
+
+import (
+	"github.com/openkruise/kruise/pkg/webhook/builtinworkloads/validating"
+)
+
+func init() {
+	addHandlers(validating.HandlerMap)
+}
diff --git a/pkg/webhook/add_customresourcedefinition.go b/pkg/webhook/add_customresourcedefinition.go
@@ -0,0 +1,25 @@
+/*
+Copyright 2021 The Kruise Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package webhook
+
+import (
+	"github.com/openkruise/kruise/pkg/webhook/customresourcedefinition/validating"
+)
+
+func init() {
+	addHandlers(validating.HandlerMap)
+}
diff --git a/pkg/webhook/add_namespace.go b/pkg/webhook/add_namespace.go
@@ -0,0 +1,25 @@
+/*
+Copyright 2021 The Kruise Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package webhook
+
+import (
+	"github.com/openkruise/kruise/pkg/webhook/namespace/validating"
+)
+
+func init() {
+	addHandlers(validating.HandlerMap)
+}