Allow using label selectors in PermissionClaims

xmudrii · xmudrii · commit e86d12847565 · 2025-08-22T19:00:42.000+02:00
On-behalf-of: @SAP marko.mudrinic@sap.com Signed-off-by: Marko Mudrinić <mudrinic.mare@gmail.com>
diff --git a/config/crds/apis.kcp.io_apibindings.yaml b/config/crds/apis.kcp.io_apibindings.yaml
@@ -557,9 +557,6 @@ spec:
                       x-kubernetes-validations:
                       - message: Permission claim selector is immutable
                         rule: self == oldSelf
-                      - message: a selector is required. Only "matchAll" is currently
-                          implemented
-                        rule: (has(self.matchAll) && self.matchAll)
                     state:
                       enum:
                       - Accepted
@@ -710,9 +707,6 @@ spec:
                       x-kubernetes-validations:
                       - message: Permission claim selector is immutable
                         rule: self == oldSelf
-                      - message: a selector is required. Only "matchAll" is currently
-                          implemented
-                        rule: (has(self.matchAll) && self.matchAll)
                     verbs:
                       description: |-
                         verbs is a list of supported API operation types (this includes
diff --git a/sdk/apis/apis/v1alpha2/types_apibinding.go b/sdk/apis/apis/v1alpha2/types_apibinding.go
@@ -117,8 +117,6 @@ const (
 
 // PermissionClaimSelector configures scoped access to objects
 // of a claimed resource.
-//
-// +kubebuilder:validation:XValidation:rule="(has(self.matchAll) && self.matchAll)",message="a selector is required. Only \"matchAll\" is currently implemented"
 type PermissionClaimSelector struct {
 	metav1.LabelSelector `json:",inline"`
 
diff --git a/sdk/apis/apis/v1alpha2/types_apibinding_test.go b/sdk/apis/apis/v1alpha2/types_apibinding_test.go
@@ -105,109 +105,3 @@ func TestAPIBindingAPIExportReferenceCELValidation(t *testing.T) {
 		})
 	}
 }
-
-// TestAPIBindingAPIExportReferenceCELValidation will validate the APIExport reference for an otherwise valid APIBinding.
-func TestAPIBindingPermissionClaimSelectorCELValidation(t *testing.T) {
-	testCases := []struct {
-		name         string
-		current, old map[string]any
-		wantErrs     []string
-	}{
-		{
-			name: "no change",
-			current: map[string]any{
-				"matchAll": true,
-			},
-			old: map[string]any{
-				"matchAll": true,
-			},
-		},
-		{
-			name:    "nothing set",
-			current: map[string]any{},
-			old:     map[string]any{},
-			wantErrs: []string{
-				"openAPIV3Schema.properties.spec.properties.permissionClaims.items.properties.selector: Invalid value: \"object\": a selector is required. Only \"matchAll\" is currently implemented",
-			},
-		},
-		{
-			name: "using matchLabels",
-			current: map[string]any{
-				"matchLabels": map[string]any{
-					"kcp.io/fake": "test",
-				},
-			},
-			old: map[string]any{
-				"matchLabels": map[string]any{
-					"kcp.io/fake": "test",
-				},
-			},
-			wantErrs: []string{
-				"openAPIV3Schema.properties.spec.properties.permissionClaims.items.properties.selector: Invalid value: \"object\": a selector is required. Only \"matchAll\" is currently implemented",
-			},
-		},
-		/*
-			// TODO(embik): for future updates to unlock other matchers
-				{
-					name: "change from matchAll to matchLabels",
-					current: map[string]any{
-						"matchLabels": map[string]any{
-							"kcp.io/fake": "test",
-						},
-					},
-					old: map[string]any{
-						"matchAll": true,
-					},
-					wantErrs: []string{
-						"openAPIV3Schema.properties.spec.properties.permissionClaims.items.properties.selector: Invalid value: \"object\": Permission claim selector must not be changed",
-					},
-				},
-				{
-					name: "multiple matchers configured",
-					current: map[string]any{
-						"matchLabels": map[string]any{
-							"kcp.io/fake": "test",
-						},
-						"matchAll": true,
-					},
-					old: map[string]any{
-						"matchLabels": map[string]any{
-							"kcp.io/fake": "test",
-						},
-						"matchAll": true,
-					},
-					wantErrs: []string{
-						"openAPIV3Schema.properties.spec.properties.permissionClaims.items.properties.selector: Invalid value: \"object\": either \"matchAll\", \"matchLabels\" or \"matchExpressions\" must be set",
-					},
-				},
-		*/
-	}
-
-	validators := apitest.FieldValidatorsFromFile(t, "../../../../config/crds/apis.kcp.io_apibindings.yaml")
-
-	for _, tc := range testCases {
-		pth := "openAPIV3Schema.properties.spec.properties.permissionClaims.items.properties.selector"
-		validator, found := validators["v1alpha2"][pth]
-		require.True(t, found, "failed to find validator for %s", pth)
-
-		t.Run(tc.name, func(t *testing.T) {
-			errs := validator(tc.current, tc.old)
-			if len(errs) > 0 {
-				for _, err := range errs {
-					t.Logf("'%s': observed validation error: %s", tc.name, err)
-				}
-			}
-
-			if got := len(errs); got != len(tc.wantErrs) {
-				t.Fatalf("'%s': expected %d errors, got %d", tc.name, len(tc.wantErrs), len(errs))
-			}
-
-			for i := range tc.wantErrs {
-				got := errs[i].Error()
-				if got != tc.wantErrs[i] {
-					t.Errorf("'%s': want error %q, got %q", tc.name, tc.wantErrs[i], got)
-				}
-			}
-		})
-	}
-}
diff --git a/sdk/apis/apis/v1alpha2/validation.go b/sdk/apis/apis/v1alpha2/validation.go
@@ -27,6 +27,7 @@ func ValidateAPIBinding(apiBinding *APIBinding) field.ErrorList {
 	allErrs := field.ErrorList{}
 
 	allErrs = append(allErrs, ValidateAPIBindingReference(apiBinding.Spec.Reference, field.NewPath("spec", "reference"))...)
+	allErrs = append(allErrs, ValidateAPIBindingPermissionClaims(apiBinding.Spec.PermissionClaims, field.NewPath("spec", "permissionClaims"))...)
 
 	return allErrs
 }
@@ -61,3 +62,25 @@ func ValidateAPIBindingReference(reference BindingReference, path *field.Path) f
 
 	return allErrs
 }
+
+// ValidateAPIBindingPermissionClaims validates an APIBinding's PermissionClaims.
+func ValidateAPIBindingPermissionClaims(permissionClaims []AcceptablePermissionClaim, path *field.Path) field.ErrorList {
+	allErrs := field.ErrorList{}
+
+	for i := range permissionClaims {
+		claimPath := path.Index(i)
+
+		if permissionClaims[i].Selector.MatchAll {
+			if len(permissionClaims[i].Selector.MatchLabels) > 0 {
+				allErrs = append(allErrs, field.Invalid(claimPath.Child("selector").Child("matchLabels"), permissionClaims[i].Selector, "matchLabels cannot be used with matchAll"))
+			}
+			if len(permissionClaims[i].Selector.MatchExpressions) > 0 {
+				allErrs = append(allErrs, field.Invalid(claimPath.Child("selector").Child("matchExpressions"), permissionClaims[i].Selector, "matchExpressions cannot be used with matchAll"))
+			}
+		} else if len(permissionClaims[i].Selector.MatchLabels) == 0 && len(permissionClaims[i].Selector.MatchExpressions) == 0 {
+			allErrs = append(allErrs, field.Required(claimPath.Child("selector"), "either one of matchAll, matchLabels, or matchExpressions must be set"))
+		}
+	}
+
+	return allErrs
+}
diff --git a/sdk/apis/apis/v1alpha2/validation_test.go b/sdk/apis/apis/v1alpha2/validation_test.go
@@ -0,0 +1,184 @@
+/*
+Copyright 2025 The KCP Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha2
+
+import (
+	"slices"
+	"testing"
+
+	"k8s.io/apimachinery/pkg/api/equality"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/util/validation/field"
+)
+
+func TestValidateAPIBindingPermissionClaims(t *testing.T) {
+	tests := map[string]struct {
+		permissionClaims []AcceptablePermissionClaim
+		wantErrs         []string
+	}{
+		"matchAll": {
+			permissionClaims: []AcceptablePermissionClaim{
+				{
+					ScopedPermissionClaim: ScopedPermissionClaim{
+						Selector: PermissionClaimSelector{
+							MatchAll: true,
+						},
+					},
+				},
+			},
+			wantErrs: nil,
+		},
+		"matchLabels": {
+			permissionClaims: []AcceptablePermissionClaim{
+				{
+					ScopedPermissionClaim: ScopedPermissionClaim{
+						Selector: PermissionClaimSelector{
+							LabelSelector: metav1.LabelSelector{
+								MatchLabels: map[string]string{
+									"test": "test",
+								},
+							},
+						},
+					},
+				},
+			},
+			wantErrs: nil,
+		},
+		"matchExpressions": {
+			permissionClaims: []AcceptablePermissionClaim{
+				{
+					ScopedPermissionClaim: ScopedPermissionClaim{
+						Selector: PermissionClaimSelector{
+							LabelSelector: metav1.LabelSelector{
+								MatchExpressions: []metav1.LabelSelectorRequirement{
+									{
+										Key:      "test",
+										Operator: metav1.LabelSelectorOpIn,
+										Values:   []string{"test"},
+									},
+								},
+							},
+						},
+					},
+				},
+			},
+			wantErrs: nil,
+		},
+		"none": {
+			permissionClaims: []AcceptablePermissionClaim{
+				{
+					ScopedPermissionClaim: ScopedPermissionClaim{
+						Selector: PermissionClaimSelector{},
+					},
+				},
+			},
+			wantErrs: []string{"spec.permissionClaims[0].selector: Required value: either one of matchAll, matchLabels, or matchExpressions must be set"},
+		},
+		"empty": {
+			permissionClaims: []AcceptablePermissionClaim{
+				{
+					ScopedPermissionClaim: ScopedPermissionClaim{
+						Selector: PermissionClaimSelector{
+							MatchAll: false,
+							LabelSelector: metav1.LabelSelector{
+								MatchLabels:      map[string]string{},
+								MatchExpressions: []metav1.LabelSelectorRequirement{},
+							},
+						},
+					},
+				},
+			},
+			wantErrs: []string{"spec.permissionClaims[0].selector: Required value: either one of matchAll, matchLabels, or matchExpressions must be set"},
+		},
+		"matchAll+matchLabels+matchExpressions": {
+			permissionClaims: []AcceptablePermissionClaim{
+				{
+					ScopedPermissionClaim: ScopedPermissionClaim{
+						Selector: PermissionClaimSelector{
+							MatchAll: true,
+							LabelSelector: metav1.LabelSelector{
+								MatchLabels: map[string]string{
+									"test": "test",
+								},
+							},
+						},
+					},
+				},
+				{
+					ScopedPermissionClaim: ScopedPermissionClaim{
+						Selector: PermissionClaimSelector{
+							MatchAll: true,
+							LabelSelector: metav1.LabelSelector{
+								MatchExpressions: []metav1.LabelSelectorRequirement{
+									{
+										Key:      "test",
+										Operator: metav1.LabelSelectorOpIn,
+										Values:   []string{"test"},
+									},
+								},
+							},
+						},
+					},
+				},
+				{
+					ScopedPermissionClaim: ScopedPermissionClaim{
+						Selector: PermissionClaimSelector{
+							MatchAll: true,
+							LabelSelector: metav1.LabelSelector{
+								MatchLabels: map[string]string{
+									"test": "test",
+								},
+								MatchExpressions: []metav1.LabelSelectorRequirement{
+									{
+										Key:      "test",
+										Operator: metav1.LabelSelectorOpIn,
+										Values:   []string{"test"},
+									},
+								},
+							},
+						},
+					},
+				},
+			},
+			wantErrs: []string{
+				"spec.permissionClaims[0].selector.matchLabels: Invalid value: v1alpha2.PermissionClaimSelector{LabelSelector:v1.LabelSelector{MatchLabels:map[string]string{\"test\":\"test\"}, MatchExpressions:[]v1.LabelSelectorRequirement(nil)}, MatchAll:true}: matchLabels cannot be used with matchAll",
+				"spec.permissionClaims[1].selector.matchExpressions: Invalid value: v1alpha2.PermissionClaimSelector{LabelSelector:v1.LabelSelector{MatchLabels:map[string]string(nil), MatchExpressions:[]v1.LabelSelectorRequirement{v1.LabelSelectorRequirement{Key:\"test\", Operator:\"In\", Values:[]string{\"test\"}}}}, MatchAll:true}: matchExpressions cannot be used with matchAll",
+				"spec.permissionClaims[2].selector.matchExpressions: Invalid value: v1alpha2.PermissionClaimSelector{LabelSelector:v1.LabelSelector{MatchLabels:map[string]string{\"test\":\"test\"}, MatchExpressions:[]v1.LabelSelectorRequirement{v1.LabelSelectorRequirement{Key:\"test\", Operator:\"In\", Values:[]string{\"test\"}}}}, MatchAll:true}: matchExpressions cannot be used with matchAll",
+				"spec.permissionClaims[2].selector.matchLabels: Invalid value: v1alpha2.PermissionClaimSelector{LabelSelector:v1.LabelSelector{MatchLabels:map[string]string{\"test\":\"test\"}, MatchExpressions:[]v1.LabelSelectorRequirement{v1.LabelSelectorRequirement{Key:\"test\", Operator:\"In\", Values:[]string{\"test\"}}}}, MatchAll:true}: matchLabels cannot be used with matchAll",
+			},
+		},
+	}
+
+	for name, tc := range tests {
+		t.Run(name, func(t *testing.T) {
+			got := ValidateAPIBindingPermissionClaims(tc.permissionClaims, field.NewPath("spec", "permissionClaims"))
+
+			// Convert FieldErrors into a string slice
+			errs := []string{}
+			for _, err := range got {
+				errs = append(errs, err.Error())
+			}
+
+			slices.Sort(errs)
+			slices.Sort(tc.wantErrs)
+
+			if !equality.Semantic.DeepEqual(errs, tc.wantErrs) {
+				t.Errorf("ValidateAPIBindingPermissionClaims() = %v, want %v", errs, tc.wantErrs)
+			}
+		})
+	}
+}
