
Commit 49e7a7b

committed
Add webhook validation for access config
1 parent f36e389 commit 49e7a7b


2 files changed

+113
-0
lines changed


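--- a/controlplane/eks/api/v1beta2/awsmanagedcontrolplane_webhook.go
+++ b/controlplane/eks/api/v1beta2/awsmanagedcontrolplane_webhook.go
@@ -123,6 +123,7 @@ func (r *AWSManagedControlPlane) ValidateUpdate(old runtime.Object) (admission.W
 allErrs = append(allErrs, r.validateEKSClusterNameSame(oldAWSManagedControlplane)...)
 allErrs = append(allErrs, r.validateEKSVersion(oldAWSManagedControlplane)...)
 allErrs = append(allErrs, r.Spec.Bastion.Validate()...)
+allErrs = append(allErrs, r.validateAccessConfig(oldAWSManagedControlplane)...)
 allErrs = append(allErrs, r.validateIAMAuthConfig()...)
 allErrs = append(allErrs, r.validateSecondaryCIDR()...)
 allErrs = append(allErrs, r.validateEKSAddons()...)
@@ -289,6 +290,28 @@ func (r *AWSManagedControlPlane) validateEKSAddons() field.ErrorList {
 return allErrs
 }
 
+func (r *AWSManagedControlPlane) validateAccessConfig(old *AWSManagedControlPlane) field.ErrorList {
+var allErrs field.ErrorList
+
+// If accessConfig is already set, do not allow removal of it.
+if old.Spec.AccessConfig != nil && r.Spec.AccessConfig == nil {
+allErrs = append(allErrs,
+field.Invalid(field.NewPath("spec", "accessConfig"), r.Spec.AccessConfig, "removing AccessConfig is not allowed after it has been enabled"),
+)
+}
+
+// AuthenticationMode is ratcheting - do not allow downgrades
+if old.Spec.AccessConfig != nil && old.Spec.AccessConfig.AuthenticationMode != r.Spec.AccessConfig.AuthenticationMode &&
+((old.Spec.AccessConfig.AuthenticationMode == EKSAuthenticationModeApiAndConfigMap && r.Spec.AccessConfig.AuthenticationMode == EKSAuthenticationModeConfigMap) ||
+old.Spec.AccessConfig.AuthenticationMode == EKSAuthenticationModeApi) {
+allErrs = append(allErrs,
+field.Invalid(field.NewPath("spec", "accessConfig", "authenticationMode"), r.Spec.AccessConfig.AuthenticationMode, "downgrading authentication mode is not allowed after it has been enabled"),
+)
+}
+
+return allErrs
+}
+
 func (r *AWSManagedControlPlane) validateIAMAuthConfig() field.ErrorList {
 var allErrs field.ErrorList
 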
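Review bot: The ratcheting check at new line 304 reads `r.Spec.AccessConfig.AuthenticationMode` without first checking that `r.Spec.AccessConfig` is non-nil, so an update that clears accessConfig (old set, new nil) appends the removal error from the first block and then panics on a nil pointer dereference in the second; the test case "change in access config to nil" in the sibling file can only pass if something upstream recovers that panic into an error response, which is not a property this validator should rely on. Add the guard to the condition, `if old.Spec.AccessConfig != nil && r.Spec.AccessConfig != nil && old.Spec.AccessConfig.AuthenticationMode != r.Spec.AccessConfig.AuthenticationMode &&`, or return early once the removal error has been recorded. The compound condition also rejects any change away from EKSAuthenticationModeApi, including a move back to EKSAuthenticationModeApiAndConfigMap; that is consistent with the mode being one-way but the comment only says "downgrades", so spell the order out, e.g. `// AuthenticationMode is ratcheting: CONFIG_MAP -> API_AND_CONFIG_MAP -> API. Moving backwards, including API -> API_AND_CONFIG_MAP, is rejected.`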

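--- a/controlplane/eks/api/v1beta2/awsmanagedcontrolplane_webhook_test.go
+++ b/controlplane/eks/api/v1beta2/awsmanagedcontrolplane_webhook_test.go
@@ -603,6 +603,96 @@ func TestWebhookUpdate(t *testing.T) {
 },
 expectError: false,
 },
+{
+name: "no change in access config",
+oldClusterSpec: AWSManagedControlPlaneSpec{
+EKSClusterName: "default_cluster1",
+AccessConfig: &AccessConfig{
+AuthenticationMode: EKSAuthenticationModeConfigMap,
+},
+},
+newClusterSpec: AWSManagedControlPlaneSpec{
+EKSClusterName: "default_cluster1",
+AccessConfig: &AccessConfig{
+AuthenticationMode: EKSAuthenticationModeConfigMap,
+},
+},
+expectError: false,
+},
+{
+name: "change in access config to nil",
+oldClusterSpec: AWSManagedControlPlaneSpec{
+EKSClusterName: "default_cluster1",
+AccessConfig: &AccessConfig{
+AuthenticationMode: EKSAuthenticationModeConfigMap,
+},
+},
+newClusterSpec: AWSManagedControlPlaneSpec{
+EKSClusterName: "default_cluster1",
+},
+expectError: true,
+},
+{
+name: "change in access config from nil to valid",
+oldClusterSpec: AWSManagedControlPlaneSpec{
+EKSClusterName: "default_cluster1",
+},
+newClusterSpec: AWSManagedControlPlaneSpec{
+EKSClusterName: "default_cluster1",
+AccessConfig: &AccessConfig{
+AuthenticationMode: EKSAuthenticationModeConfigMap,
+},
+},
+expectError: false,
+},
+{
+name: "change in access config auth mode from ApiAndConfigMap to API is allowed",
+oldClusterSpec: AWSManagedControlPlaneSpec{
+EKSClusterName: "default_cluster1",
+AccessConfig: &AccessConfig{
+AuthenticationMode: EKSAuthenticationModeApiAndConfigMap,
+},
+},
+newClusterSpec: AWSManagedControlPlaneSpec{
+EKSClusterName: "default_cluster1",
+AccessConfig: &AccessConfig{
+AuthenticationMode: EKSAuthenticationModeApi,
+},
+},
+expectError: false,
+},
+{
+name: "change in access config auth mode from API to Config Map is denied",
+oldClusterSpec: AWSManagedControlPlaneSpec{
+EKSClusterName: "default_cluster1",
+AccessConfig: &AccessConfig{
+AuthenticationMode: EKSAuthenticationModeApi,
+},
+},
+newClusterSpec: AWSManagedControlPlaneSpec{
+EKSClusterName: "default_cluster1",
+AccessConfig: &AccessConfig{
+AuthenticationMode: EKSAuthenticationModeConfigMap,
+},
+},
+expectError: true,
+},
+{
+name: "change in access config auth mode from APIAndConfigMap to Config Map is denied",
+oldClusterSpec: AWSManagedControlPlaneSpec{
+EKSClusterName: "default_cluster1",
+AccessConfig: &AccessConfig{
+AuthenticationMode: EKSAuthenticationModeApiAndConfigMap,
+},
+},
+newClusterSpec: AWSManagedControlPlaneSpec{
+EKSClusterName: "default_cluster1",
+AccessConfig: &AccessConfig{
+AuthenticationMode: EKSAuthenticationModeConfigMap,
+},
+},
+expectError: true,
+},
 {
 name: "change in encryption config to nil",
 oldClusterSpec: AWSManagedControlPlaneSpec{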
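Review bot: The new table cases never exercise the transition from EKSAuthenticationModeApi back to EKSAuthenticationModeApiAndConfigMap, which the `old.Spec.AccessConfig.AuthenticationMode == EKSAuthenticationModeApi` arm of validateAccessConfig rejects; the API → CONFIG_MAP case at new line 665 covers only one of the two outcomes that arm produces. Pinning the other with a case in the same shape keeps a later simplification of that compound condition from silently re-allowing it. TestWebhookUpdate starts and ends outside this hunk, so the case below is placed by the surrounding table entries only.
```go
// … unchanged: preceding table cases up to "change in access config auth mode from APIAndConfigMap to Config Map is denied" …
{
	name: "change in access config auth mode from API to APIAndConfigMap is denied",
	oldClusterSpec: AWSManagedControlPlaneSpec{
		EKSClusterName: "default_cluster1",
		AccessConfig: &AccessConfig{
			AuthenticationMode: EKSAuthenticationModeApi,
		},
	},
	newClusterSpec: AWSManagedControlPlaneSpec{
		EKSClusterName: "default_cluster1",
		AccessConfig: &AccessConfig{
			AuthenticationMode: EKSAuthenticationModeApiAndConfigMap,
		},
	},
	expectError: true,
},
// … unchanged: "change in encryption config to nil" and the remaining cases …
```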
