sigstore · senanz · Oct 31, 2024 · Oct 31, 2024 · Nov 3, 2024 · Nov 12, 2024
diff --git a/cmd/webhook/main.go b/cmd/webhook/main.go
@@ -21,6 +21,7 @@ import (
 	"fmt"
 	"log"
 	"os"
+	"strings"
 	"time"
 
 	policyduckv1beta1 "github.com/sigstore/policy-controller/pkg/apis/duck/v1beta1"
@@ -78,6 +79,13 @@ var (
 	// https://github.com/sigstore/policy-controller/issues/354
 	disableTUF = flag.Bool("disable-tuf", false, "Disable TUF support.")
 
+	// Validate specific resources.
+    // https://github.com/sigstore/policy-controller/issues/1388
+    resourcesNames = flag.String("resource-name", "replicasets, deployments, pods, cronjobs, jobs, statefulsets, daemonsets", "Comma-separated list of resources")
+    // Split the input string into a slice of strings
+    listResources []string
+    types              map[schema.GroupVersionKind]resourcesemantics.GenericCRD
+
 	// mutatingCIPWebhookName holds the name of the mutating webhook configuration
 	// resource dispatching admission requests to policy-webhook.
 	// It is also the name of the webhook which is injected by the controller
@@ -116,6 +124,8 @@ func main() {
 	flag.IntVar(&opts.Port, "secure-port", opts.Port, "The port on which to serve HTTPS.")
 
 	flag.Parse()
+	resourcesNamesList := strings.Split(*resourcesNames, ",")
+    listResources = append(listResources, resourcesNamesList...)
 
 	// If TUF has been disabled do not try to set it up.
 	if !*disableTUF {
@@ -140,8 +150,7 @@ func main() {
 
 	// This must match the set of resources we configure in
 	// cmd/webhook/main.go in the "types" map.
-	common.ValidResourceNames = sets.NewString("replicasets", "deployments",
-		"pods", "cronjobs", "jobs", "statefulsets", "daemonsets")
+	common.ValidResourceNames = sets.NewString(resourcesNamesList...)
 
 	v := version.GetVersionInfo()
 	vJSON, _ := v.JSONString()
@@ -198,17 +207,29 @@ func (c *crdEphemeralContainers) SupportedVerbs() []admissionregistrationv1.Oper
 	}
 }
 
-var types = map[schema.GroupVersionKind]resourcesemantics.GenericCRD{
-	corev1.SchemeGroupVersion.WithKind("Pod"): &crdEphemeralContainers{GenericCRD: &duckv1.Pod{}},
-
-	appsv1.SchemeGroupVersion.WithKind("ReplicaSet"):  &crdNoStatusUpdatesOrDeletes{GenericCRD: &policyduckv1beta1.PodScalable{}},
-	appsv1.SchemeGroupVersion.WithKind("Deployment"):  &crdNoStatusUpdatesOrDeletes{GenericCRD: &policyduckv1beta1.PodScalable{}},
-	appsv1.SchemeGroupVersion.WithKind("StatefulSet"): &crdNoStatusUpdatesOrDeletes{GenericCRD: &policyduckv1beta1.PodScalable{}},
-	appsv1.SchemeGroupVersion.WithKind("DaemonSet"):   &crdNoStatusUpdatesOrDeletes{GenericCRD: &duckv1.WithPod{}},
-	batchv1.SchemeGroupVersion.WithKind("Job"):        &crdNoStatusUpdatesOrDeletes{GenericCRD: &duckv1.WithPod{}},
-
-	batchv1.SchemeGroupVersion.WithKind("CronJob"):      &crdNoStatusUpdatesOrDeletes{GenericCRD: &duckv1.CronJob{}},
-	batchv1beta1.SchemeGroupVersion.WithKind("CronJob"): &crdNoStatusUpdatesOrDeletes{GenericCRD: &duckv1.CronJob{}},
+func createTypesMap(kindsList []string) map[schema.GroupVersionKind]resourcesemantics.GenericCRD {
+	types := make(map[schema.GroupVersionKind]resourcesemantics.GenericCRD)
+	for _, kind := range kindsList {
+		kind = strings.TrimSpace(kind)
+		switch kind {
+		case "pods":
+			types[corev1.SchemeGroupVersion.WithKind("Pod")] = &crdEphemeralContainers{GenericCRD: &duckv1.Pod{}}
+		case "replicasets":
+			types[appsv1.SchemeGroupVersion.WithKind("ReplicaSet")] = &crdNoStatusUpdatesOrDeletes{GenericCRD: &policyduckv1beta1.PodScalable{}}
+		case "deployments":
+			types[appsv1.SchemeGroupVersion.WithKind("Deployment")] = &crdNoStatusUpdatesOrDeletes{GenericCRD: &policyduckv1beta1.PodScalable{}}
+		case "statefulsets":
+			types[appsv1.SchemeGroupVersion.WithKind("StatefulSet")] = &crdNoStatusUpdatesOrDeletes{GenericCRD: &policyduckv1beta1.PodScalable{}}
+		case "daemonsets":
+			types[appsv1.SchemeGroupVersion.WithKind("DaemonSet")] = &crdNoStatusUpdatesOrDeletes{GenericCRD: &duckv1.WithPod{}}
+		case "jobs":
+			types[batchv1.SchemeGroupVersion.WithKind("Job")] = &crdNoStatusUpdatesOrDeletes{GenericCRD: &duckv1.WithPod{}}
+		case "cronjobs":
+			types[batchv1.SchemeGroupVersion.WithKind("CronJob")] = &crdNoStatusUpdatesOrDeletes{GenericCRD: &duckv1.CronJob{}}
+			types[batchv1beta1.SchemeGroupVersion.WithKind("CronJob")] = &crdNoStatusUpdatesOrDeletes{GenericCRD: &duckv1.CronJob{}}
+		}
+	}
+	return types
 }
 
 var typesCIP = map[schema.GroupVersionKind]resourcesemantics.GenericCRD{
@@ -221,6 +242,7 @@ var typesCIP = map[schema.GroupVersionKind]resourcesemantics.GenericCRD{
 
 func NewValidatingAdmissionController(ctx context.Context, cmw configmap.Watcher) *controller.Impl {
 	// Decorate contexts with the current state of the config.
+	types = createTypesMap(listResources)
 	store := config.NewStore(logging.FromContext(ctx).Named("config-store"))
 	store.WatchConfigs(cmw)
 	policyControllerConfigStore := policycontrollerconfig.NewStore(logging.FromContext(ctx).Named("config-policy-controller"))
@@ -278,7 +300,7 @@ func NewMutatingAdmissionController(ctx context.Context, _ configmap.Watcher) *c
 	}
 	ctx = webhook.WithOptions(ctx, *woptions)
 	validator := cwebhook.NewValidator(ctx)
-
+    types = createTypesMap(listResources)
 	return defaulting.NewAdmissionController(ctx,
 		// Name of the resource webhook.
 		*webhookName,

diff --git a/test/e2e_test_cluster_with_scalable.sh b/test/e2e_test_cluster_with_scalable.sh
@@ -111,6 +111,10 @@ echo '::group:: Deploy deployment with unsigned image'
 sed "s#TEST_IMAGE#${demoimage}#" ./test/testdata/policy-controller/e2e/test-deployment.yaml | kubectl apply -f -
 echo '::endgroup::'
 
+echo '::group:: Deploy deployment with custom resource'
+sed "s#TEST_IMAGE#${demoimage}#" ./test/testdata/policy-controller/e2e/test-deployment-with-custom-resource.yaml | kubectl apply -f -
+echo '::endgroup::'
+
 echo '::group:: Label test namespace for verification'
 kubectl label namespace ${NS} policy.sigstore.dev/include=true
 echo '::endgroup::'

diff --git a/test/testdata/policy-controller/e2e/test-deployment-with-custom-resource.yaml b/test/testdata/policy-controller/e2e/test-deployment-with-custom-resource.yaml
@@ -0,0 +1,36 @@
+# Copyright 2022 The Sigstore Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  namespace: demo-scalable-custom-resource
+  name: test-deployment-custom-resource
+  labels:
+    app: demo-custom-resource
+spec:
+  replicas: 3
+  selector:
+    matchLabels:
+      app: demo-custom-resource
+  template:
+    metadata:
+      labels:
+        app: demo-custom-resource
+    spec:
+      containers:
+          - args:
+              - resource-name="pods"
+          - name: demo-custom-resource
+          image: TEST_IMAGE