NE-1953: Add Validating Admission Policy for Gateway API CRDs

alebedev87 · alebedev87 · commit 415446ace0f7 · 2025-03-03T10:55:14.000+01:00
This commit introduces a validating admission policy that restricts modifications
to CRDs from the "gateway.networking.k8s.io" group, allowing only the cluster
ingress operator's service account to make changes.

This ensures that the core OpenShift retains exclusive ownership of the Gateway API
implementation, preventing modifications from any add-ons (whether third-party or
Red Hat-owned).

The policy and its corresponding binding will be managed by CVO.
diff --git a/manifests/01-validating-admission-policy-binding.yaml b/manifests/01-validating-admission-policy-binding.yaml
@@ -0,0 +1,13 @@
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicyBinding
+metadata:
+  name: openshift-ingress-operator-gatewayapi-crd-admission
+  annotations:
+    capability.openshift.io/name: Ingress
+    include.release.openshift.io/ibm-cloud-managed: "true"
+    include.release.openshift.io/self-managed-high-availability: "true"
+    include.release.openshift.io/single-node-developer: "true"
+    release.openshift.io/feature-set: "TechPreviewNoUpgrade,CustomNoUpgrade"
+spec:
+  policyName: openshift-ingress-operator-gatewayapi-crd-admission
+  validationActions: [Deny]
diff --git a/manifests/01-validating-admission-policy.yaml b/manifests/01-validating-admission-policy.yaml
@@ -0,0 +1,36 @@
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicy
+metadata:
+  name: openshift-ingress-operator-gatewayapi-crd-admission
+  annotations:
+    capability.openshift.io/name: Ingress
+    include.release.openshift.io/ibm-cloud-managed: "true"
+    include.release.openshift.io/self-managed-high-availability: "true"
+    include.release.openshift.io/single-node-developer: "true"
+    release.openshift.io/feature-set: "TechPreviewNoUpgrade,CustomNoUpgrade"
+spec:
+  matchConstraints:
+    # Consider only requests to CRD resources.
+    resourceRules:
+    - apiGroups:   ["apiextensions.k8s.io"]
+      apiVersions: ["v1"]
+      operations:  ["CREATE","UPDATE","DELETE"]
+      resources:   ["customresourcedefinitions"]
+  matchConditions:
+    # Consider only request to Gateway API CRDs.
+    - name: "check-only-gateway-api-crds"
+      # When the operation is DELETE, the "object" variable is null.
+      expression: "(request.operation == 'DELETE' ? oldObject : object).spec.group == 'gateway.networking.k8s.io'"
+  # Validations are evaluated in the the order of their declaration.
+  validations:
+    # Verify that the request was sent by the ingress operator's service account.
+    - expression: "has(request.userInfo.username) && (request.userInfo.username == 'system:serviceaccount:openshift-ingress-operator:ingress-operator')"
+      message: "modifications to Gateway API Custom Resource Definitions may only be made by the Ingress Operator"
+      reason: Forbidden
+    # Verify that the request was sent from a pod. The presence of both "node" and "pod" claims implies that the token is bound to a pod object.
+    # Ref: https://kubernetes.io/docs/reference/access-authn-authz/service-accounts-admin/#schema-for-service-account-private-claims.
+    - expression: "has(request.userInfo.extra) && ('authentication.kubernetes.io/node-name' in request.userInfo.extra) && ('authentication.kubernetes.io/pod-name' in request.userInfo.extra)"
+      message: "this user must have a \"authentication.kubernetes.io/node-name\" and \"authentication.kubernetes.io/pod-name\" claims"
+      reason: Forbidden
+  # Fail the admission if any validation evaluates to false.
+  failurePolicy: Fail
diff --git a/test/e2e/gateway_api_test.go b/test/e2e/gateway_api_test.go
@@ -14,8 +14,10 @@ import (
 	"github.com/openshift/cluster-ingress-operator/pkg/operator/controller/gatewayclass"
 
 	corev1 "k8s.io/api/core/v1"
+	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
 	"k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/apiserver/pkg/storage/names"
 
 	gatewayapiv1 "sigs.k8s.io/gateway-api/apis/v1"
@@ -30,6 +32,8 @@ const (
 	expectedCatalogSourceNamespace = "openshift-marketplace"
 	// The test gateway name used in multiple places.
 	testGatewayName = "test-gateway"
+	// gwapiCRDVAPName is the name of the ingress operator's Validating Admission Policy (VAP).
+	gwapiCRDVAPName = "openshift-ingress-operator-gatewayapi-crd-admission"
 )
 
 var crdNames = []string{
@@ -75,6 +79,7 @@ func TestGatewayAPI(t *testing.T) {
 	t.Run("testGatewayAPIResources", testGatewayAPIResources)
 	t.Run("testGatewayAPIObjects", testGatewayAPIObjects)
 	t.Run("testGatewayAPIIstioInstallation", testGatewayAPIIstioInstallation)
+	t.Run("testGatewayAPIResourcesProtection", testGatewayAPIResourcesProtection)
 }
 
 // testGatewayAPIResources tests that Gateway API Custom Resource Definitions are available.
@@ -141,6 +146,60 @@ func testGatewayAPIObjects(t *testing.T) {
 	}
 }
 
+// testGatewayAPIResourcesProtection verifies that the ingress operator's Validating Admission Policy
+// denies admission requests attempting to modify Gateway API CRDs on behalf of a user
+// who is not the ingress operator's service account.
+func testGatewayAPIResourcesProtection(t *testing.T) {
+	t.Helper()
+
+	var testCRDs []*apiextensionsv1.CustomResourceDefinition
+	for _, name := range crdNames {
+		testCRDs = append(testCRDs, buildGWAPICRDFromName(name))
+	}
+	expectedErrMsg := "modifications to Gateway API Custom Resource Definitions may only be made by the Ingress Operator"
+
+	// Verify that GatewayAPI CRD creation is forbidden.
+	for i := range testCRDs {
+		if err := kclient.Create(context.Background(), testCRDs[i]); err != nil {
+			if !strings.Contains(err.Error(), expectedErrMsg) {
+				t.Errorf("unexpected error received while creating CRD %q: %v", testCRDs[i].Name, err)
+			}
+		} else {
+			t.Errorf("admission error is expected while creating CRD %q but not received", testCRDs[i].Name)
+		}
+	}
+
+	// Verify that GatewayAPI CRD update is forbidden.
+	for i := range testCRDs {
+		crdName := types.NamespacedName{Name: testCRDs[i].Name}
+		crd := &apiextensionsv1.CustomResourceDefinition{}
+		if err := kclient.Get(context.Background(), crdName, crd); err != nil {
+			t.Errorf("failed to get %q CRD: %v", crdName.Name, err)
+			continue
+		}
+		crd.Spec = testCRDs[i].Spec
+		crd.Spec.Conversion = testCRDs[i].Spec.Conversion
+		if err := kclient.Update(context.Background(), crd); err != nil {
+			if !strings.Contains(err.Error(), expectedErrMsg) {
+				t.Errorf("unexpected error received while updating CRD %q: %v", testCRDs[i].Name, err)
+			}
+		} else {
+			t.Errorf("admission error is expected while updating CRD %q but not received", testCRDs[i].Name)
+		}
+	}
+
+	// Verify that GatewayAPI CRD deletion is forbidden.
+	for i := range testCRDs {
+		if err := kclient.Delete(context.Background(), testCRDs[i]); err != nil {
+			if !strings.Contains(err.Error(), expectedErrMsg) {
+				t.Errorf("unexpected error received while deleting CRD %q: %v", testCRDs[i].Name, err)
+			}
+		} else {
+			t.Errorf("admission error is expected while deleting CRD %q but not received", testCRDs[i].Name)
+		}
+	}
+}
+
 // ensureCRDs tests that the Gateway API custom resource definitions exist.
 func ensureCRDs(t *testing.T) {
 	t.Helper()
@@ -156,6 +215,19 @@ func ensureCRDs(t *testing.T) {
 // deleteCRDs deletes Gateway API custom resource definitions.
 func deleteCRDs(t *testing.T) {
 	t.Helper()
+
+	vm := newVAPManager(t, gwapiCRDVAPName)
+	// Remove the ingress operator's Validating Admission Policy (VAP)
+	// which prevents modifications of Gateway API CRDs
+	// by anything other than the ingress operator.
+	if err, recoverFn := vm.disable(); err != nil {
+		defer recoverFn()
+		t.Fatalf("failed to disable vap: %v", err)
+	}
+	// Put back the VAP to ensure that it does not prevent
+	// the ingress operator from managing Gateway API CRDs.
+	defer vm.enable()
+
 	for _, crdName := range crdNames {
 		err := deleteExistingCRD(t, crdName)
 		if err != nil {
diff --git a/test/e2e/util_gatewayapi_test.go b/test/e2e/util_gatewayapi_test.go
@@ -19,6 +19,7 @@ import (
 	operatorcontroller "github.com/openshift/cluster-ingress-operator/pkg/operator/controller"
 	operatorsv1alpha1 "github.com/operator-framework/api/pkg/operators/v1alpha1"
 
+	admissionregistrationv1 "k8s.io/api/admissionregistration/v1"
 	appsv1 "k8s.io/api/apps/v1"
 	corev1 "k8s.io/api/core/v1"
 	rbacv1 "k8s.io/api/rbac/v1"
@@ -43,6 +44,10 @@ const (
 	openshiftIstiodDeploymentName = "istiod-openshift-gateway"
 	// openshiftSMCPName holds the expected OSSM ServiceMeshControlPlane name
 	openshiftSMCPName = "openshift-gateway"
+	// cvoNamespace is the namespace of cluster version operator (CVO).
+	cvoNamespace = "openshift-cluster-version"
+	// cvoDeploymentName is the name of cluster version operator's deployment.
+	cvoDeploymentName = "cluster-version-operator"
 )
 
 // updateIngressOperatorRole updates the ingress-operator cluster role with cluster-admin privilege.
@@ -149,6 +154,53 @@ func deleteExistingCRD(t *testing.T, crdName string) error {
 	return nil
 }
 
+// deleteExistingVAP deletes if the VAP of the given name exists and returns an error if not.
+func deleteExistingVAP(t *testing.T, vapName string) error {
+	t.Helper()
+
+	vap := &admissionregistrationv1.ValidatingAdmissionPolicy{}
+	newVAP := &admissionregistrationv1.ValidatingAdmissionPolicy{}
+	name := types.NamespacedName{Name: vapName}
+
+	// Retrieve the object to be deleted.
+	if err := wait.PollUntilContextTimeout(context.Background(), 1*time.Second, 30*time.Second, false, func(context context.Context) (bool, error) {
+		if err := kclient.Get(context, name, vap); err != nil {
+			t.Logf("failed to get vap %q: %v, retrying ...", vapName, err)
+			return false, nil
+		}
+		return true, nil
+	}); err != nil {
+		return fmt.Errorf("failed to get vap %q: %w", vapName, err)
+	}
+
+	if err := kclient.Delete(context.Background(), vap); err != nil {
+		return fmt.Errorf("failed to delete vap %q: %w", vapName, err)
+	}
+
+	// Verify VAP was not recreated.
+	if err := wait.PollUntilContextTimeout(context.Background(), 1*time.Second, 30*time.Second, false, func(ctx context.Context) (bool, error) {
+		if err := kclient.Get(ctx, name, newVAP); err != nil {
+			if kerrors.IsNotFound(err) {
+				// VAP does not exist as expected.
+				return true, nil
+			}
+			t.Logf("failed to get vap %q: %v, retrying ...", vapName, err)
+			return false, nil
+		}
+		// Check if new VAP got recreated.
+		if newVAP != nil && newVAP.UID != vap.UID {
+			return true, fmt.Errorf("vap %q got recreated", vapName)
+		}
+		t.Logf("vap %q still exists, retrying ...", vapName)
+		return false, nil
+	}); err != nil {
+		return fmt.Errorf("failed to verify deletion of vap %q: %v", vapName, err)
+	}
+
+	t.Logf("deleted vap %q", vapName)
+	return nil
+}
+
 // createHttpRoute checks if the HTTPRoute can be created.
 // If it can't an error is returned.
 func createHttpRoute(namespace, routeName, parentNamespace, hostname, backendRefname string, gateway *gatewayapiv1.Gateway) (*gatewayapiv1.HTTPRoute, error) {
@@ -272,6 +324,71 @@ func buildHTTPRoute(routeName, namespace, parentgateway, parentNamespace, hostna
 	}
 }
 
+// buildGWAPICRDFromName initializes the GatewayAPI CRD deducing most of its required fields from the given name.
+func buildGWAPICRDFromName(name string) *apiextensionsv1.CustomResourceDefinition {
+	var (
+		plural   = strings.Split(name, ".")[0]
+		group, _ = strings.CutPrefix(name, plural+".")
+		scope    = apiextensionsv1.NamespaceScoped
+		// removing trailing "s"
+		singular = plural[0 : len(plural)-1]
+		kind     string
+	)
+
+	switch plural {
+	case "gatewayclasses":
+		singular = "gatewayclass"
+		kind = "GatewayClass"
+		scope = apiextensionsv1.ClusterScoped
+	case "gateways":
+		kind = "Gateway"
+	case "httproutes":
+		kind = "HTTPRoute"
+	case "referencegrants":
+		kind = "ReferenceGrant"
+	}
+
+	return &apiextensionsv1.CustomResourceDefinition{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: plural + "." + group,
+			Annotations: map[string]string{
+				"api-approved.kubernetes.io": "https://github.com/kubernetes-sigs/gateway-api/pull/2466",
+			},
+		},
+		Spec: apiextensionsv1.CustomResourceDefinitionSpec{
+			Group: group,
+			Names: apiextensionsv1.CustomResourceDefinitionNames{
+				Singular: singular,
+				Plural:   plural,
+				Kind:     kind,
+			},
+			Scope: scope,
+			Versions: []apiextensionsv1.CustomResourceDefinitionVersion{
+				{
+					Name:    "v1",
+					Storage: true,
+					Served:  true,
+					Schema: &apiextensionsv1.CustomResourceValidation{
+						OpenAPIV3Schema: &apiextensionsv1.JSONSchemaProps{
+							Type: "object",
+						},
+					},
+				},
+				{
+					Name:    "v1beta1",
+					Storage: false,
+					Served:  true,
+					Schema: &apiextensionsv1.CustomResourceValidation{
+						OpenAPIV3Schema: &apiextensionsv1.JSONSchemaProps{
+							Type: "object",
+						},
+					},
+				},
+			},
+		},
+	}
+}
+
 // assertSubscription checks if the Subscription of the given name exists and returns an error if not.
 func assertSubscription(t *testing.T, namespace, subName string) error {
 	t.Helper()
@@ -651,3 +768,77 @@ func assertDNSRecord(t *testing.T, recordName types.NamespacedName) error {
 	})
 	return err
 }
+
+// assertVAP checks if the VAP of the given name exists, and returns an error if not.
+func assertVAP(t *testing.T, name string) error {
+	t.Helper()
+	vap := &admissionregistrationv1.ValidatingAdmissionPolicy{}
+	return wait.PollUntilContextTimeout(context.Background(), 1*time.Second, 1*time.Minute, false, func(context context.Context) (bool, error) {
+		if err := kclient.Get(context, types.NamespacedName{Name: name}, vap); err != nil {
+			t.Logf("failed to get vap %q: %v, retrying...", name, err)
+			return false, nil
+		}
+		return true, nil
+	})
+}
+
+// scaleDeployment scales the deployment with the given name to the specified number of replicas.
+func scaleDeployment(t *testing.T, namespace, name string, replicas int32) error {
+	t.Helper()
+
+	nsName := types.NamespacedName{Namespace: namespace, Name: name}
+	return wait.PollUntilContextTimeout(context.Background(), 1*time.Second, 30*time.Second, false, func(context context.Context) (bool, error) {
+		depl := &appsv1.Deployment{}
+		if err := kclient.Get(context, nsName, depl); err != nil {
+			t.Logf("failed to get deployment %q: %v, retrying...", nsName, err)
+			return false, nil
+		}
+		if *depl.Spec.Replicas != replicas {
+			depl.Spec.Replicas = &replicas
+			if err := kclient.Update(context, depl); err != nil {
+				t.Logf("failed to update deployment %q: %v, retrying...", nsName, err)
+				return false, nil
+			}
+		}
+		t.Logf("scaled  deployment %q to %d replica(s)", nsName, replicas)
+		return true, nil
+	})
+}
+
+// vapManager helps to disable the VAP resource which is managed by CVO.
+type vapManager struct {
+	t    *testing.T
+	name string
+}
+
+// newVAPManager returns a new instance of VAPManager.
+func newVAPManager(t *testing.T, vapName string) *vapManager {
+	return &vapManager{
+		t:    t,
+		name: vapName,
+	}
+}
+
+// disable scales down CVO and removes the VAP resource.
+func (m *vapManager) disable() (error, func()) {
+	if err := scaleDeployment(m.t, cvoNamespace, cvoDeploymentName, 0); err != nil {
+		return fmt.Errorf("failed to scale down cvo: %w", err), func() { /*scale down didn't work, nothing to do*/ }
+	}
+	if err := deleteExistingVAP(m.t, m.name); err != nil {
+		return fmt.Errorf("failed to delete vap %q: %w", m.name, err), func() {
+			if err := scaleDeployment(m.t, cvoNamespace, cvoDeploymentName, 1); err != nil {
+				m.t.Errorf("failed to scale up cvo: %v", err)
+			}
+		}
+	}
+	return nil, nil
+}
+
+// Enable scales up CVO and waits until the VAP is recreated.
+func (m *vapManager) enable() {
+	if err := scaleDeployment(m.t, cvoNamespace, cvoDeploymentName, 1); err != nil {
+		m.t.Errorf("failed to scale up cvo: %v", err)
+	} else if err := assertVAP(m.t, m.name); err != nil {
+		m.t.Errorf("failed to find vap %q: %v", m.name, err)
+	}
+}
