Merge pull request karmada-io#1429 from XiShanYongYe-Chang/federated-resource-qupta-validation

add validation for federatedResourceQuota create/update

Author: karmada-bot

artifacts/deploy/webhook-configuration.yaml

@@ -139,3 +139,17 @@ webhooks:
     sideEffects: None
     admissionReviewVersions: ["v1"]
     timeoutSeconds: 3
+  - name: federatedresourcequota.karmada.io
+    rules:
+      - operations: ["CREATE", "UPDATE"]
+        apiGroups: ["policy.karmada.io"]
+        apiVersions: ["*"]
+        resources: ["federatedresourcequotas"]
+        scope: "Namespaced"
+    clientConfig:
+      url: https://karmada-webhook.karmada-system.svc:443/validate-federatedresourcequota
+      caBundle: {{caBundle}}
+    failurePolicy: Fail
+    sideEffects: None
+    admissionReviewVersions: [ "v1" ]
+    timeoutSeconds: 3

cmd/webhook/app/webhook.go

@@ -21,6 +21,7 @@ import (
 	"github.com/karmada-io/karmada/pkg/webhook/clusteroverridepolicy"
 	"github.com/karmada-io/karmada/pkg/webhook/clusterpropagationpolicy"
 	"github.com/karmada-io/karmada/pkg/webhook/configuration"
+	"github.com/karmada-io/karmada/pkg/webhook/federatedresourcequota"
 	"github.com/karmada-io/karmada/pkg/webhook/overridepolicy"
 	"github.com/karmada-io/karmada/pkg/webhook/propagationpolicy"
 	"github.com/karmada-io/karmada/pkg/webhook/work"
@@ -102,6 +103,7 @@ func Run(ctx context.Context, opts *options.Options) error {
 	hookServer.Register("/mutate-work", &webhook.Admission{Handler: &work.MutatingAdmission{}})
 	hookServer.Register("/convert", &conversion.Webhook{})
 	hookServer.Register("/validate-resourceinterpreterwebhookconfiguration", &webhook.Admission{Handler: &configuration.ValidatingAdmission{}})
+	hookServer.Register("/validate-federatedresourcequota", &webhook.Admission{Handler: &federatedresourcequota.ValidatingAdmission{}})
 	hookServer.WebhookMux.Handle("/readyz/", http.StripPrefix("/readyz/", &healthz.Handler{}))
 
 	// blocks until the context is done.

pkg/webhook/federatedresourcequota/helper/helper.go

@@ -0,0 +1,136 @@
+/*
+Copyright 2014 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// This code is directly lifted from the Kubernetes codebase in order to avoid relying on the k8s.io/kubernetes package.
+// For reference:
+// https://github.com/kubernetes/kubernetes/blob/release-1.22/pkg/apis/core/helper/helpers.go#L57-L61
+// https://github.com/kubernetes/kubernetes/blob/release-1.22/pkg/apis/core/helper/helpers.go#L169-L192
+// https://github.com/kubernetes/kubernetes/blob/release-1.22/pkg/apis/core/helper/helpers.go#L212-L283
+
+package helper
+
+import (
+	"fmt"
+	"strings"
+
+	corev1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/util/sets"
+	"k8s.io/apimachinery/pkg/util/validation"
+)
+
+// IsQuotaHugePageResourceName returns true if the resource name has the quota
+// related huge page resource prefix.
+func IsQuotaHugePageResourceName(name corev1.ResourceName) bool {
+	return strings.HasPrefix(string(name), corev1.ResourceHugePagesPrefix) || strings.HasPrefix(string(name), corev1.ResourceRequestsHugePagesPrefix)
+}
+
+// IsExtendedResourceName returns true if:
+// 1. the resource name is not in the default namespace;
+// 2. resource name does not have "requests." prefix,
+// to avoid confusion with the convention in quota
+// 3. it satisfies the rules in IsQualifiedName() after converted into quota resource name
+func IsExtendedResourceName(name corev1.ResourceName) bool {
+	if IsNativeResource(name) || strings.HasPrefix(string(name), corev1.DefaultResourceRequestsPrefix) {
+		return false
+	}
+	// Ensure it satisfies the rules in IsQualifiedName() after converted into quota resource name
+	nameForQuota := fmt.Sprintf("%s%s", corev1.DefaultResourceRequestsPrefix, string(name))
+	if errs := validation.IsQualifiedName(string(nameForQuota)); len(errs) != 0 {
+		return false
+	}
+	return true
+}
+
+// IsNativeResource returns true if the resource name is in the
+// *kubernetes.io/ namespace. Partially-qualified (unprefixed) names are
+// implicitly in the kubernetes.io/ namespace.
+func IsNativeResource(name corev1.ResourceName) bool {
+	return !strings.Contains(string(name), "/") ||
+		strings.Contains(string(name), corev1.ResourceDefaultNamespacePrefix)
+}
+
+var standardQuotaResources = sets.NewString(
+	string(corev1.ResourceCPU),
+	string(corev1.ResourceMemory),
+	string(corev1.ResourceEphemeralStorage),
+	string(corev1.ResourceRequestsCPU),
+	string(corev1.ResourceRequestsMemory),
+	string(corev1.ResourceRequestsStorage),
+	string(corev1.ResourceRequestsEphemeralStorage),
+	string(corev1.ResourceLimitsCPU),
+	string(corev1.ResourceLimitsMemory),
+	string(corev1.ResourceLimitsEphemeralStorage),
+	string(corev1.ResourcePods),
+	string(corev1.ResourceQuotas),
+	string(corev1.ResourceServices),
+	string(corev1.ResourceReplicationControllers),
+	string(corev1.ResourceSecrets),
+	string(corev1.ResourcePersistentVolumeClaims),
+	string(corev1.ResourceConfigMaps),
+	string(corev1.ResourceServicesNodePorts),
+	string(corev1.ResourceServicesLoadBalancers),
+)
+
+// IsStandardQuotaResourceName returns true if the resource is known to
+// the quota tracking system
+func IsStandardQuotaResourceName(str string) bool {
+	return standardQuotaResources.Has(str) || IsQuotaHugePageResourceName(corev1.ResourceName(str))
+}
+
+var standardResources = sets.NewString(
+	string(corev1.ResourceCPU),
+	string(corev1.ResourceMemory),
+	string(corev1.ResourceEphemeralStorage),
+	string(corev1.ResourceRequestsCPU),
+	string(corev1.ResourceRequestsMemory),
+	string(corev1.ResourceRequestsEphemeralStorage),
+	string(corev1.ResourceLimitsCPU),
+	string(corev1.ResourceLimitsMemory),
+	string(corev1.ResourceLimitsEphemeralStorage),
+	string(corev1.ResourcePods),
+	string(corev1.ResourceQuotas),
+	string(corev1.ResourceServices),
+	string(corev1.ResourceReplicationControllers),
+	string(corev1.ResourceSecrets),
+	string(corev1.ResourceConfigMaps),
+	string(corev1.ResourcePersistentVolumeClaims),
+	string(corev1.ResourceStorage),
+	string(corev1.ResourceRequestsStorage),
+	string(corev1.ResourceServicesNodePorts),
+	string(corev1.ResourceServicesLoadBalancers),
+)
+
+// IsStandardResourceName returns true if the resource is known to the system
+func IsStandardResourceName(str string) bool {
+	return standardResources.Has(str) || IsQuotaHugePageResourceName(corev1.ResourceName(str))
+}
+
+var integerResources = sets.NewString(
+	string(corev1.ResourcePods),
+	string(corev1.ResourceQuotas),
+	string(corev1.ResourceServices),
+	string(corev1.ResourceReplicationControllers),
+	string(corev1.ResourceSecrets),
+	string(corev1.ResourceConfigMaps),
+	string(corev1.ResourcePersistentVolumeClaims),
+	string(corev1.ResourceServicesNodePorts),
+	string(corev1.ResourceServicesLoadBalancers),
+)
+
+// IsIntegerResourceName returns true if the resource is measured in integer values
+func IsIntegerResourceName(str string) bool {
+	return integerResources.Has(str) || IsExtendedResourceName(corev1.ResourceName(str))
+}

pkg/webhook/federatedresourcequota/validating.go

@@ -0,0 +1,157 @@
+package federatedresourcequota
+
+import (
+	"context"
+	"net/http"
+	"strings"
+
+	corev1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/api/resource"
+	"k8s.io/apimachinery/pkg/util/validation/field"
+	"k8s.io/klog/v2"
+	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
+
+	clustervalidation "github.com/karmada-io/karmada/pkg/apis/cluster/validation"
+	policyv1alpha1 "github.com/karmada-io/karmada/pkg/apis/policy/v1alpha1"
+)
+
+// ValidatingAdmission validates FederatedResourceQuota object when creating/updating.
+type ValidatingAdmission struct {
+	decoder *admission.Decoder
+}
+
+// Check if our ValidatingAdmission implements necessary interface
+var _ admission.Handler = &ValidatingAdmission{}
+var _ admission.DecoderInjector = &ValidatingAdmission{}
+
+// Handle implements admission.Handler interface.
+// It yields a response to an AdmissionRequest.
+func (v *ValidatingAdmission) Handle(ctx context.Context, req admission.Request) admission.Response {
+	quota := &policyv1alpha1.FederatedResourceQuota{}
+
+	err := v.decoder.Decode(req, quota)
+	if err != nil {
+		return admission.Errored(http.StatusBadRequest, err)
+	}
+	klog.V(2).Infof("Validating FederatedResourceQuote(%s) for request: %s", klog.KObj(quota).String(), req.Operation)
+
+	if errs := validateFederatedResourceQuota(quota); len(errs) != 0 {
+		klog.Errorf("%v", errs)
+		return admission.Denied(errs.ToAggregate().Error())
+	}
+
+	return admission.Allowed("")
+}
+
+// InjectDecoder implements admission.DecoderInjector interface.
+// A decoder will be automatically injected.
+func (v *ValidatingAdmission) InjectDecoder(d *admission.Decoder) error {
+	v.decoder = d
+	return nil
+}
+
+func validateFederatedResourceQuota(quota *policyv1alpha1.FederatedResourceQuota) field.ErrorList {
+	errs := field.ErrorList{}
+	errs = append(errs, validateFederatedResourceQuotaSpec(&quota.Spec, field.NewPath("spec"))...)
+	errs = append(errs, validateFederatedResourceQuotaStatus(&quota.Status, field.NewPath("status"))...)
+	return errs
+}
+
+func validateFederatedResourceQuotaSpec(quotaSpec *policyv1alpha1.FederatedResourceQuotaSpec, fld *field.Path) field.ErrorList {
+	errs := field.ErrorList{}
+
+	errs = append(errs, validateResourceList(quotaSpec.Overall, fld.Child("overall"))...)
+
+	fldPath := fld.Child("staticAssignments")
+	for index := range quotaSpec.StaticAssignments {
+		errs = append(errs, validateStaticAssignment(&quotaSpec.StaticAssignments[index], fldPath.Index(index))...)
+	}
+
+	errs = append(errs, validateOverallAndAssignments(quotaSpec, fld)...)
+
+	return errs
+}
+
+func validateStaticAssignment(staticAssignment *policyv1alpha1.StaticClusterAssignment, fld *field.Path) field.ErrorList {
+	errs := field.ErrorList{}
+
+	if errMegs := clustervalidation.ValidateClusterName(staticAssignment.ClusterName); len(errMegs) > 0 {
+		errs = append(errs, field.Invalid(fld.Child("clusterName"), staticAssignment.ClusterName, strings.Join(errMegs, ",")))
+	}
+	errs = append(errs, validateResourceList(staticAssignment.Hard, fld.Child("hard"))...)
+
+	return errs
+}
+
+func validateOverallAndAssignments(quotaSpec *policyv1alpha1.FederatedResourceQuotaSpec, fld *field.Path) field.ErrorList {
+	errs := field.ErrorList{}
+
+	overallPath := fld.Child("overall")
+	for k, v := range quotaSpec.Overall {
+		assignment := calculateAssignmentForResourceKey(k, quotaSpec.StaticAssignments)
+		if v.Cmp(assignment) < 0 {
+			errs = append(errs, field.Invalid(overallPath.Key(string(k)), v, "overall is less than assignments"))
+		}
+	}
+
+	staticAssignmentsPath := fld.Child("staticAssignments")
+	for index, assignment := range quotaSpec.StaticAssignments {
+		restPath := staticAssignmentsPath.Index(index).Child("hard")
+		for k := range assignment.Hard {
+			if _, exist := quotaSpec.Overall[k]; !exist {
+				errs = append(errs, field.Invalid(restPath.Key(string(k)), k, "assignment resourceName is not exist in overall"))
+			}
+		}
+	}
+
+	return errs
+}
+
+func calculateAssignmentForResourceKey(resourceKey corev1.ResourceName, staticAssignments []policyv1alpha1.StaticClusterAssignment) resource.Quantity {
+	quantity := resource.Quantity{}
+	for index := range staticAssignments {
+		q, exist := staticAssignments[index].Hard[resourceKey]
+		if exist {
+			quantity.Add(q)
+		}
+	}
+	return quantity
+}
+
+func validateFederatedResourceQuotaStatus(quotaStatus *policyv1alpha1.FederatedResourceQuotaStatus, fld *field.Path) field.ErrorList {
+	errs := field.ErrorList{}
+
+	errs = append(errs, validateResourceList(quotaStatus.Overall, fld.Child("overall"))...)
+	errs = append(errs, validateResourceList(quotaStatus.OverallUsed, fld.Child("overallUsed"))...)
+
+	fldPath := fld.Child("aggregatedStatus")
+	for index := range quotaStatus.AggregatedStatus {
+		errs = append(errs, validateClusterQuotaStatus(&quotaStatus.AggregatedStatus[index], fldPath.Index(index))...)
+	}
+
+	return errs
+}
+
+func validateClusterQuotaStatus(aggregatedStatus *policyv1alpha1.ClusterQuotaStatus, fld *field.Path) field.ErrorList {
+	errs := field.ErrorList{}
+
+	if errMegs := clustervalidation.ValidateClusterName(aggregatedStatus.ClusterName); len(errMegs) > 0 {
+		errs = append(errs, field.Invalid(fld.Child("clusterName"), aggregatedStatus.ClusterName, strings.Join(errMegs, ",")))
+	}
+	errs = append(errs, validateResourceList(aggregatedStatus.Hard, fld.Child("hard"))...)
+	errs = append(errs, validateResourceList(aggregatedStatus.Used, fld.Child("used"))...)
+
+	return errs
+}
+
+func validateResourceList(resourceList corev1.ResourceList, fld *field.Path) field.ErrorList {
+	errs := field.ErrorList{}
+
+	for k, v := range resourceList {
+		resPath := fld.Key(string(k))
+		errs = append(errs, ValidateResourceQuotaResourceName(string(k), resPath)...)
+		errs = append(errs, ValidateResourceQuantityValue(string(k), v, resPath)...)
+	}
+
+	return errs
+}