NE-1953: Add Validating Admission Policy for Gateway API CRDs

alebedev87 · alebedev87 · commit eff18466f750 · 2025-02-27T14:56:15.000+01:00
This commit introduces a validating admission policy that restricts modifications
to CRDs from the "gateway.networking.k8s.io" group, allowing only the cluster
ingress operator's service account to make changes.

This ensures that the core OpenShift retains exclusive ownership of the Gateway API
implementation, preventing modifications from any add-ons (whether third-party or
Red Hat-owned).

The policy and its corresponding binding will be managed by CVO.
diff --git a/manifests/01-validating-admission-policy-binding.yaml b/manifests/01-validating-admission-policy-binding.yaml
@@ -0,0 +1,13 @@
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicyBinding
+metadata:
+  name: openshift-ingress-operator-gatewayapi-crd-admission
+  annotations:
+    capability.openshift.io/name: Ingress
+    include.release.openshift.io/ibm-cloud-managed: "true"
+    include.release.openshift.io/self-managed-high-availability: "true"
+    include.release.openshift.io/single-node-developer: "true"
+    release.openshift.io/feature-set: "TechPreviewNoUpgrade"
+spec:
+  policyName: openshift-ingress-operator-gatewayapi-crd-admission
+  validationActions: [Deny]
diff --git a/manifests/01-validating-admission-policy.yaml b/manifests/01-validating-admission-policy.yaml
@@ -0,0 +1,36 @@
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicy
+metadata:
+  name: openshift-ingress-operator-gatewayapi-crd-admission
+  annotations:
+    capability.openshift.io/name: Ingress
+    include.release.openshift.io/ibm-cloud-managed: "true"
+    include.release.openshift.io/self-managed-high-availability: "true"
+    include.release.openshift.io/single-node-developer: "true"
+    release.openshift.io/feature-set: "TechPreviewNoUpgrade"
+spec:
+  matchConstraints:
+    # Consider only requests to CRD resources.
+    resourceRules:
+    - apiGroups:   ["apiextensions.k8s.io"]
+      apiVersions: ["v1"]
+      operations:  ["CREATE","UPDATE","DELETE"]
+      resources:   ["customresourcedefinitions"]
+  matchConditions:
+    # Consider only request to Gateway API CRDs.
+    - name: "check-only-gateway-api-crds"
+      # When the operation is DELETE, the "object" variable is null.
+      expression: "(request.operation == 'DELETE' ? oldObject : object).spec.group == 'gateway.networking.k8s.io'"
+  # Validations are evaluated in the the order of their declaration.
+  validations:
+    # Verify that the request was sent by the ingress operator's service account.
+    - expression: "has(request.userInfo.username) && (request.userInfo.username == 'system:serviceaccount:openshift-ingress-operator:ingress-operator')"
+      message: "modifications to Gateway API Custom Resource Definitions may only be made by the Ingress Operator"
+      reason: Forbidden
+    # Verify that the request was sent from a pod. The presence of both "node" and "pod" claims implies that the token is bound to a pod object.
+    # Ref: https://kubernetes.io/docs/reference/access-authn-authz/service-accounts-admin/#schema-for-service-account-private-claims.
+    - expression: "has(request.userInfo.extra) && ('authentication.kubernetes.io/node-name' in request.userInfo.extra) && ('authentication.kubernetes.io/pod-name' in request.userInfo.extra)"
+      message: "this user must have a \"authentication.kubernetes.io/node-name\" and \"authentication.kubernetes.io/pod-name\" claims"
+      reason: Forbidden
+  # Fail the admission if any validation evaluates to false.
+  failurePolicy: Fail
diff --git a/test/e2e/gateway_api_test.go b/test/e2e/gateway_api_test.go
@@ -14,8 +14,10 @@ import (
 	"github.com/openshift/cluster-ingress-operator/pkg/operator/controller/gatewayclass"
 
 	corev1 "k8s.io/api/core/v1"
+	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
 	"k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/apiserver/pkg/storage/names"
 
 	gatewayapiv1 "sigs.k8s.io/gateway-api/apis/v1"
@@ -30,6 +32,12 @@ const (
 	expectedCatalogSourceNamespace = "openshift-marketplace"
 	// The test gateway name used in multiple places.
 	testGatewayName = "test-gateway"
+	// gwapiCRDVAPName is the name of the ingress operator's Validating Admission Policy (VAP).
+	gwapiCRDVAPName = "openshift-ingress-operator-gatewayapi-crd-admission"
+	// cvoNamespace is the namespace of cluster version operator (CVO).
+	cvoNamespace = "openshift-cluster-version"
+	// cvoDeploymentName is the name of cluster version operator's deployment.
+	cvoDeploymentName = "cluster-version-operator"
 )
 
 var crdNames = []string{
@@ -75,6 +83,7 @@ func TestGatewayAPI(t *testing.T) {
 	t.Run("testGatewayAPIResources", testGatewayAPIResources)
 	t.Run("testGatewayAPIObjects", testGatewayAPIObjects)
 	t.Run("testGatewayAPIIstioInstallation", testGatewayAPIIstioInstallation)
+	t.Run("testGatewayAPIResourcesProtection", testGatewayAPIResourcesProtection)
 }
 
 // testGatewayAPIResources tests that Gateway API Custom Resource Definitions are available.
@@ -141,6 +150,60 @@ func testGatewayAPIObjects(t *testing.T) {
 	}
 }
 
+// testGatewayAPIResourcesProtection verifies that the ingress operator's Validating Admission Policy
+// denies admission requests attempting to modify Gateway API CRDs on behalf of a user
+// who is not the ingress operator's service account.
+func testGatewayAPIResourcesProtection(t *testing.T) {
+	t.Helper()
+
+	var testCRDs []*apiextensionsv1.CustomResourceDefinition
+	for _, name := range crdNames {
+		testCRDs = append(testCRDs, buildGWAPICRDFromName(name))
+	}
+	expectedErrMsg := "modifications to Gateway API Custom Resource Definitions may only be made by the Ingress Operator"
+
+	// Verify that GatewayAPI CRD creation is forbidden.
+	for i := range testCRDs {
+		if err := kclient.Create(context.Background(), testCRDs[i]); err != nil {
+			if !strings.Contains(err.Error(), expectedErrMsg) {
+				t.Errorf("unexpected error received while creating CRD %q: %v", testCRDs[i].Name, err)
+			}
+		} else {
+			t.Errorf("admission error is expected while creating CRD %q but not received", testCRDs[i].Name)
+		}
+	}
+
+	// Verify that GatewayAPI CRD update is forbidden.
+	for i := range testCRDs {
+		crdName := types.NamespacedName{Name: testCRDs[i].Name}
+		crd := &apiextensionsv1.CustomResourceDefinition{}
+		if err := kclient.Get(context.Background(), crdName, crd); err != nil {
+			t.Errorf("failed to get %q CRD: %v", crdName.Name, err)
+			continue
+		}
+		crd.Spec = testCRDs[i].Spec
+		crd.Spec.Conversion = testCRDs[i].Spec.Conversion
+		if err := kclient.Update(context.Background(), crd); err != nil {
+			if !strings.Contains(err.Error(), expectedErrMsg) {
+				t.Errorf("unexpected error received while updating CRD %q: %v", testCRDs[i].Name, err)
+			}
+		} else {
+			t.Errorf("admission error is expected while updating CRD %q but not received", testCRDs[i].Name)
+		}
+	}
+
+	// Verify that GatewayAPI CRD deletion is forbidden.
+	for i := range testCRDs {
+		if err := kclient.Delete(context.Background(), testCRDs[i]); err != nil {
+			if !strings.Contains(err.Error(), expectedErrMsg) {
+				t.Errorf("unexpected error received while deleting CRD %q: %v", testCRDs[i].Name, err)
+			}
+		} else {
+			t.Errorf("admission error is expected while deleting CRD %q but not received", testCRDs[i].Name)
+		}
+	}
+}
+
 // ensureCRDs tests that the Gateway API custom resource definitions exist.
 func ensureCRDs(t *testing.T) {
 	t.Helper()
@@ -156,6 +219,24 @@ func ensureCRDs(t *testing.T) {
 // deleteCRDs deletes Gateway API custom resource definitions.
 func deleteCRDs(t *testing.T) {
 	t.Helper()
+
+	// Remove the ingress operator's Validating Admission Policy
+	// which prevents modifications of Gateway API CRDs
+	// by anything other than the ingress operator.
+	scaleDeployment(t, cvoNamespace, cvoDeploymentName, 0)
+	if err := deleteVAP(t, gwapiCRDVAPName); err != nil {
+		// Stop here because VAP will prevent the deletion of CRDs.
+		t.Fatalf("failed to delete vap %q: %v", gwapiCRDVAPName, err)
+	}
+	defer func() {
+		// Put the VAP back to ensure that it does not prevent
+		// the ingress operator from managing Gateway API CRDs.
+		scaleDeployment(t, cvoNamespace, cvoDeploymentName, 1)
+		if err := assertVAP(t, gwapiCRDVAPName); err != nil {
+			t.Errorf("failed to find vap %q: %v", gwapiCRDVAPName, err)
+		}
+	}()
+
 	for _, crdName := range crdNames {
 		err := deleteExistingCRD(t, crdName)
 		if err != nil {
diff --git a/test/e2e/util_gatewayapi_test.go b/test/e2e/util_gatewayapi_test.go
@@ -19,6 +19,7 @@ import (
 	operatorcontroller "github.com/openshift/cluster-ingress-operator/pkg/operator/controller"
 	operatorsv1alpha1 "github.com/operator-framework/api/pkg/operators/v1alpha1"
 
+	admissionregistrationv1 "k8s.io/api/admissionregistration/v1"
 	appsv1 "k8s.io/api/apps/v1"
 	corev1 "k8s.io/api/core/v1"
 	rbacv1 "k8s.io/api/rbac/v1"
@@ -149,6 +150,53 @@ func deleteExistingCRD(t *testing.T, crdName string) error {
 	return nil
 }
 
+// deleteVAP delete given Validating Admission Policy.
+func deleteVAP(t *testing.T, vapName string) error {
+	t.Helper()
+
+	vap := &admissionregistrationv1.ValidatingAdmissionPolicy{}
+	newVAP := &admissionregistrationv1.ValidatingAdmissionPolicy{}
+	name := types.NamespacedName{Name: vapName}
+
+	// Retrieve the object to be deleted.
+	if err := wait.PollUntilContextTimeout(context.Background(), 1*time.Second, 30*time.Second, false, func(context context.Context) (bool, error) {
+		if err := kclient.Get(context, name, vap); err != nil {
+			t.Logf("failed to get vap %q: %v, retrying ...", vapName, err)
+			return false, nil
+		}
+		return true, nil
+	}); err != nil {
+		return fmt.Errorf("failed to get vap %q: %w", vapName, err)
+	}
+
+	if err := kclient.Delete(context.Background(), vap); err != nil {
+		return fmt.Errorf("failed to delete vap %q: %w", vapName, err)
+	}
+
+	// Verify VAP was not recreated.
+	if err := wait.PollUntilContextTimeout(context.Background(), 1*time.Second, 30*time.Second, false, func(ctx context.Context) (bool, error) {
+		if err := kclient.Get(ctx, name, newVAP); err != nil {
+			if kerrors.IsNotFound(err) {
+				// VAP does not exist as expected.
+				return true, nil
+			}
+			t.Logf("failed to get vap %q: %v, retrying ...", vapName, err)
+			return false, nil
+		}
+		// Check if new VAP got recreated.
+		if newVAP != nil && newVAP.UID != vap.UID {
+			return true, fmt.Errorf("vap %q got recreated", vapName)
+		}
+		t.Logf("vap %q still exists, retrying ...", vapName)
+		return false, nil
+	}); err != nil {
+		return fmt.Errorf("failed to verify deletion of vap %q: %v", vapName, err)
+	}
+
+	t.Logf("deleted vap %q", vapName)
+	return nil
+}
+
 // createHttpRoute checks if the HTTPRoute can be created.
 // If it can't an error is returned.
 func createHttpRoute(namespace, routeName, parentNamespace, hostname, backendRefname string, gateway *gatewayapiv1.Gateway) (*gatewayapiv1.HTTPRoute, error) {
@@ -272,6 +320,71 @@ func buildHTTPRoute(routeName, namespace, parentgateway, parentNamespace, hostna
 	}
 }
 
+// buildGWAPICRDFromName initializes the GatewayAPI CRD deducing most of its required fields from the given name.
+func buildGWAPICRDFromName(name string) *apiextensionsv1.CustomResourceDefinition {
+	var (
+		plural   = strings.Split(name, ".")[0]
+		group, _ = strings.CutPrefix(name, plural+".")
+		scope    = apiextensionsv1.NamespaceScoped
+		// removing trailing "s"
+		singular = plural[0 : len(plural)-1]
+		kind     string
+	)
+
+	switch plural {
+	case "gatewayclasses":
+		singular = "gatewayclass"
+		kind = "GatewayClass"
+		scope = apiextensionsv1.ClusterScoped
+	case "gateways":
+		kind = "Gateway"
+	case "httproutes":
+		kind = "HTTPRoute"
+	case "referencegrants":
+		kind = "ReferenceGrant"
+	}
+
+	return &apiextensionsv1.CustomResourceDefinition{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: plural + "." + group,
+			Annotations: map[string]string{
+				"api-approved.kubernetes.io": "https://github.com/kubernetes-sigs/gateway-api/pull/2466",
+			},
+		},
+		Spec: apiextensionsv1.CustomResourceDefinitionSpec{
+			Group: group,
+			Names: apiextensionsv1.CustomResourceDefinitionNames{
+				Singular: singular,
+				Plural:   plural,
+				Kind:     kind,
+			},
+			Scope: scope,
+			Versions: []apiextensionsv1.CustomResourceDefinitionVersion{
+				{
+					Name:    "v1",
+					Storage: true,
+					Served:  true,
+					Schema: &apiextensionsv1.CustomResourceValidation{
+						OpenAPIV3Schema: &apiextensionsv1.JSONSchemaProps{
+							Type: "object",
+						},
+					},
+				},
+				{
+					Name:    "v1beta1",
+					Storage: false,
+					Served:  true,
+					Schema: &apiextensionsv1.CustomResourceValidation{
+						OpenAPIV3Schema: &apiextensionsv1.JSONSchemaProps{
+							Type: "object",
+						},
+					},
+				},
+			},
+		},
+	}
+}
+
 // assertSubscription checks if the Subscription of the given name exists and returns an error if not.
 func assertSubscription(t *testing.T, namespace, subName string) error {
 	t.Helper()
@@ -651,3 +764,37 @@ func assertDNSRecord(t *testing.T, recordName types.NamespacedName) error {
 	})
 	return err
 }
+
+// assertVAP checks if the VAP of the given name exists, and returns an error if not.
+func assertVAP(t *testing.T, name string) error {
+	t.Helper()
+	vap := &admissionregistrationv1.ValidatingAdmissionPolicy{}
+	return wait.PollUntilContextTimeout(context.Background(), 1*time.Second, 1*time.Minute, false, func(context context.Context) (bool, error) {
+		if err := kclient.Get(context, types.NamespacedName{Name: name}, vap); err != nil {
+			t.Logf("failed to get vap %q: %v, retrying...", name, err)
+			return false, nil
+		}
+		return true, nil
+	})
+}
+
+// scaleDeployment scales a deployment with the given name to the specified number of replicas.
+func scaleDeployment(t *testing.T, namespace, name string, replicas int32) error {
+	t.Helper()
+
+	nsName := types.NamespacedName{Namespace: namespace, Name: name}
+	return wait.PollUntilContextTimeout(context.Background(), 1*time.Second, 30*time.Second, false, func(context context.Context) (bool, error) {
+		depl := &appsv1.Deployment{}
+		if err := kclient.Get(context, nsName, depl); err != nil {
+			t.Logf("failed to get deployment %q: %v, retrying...", nsName, err)
+			return false, nil
+		}
+		depl.Spec.Replicas = &replicas
+		if err := kclient.Update(context, depl); err != nil {
+			t.Logf("failed to update deployment %q: %v, retrying...", nsName, err)
+			return false, nil
+		}
+		t.Logf("scaled  deployment %q to %d replica(s)", nsName, replicas)
+		return true, nil
+	})
+}
