Skip to content

Commit 74eac8c

Browse files
author
Nont
committed
Use a different client for system:masters
Signed-off-by: Nont <[email protected]>
1 parent e769fbf commit 74eac8c

File tree

5 files changed

+141
-90
lines changed

5 files changed

+141
-90
lines changed

pkg/webhook/managedresource/validatingadmissionpolicy.go

Lines changed: 4 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -12,6 +12,8 @@ import (
1212

1313
const resourceName = "aks-fleet-managed-by-arm"
1414

15+
var forbidden = metav1.StatusReasonForbidden
16+
1517
func GetValidatingAdmissionPolicy(isHub bool) *admv1.ValidatingAdmissionPolicy {
1618
vap := &admv1.ValidatingAdmissionPolicy{
1719
TypeMeta: metav1.TypeMeta{
@@ -66,6 +68,8 @@ func GetValidatingAdmissionPolicy(isHub bool) *admv1.ValidatingAdmissionPolicy {
6668
Validations: []admv1.Validation{
6769
{
6870
Expression: `"system:masters" in request.userInfo.groups || "system:serviceaccounts:kube-system" in request.userInfo.groups`,
71+
Message: "Create, Update, or Delete operations on ARM managed resources is forbidden",
72+
Reason: &forbidden,
6973
},
7074
},
7175
},

test/e2e/fleet_guard_rail_test.go

Lines changed: 39 additions & 39 deletions
Original file line numberDiff line numberDiff line change
@@ -78,7 +78,7 @@ var _ = Describe("fleet guard rail tests for deny fleet MC CREATE operations", f
7878
}
7979

8080
By(fmt.Sprintf("expecting denial of operation CREATE of fleet member cluster %s", mc.Name))
81-
Expect(checkIfStatusErrorWithMessage(impersonateHubClient.Create(ctx, mc), fmt.Sprintf(validation.ResourceDeniedFormat, testUser, utils.GenerateGroupString(testGroups), admissionv1.Create, &mcGVK, "", types.NamespacedName{Name: mc.Name}))).Should(Succeed())
81+
Expect(checkIfStatusErrorWithMessage(notMasterUser.Create(ctx, mc), fmt.Sprintf(validation.ResourceDeniedFormat, testUser, utils.GenerateGroupString(testGroups), admissionv1.Create, &mcGVK, "", types.NamespacedName{Name: mc.Name}))).Should(Succeed())
8282
})
8383
})
8484

@@ -105,7 +105,7 @@ var _ = Describe("fleet guard rail tests for allow/deny fleet MC UPDATE, DELETE
105105
return errors.New("annotations are empty")
106106
}
107107
mc.Annotations[fleetClusterResourceIDAnnotationKey] = clusterID2
108-
err = impersonateHubClient.Update(ctx, &mc)
108+
err = notMasterUser.Update(ctx, &mc)
109109
if k8sErrors.IsConflict(err) {
110110
return err
111111
}
@@ -120,7 +120,7 @@ var _ = Describe("fleet guard rail tests for allow/deny fleet MC UPDATE, DELETE
120120
}
121121
By(fmt.Sprintf("remove fleet member cluster, cluster id annotation %s", mc.Name))
122122
mc.SetAnnotations(nil)
123-
err = impersonateHubClient.Update(ctx, &mc)
123+
err = notMasterUser.Update(ctx, &mc)
124124
if k8sErrors.IsConflict(err) {
125125
return err
126126
}
@@ -155,7 +155,7 @@ var _ = Describe("fleet guard rail tests for allow/deny fleet MC UPDATE, DELETE
155155
By(fmt.Sprintf("update fleet member cluster spec for MC %s", mc.Name))
156156
mc.Spec.HeartbeatPeriodSeconds = 30
157157
By(fmt.Sprintf("expecting denial of operation UPDATE of fleet member cluster %s", mc.Name))
158-
err = impersonateHubClient.Update(ctx, &mc)
158+
err = notMasterUser.Update(ctx, &mc)
159159
if k8sErrors.IsConflict(err) {
160160
return err
161161
}
@@ -175,7 +175,7 @@ var _ = Describe("fleet guard rail tests for allow/deny fleet MC UPDATE, DELETE
175175
return errors.New("status conditions are empty")
176176
}
177177
mc.Status.Conditions[0].Reason = testReason
178-
err = impersonateHubClient.Status().Update(ctx, &mc)
178+
err = notMasterUser.Status().Update(ctx, &mc)
179179
if k8sErrors.IsConflict(err) {
180180
return err
181181
}
@@ -190,7 +190,7 @@ var _ = Describe("fleet guard rail tests for allow/deny fleet MC UPDATE, DELETE
190190
},
191191
}
192192
By(fmt.Sprintf("expecting denial of operation DELETE of fleet member cluster %s", mc.Name))
193-
Expect(checkIfStatusErrorWithMessage(impersonateHubClient.Delete(ctx, &mc), fmt.Sprintf(validation.ResourceDeniedFormat, testUser, utils.GenerateGroupString(testGroups), admissionv1.Delete, &mcGVK, "", types.NamespacedName{Name: mc.Name}))).Should(Succeed())
193+
Expect(checkIfStatusErrorWithMessage(notMasterUser.Delete(ctx, &mc), fmt.Sprintf(validation.ResourceDeniedFormat, testUser, utils.GenerateGroupString(testGroups), admissionv1.Delete, &mcGVK, "", types.NamespacedName{Name: mc.Name}))).Should(Succeed())
194194
})
195195

196196
It("should allow update operation on fleet member cluster CR labels for non system user", func() {
@@ -202,7 +202,7 @@ var _ = Describe("fleet guard rail tests for allow/deny fleet MC UPDATE, DELETE
202202
return err
203203
}
204204
mc.SetLabels(map[string]string{testKey: testValue})
205-
return impersonateHubClient.Update(ctx, &mc)
205+
return notMasterUser.Update(ctx, &mc)
206206
}, eventuallyDuration, eventuallyInterval).Should(Succeed())
207207
})
208208

@@ -220,7 +220,7 @@ var _ = Describe("fleet guard rail tests for allow/deny fleet MC UPDATE, DELETE
220220
}
221221
annotations[testKey] = testValue
222222
mc.SetAnnotations(annotations)
223-
return impersonateHubClient.Update(ctx, &mc)
223+
return notMasterUser.Update(ctx, &mc)
224224
}, eventuallyDuration, eventuallyInterval).Should(Succeed())
225225
})
226226

@@ -288,7 +288,7 @@ var _ = Describe("fleet guard rail tests for allow/deny fleet MC UPDATE, DELETE
288288
Effect: corev1.TaintEffectNoSchedule,
289289
}
290290
mc.Spec.Taints = append(mc.Spec.Taints, taint)
291-
return impersonateHubClient.Update(ctx, &mc)
291+
return notMasterUser.Update(ctx, &mc)
292292
}, eventuallyDuration, eventuallyInterval).Should(Succeed())
293293
})
294294

@@ -339,9 +339,9 @@ var _ = Describe("fleet guard rail tests for allow upstream MC CREATE, DELETE op
339339
HeartbeatPeriodSeconds: 60,
340340
},
341341
}
342-
Expect(impersonateHubClient.Create(ctx, mc)).Should(Succeed())
343-
Expect(impersonateHubClient.Get(ctx, types.NamespacedName{Name: mc.Name}, mc)).Should(Succeed())
344-
Expect(impersonateHubClient.Delete(ctx, mc)).Should(Succeed())
342+
Expect(notMasterUser.Create(ctx, mc)).Should(Succeed())
343+
Expect(notMasterUser.Get(ctx, types.NamespacedName{Name: mc.Name}, mc)).Should(Succeed())
344+
Expect(notMasterUser.Delete(ctx, mc)).Should(Succeed())
345345
ensureMemberClusterAndRelatedResourcesDeletion(mcName)
346346
})
347347
})
@@ -366,7 +366,7 @@ var _ = Describe("fleet guard rail tests for allow/deny upstream MC UPDATE opera
366366
}
367367
By(fmt.Sprintf("add fleet member cluster, cluster id annotation %s", mc.Name))
368368
mc.SetAnnotations(map[string]string{fleetClusterResourceIDAnnotationKey: clusterID1})
369-
err = impersonateHubClient.Update(ctx, &mc)
369+
err = notMasterUser.Update(ctx, &mc)
370370
if k8sErrors.IsConflict(err) {
371371
return err
372372
}
@@ -403,7 +403,7 @@ var _ = Describe("fleet guard rail tests for allow/deny upstream MC UPDATE opera
403403
return errors.New("status conditions are empty")
404404
}
405405
mc.Status.Conditions[0].Reason = testReason
406-
err = impersonateHubClient.Status().Update(ctx, &mc)
406+
err = notMasterUser.Status().Update(ctx, &mc)
407407
if k8sErrors.IsConflict(err) {
408408
return err
409409
}
@@ -420,7 +420,7 @@ var _ = Describe("fleet guard rail tests for allow/deny upstream MC UPDATE opera
420420
return err
421421
}
422422
mc.SetLabels(map[string]string{testKey: testValue})
423-
return impersonateHubClient.Update(ctx, &mc)
423+
return notMasterUser.Update(ctx, &mc)
424424
}, eventuallyDuration, eventuallyInterval).Should(Succeed())
425425
})
426426

@@ -433,7 +433,7 @@ var _ = Describe("fleet guard rail tests for allow/deny upstream MC UPDATE opera
433433
return err
434434
}
435435
mc.SetAnnotations(map[string]string{testKey: testValue})
436-
return impersonateHubClient.Update(ctx, &mc)
436+
return notMasterUser.Update(ctx, &mc)
437437
}, eventuallyDuration, eventuallyInterval).Should(Succeed())
438438
})
439439

@@ -451,7 +451,7 @@ var _ = Describe("fleet guard rail tests for allow/deny upstream MC UPDATE opera
451451
Effect: corev1.TaintEffectNoSchedule,
452452
}
453453
mc.Spec.Taints = append(mc.Spec.Taints, taint)
454-
return impersonateHubClient.Update(ctx, &mc)
454+
return notMasterUser.Update(ctx, &mc)
455455
}, eventuallyDuration, eventuallyInterval).Should(Succeed())
456456
})
457457

@@ -478,7 +478,7 @@ var _ = Describe("fleet guard rail tests for allow/deny upstream MC UPDATE opera
478478
By(fmt.Sprintf("update upstream member cluster spec for MC %s", mc.Name))
479479
mc.Spec.HeartbeatPeriodSeconds = 32
480480
By(fmt.Sprintf("expecting denial of operation UPDATE of upstream member cluster %s", mc.Name))
481-
return impersonateHubClient.Update(ctx, &mc)
481+
return notMasterUser.Update(ctx, &mc)
482482
}, eventuallyDuration, eventuallyInterval).Should(Succeed())
483483
})
484484

@@ -524,7 +524,7 @@ var _ = Describe("fleet guard rail tests for IMC UPDATE operation, in fleet-memb
524524
},
525525
}
526526
By(fmt.Sprintf("expecting denial of operation CREATE of Internal Member Cluster %s/%s", mcName, imcNamespace))
527-
Expect(checkIfStatusErrorWithMessage(impersonateHubClient.Create(ctx, &imc), fmt.Sprintf(validation.ResourceDeniedFormat, testUser, utils.GenerateGroupString(testGroups), admissionv1.Create, &imcGVK, "", types.NamespacedName{Name: imc.Name, Namespace: imc.Namespace}))).Should(Succeed())
527+
Expect(checkIfStatusErrorWithMessage(notMasterUser.Create(ctx, &imc), fmt.Sprintf(validation.ResourceDeniedFormat, testUser, utils.GenerateGroupString(testGroups), admissionv1.Create, &imcGVK, "", types.NamespacedName{Name: imc.Name, Namespace: imc.Namespace}))).Should(Succeed())
528528
})
529529

530530
It("should deny UPDATE operation on internal member cluster CR for user not in MC identity in fleet member namespace", func() {
@@ -536,7 +536,7 @@ var _ = Describe("fleet guard rail tests for IMC UPDATE operation, in fleet-memb
536536
}
537537
imc.Spec.HeartbeatPeriodSeconds = 25
538538
By("expecting denial of operation UPDATE of Internal Member Cluster")
539-
err = impersonateHubClient.Update(ctx, &imc)
539+
err = notMasterUser.Update(ctx, &imc)
540540
if k8sErrors.IsConflict(err) {
541541
return err
542542
}
@@ -548,7 +548,7 @@ var _ = Describe("fleet guard rail tests for IMC UPDATE operation, in fleet-memb
548548
var imc clusterv1beta1.InternalMemberCluster
549549
Expect(hubClient.Get(ctx, types.NamespacedName{Name: mcName, Namespace: imcNamespace}, &imc)).Should(Succeed())
550550
By("expecting denial of operation DELETE of Internal Member Cluster")
551-
Expect(checkIfStatusErrorWithMessage(impersonateHubClient.Delete(ctx, &imc), fmt.Sprintf(validation.ResourceDeniedFormat, testUser, utils.GenerateGroupString(testGroups), admissionv1.Delete, &imcGVK, "", types.NamespacedName{Name: imc.Name, Namespace: imc.Namespace}))).Should(Succeed())
551+
Expect(checkIfStatusErrorWithMessage(notMasterUser.Delete(ctx, &imc), fmt.Sprintf(validation.ResourceDeniedFormat, testUser, utils.GenerateGroupString(testGroups), admissionv1.Delete, &imcGVK, "", types.NamespacedName{Name: imc.Name, Namespace: imc.Namespace}))).Should(Succeed())
552552
})
553553

554554
It("should deny UPDATE operation on internal member cluster CR status for user not in MC identity in fleet member namespace", func() {
@@ -569,7 +569,7 @@ var _ = Describe("fleet guard rail tests for IMC UPDATE operation, in fleet-memb
569569
AgentStatus: nil,
570570
}
571571
By("expecting denial of operation UPDATE of internal member cluster CR status")
572-
err = impersonateHubClient.Status().Update(ctx, &imc)
572+
err = notMasterUser.Status().Update(ctx, &imc)
573573
if k8sErrors.IsConflict(err) {
574574
return err
575575
}
@@ -609,7 +609,7 @@ var _ = Describe("fleet guard rail tests for IMC UPDATE operation, in fleet-memb
609609
AgentStatus: nil,
610610
}
611611
By("expecting successful UPDATE of Internal Member Cluster Status")
612-
return impersonateHubClient.Status().Update(ctx, &imc)
612+
return notMasterUser.Status().Update(ctx, &imc)
613613
}, eventuallyDuration, eventuallyInterval).Should(Succeed())
614614
})
615615

@@ -622,7 +622,7 @@ var _ = Describe("fleet guard rail tests for IMC UPDATE operation, in fleet-memb
622622
}
623623
imc.Labels = map[string]string{testKey: testValue}
624624
By("expecting successful UPDATE of Internal Member Cluster Status")
625-
return impersonateHubClient.Update(ctx, &imc)
625+
return notMasterUser.Update(ctx, &imc)
626626
}, eventuallyDuration, eventuallyInterval).Should(Succeed())
627627
})
628628

@@ -693,7 +693,7 @@ var _ = Describe("fleet guard rail for UPDATE work operations, in fleet prefixed
693693
},
694694
}
695695
By(fmt.Sprintf("expecting denial of operation CREATE of Work %s/%s", workName, imcNamespace))
696-
Expect(checkIfStatusErrorWithMessage(impersonateHubClient.Create(ctx, &w), fmt.Sprintf(validation.ResourceDeniedFormat, testUser, utils.GenerateGroupString(testGroups), admissionv1.Create, &workGVK, "", types.NamespacedName{Name: w.Name, Namespace: w.Namespace}))).Should(Succeed())
696+
Expect(checkIfStatusErrorWithMessage(notMasterUser.Create(ctx, &w), fmt.Sprintf(validation.ResourceDeniedFormat, testUser, utils.GenerateGroupString(testGroups), admissionv1.Create, &workGVK, "", types.NamespacedName{Name: w.Name, Namespace: w.Namespace}))).Should(Succeed())
697697
})
698698

699699
It("should deny UPDATE operation on work CR status for user not in MC identity", func() {
@@ -715,7 +715,7 @@ var _ = Describe("fleet guard rail for UPDATE work operations, in fleet prefixed
715715
},
716716
}
717717
By("expecting denial of operation UPDATE of work CR status")
718-
err = impersonateHubClient.Status().Update(ctx, &w)
718+
err = notMasterUser.Status().Update(ctx, &w)
719719
if k8sErrors.IsConflict(err) {
720720
return err
721721
}
@@ -727,7 +727,7 @@ var _ = Describe("fleet guard rail for UPDATE work operations, in fleet prefixed
727727
var w placementv1beta1.Work
728728
Expect(hubClient.Get(ctx, types.NamespacedName{Name: workName, Namespace: imcNamespace}, &w)).Should(Succeed())
729729
By("expecting denial of operation DELETE of work")
730-
Expect(checkIfStatusErrorWithMessage(impersonateHubClient.Delete(ctx, &w), fmt.Sprintf(validation.ResourceDeniedFormat, testUser, utils.GenerateGroupString(testGroups), admissionv1.Delete, &workGVK, "", types.NamespacedName{Name: w.Name, Namespace: w.Namespace}))).Should(Succeed())
730+
Expect(checkIfStatusErrorWithMessage(notMasterUser.Delete(ctx, &w), fmt.Sprintf(validation.ResourceDeniedFormat, testUser, utils.GenerateGroupString(testGroups), admissionv1.Delete, &workGVK, "", types.NamespacedName{Name: w.Name, Namespace: w.Namespace}))).Should(Succeed())
731731
})
732732
})
733733

@@ -755,7 +755,7 @@ var _ = Describe("fleet guard rail for UPDATE work operations, in fleet prefixed
755755
}
756756
w.SetLabels(map[string]string{testKey: testValue})
757757
By("expecting successful UPDATE of work")
758-
return impersonateHubClient.Update(ctx, &w)
758+
return notMasterUser.Update(ctx, &w)
759759
}, eventuallyDuration, eventuallyInterval).Should(Succeed())
760760
})
761761

@@ -778,7 +778,7 @@ var _ = Describe("fleet guard rail for UPDATE work operations, in fleet prefixed
778778
},
779779
}
780780
By("expecting successful UPDATE of work Status")
781-
return impersonateHubClient.Status().Update(ctx, &w)
781+
return notMasterUser.Status().Update(ctx, &w)
782782
}, eventuallyDuration, eventuallyInterval).Should(Succeed())
783783
})
784784

@@ -827,7 +827,7 @@ var _ = Describe("fleet guard rail networking E2Es", Serial, Ordered, func() {
827827
}
828828
ise.SetLabels(map[string]string{testKey: testValue})
829829
By("expecting denial of operation UPDATE of Internal Service Export")
830-
err = impersonateHubClient.Update(ctx, &ise)
830+
err = notMasterUser.Update(ctx, &ise)
831831
if k8sErrors.IsConflict(err) {
832832
return err
833833
}
@@ -854,29 +854,29 @@ var _ = Describe("fleet guard rail networking E2Es", Serial, Ordered, func() {
854854
It("should allow CREATE operation on Internal service export resource in fleet-member namespace for user in member cluster identity", func() {
855855
ise := internalServiceExport(iseName, imcNamespace)
856856
By("expecting successful CREATE of Internal Service Export")
857-
Expect(impersonateHubClient.Create(ctx, &ise)).Should(Succeed())
857+
Expect(notMasterUser.Create(ctx, &ise)).Should(Succeed())
858858

859859
By("deleting Internal Service Export")
860860
// Cleanup the internalServiceExport so that it won't block the member deletion.
861-
Expect(impersonateHubClient.Delete(ctx, &ise)).Should(Succeed(), "failed to delete Internal Service Export")
861+
Expect(notMasterUser.Delete(ctx, &ise)).Should(Succeed(), "failed to delete Internal Service Export")
862862
})
863863

864864
It("should allow CREATE operation on Internal service import resource in fleet-member namespace for user in member cluster identity", func() {
865865
isi := internalServiceImport(isiName, imcNamespace)
866866
By("expecting successful CREATE of Internal Service Import")
867-
Expect(impersonateHubClient.Create(ctx, &isi)).Should(Succeed())
867+
Expect(notMasterUser.Create(ctx, &isi)).Should(Succeed())
868868

869869
By("deleting Internal Service Import")
870-
Expect(impersonateHubClient.Delete(ctx, &isi)).Should(Succeed(), "failed to delete Internal Service Import")
870+
Expect(notMasterUser.Delete(ctx, &isi)).Should(Succeed(), "failed to delete Internal Service Import")
871871
})
872872

873873
It("should allow CREATE operation on Endpoint slice export resource in fleet-member namespace for user in member cluster identity", func() {
874874
esx := endpointSliceExport(epName, imcNamespace)
875875
By("expecting successful CREATE of Endpoint slice export")
876-
Expect(impersonateHubClient.Create(ctx, &esx)).Should(Succeed())
876+
Expect(notMasterUser.Create(ctx, &esx)).Should(Succeed())
877877

878878
By("deleting Endpoint Slice Export")
879-
Expect(impersonateHubClient.Delete(ctx, &esx)).Should(Succeed(), "failed to delete EndpointSlice Export")
879+
Expect(notMasterUser.Delete(ctx, &esx)).Should(Succeed(), "failed to delete EndpointSlice Export")
880880
})
881881
})
882882

@@ -910,7 +910,7 @@ var _ = Describe("fleet guard rail networking E2Es", Serial, Ordered, func() {
910910
}
911911
ise.SetLabels(map[string]string{testKey: testValue})
912912
By("expecting denial of operation UPDATE of Internal Service Export")
913-
return impersonateHubClient.Update(ctx, &ise)
913+
return notMasterUser.Update(ctx, &ise)
914914
}, eventuallyDuration, eventuallyInterval).Should(Succeed())
915915
})
916916
})
@@ -929,12 +929,12 @@ var _ = Describe("fleet guard rail restrict internal fleet resources from being
929929
HeartbeatPeriodSeconds: 30,
930930
},
931931
}
932-
Expect(checkIfStatusErrorWithMessage(impersonateHubClient.Create(ctx, &imc), fmt.Sprintf(validation.ResourceDeniedFormat, testUser, utils.GenerateGroupString(testGroups), admissionv1.Create, &imcGVK, "", types.NamespacedName{Name: imc.Name, Namespace: imc.Namespace}))).Should(Succeed())
932+
Expect(checkIfStatusErrorWithMessage(notMasterUser.Create(ctx, &imc), fmt.Sprintf(validation.ResourceDeniedFormat, testUser, utils.GenerateGroupString(testGroups), admissionv1.Create, &imcGVK, "", types.NamespacedName{Name: imc.Name, Namespace: imc.Namespace}))).Should(Succeed())
933933
})
934934
})
935935

936936
It("should deny CREATE operation on internal service export resource in kube-system namespace for invalid user", func() {
937937
ise := internalServiceExport("test-ise", "kube-system")
938-
Expect(checkIfStatusErrorWithMessage(impersonateHubClient.Create(ctx, &ise), fmt.Sprintf(validation.ResourceDeniedFormat, testUser, utils.GenerateGroupString(testGroups), admissionv1.Create, &iseGVK, "", types.NamespacedName{Name: ise.Name, Namespace: ise.Namespace}))).Should(Succeed())
938+
Expect(checkIfStatusErrorWithMessage(notMasterUser.Create(ctx, &ise), fmt.Sprintf(validation.ResourceDeniedFormat, testUser, utils.GenerateGroupString(testGroups), admissionv1.Create, &iseGVK, "", types.NamespacedName{Name: ise.Name, Namespace: ise.Namespace}))).Should(Succeed())
939939
})
940940
})

0 commit comments

Comments
 (0)