fix: tighten the VAP rule for all managed resources (#1212)

Author: nwnt

charts/member-agent-arc/templates/serviceaccount.yaml

@@ -1,6 +1,8 @@
 apiVersion: v1
 kind: ServiceAccount
 metadata:
+  # the name is also used in the managed resource validating admission webhook.
+  # please make the change accordingly when you change the name.
   name: fleet-member-agent-sa
   namespace: fleet-system
   labels:

cmd/hubagent/main.go

@@ -205,7 +205,7 @@ func main() {
 		exitWithErrorFunc()
 	}
 
-	if err := managedresource.EnsureVAP(ctx, mgr.GetClient(), true); err != nil {
+	if err := managedresource.EnsureVAP(ctx, mgr.GetClient()); err != nil {
 		klog.Errorf("unable to create managed resource validating admission policy: %s", err)
 		exitWithErrorFunc()
 	}

pkg/controllers/internalmembercluster/v1beta1/member_controller.go

@@ -214,7 +214,7 @@ func (r *Reconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Resu
 
 	switch imc.Spec.State {
 	case clusterv1beta1.ClusterStateJoin:
-		if err := managedresource.EnsureVAP(ctx, r.memberClient, false); err != nil {
+		if err := managedresource.EnsureVAP(ctx, r.memberClient); err != nil {
 			return ctrl.Result{}, err
 		}
 		klog.V(2).InfoS("Successfully installed managed resource validating admission policy")
@@ -247,7 +247,7 @@ func (r *Reconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Resu
 		return ctrl.Result{RequeueAfter: time.Millisecond *
 			(time.Duration(hbinterval) + time.Duration(utilrand.Int63nRange(0, jitterRange)-jitterRange/2))}, nil
 	case clusterv1beta1.ClusterStateLeave:
-		if err := managedresource.EnsureNoVAP(ctx, r.memberClient, false); err != nil {
+		if err := managedresource.EnsureNoVAP(ctx, r.memberClient); err != nil {
 			return ctrl.Result{}, err
 		}
 		klog.V(2).InfoS("Successfully uninstalled managed resource validating admission policy")

pkg/webhook/managedresource/createordelete.go

@@ -16,8 +16,8 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
 )
 
-func EnsureNoVAP(ctx context.Context, c client.Client, isHub bool) error {
-	objs := []client.Object{getValidatingAdmissionPolicy(isHub), getValidatingAdmissionPolicyBinding()}
+func EnsureNoVAP(ctx context.Context, c client.Client) error {
+	objs := []client.Object{getValidatingAdmissionPolicy(), getValidatingAdmissionPolicyBinding()}
 	for _, obj := range objs {
 		err := c.Delete(ctx, obj)
 		switch {
@@ -34,13 +34,13 @@ func EnsureNoVAP(ctx context.Context, c client.Client, isHub bool) error {
 	return nil
 }
 
-func EnsureVAP(ctx context.Context, c client.Client, isHub bool) error {
+func EnsureVAP(ctx context.Context, c client.Client) error {
 	type vapObjectAndMutator struct {
 		obj    client.Object
 		mutate func() error
 	}
 	// TODO: this can be simplified by dealing with the specific type rather than using client.Object
-	vap, mutateVAP := getVAPWithMutator(isHub)
+	vap, mutateVAP := getVAPWithMutator()
 	vapb, mutateVAPB := getVAPBindingWithMutator()
 	objsAndMutators := []vapObjectAndMutator{
 		{
@@ -69,10 +69,10 @@ func EnsureVAP(ctx context.Context, c client.Client, isHub bool) error {
 	return nil
 }
 
-func getVAPWithMutator(isHub bool) (*v1.ValidatingAdmissionPolicy, func() error) {
-	vap := getValidatingAdmissionPolicy(isHub)
+func getVAPWithMutator() (*v1.ValidatingAdmissionPolicy, func() error) {
+	vap := getValidatingAdmissionPolicy()
 	return vap, func() error {
-		mutateValidatingAdmissionPolicy(vap, isHub)
+		mutateValidatingAdmissionPolicy(vap)
 		return nil
 	}
 }

pkg/webhook/managedresource/createordelete_test.go

@@ -32,44 +32,30 @@ func TestEnsureVAP(t *testing.T) {
 		t.Fatalf("Failed to add admissionregistration scheme: %v", err)
 	}
 
-	vapHub := getValidatingAdmissionPolicy(true)
-	vapMember := getValidatingAdmissionPolicy(false)
+	vap := getValidatingAdmissionPolicy()
 	binding := getValidatingAdmissionPolicyBinding()
 
 	tests := []struct {
 		name                 string
-		isHub                bool
 		existingObjs         []client.Object
 		createOrUpdateErrors map[client.ObjectKey]error
 		wantErr              bool
 		wantErrMessage       string
 		wantObjects          []client.Object
 	}{
 		{
-			name:         "hub cluster - create new objects",
-			isHub:        true,
+			name:         "create new objects",
 			existingObjs: []client.Object{},
 			wantErr:      false,
 			wantObjects: []client.Object{
-				vapHub.DeepCopy(),
+				vap.DeepCopy(),
 				binding.DeepCopy(),
 			},
 		},
 		{
-			name:         "member cluster - create new objects",
-			isHub:        false,
-			existingObjs: []client.Object{},
-			wantErr:      false,
-			wantObjects: []client.Object{
-				vapMember.DeepCopy(),
-				binding.DeepCopy(),
-			},
-		},
-		{
-			name:  "hub cluster - update existing objects",
-			isHub: true,
+			name: "update existing objects",
 			existingObjs: func() []client.Object {
-				existingVAP := vapHub.DeepCopy()
+				existingVAP := vap.DeepCopy()
 				existingBinding := binding.DeepCopy()
 
 				existingVAP.Spec.Validations = nil
@@ -79,32 +65,29 @@ func TestEnsureVAP(t *testing.T) {
 			}(),
 			wantErr: false,
 			wantObjects: []client.Object{
-				vapHub.DeepCopy(),
+				vap.DeepCopy(),
 				binding.DeepCopy(),
 			},
 		},
 		{
-			name:         "hub cluster - skip no match error",
-			isHub:        true,
+			name:         "skip no match error (cluster version < v1.30)",
 			existingObjs: []client.Object{},
 			createOrUpdateErrors: map[client.ObjectKey]error{
-				client.ObjectKeyFromObject(vapHub): &meta.NoKindMatchError{GroupKind: schema.GroupKind{Group: "admissionregistration.k8s.io", Kind: "ValidatingAdmissionPolicy"}},
+				client.ObjectKeyFromObject(vap): &meta.NoKindMatchError{GroupKind: schema.GroupKind{Group: "admissionregistration.k8s.io", Kind: "ValidatingAdmissionPolicy"}},
 			},
 			wantErr: false,
 		},
 		{
-			name:         "hub cluster - create error propagated",
-			isHub:        true,
+			name:         "vap create error",
 			existingObjs: []client.Object{},
 			createOrUpdateErrors: map[client.ObjectKey]error{
-				client.ObjectKeyFromObject(vapHub): apierrors.NewInternalError(errors.New("internal server error")),
+				client.ObjectKeyFromObject(vap): apierrors.NewInternalError(errors.New("internal server error")),
 			},
 			wantErr:        true,
 			wantErrMessage: "internal server error",
 		},
 		{
-			name:         "member cluster - binding creation error",
-			isHub:        false,
+			name:         "binding create error",
 			existingObjs: []client.Object{},
 			createOrUpdateErrors: map[client.ObjectKey]error{
 				client.ObjectKeyFromObject(binding): apierrors.NewForbidden(schema.GroupResource{Group: "admissionregistration.k8s.io", Resource: "validatingadmissionpolicybindings"}, binding.Name, errors.New("forbidden")),
@@ -173,7 +156,7 @@ func TestEnsureVAP(t *testing.T) {
 				WithInterceptorFuncs(interceptorFuncs).
 				Build()
 
-			err := EnsureVAP(context.Background(), fakeClient, tt.isHub)
+			err := EnsureVAP(context.Background(), fakeClient)
 
 			if tt.wantErr {
 				if err == nil {
@@ -219,74 +202,57 @@ func TestEnsureNoVAP(t *testing.T) {
 		t.Fatalf("Failed to add admissionregistration scheme: %v", err)
 	}
 
-	vapHub := getValidatingAdmissionPolicy(true)
-	vapMember := getValidatingAdmissionPolicy(false)
+	vap := getValidatingAdmissionPolicy()
 	binding := getValidatingAdmissionPolicyBinding()
 
 	tests := []struct {
 		name           string
-		isHub          bool
 		existingObjs   []client.Object
 		deleteErrors   map[client.ObjectKey]error
 		wantErr        bool
 		wantErrMessage string
 	}{
 		{
-			name:         "hub cluster - no existing objects",
-			isHub:        true,
+			name:         "no existing objects",
 			existingObjs: []client.Object{},
 			wantErr:      false,
 		},
 		{
-			name:  "hub cluster - existing objects deleted successfully",
-			isHub: true,
+			name: "existing objects deleted successfully",
 			existingObjs: []client.Object{
-				vapHub.DeepCopy(),
+				vap.DeepCopy(),
 				binding.DeepCopy(),
 			},
 			wantErr: false,
 		},
 		{
-			name:  "member cluster - existing objects deleted successfully",
-			isHub: false,
-			existingObjs: []client.Object{
-				vapMember.DeepCopy(),
-				binding.DeepCopy(),
-			},
-			wantErr: false,
-		},
-		{
-			name:         "hub cluster - not found errors ignored",
-			isHub:        true,
+			name:         "not found errors ignored",
 			existingObjs: []client.Object{},
 			deleteErrors: map[client.ObjectKey]error{
-				client.ObjectKeyFromObject(vapHub):  apierrors.NewNotFound(schema.GroupResource{Group: "admissionregistration.k8s.io", Resource: "validatingadmissionpolicies"}, vapHub.Name),
+				client.ObjectKeyFromObject(vap):     apierrors.NewNotFound(schema.GroupResource{Group: "admissionregistration.k8s.io", Resource: "validatingadmissionpolicies"}, vap.Name),
 				client.ObjectKeyFromObject(binding): apierrors.NewNotFound(schema.GroupResource{Group: "admissionregistration.k8s.io", Resource: "validatingadmissionpolicybindings"}, binding.Name),
 			},
 			wantErr: false,
 		},
 		{
-			name:         "hub cluster - no match error handled gracefully",
-			isHub:        true,
+			name:         "no match error handled gracefully",
 			existingObjs: []client.Object{},
 			deleteErrors: map[client.ObjectKey]error{
-				client.ObjectKeyFromObject(vapHub): &meta.NoKindMatchError{GroupKind: schema.GroupKind{Group: "admissionregistration.k8s.io", Kind: "ValidatingAdmissionPolicy"}},
+				client.ObjectKeyFromObject(vap): &meta.NoKindMatchError{GroupKind: schema.GroupKind{Group: "admissionregistration.k8s.io", Kind: "ValidatingAdmissionPolicy"}},
 			},
 			wantErr: false,
 		},
 		{
-			name:         "hub cluster - delete error",
-			isHub:        true,
+			name:         "delete error on vap",
 			existingObjs: []client.Object{},
 			deleteErrors: map[client.ObjectKey]error{
-				client.ObjectKeyFromObject(vapHub): apierrors.NewInternalError(errors.New("internal server error")),
+				client.ObjectKeyFromObject(vap): apierrors.NewInternalError(errors.New("internal server error")),
 			},
 			wantErr:        true,
 			wantErrMessage: "internal server error",
 		},
 		{
-			name:         "member cluster - delete error on binding propagated",
-			isHub:        false,
+			name:         "delete error on vap binding",
 			existingObjs: []client.Object{},
 			deleteErrors: map[client.ObjectKey]error{
 				client.ObjectKeyFromObject(binding): apierrors.NewForbidden(schema.GroupResource{Group: "admissionregistration.k8s.io", Resource: "validatingadmissionpolicybindings"}, binding.Name, errors.New("forbidden")),
@@ -316,7 +282,7 @@ func TestEnsureNoVAP(t *testing.T) {
 				WithInterceptorFuncs(interceptorFuncs).
 				Build()
 
-			err := EnsureNoVAP(context.Background(), fakeClient, tt.isHub)
+			err := EnsureNoVAP(context.Background(), fakeClient)
 
 			if tt.wantErr {
 				if err == nil {
@@ -334,7 +300,7 @@ func TestEnsureNoVAP(t *testing.T) {
 			}
 
 			// Verify objects are deleted (or don't exist)
-			expectedObjs := []client.Object{getValidatingAdmissionPolicy(tt.isHub), getValidatingAdmissionPolicyBinding()}
+			expectedObjs := []client.Object{getValidatingAdmissionPolicy(), getValidatingAdmissionPolicyBinding()}
 			for _, obj := range expectedObjs {
 				err := fakeClient.Get(context.Background(), client.ObjectKeyFromObject(obj), obj)
 				if !apierrors.IsNotFound(err) {
@@ -349,36 +315,32 @@ func TestGetVAPWithMutator(t *testing.T) {
 	t.Parallel()
 
 	tests := []struct {
-		name  string
-		isHub bool
+		name string
 	}{
 		{
-			name:  "hub cluster VAP",
-			isHub: true,
-		},
-		{
-			name:  "member cluster VAP",
-			isHub: false,
+			name: "VAP with mutator",
 		},
 	}
 
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			t.Parallel()
 
-			vap, mutateFunc := getVAPWithMutator(tt.isHub)
+			vap, mutateFunc := getVAPWithMutator()
 
 			// Verify initial state
 			if vap == nil {
 				t.Fatal("getVAPWithMutator() returned nil VAP")
+				return
 			}
 			if mutateFunc == nil {
 				t.Fatal("getVAPWithMutator() returned nil mutate function")
+				return
 			}
 
 			// Verify mutate function works
 			gotVAP := vap.DeepCopy()
-			wantVAP := getValidatingAdmissionPolicy(tt.isHub)
+			wantVAP := getValidatingAdmissionPolicy()
 			ignoreOpts := cmp.Options{
 				cmpopts.IgnoreFields(metav1.ObjectMeta{}, "ResourceVersion", "ManagedFields", "Generation"),
 			}