
Commit 28cd9a3

committed
validations for awsmanagedcontrolplane accessentries
1 parent 161ec2d commit 28cd9a3


1 file changed

+50
-0
lines changed


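--- a/controlplane/eks/api/v1beta2/awsmanagedcontrolplane_webhook.go
+++ b/controlplane/eks/api/v1beta2/awsmanagedcontrolplane_webhook.go
@@ -346,6 +346,56 @@ func (r *AWSManagedControlPlane) validateAccessConfig(old *AWSManagedControlPlan
 		mcpLog.Info("Ignoring changes to BootstrapClusterCreatorAdminPermissions on cluster update", "old", old.Spec.AccessConfig.BootstrapClusterCreatorAdminPermissions, "new", r.Spec.AccessConfig.BootstrapClusterCreatorAdminPermissions)
 	}
 
+	// AccessEntries require AuthenticationMode to be API or API_AND_CONFIG_MAP
+	if r.Spec.AccessConfig != nil && len(r.Spec.AccessConfig.AccessEntries) > 0 {
+		if r.Spec.AccessConfig.AuthenticationMode != EKSAuthenticationModeAPI &&
+			r.Spec.AccessConfig.AuthenticationMode != EKSAuthenticationModeAPIAndConfigMap {
+			allErrs = append(allErrs,
+				field.Invalid(
+					field.NewPath("spec", "accessConfig", "accessEntries"),
+					r.Spec.AccessConfig.AccessEntries,
+					"accessEntries can only be used when authenticationMode is set to API or API_AND_CONFIG_MAP",
+				),
+			)
+		}
+
+		// Validate that EC2 types don't have kubernetes groups or access policies
+		for i, entry := range r.Spec.AccessConfig.AccessEntries {
+			if entry.Type == "EC2_LINUX" || entry.Type == "EC2_WINDOWS" {
+				if len(entry.KubernetesGroups) > 0 {
+					allErrs = append(allErrs,
+						field.Invalid(
+							field.NewPath("spec", "accessConfig", "accessEntries").Index(i).Child("kubernetesGroups"),
+							entry.KubernetesGroups,
+							"kubernetesGroups cannot be specified when type is EC2_LINUX or EC2_WINDOWS",
+						),
+					)
+				}
+				if len(entry.AccessPolicies) > 0 {
+					allErrs = append(allErrs,
+						field.Invalid(
+							field.NewPath("spec", "accessConfig", "accessEntries").Index(i).Child("accessPolicies"),
+							entry.AccessPolicies,
+							"accessPolicies cannot be specified when type is EC2_LINUX or EC2_WINDOWS",
+						),
+					)
+				}
+			}
+
+			// Validate namespace scopes
+			for j, policy := range entry.AccessPolicies {
+				if policy.AccessScope.Type == "namespace" && len(policy.AccessScope.Namespaces) == 0 {
+					allErrs = append(allErrs,
+						field.Invalid(
+							field.NewPath("spec", "accessConfig", "accessEntries").Index(i).Child("accessPolicies").Index(j).Child("accessScope", "namespaces"),
+							policy.AccessScope.Namespaces,
+							"at least one value must be specified when accessScope type is namespace",
+						),
+					)
+				}
+			}
+		}
+	}
 	return allErrs
 }
 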
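Review bot: The new checks at new-side lines 364 and 387 compare `entry.Type` and `policy.AccessScope.Type` against bare string literals (`"EC2_LINUX"`, `"EC2_WINDOWS"`, `"namespace"`) while the authenticationMode check a few lines earlier uses the typed `EKSAuthenticationMode*` constants; if the API package already declares constants (or a CRD enum) for access entry and scope types, use them here so a typo or case difference in a manifest cannot silently skip validation. The namespace-scope check is also one-sided: a policy with `accessScope.type` of `cluster` and a non-empty `namespaces` list passes the webhook and is presumably rejected only by the EKS API at reconcile time, so add the mirror case `if policy.AccessScope.Type == "cluster" && len(policy.AccessScope.Namespaces) > 0 {` with the message `"namespaces cannot be specified when accessScope type is cluster"`. Because access entries bind IAM principals to cluster- or namespace-wide Kubernetes permissions, the admission webhook is also the right place to reject duplicate `principalArn` values across entries, which would otherwise surface as a confusing reconcile failure. validateAccessConfig begins before this hunk, so whether AuthenticationMode has already been defaulted when this block runs is not visible here.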