Merge pull request #345 from joshbranham/bug/fix-sdn-user-override

OSD-21711: Fix admin username that can bypass SDN webhook

Author: openshift-merge-bot[bot]

pkg/webhooks/sdnmigration/sdnmigration.go

@@ -19,7 +19,7 @@ const (
 	WebhookName               string = "sdn-migration-validation"
 	docString                 string = `Managed OpenShift customers may not modify the network config type because it can can degrade cluster operators and can interfere with OpenShift SRE monitoring.`
 	overrideAnnotation        string = "unsupported-red-hat-internal-testing"
-	privilegedHiveUserAccount string = "admin-kubeconfig-signer"
+	privilegedHiveUserAccount string = "system:admin"
 )
 
 var (

pkg/webhooks/sdnmigration/sdnmigration_test.go

@@ -32,16 +32,17 @@ func TestAuthorized(t *testing.T) {
 			},
 			ExpectAllowed: true,
 		},
+		// Hive uses the admin user and we need to bypass the webhook for Hive
 		{
-			Name: "system admin should be denied",
+			Name: "system admin should be allowed",
 			Request: admissionctl.Request{
 				AdmissionRequest: admissionv1.AdmissionRequest{
 					UserInfo: authenticationv1.UserInfo{
 						Username: "system:admin",
 					},
 				},
 			},
-			ExpectAllowed: false,
+			ExpectAllowed: true,
 		},
 		{
 			Name: "non-privileged account should be denied",