Propagate restricted-access to cleanup job and handle in webhook

* Propagate restricted-access annotation from DevWorkspace to the
cleanup job
* Handle restricted-access annotation as normal for Jobs

Signed-off-by: Angel Misevski <[email protected]>

Author: amisevsk

controllers/workspace/finalize.go

@@ -111,14 +111,17 @@ func (r *DevWorkspaceReconciler) finalize(ctx context.Context, log logr.Logger,
 func (r *DevWorkspaceReconciler) getSpecCleanupJob(workspace *v1alpha2.DevWorkspace) (*batchv1.Job, error) {
 	workspaceId := workspace.Status.WorkspaceId
 	pvcName := config.ControllerCfg.GetWorkspacePVCName()
-
+	jobLabels := map[string]string{
+		config.WorkspaceIDLabel: workspaceId,
+	}
+	if restrictedAccess, needsRestrictedAccess := workspace.Annotations[config.WorkspaceRestrictedAccessAnnotation]; needsRestrictedAccess {
+		jobLabels[config.WorkspaceRestrictedAccessAnnotation] = restrictedAccess
+	}
 	job := &batchv1.Job{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      common.PVCCleanupJobName(workspaceId),
 			Namespace: workspace.Namespace,
-			Labels: map[string]string{
-				config.WorkspaceIDLabel: workspaceId,
-			},
+			Labels:    jobLabels,
 		},
 		Spec: batchv1.JobSpec{
 			Completions:  &cleanupJobCompletions,

webhook/workspace/handler/kind.go

@@ -11,7 +11,9 @@
 //
 package handler
 
-import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
 
 var (
 	V1alpha1DevWorkspaceKind     = metav1.GroupVersionKind{Kind: "DevWorkspace", Group: "workspace.devfile.io", Version: "v1alpha1"}
@@ -23,5 +25,6 @@ var (
 	V1PodKind            = metav1.GroupVersionKind{Kind: "Pod", Group: "", Version: "v1"}
 	V1ServiceKind        = metav1.GroupVersionKind{Kind: "Service", Group: "", Version: "v1"}
 	V1beta1IngressKind   = metav1.GroupVersionKind{Kind: "Ingress", Group: "extensions", Version: "v1beta1"}
+	V1JobKind            = metav1.GroupVersionKind{Kind: "Job", Group: "batch", Version: "v1"}
 	V1RouteKind          = metav1.GroupVersionKind{Kind: "Route", Group: "route.openshift.io", Version: "v1"}
 )

webhook/workspace/mutate.go

@@ -45,7 +45,7 @@ func (m *ResourcesMutator) Handle(ctx context.Context, req admission.Request) ad
 				return m.MutatePodOnCreate(ctx, req)
 			case handler.AppsV1DeploymentKind:
 				return m.MutateDeploymentOnCreate(ctx, req)
-			case handler.V1ServiceKind, handler.V1beta1IngressKind, handler.V1RouteKind,
+			case handler.V1ServiceKind, handler.V1beta1IngressKind, handler.V1RouteKind, handler.V1JobKind,
 				handler.V1alpha1ComponentKind, handler.V1alpha1WorkspaceRoutingKind:
 
 				return m.HandleRestrictedAccessCreate(ctx, req)
@@ -62,7 +62,7 @@ func (m *ResourcesMutator) Handle(ctx context.Context, req admission.Request) ad
 				return m.MutatePodOnUpdate(ctx, req)
 			case handler.AppsV1DeploymentKind:
 				return m.MutateDeploymentOnUpdate(ctx, req)
-			case handler.V1ServiceKind, handler.V1beta1IngressKind, handler.V1RouteKind,
+			case handler.V1ServiceKind, handler.V1beta1IngressKind, handler.V1RouteKind, handler.V1JobKind,
 				handler.V1alpha1ComponentKind, handler.V1alpha1WorkspaceRoutingKind:
 
 				return m.HandleRestrictedAccessUpdate(ctx, req)

webhook/workspace/mutating_cfg.go

@@ -109,6 +109,14 @@ func BuildMutateWebhookCfg(namespace string) *v1beta1.MutatingWebhookConfigurati
 					Resources:   []string{"ingresses"},
 				},
 			},
+			{
+				Operations: []v1beta1.OperationType{v1beta1.Create, v1beta1.Update},
+				Rule: v1beta1.Rule{
+					APIGroups:   []string{"batch"},
+					APIVersions: []string{"v1"},
+					Resources:   []string{"jobs"},
+				},
+			},
 		},
 	}
 	// n.b. Routes do not get UserInfo.UID filled in webhooks for some reason