feat: use factory to init clientset instead of use in cluster config

pkg/webhook/mutateadmissionwebhook.go

@@ -9,14 +9,18 @@ import (
 	"net/http"
 	"os"
 
-	"github.com/spf13/cobra"
-
 	v1 "k8s.io/api/admission/v1"
 	"k8s.io/api/admission/v1beta1"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/klog/v2"
+	cmdutil "k8s.io/kubectl/pkg/cmd/util"
 )
 
+// admissionReviewHandler is a handler to handle business logic, holding an util.Factory
+type admissionReviewHandler struct {
+	f cmdutil.Factory
+}
+
 // admitv1beta1Func handles a v1beta1 admission
 type admitv1beta1Func func(v1beta1.AdmissionReview) *v1beta1.AdmissionResponse
 
@@ -116,23 +120,30 @@ func serve(w http.ResponseWriter, r *http.Request, admit admitHandler) {
 	}
 }
 
-func servePods(w http.ResponseWriter, r *http.Request) {
-	serve(w, r, newDelegateToV1AdmitHandler(admitPods))
-}
-
-func Main(cmd *cobra.Command, args []string) {
-	http.HandleFunc("/pods", servePods)
-	http.HandleFunc("/readyz", func(w http.ResponseWriter, req *http.Request) { w.Write([]byte("ok")) })
-	cert, _ := base64.StdEncoding.DecodeString(os.Getenv("CERT"))
-	key, _ := base64.StdEncoding.DecodeString(os.Getenv("KEY"))
-	pair, _ := tls.X509KeyPair(cert, key)
+func Main(f cmdutil.Factory) error {
+	h := &admissionReviewHandler{f: f}
+	http.HandleFunc("/pods", func(w http.ResponseWriter, r *http.Request) {
+		serve(w, r, newDelegateToV1AdmitHandler(h.admitPods))
+	})
+	http.HandleFunc("/readyz", func(w http.ResponseWriter, req *http.Request) {
+		_, _ = w.Write([]byte("ok"))
+	})
+	cert, err := base64.StdEncoding.DecodeString(os.Getenv("CERT"))
+	if err != nil {
+		return err
+	}
+	key, err := base64.StdEncoding.DecodeString(os.Getenv("KEY"))
+	if err != nil {
+		return err
+	}
+	pair, err := tls.X509KeyPair(cert, key)
+	if err != nil {
+		return err
+	}
 	t := &tls.Config{Certificates: []tls.Certificate{pair}}
 	server := &http.Server{
 		Addr:      fmt.Sprintf(":%d", 80),
 		TLSConfig: t,
 	}
-	err := server.ListenAndServeTLS("", "")
-	if err != nil {
-		panic(err)
-	}
+	return server.ListenAndServeTLS("", "")
 }

pkg/webhook/pods.go

@@ -9,8 +9,6 @@ import (
 	"k8s.io/api/admission/v1"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"k8s.io/client-go/kubernetes"
-	"k8s.io/client-go/rest"
 	"k8s.io/klog/v2"
 	"k8s.io/kubectl/pkg/cmd/util/podcmd"
 
@@ -19,7 +17,7 @@ import (
 )
 
 // only allow pods to pull images from specific registry.
-func admitPods(ar v1.AdmissionReview) *v1.AdmissionResponse {
+func (h *admissionReviewHandler) admitPods(ar v1.AdmissionReview) *v1.AdmissionResponse {
 	klog.V(2).Info("admitting pods")
 	podResource := metav1.GroupVersionResource{Group: "", Version: "v1", Resource: "pods"}
 	if ar.Request.Resource != podResource {
@@ -47,12 +45,7 @@ func admitPods(ar v1.AdmissionReview) *v1.AdmissionResponse {
 					pair := pod.Spec.Containers[i].Env[j]
 					if pair.Name == "InboundPodTunIP" {
 						found = true
-						conf, err := rest.InClusterConfig()
-						if err != nil {
-							klog.Error(err)
-							return toV1AdmissionResponse(err)
-						}
-						clientset, err := kubernetes.NewForConfig(conf)
+						clientset, err := h.f.KubernetesClientSet()
 						if err != nil {
 							klog.Error(err)
 							return toV1AdmissionResponse(err)
@@ -92,12 +85,7 @@ func admitPods(ar v1.AdmissionReview) *v1.AdmissionResponse {
 				if envVar.Name == "InboundPodTunIP" {
 					ip, cidr, err := net.ParseCIDR(envVar.Value)
 					if err == nil {
-						conf, err := rest.InClusterConfig()
-						if err != nil {
-							klog.Error(err)
-							return toV1AdmissionResponse(err)
-						}
-						clientset, err := kubernetes.NewForConfig(conf)
+						clientset, err := h.f.KubernetesClientSet()
 						if err != nil {
 							klog.Error(err)
 							return toV1AdmissionResponse(err)