Add a knob to initiate webhook deletion checks for ip resources

cyclinder · cyclinder · commit 2705a2430d96 · 2025-02-21T15:22:31.000+08:00
Signed-off-by: Cyclinder Kuo &lt;kuocyclinder@gmail.com&gt;
diff --git a/charts/spiderpool/README.md b/charts/spiderpool/README.md
@@ -343,6 +343,7 @@ helm install spiderpool spiderpool/spiderpool --wait --namespace kube-system \
 | `spiderpoolController.healthChecking.readinessProbe.failureThreshold`           | the failure threshold of startup probe for spiderpoolController health checking                                                                                                                 | `3`                                                            |
 | `spiderpoolController.healthChecking.readinessProbe.periodSeconds`              | the period seconds of startup probe for spiderpoolController health checking                                                                                                                    | `10`                                                           |
 | `spiderpoolController.webhookPort`                                              | the http port for spiderpoolController webhook                                                                                                                                                  | `5722`                                                         |
+| `spiderpoolController.enableValidatingResourcesDeletedWebhook`                  | enable validating resources deleted webhook for spiderpoolController                                                                                                                            | `false`                                                        |
 | `spiderpoolController.podResourceInject.enabled`                                | enable pod resource inject                                                                                                                                                                      | `false`                                                        |
 | `spiderpoolController.podResourceInject.namespacesExclude`                      | exclude the namespaces of the pod resource inject                                                                                                                                               | `["kube-system","spiderpool","metallb-system","istio-system"]` |
 | `spiderpoolController.podResourceInject.namespacesInclude`                      | include the namespaces of the pod resource inject, empty means all namespaces but exclude the namespaces in namespacesExclude, not empty means only include the namespaces in namespacesInclude | `[]`                                                           |
diff --git a/charts/spiderpool/templates/configmap.yaml b/charts/spiderpool/templates/configmap.yaml
@@ -24,6 +24,7 @@ data:
     enableAutoPoolForApplication: {{ .Values.ipam.spiderSubnet.autoPool.enable }}
     enableIPConflictDetection: {{ .Values.ipam.enableIPConflictDetection }}
     enableGatewayDetection: {{ .Values.ipam.enableGatewayDetection }}
+    enableValidatingResourcesDeletedWebhook: {{ .Values.spiderpoolController.enableValidatingResourcesDeletedWebhook }}
     {{- if and .Values.ipam.spiderSubnet.enable .Values.ipam.spiderSubnet.autoPool.enable }}
     clusterSubnetDefaultFlexibleIPNumber: {{ .Values.ipam.spiderSubnet.autoPool.defaultRedundantIPNumber }}
     {{- else}}
diff --git a/charts/spiderpool/values.yaml b/charts/spiderpool/values.yaml
@@ -670,6 +670,9 @@ spiderpoolController:
   ## @param spiderpoolController.webhookPort the http port for spiderpoolController webhook
   webhookPort: 5722
 
+  ## @param spiderpoolController.enableValidatingResourcesDeletedWebhook enable validating resources deleted webhook for spiderpoolController
+  enableValidatingResourcesDeletedWebhook: false
+
   podResourceInject:
     ## @param spiderpoolController.podResourceInject.enabled enable pod resource inject
     enabled: false
diff --git a/cmd/spiderpool-controller/cmd/daemon.go b/cmd/spiderpool-controller/cmd/daemon.go
@@ -338,11 +338,12 @@ func initControllerServiceManagers(ctx context.Context) {
 
 	logger.Debug("Begin to set up IPPool webhook")
 	if err := (&ippoolmanager.IPPoolWebhook{
-		Client:             controllerContext.CRDManager.GetClient(),
-		APIReader:          controllerContext.CRDManager.GetAPIReader(),
-		EnableIPv4:         controllerContext.Cfg.EnableIPv4,
-		EnableIPv6:         controllerContext.Cfg.EnableIPv6,
-		EnableSpiderSubnet: controllerContext.Cfg.EnableSpiderSubnet,
+		Client:                                  controllerContext.CRDManager.GetClient(),
+		APIReader:                               controllerContext.CRDManager.GetAPIReader(),
+		EnableIPv4:                              controllerContext.Cfg.EnableIPv4,
+		EnableIPv6:                              controllerContext.Cfg.EnableIPv6,
+		EnableSpiderSubnet:                      controllerContext.Cfg.EnableSpiderSubnet,
+		EnableValidatingResourcesDeletedWebhook: controllerContext.Cfg.EnableValidatingResourcesDeletedWebhook,
 	}).SetupWebhookWithManager(controllerContext.CRDManager); err != nil {
 		logger.Fatal(err.Error())
 	}
@@ -368,10 +369,11 @@ func initControllerServiceManagers(ctx context.Context) {
 
 		logger.Debug("Begin to set up Subnet webhook")
 		if err := (&subnetmanager.SubnetWebhook{
-			Client:     controllerContext.CRDManager.GetClient(),
-			APIReader:  controllerContext.CRDManager.GetAPIReader(),
-			EnableIPv4: controllerContext.Cfg.EnableIPv4,
-			EnableIPv6: controllerContext.Cfg.EnableIPv6,
+			Client:                                  controllerContext.CRDManager.GetClient(),
+			APIReader:                               controllerContext.CRDManager.GetAPIReader(),
+			EnableIPv4:                              controllerContext.Cfg.EnableIPv4,
+			EnableIPv6:                              controllerContext.Cfg.EnableIPv6,
+			EnableValidatingResourcesDeletedWebhook: controllerContext.Cfg.EnableValidatingResourcesDeletedWebhook,
 		}).SetupWebhookWithManager(controllerContext.CRDManager); err != nil {
 			logger.Fatal(err.Error())
 		}
diff --git a/pkg/ippoolmanager/ippool_webhook.go b/pkg/ippoolmanager/ippool_webhook.go
@@ -6,6 +6,7 @@ package ippoolmanager
 import (
 	"context"
 	"errors"
+	"fmt"
 	"strings"
 
 	"go.uber.org/zap"
@@ -30,9 +31,10 @@ type IPPoolWebhook struct {
 	Client    client.Client
 	APIReader client.Reader
 
-	EnableIPv4         bool
-	EnableIPv6         bool
-	EnableSpiderSubnet bool
+	EnableIPv4                              bool
+	EnableIPv6                              bool
+	EnableSpiderSubnet                      bool
+	EnableValidatingResourcesDeletedWebhook bool
 }
 
 func (iw *IPPoolWebhook) SetupWebhookWithManager(mgr ctrl.Manager) error {
@@ -136,6 +138,10 @@ func (iw *IPPoolWebhook) ValidateUpdate(ctx context.Context, oldObj, newObj runt
 
 // ValidateDelete implements webhook.CustomValidator so a webhook will be registered for the type.
 func (iw *IPPoolWebhook) ValidateDelete(ctx context.Context, obj runtime.Object) (admission.Warnings, error) {
+	if !iw.EnableValidatingResourcesDeletedWebhook {
+		return nil, nil
+	}
+
 	ipPool := obj.(*spiderpoolv2beta1.SpiderIPPool)
 
 	logger := WebhookLogger.Named("Validating").With(
@@ -149,7 +155,7 @@ func (iw *IPPoolWebhook) ValidateDelete(ctx context.Context, obj runtime.Object)
 		return nil, apierrors.NewForbidden(
 			schema.GroupResource{Group: constant.SpiderpoolAPIGroup, Resource: "spiderippools"},
 			ipPool.Name,
-			errors.New("cannot delete an IPPool with allocated IPs"),
+			fmt.Errorf("cannot delete an IPPool with allocated IPs(%v)", *ipPool.Status.AllocatedIPCount),
 		)
 	}
 	return nil, nil
diff --git a/pkg/ippoolmanager/ippool_webhook_test.go b/pkg/ippoolmanager/ippool_webhook_test.go
@@ -2152,6 +2152,32 @@ var _ = Describe("IPPoolWebhook", Label("ippool_webhook_test"), func() {
 				Expect(err).NotTo(HaveOccurred())
 				Expect(warns).To(BeNil())
 			})
+
+			It("should allow deletion when EnableValidatingResourcesDeletedWebhook is false", func() {
+				ipPoolWebhook.EnableValidatingResourcesDeletedWebhook = false
+				warns, err := ipPoolWebhook.ValidateDelete(ctx, ipPoolT)
+				Expect(err).NotTo(HaveOccurred())
+				Expect(warns).To(BeNil())
+			})
+
+			It("should prevent deletion when IPPool has allocated IPs", func() {
+				ipPoolWebhook.EnableValidatingResourcesDeletedWebhook = true
+				allocatedIPs := int64(5)
+				ipPoolT.Status.AllocatedIPCount = &allocatedIPs
+				warns, err := ipPoolWebhook.ValidateDelete(ctx, ipPoolT)
+				Expect(err).To(HaveOccurred())
+				Expect(apierrors.IsForbidden(err)).To(BeTrue())
+				Expect(warns).To(BeNil())
+			})
+
+			It("should allow deletion when IPPool has no allocated IPs", func() {
+				ipPoolWebhook.EnableValidatingResourcesDeletedWebhook = true
+				allocatedIPs := int64(0)
+				ipPoolT.Status.AllocatedIPCount = &allocatedIPs
+				warns, err := ipPoolWebhook.ValidateDelete(ctx, ipPoolT)
+				Expect(err).NotTo(HaveOccurred())
+				Expect(warns).To(BeNil())
+			})
 		})
 	})
 })
diff --git a/pkg/podmanager/pod_manager_suite_test.go b/pkg/podmanager/pod_manager_suite_test.go
@@ -4,19 +4,19 @@
 package podmanager_test
 
 import (
+	"net/http"
 	"testing"
 
 	. "github.com/onsi/ginkgo/v2"
 	. "github.com/onsi/gomega"
+	"github.com/spidernet-io/spiderpool/pkg/podmanager"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	k8sscheme "k8s.io/client-go/kubernetes/scheme"
 	k8stesting "k8s.io/client-go/testing"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/client/fake"
-
-	"github.com/spidernet-io/spiderpool/pkg/podmanager"
 )
 
 var scheme *runtime.Scheme
@@ -58,4 +58,5 @@ var _ = BeforeSuite(func() {
 		fakeAPIReader,
 	)
 	Expect(err).NotTo(HaveOccurred())
+
 })
diff --git a/pkg/podmanager/pod_webhook.go b/pkg/podmanager/pod_webhook.go
@@ -30,7 +30,7 @@ type PodWebhook interface {
 	admission.CustomValidator
 }
 
-type podWebhook struct {
+type PWebhook struct {
 	spiderClient crdclientset.Interface
 }
 
@@ -46,7 +46,7 @@ func InitPodWebhook(mgr ctrl.Manager) error {
 		return err
 	}
 
-	pw := &podWebhook{
+	pw := &PWebhook{
 		spiderClient: spiderClient,
 	}
 
@@ -67,7 +67,7 @@ func InitPodWebhook(mgr ctrl.Manager) error {
 //   - obj: The runtime object (expected to be a Pod)
 //
 // Returns an error if defaulting fails.
-func (pw *podWebhook) Default(ctx context.Context, obj runtime.Object) error {
+func (pw *PWebhook) Default(ctx context.Context, obj runtime.Object) error {
 	logger := logutils.FromContext(ctx)
 	pod := obj.(*corev1.Pod)
 	mutateLogger := logger.Named("PodMutating").With(
@@ -97,18 +97,18 @@ func (pw *podWebhook) Default(ctx context.Context, obj runtime.Object) error {
 
 // ValidateCreate implements the validation webhook for pod creation.
 // Currently, it performs no validation and always returns nil.
-func (pw *podWebhook) ValidateCreate(ctx context.Context, obj runtime.Object) (admission.Warnings, error) {
+func (pw *PWebhook) ValidateCreate(ctx context.Context, obj runtime.Object) (admission.Warnings, error) {
 	return nil, nil
 }
 
 // ValidateUpdate implements the validation webhook for pod updates.
 // Currently, it performs no validation and always returns nil.
-func (pw *podWebhook) ValidateUpdate(ctx context.Context, oldObj, newObj runtime.Object) (admission.Warnings, error) {
+func (pw *PWebhook) ValidateUpdate(ctx context.Context, oldObj, newObj runtime.Object) (admission.Warnings, error) {
 	return nil, nil
 }
 
 // ValidateDelete implements the validation webhook for pod deletion.
 // Currently, it performs no validation and always returns nil.
-func (pw *podWebhook) ValidateDelete(ctx context.Context, obj runtime.Object) (admission.Warnings, error) {
+func (pw *PWebhook) ValidateDelete(ctx context.Context, obj runtime.Object) (admission.Warnings, error) {
 	return nil, nil
 }
diff --git a/pkg/podmanager/pod_webhook_test.go b/pkg/podmanager/pod_webhook_test.go
@@ -0,0 +1,72 @@
+// Copyright 2025 Authors of spidernet-io
+// SPDX-License-Identifier: Apache-2.0
+package podmanager_test
+
+// import (
+// 	"context"
+// 	"testing"
+
+// 	. "github.com/onsi/ginkgo/v2"
+// 	. "github.com/onsi/gomega"
+// 	"github.com/spidernet-io/spiderpool/pkg/podmanager"
+// 	corev1 "k8s.io/api/core/v1"
+// 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+// 	"k8s.io/client-go/rest"
+// 	"sigs.k8s.io/controller-runtime/pkg/client"
+// 	"sigs.k8s.io/controller-runtime/pkg/manager"
+// )
+
+// func TestPodWebhook(t *testing.T) {
+// 	RegisterFailHandler(Fail)
+// 	RunSpecs(t, "Pod Webhook Suite")
+// }
+
+// var _ = Describe("Pod Webhook", Label("pod_webhook_test"), func() {
+// 	var (
+// 		err error
+// 		mgr manager.Manager
+// 		ctx context.Context
+// 		pod *corev1.Pod
+// 	)
+
+// 	BeforeEach(func() {
+// 		// Create a new manager
+
+// 		mgr, err = manager.New(cfg, manager.Options{
+// 			NewClient: func(config *rest.Config, options client.Options) (client.Client, error) {
+// 				return nil, nil
+// 			},
+// 		})
+// 		Expect(err).NotTo(HaveOccurred())
+
+// 		pod = &corev1.Pod{
+// 			ObjectMeta: metav1.ObjectMeta{
+// 				Namespace:    "default",
+// 				GenerateName: "test-pod",
+// 				Annotations:  map[string]string{},
+// 			},
+// 		}
+// 	})
+
+// 	Context("InitPodWebhook", func() {
+// 		It("should initialize without error", func() {
+// 			err := podmanager.InitPodWebhook(mgr)
+// 			Expect(err).NotTo(HaveOccurred())
+// 		})
+// 	})
+
+// 	Context("Default", func() {
+// 		It("should not inject resources if no annotations are present", func() {
+// 			pw := &podmanager.PWebhook{}
+// 			err := pw.Default(ctx, pod)
+// 			Expect(err).NotTo(HaveOccurred())
+// 		})
+
+// 		It("should inject resources if annotations are present", func() {
+// 			pod.Annotations["spiderpool.io/pod-resource-inject"] = "true"
+// 			pw := podmanager.PWebhook{}
+// 			err := pw.Default(ctx, pod)
+// 			Expect(err).NotTo(HaveOccurred())
+// 		})
+// 	})
+// })
diff --git a/pkg/subnetmanager/subnet_webhook.go b/pkg/subnetmanager/subnet_webhook.go
@@ -6,6 +6,7 @@ package subnetmanager
 import (
 	"context"
 	"errors"
+	"fmt"
 	"strings"
 
 	"go.uber.org/zap"
@@ -30,8 +31,9 @@ type SubnetWebhook struct {
 	Client    client.Client
 	APIReader client.Reader
 
-	EnableIPv4 bool
-	EnableIPv6 bool
+	EnableIPv4                              bool
+	EnableIPv6                              bool
+	EnableValidatingResourcesDeletedWebhook bool
 }
 
 func (sw *SubnetWebhook) SetupWebhookWithManager(mgr ctrl.Manager) error {
@@ -135,6 +137,10 @@ func (sw *SubnetWebhook) ValidateUpdate(ctx context.Context, oldObj, newObj runt
 
 // ValidateDelete implements webhook.CustomValidator so a webhook will be registered for the type.
 func (sw *SubnetWebhook) ValidateDelete(ctx context.Context, obj runtime.Object) (admission.Warnings, error) {
+	if !sw.EnableValidatingResourcesDeletedWebhook {
+		return nil, nil
+	}
+
 	subnet := obj.(*spiderpoolv2beta1.SpiderSubnet)
 
 	logger := WebhookLogger.Named("Validating").With(
@@ -148,7 +154,7 @@ func (sw *SubnetWebhook) ValidateDelete(ctx context.Context, obj runtime.Object)
 		return nil, apierrors.NewForbidden(
 			schema.GroupResource{Group: constant.SpiderpoolAPIGroup, Resource: "spidersubnets"},
 			subnet.Name,
-			errors.New("cannot delete an Subnet with allocated IPs"),
+			fmt.Errorf("cannot delete an Subnet with allocated IPs(%v)", *subnet.Status.AllocatedIPCount),
 		)
 	}
 	return nil, nil
diff --git a/pkg/subnetmanager/subnet_webhook_test.go b/pkg/subnetmanager/subnet_webhook_test.go
@@ -1488,6 +1488,32 @@ var _ = Describe("SubnetWebhook", Label("subnet_webhook_test"), func() {
 				Expect(err).NotTo(HaveOccurred())
 				Expect(warns).To(BeNil())
 			})
+
+			It("should allow deletion when EnableValidatingResourcesDeletedWebhook is false", func() {
+				subnetWebhook.EnableValidatingResourcesDeletedWebhook = false
+				warns, err := subnetWebhook.ValidateDelete(ctx, subnetT)
+				Expect(err).NotTo(HaveOccurred())
+				Expect(warns).To(BeNil())
+			})
+
+			It("should prevent deletion when Subnet has allocated IPs", func() {
+				subnetWebhook.EnableValidatingResourcesDeletedWebhook = true
+				allocatedIPs := int64(5)
+				subnetT.Status.AllocatedIPCount = &allocatedIPs
+				warns, err := subnetWebhook.ValidateDelete(ctx, subnetT)
+				Expect(err).To(HaveOccurred())
+				Expect(apierrors.IsForbidden(err)).To(BeTrue())
+				Expect(warns).To(BeNil())
+			})
+
+			It("should allow deletion when Subnet has no allocated IPs", func() {
+				subnetWebhook.EnableValidatingResourcesDeletedWebhook = true
+				allocatedIPs := int64(0)
+				subnetT.Status.AllocatedIPCount = &allocatedIPs
+				warns, err := subnetWebhook.ValidateDelete(ctx, subnetT)
+				Expect(err).NotTo(HaveOccurred())
+				Expect(warns).To(BeNil())
+			})
 		})
 	})
 })
diff --git a/pkg/types/k8s.go b/pkg/types/k8s.go
@@ -121,6 +121,7 @@ type SpiderpoolConfigmapConfig struct {
 	EnableGatewayDetection                        bool                    `yaml:"enableGatewayDetection"`
 	ClusterSubnetAutoPoolDefaultRedundantIPNumber int                     `yaml:"clusterSubnetAutoPoolDefaultRedundantIPNumber"`
 	PodResourceInjectConfig                       PodResourceInjectConfig `yaml:"podResourceInject"`
+	EnableValidatingResourcesDeletedWebhook       bool                    `yaml:"enableValidatingResourcesDeletedWebhook"`
 }
 
 type PodResourceInjectConfig struct {
diff --git a/test/e2e/common/resourceclaim.go b/test/e2e/common/resourceclaim.go

Original file line number	Diff line number	Diff line change
`@@ -30,7 +30,7 @@ type PodWebhook interface {`
`30`	`30`	`admission.CustomValidator`
`31`	`31`	`}`
`32`	`32`
`33`		`-type podWebhook struct {`
	`33`	`+type PWebhook struct {`
`34`	`34`	`spiderClient crdclientset.Interface`
`35`	`35`	`}`
`36`	`36`
`@@ -46,7 +46,7 @@ func InitPodWebhook(mgr ctrl.Manager) error {`
`46`	`46`	`return err`
`47`	`47`	`}`
`48`	`48`
`49`		`- pw := &podWebhook{`
	`49`	`+ pw := &PWebhook{`
`50`	`50`	`spiderClient: spiderClient,`
`51`	`51`	`}`
`52`	`52`
`@@ -67,7 +67,7 @@ func InitPodWebhook(mgr ctrl.Manager) error {`
`67`	`67`	`// - obj: The runtime object (expected to be a Pod)`
`68`	`68`	`//`
`69`	`69`	`// Returns an error if defaulting fails.`
`70`		`-func (pw *podWebhook) Default(ctx context.Context, obj runtime.Object) error {`
	`70`	`+func (pw *PWebhook) Default(ctx context.Context, obj runtime.Object) error {`
`71`	`71`	`logger := logutils.FromContext(ctx)`
`72`	`72`	`pod := obj.(*corev1.Pod)`
`73`	`73`	`mutateLogger := logger.Named("PodMutating").With(`
`@@ -97,18 +97,18 @@ func (pw *podWebhook) Default(ctx context.Context, obj runtime.Object) error {`
`97`	`97`
`98`	`98`	`// ValidateCreate implements the validation webhook for pod creation.`
`99`	`99`	`// Currently, it performs no validation and always returns nil.`
`100`		`-func (pw *podWebhook) ValidateCreate(ctx context.Context, obj runtime.Object) (admission.Warnings, error) {`
	`100`	`+func (pw *PWebhook) ValidateCreate(ctx context.Context, obj runtime.Object) (admission.Warnings, error) {`
`101`	`101`	`return nil, nil`
`102`	`102`	`}`
`103`	`103`
`104`	`104`	`// ValidateUpdate implements the validation webhook for pod updates.`
`105`	`105`	`// Currently, it performs no validation and always returns nil.`
`106`		`-func (pw *podWebhook) ValidateUpdate(ctx context.Context, oldObj, newObj runtime.Object) (admission.Warnings, error) {`
	`106`	`+func (pw *PWebhook) ValidateUpdate(ctx context.Context, oldObj, newObj runtime.Object) (admission.Warnings, error) {`
`107`	`107`	`return nil, nil`
`108`	`108`	`}`
`109`	`109`
`110`	`110`	`// ValidateDelete implements the validation webhook for pod deletion.`
`111`	`111`	`// Currently, it performs no validation and always returns nil.`
`112`		`-func (pw *podWebhook) ValidateDelete(ctx context.Context, obj runtime.Object) (admission.Warnings, error) {`
	`112`	`+func (pw *PWebhook) ValidateDelete(ctx context.Context, obj runtime.Object) (admission.Warnings, error) {`
`113`	`113`	`return nil, nil`
`114`	`114`	`}`