Merge branch 'openshift:master' into OSD-24275

Author: nephomaniac

README.md

@@ -437,5 +437,3 @@ pkg/webhooks/namespace
 Commit all changes and deploy as normal.
 
 Once the code changes are complete, remove the undesired `ValidatingWebhookConfiguration` object(s) manually from the cluster.
-
-

pkg/config/generate/namespaces.go

@@ -23,7 +23,7 @@ var namespaceFiles = []string{
 
 var (
 	// Base lists - default values which will always be enforced regardless of managed-cluster-config
-	namespaces = []string{"^kube.*", "^default$", "^redhat.*"}
+	namespaces = []string{"^default$", "^openshift$", "^kube-.*", "^redhat-.*"}
 	configmaps = []string{}
 )
 

pkg/config/namespaces.go

@@ -17,15 +17,14 @@ import (
 )
 
 const (
-	WebhookName               string = "ingress-config-validation"
-	privilegedServiceAccounts string = `^system:serviceaccounts:(kube.*|openshift.*|default|redhat.*|osde2e-[a-z0-9]{5})`
-	privilegedUsers           string = `system:admin`
-	docString                 string = `Managed OpenShift customers may not modify ingress config resources because it can can degrade cluster operators and can interfere with OpenShift SRE monitoring.`
+	WebhookName     string = "ingress-config-validation"
+	privilegedUsers string = `system:admin`
+	docString       string = `Managed OpenShift customers may not modify ingress config resources because it can can degrade cluster operators and can interfere with OpenShift SRE monitoring.`
 )
 
 var (
 	log                         = logf.Log.WithName(WebhookName)
-	privilegedServiceAccountsRe = regexp.MustCompile(privilegedServiceAccounts)
+	privilegedServiceAccountsRe = regexp.MustCompile(utils.PrivilegedServiceAccountGroups)
 	privilegedUsersRe           = regexp.MustCompile(privilegedUsers)
 
 	scope = admissionregv1.ClusterScope

pkg/webhooks/ingressconfig/ingressconfig.go

@@ -22,7 +22,7 @@ import (
 const (
 	WebhookName                  string = "namespace-validation"
 	badNamespace                 string = `(^com$|^io$|^in$)`
-	layeredProductNamespace      string = `^redhat.*`
+	layeredProductNamespace      string = `^redhat-.*`
 	layeredProductAdminGroupName string = "layered-sre-cluster-admins"
 	docString                    string = `Managed OpenShift Customers may not modify namespaces specified in the %v ConfigMaps because customer workloads should be placed in customer-created namespaces. Customers may not create namespaces identified by this regular expression %s because it could interfere with critical DNS resolution. Additionally, customers may not set or change the values of these Namespace labels %s.`
 	clusterAdminGroup            string = "cluster-admins"

pkg/webhooks/namespace/namespace.go

@@ -290,7 +290,7 @@ func TestLayeredProducts(t *testing.T) {
 	tests := []namespaceTestSuites{
 		{
 			// Layered admins can manipulate in the lp ns, but not privileged ones
-			// note: ^redhat.* is a privileged ns, but lp admins have an exception in
+			// note: ^redhat-.* is a privileged ns, but lp admins have an exception in
 			// it (but not other privileged ns)
 			testID:          "lp-create-layered-ns",
 			targetNamespace: "redhat-layered-product",

pkg/webhooks/namespace/namespace_test.go

@@ -18,16 +18,15 @@ import (
 )
 
 const (
-	WebhookName                    string = "prometheusrule-validation"
-	docString                      string = `Managed OpenShift Customers may not create PrometheusRule in namespaces managed by Red Hat.`
-	privilegedServiceAccountGroups string = `^system:serviceaccounts:(kube.*|openshift.*|default|redhat.*|osde2e-[a-z0-9]{5})`
+	WebhookName string = "prometheusrule-validation"
+	docString   string = `Managed OpenShift Customers may not create PrometheusRule in namespaces managed by Red Hat.`
 )
 
 var (
 	timeout                          int32 = 2
 	allowedUsers                           = []string{"kube:admin", "system:admin", "backplane-cluster-admin"}
 	sreAdminGroups                         = []string{"system:serviceaccounts:openshift-backplane-srep"}
-	privilegedServiceAccountGroupsRe       = regexp.MustCompile(privilegedServiceAccountGroups)
+	privilegedServiceAccountGroupsRe       = regexp.MustCompile(utils.PrivilegedServiceAccountGroups)
 	privilegedLabels                       = map[string]string{"app.kubernetes.io/name": "stackrox"}
 	scope                                  = admissionregv1.NamespacedScope
 	rules                                  = []admissionregv1.RuleWithOperations{

pkg/webhooks/prometheusrule/prometheusrule.go

@@ -16,15 +16,14 @@ import (
 )
 
 const (
-	WebhookName               string = "sdn-migration-validation"
-	privilegedServiceAccounts string = `^system:serviceaccounts:(kube.*|openshift.*|default|redhat.*|osde2e-[a-z0-9]{5})`
-	docString                 string = `Managed OpenShift customers may not modify the network config type because it can can degrade cluster operators and can interfere with OpenShift SRE monitoring.`
-	overrideAnnotation        string = "unsupported-red-hat-internal-testing"
+	WebhookName        string = "sdn-migration-validation"
+	docString          string = `Managed OpenShift customers may not modify the network config type because it can can degrade cluster operators and can interfere with OpenShift SRE monitoring.`
+	overrideAnnotation string = "unsupported-red-hat-internal-testing"
 )
 
 var (
 	log                         = logf.Log.WithName(WebhookName)
-	privilegedServiceAccountsRe = regexp.MustCompile(privilegedServiceAccounts)
+	privilegedServiceAccountsRe = regexp.MustCompile(utils.PrivilegedServiceAccountGroups)
 
 	scope = admissionregv1.ClusterScope
 	rules = []admissionregv1.RuleWithOperations{

pkg/webhooks/sdnmigration/sdnmigration.go

@@ -22,7 +22,7 @@ const (
 	// perform restricted actions.
 	// Centralized osde2e tests have a serviceaccount like "system:serviceaccounts:osde2e-abcde"
 	// Decentralized osde2e tests have a serviceaccount like "system:serviceaccounts:osde2e-h-abcde"
-	PrivilegedServiceAccountGroups string = `^system:serviceaccounts:(kube.*|openshift.*|default|redhat.*|osde2e-(h-)?[a-z0-9]{5})`
+	PrivilegedServiceAccountGroups string = `^system:serviceaccounts:(kube-.*|openshift|openshift-.*|default|redhat-.*|osde2e-(h-)?[a-z0-9]{5})`
 )
 
 var (