AdmissionConfiguration now uses strict validation

seans3 · seans3 · commit ae20937ea6e8 · 2024-10-14T17:50:07.000-07:00
diff --git a/staging/src/k8s.io/apiserver/pkg/admission/config.go b/staging/src/k8s.io/apiserver/pkg/admission/config.go
@@ -63,7 +63,7 @@ func ReadAdmissionConfiguration(pluginNames []string, configFilePath string, con
 	if err != nil {
 		return nil, fmt.Errorf("unable to read admission control configuration from %q [%v]", configFilePath, err)
 	}
-	codecs := serializer.NewCodecFactory(configScheme)
+	codecs := serializer.NewCodecFactory(configScheme, serializer.EnableStrict)
 	decoder := codecs.UniversalDecoder()
 	decodedObj, err := runtime.Decode(decoder, data)
 	// we were able to decode the file successfully
diff --git a/staging/src/k8s.io/apiserver/pkg/admission/config_test.go b/staging/src/k8s.io/apiserver/pkg/admission/config_test.go
@@ -22,6 +22,7 @@ import (
 	"reflect"
 	"testing"
 
+	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 
 	"k8s.io/apimachinery/pkg/runtime"
@@ -52,7 +53,28 @@ func TestReadAdmissionConfiguration(t *testing.T) {
 		ConfigBody              string
 		ExpectedAdmissionConfig *apiserver.AdmissionConfiguration
 		PluginNames             []string
+		ExpectedError           string
 	}{
+		"duplicate field configuration error": {
+			ConfigBody: `{
+"apiVersion": "apiserver.k8s.io/v1alpha1",
+"kind": "AdmissionConfiguration",
+"plugins": [
+  {"name": "ImagePolicyWebhook-duplicate", "name": "ImagePolicyWebhook", "path": "image-policy-webhook.json"},
+  {"name": "ResourceQuota"}
+]}`,
+			ExpectedError: "strict decoding error: duplicate field",
+		},
+		"unknown field configuration error": {
+			ConfigBody: `{
+"apiVersion": "apiserver.k8s.io/v1alpha1",
+"kind": "AdmissionConfiguration",
+"plugins": [
+  {"foo": "bar", "name": "ImagePolicyWebhook", "path": "image-policy-webhook.json"},
+  {"name": "ResourceQuota"}
+]}`,
+			ExpectedError: "strict decoding error: unknown field",
+		},
 		"v1alpha1 configuration - path fixup": {
 			ConfigBody: `{
 "apiVersion": "apiserver.k8s.io/v1alpha1",
@@ -192,12 +214,18 @@ func TestReadAdmissionConfiguration(t *testing.T) {
 			t.Fatalf("unexpected err writing temp file: %v", err)
 		}
 		config, err := ReadAdmissionConfiguration(testCase.PluginNames, configFileName, scheme)
-		if err != nil {
+		if testCase.ExpectedError != "" {
+			if err != nil {
+				assert.Contains(t, err.Error(), testCase.ExpectedError)
+			} else {
+				t.Fatalf("expected error %q but received none", testCase.ExpectedError)
+			}
+		} else if err != nil {
 			t.Fatalf("unexpected err: %v", err)
+		} else if !reflect.DeepEqual(config.(configProvider).config, testCase.ExpectedAdmissionConfig) {
+			t.Fatalf("%s: Expected:\n\t%#v\nGot:\n\t%#v", testName, testCase.ExpectedAdmissionConfig, config.(configProvider).config)
 		}
-		if !reflect.DeepEqual(config.(configProvider).config, testCase.ExpectedAdmissionConfig) {
-			t.Errorf("%s: Expected:\n\t%#v\nGot:\n\t%#v", testName, testCase.ExpectedAdmissionConfig, config.(configProvider).config)
-		}
+
 	}
 }
 

Original file line number	Diff line number	Diff line change
`@@ -63,7 +63,7 @@ func ReadAdmissionConfiguration(pluginNames []string, configFilePath string, con`
`63`	`63`	`if err != nil {`
`64`	`64`	`return nil, fmt.Errorf("unable to read admission control configuration from %q [%v]", configFilePath, err)`
`65`	`65`	`}`
`66`		`- codecs := serializer.NewCodecFactory(configScheme)`
	`66`	`+ codecs := serializer.NewCodecFactory(configScheme, serializer.EnableStrict)`
`67`	`67`	`decoder := codecs.UniversalDecoder()`
`68`	`68`	`decodedObj, err := runtime.Decode(decoder, data)`
`69`	`69`	`// we were able to decode the file successfully`