Tighten the VAP rule for all managed resources

Signed-off-by: Nont <[email protected]>

Author: Nont

charts/member-agent-arc/templates/serviceaccount.yaml

@@ -1,6 +1,8 @@
 apiVersion: v1
 kind: ServiceAccount
 metadata:
+  # the name is also used in the managed resource validating admission webhook.
+  # please make the change accordingly when you change the name.
   name: fleet-member-agent-sa
   namespace: fleet-system
   labels:

pkg/webhook/managedresource/createordelete_test.go

@@ -371,9 +371,11 @@ func TestGetVAPWithMutator(t *testing.T) {
 			// Verify initial state
 			if vap == nil {
 				t.Fatal("getVAPWithMutator() returned nil VAP")
+				return
 			}
 			if mutateFunc == nil {
 				t.Fatal("getVAPWithMutator() returned nil mutate function")
+				return
 			}
 
 			// Verify mutate function works
@@ -411,9 +413,11 @@ func TestGetVAPBindingWithMutator(t *testing.T) {
 	// Verify initial state
 	if vapb == nil {
 		t.Fatal("getVAPBindingWithMutator() returned nil VAP binding")
+		return
 	}
 	if mutateFunc == nil {
 		t.Fatal("getVAPBindingWithMutator() returned nil mutate function")
+		return
 	}
 
 	// Verify mutate function works

pkg/webhook/managedresource/validatingadmissionpolicy.go

@@ -42,58 +42,30 @@ func mutateValidatingAdmissionPolicy(vap *admv1.ValidatingAdmissionPolicy, isHub
 				{
 					RuleWithOperations: admv1.RuleWithOperations{
 						Rule: admv1.Rule{
-							APIGroups:   []string{""},
-							Resources:   []string{"namespaces"},
-							APIVersions: []string{"v1"},
-						},
-						Operations: []admv1.OperationType{admv1.Create, admv1.Update, admv1.Delete},
-					},
-				},
-				{
-					RuleWithOperations: admv1.RuleWithOperations{
-						Rule: admv1.Rule{
-							APIGroups:   []string{""},
-							Resources:   []string{"resourcequotas"},
-							APIVersions: []string{"v1"},
-						},
-						Operations: []admv1.OperationType{admv1.Create, admv1.Update, admv1.Delete},
-					},
-					ResourceNames: []string{"default"},
-				},
-				{
-					RuleWithOperations: admv1.RuleWithOperations{
-						Rule: admv1.Rule{
-							APIGroups:   []string{"networking.k8s.io"},
-							Resources:   []string{"networkpolicies"},
+							APIGroups:   []string{"*"},
+							Resources:   []string{"*"},
 							APIVersions: []string{"*"},
 						},
 						Operations: []admv1.OperationType{admv1.Create, admv1.Update, admv1.Delete},
 					},
-					ResourceNames: []string{"default"},
 				},
 			},
 		},
 		Validations: []admv1.Validation{
 			{
-				Expression: `"system:masters" in request.userInfo.groups || "system:serviceaccounts:kube-system" in request.userInfo.groups || "system:serviceaccounts:fleet-system" in request.userInfo.groups || "system:serviceaccounts:openshift-kube-controller-manager" in request.userInfo.groups`,
-				Message:    "Create, Update, or Delete operations on ARM managed resources is forbidden",
-				Reason:     &forbidden,
+				Expression: `(
+					request.userInfo.username == "aksService" ||
+					request.userInfo.username == "fleet-member-agent-sa")
+					&& (
+					"system:masters" in request.userInfo.groups ||
+					"system:serviceaccounts:kube-system" in request.userInfo.groups ||
+					"system:serviceaccounts:fleet-system" in request.userInfo.groups ||
+					"system:serviceaccounts:openshift-kube-controller-manager" in request.userInfo.groups)`,
+				Message: "Create, Update, or Delete operations on ARM managed resources is forbidden",
+				Reason:  &forbidden,
 			},
 		},
 	}
-
-	if isHub {
-		vap.Spec.MatchConstraints.ResourceRules = append(vap.Spec.MatchConstraints.ResourceRules, admv1.NamedRuleWithOperations{
-			RuleWithOperations: admv1.RuleWithOperations{
-				Rule: admv1.Rule{
-					APIGroups:   []string{"placement.kubernetes-fleet.io"},
-					Resources:   []string{"*"},
-					APIVersions: []string{"*"},
-				},
-				Operations: []admv1.OperationType{admv1.Create, admv1.Update, admv1.Delete},
-			},
-		})
-	}
 }
 
 func getValidatingAdmissionPolicyBinding() *admv1.ValidatingAdmissionPolicyBinding {

pkg/webhook/managedresource/validatingadmissionpolicy_test.go

@@ -16,60 +16,52 @@ import (
 func TestGetValidatingAdmissionPolicy(t *testing.T) {
 	t.Parallel()
 
-	t.Run("member", func(t *testing.T) {
-		t.Parallel()
+	tests := []struct {
+		name  string
+		isHub bool
+	}{
+		{
+			name:  "member cluster",
+			isHub: false,
+		},
+		{
+			name:  "hub cluster",
+			isHub: true,
+		},
+	}
 
-		vap := getValidatingAdmissionPolicy(false)
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			t.Parallel()
 
-		unwantedRule := admv1.NamedRuleWithOperations{
-			RuleWithOperations: admv1.RuleWithOperations{
-				Rule: admv1.Rule{
-					APIGroups:   []string{"placement.kubernetes-fleet.io"},
-					Resources:   []string{"clusterresourceplacements"},
-					APIVersions: []string{"*"},
+			vap := getValidatingAdmissionPolicy(tt.isHub)
+
+			// Both hub and member clusters should have the same single rule that covers all resources
+			expectedRule := admv1.NamedRuleWithOperations{
+				RuleWithOperations: admv1.RuleWithOperations{
+					Rule: admv1.Rule{
+						APIGroups:   []string{"*"},
+						Resources:   []string{"*"},
+						APIVersions: []string{"*"},
+					},
+					Operations: []admv1.OperationType{admv1.Create, admv1.Update, admv1.Delete},
 				},
-				Operations: []admv1.OperationType{admv1.Create, admv1.Update, admv1.Delete},
-			},
-		}
-
-		if vap.Spec.MatchConstraints != nil {
-			for _, rule := range vap.Spec.MatchConstraints.ResourceRules {
-				if diff := cmp.Diff(unwantedRule, rule); diff == "" {
-					t.Errorf("getValidatingAdmissionPolicy(false) contains unwanted rule %+v", unwantedRule)
-				}
 			}
-		}
-	})
 
-	t.Run("hub", func(t *testing.T) {
-		t.Parallel()
+			if vap.Spec.MatchConstraints == nil {
+				t.Fatal("MatchConstraints should not be nil")
+			}
 
-		vap := getValidatingAdmissionPolicy(true)
+			if len(vap.Spec.MatchConstraints.ResourceRules) != 1 {
+				t.Errorf("Expected exactly 1 resource rule, got %d", len(vap.Spec.MatchConstraints.ResourceRules))
+			}
 
-		wantedRule := admv1.NamedRuleWithOperations{
-			RuleWithOperations: admv1.RuleWithOperations{
-				Rule: admv1.Rule{
-					APIGroups:   []string{"placement.kubernetes-fleet.io"},
-					Resources:   []string{"*"},
-					APIVersions: []string{"*"},
-				},
-				Operations: []admv1.OperationType{admv1.Create, admv1.Update, admv1.Delete},
-			},
-		}
-
-		found := false
-		if vap.Spec.MatchConstraints != nil {
-			for _, rule := range vap.Spec.MatchConstraints.ResourceRules {
-				if diff := cmp.Diff(wantedRule, rule); diff == "" {
-					found = true
-					break
-				}
+			actualRule := vap.Spec.MatchConstraints.ResourceRules[0]
+			if diff := cmp.Diff(expectedRule, actualRule); diff != "" {
+				t.Errorf("Resource rule mismatch (-want +got):\n%s", diff)
 			}
-		}
-		if !found {
-			t.Errorf("getValidatingAdmissionPolicy(true) missing expected rule %+v", wantedRule)
-		}
-	})
+		})
+	}
 }
 
 func TestMutateValidatingAdmissionPolicy(t *testing.T) {

test/e2e/framework/cluster.go

@@ -62,7 +62,7 @@ func NewCluster(name, svcAccountName string, scheme *runtime.Scheme, pp trackers
 func GetClusterClient(cluster *Cluster) {
 	clusterConfig := GetClientConfig(cluster)
 	impersonateClusterConfig := GetImpersonateClientConfig(cluster)
-	systemMastersConfig := GetSystemMastersClientConfig(cluster)
+	systemMastersConfig := GetAKSServiceSystemMastersClientConfig(cluster)
 
 	restConfig, err := clusterConfig.ClientConfig()
 	if err != nil {
@@ -106,13 +106,13 @@ func GetClientConfig(cluster *Cluster) clientcmd.ClientConfig {
 		})
 }
 
-func GetSystemMastersClientConfig(cluster *Cluster) clientcmd.ClientConfig {
+func GetAKSServiceSystemMastersClientConfig(cluster *Cluster) clientcmd.ClientConfig {
 	return clientcmd.NewNonInteractiveDeferredLoadingClientConfig(
 		&clientcmd.ClientConfigLoadingRules{ExplicitPath: kubeconfigPath},
 		&clientcmd.ConfigOverrides{
 			CurrentContext: cluster.ClusterName,
 			AuthInfo: api.AuthInfo{
-				Impersonate:       "system",
+				Impersonate:       "aksService",
 				ImpersonateGroups: []string{"system:masters"},
 			},
 		})