Cluster scoped admissions (#114)

* Admission: Enforce namespace scoped resources
* Implement ClusterAdmission

Author: bastjan

admission/handler.go

@@ -106,16 +106,31 @@ func (h *handler) handle(ctx context.Context, admissionKey types.NamespacedName,
 		return admission.Errored(http.StatusBadRequest, errors.New("missing namespace and name in context"))
 	}
 
-	var adm espejotev1alpha1.Admission
-	if err := h.Client.Get(ctx, admissionKey, &adm); err != nil {
-		if apierrors.IsNotFound(err) {
-			return admission.Allowed("Admission not found")
+	var admNamespace, admTemplate string
+	if admissionKey.Namespace != "" {
+		var adm espejotev1alpha1.Admission
+		if err := h.Client.Get(ctx, admissionKey, &adm); err != nil {
+			if apierrors.IsNotFound(err) {
+				return admission.Allowed("Admission not found")
+			}
+			return admission.Errored(http.StatusInternalServerError, err)
+		}
+		admNamespace = adm.Namespace
+		admTemplate = adm.Spec.Template
+	} else {
+		var admCluster espejotev1alpha1.ClusterAdmission
+		if err := h.Client.Get(ctx, types.NamespacedName{Name: admissionKey.Name}, &admCluster); err != nil {
+			if apierrors.IsNotFound(err) {
+				return admission.Allowed("ClusterAdmission not found")
+			}
+			return admission.Errored(http.StatusInternalServerError, err)
 		}
-		return admission.Errored(http.StatusInternalServerError, err)
+		admNamespace = ""
+		admTemplate = admCluster.Spec.Template
 	}
 
 	jvm := jsonnet.MakeVM()
-	jvm.Importer(controllers.FromClientImporter(h.Client, adm.GetNamespace(), h.JsonnetLibraryNamespace))
+	jvm.Importer(controllers.FromClientImporter(h.Client, admNamespace, h.JsonnetLibraryNamespace))
 	jvm.NativeFunction(applyPatchNativeFunction)
 
 	reqJson, err := json.Marshal(req)
@@ -124,7 +139,7 @@ func (h *handler) handle(ctx context.Context, admissionKey types.NamespacedName,
 	}
 	jvm.ExtCode("__internal_use_espejote_lib_admissionrequest", string(reqJson))
 
-	ret, err := jvm.EvaluateAnonymousSnippet("admission", adm.Spec.Template)
+	ret, err := jvm.EvaluateAnonymousSnippet("admission", admTemplate)
 	if err != nil {
 		return admission.Errored(http.StatusInternalServerError, fmt.Errorf("failed to evaluate jsonnet: %w", err))
 	}

admission/handler_test.go

@@ -53,6 +53,32 @@ func Test_Handler_AdmissionNotFound(t *testing.T) {
 	assert.Equal(t, "Admission not found", admres.Response.Result.Message)
 }
 
+func Test_Handler_ClusterAdmissionNotFound(t *testing.T) {
+	t.Parallel()
+
+	c := buildFakeClient(t)
+
+	subject := espadmission.NewHandler(c, "default")
+	require.NotNil(t, subject)
+
+	w := httptest.NewRecorder()
+	req := newClusterScopedAdmissionRequest(t, "test", admissionv1.AdmissionRequest{
+		UID: "test",
+	})
+	subject.ServeHTTP(w, req)
+	res := w.Result()
+	require.Equal(t, http.StatusOK, res.StatusCode)
+
+	require.NotNil(t, res.Body)
+	defer res.Body.Close()
+	var admres admissionv1.AdmissionReview
+	require.NoError(t, json.NewDecoder(res.Body).Decode(&admres))
+	require.NotNil(t, admres.Response)
+	require.NotNil(t, admres.Response.Result)
+	assert.Equal(t, http.StatusOK, int(admres.Response.Result.Code))
+	assert.Equal(t, "ClusterAdmission not found", admres.Response.Result.Message)
+}
+
 func Test_Handler_Allowed(t *testing.T) {
 	t.Parallel()
 
@@ -91,6 +117,43 @@ func Test_Handler_Allowed(t *testing.T) {
 	assert.Equal(t, "Nice job!", admres.Response.Result.Message)
 }
 
+func Test_Handler_Allowed_ClusterScoped(t *testing.T) {
+	t.Parallel()
+
+	c := buildFakeClient(t, &espejotev1alpha1.ClusterAdmission{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: "test",
+		},
+		Spec: espejotev1alpha1.ClusterAdmissionSpec{
+			Template: `
+			local esp = import 'espejote.libsonnet';
+
+			esp.ALPHA.admission.allowed("Nice job!")
+`,
+		},
+	})
+
+	subject := espadmission.NewHandler(c, "default")
+	require.NotNil(t, subject)
+
+	w := httptest.NewRecorder()
+	req := newClusterScopedAdmissionRequest(t, "test", admissionv1.AdmissionRequest{
+		UID: "test",
+	})
+	subject.ServeHTTP(w, req)
+	res := w.Result()
+	require.Equal(t, http.StatusOK, res.StatusCode)
+
+	require.NotNil(t, res.Body)
+	defer res.Body.Close()
+	var admres admissionv1.AdmissionReview
+	require.NoError(t, json.NewDecoder(res.Body).Decode(&admres))
+	require.NotNil(t, admres.Response)
+	require.NotNil(t, admres.Response.Result)
+	assert.Equal(t, http.StatusOK, int(admres.Response.Result.Code))
+	assert.Equal(t, "Nice job!", admres.Response.Result.Message)
+}
+
 func Test_Handler_Denied(t *testing.T) {
 	t.Parallel()
 
@@ -266,6 +329,23 @@ func newAdmissionRequest(t *testing.T, name, namespace string, admreq admissionv
 	return req
 }
 
+func newClusterScopedAdmissionRequest(t *testing.T, name string, admreq admissionv1.AdmissionRequest) *http.Request {
+	t.Helper()
+
+	b := admissionv1.AdmissionReview{
+		Request: &admreq,
+	}
+	b.SetGroupVersionKind(admissionv1.SchemeGroupVersion.WithKind("AdmissionReview"))
+
+	body := new(bytes.Buffer)
+	require.NoError(t, json.NewEncoder(body).Encode(b))
+	req := httptest.NewRequest("GET", path.Join("/dynamic-cluster", name), body)
+	req = req.WithContext(log.IntoContext(req.Context(), testr.New(t)))
+	req.Header.Set("Content-Type", "application/json")
+	req.SetPathValue("name", name)
+	return req
+}
+
 func objectToRaw(t *testing.T, obj client.Object) runtime.RawExtension {
 	t.Helper()
 

api/v1alpha1/admission_types.go

@@ -10,7 +10,8 @@ type AdmissionSpec struct {
 	// WebhookConfiguration defines the configuration for the Admission webhook.
 	// Allows fine grained control over what is forwarded to the webhook.
 	// Note that Admission enforces namespace isolation. The namespaceSelector field is set to the namespace of the Admission and can't be overridden.
-	// There will be a ClusterAdmission in the future to allow for cluster wide admission control.
+	// The rules are enforced to only match namespaced resources.
+	// Use ClusterAdmission for cluster scoped webhooks and resources.
 	WebhookConfiguration WebhookConfiguration `json:"webhookConfiguration,omitempty"`
 
 	// Mutating defines if the Admission should create a MutatingWebhookConfiguration or a ValidatingWebhookConfiguration.
@@ -28,6 +29,77 @@ type AdmissionSpec struct {
 	Template string `json:"template,omitempty"`
 }
 
+// ClusterAdmissionSpec defines the desired state of ClusterAdmission.
+type ClusterAdmissionSpec struct {
+	// WebhookConfiguration defines the configuration for the Admission webhook.
+	// Allows fine grained control over what is forwarded to the webhook.
+	WebhookConfiguration WebhookConfigurationWithNamespaceSelector `json:"webhookConfiguration,omitempty"`
+
+	// Mutating defines if the Admission should create a MutatingWebhookConfiguration or a ValidatingWebhookConfiguration.
+	Mutating bool `json:"mutating,omitempty"`
+
+	// Template contains the Jsonnet code to decide the admission result.
+	// Admission responses should be created using the `espejote.libsonnet` library.
+	// `esp.ALPHA.admission.allowed("Nice job!")`, `esp.ALPHA.admission.denied("Bad job!")`, `esp.ALPHA.admission.patched("added user annotation", [jsonPatchOp("add", "/metadata/annotations/user", "tom")])` are examples of valid responses.
+	// The template can reference JsonnetLibrary objects by importing them.
+	// JsonnetLibrary objects have the following structure:
+	// - "espejote.libsonnet": The built in library for accessing the context and trigger information.
+	// - "lib/<NAME>/<KEY>" libraries in the shared library namespace. The name corresponds to the name of the JsonnetLibrary object and the key to the key in the data field.
+	//   The namespace is configured at controller startup and normally points to the namespace of the controller.
+	// Note that ClusterAdmission cannot reference non-library JsonnetLibrary objects.
+	Template string `json:"template,omitempty"`
+}
+
+type WebhookConfigurationWithNamespaceSelector struct {
+	// NamespaceSelector decides whether to run the webhook on an object based
+	// on whether the namespace for that object matches the selector. If the
+	// object itself is a namespace, the matching is performed on
+	// object.metadata.labels. If the object is another cluster scoped resource,
+	// it never skips the webhook.
+	//
+	// For example, to run the webhook on any objects whose namespace is not
+	// associated with "runlevel" of "0" or "1";  you will set the selector as
+	// follows:
+	// "namespaceSelector": {
+	//   "matchExpressions": [
+	//     {
+	//       "key": "runlevel",
+	//       "operator": "NotIn",
+	//       "values": [
+	//         "0",
+	//         "1"
+	//       ]
+	//     }
+	//   ]
+	// }
+	//
+	// If instead you want to only run the webhook on any objects whose
+	// namespace is associated with the "environment" of "prod" or "staging";
+	// you will set the selector as follows:
+	// "namespaceSelector": {
+	//   "matchExpressions": [
+	//     {
+	//       "key": "environment",
+	//       "operator": "In",
+	//       "values": [
+	//         "prod",
+	//         "staging"
+	//       ]
+	//     }
+	//   ]
+	// }
+	//
+	// See
+	// https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
+	// for more examples of label selectors.
+	//
+	// Default to the empty LabelSelector, which matches everything.
+	// +optional
+	NamespaceSelector *metav1.LabelSelector `json:"namespaceSelector,omitempty" protobuf:"bytes,5,opt,name=namespaceSelector"`
+
+	WebhookConfiguration `json:",inline"`
+}
+
 type WebhookConfiguration struct {
 	// Rules describes what operations on what resources/subresources the webhook cares about.
 	// The webhook cares about an operation if it matches _any_ Rule.
@@ -134,6 +206,29 @@ type AdmissionList struct {
 	Items           []Admission `json:"items"`
 }
 
+//+kubebuilder:object:root=true
+
+// ClusterAdmission is the Schema for the ClusterAdmissions API.
+// ClusterAdmission currently fully relies on cert-manager for certificate management and webhook certificate injection.
+// See the kustomize overlays for more information.
+// +kubebuilder:resource:scope=Cluster
+// +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.status`
+type ClusterAdmission struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	Spec ClusterAdmissionSpec `json:"spec,omitempty"`
+}
+
+//+kubebuilder:object:root=true
+
+// ClusterAdmissionList contains a list of ClusterAdmission
+type ClusterAdmissionList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+	Items           []ClusterAdmission `json:"items"`
+}
+
 func init() {
-	SchemeBuilder.Register(&Admission{}, &AdmissionList{})
+	SchemeBuilder.Register(&Admission{}, &AdmissionList{}, &ClusterAdmission{}, &ClusterAdmissionList{})
 }