Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Prevent CRTBs from being created with mismatching Namespace and ClusterName #294

Merged
merged 5 commits into from
Sep 15, 2023
Merged

Prevent CRTBs from being created with mismatching Namespace and ClusterName #294

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
400036a
Fix 42754
JonCrowther Sep 15, 2023
44ca1d6
Update create error message to have consistent wording
JonCrowther Sep 15, 2023
8fd02f7
Update CRTB docs
JonCrowther Sep 15, 2023
aa1922d
Address comments
JonCrowther Sep 15, 2023
bc81227
Update integration test
JonCrowther Sep 15, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Next Next commit
Fix 42754
  • Loading branch information
@JonCrowther
JonCrowther committed Sep 15, 2023
commit 400036a5c81709c58eeadd8f3ae9aac7b697e516
12 changes: 12 additions & 0 deletions pkg/resources/management.cattle.io/v3/clusterroletemplatebinding/validator.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -81,6 +81,7 @@ func (a *admitter) Admit(request *admission.Request) (*admissionv1.AdmissionResp
defer listTrace.LogIfLong(admission.SlowTraceDuration)

fieldPath := field.NewPath("clusterroletemplatebinding")
var warnings []string

if request.Operation == admissionv1.Update {
oldCRTB, newCRTB, err := objectsv3.ClusterRoleTemplateBindingOldAndNewFromRequest(&request.AdmissionRequest)
Expand All @@ -91,6 +92,10 @@ func (a *admitter) Admit(request *admission.Request) (*admissionv1.AdmissionResp
if err := validateUpdateFields(oldCRTB, newCRTB, fieldPath); err != nil {
return admission.ResponseBadRequest(err.Error()), nil
}

if newCRTB.ClusterName != newCRTB.Namespace {
warnings = append(warnings, "Using CRTBs with namespaces and clusterNames that differ is not supported")
JonCrowther marked this conversation as resolved.
Show resolved Hide resolved
}
}

crtb, err := objectsv3.ClusterRoleTemplateBindingFromRequest(&request.AdmissionRequest)
Expand Down Expand Up @@ -123,6 +128,9 @@ func (a *admitter) Admit(request *admission.Request) (*admissionv1.AdmissionResp
response := &admissionv1.AdmissionResponse{}
auth.SetEscalationResponse(response, auth.ConfirmNoEscalation(request, rules, crtb.ClusterName, a.resolver))

if warnings != nil {
response.Warnings = warnings
}
return response, nil
}

Expand Down Expand Up @@ -167,6 +175,10 @@ func (a *admitter) validateCreateFields(newCRTB *apisv3.ClusterRoleTemplateBindi
return field.Required(fieldPath.Child("clusterName"), reason)
}

if newCRTB.ClusterName != newCRTB.Namespace {
return field.Forbidden(fieldPath, "clusterName and namespace must be the same value")
}

if newCRTB.RoleTemplateName == "" {
return field.Required(fieldPath.Child("roleTemplateName"), reason)
}
Expand Down
55 changes: 48 additions & 7 deletions pkg/resources/management.cattle.io/v3/clusterroletemplatebinding/validator_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -41,7 +41,7 @@ type ClusterRoleTemplateBindingSuite struct {
}

func TestClusterRoleTemplateBindings(t *testing.T) {
t.Parallel()
//t.Parallel()
suite.Run(t, new(ClusterRoleTemplateBindingSuite))
}

Expand Down Expand Up @@ -668,10 +668,11 @@ func (c *ClusterRoleTemplateBindingSuite) Test_Create() {
username string
}
tests := []struct {
name string
args args
wantErr bool
allowed bool
name string
args args
wantErr bool
allowed bool
warnings []string
}{
{
name: "base test valid CRTB",
Expand Down Expand Up @@ -793,7 +794,6 @@ func (c *ClusterRoleTemplateBindingSuite) Test_Create() {
},
allowed: false,
},

{
name: "locked role template, crtb owned by grb",
args: args{
Expand Down Expand Up @@ -842,7 +842,6 @@ func (c *ClusterRoleTemplateBindingSuite) Test_Create() {
},
allowed: false,
},

{
name: "locked role template, crtb owned by missing grb",
args: args{
Expand Down Expand Up @@ -875,6 +874,39 @@ func (c *ClusterRoleTemplateBindingSuite) Test_Create() {
},
wantErr: true,
},
{
name: "create mismatched clusterName and namespace",
args: args{
username: adminUser,
oldCRTB: func() *apisv3.ClusterRoleTemplateBinding {
return nil
},
newCRTB: func() *apisv3.ClusterRoleTemplateBinding {
baseCRTB := newDefaultCRTB()
baseCRTB.ClusterName = "c-mismatch"
return baseCRTB
},
},
allowed: false,
},
{
name: "update mismatched clusterName and namespace",
args: args{
username: adminUser,
oldCRTB: func() *apisv3.ClusterRoleTemplateBinding {
baseCRTB := newDefaultCRTB()
baseCRTB.ClusterName = "c-mismatch"
return baseCRTB
},
newCRTB: func() *apisv3.ClusterRoleTemplateBinding {
baseCRTB := newDefaultCRTB()
baseCRTB.ClusterName = "c-mismatch"
return baseCRTB
},
},
allowed: true,
warnings: []string{"Using CRTBs with namespaces and clusterNames that differ is not supported"},
},
}

for i := range tests {
Expand All @@ -892,6 +924,15 @@ func (c *ClusterRoleTemplateBindingSuite) Test_Create() {
if resp.Allowed != test.allowed {
c.Failf("Response was incorrectly validated", "Wanted response.Allowed = '%v' got '%v': result=%+v", test.name, test.allowed, resp.Allowed, resp.Result)
}
// check warnings
if test.warnings != nil {
if len(test.warnings) != len(resp.Warnings) {
c.Failf("Number of warnings in response different from expected", "Wanted response.Warnings: '%v' got '%v'", test.warnings, resp.Warnings)
}
for w := range test.warnings {
assert.Equal(c.T(), test.warnings[w], resp.Warnings[w])
}
}
}
})
}
Expand Down