Merge pull request kubernetes-sigs#2072 from arghya88/validate-filter-in-sg

🐛Validate that additional security groups can not have filters

Author: k8s-ci-robot

api/v1alpha3/awsmachine_webhook.go

@@ -53,6 +53,7 @@ func (r *AWSMachine) ValidateCreate() error {
 	allErrs = append(allErrs, r.validateRootVolume()...)
 	allErrs = append(allErrs, r.validateNonRootVolumes()...)
 	allErrs = append(allErrs, isValidSSHKey(r.Spec.SSHKeyName)...)
+	allErrs = append(allErrs, r.validateAdditionalSecurityGroups()...)
 
 	return aggregateObjErrors(r.GroupVersionKind().GroupKind(), r.Name, allErrs)
 }
@@ -183,3 +184,14 @@ func (r *AWSMachine) Default() {
 		r.Spec.CloudInit.SecureSecretsBackend = SecretBackendSecretsManager
 	}
 }
+
+func (r *AWSMachine) validateAdditionalSecurityGroups() field.ErrorList {
+	var allErrs field.ErrorList
+
+	for _, additionalSecurityGroups := range r.Spec.AdditionalSecurityGroups {
+		if len(additionalSecurityGroups.Filters) > 0 {
+			allErrs = append(allErrs, field.Forbidden(field.NewPath("spec.additionalSecurityGroups"), "filters are not implemented for security groups and will be removed in a future release"))
+		}
+	}
+	return allErrs
+}

api/v1alpha3/awsmachine_webhook_test.go

@@ -138,6 +138,24 @@ func TestAWSMachine_ValidateCreate(t *testing.T) {
 			},
 			wantErr: false,
 		},
+		{
+			name: "additional security groups should not have filters",
+			machine: &AWSMachine{
+				Spec: AWSMachineSpec{
+					AdditionalSecurityGroups: []AWSResourceReference{
+						{
+							Filters: []Filter{
+								{
+									Name:   "example-name",
+									Values: []string{"example-value"},
+								},
+							},
+						},
+					},
+				},
+			},
+			wantErr: true,
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {