exclude pwo identity from validation rules

Diaphteiros · Diaphteiros · commit c880c8d4ed6d · 2025-10-28T15:27:45.000+01:00
diff --git a/api/core/v1alpha1/common_webhook.go b/api/core/v1alpha1/common_webhook.go
@@ -3,8 +3,6 @@ package v1alpha1
 import (
 	"context"
 	"fmt"
-	"os"
-	"strings"
 
 	admissionv1 "k8s.io/api/admission/v1"
 	authv1 "k8s.io/api/authentication/v1"
@@ -59,11 +57,6 @@ func setMetaDataAnnotation(meta metav1.Object, key, value string) { // TODO move
 	meta.SetAnnotations(labels)
 }
 
-func isOwnServiceAccount(userinfo authv1.UserInfo) bool {
-	svcAccUsername := fmt.Sprintf("system:serviceaccount:%s:%s", os.Getenv("POD_NAMESPACE"), os.Getenv("POD_SERVICE_ACCOUNT"))
-	return strings.HasSuffix(userinfo.Username, svcAccUsername)
-}
-
 // userInfoFromContext extracts the authv1.UserInfo from the admission.Request available in the context. Returns an error if the request can't be found.
 func userInfoFromContext(ctx context.Context) (authv1.UserInfo, error) {
 	req, err := admission.RequestFromContext(ctx)
diff --git a/api/core/v1alpha1/project_webhook.go b/api/core/v1alpha1/project_webhook.go
@@ -13,27 +13,39 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
 )
 
+// +kubebuilder:object:generate=false
+type ProjectWebhook struct {
+	client.Client
+
+	// Identity is the name of the entity (usually a service account) the project-workspace-operator uses to access the onboarding cluster.
+	// It is required to exclude the operator's own identity from validation checks.
+	Identity     string
+	OverrideName string
+}
+
 // log is for logging in this package.
 var projectlog = logf.Log.WithName("project-resource")
 
-func (p *Project) SetupWebhookWithManager(mgr ctrl.Manager, memberOverridesName string) error {
+func (p *Project) SetupWebhookWithManager(ctx context.Context, mgr ctrl.Manager, memberOverridesName, identity string) error {
+	pwh := &ProjectWebhook{
+		Client:       mgr.GetClient(),
+		OverrideName: memberOverridesName,
+		Identity:     identity,
+	}
 
 	return ctrl.NewWebhookManagedBy(mgr).
-		For(&Project{}).
-		WithDefaulter(&Project{}).
-		WithValidator(&projectValidator{
-			Client:       mgr.GetClient(),
-			overrideName: memberOverridesName,
-		}).
+		For(p).
+		WithDefaulter(pwh).
+		WithValidator(pwh).
 		Complete()
 }
 
-// +kubebuilder:webhook:path=/mutate-core-openmcp-cloud-v1alpha1-project,mutating=true,failurePolicy=fail,sideEffects=None,groups=core.openmcp.cloud,resources=projects,verbs=create;update,versions=v1alpha1,name=mproject.kb.io,admissionReviewVersions=v1
+// +kubebuilder:webhook:path=/mutate-core-openmcp-cloud-v1alpha1-project,mutating=true,failurePolicy=fail,sideEffects=None,groups=core.openmcp.cloud,resources=projects,verbs=create;update,versions=v1alpha1,name=mproject.openmcp.cloud,admissionReviewVersions=v1
 
-var _ webhook.CustomDefaulter = &Project{}
+var _ webhook.CustomDefaulter = &ProjectWebhook{}
 
 // Default implements webhook.CustomDefaulter so a webhook will be registered for the type
-func (p *Project) Default(ctx context.Context, obj runtime.Object) error {
+func (p *ProjectWebhook) Default(ctx context.Context, obj runtime.Object) error {
 	project, err := expectProject(obj)
 	if err != nil {
 		return err
@@ -50,30 +62,12 @@ func (p *Project) Default(ctx context.Context, obj runtime.Object) error {
 	return nil
 }
 
-// Project must implement webhook.CustomValidator in order for it's Mutating/Validating Webhook configuration to be generated by 	"github.com/openmcp-project/controller-utils/pkg/init/webhooks"
-var _ webhook.CustomValidator = &Project{}
-
-func (p *Project) ValidateCreate(ctx context.Context, obj runtime.Object) (warnings admission.Warnings, err error) {
-	return
-}
-func (p *Project) ValidateUpdate(ctx context.Context, oldObj, newObj runtime.Object) (warnings admission.Warnings, err error) {
-	return
-}
-func (p *Project) ValidateDelete(ctx context.Context, obj runtime.Object) (warnings admission.Warnings, err error) {
-	return
-}
-
-// +kubebuilder:webhook:path=/validate-core-openmcp-cloud-v1alpha1-project,mutating=false,failurePolicy=fail,sideEffects=None,groups=core.openmcp.cloud,resources=projects,verbs=create;update;delete,versions=v1alpha1,name=vproject.kb.io,admissionReviewVersions=v1
-
-var _ webhook.CustomValidator = &projectValidator{}
+// +kubebuilder:webhook:path=/validate-core-openmcp-cloud-v1alpha1-project,mutating=false,failurePolicy=fail,sideEffects=None,groups=core.openmcp.cloud,resources=projects,verbs=create;update;delete,versions=v1alpha1,name=vproject.openmcp.cloud,admissionReviewVersions=v1
 
-type projectValidator struct {
-	client.Client
-	overrideName string
-}
+var _ webhook.CustomValidator = &ProjectWebhook{}
 
 // ValidateCreate implements webhook.CustomValidator so a webhook will be registered for the type
-func (v *projectValidator) ValidateCreate(ctx context.Context, obj runtime.Object) (warnings admission.Warnings, err error) {
+func (v *ProjectWebhook) ValidateCreate(ctx context.Context, obj runtime.Object) (warnings admission.Warnings, err error) {
 	project, err := expectProject(obj)
 	if err != nil {
 		return
@@ -97,7 +91,7 @@ func (v *projectValidator) ValidateCreate(ctx context.Context, obj runtime.Objec
 }
 
 // ValidateUpdate implements webhook.CustomValidator so a webhook will be registered for the type
-func (v *projectValidator) ValidateUpdate(ctx context.Context, oldObj, newObj runtime.Object) (warnings admission.Warnings, err error) {
+func (v *ProjectWebhook) ValidateUpdate(ctx context.Context, oldObj, newObj runtime.Object) (warnings admission.Warnings, err error) {
 	oldProject, err := expectProject(oldObj)
 	if err != nil {
 		return
@@ -138,7 +132,7 @@ func (v *projectValidator) ValidateUpdate(ctx context.Context, oldObj, newObj ru
 }
 
 // ValidateDelete implements webhook.CustomValidator so a webhook will be registered for the type
-func (v *projectValidator) ValidateDelete(ctx context.Context, obj runtime.Object) (warnings admission.Warnings, err error) {
+func (v *ProjectWebhook) ValidateDelete(ctx context.Context, obj runtime.Object) (warnings admission.Warnings, err error) {
 	project, err := expectProject(obj)
 	if err != nil {
 		return
@@ -160,21 +154,21 @@ func expectProject(obj runtime.Object) (*Project, error) {
 	return project, nil
 }
 
-func (v *projectValidator) ensureValidRole(ctx context.Context, project *Project) (bool, error) {
+func (v *ProjectWebhook) ensureValidRole(ctx context.Context, project *Project) (bool, error) {
 	userInfo, err := userInfoFromContext(ctx)
 	if err != nil {
 		return false, fmt.Errorf("failed to get userInfo")
 	}
-	if project.UserInfoHasRole(userInfo, ProjectRoleAdmin) || isOwnServiceAccount(userInfo) {
+	if project.UserInfoHasRole(userInfo, ProjectRoleAdmin) || userInfo.Username == v.Identity {
 		return true, nil
 	}
 
-	if v.overrideName == "" {
+	if v.OverrideName == "" {
 		return false, nil
 	}
 
 	overrides := &MemberOverrides{}
-	if err := v.Get(ctx, types.NamespacedName{Name: v.overrideName}, overrides); err != nil {
+	if err := v.Get(ctx, types.NamespacedName{Name: v.OverrideName}, overrides); err != nil {
 		return false, err
 	}
 	if overrides.HasAdminOverrideForResource(&userInfo, project.Name, project.Kind) {
diff --git a/api/core/v1alpha1/webhook_suite_test.go b/api/core/v1alpha1/webhook_suite_test.go
@@ -92,6 +92,8 @@ var _ = BeforeSuite(func() {
 	Expect(err).NotTo(HaveOccurred())
 	Expect(k8sClient).NotTo(BeNil())
 
+	identity := "nobody"
+
 	// start webhook server using Manager
 	webhookInstallOptions := &testEnv.WebhookInstallOptions
 	mgr, err := ctrl.NewManager(cfg, ctrl.Options{
@@ -106,10 +108,10 @@ var _ = BeforeSuite(func() {
 	})
 	Expect(err).NotTo(HaveOccurred())
 
-	err = (&Project{}).SetupWebhookWithManager(mgr, "test-override")
+	err = (&Project{}).SetupWebhookWithManager(ctx, mgr, "test-override", identity)
 	Expect(err).NotTo(HaveOccurred())
 
-	err = (&Workspace{}).SetupWebhookWithManager(mgr, "test-override")
+	err = (&Workspace{}).SetupWebhookWithManager(ctx, mgr, "test-override", identity)
 	Expect(err).NotTo(HaveOccurred())
 
 	// +kubebuilder:scaffold:webhook
diff --git a/api/core/v1alpha1/workspace_webhook.go b/api/core/v1alpha1/workspace_webhook.go
@@ -17,24 +17,36 @@ import (
 // log is for logging in this package.
 var workspacelog = logf.Log.WithName("workspace-resource")
 
-func (r *Workspace) SetupWebhookWithManager(mgr ctrl.Manager, memberOverridesName string) error {
+// +kubebuilder:object:generate=false
+type WorkspaceWebhook struct {
+	client.Client
+
+	// Identity is the name of the entity (usually a service account) the project-workspace-operator uses to access the onboarding cluster.
+	// It is required to exclude the operator's own identity from validation checks.
+	Identity     string
+	OverrideName string
+}
+
+func (r *Workspace) SetupWebhookWithManager(ctx context.Context, mgr ctrl.Manager, memberOverridesName, identity string) error {
+	wswh := &WorkspaceWebhook{
+		Client:       mgr.GetClient(),
+		OverrideName: memberOverridesName,
+		Identity:     identity,
+	}
 
 	return ctrl.NewWebhookManagedBy(mgr).
 		For(r).
-		WithDefaulter(&Workspace{}).
-		WithValidator(&workspaceValidator{
-			Client:       mgr.GetClient(),
-			overrideName: memberOverridesName,
-		}).
+		WithDefaulter(wswh).
+		WithValidator(wswh).
 		Complete()
 }
 
-// +kubebuilder:webhook:path=/mutate-core-openmcp-cloud-v1alpha1-workspace,mutating=true,failurePolicy=fail,sideEffects=None,groups=core.openmcp.cloud,resources=workspaces,verbs=create;update,versions=v1alpha1,name=mworkspace.kb.io,admissionReviewVersions=v1
+// +kubebuilder:webhook:path=/mutate-core-openmcp-cloud-v1alpha1-workspace,mutating=true,failurePolicy=fail,sideEffects=None,groups=core.openmcp.cloud,resources=workspaces,verbs=create;update,versions=v1alpha1,name=mworkspace.openmcp.cloud,admissionReviewVersions=v1
 
-var _ webhook.CustomDefaulter = &Workspace{}
+var _ webhook.CustomDefaulter = &WorkspaceWebhook{}
 
 // Default implements webhook.CustomDefaulter so a webhook will be registered for the type
-func (w *Workspace) Default(ctx context.Context, obj runtime.Object) error {
+func (w *WorkspaceWebhook) Default(ctx context.Context, obj runtime.Object) error {
 	workspace, err := expectWorkspace(obj)
 	if err != nil {
 		return err
@@ -50,30 +62,12 @@ func (w *Workspace) Default(ctx context.Context, obj runtime.Object) error {
 	return nil
 }
 
-// Workspace must implement webhook.CustomValidator in order for it's Mutating/Validating Webhook configuration to be generated by 	"github.com/openmcp-project/controller-utils/pkg/init/webhooks"
-var _ webhook.CustomValidator = &Workspace{}
-
-func (w *Workspace) ValidateCreate(ctx context.Context, obj runtime.Object) (warnings admission.Warnings, err error) {
-	return
-}
-func (w *Workspace) ValidateUpdate(ctx context.Context, oldObj, newObj runtime.Object) (warnings admission.Warnings, err error) {
-	return
-}
-func (w *Workspace) ValidateDelete(ctx context.Context, obj runtime.Object) (warnings admission.Warnings, err error) {
-	return
-}
-
-// +kubebuilder:webhook:path=/validate-core-openmcp-cloud-v1alpha1-workspace,mutating=false,failurePolicy=fail,sideEffects=None,groups=core.openmcp.cloud,resources=workspaces,verbs=create;update;delete,versions=v1alpha1,name=vworkspace.kb.io,admissionReviewVersions=v1
-
-var _ webhook.CustomValidator = &workspaceValidator{}
+// +kubebuilder:webhook:path=/validate-core-openmcp-cloud-v1alpha1-workspace,mutating=false,failurePolicy=fail,sideEffects=None,groups=core.openmcp.cloud,resources=workspaces,verbs=create;update;delete,versions=v1alpha1,name=vworkspace.openmcp.cloud,admissionReviewVersions=v1
 
-type workspaceValidator struct {
-	client.Client
-	overrideName string
-}
+var _ webhook.CustomValidator = &WorkspaceWebhook{}
 
 // ValidateCreate implements webhook.CustomValidator so a webhook will be registered for the type
-func (v *workspaceValidator) ValidateCreate(ctx context.Context, obj runtime.Object) (warnings admission.Warnings, err error) {
+func (v *WorkspaceWebhook) ValidateCreate(ctx context.Context, obj runtime.Object) (warnings admission.Warnings, err error) {
 	workspace, err := expectWorkspace(obj)
 	if err != nil {
 		return
@@ -96,7 +90,7 @@ func (v *workspaceValidator) ValidateCreate(ctx context.Context, obj runtime.Obj
 }
 
 // ValidateUpdate implements webhook.CustomValidator so a webhook will be registered for the type
-func (v *workspaceValidator) ValidateUpdate(ctx context.Context, oldObj, newObj runtime.Object) (warnings admission.Warnings, err error) {
+func (v *WorkspaceWebhook) ValidateUpdate(ctx context.Context, oldObj, newObj runtime.Object) (warnings admission.Warnings, err error) {
 	oldWorkspace, err := expectWorkspace(oldObj)
 	if err != nil {
 		return
@@ -137,7 +131,7 @@ func (v *workspaceValidator) ValidateUpdate(ctx context.Context, oldObj, newObj
 }
 
 // ValidateDelete implements webhook.CustomValidator so a webhook will be registered for the type
-func (v *workspaceValidator) ValidateDelete(ctx context.Context, obj runtime.Object) (warnings admission.Warnings, err error) {
+func (v *WorkspaceWebhook) ValidateDelete(ctx context.Context, obj runtime.Object) (warnings admission.Warnings, err error) {
 	workspace, err := expectWorkspace(obj)
 	if err != nil {
 		return
@@ -160,21 +154,21 @@ func expectWorkspace(obj runtime.Object) (*Workspace, error) {
 	return workspace, nil
 }
 
-func (v *workspaceValidator) ensureValidRole(ctx context.Context, workspace *Workspace) (bool, error) {
+func (v *WorkspaceWebhook) ensureValidRole(ctx context.Context, workspace *Workspace) (bool, error) {
 	userInfo, err := userInfoFromContext(ctx)
 	if err != nil {
 		return false, fmt.Errorf("failed to get userInfo")
 	}
-	if workspace.UserInfoHasRole(userInfo, WorkspaceRoleAdmin) || isOwnServiceAccount(userInfo) {
+	if workspace.UserInfoHasRole(userInfo, WorkspaceRoleAdmin) || userInfo.Username == v.Identity {
 		return true, nil
 	}
 
-	if v.overrideName == "" {
+	if v.OverrideName == "" {
 		return false, nil
 	}
 
 	overrides := &MemberOverrides{}
-	if err := v.Get(ctx, types.NamespacedName{Name: v.overrideName}, overrides); err != nil {
+	if err := v.Get(ctx, types.NamespacedName{Name: v.OverrideName}, overrides); err != nil {
 		return false, err
 	}
 
diff --git a/api/install/install.go b/api/install/install.go
@@ -1,6 +1,7 @@
 package install
 
 import (
+	authenticationv1 "k8s.io/api/authentication/v1"
 	apiextv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
@@ -20,8 +21,8 @@ func InstallOperatorAPIsPlatform(scheme *runtime.Scheme) *runtime.Scheme {
 	utilruntime.Must(deployv1alpha1.AddToScheme(scheme))
 	utilruntime.Must(pwv1alpha1.AddToScheme(scheme))
 	utilruntime.Must(apiextv1.AddToScheme(scheme))
-	utilruntime.Must(gatewayv1.AddToScheme(scheme))
-	utilruntime.Must(gatewayv1alpha2.AddToScheme(scheme))
+	utilruntime.Must(gatewayv1.Install(scheme))
+	utilruntime.Must(gatewayv1alpha2.Install(scheme))
 
 	return scheme
 }
@@ -30,6 +31,7 @@ func InstallOperatorAPIsOnboarding(scheme *runtime.Scheme) *runtime.Scheme {
 	utilruntime.Must(clientgoscheme.AddToScheme(scheme))
 	utilruntime.Must(pwv1alpha1.AddToScheme(scheme))
 	utilruntime.Must(apiextv1.AddToScheme(scheme))
+	utilruntime.Must(authenticationv1.AddToScheme(scheme))
 
 	return scheme
 }
diff --git a/cmd/project-workspace-operator/app/run.go b/cmd/project-workspace-operator/app/run.go
@@ -10,6 +10,7 @@ import (
 
 	"github.com/spf13/cobra"
 
+	authenticationv1 "k8s.io/api/authentication/v1"
 	rbacv1 "k8s.io/api/rbac/v1"
 	apiextv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
 	"k8s.io/apimachinery/pkg/runtime"
@@ -253,6 +254,11 @@ func (o *RunOptions) Run(ctx context.Context) error {
 						Resources: []string{"clusterroles", "clusterrolebindings", "rolebindings"},
 						Verbs:     []string{"*"},
 					},
+					{
+						APIGroups: []string{"authentication.k8s.io/v1"},
+						Resources: []string{"selfsubjectreviews"},
+						Verbs:     []string{"*"},
+					},
 				},
 			},
 		})
@@ -309,6 +315,14 @@ func (o *RunOptions) Run(ctx context.Context) error {
 		}
 	}
 
+	// figure out own identity
+	review := &authenticationv1.SelfSubjectReview{}
+	if err := onboardingCluster.Client().Create(ctx, review); err != nil {
+		return fmt.Errorf("failed to get own identity: %w", err)
+	}
+	identity := review.Status.UserInfo.Username
+	setupLog.Info("determined own identity to exclude from webhook validation", "identity", identity)
+
 	webhookServer := webhook.NewServer(webhook.Options{
 		TLSOpts: o.WebhookTLSOpts,
 		Port:    WebhookPortPod,
@@ -339,10 +353,10 @@ func (o *RunOptions) Run(ctx context.Context) error {
 	}
 
 	if !pwc.Spec.Webhook.Disabled {
-		if err = (&pwv1alpha1.Project{}).SetupWebhookWithManager(mgr, pwc.Spec.MemberOverridesName); err != nil {
+		if err = (&pwv1alpha1.Project{}).SetupWebhookWithManager(ctx, mgr, pwc.Spec.MemberOverridesName, identity); err != nil {
 			return fmt.Errorf("unable to setup Project webhook: %w", err)
 		}
-		if err = (&pwv1alpha1.Workspace{}).SetupWebhookWithManager(mgr, pwc.Spec.MemberOverridesName); err != nil {
+		if err = (&pwv1alpha1.Workspace{}).SetupWebhookWithManager(ctx, mgr, pwc.Spec.MemberOverridesName, identity); err != nil {
 			return fmt.Errorf("unable to setup Workspace webhook: %w", err)
 		}
 	}
diff --git a/cmd/project-workspace-operator/main.go b/cmd/project-workspace-operator/main.go
diff --git a/config/webhook/manifests.yaml b/config/webhook/manifests.yaml
diff --git a/internal/controller/core/common.go b/internal/controller/core/common.go
