[feat] namespace deletion protection

Signed-off-by: Vacant2333 <vacant2333@gmail.com>

artifacts/deploy/webhook-configuration.yaml

@@ -237,3 +237,20 @@ webhooks:
     sideEffects: None
     admissionReviewVersions: [ "v1" ]
     timeoutSeconds: 3
+  - name: resourcedeletionprotection.karmada.io
+    rules:
+      - operations: ["DELETE"]
+        apiGroups: ["*"]
+        apiVersions: ["*"]
+        resources: ["*"]
+        scope: "*"
+    clientConfig:
+      url: https://karmada-webhook.karmada-system.svc:443/validate-resourcedeletionprotection
+      caBundle: {{caBundle}}
+    objectSelector:
+      matchExpressions:
+        - { key: "karmada.io/deletion-protected", operator: "Exists" }
+    failurePolicy: Fail
+    sideEffects: None
+    admissionReviewVersions: [ "v1" ]
+    timeoutSeconds: 3

charts/karmada/templates/_karmada_webhook_configuration.tpl

@@ -213,4 +213,21 @@ webhooks:
     sideEffects: None
     admissionReviewVersions: [ "v1" ]
     timeoutSeconds: 3
+  - name: resourcedeletionprotection.karmada.io
+    rules:
+      - operations: ["DELETE"]
+        apiGroups: ["*"]
+        apiVersions: ["*"]
+        resources: ["*"]
+        scope: "*"
+    clientConfig:
+      url: https://{{ $name }}-webhook.{{ $namespace }}.svc:443/validate-resourcedeletionprotection
+      {{- include "karmada.webhook.caBundle" . | nindent 6 }}
+    objectSelector:
+      matchExpressions:
+        - { key: "karmada.io/deletion-protected", operator: "Exists" }
+    failurePolicy: Fail
+    sideEffects: None
+    admissionReviewVersions: [ "v1" ]
+    timeoutSeconds: 3
 {{- end -}}

cmd/webhook/app/webhook.go

@@ -33,6 +33,7 @@ import (
 	"github.com/karmada-io/karmada/pkg/webhook/multiclusterservice"
 	"github.com/karmada-io/karmada/pkg/webhook/overridepolicy"
 	"github.com/karmada-io/karmada/pkg/webhook/propagationpolicy"
+	"github.com/karmada-io/karmada/pkg/webhook/resourcedeletionprotection"
 	"github.com/karmada-io/karmada/pkg/webhook/resourceinterpretercustomization"
 	"github.com/karmada-io/karmada/pkg/webhook/work"
 )
@@ -139,6 +140,7 @@ func Run(ctx context.Context, opts *options.Options) error {
 	hookServer.Register("/validate-multiclusteringress", &webhook.Admission{Handler: &multiclusteringress.ValidatingAdmission{Decoder: decoder}})
 	hookServer.Register("/validate-multiclusterservice", &webhook.Admission{Handler: &multiclusterservice.ValidatingAdmission{Decoder: decoder}})
 	hookServer.Register("/mutate-federatedhpa", &webhook.Admission{Handler: &federatedhpa.MutatingAdmission{Decoder: decoder}})
+	hookServer.Register("/validate-resourcedeletionprotection", &webhook.Admission{Handler: &resourcedeletionprotection.ValidatingAdmission{Decoder: decoder}})
 	hookServer.WebhookMux().Handle("/readyz/", http.StripPrefix("/readyz/", &healthz.Handler{}))
 
 	// blocks until the context is done.

operator/pkg/karmadaresource/webhookconfiguration/manifests.go

@@ -245,5 +245,22 @@ webhooks:
     sideEffects: None
     admissionReviewVersions: [ "v1" ]
     timeoutSeconds: 3
+  - name: resourcedeletionprotection.karmada.io
+    rules:
+      - operations: ["DELETE"]
+        apiGroups: ["*"]
+        apiVersions: ["*"]
+        resources: ["*"]
+        scope: "*"
+    clientConfig:
+      url: https://{{ .Service }}.{{ .Namespace }}.svc:443/validate-resourcedeletionprotection
+      caBundle: {{ .CaBundle }}
+    objectSelector:
+      matchExpressions:
+        - { key: "karmada.io/deletion-protected", operator: "Exists" }
+    failurePolicy: Fail
+    sideEffects: None
+    admissionReviewVersions: [ "v1" ]
+    timeoutSeconds: 3
 `
 )

pkg/karmadactl/cmdinit/karmada/webhook_configuration.go

@@ -256,6 +256,23 @@ webhooks:
     sideEffects: None
     admissionReviewVersions: [ "v1" ]
     timeoutSeconds: 3
+  - name: resourcedeletionprotection.karmada.io
+    rules:
+      - operations: ["DELETE"]
+        apiGroups: ["*"]
+        apiVersions: ["*"]
+        resources: ["*"]
+        scope: "*"
+    clientConfig:
+      url: https://karmada-webhook.%[1]s.svc:443/validate-resourcedeletionprotection
+      caBundle: %[2]s
+    objectSelector:
+      matchExpressions:
+        - { key: "karmada.io/deletion-protected", operator: "Exists" }
+    failurePolicy: Fail
+    sideEffects: None
+    admissionReviewVersions: [ "v1" ]
+    timeoutSeconds: 3
 `, systemNamespace, caBundle)
 }
 

pkg/webhook/resourcedeletionprotection/validating.go

@@ -0,0 +1,75 @@
+/*
+Copyright 2023 The Karmada Authors.
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+    http://www.apache.org/licenses/LICENSE-2.0
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package resourcedeletionprotection
+
+import (
+	"context"
+	"fmt"
+	"net/http"
+
+	admissionv1 "k8s.io/api/admission/v1"
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+	"k8s.io/klog/v2"
+	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
+)
+
+// ValidatingAdmission validates CronFederatedHPA object when creating/updating.
+type ValidatingAdmission struct {
+	Decoder *admission.Decoder
+}
+
+// Check if our ValidatingAdmission implements necessary interface
+var _ admission.Handler = &ValidatingAdmission{}
+
+// If a user assigns the ResourceDeletionProtectionLabelKey label to a specific resource,
+// and the value of this label is ResourceDeletionProtectionAlways, then deletion requests
+// for this resource will be denied.
+// In the current design, only the Value set to 'Always' will be protected,
+// while other values (including 'Never') will not receive any protection.
+// Additional options will be added here in the future.
+const (
+	ResourceDeletionProtectionLabelKey = "karmada.io/deletion-protected"
+	ResourceDeletionProtectionAlways   = "Always"
+	ResourceDeletionProtectionNever    = "Never"
+)
+
+// Handle implements admission.Handler interface.
+// It yields a response to an AdmissionRequest.
+func (v *ValidatingAdmission) Handle(_ context.Context, req admission.Request) admission.Response {
+	if req.Operation == admissionv1.Delete {
+		// Parse the uncertain type resource object
+		obj := &unstructured.Unstructured{}
+		if err := v.Decoder.DecodeRaw(req.OldObject, obj); err != nil {
+			return admission.Errored(http.StatusBadRequest, err)
+		}
+
+		klog.V(2).Infof("Validating ResourceDeletionProtection for resource: Kind:%s Name:%s Namespace:%s", req.Kind.Kind, obj.GetName(), obj.GetNamespace())
+
+		if value, ok := obj.GetLabels()[ResourceDeletionProtectionLabelKey]; ok {
+			// In normal, requests will be processed here.
+			// Only ResourceDeletionProtectionAlways value will be denied
+			if value == ResourceDeletionProtectionAlways {
+				return admission.Denied(fmt.Sprintf("Resource are protected, remove the label '%s' for delete the resource", ResourceDeletionProtectionLabelKey))
+			}
+			return admission.Allowed("")
+		} else {
+			// The resource must have the label, the webhook configuration will filter resources based on this label
+			klog.Errorf("The resource should have label '%s'", ResourceDeletionProtectionLabelKey)
+			return admission.Allowed("")
+		}
+	}
+	// The Operation should be 'Delete' only, the webhook configuration will filter other operation types
+	klog.Errorf("The operation type should be 'Delete' in ResourceDeletionProtection webhook")
+	return admission.Allowed("")
+}