
Commit 32efafb

adammwjoshfrench
authored andcommitted
Add webhook validation for access config
1 parent b289e83 commit 32efafb


2 files changed

+113
-0
lines changed


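--- a/controlplane/eks/api/v1beta2/awsmanagedcontrolplane_webhook.go
+++ b/controlplane/eks/api/v1beta2/awsmanagedcontrolplane_webhook.go
@@ -140,6 +140,7 @@ func (*awsManagedControlPlaneWebhook) ValidateUpdate(ctx context.Context, oldObj
 allErrs = append(allErrs, r.validateEKSClusterNameSame(oldAWSManagedControlplane)...)
 allErrs = append(allErrs, r.validateEKSVersion(oldAWSManagedControlplane)...)
 allErrs = append(allErrs, r.Spec.Bastion.Validate()...)
+allErrs = append(allErrs, r.validateAccessConfig(oldAWSManagedControlplane)...)
 allErrs = append(allErrs, r.validateIAMAuthConfig()...)
 allErrs = append(allErrs, r.validateSecondaryCIDR()...)
 allErrs = append(allErrs, r.validateEKSAddons()...)
@@ -318,6 +319,28 @@ func validateEKSAddons(eksVersion *string, networkSpec infrav1.NetworkSpec, addo
 return allErrs
 }
 
+func (r *AWSManagedControlPlane) validateAccessConfig(old *AWSManagedControlPlane) field.ErrorList {
+var allErrs field.ErrorList
+
+// If accessConfig is already set, do not allow removal of it.
+if old.Spec.AccessConfig != nil && r.Spec.AccessConfig == nil {
+allErrs = append(allErrs,
+field.Invalid(field.NewPath("spec", "accessConfig"), r.Spec.AccessConfig, "removing AccessConfig is not allowed after it has been enabled"),
+)
+}
+
+// AuthenticationMode is ratcheting - do not allow downgrades
+if old.Spec.AccessConfig != nil && old.Spec.AccessConfig.AuthenticationMode != r.Spec.AccessConfig.AuthenticationMode &&
+((old.Spec.AccessConfig.AuthenticationMode == EKSAuthenticationModeApiAndConfigMap && r.Spec.AccessConfig.AuthenticationMode == EKSAuthenticationModeConfigMap) ||
+old.Spec.AccessConfig.AuthenticationMode == EKSAuthenticationModeApi) {
+allErrs = append(allErrs,
+field.Invalid(field.NewPath("spec", "accessConfig", "authenticationMode"), r.Spec.AccessConfig.AuthenticationMode, "downgrading authentication mode is not allowed after it has been enabled"),
+)
+}
+
+return allErrs
+}
+
 func (r *AWSManagedControlPlane) validateIAMAuthConfig() field.ErrorList {
 return validateIAMAuthConfig(r.Spec.IAMAuthenticatorConfig, field.NewPath("spec.iamAuthenticatorConfig"))
 }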
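Review bot: The ratcheting condition at new line 333 dereferences `r.Spec.AccessConfig` without a nil check, so an update that removes AccessConfig — the exact case the first branch rejects — continues past the appended error and panics with a nil pointer dereference instead of returning the intended validation error (unless a defaulting webhook always repopulates Spec.AccessConfig before validation, which this hunk does not show). Add `r.Spec.AccessConfig != nil &&` to that condition, or put `return allErrs` inside the first branch so the removal case short-circuits. A panic inside an admission webhook reaches the API server as a transport failure rather than a `field.Invalid` message, which makes the rejection hard for operators to diagnose and means the outcome depends on the webhook's failurePolicy rather than on this policy. The method would also benefit from a doc comment such as `// validateAccessConfig rejects removal of spec.accessConfig and any downgrade of its authenticationMode once it has been set.` The first hunk's caller, ValidateUpdate, starts and ends outside the hunk.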

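--- a/controlplane/eks/api/v1beta2/awsmanagedcontrolplane_webhook_test.go
+++ b/controlplane/eks/api/v1beta2/awsmanagedcontrolplane_webhook_test.go
@@ -669,6 +669,96 @@ func TestWebhookUpdate(t *testing.T) {
 },
 expectError: false,
 },
+{
+name: "no change in access config",
+oldClusterSpec: AWSManagedControlPlaneSpec{
+EKSClusterName: "default_cluster1",
+AccessConfig: &AccessConfig{
+AuthenticationMode: EKSAuthenticationModeConfigMap,
+},
+},
+newClusterSpec: AWSManagedControlPlaneSpec{
+EKSClusterName: "default_cluster1",
+AccessConfig: &AccessConfig{
+AuthenticationMode: EKSAuthenticationModeConfigMap,
+},
+},
+expectError: false,
+},
+{
+name: "change in access config to nil",
+oldClusterSpec: AWSManagedControlPlaneSpec{
+EKSClusterName: "default_cluster1",
+AccessConfig: &AccessConfig{
+AuthenticationMode: EKSAuthenticationModeConfigMap,
+},
+},
+newClusterSpec: AWSManagedControlPlaneSpec{
+EKSClusterName: "default_cluster1",
+},
+expectError: true,
+},
+{
+name: "change in access config from nil to valid",
+oldClusterSpec: AWSManagedControlPlaneSpec{
+EKSClusterName: "default_cluster1",
+},
+newClusterSpec: AWSManagedControlPlaneSpec{
+EKSClusterName: "default_cluster1",
+AccessConfig: &AccessConfig{
+AuthenticationMode: EKSAuthenticationModeConfigMap,
+},
+},
+expectError: false,
+},
+{
+name: "change in access config auth mode from ApiAndConfigMap to API is allowed",
+oldClusterSpec: AWSManagedControlPlaneSpec{
+EKSClusterName: "default_cluster1",
+AccessConfig: &AccessConfig{
+AuthenticationMode: EKSAuthenticationModeApiAndConfigMap,
+},
+},
+newClusterSpec: AWSManagedControlPlaneSpec{
+EKSClusterName: "default_cluster1",
+AccessConfig: &AccessConfig{
+AuthenticationMode: EKSAuthenticationModeApi,
+},
+},
+expectError: false,
+},
+{
+name: "change in access config auth mode from API to Config Map is denied",
+oldClusterSpec: AWSManagedControlPlaneSpec{
+EKSClusterName: "default_cluster1",
+AccessConfig: &AccessConfig{
+AuthenticationMode: EKSAuthenticationModeApi,
+},
+},
+newClusterSpec: AWSManagedControlPlaneSpec{
+EKSClusterName: "default_cluster1",
+AccessConfig: &AccessConfig{
+AuthenticationMode: EKSAuthenticationModeConfigMap,
+},
+},
+expectError: true,
+},
+{
+name: "change in access config auth mode from APIAndConfigMap to Config Map is denied",
+oldClusterSpec: AWSManagedControlPlaneSpec{
+EKSClusterName: "default_cluster1",
+AccessConfig: &AccessConfig{
+AuthenticationMode: EKSAuthenticationModeApiAndConfigMap,
+},
+},
+newClusterSpec: AWSManagedControlPlaneSpec{
+EKSClusterName: "default_cluster1",
+AccessConfig: &AccessConfig{
+AuthenticationMode: EKSAuthenticationModeConfigMap,
+},
+},
+expectError: true,
+},
 {
 name: "change in encryption config to nil",
 oldClusterSpec: AWSManagedControlPlaneSpec{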
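Review bot: The new cases (new lines 672–761) leave two transitions that the validator decides unpinned: ConfigMap → Api (allowed, the upgrade path the ratchet exists for) and Api → ApiAndConfigMap, which the validator denies because the `old == EKSAuthenticationModeApi` clause rejects any change away from Api; a case for each would document that the latter is intended rather than an accident of the condition. The "change in access config to nil" case only asserts `expectError: true`, so if the validator were to panic on the nil new AccessConfig the case would still pass when the update goes through a webhook server that turns the panic into a transport error; asserting on the returned error text (the "removing AccessConfig is not allowed" message) would distinguish a policy rejection from a crash. TestWebhookUpdate starts and ends outside the hunk, so whether the harness inspects error contents cannot be confirmed from here.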
