initial webhook

erikgb · erikgb · commit 53d5f069e0d2 · 2023-06-16T20:48:35.000+02:00
diff --git a/config/webhook/manifests.yaml b/config/webhook/manifests.yaml
@@ -71,6 +71,28 @@ webhooks:
     resources:
     - hierarchyconfigurations
   sideEffects: None
+- admissionReviewVersions:
+  - v1
+  clientConfig:
+    service:
+      name: webhook-service
+      namespace: system
+      path: /validate-objects
+  failurePolicy: Fail
+  name: objects.hnc.x-k8s.io
+  rules:
+  - apiGroups:
+    - rbac.authorization.k8s.io
+    apiVersions:
+    - v1
+    operations:
+    - CREATE
+    - UPDATE
+    - DELETE
+    resources:
+    - roles
+    - rolebindings
+  sideEffects: None
 - admissionReviewVersions:
   - v1
   clientConfig:
diff --git a/internal/objects/validator.go b/internal/objects/validator.go
@@ -32,6 +32,12 @@ const (
 	ServingPath = "/validate-objects"
 )
 
+// Note: the validating webhook FAILS CLOSE. This means that if the webhook goes
+// down, all further changes are forbidden. The initial webhook configuration contains
+// just enforced types, and will be dynamically updated when reconciling the HNC configuration.
+//
+// +kubebuilder:webhook:admissionReviewVersions=v1,path=/validate-objects,mutating=false,failurePolicy=fail,groups="rbac.authorization.k8s.io",resources=roles;rolebindings,sideEffects=None,verbs=create;update;delete,versions=v1,name=objects.hnc.x-k8s.io
+
 type Validator struct {
 	Log     logr.Logger
 	Forest  *forest.Forest
