cloudprovider webhook: Enforce object selector unconditionally (#10027)

* cloudprovider webhook: Enforce object selector unconditionally * Rename buildSelector funcs to buildNamespaceSelector
gardener · Jun 25, 2024 · 27ee197 · 27ee197
1 parent bfa8059
commit 27ee197
Show file tree

Hide file tree

Showing 5 changed files with 21 additions and 25 deletions.
diff --git a/extensions/pkg/webhook/cloudprovider/cloudprovider.go b/extensions/pkg/webhook/cloudprovider/cloudprovider.go
@@ -24,9 +24,8 @@ var logger = log.Log.WithName("cloudprovider-webhook")
 
 // Args are the requirements to create a cloudprovider webhook.
 type Args struct {
-	Provider             string
-	Mutator              extensionswebhook.Mutator
-	EnableObjectSelector bool
+	Provider string
+	Mutator  extensionswebhook.Mutator
 }
 
 // New creates a new cloudprovider webhook.
@@ -39,7 +38,12 @@ func New(mgr manager.Manager, args Args) (*extensionswebhook.Webhook, error) {
 		return nil, err
 	}
 
-	namespaceSelector := buildSelector(args.Provider)
+	namespaceSelector := buildNamespaceSelector(args.Provider)
+	objectSelector := &metav1.LabelSelector{
+		MatchLabels: map[string]string{
+			v1beta1constants.GardenerPurpose: v1beta1constants.SecretNameCloudProvider,
+		},
+	}
 	logger.Info("Creating webhook")
 
 	webhook := &extensionswebhook.Webhook{
@@ -50,20 +54,13 @@ func New(mgr manager.Manager, args Args) (*extensionswebhook.Webhook, error) {
 		Webhook:           &admission.Webhook{Handler: handler, RecoverPanic: true},
 		Path:              WebhookName,
 		NamespaceSelector: namespaceSelector,
-	}
-
-	if args.EnableObjectSelector {
-		webhook.ObjectSelector = &metav1.LabelSelector{
-			MatchLabels: map[string]string{
-				v1beta1constants.GardenerPurpose: v1beta1constants.SecretNameCloudProvider,
-			},
-		}
+		ObjectSelector:    objectSelector,
 	}
 
 	return webhook, nil
 }
 
-func buildSelector(provider string) *metav1.LabelSelector {
+func buildNamespaceSelector(provider string) *metav1.LabelSelector {
 	return &metav1.LabelSelector{
 		MatchExpressions: []metav1.LabelSelectorRequirement{
 			{

diff --git a/extensions/pkg/webhook/controlplane/controlplane.go b/extensions/pkg/webhook/controlplane/controlplane.go
@@ -62,7 +62,7 @@ func New(mgr manager.Manager, args Args) (*extensionswebhook.Webhook, error) {
 	logger.Info("Creating webhook", "name", getName(args.Kind))
 
 	// Build namespace selector from the webhook kind and provider
-	namespaceSelector, err := buildSelector(args.Kind, args.Provider)
+	namespaceSelector, err := buildNamespaceSelector(args.Kind, args.Provider)
 	if err != nil {
 		return nil, err
 	}
@@ -90,8 +90,8 @@ func getName(kind string) string {
 	}
 }
 
-// buildSelector creates and returns a LabelSelector for the given webhook kind and provider.
-func buildSelector(kind, provider string) (*metav1.LabelSelector, error) {
+// buildNamespaceSelector creates and returns a LabelSelector for the given webhook kind and provider.
+func buildNamespaceSelector(kind, provider string) (*metav1.LabelSelector, error) {
 	// Determine label selector key from the kind
 	var key string
 

diff --git a/extensions/pkg/webhook/network/network.go b/extensions/pkg/webhook/network/network.go
@@ -57,12 +57,12 @@ func New(mgr manager.Manager, args Args) (*extensionswebhook.Webhook, error) {
 		Target:            extensionswebhook.TargetSeed,
 		Path:              path,
 		Webhook:           &admission.Webhook{Handler: handler, RecoverPanic: true},
-		NamespaceSelector: buildSelector(args.NetworkProvider, args.CloudProvider),
+		NamespaceSelector: buildNamespaceSelector(args.NetworkProvider, args.CloudProvider),
 	}, nil
 }
 
-// buildSelector creates and returns a LabelSelector for the given webhook kind and provider.
-func buildSelector(networkProvider, cloudProvider string) *metav1.LabelSelector {
+// buildNamespaceSelector creates and returns a LabelSelector for the given webhook kind and provider.
+func buildNamespaceSelector(networkProvider, cloudProvider string) *metav1.LabelSelector {
 	// Create and return LabelSelector
 	return &metav1.LabelSelector{
 		MatchExpressions: []metav1.LabelSelectorRequirement{

diff --git a/extensions/pkg/webhook/shoot/shoot.go b/extensions/pkg/webhook/shoot/shoot.go
@@ -49,7 +49,7 @@ func New(mgr manager.Manager, args Args) (*extensionswebhook.Webhook, error) {
 		Types:             args.Types,
 		Path:              WebhookName,
 		Target:            extensionswebhook.TargetShoot,
-		NamespaceSelector: buildSelector(),
+		NamespaceSelector: buildNamespaceSelector(),
 		ObjectSelector:    args.ObjectSelector,
 		FailurePolicy:     args.FailurePolicy,
 	}
@@ -77,8 +77,8 @@ func New(mgr manager.Manager, args Args) (*extensionswebhook.Webhook, error) {
 	return nil, fmt.Errorf("neither mutator nor mutator with shoot client is set")
 }
 
-// buildSelector creates and returns a LabelSelector for the given webhook kind and provider.
-func buildSelector() *metav1.LabelSelector {
+// buildNamespaceSelector creates and returns a LabelSelector for the given webhook kind and provider.
+func buildNamespaceSelector() *metav1.LabelSelector {
 	// Create and return LabelSelector
 	return &metav1.LabelSelector{
 		MatchExpressions: []metav1.LabelSelectorRequirement{

diff --git a/test/integration/extensions/webhook/cloudprovider/cloudprovider_suite_test.go b/test/integration/extensions/webhook/cloudprovider/cloudprovider_suite_test.go
@@ -161,9 +161,8 @@ func addTestWebhookToManager(mgr manager.Manager) error {
 	switchOptions := extensionscmdwebhook.NewSwitchOptions(
 		extensionscmdwebhook.Switch("cloudprovider", func(mgr manager.Manager) (*extensionswebhook.Webhook, error) {
 			return cloudprovider.New(mgr, cloudprovider.Args{
-				Provider:             providerName,
-				Mutator:              cloudprovider.NewMutator(mgr, log, testcloudprovider.NewEnsurer(log)),
-				EnableObjectSelector: true,
+				Provider: providerName,
+				Mutator:  cloudprovider.NewMutator(mgr, log, testcloudprovider.NewEnsurer(log)),
 			})
 		}),
 	)