Merge pull request #2 from shipt/webhook-annotation

Only inject when an annotation is present on the pod
shipt · Nov 11, 2021 · 6ca7558 · 6ca7558
2 parents b43fe64 + 9a2ea6a
commit 6ca7558
Show file tree

Hide file tree

Showing 2 changed files with 66 additions and 0 deletions.
diff --git a/cmd/gtoken-webhook/main.go b/cmd/gtoken-webhook/main.go
@@ -44,6 +44,8 @@ const (
 	// AWS annotation key; used to annotate Kubernetes Service Account with AWS Role ARN
 	awsRoleArnKey = "amazonaws.com/role-arn"
 
+	annotationInjectKey = "gtoken.shipt.com/inject"
+
 	// AWS Web Identity Token ENV
 	awsWebIdentityTokenFile = "AWS_WEB_IDENTITY_TOKEN_FILE"
 	awsRoleArn              = "AWS_ROLE_ARN"
@@ -179,7 +181,28 @@ func (mw *mutatingWebhook) mutateContainers(containers []corev1.Container, roleA
 	return true
 }
 
+func (mw *mutatingWebhook) containsGtokenInjectAnnotation(annotations map[string]string, annotationKey string) bool {
+	value, ok := annotations[annotationKey]
+	if !ok {
+		return false
+	}
+
+	switch value {
+	case "y", "yes", "true", "on":
+		return true
+	}
+
+	return false
+}
+
 func (mw *mutatingWebhook) mutatePod(pod *corev1.Pod, ns string, dryRun bool) error {
+	shouldInject := mw.containsGtokenInjectAnnotation(pod.GetObjectMeta().GetAnnotations(), annotationInjectKey)
+
+	if !shouldInject {
+		logger.Debug(fmt.Sprintf("skipping pod without gtoken annotation: %s", pod.GetName()))
+		return nil
+	}
+
 	// get service account AWS Role ARN annotation
 	roleArn, ok, err := mw.getAwsRoleArn(pod.Spec.ServiceAccountName, ns)
 	if err != nil {

diff --git a/cmd/gtoken-webhook/main_test.go b/cmd/gtoken-webhook/main_test.go
@@ -187,6 +187,9 @@ func Test_mutatingWebhook_mutatePod(t *testing.T) {
 			},
 			args: args{
 				pod: &corev1.Pod{
+					ObjectMeta: metav1.ObjectMeta{
+						Annotations: map[string]string{annotationInjectKey: "true"},
+					},
 					Spec: corev1.PodSpec{
 						Containers: []corev1.Container{
 							{
@@ -202,6 +205,9 @@ func Test_mutatingWebhook_mutatePod(t *testing.T) {
 				annotations:        map[string]string{awsRoleArnKey: "arn:aws:iam::123456789012:role/testrole"},
 			},
 			wantedPod: &corev1.Pod{
+				ObjectMeta: metav1.ObjectMeta{
+					Annotations: map[string]string{annotationInjectKey: "true"},
+				},
 				Spec: corev1.PodSpec{
 					InitContainers: []corev1.Container{
 						{
@@ -275,6 +281,43 @@ func Test_mutatingWebhook_mutatePod(t *testing.T) {
 				},
 			},
 		},
+		{
+			name: "no annotation",
+			fields: fields{
+				image:      "doitintl/gtoken:test",
+				pullPolicy: "Always",
+				volumeName: "test-volume-name",
+				volumePath: "/test-volume-path",
+				tokenFile:  "test-token",
+			},
+			args: args{
+				pod: &corev1.Pod{
+					Spec: corev1.PodSpec{
+						Containers: []corev1.Container{
+							{
+								Name:  "TestContainer",
+								Image: "test-image",
+							},
+						},
+						ServiceAccountName: "test-sa",
+					},
+				},
+				ns:                 "test-namespace",
+				serviceAccountName: "test-sa",
+				annotations:        map[string]string{awsRoleArnKey: "arn:aws:iam::123456789012:role/testrole"},
+			},
+			wantedPod: &corev1.Pod{
+				Spec: corev1.PodSpec{
+					Containers: []corev1.Container{
+						{
+							Name:  "TestContainer",
+							Image: "test-image",
+						},
+					},
+					ServiceAccountName: "test-sa",
+				},
+			},
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {