├── .github ├── CONTRIBUTING.md ├── dependabot.yml └── workflows │ └── ci.yaml ├── .gitignore ├── LICENSE ├── README.md ├── build ├── Dockerfile └── DockerfileInitContainer ├── cmd ├── createcerts │ └── main.go └── nsnodeaffinity │ ├── main.go │ └── main_test.go ├── deployments ├── base │ ├── clusterrole.yaml │ ├── clusterrolebinding.yaml │ ├── deployment.yaml │ ├── kustomization.yaml │ ├── role.yaml │ ├── rolebinding.yaml │ ├── sa.yaml │ └── service.yaml └── overlays │ └── local │ ├── deployment.yaml │ └── kustomization.yaml ├── examples ├── example_namespaces.yaml ├── mutatingwebhookconfiguration.yaml ├── sample_configmap.yaml ├── sample_ignored_pod.yaml └── sample_pod.yaml ├── go.mod ├── go.sum ├── injector ├── injector.go └── injector_test.go ├── scripts ├── Makefile └── gofmt-check.sh └── webhookconfig ├── webhookconfig.go └── webhookconfig_test.go /.github/CONTRIBUTING.md: -------------------------------------------------------------------------------- 1 | # Contributing 2 | 3 | Thank you for your interest in contributing to the project! 4 | 5 | Contributions to this project are released to the public under the [Apache-2.0 License](https://github.com/idgenchev/namespace-node-affinity/blob/main/LICENSE). 6 | 7 | # Submitting a pull request 8 | 9 | * [Fork](https://github.com/idgenchev/namespace-node-affinity/fork) and clone the repository 10 | * Make sure you have [golang](https://golang.org/dl/) and [Docker](https://docs.docker.com/get-docker/) installed 11 | * Create a new branch: git checkout -b my-branch 12 | * Make your changes 13 | * `git push` to your fork and [submit a pull request](https://github.com/idgenchev/namespace-node-affinity/compare) :) 14 | * Make sure all the automated tests and checks (go lint, go vet, etc) have passed 15 | 16 | # Additional Resources 17 | 18 | * [How to Contribute to Open Source](https://opensource.guide/how-to-contribute/) 19 | * [Using Pull Requests](https://docs.github.com/en/github/collaborating-with-issues-and-pull-requests/about-pull-requests) 20 | -------------------------------------------------------------------------------- /.github/dependabot.yml: -------------------------------------------------------------------------------- 1 | # To get started with Dependabot version updates, you'll need to specify which 2 | # package ecosystems to update and where the package manifests are located. 3 | # Please see the documentation for all configuration options: 4 | # https://docs.github.com/github/administering-a-repository/configuration-options-for-dependency-updates 5 | 6 | version: 2 7 | updates: 8 | - package-ecosystem: "gomod" # See documentation for possible values 9 | directory: "/" # Location of package manifests 10 | schedule: 11 | interval: "monthly" 12 | -------------------------------------------------------------------------------- /.github/workflows/ci.yaml: -------------------------------------------------------------------------------- 1 | name: CI 2 | 3 | on: 4 | push: 5 | branches: 6 | - 'main' 7 | tags: 8 | - 'v*.*.*' 9 | pull_request: 10 | branches: 11 | - 'main' 12 | 13 | jobs: 14 | 15 | lint-and-test: 16 | runs-on: ubuntu-latest 17 | 18 | steps: 19 | - name: Checkout 20 | uses: actions/checkout@v3 21 | 22 | - name: Set up Go 23 | uses: actions/setup-go@v3 24 | with: 25 | go-version: '1.18.0' 26 | 27 | - name: Install dependencies 28 | run: go install golang.org/x/lint/golint@latest 29 | 30 | - name: Lint 31 | run: golint -set_exit_status ./... 32 | 33 | - name: Check gofmt 34 | run: ./scripts/gofmt-check.sh 35 | 36 | - name: Vet 37 | run: go vet ./... 38 | 39 | - name: Test 40 | run: go test -race -coverprofile=coverage.txt -covermode=atomic -v ./... 41 | 42 | - name: Upload Coverage 43 | uses: codecov/codecov-action@v2 44 | with: 45 | token: ${{ secrets.CODECOV_TOKEN }} 46 | files: coverage.txt 47 | flags: unittests 48 | fail_ci_if_error: true 49 | verbose: true 50 | 51 | build-and-push-docker-images: 52 | needs: lint-and-test 53 | if: ${{ github.event_name != 'pull_request' }} 54 | 55 | runs-on: ubuntu-latest 56 | 57 | steps: 58 | - name: Checkout 59 | uses: actions/checkout@v2 60 | 61 | - name: Docker meta 62 | id: meta 63 | uses: crazy-max/ghaction-docker-meta@v2 64 | with: 65 | images: | 66 | idgenchev/namespace-node-affinity 67 | flavor: | 68 | latest=true 69 | tags: | 70 | type=ref,event=branch 71 | type=semver,pattern={{version}} 72 | 73 | - name: Docker meta for the init container 74 | id: initmeta 75 | uses: crazy-max/ghaction-docker-meta@v2 76 | with: 77 | images: | 78 | idgenchev/namespace-node-affinity-init-container 79 | flavor: | 80 | latest=true 81 | tags: | 82 | type=ref,event=branch 83 | type=semver,pattern={{version}} 84 | 85 | - name: Set up QEMU 86 | uses: docker/setup-qemu-action@v1 87 | 88 | - name: Set up Docker Buildx 89 | uses: docker/setup-buildx-action@v1 90 | 91 | - name: Login to DockerHub 92 | uses: docker/login-action@v1 93 | with: 94 | username: ${{ secrets.DOCKERHUB_USERNAME }} 95 | password: ${{ secrets.DOCKERHUB_TOKEN }} 96 | 97 | - name: Build and push Webhook image 98 | uses: docker/build-push-action@v2 99 | with: 100 | context: . 101 | file: ./build/Dockerfile 102 | push: ${{ github.event_name != 'pull_request' }} 103 | platforms: linux/386,linux/amd64,linux/arm64 104 | tags: ${{ steps.meta.outputs.tags }} 105 | labels: ${{ steps.meta.outputs.labels }} 106 | 107 | - name: Build and push init container image 108 | uses: docker/build-push-action@v2 109 | with: 110 | context: . 111 | file: ./build/DockerfileInitContainer 112 | push: ${{ github.event_name != 'pull_request' }} 113 | platforms: linux/386,linux/amd64,linux/arm64 114 | tags: ${{ steps.initmeta.outputs.tags }} 115 | labels: ${{ steps.initmeta.outputs.labels }} 116 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | # Binaries for programs and plugins 2 | *.exe 3 | *.exe~ 4 | *.dll 5 | *.so 6 | *.dylib 7 | 8 | # Test binary, built with `go test -c` 9 | *.test 10 | 11 | # Output of the go coverage tool, specifically when used with LiteIDE 12 | *.out 13 | 14 | # Dependency directories (remove the comment below to include it) 15 | # vendor/ 16 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | Apache License 2 | Version 2.0, January 2004 3 | http://www.apache.org/licenses/ 4 | 5 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 6 | 7 | 1. Definitions. 8 | 9 | "License" shall mean the terms and conditions for use, reproduction, 10 | and distribution as defined by Sections 1 through 9 of this document. 11 | 12 | "Licensor" shall mean the copyright owner or entity authorized by 13 | the copyright owner that is granting the License. 14 | 15 | "Legal Entity" shall mean the union of the acting entity and all 16 | other entities that control, are controlled by, or are under common 17 | control with that entity. For the purposes of this definition, 18 | "control" means (i) the power, direct or indirect, to cause the 19 | direction or management of such entity, whether by contract or 20 | otherwise, or (ii) ownership of fifty percent (50%) or more of the 21 | outstanding shares, or (iii) beneficial ownership of such entity. 22 | 23 | "You" (or "Your") shall mean an individual or Legal Entity 24 | exercising permissions granted by this License. 25 | 26 | "Source" form shall mean the preferred form for making modifications, 27 | including but not limited to software source code, documentation 28 | source, and configuration files. 29 | 30 | "Object" form shall mean any form resulting from mechanical 31 | transformation or translation of a Source form, including but 32 | not limited to compiled object code, generated documentation, 33 | and conversions to other media types. 34 | 35 | "Work" shall mean the work of authorship, whether in Source or 36 | Object form, made available under the License, as indicated by a 37 | copyright notice that is included in or attached to the work 38 | (an example is provided in the Appendix below). 39 | 40 | "Derivative Works" shall mean any work, whether in Source or Object 41 | form, that is based on (or derived from) the Work and for which the 42 | editorial revisions, annotations, elaborations, or other modifications 43 | represent, as a whole, an original work of authorship. For the purposes 44 | of this License, Derivative Works shall not include works that remain 45 | separable from, or merely link (or bind by name) to the interfaces of, 46 | the Work and Derivative Works thereof. 47 | 48 | "Contribution" shall mean any work of authorship, including 49 | the original version of the Work and any modifications or additions 50 | to that Work or Derivative Works thereof, that is intentionally 51 | submitted to Licensor for inclusion in the Work by the copyright owner 52 | or by an individual or Legal Entity authorized to submit on behalf of 53 | the copyright owner. For the purposes of this definition, "submitted" 54 | means any form of electronic, verbal, or written communication sent 55 | to the Licensor or its representatives, including but not limited to 56 | communication on electronic mailing lists, source code control systems, 57 | and issue tracking systems that are managed by, or on behalf of, the 58 | Licensor for the purpose of discussing and improving the Work, but 59 | excluding communication that is conspicuously marked or otherwise 60 | designated in writing by the copyright owner as "Not a Contribution." 61 | 62 | "Contributor" shall mean Licensor and any individual or Legal Entity 63 | on behalf of whom a Contribution has been received by Licensor and 64 | subsequently incorporated within the Work. 65 | 66 | 2. Grant of Copyright License. Subject to the terms and conditions of 67 | this License, each Contributor hereby grants to You a perpetual, 68 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 69 | copyright license to reproduce, prepare Derivative Works of, 70 | publicly display, publicly perform, sublicense, and distribute the 71 | Work and such Derivative Works in Source or Object form. 72 | 73 | 3. Grant of Patent License. Subject to the terms and conditions of 74 | this License, each Contributor hereby grants to You a perpetual, 75 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 76 | (except as stated in this section) patent license to make, have made, 77 | use, offer to sell, sell, import, and otherwise transfer the Work, 78 | where such license applies only to those patent claims licensable 79 | by such Contributor that are necessarily infringed by their 80 | Contribution(s) alone or by combination of their Contribution(s) 81 | with the Work to which such Contribution(s) was submitted. If You 82 | institute patent litigation against any entity (including a 83 | cross-claim or counterclaim in a lawsuit) alleging that the Work 84 | or a Contribution incorporated within the Work constitutes direct 85 | or contributory patent infringement, then any patent licenses 86 | granted to You under this License for that Work shall terminate 87 | as of the date such litigation is filed. 88 | 89 | 4. Redistribution. You may reproduce and distribute copies of the 90 | Work or Derivative Works thereof in any medium, with or without 91 | modifications, and in Source or Object form, provided that You 92 | meet the following conditions: 93 | 94 | (a) You must give any other recipients of the Work or 95 | Derivative Works a copy of this License; and 96 | 97 | (b) You must cause any modified files to carry prominent notices 98 | stating that You changed the files; and 99 | 100 | (c) You must retain, in the Source form of any Derivative Works 101 | that You distribute, all copyright, patent, trademark, and 102 | attribution notices from the Source form of the Work, 103 | excluding those notices that do not pertain to any part of 104 | the Derivative Works; and 105 | 106 | (d) If the Work includes a "NOTICE" text file as part of its 107 | distribution, then any Derivative Works that You distribute must 108 | include a readable copy of the attribution notices contained 109 | within such NOTICE file, excluding those notices that do not 110 | pertain to any part of the Derivative Works, in at least one 111 | of the following places: within a NOTICE text file distributed 112 | as part of the Derivative Works; within the Source form or 113 | documentation, if provided along with the Derivative Works; or, 114 | within a display generated by the Derivative Works, if and 115 | wherever such third-party notices normally appear. The contents 116 | of the NOTICE file are for informational purposes only and 117 | do not modify the License. You may add Your own attribution 118 | notices within Derivative Works that You distribute, alongside 119 | or as an addendum to the NOTICE text from the Work, provided 120 | that such additional attribution notices cannot be construed 121 | as modifying the License. 122 | 123 | You may add Your own copyright statement to Your modifications and 124 | may provide additional or different license terms and conditions 125 | for use, reproduction, or distribution of Your modifications, or 126 | for any such Derivative Works as a whole, provided Your use, 127 | reproduction, and distribution of the Work otherwise complies with 128 | the conditions stated in this License. 129 | 130 | 5. Submission of Contributions. Unless You explicitly state otherwise, 131 | any Contribution intentionally submitted for inclusion in the Work 132 | by You to the Licensor shall be under the terms and conditions of 133 | this License, without any additional terms or conditions. 134 | Notwithstanding the above, nothing herein shall supersede or modify 135 | the terms of any separate license agreement you may have executed 136 | with Licensor regarding such Contributions. 137 | 138 | 6. Trademarks. This License does not grant permission to use the trade 139 | names, trademarks, service marks, or product names of the Licensor, 140 | except as required for reasonable and customary use in describing the 141 | origin of the Work and reproducing the content of the NOTICE file. 142 | 143 | 7. Disclaimer of Warranty. Unless required by applicable law or 144 | agreed to in writing, Licensor provides the Work (and each 145 | Contributor provides its Contributions) on an "AS IS" BASIS, 146 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 147 | implied, including, without limitation, any warranties or conditions 148 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A 149 | PARTICULAR PURPOSE. You are solely responsible for determining the 150 | appropriateness of using or redistributing the Work and assume any 151 | risks associated with Your exercise of permissions under this License. 152 | 153 | 8. Limitation of Liability. In no event and under no legal theory, 154 | whether in tort (including negligence), contract, or otherwise, 155 | unless required by applicable law (such as deliberate and grossly 156 | negligent acts) or agreed to in writing, shall any Contributor be 157 | liable to You for damages, including any direct, indirect, special, 158 | incidental, or consequential damages of any character arising as a 159 | result of this License or out of the use or inability to use the 160 | Work (including but not limited to damages for loss of goodwill, 161 | work stoppage, computer failure or malfunction, or any and all 162 | other commercial damages or losses), even if such Contributor 163 | has been advised of the possibility of such damages. 164 | 165 | 9. Accepting Warranty or Additional Liability. While redistributing 166 | the Work or Derivative Works thereof, You may choose to offer, 167 | and charge a fee for, acceptance of support, warranty, indemnity, 168 | or other liability obligations and/or rights consistent with this 169 | License. However, in accepting such obligations, You may act only 170 | on Your own behalf and on Your sole responsibility, not on behalf 171 | of any other Contributor, and only if You agree to indemnify, 172 | defend, and hold each Contributor harmless for any liability 173 | incurred by, or claims asserted against, such Contributor by reason 174 | of your accepting any such warranty or additional liability. 175 | 176 | END OF TERMS AND CONDITIONS 177 | 178 | APPENDIX: How to apply the Apache License to your work. 179 | 180 | To apply the Apache License to your work, attach the following 181 | boilerplate notice, with the fields enclosed by brackets "[]" 182 | replaced with your own identifying information. (Don't include 183 | the brackets!) The text should be enclosed in the appropriate 184 | comment syntax for the file format. We also recommend that a 185 | file or class name and description of purpose be included on the 186 | same "printed page" as the copyright notice for easier 187 | identification within third-party archives. 188 | 189 | Copyright [yyyy] [name of copyright owner] 190 | 191 | Licensed under the Apache License, Version 2.0 (the "License"); 192 | you may not use this file except in compliance with the License. 193 | You may obtain a copy of the License at 194 | 195 | http://www.apache.org/licenses/LICENSE-2.0 196 | 197 | Unless required by applicable law or agreed to in writing, software 198 | distributed under the License is distributed on an "AS IS" BASIS, 199 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 200 | See the License for the specific language governing permissions and 201 | limitations under the License. 202 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | ![CI](https://github.com/idgenchev/namespace-node-affinity/actions/workflows/ci.yaml/badge.svg?branch=main) 2 | [![Go Report Card](https://goreportcard.com/badge/github.com/idgenchev/namespace-node-affinity)](https://goreportcard.com/report/github.com/idgenchev/namespace-node-affinity) 3 | [![codecov](https://codecov.io/gh/idgenchev/namespace-node-affinity/branch/main/graph/badge.svg?token=MEIA879BHX)](https://codecov.io/gh/idgenchev/namespace-node-affinity) 4 | 5 | # Namespace Node Affinity 6 | 7 | Namespace Node Affinity is a Kubernetes mutating webhook which provides the ability to define node affinity and/or tolerations for pods on a namespace level. 8 | 9 | It is a replacement for the [PodNodeSelector](https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#podnodeselector) admission controller and it is useful when using a managed k8s control plane such as [GKE](https://cloud.google.com/kubernetes-engine) or [EKS](https://aws.amazon.com/eks) where you do not have the ability to enable additional admission controller plugins and the [PodNodeSelector](https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#podnodeselector) might not be available. The only admission controller plugin required to run the namespace-node-affinity mutating webhook is the `MutatingAdmissionWebhook` which is already enabled on most managed Kubernetes services such as [EKS](https://docs.aws.amazon.com/eks/latest/userguide/platform-versions.html). 10 | 11 | It might still be useful on [AKS](https://azure.microsoft.com/en-gb/services/kubernetes-service/) where the [PodNodeSelector](https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#podnodeselector) admission controller is [readily available](https://docs.microsoft.com/en-us/azure/aks/faq#what-kubernetes-admission-controllers-does-aks-support-can-admission-controllers-be-added-or-removed) as using `namespace-node-affinity` allows a litte bit more flexibility than the node selector by allowing you to set node affinity (only `requiredDuringSchedulingIgnoredDuringExecution` is supported for now) for all pods in the namespace. 12 | 13 | # Deployment 14 | 15 | The easiest way to deploy the namespace-node-affinity mutating webhook is to apply the kustomizations in the `deployments` directory: 16 | ``` 17 | kubectl apply -k deployments/base 18 | ``` 19 | 20 | This will create the following: 21 | * namespace-node-affinity ServiceAccount 22 | * namespace-node-affinity Role 23 | * namespace-node-affinity RoleBinding 24 | * namespace-node-affinity ClusterRole 25 | * namespace-node-affinity ClusterRoleBinding 26 | * namespace-node-affinity Service 27 | * namespace-node-affinity Deployment 28 | 29 | > Note that this will use the latest images on [Docker Hub](https://hub.docker.com/repository/docker/idgenchev/namespace-node-affinity). If you like to use a specific tag you can use the kustomizations in [deployments](/deployments/) as base and override the images in the Deployment with the desired tag. 30 | 31 | The Deployment includes an init container which generates a CA and a certificate and key pair for the webhook server and will create/update the MutatingWebhookConfiguration with the generated CA bundle which will be loaded by the Kubernetes API server and used to verify the serving certificates of the namespace-node-affinity mutating webhook. Using this init container allows for a quick and easy deployment of the namespace-node-affinity webhook, but is not recommended for production. For production use it is recommended to use a tool such as [cert-manager](https://cert-manager.io) to manage the certificates for the namespace-node-affinity mutating webhook. 32 | 33 | Docker images for the webhook are available for multiple platforms [here](https://hub.docker.com/repository/docker/idgenchev/namespace-node-affinity). Images for the init container are available [here](https://hub.docker.com/repository/docker/idgenchev/namespace-node-affinity-init-container). 34 | 35 | # Required Permissions 36 | 37 | The namespace-node-affinity webhook requires `get` permissions for `configmaps` in the namespace where the centralised config is deployed. 38 | 39 | The init container (if used) requires `get`, `create` and `update` for `mutatingwebhookconfigurations` in the `admissionregistration.k8s.io` api group to create or update the MutatingWebhookConfiguration. 40 | 41 | The `Role` and `ClusterRole` included in [deployments](/deployments/) already include all of the required permissions and the supplied `RoleBinding` and `ClusterRoleBinding` binds the `Role` and `ClusterRole` to the `ServiceAccount` used by the webhook. 42 | 43 | # Configuration 44 | 45 | To enable the namespace-node-affinity mutating webhook on a namespace you simply have to label the namespace with `namespace-node-affinity=enabled`. 46 | ``` 47 | kubectl label ns my-namespace namespace-node-affinity=enabled 48 | ``` 49 | 50 | Each namespace with the `namespace-node-affinity=enabled` label will also need an entry in the `ConfigMap` where the configuration for the webhook is stored. The config for each namespace can be in either JSON or YAML format and must have at least one of `nodeSelectorTerms` or `tolerations`. The `nodeSelectorTerms` from the config will be added as `requiredDuringSchedulingIgnoredDuringExecution` node affinity type to each pod that is created in the labeled namespace. An example configuration can be found in [examples/sample_configmap.yaml](/examples/sample_configmap.yaml). 51 | 52 | More information on how node affinity works can be found [here](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity). 53 | More information on how taints and tolerations work can be found [here](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/). 54 | 55 | # Failure Modes 56 | 57 | When using the provided init container to create the mutating webhook configuration, the namespace-node-affinity mutating webhook will fail silently so pods can still be created on the cluster if the webhook has been misconfigured. The affected namespace can be seen in the `AdmissionReview.Namespace`. 58 | 59 | * Missing `namespace-node-affinity` `ConfigMap` 60 | ``` 61 | time="2021-04-10T09:35:06Z" level=info msg="Received AdmissionReview: {...} 62 | time="2021-04-10T09:35:06Z" level=error msg="missing configuration: configmaps \"namespace-node-affinity\" not found" 63 | ``` 64 | 65 | * Missing entry for the namespace in the `ConfigMap` 66 | ``` 67 | time="2021-09-03T17:32:16Z" level=info msg="Received AdmissionReview: {...} 68 | time="2021-09-03T17:32:16Z" level=error msg="missing configuration: for testing-ns-e" 69 | ``` 70 | 71 | * Both `nodeSelectorTerms` and `tolerations` are missing from the entry for the namespace in the `ConfigMap` 72 | ``` 73 | time="2021-09-03T17:38:46Z" level=info msg="Received AdmissionReview: {...} 74 | time="2021-09-03T17:38:46Z" level=error msg="invalid configuration: at least one of nodeSelectorTerms or tolerations needs to be specified for testing-ns-d" 75 | ``` 76 | 77 | * Invalid `nodeSelectorTerms` or `tolerations` in the `namespace-node-affinity` `ConfigMap` 78 | ``` 79 | time="2021-04-10T09:40:59Z" level=info msg="Received AdmissionReview: {...} 80 | time="2021-04-10T09:40:59Z" level=error msg="invalid configuration: error unmarshaling JSON: while decoding JSON: json: cannot unmarshal string into Go struct field NamespaceConfig.nodeSelectorTerms of type []v1.NodeSelectorTerm" 81 | ``` 82 | 83 | # Contributing 84 | 85 | Want to contribute? Awesome! The easiest way to show your support is to star the project, or to raise issues. If you want to open a pull request, please follow the [contributing guidelines](/.github/CONTRIBUTING.md). 86 | 87 | Thanks for your support, it is much appreciated! 88 | 89 | # License 90 | 91 | Apache-2.0. See LICENSE for more details. 92 | -------------------------------------------------------------------------------- /build/Dockerfile: -------------------------------------------------------------------------------- 1 | # Builder 2 | FROM golang:1.21.9-alpine3.19 as builder 3 | 4 | COPY . ./app 5 | 6 | WORKDIR ./app 7 | 8 | RUN go mod download 9 | 10 | RUN export GO111MODULE=on 11 | 12 | RUN apk add --no-cache gcc musl-dev libc6-compat 13 | 14 | RUN go build -ldflags "-linkmode external -extldflags -static" -o /namespace-node-affinity cmd/nsnodeaffinity/main.go 15 | 16 | # Webhook 17 | FROM scratch 18 | 19 | EXPOSE 8443 20 | 21 | COPY --from=builder /namespace-node-affinity /namespace-node-affinity 22 | 23 | ENTRYPOINT ["/namespace-node-affinity"] 24 | -------------------------------------------------------------------------------- /build/DockerfileInitContainer: -------------------------------------------------------------------------------- 1 | # Builder 2 | FROM golang:1.21.9-alpine3.19 as builder 3 | 4 | COPY . ./app 5 | 6 | WORKDIR ./app 7 | 8 | RUN go mod download 9 | 10 | RUN export GO111MODULE=on 11 | 12 | RUN apk add --no-cache gcc musl-dev libc6-compat 13 | 14 | RUN go build -ldflags "-linkmode external -extldflags -static" -o /create-certs cmd/createcerts/main.go 15 | 16 | # CreateCerts 17 | FROM scratch 18 | 19 | EXPOSE 8443 20 | 21 | COPY --from=builder /create-certs /create-certs 22 | 23 | ENTRYPOINT ["/create-certs"] 24 | -------------------------------------------------------------------------------- /cmd/createcerts/main.go: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | import ( 4 | "bytes" 5 | cryptorand "crypto/rand" 6 | "crypto/rsa" 7 | "crypto/x509" 8 | "crypto/x509/pkix" 9 | "encoding/pem" 10 | "fmt" 11 | "math/big" 12 | "os" 13 | "path/filepath" 14 | "time" 15 | 16 | log "github.com/sirupsen/logrus" 17 | 18 | "github.com/idgenchev/namespace-node-affinity/webhookconfig" 19 | "github.com/jessevdk/go-flags" 20 | k8sclient "k8s.io/client-go/kubernetes" 21 | "k8s.io/client-go/rest" 22 | ) 23 | 24 | var opts struct { 25 | Namespace string `long:"namespace" short:"n" env:"NAMESPACE" default:"namespace-node-affinity" description:"The namespace where the namespace-node-affinity webhook is deployed"` 26 | ServiceName string `long:"service-name" short:"s" env:"SERVICE_NAME" default:"namespace-node-affinity" description:"Name of the service object for the namespace-node-affinity"` 27 | CertFile string `lond:"cert" short:"c" env:"CERT" default:"/etc/webhook/certs/tls.crt" description:"Path to the cert file"` 28 | KeyFile string `lond:"key" short:"k" env:"KEY" default:"/etc/webhook/certs/tls.key" description:"Path to the key file"` 29 | } 30 | 31 | const ( 32 | webhookConfigName = "namespace-node-affinity" 33 | ) 34 | 35 | func main() { 36 | flags.Parse(&opts) 37 | 38 | var caPEM, serverCertPEM, serverPrivKeyPEM *bytes.Buffer 39 | // CA config 40 | ca := &x509.Certificate{ 41 | SerialNumber: big.NewInt(2020), 42 | Subject: pkix.Name{ 43 | Organization: []string{"idgenchev"}, 44 | }, 45 | NotBefore: time.Now(), 46 | NotAfter: time.Now().AddDate(1, 0, 0), 47 | IsCA: true, 48 | ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth}, 49 | KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign, 50 | BasicConstraintsValid: true, 51 | } 52 | 53 | // CA private key 54 | caPrivKey, err := rsa.GenerateKey(cryptorand.Reader, 4096) 55 | if err != nil { 56 | log.Fatalf("Failed to generate CA private key: %s", err) 57 | } 58 | 59 | // Self signed CA certificate 60 | caBytes, err := x509.CreateCertificate(cryptorand.Reader, ca, ca, &caPrivKey.PublicKey, caPrivKey) 61 | if err != nil { 62 | log.Fatalf("Failed to create self-signed CA cert: %s", err) 63 | } 64 | 65 | // PEM encode CA cert 66 | caPEM = new(bytes.Buffer) 67 | _ = pem.Encode(caPEM, &pem.Block{ 68 | Type: "CERTIFICATE", 69 | Bytes: caBytes, 70 | }) 71 | 72 | config, err := rest.InClusterConfig() 73 | if err != nil { 74 | log.Fatalf("Failed to create k8s config: %s", err) 75 | } 76 | 77 | clientset, err := k8sclient.NewForConfig(config) 78 | if err != nil { 79 | log.Fatalf("Failed to create k8s client: %s", err) 80 | } 81 | 82 | if err = webhookconfig.CreateOrUpdateMutatingWebhookConfig(clientset, caPEM, opts.Namespace, webhookConfigName, opts.ServiceName); err != nil { 83 | log.Fatalf("Failed to create mutating webhook config: %s", err) 84 | } 85 | 86 | commonName := fmt.Sprintf("%s.%s.svc", opts.ServiceName, opts.Namespace) 87 | dnsNames := []string{ 88 | opts.ServiceName, 89 | fmt.Sprintf("%s.%s", opts.ServiceName, opts.Namespace), 90 | commonName, 91 | fmt.Sprintf("%s.%s.svc.cluster.local", opts.ServiceName, opts.Namespace), 92 | } 93 | 94 | // server cert config 95 | cert := &x509.Certificate{ 96 | DNSNames: dnsNames, 97 | SerialNumber: big.NewInt(1658), 98 | Subject: pkix.Name{ 99 | CommonName: commonName, 100 | Organization: []string{"idgenchev"}, 101 | }, 102 | NotBefore: time.Now(), 103 | NotAfter: time.Now().AddDate(1, 0, 0), 104 | SubjectKeyId: []byte{1, 2, 3, 4, 6}, 105 | ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth}, 106 | KeyUsage: x509.KeyUsageDigitalSignature, 107 | } 108 | 109 | // server private key 110 | serverPrivKey, err := rsa.GenerateKey(cryptorand.Reader, 4096) 111 | if err != nil { 112 | log.Fatalf("Failed to generate server private key: %s", err) 113 | } 114 | 115 | // sign the server cert 116 | serverCertBytes, err := x509.CreateCertificate(cryptorand.Reader, cert, ca, &serverPrivKey.PublicKey, caPrivKey) 117 | if err != nil { 118 | log.Fatalf("Failed to create server cert: %s", err) 119 | } 120 | 121 | // PEM encode the server cert and key 122 | serverCertPEM = new(bytes.Buffer) 123 | _ = pem.Encode(serverCertPEM, &pem.Block{ 124 | Type: "CERTIFICATE", 125 | Bytes: serverCertBytes, 126 | }) 127 | 128 | serverPrivKeyPEM = new(bytes.Buffer) 129 | _ = pem.Encode(serverPrivKeyPEM, &pem.Block{ 130 | Type: "RSA PRIVATE KEY", 131 | Bytes: x509.MarshalPKCS1PrivateKey(serverPrivKey), 132 | }) 133 | 134 | err = writeFile(opts.CertFile, serverCertPEM) 135 | if err != nil { 136 | log.Fatalf("Failed to write certificate: %s", err) 137 | } 138 | 139 | err = writeFile(opts.KeyFile, serverPrivKeyPEM) 140 | if err != nil { 141 | log.Fatalf("Failed to write key: %s", err) 142 | } 143 | } 144 | 145 | func writeFile(path string, sCert *bytes.Buffer) error { 146 | err := os.MkdirAll(filepath.Dir(path), 0666) 147 | if err != nil { 148 | return err 149 | } 150 | 151 | f, err := os.Create(path) 152 | if err != nil { 153 | return err 154 | } 155 | defer f.Close() 156 | 157 | _, err = f.Write(sCert.Bytes()) 158 | if err != nil { 159 | return err 160 | } 161 | return nil 162 | } 163 | -------------------------------------------------------------------------------- /cmd/nsnodeaffinity/main.go: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | import ( 4 | "fmt" 5 | "io/ioutil" 6 | "k8s.io/client-go/tools/clientcmd" 7 | "net/http" 8 | "time" 9 | 10 | "github.com/idgenchev/namespace-node-affinity/injector" 11 | 12 | "github.com/jessevdk/go-flags" 13 | "github.com/prometheus/client_golang/prometheus/promhttp" 14 | log "github.com/sirupsen/logrus" 15 | k8sclient "k8s.io/client-go/kubernetes" 16 | "k8s.io/client-go/rest" 17 | ) 18 | 19 | var opts struct { 20 | Port int `long:"port" short:"p" env:"PORT" default:"8443" description:"The port on which to serve."` 21 | ReadTimeout time.Duration `long:"read-timeout" default:"10s" description:"Read timeout"` 22 | WriteTimeout time.Duration `long:"write-timeout" default:"10s" description:"Write timeout"` 23 | CertFile string `lond:"cert" short:"c" env:"CERT" default:"/etc/webhook/certs/tls.crt" description:"Path to the cert file"` 24 | KeyFile string `lond:"key" short:"k" env:"KEY" default:"/etc/webhook/certs/tls.key" description:"Path to the key file"` 25 | Namespace string `long:"namespace" short:"n" env:"NAMESPACE" description:"The namespace where the configmap is deployed"` 26 | ConfigMapName string `long:"config-map-name" short:"m" env:"CONFIG_MAP_NAME" default:"namespace-node-affinity" description:"Name of the configm map containing the node selector terms to be applied to every pod on creation."` 27 | KubeConfig string `long:"kubeconfig" default:"" description:"Path to a kubeconfig file, if running external to a kubernets cluster for testing"` 28 | } 29 | 30 | type injectorInterface interface { 31 | Mutate(body []byte) ([]byte, error) 32 | } 33 | 34 | type handler struct { 35 | injector injectorInterface 36 | } 37 | 38 | func (h *handler) mutate(w http.ResponseWriter, r *http.Request) { 39 | body, err := ioutil.ReadAll(r.Body) 40 | defer r.Body.Close() 41 | 42 | if err != nil { 43 | log.Errorf("error reading request: %s", err) 44 | w.WriteHeader(http.StatusInternalServerError) 45 | fmt.Fprintf(w, "%s", err) 46 | } 47 | 48 | mutated, err := h.injector.Mutate(body) 49 | if err != nil { 50 | log.Error(err) 51 | w.WriteHeader(http.StatusInternalServerError) 52 | fmt.Fprintf(w, "%s", err) 53 | } 54 | 55 | w.WriteHeader(http.StatusOK) 56 | w.Write(mutated) 57 | } 58 | 59 | func main() { 60 | flags.Parse(&opts) 61 | 62 | mux := http.NewServeMux() 63 | 64 | var config = &rest.Config{} 65 | 66 | if opts.KubeConfig == "" { 67 | _config, err := rest.InClusterConfig() 68 | if err != nil { 69 | log.Fatalf("Failed to create k8s config: %s", err) 70 | } 71 | config = _config 72 | } else { 73 | _config, err := clientcmd.BuildConfigFromFlags("", opts.KubeConfig) 74 | if err != nil { 75 | panic(err.Error()) 76 | } 77 | config = _config 78 | } 79 | 80 | clientset, err := k8sclient.NewForConfig(config) 81 | if err != nil { 82 | log.Fatalf("Failed to create k8s client: %s", err) 83 | } 84 | 85 | h := handler{ 86 | injector.NewInjector(clientset, opts.Namespace, opts.ConfigMapName), 87 | } 88 | mux.HandleFunc("/mutate", h.mutate) 89 | 90 | mux.Handle("/metrics", promhttp.Handler()) 91 | 92 | s := &http.Server{ 93 | Addr: fmt.Sprintf(":%d", opts.Port), 94 | Handler: mux, 95 | ReadTimeout: opts.ReadTimeout, 96 | WriteTimeout: opts.WriteTimeout, 97 | MaxHeaderBytes: 1 << 20, // 1048576; 1MiB 98 | } 99 | 100 | log.Fatal(s.ListenAndServeTLS(opts.CertFile, opts.KeyFile)) 101 | } 102 | -------------------------------------------------------------------------------- /cmd/nsnodeaffinity/main_test.go: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | import ( 4 | "errors" 5 | "net/http" 6 | "net/http/httptest" 7 | "strings" 8 | "testing" 9 | 10 | "github.com/stretchr/testify/assert" 11 | ) 12 | 13 | var ( 14 | readerErr = "reader error" 15 | mutateErr = "mutate error" 16 | ) 17 | 18 | type FakeInjector struct { 19 | body []byte 20 | err error 21 | } 22 | 23 | func (f *FakeInjector) Mutate(body []byte) ([]byte, error) { 24 | return f.body, f.err 25 | } 26 | 27 | type errReader struct { 28 | } 29 | 30 | func (r errReader) Read(p []byte) (n int, err error) { 31 | return 0, errors.New(readerErr) 32 | } 33 | 34 | func TestMutateWithRequestError(t *testing.T) { 35 | t.Parallel() 36 | 37 | h := handler{ 38 | injector: &FakeInjector{}, 39 | } 40 | 41 | req := httptest.NewRequest(http.MethodPost, "/mutate", errReader{}) 42 | rec := httptest.NewRecorder() 43 | 44 | h.mutate(rec, req) 45 | 46 | assert.Equal(t, http.StatusInternalServerError, rec.Code) 47 | assert.Equal(t, readerErr, rec.Body.String()) 48 | } 49 | 50 | func TestMutateWithMutatorError(t *testing.T) { 51 | t.Parallel() 52 | 53 | h := handler{ 54 | injector: &FakeInjector{ 55 | err: errors.New(mutateErr), 56 | }, 57 | } 58 | 59 | rdr := strings.NewReader("testing") 60 | req := httptest.NewRequest(http.MethodPost, "/mutate", rdr) 61 | rec := httptest.NewRecorder() 62 | 63 | h.mutate(rec, req) 64 | 65 | assert.Equal(t, http.StatusInternalServerError, rec.Code) 66 | assert.Equal(t, mutateErr, rec.Body.String()) 67 | } 68 | 69 | func TestMutate(t *testing.T) { 70 | t.Parallel() 71 | 72 | h := handler{ 73 | injector: &FakeInjector{ 74 | body: []byte("test"), 75 | }, 76 | } 77 | 78 | rdr := strings.NewReader("testing") 79 | req := httptest.NewRequest(http.MethodPost, "/mutate", rdr) 80 | rec := httptest.NewRecorder() 81 | 82 | h.mutate(rec, req) 83 | 84 | assert.Equal(t, http.StatusOK, rec.Code) 85 | assert.Equal(t, "test", rec.Body.String()) 86 | } 87 | -------------------------------------------------------------------------------- /deployments/base/clusterrole.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | kind: ClusterRole 3 | apiVersion: rbac.authorization.k8s.io/v1 4 | metadata: 5 | name: namespace-node-affinity 6 | rules: 7 | - apiGroups: ["admissionregistration.k8s.io"] 8 | resources: ["mutatingwebhookconfigurations"] 9 | verbs: ["get", "create", "update"] 10 | -------------------------------------------------------------------------------- /deployments/base/clusterrolebinding.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | kind: ClusterRoleBinding 3 | apiVersion: rbac.authorization.k8s.io/v1 4 | metadata: 5 | name: namespace-node-affinity 6 | subjects: 7 | - kind: ServiceAccount 8 | name: namespace-node-affinity 9 | namespace: default 10 | apiGroup: "" 11 | roleRef: 12 | kind: ClusterRole 13 | name: namespace-node-affinity 14 | apiGroup: rbac.authorization.k8s.io 15 | -------------------------------------------------------------------------------- /deployments/base/deployment.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: apps/v1 3 | kind: Deployment 4 | metadata: 5 | name: namespace-node-affinity 6 | namespace: default 7 | spec: 8 | replicas: 1 9 | template: 10 | metadata: 11 | name: namespace-node-affinity 12 | spec: 13 | serviceAccountName: namespace-node-affinity 14 | containers: 15 | - name: mutator 16 | image: idgenchev/namespace-node-affinity 17 | volumeMounts: 18 | - mountPath: /etc/webhook/certs 19 | name: webhook-certs 20 | readOnly: true 21 | resources: 22 | limits: 23 | cpu: 500m 24 | memory: 128Mi 25 | requests: 26 | cpu: 250m 27 | memory: 64Mi 28 | env: 29 | - name: CERT 30 | value: /etc/webhook/certs/tls.crt 31 | - name: KEY 32 | value: /etc/webhook/certs/tls.key 33 | - name: NAMESPACE 34 | valueFrom: 35 | fieldRef: 36 | fieldPath: metadata.namespace 37 | initContainers: 38 | - name: init-webhook 39 | image: idgenchev/namespace-node-affinity-init-container 40 | volumeMounts: 41 | - mountPath: /etc/webhook/certs 42 | name: webhook-certs 43 | env: 44 | - name: NAMESPACE 45 | valueFrom: 46 | fieldRef: 47 | fieldPath: metadata.namespace 48 | - name: SERVICE_NAME 49 | value: namespace-node-affinity 50 | - name: CERT 51 | value: /etc/webhook/certs/tls.crt 52 | - name: KEY 53 | value: /etc/webhook/certs/tls.key 54 | volumes: 55 | - name: webhook-certs 56 | emptyDir: {} 57 | -------------------------------------------------------------------------------- /deployments/base/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | 5 | commonLabels: 6 | app: namespace-node-affinity 7 | 8 | resources: 9 | - deployment.yaml 10 | - role.yaml 11 | - rolebinding.yaml 12 | - clusterrole.yaml 13 | - clusterrolebinding.yaml 14 | - sa.yaml 15 | - service.yaml 16 | -------------------------------------------------------------------------------- /deployments/base/role.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | kind: Role 3 | apiVersion: rbac.authorization.k8s.io/v1 4 | metadata: 5 | name: namespace-node-affinity 6 | namespace: default 7 | rules: 8 | - apiGroups: [""] 9 | resources: ["configmaps"] 10 | verbs: ["get"] 11 | -------------------------------------------------------------------------------- /deployments/base/rolebinding.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | kind: RoleBinding 3 | apiVersion: rbac.authorization.k8s.io/v1 4 | metadata: 5 | name: namespace-node-affinity 6 | namespace: default 7 | subjects: 8 | - kind: ServiceAccount 9 | name: namespace-node-affinity 10 | namespace: default 11 | apiGroup: "" 12 | roleRef: 13 | kind: Role 14 | name: namespace-node-affinity 15 | apiGroup: rbac.authorization.k8s.io 16 | -------------------------------------------------------------------------------- /deployments/base/sa.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: ServiceAccount 4 | metadata: 5 | name: namespace-node-affinity 6 | namespace: default 7 | -------------------------------------------------------------------------------- /deployments/base/service.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: Service 4 | metadata: 5 | name: namespace-node-affinity 6 | namespace: default 7 | spec: 8 | publishNotReadyAddresses: true 9 | ports: 10 | - port: 443 11 | targetPort: 8443 12 | -------------------------------------------------------------------------------- /deployments/overlays/local/deployment.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: apps/v1 3 | kind: Deployment 4 | metadata: 5 | name: namespace-node-affinity 6 | namespace: default 7 | spec: 8 | template: 9 | spec: 10 | containers: 11 | - name: mutator 12 | image: namespace-node-affinity 13 | imagePullPolicy: Never 14 | 15 | initContainers: 16 | - name: init-webhook 17 | image: namespace-node-affinity-init-container 18 | imagePullPolicy: Never 19 | -------------------------------------------------------------------------------- /deployments/overlays/local/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | 5 | bases: 6 | - ../../base 7 | 8 | patchesStrategicMerge: 9 | - deployment.yaml 10 | -------------------------------------------------------------------------------- /examples/example_namespaces.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: Namespace 4 | metadata: 5 | name: testing-ns 6 | labels: 7 | namespace-node-affinity: enabled 8 | --- 9 | apiVersion: v1 10 | kind: Namespace 11 | metadata: 12 | name: testing-ns-b 13 | labels: 14 | namespace-node-affinity: enabled 15 | --- 16 | apiVersion: v1 17 | kind: Namespace 18 | metadata: 19 | name: testing-ns-c 20 | labels: 21 | namespace-node-affinity: enabled 22 | --- 23 | apiVersion: v1 24 | kind: Namespace 25 | metadata: 26 | name: testing-ns-d 27 | labels: 28 | namespace-node-affinity: enabled 29 | --- 30 | apiVersion: v1 31 | kind: Namespace 32 | metadata: 33 | name: testing-ns-e 34 | labels: 35 | namespace-node-affinity: enabled 36 | -------------------------------------------------------------------------------- /examples/mutatingwebhookconfiguration.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: admissionregistration.k8s.io/v1 2 | kind: MutatingWebhookConfiguration 3 | metadata: 4 | name: namespace-node-affinity 5 | namespace: default 6 | labels: 7 | app: namespace-node-affinity 8 | webhooks: 9 | - name: namespace-node-affinity.default.svc 10 | clientConfig: 11 | caBundle: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUN5RENDQWJDZ0F3SUJBZ0lCQURBTkJna3Foa2lHOXcwQkFRc0ZBREFWTVJNd0VRWURWUVFERXdwcmRXSmwKY201bGRHVnpNQjRYRFRFNU1EY3lOVEV4TkRjek9Gb1hEVEk1TURjeU1qRXhORGN6T0Zvd0ZURVRNQkVHQTFVRQpBeE1LYTNWaVpYSnVaWFJsY3pDQ0FTSXdEUVlKS29aSWh2Y05BUUVCQlFBRGdnRVBBRENDQVFvQ2dnRUJBTHhzCk9Xay9OUE5jL2FMeFFiemZ3dnJlVGR3V3pXaU4rUlV2WTFLclRPWHB5WlBSaGMrUU8xc25ZQzdCWGtZTWNJVzAKaFVjLzRlR0Vtb3NGZjZpeTR5bzlUc3g4WW82dkxzazBHWktZay92dlJDcjVyL09wZUk2dFFOTTlMVFNkOXhXdgpFT0ZONDdsU2dFSWV5K0o4b2lHYldNb0V4Q3lmSHdINVVHV1pUZCtkWk5ELzNMT29oL3VRY2RjME4yK1llTXVECkJJa3JXL0VYODM3T3dZcGRMZlJka0dPdHoxWXloaHRGQmVyQWpRTG4vNEp2Z1lOQzQ5V0JRQitrZU1mNHJObDAKenFLaTNraklicEY1TEdUUVNYRTY3SVArb0dkYTgvYTVpN3NNUlNONFNqRVlMaGs5c1YxdUFGQW4weW9xMFNhKwpFdjB1U01jVFJjenFwVTBpSms4Q0F3RUFBYU1qTUNFd0RnWURWUjBQQVFIL0JBUURBZ0trTUE4R0ExVWRFd0VCCi93UUZNQU1CQWY4d0RRWUpLb1pJaHZjTkFRRUxCUUFEZ2dFQkFLams2NUtaUmhmbXVHUit5NnhoTFdZT1E0OUUKVmdONGR2MHJpR2ozWUw1TktoMTgyRTY0MGJpbzBFMDBabnpWb2tHT3ZnKzBSMWFGSFAyZXh4R1VsMDBWMXJkWgp6QWJCQW13aGh2UURORnJmQ0hKKytjZTNSZTl1RTdxZFFiOVgxOGlQTko3NlpKRS9OOFFmeitEZ1RqR244dEdwCjV4cTZVZ0RRWXBPd05LOXh6endLb29uKzFIRU9MSm5ELzBMVDlMRlNXRDBSSlk1eHJLWmFvbHJZUkRLRHlyc2kKNWdMUE5MZXVuVTBjb3pHdWVmY3grWXhtTXJqRndLamxORDFITEZvSmw0RTcwcTN0T0RxdUc3KzlsVW9OREJ0SgpPUmdvMWJ1THNQdVpiWURNVnZ5UHhlUkg2RDB0cmtKaFg3QmZ1bjUyZHpJNkVaUlJEQ081cVhlS0pDbz0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo= 12 | service: 13 | name: namespace-node-affinity 14 | namespace: default 15 | path: "/mutate" 16 | port: 443 17 | rules: 18 | - operations: ["CREATE"] 19 | apiGroups: [""] 20 | apiVersions: ["v1"] 21 | resources: ["pods"] 22 | admissionReviewVersions: ["v1"] 23 | sideEffects: None 24 | timeoutSeconds: 5 25 | reinvocationPolicy: Never 26 | failurePolicy: Ignore 27 | namespaceSelector: 28 | matchLabels: 29 | namespace-node-affinity: enabled 30 | -------------------------------------------------------------------------------- /examples/sample_configmap.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: ConfigMap 4 | metadata: 5 | name: namespace-node-affinity 6 | namespace: default 7 | data: 8 | testing-ns: | 9 | nodeSelectorTerms: 10 | - matchExpressions: 11 | - key: the-testing-key 12 | operator: In 13 | values: 14 | - the-testing-val1 15 | tolerations: 16 | - key: "example-key" 17 | operator: "Exists" 18 | effect: "NoSchedule" 19 | excludedLabels: 20 | ignoreme: ignored 21 | testing-ns-b: | 22 | nodeSelectorTerms: 23 | - matchExpressions: 24 | - key: the-testing-key 25 | operator: In 26 | values: 27 | - the-testing-val1 28 | testing-ns-c: | 29 | tolerations: 30 | - key: "example-key" 31 | operator: "Exists" 32 | effect: "NoSchedule" 33 | testing-ns-d: | 34 | invalid: 35 | - key: "example-key" 36 | operator: "Exists" 37 | effect: "NoSchedule" 38 | -------------------------------------------------------------------------------- /examples/sample_ignored_pod.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Pod 3 | metadata: 4 | creationTimestamp: null 5 | labels: 6 | run: nginx-test 7 | ignoreme: ignored 8 | name: nginx-test 9 | namespace: testing-ns 10 | spec: 11 | containers: 12 | - image: nginx 13 | name: nginx-test 14 | resources: {} 15 | dnsPolicy: ClusterFirst 16 | restartPolicy: Always 17 | status: {} 18 | -------------------------------------------------------------------------------- /examples/sample_pod.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Pod 3 | metadata: 4 | creationTimestamp: null 5 | labels: 6 | run: nginx-test 7 | name: nginx-test 8 | namespace: testing-ns 9 | spec: 10 | containers: 11 | - image: nginx 12 | name: nginx-test 13 | resources: {} 14 | dnsPolicy: ClusterFirst 15 | restartPolicy: Always 16 | status: {} 17 | -------------------------------------------------------------------------------- /go.mod: -------------------------------------------------------------------------------- 1 | module github.com/idgenchev/namespace-node-affinity 2 | 3 | go 1.21 4 | 5 | require ( 6 | github.com/jessevdk/go-flags v1.5.0 7 | github.com/prometheus/client_golang v1.14.0 8 | github.com/sirupsen/logrus v1.9.2 9 | github.com/stretchr/testify v1.8.2 10 | k8s.io/api v0.26.1 11 | k8s.io/apimachinery v0.26.1 12 | k8s.io/client-go v0.26.1 13 | sigs.k8s.io/yaml v1.3.0 14 | ) 15 | 16 | require ( 17 | github.com/beorn7/perks v1.0.1 // indirect 18 | github.com/cespare/xxhash/v2 v2.1.2 // indirect 19 | github.com/davecgh/go-spew v1.1.1 // indirect 20 | github.com/emicklei/go-restful/v3 v3.9.0 // indirect 21 | github.com/evanphx/json-patch v4.12.0+incompatible // indirect 22 | github.com/go-logr/logr v1.2.3 // indirect 23 | github.com/go-openapi/jsonpointer v0.19.5 // indirect 24 | github.com/go-openapi/jsonreference v0.20.0 // indirect 25 | github.com/go-openapi/swag v0.19.14 // indirect 26 | github.com/gogo/protobuf v1.3.2 // indirect 27 | github.com/golang/protobuf v1.5.2 // indirect 28 | github.com/google/gnostic v0.5.7-v3refs // indirect 29 | github.com/google/go-cmp v0.5.9 // indirect 30 | github.com/google/gofuzz v1.1.0 // indirect 31 | github.com/imdario/mergo v0.3.6 // indirect 32 | github.com/josharian/intern v1.0.0 // indirect 33 | github.com/json-iterator/go v1.1.12 // indirect 34 | github.com/mailru/easyjson v0.7.6 // indirect 35 | github.com/matttproud/golang_protobuf_extensions v1.0.1 // indirect 36 | github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect 37 | github.com/modern-go/reflect2 v1.0.2 // indirect 38 | github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect 39 | github.com/pkg/errors v0.9.1 // indirect 40 | github.com/pmezard/go-difflib v1.0.0 // indirect 41 | github.com/prometheus/client_model v0.3.0 // indirect 42 | github.com/prometheus/common v0.37.0 // indirect 43 | github.com/prometheus/procfs v0.8.0 // indirect 44 | github.com/spf13/pflag v1.0.5 // indirect 45 | golang.org/x/net v0.3.1-0.20221206200815-1e63c2f08a10 // indirect 46 | golang.org/x/oauth2 v0.0.0-20220223155221-ee480838109b // indirect 47 | golang.org/x/sys v0.3.0 // indirect 48 | golang.org/x/term v0.3.0 // indirect 49 | golang.org/x/text v0.5.0 // indirect 50 | golang.org/x/time v0.0.0-20220210224613-90d013bbcef8 // indirect 51 | google.golang.org/appengine v1.6.7 // indirect 52 | google.golang.org/protobuf v1.28.1 // indirect 53 | gopkg.in/inf.v0 v0.9.1 // indirect 54 | gopkg.in/yaml.v2 v2.4.0 // indirect 55 | gopkg.in/yaml.v3 v3.0.1 // indirect 56 | k8s.io/klog/v2 v2.80.1 // indirect 57 | k8s.io/kube-openapi v0.0.0-20221012153701-172d655c2280 // indirect 58 | k8s.io/utils v0.0.0-20221107191617-1a15be271d1d // indirect 59 | sigs.k8s.io/json v0.0.0-20220713155537-f223a00ba0e2 // indirect 60 | sigs.k8s.io/structured-merge-diff/v4 v4.2.3 // indirect 61 | ) 62 | -------------------------------------------------------------------------------- /go.sum: -------------------------------------------------------------------------------- 1 | cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= 2 | cloud.google.com/go v0.34.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= 3 | cloud.google.com/go v0.38.0/go.mod h1:990N+gfupTy94rShfmMCWGDn0LpTmnzTp2qbd1dvSRU= 4 | cloud.google.com/go v0.44.1/go.mod h1:iSa0KzasP4Uvy3f1mN/7PiObzGgflwredwwASm/v6AU= 5 | cloud.google.com/go v0.44.2/go.mod h1:60680Gw3Yr4ikxnPRS/oxxkBccT6SA1yMk63TGekxKY= 6 | cloud.google.com/go v0.45.1/go.mod h1:RpBamKRgapWJb87xiFSdk4g1CME7QZg3uwTez+TSTjc= 7 | cloud.google.com/go v0.46.3/go.mod h1:a6bKKbmY7er1mI7TEI4lsAkts/mkhTSZK8w33B4RAg0= 8 | cloud.google.com/go v0.50.0/go.mod h1:r9sluTvynVuxRIOHXQEHMFffphuXHOMZMycpNR5e6To= 9 | cloud.google.com/go v0.52.0/go.mod h1:pXajvRH/6o3+F9jDHZWQ5PbGhn+o8w9qiu/CffaVdO4= 10 | cloud.google.com/go v0.53.0/go.mod h1:fp/UouUEsRkN6ryDKNW/Upv/JBKnv6WDthjR6+vze6M= 11 | cloud.google.com/go v0.54.0/go.mod h1:1rq2OEkV3YMf6n/9ZvGWI3GWw0VoqH/1x2nd8Is/bPc= 12 | cloud.google.com/go v0.56.0/go.mod h1:jr7tqZxxKOVYizybht9+26Z/gUq7tiRzu+ACVAMbKVk= 13 | cloud.google.com/go v0.57.0/go.mod h1:oXiQ6Rzq3RAkkY7N6t3TcE6jE+CIBBbA36lwQ1JyzZs= 14 | cloud.google.com/go v0.62.0/go.mod h1:jmCYTdRCQuc1PHIIJ/maLInMho30T/Y0M4hTdTShOYc= 15 | cloud.google.com/go v0.65.0/go.mod h1:O5N8zS7uWy9vkA9vayVHs65eM1ubvY4h553ofrNHObY= 16 | cloud.google.com/go/bigquery v1.0.1/go.mod h1:i/xbL2UlR5RvWAURpBYZTtm/cXjCha9lbfbpx4poX+o= 17 | cloud.google.com/go/bigquery v1.3.0/go.mod h1:PjpwJnslEMmckchkHFfq+HTD2DmtT67aNFKH1/VBDHE= 18 | cloud.google.com/go/bigquery v1.4.0/go.mod h1:S8dzgnTigyfTmLBfrtrhyYhwRxG72rYxvftPBK2Dvzc= 19 | cloud.google.com/go/bigquery v1.5.0/go.mod h1:snEHRnqQbz117VIFhE8bmtwIDY80NLUZUMb4Nv6dBIg= 20 | cloud.google.com/go/bigquery v1.7.0/go.mod h1://okPTzCYNXSlb24MZs83e2Do+h+VXtc4gLoIoXIAPc= 21 | cloud.google.com/go/bigquery v1.8.0/go.mod h1:J5hqkt3O0uAFnINi6JXValWIb1v0goeZM77hZzJN/fQ= 22 | cloud.google.com/go/datastore v1.0.0/go.mod h1:LXYbyblFSglQ5pkeyhO+Qmw7ukd3C+pD7TKLgZqpHYE= 23 | cloud.google.com/go/datastore v1.1.0/go.mod h1:umbIZjpQpHh4hmRpGhH4tLFup+FVzqBi1b3c64qFpCk= 24 | cloud.google.com/go/pubsub v1.0.1/go.mod h1:R0Gpsv3s54REJCy4fxDixWD93lHJMoZTyQ2kNxGRt3I= 25 | cloud.google.com/go/pubsub v1.1.0/go.mod h1:EwwdRX2sKPjnvnqCa270oGRyludottCI76h+R3AArQw= 26 | cloud.google.com/go/pubsub v1.2.0/go.mod h1:jhfEVHT8odbXTkndysNHCcx0awwzvfOlguIAii9o8iA= 27 | cloud.google.com/go/pubsub v1.3.1/go.mod h1:i+ucay31+CNRpDW4Lu78I4xXG+O1r/MAHgjpRVR+TSU= 28 | cloud.google.com/go/storage v1.0.0/go.mod h1:IhtSnM/ZTZV8YYJWCY8RULGVqBDmpoyjwiyrjsg+URw= 29 | cloud.google.com/go/storage v1.5.0/go.mod h1:tpKbwo567HUNpVclU5sGELwQWBDZ8gh0ZeosJ0Rtdos= 30 | cloud.google.com/go/storage v1.6.0/go.mod h1:N7U0C8pVQ/+NIKOBQyamJIeKQKkZ+mxpohlUTyfDhBk= 31 | cloud.google.com/go/storage v1.8.0/go.mod h1:Wv1Oy7z6Yz3DshWRJFhqM/UCfaWIRTdp0RXyy7KQOVs= 32 | cloud.google.com/go/storage v1.10.0/go.mod h1:FLPqc6j+Ki4BU591ie1oL6qBQGu2Bl/tZ9ullr3+Kg0= 33 | dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU= 34 | github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= 35 | github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo= 36 | github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc= 37 | github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc= 38 | github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0= 39 | github.com/alecthomas/units v0.0.0-20190717042225-c3de453c63f4/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0= 40 | github.com/alecthomas/units v0.0.0-20190924025748-f65c72e2690d/go.mod h1:rBZYJk541a8SKzHPHnH3zbiI+7dagKZ0cgpgrD7Fyho= 41 | github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q= 42 | github.com/beorn7/perks v1.0.0/go.mod h1:KWe93zE9D1o94FZ5RNwFwVgaQK1VOXiVxmqh+CedLV8= 43 | github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM= 44 | github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw= 45 | github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU= 46 | github.com/cespare/xxhash/v2 v2.1.1/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= 47 | github.com/cespare/xxhash/v2 v2.1.2 h1:YRXhKfTDauu4ajMg1TPgFO5jnlC2HCbmLXMcTG5cbYE= 48 | github.com/cespare/xxhash/v2 v2.1.2/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= 49 | github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI= 50 | github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI= 51 | github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU= 52 | github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw= 53 | github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc= 54 | github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E= 55 | github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= 56 | github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= 57 | github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= 58 | github.com/docopt/docopt-go v0.0.0-20180111231733-ee0de3bc6815/go.mod h1:WwZ+bS3ebgob9U8Nd0kOddGdZWjyMGR8Wziv+TBNwSE= 59 | github.com/emicklei/go-restful/v3 v3.9.0 h1:XwGDlfxEnQZzuopoqxwSEllNcCOM9DhhFyhFIIGKwxE= 60 | github.com/emicklei/go-restful/v3 v3.9.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc= 61 | github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= 62 | github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= 63 | github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98= 64 | github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c= 65 | github.com/evanphx/json-patch v4.12.0+incompatible h1:4onqiflcdA9EOZ4RxV643DvftH5pOlLGNtQ5lPWQu84= 66 | github.com/evanphx/json-patch v4.12.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk= 67 | github.com/go-gl/glfw v0.0.0-20190409004039-e6da0acd62b1/go.mod h1:vR7hzQXu2zJy9AVAgeJqvqgH9Q5CA+iKCZ2gyEVpxRU= 68 | github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8= 69 | github.com/go-gl/glfw/v3.3/glfw v0.0.0-20200222043503-6f7a984d4dc4/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8= 70 | github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as= 71 | github.com/go-kit/kit v0.9.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as= 72 | github.com/go-kit/log v0.1.0/go.mod h1:zbhenjAZHb184qTLMA9ZjW7ThYL0H2mk7Q6pNt4vbaY= 73 | github.com/go-kit/log v0.2.0/go.mod h1:NwTd00d/i8cPZ3xOwwiv2PO5MOcx78fFErGNcVmBjv0= 74 | github.com/go-logfmt/logfmt v0.3.0/go.mod h1:Qt1PoO58o5twSAckw1HlFXLmHsOX5/0LbT9GBnD5lWE= 75 | github.com/go-logfmt/logfmt v0.4.0/go.mod h1:3RMwSq7FuexP4Kalkev3ejPJsZTpXXBr9+V4qmtdjCk= 76 | github.com/go-logfmt/logfmt v0.5.0/go.mod h1:wCYkCAKZfumFQihp8CzCvQ3paCTfi41vtzG1KdI/P7A= 77 | github.com/go-logfmt/logfmt v0.5.1/go.mod h1:WYhtIu8zTZfxdn5+rREduYbwxfcBr/Vr6KEVveWlfTs= 78 | github.com/go-logr/logr v1.2.0/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= 79 | github.com/go-logr/logr v1.2.3 h1:2DntVwHkVopvECVRSlL5PSo9eG+cAkDCuckLubN+rq0= 80 | github.com/go-logr/logr v1.2.3/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= 81 | github.com/go-openapi/jsonpointer v0.19.3/go.mod h1:Pl9vOtqEWErmShwVjC8pYs9cog34VGT37dQOVbmoatg= 82 | github.com/go-openapi/jsonpointer v0.19.5 h1:gZr+CIYByUqjcgeLXnQu2gHYQC9o73G2XUeOFYEICuY= 83 | github.com/go-openapi/jsonpointer v0.19.5/go.mod h1:Pl9vOtqEWErmShwVjC8pYs9cog34VGT37dQOVbmoatg= 84 | github.com/go-openapi/jsonreference v0.20.0 h1:MYlu0sBgChmCfJxxUKZ8g1cPWFOB37YSZqewK7OKeyA= 85 | github.com/go-openapi/jsonreference v0.20.0/go.mod h1:Ag74Ico3lPc+zR+qjn4XBUmXymS4zJbYVCZmcgkasdo= 86 | github.com/go-openapi/swag v0.19.5/go.mod h1:POnQmlKehdgb5mhVOsnJFsivZCEZ/vjK9gh66Z9tfKk= 87 | github.com/go-openapi/swag v0.19.14 h1:gm3vOOXfiuw5i9p5N9xJvfjvuofpyvLA9Wr6QfK5Fng= 88 | github.com/go-openapi/swag v0.19.14/go.mod h1:QYRuS/SOXUCsnplDa677K7+DxSOj6IPNl/eQntq43wQ= 89 | github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY= 90 | github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ= 91 | github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q= 92 | github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q= 93 | github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q= 94 | github.com/golang/groupcache v0.0.0-20190702054246-869f871628b6/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= 95 | github.com/golang/groupcache v0.0.0-20191227052852-215e87163ea7/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= 96 | github.com/golang/groupcache v0.0.0-20200121045136-8c9f03a8e57e/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= 97 | github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A= 98 | github.com/golang/mock v1.2.0/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A= 99 | github.com/golang/mock v1.3.1/go.mod h1:sBzyDLLjw3U8JLTeZvSv8jJB+tU5PVekmnlKIyFUx0Y= 100 | github.com/golang/mock v1.4.0/go.mod h1:UOMv5ysSaYNkG+OFQykRIcU/QvvxJf3p21QfJ2Bt3cw= 101 | github.com/golang/mock v1.4.1/go.mod h1:UOMv5ysSaYNkG+OFQykRIcU/QvvxJf3p21QfJ2Bt3cw= 102 | github.com/golang/mock v1.4.3/go.mod h1:UOMv5ysSaYNkG+OFQykRIcU/QvvxJf3p21QfJ2Bt3cw= 103 | github.com/golang/mock v1.4.4/go.mod h1:l3mdAwkq5BuhzHwde/uurv3sEJeZMXNpwsxVWU71h+4= 104 | github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= 105 | github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= 106 | github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= 107 | github.com/golang/protobuf v1.3.3/go.mod h1:vzj43D7+SQXF/4pzW/hwtAqwc6iTitCiVSaWz5lYuqw= 108 | github.com/golang/protobuf v1.3.4/go.mod h1:vzj43D7+SQXF/4pzW/hwtAqwc6iTitCiVSaWz5lYuqw= 109 | github.com/golang/protobuf v1.3.5/go.mod h1:6O5/vntMXwX2lRkT1hjjk0nAC1IDOTvTlVgjlRvqsdk= 110 | github.com/golang/protobuf v1.4.0-rc.1/go.mod h1:ceaxUfeHdC40wWswd/P6IGgMaK3YpKi5j83Wpe3EHw8= 111 | github.com/golang/protobuf v1.4.0-rc.1.0.20200221234624-67d41d38c208/go.mod h1:xKAWHe0F5eneWXFV3EuXVDTCmh+JuBKY0li0aMyXATA= 112 | github.com/golang/protobuf v1.4.0-rc.2/go.mod h1:LlEzMj4AhA7rCAGe4KMBDvJI+AwstrUpVNzEA03Pprs= 113 | github.com/golang/protobuf v1.4.0-rc.4.0.20200313231945-b860323f09d0/go.mod h1:WU3c8KckQ9AFe+yFwt9sWVRKCVIyN9cPHBJSNnbL67w= 114 | github.com/golang/protobuf v1.4.0/go.mod h1:jodUvKwWbYaEsadDk5Fwe5c77LiNKVO9IDvqG2KuDX0= 115 | github.com/golang/protobuf v1.4.1/go.mod h1:U8fpvMrcmy5pZrNK1lt4xCsGvpyWQ/VVv6QDs8UjoX8= 116 | github.com/golang/protobuf v1.4.2/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI= 117 | github.com/golang/protobuf v1.4.3/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI= 118 | github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk= 119 | github.com/golang/protobuf v1.5.2 h1:ROPKBNFfQgOUMifHyP+KYbvpjbdoFNs+aK7DXlji0Tw= 120 | github.com/golang/protobuf v1.5.2/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY= 121 | github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ= 122 | github.com/google/btree v1.0.0/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ= 123 | github.com/google/gnostic v0.5.7-v3refs h1:FhTMOKj2VhjpouxvWJAV1TL304uMlb9zcDqkl6cEI54= 124 | github.com/google/gnostic v0.5.7-v3refs/go.mod h1:73MKFl6jIHelAJNaBGFzt3SPtZULs9dYrGFt8OiIsHQ= 125 | github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M= 126 | github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= 127 | github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= 128 | github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= 129 | github.com/google/go-cmp v0.4.1/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= 130 | github.com/google/go-cmp v0.5.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= 131 | github.com/google/go-cmp v0.5.1/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= 132 | github.com/google/go-cmp v0.5.4/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= 133 | github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= 134 | github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38= 135 | github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= 136 | github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= 137 | github.com/google/gofuzz v1.1.0 h1:Hsa8mG0dQ46ij8Sl2AYJDUv1oA9/d6Vk+3LG99Oe02g= 138 | github.com/google/gofuzz v1.1.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= 139 | github.com/google/martian v2.1.0+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXiIaQGbYVAs8BPL6v8lEs= 140 | github.com/google/martian/v3 v3.0.0/go.mod h1:y5Zk1BBys9G+gd6Jrk0W3cC1+ELVxBWuIGO+w/tUAp0= 141 | github.com/google/pprof v0.0.0-20181206194817-3ea8567a2e57/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc= 142 | github.com/google/pprof v0.0.0-20190515194954-54271f7e092f/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc= 143 | github.com/google/pprof v0.0.0-20191218002539-d4f498aebedc/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= 144 | github.com/google/pprof v0.0.0-20200212024743-f11f1df84d12/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= 145 | github.com/google/pprof v0.0.0-20200229191704-1ebb73c60ed3/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= 146 | github.com/google/pprof v0.0.0-20200430221834-fc25d7d30c6d/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= 147 | github.com/google/pprof v0.0.0-20200708004538-1a94d8640e99/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= 148 | github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI= 149 | github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg= 150 | github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk= 151 | github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8= 152 | github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8= 153 | github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc= 154 | github.com/imdario/mergo v0.3.6 h1:xTNEAn+kxVO7dTZGu0CegyqKZmoWFI0rF8UxjlB2d28= 155 | github.com/imdario/mergo v0.3.6/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA= 156 | github.com/jessevdk/go-flags v1.5.0 h1:1jKYvbxEjfUl0fmqTCOfonvskHHXMjBySTLW4y9LFvc= 157 | github.com/jessevdk/go-flags v1.5.0/go.mod h1:Fw0T6WPc1dYxT4mKEZRfG5kJhaTDP9pj1c2EWnYs/m4= 158 | github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY= 159 | github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y= 160 | github.com/jpillora/backoff v1.0.0/go.mod h1:J/6gKK9jxlEcS3zixgDgUAsiuZ7yrSoa/FX5e0EB2j4= 161 | github.com/json-iterator/go v1.1.6/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU= 162 | github.com/json-iterator/go v1.1.10/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4= 163 | github.com/json-iterator/go v1.1.11/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4= 164 | github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM= 165 | github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo= 166 | github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1:6v2b51hI/fHJwM22ozAgKL4VKDeJcHhJFhtBdhmNjmU= 167 | github.com/jstemmer/go-junit-report v0.9.1/go.mod h1:Brl9GWCQeLvo8nXZwPNNblvFj/XSXhF0NWZEnDohbsk= 168 | github.com/julienschmidt/httprouter v1.2.0/go.mod h1:SYymIcj16QtmaHHD7aYtjjsJG7VTCxuUUipMqKk8s4w= 169 | github.com/julienschmidt/httprouter v1.3.0/go.mod h1:JR6WtHb+2LUe8TCKY3cZOxFyyO8IZAc4RVcycCCAKdM= 170 | github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8= 171 | github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck= 172 | github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= 173 | github.com/konsorten/go-windows-terminal-sequences v1.0.3/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= 174 | github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515/go.mod h1:+0opPa2QZZtGFBFZlji/RkVcI2GknAs/DXo4wKdlNEc= 175 | github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo= 176 | github.com/kr/pretty v0.2.0/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI= 177 | github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ= 178 | github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI= 179 | github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY= 180 | github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE= 181 | github.com/mailru/easyjson v0.0.0-20190614124828-94de47d64c63/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc= 182 | github.com/mailru/easyjson v0.0.0-20190626092158-b2ccc519800e/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc= 183 | github.com/mailru/easyjson v0.7.6 h1:8yTIVnZgCoiM1TgqoeTl+LfU5Jg6/xL3QhGQnimLYnA= 184 | github.com/mailru/easyjson v0.7.6/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc= 185 | github.com/matttproud/golang_protobuf_extensions v1.0.1 h1:4hp9jkHxhMHkqkrB3Ix0jegS5sx/RkqARlsWZ6pIwiU= 186 | github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0= 187 | github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= 188 | github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg= 189 | github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= 190 | github.com/modern-go/reflect2 v0.0.0-20180701023420-4b7aa43c6742/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0= 191 | github.com/modern-go/reflect2 v1.0.1/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0= 192 | github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9Gz0M= 193 | github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk= 194 | github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA= 195 | github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ= 196 | github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U= 197 | github.com/mwitkow/go-conntrack v0.0.0-20190716064945-2f068394615f/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U= 198 | github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e h1:fD57ERR4JtEqsWbfPhv4DMiApHyliiK5xCTNVSPiaAs= 199 | github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLANZcx1PVRCS0qkT7pwLkGfwJo4zjcN/Tysno= 200 | github.com/onsi/ginkgo/v2 v2.4.0 h1:+Ig9nvqgS5OBSACXNk15PLdp0U9XPYROt9CFzVdFGIs= 201 | github.com/onsi/ginkgo/v2 v2.4.0/go.mod h1:iHkDK1fKGcBoEHT5W7YBq4RFWaQulw+caOMkAt4OrFo= 202 | github.com/onsi/gomega v1.23.0 h1:/oxKu9c2HVap+F3PfKort2Hw5DEU+HGlW8n+tguWsys= 203 | github.com/onsi/gomega v1.23.0/go.mod h1:Z/NWtiqwBrwUt4/2loMmHL63EDLnYHmVbuBpDr2vQAg= 204 | github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= 205 | github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= 206 | github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4= 207 | github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= 208 | github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= 209 | github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= 210 | github.com/prometheus/client_golang v0.9.1/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw= 211 | github.com/prometheus/client_golang v1.0.0/go.mod h1:db9x61etRT2tGnBNRi70OPL5FsnadC4Ky3P0J6CfImo= 212 | github.com/prometheus/client_golang v1.7.1/go.mod h1:PY5Wy2awLA44sXw4AOSfFBetzPP4j5+D6mVACh+pe2M= 213 | github.com/prometheus/client_golang v1.11.0/go.mod h1:Z6t4BnS23TR94PD6BsDNk8yVqroYurpAkEiz0P2BEV0= 214 | github.com/prometheus/client_golang v1.12.1/go.mod h1:3Z9XVyYiZYEO+YQWt3RD2R3jrbd179Rt297l4aS6nDY= 215 | github.com/prometheus/client_golang v1.14.0 h1:nJdhIvne2eSX/XRAFV9PcvFFRbrjbcTUj0VP62TMhnw= 216 | github.com/prometheus/client_golang v1.14.0/go.mod h1:8vpkKitgIVNcqrRBWh1C4TIUQgYNtG/XQE4E/Zae36Y= 217 | github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo= 218 | github.com/prometheus/client_model v0.0.0-20190129233127-fd36f4220a90/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= 219 | github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= 220 | github.com/prometheus/client_model v0.2.0/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= 221 | github.com/prometheus/client_model v0.3.0 h1:UBgGFHqYdG/TPFD1B1ogZywDqEkwp3fBMvqdiQ7Xew4= 222 | github.com/prometheus/client_model v0.3.0/go.mod h1:LDGWKZIo7rky3hgvBe+caln+Dr3dPggB5dvjtD7w9+w= 223 | github.com/prometheus/common v0.4.1/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4= 224 | github.com/prometheus/common v0.10.0/go.mod h1:Tlit/dnDKsSWFlCLTWaA1cyBgKHSMdTB80sz/V91rCo= 225 | github.com/prometheus/common v0.26.0/go.mod h1:M7rCNAaPfAosfx8veZJCuw84e35h3Cfd9VFqTh1DIvc= 226 | github.com/prometheus/common v0.32.1/go.mod h1:vu+V0TpY+O6vW9J44gczi3Ap/oXXR10b+M/gUGO4Hls= 227 | github.com/prometheus/common v0.37.0 h1:ccBbHCgIiT9uSoFY0vX8H3zsNR5eLt17/RQLUvn8pXE= 228 | github.com/prometheus/common v0.37.0/go.mod h1:phzohg0JFMnBEFGxTDbfu3QyL5GI8gTQJFhYO5B3mfA= 229 | github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk= 230 | github.com/prometheus/procfs v0.0.2/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA= 231 | github.com/prometheus/procfs v0.1.3/go.mod h1:lV6e/gmhEcM9IjHGsFOCxxuZ+z1YqCvr4OA4YeYWdaU= 232 | github.com/prometheus/procfs v0.6.0/go.mod h1:cz+aTbrPOrUb4q7XlbU9ygM+/jj0fzG6c1xBZuNvfVA= 233 | github.com/prometheus/procfs v0.7.3/go.mod h1:cz+aTbrPOrUb4q7XlbU9ygM+/jj0fzG6c1xBZuNvfVA= 234 | github.com/prometheus/procfs v0.8.0 h1:ODq8ZFEaYeCaZOJlZZdJA2AbQR98dSHSM1KW/You5mo= 235 | github.com/prometheus/procfs v0.8.0/go.mod h1:z7EfXMXOkbkqb9IINtpCn86r/to3BnA0uaxHdg830/4= 236 | github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4= 237 | github.com/sirupsen/logrus v1.2.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo= 238 | github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE= 239 | github.com/sirupsen/logrus v1.6.0/go.mod h1:7uNnSEd1DgxDLC74fIahvMZmmYsHGZGEOFrfsX/uA88= 240 | github.com/sirupsen/logrus v1.9.2 h1:oxx1eChJGI6Uks2ZC4W1zpLlVgqB8ner4EuQwV4Ik1Y= 241 | github.com/sirupsen/logrus v1.9.2/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ= 242 | github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA= 243 | github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= 244 | github.com/stoewer/go-strcase v1.2.0/go.mod h1:IBiWB2sKIp3wVVQ3Y035++gc+knqhUQag1KpM8ahLw8= 245 | github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= 246 | github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= 247 | github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw= 248 | github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo= 249 | github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= 250 | github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI= 251 | github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4= 252 | github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA= 253 | github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= 254 | github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= 255 | github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= 256 | github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU= 257 | github.com/stretchr/testify v1.8.2 h1:+h33VjcLVPDHtOdpUCuF+7gSuG3yGIftsP1YvFihtJ8= 258 | github.com/stretchr/testify v1.8.2/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4= 259 | github.com/yuin/goldmark v1.1.25/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= 260 | github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= 261 | github.com/yuin/goldmark v1.1.32/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= 262 | github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= 263 | go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU= 264 | go.opencensus.io v0.22.0/go.mod h1:+kGneAE2xo2IficOXnaByMWTGM9T73dGwxeWcUqIpI8= 265 | go.opencensus.io v0.22.2/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw= 266 | go.opencensus.io v0.22.3/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw= 267 | go.opencensus.io v0.22.4/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw= 268 | golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= 269 | golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= 270 | golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= 271 | golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= 272 | golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= 273 | golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= 274 | golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= 275 | golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= 276 | golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8= 277 | golang.org/x/exp v0.0.0-20190829153037-c13cbed26979/go.mod h1:86+5VVa7VpoJ4kLfm080zCjGlMRFzhUhsZKEZO7MGek= 278 | golang.org/x/exp v0.0.0-20191030013958-a1ab85dbe136/go.mod h1:JXzH8nQsPlswgeRAPE3MuO9GYsAcnJvJ4vnMwN/5qkY= 279 | golang.org/x/exp v0.0.0-20191129062945-2f5052295587/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4= 280 | golang.org/x/exp v0.0.0-20191227195350-da58074b4299/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4= 281 | golang.org/x/exp v0.0.0-20200119233911-0405dc783f0a/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4= 282 | golang.org/x/exp v0.0.0-20200207192155-f17229e696bd/go.mod h1:J/WKrq2StrnmMY6+EHIKF9dgMWnmCNThgcyBT1FY9mM= 283 | golang.org/x/exp v0.0.0-20200224162631-6cc2880d07d6/go.mod h1:3jZMyOhIsHpP37uCMkUooju7aAi5cS1Q23tOzKc+0MU= 284 | golang.org/x/image v0.0.0-20190227222117-0694c2d4d067/go.mod h1:kZ7UVZpmo3dzQBMxlp+ypCbDeSB+sBbTgSJuh5dn5js= 285 | golang.org/x/image v0.0.0-20190802002840-cff245a6509b/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0= 286 | golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE= 287 | golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU= 288 | golang.org/x/lint v0.0.0-20190301231843-5614ed5bae6f/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE= 289 | golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= 290 | golang.org/x/lint v0.0.0-20190409202823-959b441ac422/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= 291 | golang.org/x/lint v0.0.0-20190909230951-414d861bb4ac/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= 292 | golang.org/x/lint v0.0.0-20190930215403-16217165b5de/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= 293 | golang.org/x/lint v0.0.0-20191125180803-fdd1cda4f05f/go.mod h1:5qLYkcX4OjUUV8bRuDixDT3tpyyb+LUpUlRWLxfhWrs= 294 | golang.org/x/lint v0.0.0-20200130185559-910be7a94367/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY= 295 | golang.org/x/lint v0.0.0-20200302205851-738671d3881b/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY= 296 | golang.org/x/mobile v0.0.0-20190312151609-d3739f865fa6/go.mod h1:z+o9i4GpDbdi3rU15maQ/Ox0txvL9dWGYEHz965HBQE= 297 | golang.org/x/mobile v0.0.0-20190719004257-d2bd2a29d028/go.mod h1:E/iHnbuqvinMTCcRqshq8CkpyQDoeVncDDYHnLhea+o= 298 | golang.org/x/mod v0.0.0-20190513183733-4bf6d317e70e/go.mod h1:mXi4GBBbnImb6dmsKGUJ2LatrhH/nqhxcFungHvyanc= 299 | golang.org/x/mod v0.1.0/go.mod h1:0QHyrYULN0/3qlju5TqG8bIK38QM8yzMo5ekMj3DlcY= 300 | golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg= 301 | golang.org/x/mod v0.1.1-0.20191107180719-034126e5016b/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg= 302 | golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= 303 | golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= 304 | golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= 305 | golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= 306 | golang.org/x/net v0.0.0-20181114220301-adae6a3d119a/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= 307 | golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= 308 | golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= 309 | golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= 310 | golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= 311 | golang.org/x/net v0.0.0-20190501004415-9ce7a6920f09/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= 312 | golang.org/x/net v0.0.0-20190503192946-f4e77d36d62c/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= 313 | golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks= 314 | golang.org/x/net v0.0.0-20190613194153-d28f0bde5980/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= 315 | golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= 316 | golang.org/x/net v0.0.0-20190628185345-da137c7871d7/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= 317 | golang.org/x/net v0.0.0-20190724013045-ca1201d0de80/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= 318 | golang.org/x/net v0.0.0-20191209160850-c0dbc17a3553/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= 319 | golang.org/x/net v0.0.0-20200114155413-6afb5195e5aa/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= 320 | golang.org/x/net v0.0.0-20200202094626-16171245cfb2/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= 321 | golang.org/x/net v0.0.0-20200222125558-5a598a2470a0/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= 322 | golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= 323 | golang.org/x/net v0.0.0-20200301022130-244492dfa37a/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= 324 | golang.org/x/net v0.0.0-20200324143707-d3edc9973b7e/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= 325 | golang.org/x/net v0.0.0-20200501053045-e0ff5e5a1de5/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= 326 | golang.org/x/net v0.0.0-20200506145744-7e3656a0809f/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= 327 | golang.org/x/net v0.0.0-20200513185701-a91f0712d120/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= 328 | golang.org/x/net v0.0.0-20200520182314-0ba52f642ac2/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= 329 | golang.org/x/net v0.0.0-20200625001655-4c5254603344/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA= 330 | golang.org/x/net v0.0.0-20200707034311-ab3426394381/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA= 331 | golang.org/x/net v0.0.0-20200822124328-c89045814202/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA= 332 | golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= 333 | golang.org/x/net v0.0.0-20210525063256-abc453219eb5/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= 334 | golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk= 335 | golang.org/x/net v0.0.0-20220225172249-27dd8689420f/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk= 336 | golang.org/x/net v0.3.1-0.20221206200815-1e63c2f08a10 h1:Frnccbp+ok2GkUS2tC84yAq/U9Vg+0sIO7aRL3T4Xnc= 337 | golang.org/x/net v0.3.1-0.20221206200815-1e63c2f08a10/go.mod h1:MBQ8lrhLObU/6UmLb4fmbmk5OcyYmqtbGd/9yIeKjEE= 338 | golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= 339 | golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= 340 | golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= 341 | golang.org/x/oauth2 v0.0.0-20191202225959-858c2ad4c8b6/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= 342 | golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= 343 | golang.org/x/oauth2 v0.0.0-20210514164344-f6687ab2804c/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= 344 | golang.org/x/oauth2 v0.0.0-20220223155221-ee480838109b h1:clP8eMhB30EHdc0bd2Twtq6kgU7yl5ub2cQLSdrv1Dg= 345 | golang.org/x/oauth2 v0.0.0-20220223155221-ee480838109b/go.mod h1:DAh4E804XQdzx2j+YRIaUnCqCV2RuMz24cGBJ5QYIrc= 346 | golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= 347 | golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= 348 | golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= 349 | golang.org/x/sync v0.0.0-20190227155943-e225da77a7e6/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= 350 | golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= 351 | golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= 352 | golang.org/x/sync v0.0.0-20200317015054-43a5402ce75a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= 353 | golang.org/x/sync v0.0.0-20200625203802-6e8e738ad208/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= 354 | golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= 355 | golang.org/x/sync v0.0.0-20201207232520-09787c993a3a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= 356 | golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= 357 | golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= 358 | golang.org/x/sys v0.0.0-20181116152217-5ac8a444bdc5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= 359 | golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= 360 | golang.org/x/sys v0.0.0-20190312061237-fead79001313/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 361 | golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 362 | golang.org/x/sys v0.0.0-20190422165155-953cdadca894/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 363 | golang.org/x/sys v0.0.0-20190502145724-3ef323f4f1fd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 364 | golang.org/x/sys v0.0.0-20190507160741-ecd444e8653b/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 365 | golang.org/x/sys v0.0.0-20190606165138-5da285871e9c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 366 | golang.org/x/sys v0.0.0-20190624142023-c5567b49c5d0/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 367 | golang.org/x/sys v0.0.0-20190726091711-fc99dfbffb4e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 368 | golang.org/x/sys v0.0.0-20191001151750-bb3f8db39f24/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 369 | golang.org/x/sys v0.0.0-20191204072324-ce4227a45e2e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 370 | golang.org/x/sys v0.0.0-20191228213918-04cbcbbfeed8/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 371 | golang.org/x/sys v0.0.0-20200106162015-b016eb3dc98e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 372 | golang.org/x/sys v0.0.0-20200113162924-86b910548bc1/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 373 | golang.org/x/sys v0.0.0-20200122134326-e047566fdf82/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 374 | golang.org/x/sys v0.0.0-20200202164722-d101bd2416d5/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 375 | golang.org/x/sys v0.0.0-20200212091648-12a6c2dcc1e4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 376 | golang.org/x/sys v0.0.0-20200223170610-d5e6a3e2c0ae/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 377 | golang.org/x/sys v0.0.0-20200302150141-5c8b2ff67527/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 378 | golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 379 | golang.org/x/sys v0.0.0-20200331124033-c3d80250170d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 380 | golang.org/x/sys v0.0.0-20200501052902-10377860bb8e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 381 | golang.org/x/sys v0.0.0-20200511232937-7e40ca221e25/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 382 | golang.org/x/sys v0.0.0-20200515095857-1151b9dac4a9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 383 | golang.org/x/sys v0.0.0-20200523222454-059865788121/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 384 | golang.org/x/sys v0.0.0-20200615200032-f1bc736245b1/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 385 | golang.org/x/sys v0.0.0-20200625212154-ddb9806d33ae/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 386 | golang.org/x/sys v0.0.0-20200803210538-64077c9b5642/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 387 | golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 388 | golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 389 | golang.org/x/sys v0.0.0-20210124154548-22da62e12c0c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 390 | golang.org/x/sys v0.0.0-20210320140829-1e4c9ba3b0c4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 391 | golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 392 | golang.org/x/sys v0.0.0-20210603081109-ebe580a85c40/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= 393 | golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= 394 | golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= 395 | golang.org/x/sys v0.0.0-20220114195835-da31bd327af9/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= 396 | golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= 397 | golang.org/x/sys v0.3.0 h1:w8ZOecv6NaNa/zC8944JTU3vz4u6Lagfk4RPQxv92NQ= 398 | golang.org/x/sys v0.3.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= 399 | golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= 400 | golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= 401 | golang.org/x/term v0.3.0 h1:qoo4akIqOcDME5bhc/NgxUdovd6BSS2uMsVjB56q1xI= 402 | golang.org/x/term v0.3.0/go.mod h1:q750SLmJuPmVoN1blW3UFBPREJfb1KmY3vwxfr+nFDA= 403 | golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= 404 | golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= 405 | golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= 406 | golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk= 407 | golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= 408 | golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= 409 | golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= 410 | golang.org/x/text v0.5.0 h1:OLmvp0KP+FVG99Ct/qFiL/Fhk4zp4QQnZ7b2U+5piUM= 411 | golang.org/x/text v0.5.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= 412 | golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= 413 | golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= 414 | golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= 415 | golang.org/x/time v0.0.0-20220210224613-90d013bbcef8 h1:vVKdlvoWBphwdxWKrFZEuM0kGgGLxUOYcY4U/2Vjg44= 416 | golang.org/x/time v0.0.0-20220210224613-90d013bbcef8/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= 417 | golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= 418 | golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= 419 | golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY= 420 | golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= 421 | golang.org/x/tools v0.0.0-20190312151545-0bb0c0a6e846/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= 422 | golang.org/x/tools v0.0.0-20190312170243-e65039ee4138/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= 423 | golang.org/x/tools v0.0.0-20190425150028-36563e24a262/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q= 424 | golang.org/x/tools v0.0.0-20190506145303-2d16b83fe98c/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q= 425 | golang.org/x/tools v0.0.0-20190524140312-2c0ae7006135/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q= 426 | golang.org/x/tools v0.0.0-20190606124116-d0a3d012864b/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc= 427 | golang.org/x/tools v0.0.0-20190621195816-6e04913cbbac/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc= 428 | golang.org/x/tools v0.0.0-20190628153133-6cdbf07be9d0/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc= 429 | golang.org/x/tools v0.0.0-20190816200558-6889da9d5479/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= 430 | golang.org/x/tools v0.0.0-20190911174233-4f2ddba30aff/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= 431 | golang.org/x/tools v0.0.0-20191012152004-8de300cfc20a/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= 432 | golang.org/x/tools v0.0.0-20191113191852-77e3bb0ad9e7/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= 433 | golang.org/x/tools v0.0.0-20191115202509-3a792d9c32b2/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= 434 | golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= 435 | golang.org/x/tools v0.0.0-20191125144606-a911d9008d1f/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= 436 | golang.org/x/tools v0.0.0-20191130070609-6e064ea0cf2d/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= 437 | golang.org/x/tools v0.0.0-20191216173652-a0e659d51361/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= 438 | golang.org/x/tools v0.0.0-20191227053925-7b8e75db28f4/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= 439 | golang.org/x/tools v0.0.0-20200117161641-43d50277825c/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= 440 | golang.org/x/tools v0.0.0-20200122220014-bf1340f18c4a/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= 441 | golang.org/x/tools v0.0.0-20200130002326-2f3ba24bd6e7/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= 442 | golang.org/x/tools v0.0.0-20200204074204-1cc6d1ef6c74/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= 443 | golang.org/x/tools v0.0.0-20200207183749-b753a1ba74fa/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= 444 | golang.org/x/tools v0.0.0-20200212150539-ea181f53ac56/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= 445 | golang.org/x/tools v0.0.0-20200224181240-023911ca70b2/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= 446 | golang.org/x/tools v0.0.0-20200227222343-706bc42d1f0d/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= 447 | golang.org/x/tools v0.0.0-20200304193943-95d2e580d8eb/go.mod h1:o4KQGtdN14AW+yjsvvwRTJJuXz8XRtIHtEnmAXLyFUw= 448 | golang.org/x/tools v0.0.0-20200312045724-11d5b4c81c7d/go.mod h1:o4KQGtdN14AW+yjsvvwRTJJuXz8XRtIHtEnmAXLyFUw= 449 | golang.org/x/tools v0.0.0-20200331025713-a30bf2db82d4/go.mod h1:Sl4aGygMT6LrqrWclx+PTx3U+LnKx/seiNR+3G19Ar8= 450 | golang.org/x/tools v0.0.0-20200501065659-ab2804fb9c9d/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= 451 | golang.org/x/tools v0.0.0-20200512131952-2bc93b1c0c88/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= 452 | golang.org/x/tools v0.0.0-20200515010526-7d3b6ebf133d/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= 453 | golang.org/x/tools v0.0.0-20200618134242-20370b0cb4b2/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= 454 | golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= 455 | golang.org/x/tools v0.0.0-20200729194436-6467de6f59a7/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA= 456 | golang.org/x/tools v0.0.0-20200804011535-6c149bb5ef0d/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA= 457 | golang.org/x/tools v0.0.0-20200825202427-b303f430e36d/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA= 458 | golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= 459 | golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= 460 | golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= 461 | golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= 462 | golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= 463 | google.golang.org/api v0.4.0/go.mod h1:8k5glujaEP+g9n7WNsDg8QP6cUVNI86fCNMcbazEtwE= 464 | google.golang.org/api v0.7.0/go.mod h1:WtwebWUNSVBH/HAw79HIFXZNqEvBhG+Ra+ax0hx3E3M= 465 | google.golang.org/api v0.8.0/go.mod h1:o4eAsZoiT+ibD93RtjEohWalFOjRDx6CVaqeizhEnKg= 466 | google.golang.org/api v0.9.0/go.mod h1:o4eAsZoiT+ibD93RtjEohWalFOjRDx6CVaqeizhEnKg= 467 | google.golang.org/api v0.13.0/go.mod h1:iLdEw5Ide6rF15KTC1Kkl0iskquN2gFfn9o9XIsbkAI= 468 | google.golang.org/api v0.14.0/go.mod h1:iLdEw5Ide6rF15KTC1Kkl0iskquN2gFfn9o9XIsbkAI= 469 | google.golang.org/api v0.15.0/go.mod h1:iLdEw5Ide6rF15KTC1Kkl0iskquN2gFfn9o9XIsbkAI= 470 | google.golang.org/api v0.17.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE= 471 | google.golang.org/api v0.18.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE= 472 | google.golang.org/api v0.19.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE= 473 | google.golang.org/api v0.20.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE= 474 | google.golang.org/api v0.22.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE= 475 | google.golang.org/api v0.24.0/go.mod h1:lIXQywCXRcnZPGlsd8NbLnOjtAoL6em04bJ9+z0MncE= 476 | google.golang.org/api v0.28.0/go.mod h1:lIXQywCXRcnZPGlsd8NbLnOjtAoL6em04bJ9+z0MncE= 477 | google.golang.org/api v0.29.0/go.mod h1:Lcubydp8VUV7KeIHD9z2Bys/sm/vGKnG1UHuDBSrHWM= 478 | google.golang.org/api v0.30.0/go.mod h1:QGmEvQ87FHZNiUVJkT14jQNYJ4ZJjdRF23ZXz5138Fc= 479 | google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM= 480 | google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= 481 | google.golang.org/appengine v1.5.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= 482 | google.golang.org/appengine v1.6.1/go.mod h1:i06prIuMbXzDqacNJfV5OdTW448YApPu5ww/cMBSeb0= 483 | google.golang.org/appengine v1.6.5/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc= 484 | google.golang.org/appengine v1.6.6/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc= 485 | google.golang.org/appengine v1.6.7 h1:FZR1q0exgwxzPzp/aF+VccGrSfxfPpkBqjIIEq3ru6c= 486 | google.golang.org/appengine v1.6.7/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc= 487 | google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc= 488 | google.golang.org/genproto v0.0.0-20190307195333-5fe7a883aa19/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= 489 | google.golang.org/genproto v0.0.0-20190418145605-e7d98fc518a7/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= 490 | google.golang.org/genproto v0.0.0-20190425155659-357c62f0e4bb/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= 491 | google.golang.org/genproto v0.0.0-20190502173448-54afdca5d873/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= 492 | google.golang.org/genproto v0.0.0-20190801165951-fa694d86fc64/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc= 493 | google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc= 494 | google.golang.org/genproto v0.0.0-20190911173649-1774047e7e51/go.mod h1:IbNlFCBrqXvoKpeg0TB2l7cyZUmoaFKYIwrEpbDKLA8= 495 | google.golang.org/genproto v0.0.0-20191108220845-16a3f7862a1a/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc= 496 | google.golang.org/genproto v0.0.0-20191115194625-c23dd37a84c9/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc= 497 | google.golang.org/genproto v0.0.0-20191216164720-4f79533eabd1/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc= 498 | google.golang.org/genproto v0.0.0-20191230161307-f3c370f40bfb/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc= 499 | google.golang.org/genproto v0.0.0-20200115191322-ca5a22157cba/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc= 500 | google.golang.org/genproto v0.0.0-20200122232147-0452cf42e150/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc= 501 | google.golang.org/genproto v0.0.0-20200204135345-fa8e72b47b90/go.mod h1:GmwEX6Z4W5gMy59cAlVYjN9JhxgbQH6Gn+gFDQe2lzA= 502 | google.golang.org/genproto v0.0.0-20200212174721-66ed5ce911ce/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= 503 | google.golang.org/genproto v0.0.0-20200224152610-e50cd9704f63/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= 504 | google.golang.org/genproto v0.0.0-20200228133532-8c2c7df3a383/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= 505 | google.golang.org/genproto v0.0.0-20200305110556-506484158171/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= 506 | google.golang.org/genproto v0.0.0-20200312145019-da6875a35672/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= 507 | google.golang.org/genproto v0.0.0-20200331122359-1ee6d9798940/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= 508 | google.golang.org/genproto v0.0.0-20200430143042-b979b6f78d84/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= 509 | google.golang.org/genproto v0.0.0-20200511104702-f5ebc3bea380/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= 510 | google.golang.org/genproto v0.0.0-20200515170657-fc4c6c6a6587/go.mod h1:YsZOwe1myG/8QRHRsmBRE1LrgQY60beZKjly0O1fX9U= 511 | google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo= 512 | google.golang.org/genproto v0.0.0-20200618031413-b414f8b61790/go.mod h1:jDfRM7FcilCzHH/e9qn6dsT145K34l5v+OpcnNgKAAA= 513 | google.golang.org/genproto v0.0.0-20200729003335-053ba62fc06f/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= 514 | google.golang.org/genproto v0.0.0-20200804131852-c06518451d9c/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= 515 | google.golang.org/genproto v0.0.0-20200825200019-8632dd797987/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= 516 | google.golang.org/genproto v0.0.0-20201019141844-1ed22bb0c154/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= 517 | google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c= 518 | google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiqXj38= 519 | google.golang.org/grpc v1.21.1/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM= 520 | google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg= 521 | google.golang.org/grpc v1.25.1/go.mod h1:c3i+UQWmh7LiEpx4sFZnkU36qjEYZ0imhYfXVyQciAY= 522 | google.golang.org/grpc v1.26.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk= 523 | google.golang.org/grpc v1.27.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk= 524 | google.golang.org/grpc v1.27.1/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk= 525 | google.golang.org/grpc v1.28.0/go.mod h1:rpkK4SK4GF4Ach/+MFLZUBavHOvF2JJB5uozKKal+60= 526 | google.golang.org/grpc v1.29.1/go.mod h1:itym6AZVZYACWQqET3MqgPpjcuV5QH3BxFS3IjizoKk= 527 | google.golang.org/grpc v1.30.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak= 528 | google.golang.org/grpc v1.31.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak= 529 | google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8= 530 | google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0= 531 | google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM= 532 | google.golang.org/protobuf v1.20.1-0.20200309200217-e05f789c0967/go.mod h1:A+miEFZTKqfCUM6K7xSMQL9OKL/b6hQv+e19PK+JZNE= 533 | google.golang.org/protobuf v1.21.0/go.mod h1:47Nbq4nVaFHyn7ilMalzfO3qCViNmqZ2kzikPIcrTAo= 534 | google.golang.org/protobuf v1.22.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= 535 | google.golang.org/protobuf v1.23.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= 536 | google.golang.org/protobuf v1.23.1-0.20200526195155-81db48ad09cc/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= 537 | google.golang.org/protobuf v1.24.0/go.mod h1:r/3tXBNzIEhYS9I1OUVjXDlt8tc493IdKGjtUeSXeh4= 538 | google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlbajtzgsN7c= 539 | google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw= 540 | google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc= 541 | google.golang.org/protobuf v1.28.1 h1:d0NfwRgPtno5B1Wa6L2DAG+KivqkdutMf1UhdNx175w= 542 | google.golang.org/protobuf v1.28.1/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I= 543 | gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw= 544 | gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= 545 | gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= 546 | gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= 547 | gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f h1:BLraFXnmrev5lT+xlilqcH8XK9/i0At2xKjWk4p6zsU= 548 | gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= 549 | gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI= 550 | gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc= 551 | gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw= 552 | gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= 553 | gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= 554 | gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= 555 | gopkg.in/yaml.v2 v2.2.5/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= 556 | gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= 557 | gopkg.in/yaml.v2 v2.3.0/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= 558 | gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY= 559 | gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ= 560 | gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= 561 | gopkg.in/yaml.v3 v3.0.0-20200615113413-eeeca48fe776/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= 562 | gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= 563 | gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= 564 | honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= 565 | honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= 566 | honnef.co/go/tools v0.0.0-20190418001031-e561f6794a2a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= 567 | honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= 568 | honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg= 569 | honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k= 570 | honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k= 571 | k8s.io/api v0.26.1 h1:f+SWYiPd/GsiWwVRz+NbFyCgvv75Pk9NK6dlkZgpCRQ= 572 | k8s.io/api v0.26.1/go.mod h1:xd/GBNgR0f707+ATNyPmQ1oyKSgndzXij81FzWGsejg= 573 | k8s.io/apimachinery v0.26.1 h1:8EZ/eGJL+hY/MYCNwhmDzVqq2lPl3N3Bo8rvweJwXUQ= 574 | k8s.io/apimachinery v0.26.1/go.mod h1:tnPmbONNJ7ByJNz9+n9kMjNP8ON+1qoAIIC70lztu74= 575 | k8s.io/client-go v0.26.1 h1:87CXzYJnAMGaa/IDDfRdhTzxk/wzGZ+/HUQpqgVSZXU= 576 | k8s.io/client-go v0.26.1/go.mod h1:IWNSglg+rQ3OcvDkhY6+QLeasV4OYHDjdqeWkDQZwGE= 577 | k8s.io/klog/v2 v2.80.1 h1:atnLQ121W371wYYFawwYx1aEY2eUfs4l3J72wtgAwV4= 578 | k8s.io/klog/v2 v2.80.1/go.mod h1:y1WjHnz7Dj687irZUWR/WLkLc5N1YHtjLdmgWjndZn0= 579 | k8s.io/kube-openapi v0.0.0-20221012153701-172d655c2280 h1:+70TFaan3hfJzs+7VK2o+OGxg8HsuBr/5f6tVAjDu6E= 580 | k8s.io/kube-openapi v0.0.0-20221012153701-172d655c2280/go.mod h1:+Axhij7bCpeqhklhUTe3xmOn6bWxolyZEeyaFpjGtl4= 581 | k8s.io/utils v0.0.0-20221107191617-1a15be271d1d h1:0Smp/HP1OH4Rvhe+4B8nWGERtlqAGSftbSbbmm45oFs= 582 | k8s.io/utils v0.0.0-20221107191617-1a15be271d1d/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= 583 | rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8= 584 | rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0= 585 | rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA= 586 | sigs.k8s.io/json v0.0.0-20220713155537-f223a00ba0e2 h1:iXTIw73aPyC+oRdyqqvVJuloN1p0AC/kzH07hu3NE+k= 587 | sigs.k8s.io/json v0.0.0-20220713155537-f223a00ba0e2/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0= 588 | sigs.k8s.io/structured-merge-diff/v4 v4.2.3 h1:PRbqxJClWWYMNV1dhaG4NsibJbArud9kFxnAMREiWFE= 589 | sigs.k8s.io/structured-merge-diff/v4 v4.2.3/go.mod h1:qjx8mGObPmV2aSZepjQjbmb2ihdVs8cGKBraizNC69E= 590 | sigs.k8s.io/yaml v1.3.0 h1:a2VclLzOGrwOHDiV8EfBGhvjHvP46CtW5j6POvhYGGo= 591 | sigs.k8s.io/yaml v1.3.0/go.mod h1:GeOyir5tyXNByN85N/dRIT9es5UQNerPYEKK56eTBm8= 592 | -------------------------------------------------------------------------------- /injector/injector.go: -------------------------------------------------------------------------------- 1 | // Package injector deals with AdmissionReview requests and responses 2 | package injector 3 | 4 | import ( 5 | "context" 6 | "encoding/json" 7 | "errors" 8 | "fmt" 9 | 10 | log "github.com/sirupsen/logrus" 11 | v1beta1 "k8s.io/api/admission/v1beta1" 12 | corev1 "k8s.io/api/core/v1" 13 | metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" 14 | k8sclient "k8s.io/client-go/kubernetes" 15 | "sigs.k8s.io/yaml" 16 | ) 17 | 18 | // Errors returned by this package 19 | var ( 20 | ErrInvalidAdmissionReview = errors.New("invalid admission review") 21 | ErrInvalidAdmissionReviewObj = errors.New("invalid admission review object") 22 | ErrFailedToCreatePatch = errors.New("failed to create patch") 23 | ErrFailedToReadNodeSelectorTerms = errors.New("failed to load node selector terms") 24 | ErrMissingConfiguration = errors.New("missing configuration") 25 | ErrInvalidConfiguration = errors.New("invalid configuration") 26 | ) 27 | 28 | // PatchPath is the path for the JSON patch 29 | type PatchPath string 30 | 31 | // PatchPath values 32 | const ( 33 | // affinity 34 | CreateAffinity = "/spec/affinity" 35 | CreateNodeAffinity = "/spec/affinity/nodeAffinity" 36 | AddRequiredDuringScheduling = "/spec/affinity/nodeAffinity/requiredDuringSchedulingIgnoredDuringExecution" 37 | AddNodeSelectorTerms = "/spec/affinity/nodeAffinity/requiredDuringSchedulingIgnoredDuringExecution/nodeSelectorTerms" 38 | AddToNodeSelectorTerms = "/spec/affinity/nodeAffinity/requiredDuringSchedulingIgnoredDuringExecution/nodeSelectorTerms/-" 39 | // tolerations 40 | CreateTolerations = "/spec/tolerations" 41 | AddTolerations = "/spec/tolerations/-" 42 | ) 43 | 44 | const ( 45 | nodeSelectorKey = "nodeSelectorTerms" 46 | tolerationsKey = "tolerations" 47 | successStatus = "Success" 48 | annotationKey = "namespace-node-affinity.idgenchev.github.com/applied-patch" 49 | ) 50 | 51 | var ( 52 | jsonMarshal = json.Marshal 53 | jsonUnmarshal = json.Unmarshal 54 | yamlUnmarshal = yaml.Unmarshal 55 | ) 56 | 57 | // JSONPatch is the JSON patch (http://jsonpatch.com) for patching k8s 58 | // object 59 | type JSONPatch struct { 60 | Op string `json:"op"` 61 | Path PatchPath `json:"path"` 62 | Value interface{} `json:"value"` 63 | } 64 | 65 | // NamespaceConfig is the per-namespace configuration 66 | type NamespaceConfig struct { 67 | NodeSelectorTerms []corev1.NodeSelectorTerm `json:"nodeSelectorTerms"` 68 | Tolerations []corev1.Toleration `json:"tolerations"` 69 | ExcludedLabels map[string]string `json:"excludedLabels"` 70 | } 71 | 72 | // Injector handles AdmissionReview objects 73 | type Injector struct { 74 | clientset k8sclient.Interface 75 | namespace string 76 | configMapName string 77 | } 78 | 79 | // NewInjector returns *Injector with k8sclient and configMapName 80 | func NewInjector(k8sclient k8sclient.Interface, namespace string, configMapName string) *Injector { 81 | return &Injector{k8sclient, namespace, configMapName} 82 | } 83 | 84 | // Mutate unmarshalls the AdmissionReview (body) and creates or updates the 85 | // nodeAffinity and/or the tolerations of the k8s object in the admission 86 | // review request, sets the AdmissionReview response and returns the marshalled 87 | // AdmissionReview or an error 88 | func (m *Injector) Mutate(body []byte) ([]byte, error) { 89 | log.Infof("Received AdmissionReview: %s\n", string(body)) 90 | 91 | // unmarshal request into AdmissionReview struct 92 | admissionReview := v1beta1.AdmissionReview{} 93 | if err := jsonUnmarshal(body, &admissionReview); err != nil { 94 | return nil, fmt.Errorf("%w: %s", ErrInvalidAdmissionReview, err) 95 | } 96 | 97 | var pod *corev1.Pod 98 | 99 | req := admissionReview.Request 100 | if req == nil { 101 | log.Warning("admissionReview with empty request") 102 | return nil, nil 103 | } 104 | 105 | resp := v1beta1.AdmissionResponse{} 106 | 107 | if err := jsonUnmarshal(req.Object.Raw, &pod); err != nil { 108 | return nil, fmt.Errorf("%w: %v", ErrInvalidAdmissionReviewObj, err) 109 | } 110 | 111 | // set response options 112 | resp.Allowed = true 113 | resp.UID = req.UID 114 | jsonPatch := v1beta1.PatchTypeJSONPatch 115 | resp.PatchType = &jsonPatch 116 | 117 | podNamespace := req.Namespace 118 | if podNamespace == "" { 119 | podNamespace = "default" 120 | } 121 | 122 | config, err := m.configForNamespace(podNamespace) 123 | if err != nil { 124 | return nil, err 125 | } 126 | 127 | if ignorePodWithLabels(pod.Labels, config) { 128 | log.Infof("Ignoring pod with labels: %#v in namespace: %s", pod.Labels, podNamespace) 129 | // return the unmodified AdmissionReview 130 | return body, nil 131 | } 132 | 133 | patch, err := buildPatch(config, pod.Spec) 134 | if err != nil { 135 | return nil, err 136 | } 137 | 138 | resp.Patch = patch 139 | 140 | resp.AuditAnnotations = map[string]string{ 141 | annotationKey: string(patch), 142 | } 143 | 144 | resp.Result = &metav1.Status{ 145 | Status: successStatus, 146 | } 147 | 148 | admissionReview.Response = &resp 149 | 150 | responseBody, err := jsonMarshal(admissionReview) 151 | if err != nil { 152 | return nil, err 153 | } 154 | 155 | log.Infof("AdmissionReview response: %s\n", string(responseBody)) 156 | 157 | return responseBody, nil 158 | } 159 | 160 | func (m *Injector) configForNamespace(namespace string) (*NamespaceConfig, error) { 161 | configMap, err := m.clientset.CoreV1(). 162 | ConfigMaps(m.namespace). 163 | Get(context.Background(), m.configMapName, metav1.GetOptions{}) 164 | 165 | if err != nil { 166 | return nil, fmt.Errorf("%w: %s", ErrMissingConfiguration, err) 167 | } 168 | 169 | namespaceConfigString, exists := configMap.Data[namespace] 170 | if !exists { 171 | return nil, fmt.Errorf("%w: for %s", ErrMissingConfiguration, namespace) 172 | } 173 | 174 | config := &NamespaceConfig{} 175 | err = yamlUnmarshal([]byte(namespaceConfigString), config) 176 | if err != nil { 177 | return nil, fmt.Errorf("%w: %s", ErrInvalidConfiguration, err) 178 | } else if config.NodeSelectorTerms == nil && config.Tolerations == nil { 179 | return nil, fmt.Errorf("%w: at least one of nodeSelectorTerms or tolerations needs to be specified for %s", ErrInvalidConfiguration, namespace) 180 | } 181 | 182 | return config, nil 183 | } 184 | 185 | func buildNodeSelectorTermsPath(podSpec corev1.PodSpec) PatchPath { 186 | var path PatchPath 187 | 188 | if podSpec.Affinity == nil { 189 | path = CreateAffinity 190 | } else if podSpec.Affinity != nil && podSpec.Affinity.NodeAffinity == nil { 191 | path = CreateNodeAffinity 192 | } else if podSpec.Affinity.NodeAffinity != nil && podSpec.Affinity.NodeAffinity.RequiredDuringSchedulingIgnoredDuringExecution == nil { 193 | path = AddRequiredDuringScheduling 194 | } else if podSpec.Affinity.NodeAffinity != nil && podSpec.Affinity.NodeAffinity.RequiredDuringSchedulingIgnoredDuringExecution != nil && podSpec.Affinity.NodeAffinity.RequiredDuringSchedulingIgnoredDuringExecution.NodeSelectorTerms == nil { 195 | path = AddNodeSelectorTerms 196 | } else { 197 | // We have a nodeSelectorTerms that != nil (eg: it is a 0 or more length array, or it is malformed) 198 | path = AddToNodeSelectorTerms 199 | } 200 | 201 | return path 202 | } 203 | 204 | func buildTolerationsPath(podSpec corev1.PodSpec) PatchPath { 205 | if podSpec.Tolerations == nil { 206 | return CreateTolerations 207 | } 208 | return AddTolerations 209 | } 210 | 211 | func buildNodeSelectorTermPatch(path PatchPath, nodeSelectorTerm corev1.NodeSelectorTerm) JSONPatch { 212 | patch := JSONPatch{ 213 | Op: "add", 214 | Path: path, 215 | Value: nodeSelectorTerm, 216 | } 217 | 218 | return patch 219 | } 220 | 221 | // Returns a patch that initialises the PodSpec's NodeSelectorTerms array as an empty array, if it does not exist 222 | func buildNodeSelectorTermsInitPatch(podSpec corev1.PodSpec) (JSONPatch, error) { 223 | path := buildNodeSelectorTermsPath(podSpec) 224 | 225 | patch := JSONPatch{ 226 | Op: "add", 227 | Path: path, 228 | } 229 | 230 | patchAffinity := &corev1.Affinity{ 231 | NodeAffinity: &corev1.NodeAffinity{ 232 | RequiredDuringSchedulingIgnoredDuringExecution: &corev1.NodeSelector{ 233 | NodeSelectorTerms: []corev1.NodeSelectorTerm{}, 234 | }, 235 | }, 236 | } 237 | 238 | switch path { 239 | case AddToNodeSelectorTerms: 240 | // Array for NodeSelectorTerms already exists. Do nothing 241 | return JSONPatch{}, nil 242 | case AddNodeSelectorTerms: 243 | // NodeSelectorTerms array missing, add it 244 | fmt.Print("buildNodeSelectorTermsInitPatch case AddNodeSelectorTerms\n") 245 | patch.Value = patchAffinity.NodeAffinity.RequiredDuringSchedulingIgnoredDuringExecution.NodeSelectorTerms 246 | case AddRequiredDuringScheduling: 247 | // Adds RequiredDuringScheduling with NodeSelectorTerms 248 | patch.Value = patchAffinity.NodeAffinity.RequiredDuringSchedulingIgnoredDuringExecution 249 | case CreateNodeAffinity: 250 | // Adds NodeAffinity with RequiredDuringScheduling and NodeSelectorTerms 251 | patch.Value = patchAffinity.NodeAffinity 252 | case CreateAffinity: 253 | // Adds Affinity with NodeAffinity, RequiredDuringScheduling, and NodeSelectorTerms 254 | patch.Value = patchAffinity 255 | default: 256 | return JSONPatch{}, fmt.Errorf("%w: invalid patch path", ErrFailedToCreatePatch) 257 | } 258 | 259 | return patch, nil 260 | } 261 | 262 | func buildPatch(config *NamespaceConfig, podSpec corev1.PodSpec) ([]byte, error) { 263 | var patches []JSONPatch 264 | 265 | if config.NodeSelectorTerms != nil { 266 | initPatch, err := buildNodeSelectorTermsInitPatch(podSpec) 267 | if err != nil { 268 | return nil, err 269 | } 270 | if (initPatch != JSONPatch{}) { 271 | patches = append(patches, initPatch) 272 | } 273 | 274 | for _, NodeSelectorTerm := range config.NodeSelectorTerms { 275 | nodeSelectorTermsPatch := buildNodeSelectorTermPatch(AddToNodeSelectorTerms, NodeSelectorTerm) 276 | 277 | patches = append(patches, nodeSelectorTermsPatch) 278 | } 279 | } 280 | 281 | if config.Tolerations != nil { 282 | tolerationsPatchPath := buildTolerationsPath(podSpec) 283 | for _, toleration := range config.Tolerations { 284 | tolerationsPatch := JSONPatch{ 285 | Op: "add", 286 | Path: tolerationsPatchPath, 287 | Value: toleration, 288 | } 289 | 290 | patches = append(patches, tolerationsPatch) 291 | } 292 | } 293 | 294 | patch, err := jsonMarshal(patches) 295 | if err != nil { 296 | return nil, fmt.Errorf("%w: %s", ErrFailedToCreatePatch, err) 297 | } 298 | 299 | return patch, nil 300 | } 301 | 302 | func ignorePodWithLabels(podLabels map[string]string, config *NamespaceConfig) bool { 303 | if len(config.ExcludedLabels) == 0 { 304 | return false 305 | } 306 | 307 | numMatchedLabels := 0 308 | for k, v := range config.ExcludedLabels { 309 | if podVal, ok := podLabels[k]; ok && podVal == v { 310 | numMatchedLabels++ 311 | } 312 | } 313 | 314 | return numMatchedLabels == len(config.ExcludedLabels) 315 | } 316 | -------------------------------------------------------------------------------- /injector/injector_test.go: -------------------------------------------------------------------------------- 1 | package injector 2 | 3 | import ( 4 | "encoding/json" 5 | "errors" 6 | "fmt" 7 | "testing" 8 | 9 | "github.com/stretchr/testify/assert" 10 | v1beta1 "k8s.io/api/admission/v1beta1" 11 | corev1 "k8s.io/api/core/v1" 12 | metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" 13 | "k8s.io/apimachinery/pkg/runtime" 14 | "k8s.io/client-go/kubernetes/fake" 15 | ) 16 | 17 | func nodeSelectorTerms() []corev1.NodeSelectorTerm { 18 | return []corev1.NodeSelectorTerm{ 19 | { 20 | MatchExpressions: []corev1.NodeSelectorRequirement{ 21 | { 22 | Key: "key", 23 | Operator: corev1.NodeSelectorOpIn, 24 | Values: []string{"val"}, 25 | }, 26 | }, 27 | }, 28 | } 29 | } 30 | 31 | func tolerations() []corev1.Toleration { 32 | return []corev1.Toleration{ 33 | { 34 | Key: "example-key", 35 | Operator: corev1.TolerationOpExists, 36 | Value: "example-value", 37 | Effect: corev1.TaintEffectNoSchedule, 38 | }, 39 | { 40 | Key: "example-key-b", 41 | Operator: corev1.TolerationOpExists, 42 | Value: "example-value-b", 43 | Effect: corev1.TaintEffectPreferNoSchedule, 44 | }, 45 | } 46 | } 47 | 48 | // PodSpecs with various levels of completion for Node Affinity 49 | var ( 50 | podSpecWithNoAffinity = corev1.PodSpec{} 51 | podSpecWithNoNodeAffinity = corev1.PodSpec{ 52 | Affinity: &corev1.Affinity{PodAffinity: &corev1.PodAffinity{}}, 53 | } 54 | podSpecWithNoRequiredDuringSchedulingIgnoreDuringExecution = corev1.PodSpec{ 55 | Affinity: &corev1.Affinity{ 56 | NodeAffinity: &corev1.NodeAffinity{}, 57 | }, 58 | } 59 | podSpecWithNoNodeSelectorTerms = corev1.PodSpec{ 60 | Affinity: &corev1.Affinity{ 61 | NodeAffinity: &corev1.NodeAffinity{ 62 | RequiredDuringSchedulingIgnoredDuringExecution: &corev1.NodeSelector{}, 63 | }, 64 | }, 65 | } 66 | podSpecWithEmptyNodeSelectorTerms = corev1.PodSpec{ 67 | Affinity: &corev1.Affinity{ 68 | NodeAffinity: &corev1.NodeAffinity{ 69 | RequiredDuringSchedulingIgnoredDuringExecution: &corev1.NodeSelector{ 70 | NodeSelectorTerms: []corev1.NodeSelectorTerm{ 71 | { 72 | MatchExpressions: []corev1.NodeSelectorRequirement{}, 73 | }, 74 | }, 75 | }, 76 | }, 77 | }, 78 | } 79 | podSpecWithExistingNodeSelectorTerms = corev1.PodSpec{ 80 | Affinity: &corev1.Affinity{ 81 | NodeAffinity: &corev1.NodeAffinity{ 82 | RequiredDuringSchedulingIgnoredDuringExecution: &corev1.NodeSelector{ 83 | NodeSelectorTerms: []corev1.NodeSelectorTerm{ 84 | { 85 | MatchExpressions: []corev1.NodeSelectorRequirement{ 86 | { 87 | Key: "key", 88 | Operator: corev1.NodeSelectorOpIn, 89 | Values: []string{"val"}, 90 | }, 91 | }, 92 | }, 93 | }, 94 | }, 95 | }, 96 | }, 97 | } 98 | ) 99 | 100 | func TestBuildNodeSelectorTermPath(t *testing.T) { 101 | t.Parallel() 102 | 103 | testCases := []struct { 104 | name string 105 | podSpec corev1.PodSpec 106 | expectedPath PatchPath 107 | }{ 108 | { 109 | name: "WithNoAffinity", 110 | podSpec: podSpecWithNoAffinity, 111 | expectedPath: CreateAffinity, 112 | }, 113 | { 114 | name: "WithNoNodeAffinity", 115 | podSpec: podSpecWithNoNodeAffinity, 116 | expectedPath: CreateNodeAffinity, 117 | }, 118 | { 119 | name: "WithNoRequiredDuringSchedulingIgnoredDuringExecution", 120 | podSpec: podSpecWithNoRequiredDuringSchedulingIgnoreDuringExecution, 121 | expectedPath: AddRequiredDuringScheduling, 122 | }, 123 | { 124 | name: "WithNoNodeSelectorTerms", 125 | podSpec: podSpecWithNoNodeSelectorTerms, 126 | expectedPath: AddNodeSelectorTerms, 127 | }, 128 | { 129 | name: "WithEmptyNodeSelectorTerms", 130 | podSpec: podSpecWithEmptyNodeSelectorTerms, 131 | expectedPath: AddToNodeSelectorTerms, 132 | }, 133 | { 134 | name: "WithExistingAffinity", 135 | podSpec: podSpecWithExistingNodeSelectorTerms, 136 | expectedPath: AddToNodeSelectorTerms, 137 | }, 138 | } 139 | 140 | for _, tc := range testCases { 141 | tc := tc 142 | t.Run(tc.name, func(t *testing.T) { 143 | t.Parallel() 144 | 145 | path := buildNodeSelectorTermsPath(tc.podSpec) 146 | assert.Equal(t, tc.expectedPath, path) 147 | }) 148 | } 149 | } 150 | 151 | func TestBuildTolerationsPath(t *testing.T) { 152 | t.Parallel() 153 | 154 | testCases := []struct { 155 | name string 156 | podSpec corev1.PodSpec 157 | expectedPath PatchPath 158 | }{ 159 | { 160 | name: "WithTolerations", 161 | podSpec: corev1.PodSpec{ 162 | Tolerations: tolerations(), 163 | }, 164 | expectedPath: AddTolerations, 165 | }, 166 | { 167 | name: "WithoutTolerations", 168 | podSpec: corev1.PodSpec{}, 169 | expectedPath: CreateTolerations, 170 | }, 171 | } 172 | 173 | for _, tc := range testCases { 174 | tc := tc 175 | t.Run(tc.name, func(t *testing.T) { 176 | t.Parallel() 177 | 178 | path := buildTolerationsPath(tc.podSpec) 179 | assert.Equal(t, tc.expectedPath, path) 180 | }) 181 | } 182 | } 183 | 184 | func TestBuildNodeSelectorTermPatch(t *testing.T) { 185 | t.Parallel() 186 | 187 | path := PatchPath("") 188 | nodeSelectorTerm := corev1.NodeSelectorTerm{ 189 | MatchExpressions: []corev1.NodeSelectorRequirement{ 190 | corev1.NodeSelectorRequirement{ 191 | Key: "test key", 192 | Operator: corev1.NodeSelectorOpIn, 193 | Values: []string{"val"}, 194 | }, 195 | }, 196 | } 197 | expectedPatch := JSONPatch{ 198 | Op: "add", 199 | Path: path, 200 | Value: nodeSelectorTerm, 201 | } 202 | 203 | patch := buildNodeSelectorTermPatch(path, nodeSelectorTerm) 204 | assert.Equal(t, patch, expectedPatch) 205 | } 206 | 207 | func TestBuildNodeSelectorTermsInitPatch(t *testing.T) { 208 | t.Parallel() 209 | 210 | testCases := []struct { 211 | name string 212 | podSpec corev1.PodSpec 213 | expectedPatch JSONPatch 214 | }{ 215 | { 216 | name: "WithNoAffinity", 217 | podSpec: podSpecWithNoAffinity, 218 | expectedPatch: JSONPatch{ 219 | Op: "add", 220 | Path: CreateAffinity, 221 | Value: &corev1.Affinity{ 222 | NodeAffinity: &corev1.NodeAffinity{ 223 | RequiredDuringSchedulingIgnoredDuringExecution: &corev1.NodeSelector{ 224 | NodeSelectorTerms: []corev1.NodeSelectorTerm{}, 225 | }, 226 | }, 227 | }, 228 | }, 229 | }, 230 | { 231 | name: "WithNoNodeAffinity", 232 | podSpec: podSpecWithNoNodeAffinity, 233 | expectedPatch: JSONPatch{ 234 | Op: "add", 235 | Path: CreateNodeAffinity, 236 | Value: &corev1.NodeAffinity{ 237 | RequiredDuringSchedulingIgnoredDuringExecution: &corev1.NodeSelector{ 238 | NodeSelectorTerms: []corev1.NodeSelectorTerm{}, 239 | }, 240 | }, 241 | }, 242 | }, 243 | { 244 | name: "WithNoRequiredDuringSchedulingIgnoredDuringExecution", 245 | podSpec: podSpecWithNoRequiredDuringSchedulingIgnoreDuringExecution, 246 | expectedPatch: JSONPatch{ 247 | Op: "add", 248 | Path: AddRequiredDuringScheduling, 249 | Value: &corev1.NodeSelector{ 250 | NodeSelectorTerms: []corev1.NodeSelectorTerm{}, 251 | }, 252 | }, 253 | }, 254 | { 255 | name: "WithNoNodeSelectorTerms", 256 | podSpec: podSpecWithNoNodeSelectorTerms, 257 | expectedPatch: JSONPatch{ 258 | Op: "add", 259 | Path: AddNodeSelectorTerms, 260 | Value: []corev1.NodeSelectorTerm{}, 261 | }, 262 | }, 263 | { 264 | name: "WithEmptyNodeSelectorTerms", 265 | podSpec: podSpecWithEmptyNodeSelectorTerms, 266 | expectedPatch: JSONPatch{}, 267 | }, 268 | { 269 | name: "WithExistingNodeSelectorTerms", 270 | podSpec: podSpecWithExistingNodeSelectorTerms, 271 | expectedPatch: JSONPatch{}, 272 | }, 273 | } 274 | 275 | for _, tc := range testCases { 276 | tc := tc 277 | t.Run(tc.name, func(t *testing.T) { 278 | t.Parallel() 279 | 280 | patch, err := buildNodeSelectorTermsInitPatch(tc.podSpec) 281 | 282 | assert.Nil(t, err) 283 | assert.Equal(t, tc.expectedPatch, patch) 284 | 285 | }) 286 | } 287 | } 288 | 289 | func TestMutateWithInvalidBody(t *testing.T) { 290 | t.Parallel() 291 | 292 | clientset := fake.NewSimpleClientset() 293 | m := Injector{clientset, "default", "cm"} 294 | 295 | body, err := m.Mutate([]byte("invalid")) 296 | 297 | assert.Nil(t, body) 298 | assert.True(t, errors.Is(err, ErrInvalidAdmissionReview)) 299 | } 300 | 301 | func TestMutateWithNoRequest(t *testing.T) { 302 | t.Parallel() 303 | 304 | clientset := fake.NewSimpleClientset() 305 | m := Injector{clientset, "default", "cm"} 306 | 307 | admissionReview := []byte("{}") 308 | 309 | body, err := m.Mutate(admissionReview) 310 | 311 | assert.Nil(t, body) 312 | assert.NoError(t, err) 313 | } 314 | 315 | func TestMutateWithMissingConfigMap(t *testing.T) { 316 | t.Parallel() 317 | 318 | clientset := fake.NewSimpleClientset() 319 | m := Injector{clientset, "default", "test-cm"} 320 | 321 | admissionReview := v1beta1.AdmissionReview{ 322 | Request: &v1beta1.AdmissionRequest{ 323 | Object: runtime.RawExtension{ 324 | Object: &corev1.Pod{}, 325 | }, 326 | }, 327 | } 328 | j, err := json.Marshal(admissionReview) 329 | assert.NoError(t, err) 330 | 331 | body, err := m.Mutate(j) 332 | assert.Nil(t, body) 333 | assert.Error(t, err) 334 | assert.True(t, errors.Is(err, ErrMissingConfiguration)) 335 | } 336 | 337 | func TestMutateWithMissingConfigurationForTheNamespace(t *testing.T) { 338 | t.Parallel() 339 | 340 | deploymentNamespace := "ns-node-affinity" 341 | podNamespace := "test-ns" 342 | cm := &corev1.ConfigMap{ 343 | ObjectMeta: metav1.ObjectMeta{ 344 | Name: "test-cm", 345 | Namespace: deploymentNamespace, 346 | }, 347 | Data: map[string]string{"someconfig": "somevalue"}, 348 | } 349 | clientset := fake.NewSimpleClientset(cm) 350 | m := Injector{clientset, deploymentNamespace, "test-cm"} 351 | 352 | admissionReview := v1beta1.AdmissionReview{ 353 | Request: &v1beta1.AdmissionRequest{ 354 | Namespace: podNamespace, 355 | Object: runtime.RawExtension{ 356 | Object: &corev1.Pod{ 357 | ObjectMeta: metav1.ObjectMeta{ 358 | Name: "test-pod", 359 | Namespace: podNamespace, 360 | }, 361 | }, 362 | }, 363 | }, 364 | } 365 | j, err := json.Marshal(admissionReview) 366 | assert.NoError(t, err) 367 | 368 | body, err := m.Mutate(j) 369 | assert.Nil(t, body) 370 | assert.Error(t, err) 371 | assert.True(t, errors.Is(err, ErrMissingConfiguration)) 372 | } 373 | 374 | func TestMutateWithInvalidConfigForNamespace(t *testing.T) { 375 | t.Parallel() 376 | 377 | testCases := []struct { 378 | name string 379 | }{ 380 | { 381 | name: "nodeSelectorTerms", 382 | }, 383 | { 384 | name: "tolerations", 385 | }, 386 | { 387 | name: "noneoftheexpected", 388 | }, 389 | } 390 | 391 | for _, tc := range testCases { 392 | tc := tc 393 | 394 | t.Run(tc.name, func(t *testing.T) { 395 | t.Parallel() 396 | 397 | deploymentNamespace := "ns-node-affinity" 398 | podNamespace := "test-ns" 399 | 400 | namespaceConfig := fmt.Sprintf("%s: \"invalid\"", tc.name) 401 | 402 | cm := &corev1.ConfigMap{ 403 | ObjectMeta: metav1.ObjectMeta{ 404 | Name: "test-cm", 405 | Namespace: deploymentNamespace, 406 | }, 407 | Data: map[string]string{podNamespace: namespaceConfig}, 408 | } 409 | clientset := fake.NewSimpleClientset(cm) 410 | m := Injector{clientset, deploymentNamespace, "test-cm"} 411 | 412 | admissionReview := v1beta1.AdmissionReview{ 413 | Request: &v1beta1.AdmissionRequest{ 414 | Namespace: podNamespace, 415 | Object: runtime.RawExtension{ 416 | Object: &corev1.Pod{}, 417 | }, 418 | }, 419 | } 420 | j, err := json.Marshal(admissionReview) 421 | assert.NoError(t, err) 422 | 423 | body, err := m.Mutate(j) 424 | assert.Nil(t, body) 425 | assert.Error(t, err) 426 | assert.True(t, errors.Is(err, ErrInvalidConfiguration)) 427 | }) 428 | } 429 | } 430 | 431 | func TestMutateWithBuildPatchError(t *testing.T) { 432 | deploymentNamespace := "ns-node-affinity" 433 | podNamespace := "default" 434 | nodeSelectorTermsJSON, _ := json.Marshal(nodeSelectorTerms()) 435 | namespaceConfig := fmt.Sprintf("%s: %s", nodeSelectorKey, nodeSelectorTermsJSON) 436 | 437 | cm := &corev1.ConfigMap{ 438 | ObjectMeta: metav1.ObjectMeta{ 439 | Name: "test-cm", 440 | Namespace: deploymentNamespace, 441 | }, 442 | Data: map[string]string{podNamespace: namespaceConfig}, 443 | } 444 | clientset := fake.NewSimpleClientset(cm) 445 | m := Injector{clientset, deploymentNamespace, "test-cm"} 446 | 447 | admissionReview := v1beta1.AdmissionReview{ 448 | Request: &v1beta1.AdmissionRequest{ 449 | Object: runtime.RawExtension{ 450 | Object: &corev1.Pod{}, 451 | }, 452 | }, 453 | } 454 | j, err := json.Marshal(admissionReview) 455 | assert.NoError(t, err) 456 | 457 | origMarshal := jsonMarshal 458 | jsonMarshal = func(v interface{}) ([]byte, error) { 459 | return nil, errors.New("some error") 460 | } 461 | defer func() { jsonMarshal = origMarshal }() 462 | 463 | body, err := m.Mutate(j) 464 | assert.Nil(t, body) 465 | assert.Error(t, err) 466 | assert.True(t, errors.Is(err, ErrFailedToCreatePatch)) 467 | } 468 | 469 | func TestMutate(t *testing.T) { 470 | t.Parallel() 471 | 472 | deploymentNamespace := "ns-node-affinity" 473 | podNamespace := "testing-ns" 474 | 475 | nsConfig := NamespaceConfig{ 476 | NodeSelectorTerms: nodeSelectorTerms(), 477 | Tolerations: tolerations(), 478 | } 479 | nsConfigJSON, _ := json.Marshal(nsConfig) 480 | 481 | cm := &corev1.ConfigMap{ 482 | ObjectMeta: metav1.ObjectMeta{ 483 | Name: "test-cm", 484 | Namespace: deploymentNamespace, 485 | }, 486 | Data: map[string]string{podNamespace: string(nsConfigJSON)}, 487 | } 488 | clientset := fake.NewSimpleClientset(cm) 489 | m := Injector{clientset, deploymentNamespace, "test-cm"} 490 | 491 | samplePod := corev1.Pod{} 492 | 493 | admissionReview := v1beta1.AdmissionReview{ 494 | Request: &v1beta1.AdmissionRequest{ 495 | Namespace: podNamespace, 496 | Object: runtime.RawExtension{ 497 | Object: &samplePod, 498 | }, 499 | }, 500 | } 501 | j, err := json.Marshal(admissionReview) 502 | assert.NoError(t, err) 503 | 504 | body, err := m.Mutate(j) 505 | assert.NoError(t, err) 506 | 507 | expectedPatch, err := buildPatch(&nsConfig, samplePod.Spec) 508 | assert.NoError(t, err) 509 | 510 | jsonPatch := v1beta1.PatchTypeJSONPatch 511 | expectedResp := v1beta1.AdmissionResponse{ 512 | PatchType: &jsonPatch, 513 | Allowed: true, 514 | Patch: expectedPatch, 515 | AuditAnnotations: map[string]string{annotationKey: string(expectedPatch)}, 516 | Result: &metav1.Status{Status: successStatus}, 517 | } 518 | 519 | expectedAdmissionReview := admissionReview 520 | expectedAdmissionReview.Response = &expectedResp 521 | 522 | expectedBody, err := json.Marshal(expectedAdmissionReview) 523 | assert.NoError(t, err) 524 | assert.Equal(t, expectedBody, body) 525 | } 526 | 527 | func TestMutateIgnoresPodsWithExcludedLabels(t *testing.T) { 528 | t.Parallel() 529 | 530 | deploymentNamespace := "ns-node-affinity" 531 | podNamespace := "testing-ns" 532 | 533 | nsConfig := NamespaceConfig{ 534 | NodeSelectorTerms: nodeSelectorTerms(), 535 | Tolerations: tolerations(), 536 | ExcludedLabels: map[string]string{"ignore-me": "ignored"}, 537 | } 538 | nsConfigJSON, _ := json.Marshal(nsConfig) 539 | 540 | cm := &corev1.ConfigMap{ 541 | ObjectMeta: metav1.ObjectMeta{ 542 | Name: "test-cm", 543 | Namespace: deploymentNamespace, 544 | }, 545 | Data: map[string]string{podNamespace: string(nsConfigJSON)}, 546 | } 547 | clientset := fake.NewSimpleClientset(cm) 548 | m := Injector{clientset, deploymentNamespace, "test-cm"} 549 | 550 | admissionReview := v1beta1.AdmissionReview{ 551 | Request: &v1beta1.AdmissionRequest{ 552 | Namespace: podNamespace, 553 | Object: runtime.RawExtension{ 554 | Object: &corev1.Pod{ 555 | ObjectMeta: metav1.ObjectMeta{ 556 | Labels: map[string]string{ 557 | "ignore-me": "ignored", 558 | "another-label": "label", 559 | }, 560 | }, 561 | }, 562 | }, 563 | }, 564 | } 565 | j, err := json.Marshal(admissionReview) 566 | assert.NoError(t, err) 567 | 568 | body, err := m.Mutate(j) 569 | assert.NoError(t, err) 570 | 571 | assert.NoError(t, err) 572 | assert.Equal(t, j, body) 573 | } 574 | -------------------------------------------------------------------------------- /scripts/Makefile: -------------------------------------------------------------------------------- 1 | SHELL=/bin/bash 2 | 3 | MINIKUBE_RUNNING := $(shell echo `minikube status | grep 'apiserver:' | awk '{print $$2}'`) 4 | 5 | .PHONY: check-minikube deploy-to-minikube test clean 6 | 7 | check-minikube: 8 | @[ $(MINIKUBE_RUNNING) != 'Running' ] && (echo 'minikube is not running' && exit 1) || echo 'minikube is running' 9 | 10 | build-init-container-image: check-minikube 11 | (cd .. && minikube image build -t namespace-node-affinity-init-container -f build/DockerfileInitContainer .) 12 | 13 | build-webhook-image: check-minikube 14 | (cd .. && minikube image build -t namespace-node-affinity -f build/Dockerfile .) 15 | 16 | clean: 17 | (cd .. && kubectl delete -k deployments/overlays/local) 18 | (minikube image rm namespace-node-affinity-init-container) 19 | (minikube image rm namespace-node-affinity) 20 | 21 | test: 22 | (cd .. && go test ./...) 23 | 24 | deploy-to-minikube: build-init-container-image build-webhook-image 25 | (cd .. && kubectl apply -k deployments/overlays/local) 26 | -------------------------------------------------------------------------------- /scripts/gofmt-check.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | unformatted=$(gofmt -l .) 4 | [ -z "$unformatted" ] && exit 0 5 | 6 | echo "$unformatted" 7 | 8 | exit 1 9 | -------------------------------------------------------------------------------- /webhookconfig/webhookconfig.go: -------------------------------------------------------------------------------- 1 | // Package webhookconfig deals with creating or updating 2 | // MutatingWebhookConfiguration for the namespace-node-affinity webhook 3 | package webhookconfig 4 | 5 | import ( 6 | "bytes" 7 | "context" 8 | "fmt" 9 | 10 | admissionregistrationv1 "k8s.io/api/admissionregistration/v1" 11 | k8serrors "k8s.io/apimachinery/pkg/api/errors" 12 | metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" 13 | k8sclient "k8s.io/client-go/kubernetes" 14 | ) 15 | 16 | func failurePolicy() *admissionregistrationv1.FailurePolicyType { 17 | policy := admissionregistrationv1.Ignore 18 | return &policy 19 | } 20 | 21 | func sideEffect() *admissionregistrationv1.SideEffectClass { 22 | sideEffectClass := admissionregistrationv1.SideEffectClassNone 23 | return &sideEffectClass 24 | } 25 | 26 | func path() *string { 27 | p := "/mutate" 28 | return &p 29 | } 30 | 31 | // CreateOrUpdateMutatingWebhookConfig creates "namespace-node-affinity" 32 | // mutating webhook configuration with "Ignore" failure policy for pods 33 | // or returns an error 34 | // NOTE: If the MutatingWebhookConfiguration already exists, the only 35 | // thing that will be updated is the CABundle 36 | func CreateOrUpdateMutatingWebhookConfig(k8sClient k8sclient.Interface, caBundle *bytes.Buffer, namespace, name, serviceName string) error { 37 | webhookName := fmt.Sprintf("%s.%s.svc", serviceName, namespace) 38 | 39 | mutateconfig := &admissionregistrationv1.MutatingWebhookConfiguration{ 40 | ObjectMeta: metav1.ObjectMeta{ 41 | Name: name, 42 | }, 43 | Webhooks: []admissionregistrationv1.MutatingWebhook{ 44 | { 45 | Name: webhookName, 46 | SideEffects: sideEffect(), 47 | AdmissionReviewVersions: []string{"v1"}, 48 | ClientConfig: admissionregistrationv1.WebhookClientConfig{ 49 | CABundle: caBundle.Bytes(), 50 | Service: &admissionregistrationv1.ServiceReference{ 51 | Name: serviceName, 52 | Namespace: namespace, 53 | Path: path(), 54 | }, 55 | }, 56 | Rules: []admissionregistrationv1.RuleWithOperations{ 57 | { 58 | Operations: []admissionregistrationv1.OperationType{admissionregistrationv1.Create}, 59 | Rule: admissionregistrationv1.Rule{ 60 | APIGroups: []string{""}, 61 | APIVersions: []string{"v1"}, 62 | Resources: []string{"pods"}, 63 | }, 64 | }, 65 | }, 66 | FailurePolicy: failurePolicy(), 67 | NamespaceSelector: &metav1.LabelSelector{ 68 | MatchLabels: map[string]string{ 69 | "namespace-node-affinity": "enabled", 70 | }, 71 | }, 72 | }, 73 | }, 74 | } 75 | 76 | if _, err := k8sClient.AdmissionregistrationV1().MutatingWebhookConfigurations().Create(context.Background(), mutateconfig, metav1.CreateOptions{}); err != nil { 77 | if k8serrors.IsAlreadyExists(err) { 78 | existingConf, err := k8sClient.AdmissionregistrationV1().MutatingWebhookConfigurations().Get(context.Background(), name, metav1.GetOptions{}) 79 | if err != nil { 80 | return err 81 | } 82 | 83 | // The metadata.resourceVersion needs to be specified for an update 84 | mutateconfig.ResourceVersion = existingConf.ResourceVersion 85 | _, err = k8sClient.AdmissionregistrationV1().MutatingWebhookConfigurations().Update(context.Background(), mutateconfig, metav1.UpdateOptions{}) 86 | return err 87 | } 88 | return err 89 | } 90 | 91 | return nil 92 | } 93 | -------------------------------------------------------------------------------- /webhookconfig/webhookconfig_test.go: -------------------------------------------------------------------------------- 1 | package webhookconfig 2 | 3 | import ( 4 | "bytes" 5 | "context" 6 | "errors" 7 | "fmt" 8 | "testing" 9 | 10 | "github.com/stretchr/testify/assert" 11 | admissionregistrationv1 "k8s.io/api/admissionregistration/v1" 12 | metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" 13 | "k8s.io/apimachinery/pkg/runtime" 14 | fake "k8s.io/client-go/kubernetes/fake" 15 | fakeadmissionregistrationv1 "k8s.io/client-go/kubernetes/typed/admissionregistration/v1/fake" 16 | k8stesting "k8s.io/client-go/testing" 17 | ) 18 | 19 | const ( 20 | webhookConfigName = "wh" 21 | namespace = "ns" 22 | serviceName = "whsvc" 23 | ) 24 | 25 | func caBundle(contents string) *bytes.Buffer { 26 | caBundle := &bytes.Buffer{} 27 | caBundle.Write([]byte(contents)) 28 | return caBundle 29 | } 30 | 31 | func TestCreateMutatingWebhookConfig(t *testing.T) { 32 | t.Parallel() 33 | 34 | clientset := fake.NewSimpleClientset() 35 | 36 | bundle := caBundle("asdasd") 37 | err := CreateOrUpdateMutatingWebhookConfig(clientset, bundle, namespace, webhookConfigName, serviceName) 38 | assert.NoError(t, err) 39 | 40 | expectedConfig := &admissionregistrationv1.MutatingWebhookConfiguration{ 41 | ObjectMeta: metav1.ObjectMeta{ 42 | Name: webhookConfigName, 43 | }, 44 | Webhooks: []admissionregistrationv1.MutatingWebhook{ 45 | { 46 | Name: fmt.Sprintf("%s.%s.svc", serviceName, namespace), 47 | SideEffects: sideEffect(), 48 | AdmissionReviewVersions: []string{"v1"}, 49 | ClientConfig: admissionregistrationv1.WebhookClientConfig{ 50 | CABundle: bundle.Bytes(), 51 | Service: &admissionregistrationv1.ServiceReference{ 52 | Name: serviceName, 53 | Namespace: namespace, 54 | Path: path(), 55 | }, 56 | }, 57 | Rules: []admissionregistrationv1.RuleWithOperations{ 58 | { 59 | Operations: []admissionregistrationv1.OperationType{admissionregistrationv1.Create}, 60 | Rule: admissionregistrationv1.Rule{ 61 | APIGroups: []string{""}, 62 | APIVersions: []string{"v1"}, 63 | Resources: []string{"pods"}, 64 | }, 65 | }, 66 | }, 67 | FailurePolicy: failurePolicy(), 68 | NamespaceSelector: &metav1.LabelSelector{ 69 | MatchLabels: map[string]string{ 70 | "namespace-node-affinity": "enabled", 71 | }, 72 | }, 73 | }, 74 | }, 75 | } 76 | 77 | actualConfig, err := clientset.AdmissionregistrationV1().MutatingWebhookConfigurations().Get(context.Background(), webhookConfigName, metav1.GetOptions{}) 78 | 79 | assert.NoError(t, err) 80 | assert.Equal(t, expectedConfig, actualConfig) 81 | } 82 | 83 | func TestUpdateMutatingWebhookConfig(t *testing.T) { 84 | t.Parallel() 85 | 86 | initialBundle := caBundle("initialcabundle") 87 | existingConfig := &admissionregistrationv1.MutatingWebhookConfiguration{ 88 | ObjectMeta: metav1.ObjectMeta{ 89 | Name: webhookConfigName, 90 | ResourceVersion: "testv", 91 | }, 92 | Webhooks: []admissionregistrationv1.MutatingWebhook{ 93 | { 94 | Name: fmt.Sprintf("%s.%s.svc", serviceName, namespace), 95 | SideEffects: sideEffect(), 96 | AdmissionReviewVersions: []string{"v1"}, 97 | ClientConfig: admissionregistrationv1.WebhookClientConfig{ 98 | CABundle: initialBundle.Bytes(), 99 | Service: &admissionregistrationv1.ServiceReference{ 100 | Name: serviceName, 101 | Namespace: namespace, 102 | Path: path(), 103 | }, 104 | }, 105 | Rules: []admissionregistrationv1.RuleWithOperations{ 106 | { 107 | Operations: []admissionregistrationv1.OperationType{admissionregistrationv1.Create}, 108 | Rule: admissionregistrationv1.Rule{ 109 | APIGroups: []string{""}, 110 | APIVersions: []string{"v1"}, 111 | Resources: []string{"pods"}, 112 | }, 113 | }, 114 | }, 115 | FailurePolicy: failurePolicy(), 116 | NamespaceSelector: &metav1.LabelSelector{ 117 | MatchLabels: map[string]string{ 118 | "namespace-node-affinity": "enabled", 119 | }, 120 | }, 121 | }, 122 | }, 123 | } 124 | 125 | clientset := fake.NewSimpleClientset(existingConfig) 126 | 127 | newBundle := caBundle("newcabundle") 128 | err := CreateOrUpdateMutatingWebhookConfig(clientset, newBundle, namespace, webhookConfigName, serviceName) 129 | assert.NoError(t, err) 130 | 131 | newConfig, err := clientset.AdmissionregistrationV1().MutatingWebhookConfigurations().Get(context.Background(), webhookConfigName, metav1.GetOptions{}) 132 | 133 | assert.NoError(t, err) 134 | assert.Equal(t, newBundle.Bytes(), newConfig.Webhooks[0].ClientConfig.CABundle) 135 | 136 | // Make sure we've set the ResourceVersion. The fake client is 137 | // returning whatever is passed to the Update, so the 138 | // ResourceVersion should be exactly the same as the existing one 139 | assert.Equal(t, existingConfig.ResourceVersion, newConfig.ResourceVersion) 140 | } 141 | 142 | func TestCreateMutatingWebhookConfigWithError(t *testing.T) { 143 | expectedErr := errors.New("create err") 144 | 145 | clientset := fake.NewSimpleClientset() 146 | clientset.AdmissionregistrationV1().(*fakeadmissionregistrationv1.FakeAdmissionregistrationV1).PrependReactor("create", "*", func(action k8stesting.Action) (handled bool, ret runtime.Object, err error) { 147 | return true, nil, expectedErr 148 | }) 149 | 150 | bundle := caBundle("asdasd") 151 | err := CreateOrUpdateMutatingWebhookConfig(clientset, bundle, namespace, webhookConfigName, serviceName) 152 | assert.Equal(t, expectedErr, err) 153 | } 154 | 155 | func TestFailingToGetExistingWebhook(t *testing.T) { 156 | expectedErr := errors.New("get err") 157 | 158 | existingConfig := &admissionregistrationv1.MutatingWebhookConfiguration{ 159 | ObjectMeta: metav1.ObjectMeta{ 160 | Name: webhookConfigName, 161 | }, 162 | } 163 | clientset := fake.NewSimpleClientset(existingConfig) 164 | clientset.AdmissionregistrationV1().(*fakeadmissionregistrationv1.FakeAdmissionregistrationV1).PrependReactor("get", "*", func(action k8stesting.Action) (handled bool, ret runtime.Object, err error) { 165 | return true, nil, expectedErr 166 | }) 167 | 168 | bundle := caBundle("asdasd") 169 | err := CreateOrUpdateMutatingWebhookConfig(clientset, bundle, namespace, webhookConfigName, serviceName) 170 | assert.Equal(t, expectedErr, err) 171 | } 172 | --------------------------------------------------------------------------------