

Added tests for webhooks
Signed-off-by: Kevin Conner <[email protected]>
knrc committed Apr 22, 2024
1 parent 2be6077 commit 77fc7b2
Showing 59 changed files with 873 additions and 23 deletions.
4 changes: 3 additions & 1 deletion k8s/evals.go
Expand Up @@ -188,7 +188,9 @@ func calculateLazyEvalCost(lazyEvals lazyEvalMap) uint64 {
func calculateEvalResponsesCost(evals evalResponses) uint64 {
var cost uint64
for _, eval := range evals {
cost += *eval.details.ActualCost()
if eval.details != nil {
cost += *eval.details.ActualCost()
}
}
return cost
}
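Review bot: The new nil guard on `eval.details` still dereferences the result of `ActualCost()` unconditionally on the next line; if cost tracking was not enabled for the program that produced these details, that pointer can itself be nil (cel-go's EvalDetails.ActualCost returns nil in that case, as far as I recall — confirm against the version pinned in go.mod) and the loop still panics. Guarding the returned pointer rather than only the details covers both: `if eval.details != nil {` / `if c := eval.details.ActualCost(); c != nil {` / `cost += *c`. calculateEvalResponsesCost is shown in full here; the calculateLazyEvalCost named in the hunk header ends before it.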
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
12 changes: 12 additions & 0 deletions k8s/testdata/webhook/authorizer4.yaml
@@ -0,0 +1,12 @@
paths:
groups:
admissionregistration.k8s.io:
resources:
validatingwebhookconfigurations:
checks:
"":
rbac.my-webhook.example.com:
breakglass:
decision: allow
serviceAccounts:
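Review bot: `paths:` and `serviceAccounts:` are bare keys, so a YAML parser yields null for them rather than an empty map, and in multi authorizer1.yaml the same holds for `groups:` too. If these are decoded into Go maps that is harmless for lookups (a nil map reads as empty) but differs from `{}` under any presence or equality check, so `paths: {}` / `serviceAccounts: {}` where "empty" is meant makes the intent explicit; multi authorizer1.yaml, multi authorizer2.yaml and multi authorizer3.yaml have the same shape. The fixture schema (groups → API group → resources → resource → checks → `""` → webhook name → verb → decision, as far as the flattened rendering lets me infer it) is not described anywhere visible, and the `""` key under `checks` in particular deserves a top-of-file comment saying what it denotes — presumably the empty namespace of a cluster-scoped check, which I cannot confirm from here.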

4 changes: 4 additions & 0 deletions k8s/testdata/webhook/multi authorizer1.yaml
@@ -0,0 +1,4 @@
paths:
groups:
serviceAccounts:

12 changes: 12 additions & 0 deletions k8s/testdata/webhook/multi authorizer2.yaml
@@ -0,0 +1,12 @@
paths:
groups:
admissionregistration.k8s.io:
resources:
validatingwebhookconfigurations:
checks:
"":
rbac.my-webhook.example.com:
breakglass:
decision: allow
serviceAccounts:

12 changes: 12 additions & 0 deletions k8s/testdata/webhook/multi authorizer3.yaml
@@ -0,0 +1,12 @@
paths:
groups:
admissionregistration.k8s.io:
resources:
validatingwebhookconfigurations:
checks:
"":
rbac.my-webhook.example.com:
breakglass:
decision: allow
serviceAccounts:

30 changes: 30 additions & 0 deletions k8s/testdata/webhook/multi request1.yaml
@@ -0,0 +1,30 @@
uid: 705ab4f5-6393-11e8-b7cc-42010a800002
kind:
group: apps
version: v1
resource: deployments
resource:
group: apps
version: v1
resource: deployments
requestKind:
group: apps
version: v1
resource: deployments
requestResource:
group: apps
version: v1
resource: deployments
name: kubernetes-bootcamp
namespace: default
operation: CREATE
userInfo:
username: admin
uid: 014fbff9a07c
groups:
- system:authenticated
- my-admin-group
extra:
some-key:
- some-value1
- some-value2
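Review bot: Under `kind:` and `requestKind:` the third field is `resource: deployments`, but an admission request's Kind and RequestKind are GroupVersionKind values whose third field is `kind` (e.g. `kind: Deployment`); `resource` belongs only under `resource:` and `requestResource:`. If this fixture is decoded into admissionv1.AdmissionRequest the field is dropped (or rejected by a strict decoder) and `request.kind.kind` is empty in any CEL expression that reads it; with a project-specific request type this may be deliberate — confirm. Suggested lines for both blocks: `kind:` / `  group: apps` / `  version: v1` / `  kind: Deployment`. multi request2.yaml and multi request3.yaml are identical copies and would need the same change.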
30 changes: 30 additions & 0 deletions k8s/testdata/webhook/multi request2.yaml
@@ -0,0 +1,30 @@
uid: 705ab4f5-6393-11e8-b7cc-42010a800002
kind:
group: apps
version: v1
resource: deployments
resource:
group: apps
version: v1
resource: deployments
requestKind:
group: apps
version: v1
resource: deployments
requestResource:
group: apps
version: v1
resource: deployments
name: kubernetes-bootcamp
namespace: default
operation: CREATE
userInfo:
username: admin
uid: 014fbff9a07c
groups:
- system:authenticated
- my-admin-group
extra:
some-key:
- some-value1
- some-value2
30 changes: 30 additions & 0 deletions k8s/testdata/webhook/multi request3.yaml
@@ -0,0 +1,30 @@
uid: 705ab4f5-6393-11e8-b7cc-42010a800002
kind:
group: apps
version: v1
resource: deployments
resource:
group: apps
version: v1
resource: deployments
requestKind:
group: apps
version: v1
resource: deployments
requestResource:
group: apps
version: v1
resource: deployments
name: kubernetes-bootcamp
namespace: default
operation: CREATE
userInfo:
username: admin
uid: 014fbff9a07c
groups:
- system:authenticated
- my-admin-group
extra:
some-key:
- some-value1
- some-value2
37 changes: 37 additions & 0 deletions k8s/testdata/webhook/multi updated1.yaml
@@ -0,0 +1,37 @@
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: kubernetes-bootcamp
name: kubernetes-bootcamp
namespace: default
spec:
progressDeadlineSeconds: 600
replicas: 1
revisionHistoryLimit: 10
selector:
matchLabels:
app: kubernetes-bootcamp
strategy:
rollingUpdate:
maxSurge: 25%
maxUnavailable: 25%
type: RollingUpdate
template:
metadata:
creationTimestamp: null
labels:
app: kubernetes-bootcamp
spec:
containers:
- image: gcr.io/google-samples/kubernetes-bootcamp:v1
imagePullPolicy: IfNotPresent
name: kubernetes-bootcamp
resources: {}
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
dnsPolicy: ClusterFirst
restartPolicy: Always
schedulerName: default-scheduler
securityContext: {}
terminationGracePeriodSeconds: 30
37 changes: 37 additions & 0 deletions k8s/testdata/webhook/multi updated2.yaml
@@ -0,0 +1,37 @@
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: kubernetes-bootcamp
name: kubernetes-bootcamp
namespace: default
spec:
progressDeadlineSeconds: 600
replicas: 1
revisionHistoryLimit: 10
selector:
matchLabels:
app: kubernetes-bootcamp
strategy:
rollingUpdate:
maxSurge: 25%
maxUnavailable: 25%
type: RollingUpdate
template:
metadata:
creationTimestamp: null
labels:
app: kubernetes-bootcamp
spec:
containers:
- image: gcr.io/google-samples/kubernetes-bootcamp:v1
imagePullPolicy: IfNotPresent
name: kubernetes-bootcamp
resources: {}
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
dnsPolicy: ClusterFirst
restartPolicy: Always
schedulerName: default-scheduler
securityContext: {}
terminationGracePeriodSeconds: 30
37 changes: 37 additions & 0 deletions k8s/testdata/webhook/multi updated3.yaml
@@ -0,0 +1,37 @@
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: kubernetes-bootcamp
name: kubernetes-bootcamp
namespace: default
spec:
progressDeadlineSeconds: 600
replicas: 1
revisionHistoryLimit: 10
selector:
matchLabels:
app: kubernetes-bootcamp
strategy:
rollingUpdate:
maxSurge: 25%
maxUnavailable: 25%
type: RollingUpdate
template:
metadata:
creationTimestamp: null
labels:
app: kubernetes-bootcamp
spec:
containers:
- image: gcr.io/google-samples/kubernetes-bootcamp:v1
imagePullPolicy: IfNotPresent
name: kubernetes-bootcamp
resources: {}
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
dnsPolicy: ClusterFirst
restartPolicy: Always
schedulerName: default-scheduler
securityContext: {}
terminationGracePeriodSeconds: 30
43 changes: 43 additions & 0 deletions k8s/testdata/webhook/multi webhook1.yaml
@@ -0,0 +1,43 @@
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
webhooks:
- name: rbac.my-webhook.example.com
matchPolicy: Equivalent
rules:
- operations: ['CREATE','UPDATE']
apiGroups: ['apps']
apiVersions: ['*']
resources: ['*']
failurePolicy: 'Fail' # Fail-closed (the default)
sideEffects: None
clientConfig:
service:
namespace: my-namespace
name: my-webhook
caBundle: 'PGNhYnVuZGxlPgo='
# You can have up to 64 matchConditions per webhook
matchConditions:
- name: 'breakglass'
# Skip requests made by users authorized to 'breakglass' on this webhook.
# The 'breakglass' API verb does not need to exist outside this check.
expression: '!authorizer.group("admissionregistration.k8s.io").resource("validatingwebhookconfigurations").name("rbac.my-webhook.example.com").check("breakglass").allowed()'
- name: my-webhook.example.com
matchPolicy: Equivalent
rules:
- operations: ['CREATE','UPDATE']
apiGroups: ['*']
apiVersions: ['*']
resources: ['*']
failurePolicy: 'Ignore' # Fail-open (optional)
sideEffects: None
clientConfig:
service:
namespace: my-namespace
name: my-webhook
caBundle: 'PGNhYnVuZGxlPgo='
# You can have up to 64 matchConditions per webhook
matchConditions:
- name: 'exclude-leases' # Each match condition must have a unique name
expression: '!(request.resource.group == "coordination.k8s.io" && request.resource.resource == "leases")' # Match non-lease resources.
- name: 'exclude-kubelet-requests'
expression: '!("system:nodes" in request.userInfo.groups)' # Match requests made by non-node users.
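Review bot: multi webhook1.yaml and multi webhook3.yaml are byte-identical, as are multi request1–3.yaml, multi updated1–3.yaml and authorizer4.yaml against multi authorizer2/3.yaml, which leaves a reader unable to tell which file drives a distinct case (only multi webhook2.yaml and multi authorizer1.yaml actually differ). If the harness pairs fixtures by numeric suffix, a one-line comment at the top of each copy naming its scenario would at least say why the copy exists; otherwise pointing the cases at one shared file removes the duplication. The spaces in these file names (`multi webhook1.yaml`) also have to be quoted in every shell command or `go:embed` pattern that touches them; `multi_webhook1.yaml` avoids that. The second webhook's `failurePolicy: 'Ignore'` plus the leases/kubelet exclusions are lifted from the upstream docs example, which is fine for a fixture but worth a comment so the fail-open setting is not copied as a recommended configuration.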
41 changes: 41 additions & 0 deletions k8s/testdata/webhook/multi webhook2.yaml
@@ -0,0 +1,41 @@
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
webhooks:
- name: rbac.my-webhook.example.com
matchPolicy: Equivalent
rules:
- operations: ['CREATE','UPDATE']
apiGroups: ['apps']
apiVersions: ['*']
resources: ['*']
failurePolicy: 'Fail' # Fail-closed (the default)
sideEffects: None
clientConfig:
service:
namespace: my-namespace
name: my-webhook
caBundle: 'PGNhYnVuZGxlPgo='
# You can have up to 64 matchConditions per webhook
matchConditions:
- name: 'breakglass'
# Skip requests made by users authorized to 'breakglass' on this webhook.
# The 'breakglass' API verb does not need to exist outside this check.
expression: '!authorizer.group("admissionregistration.k8s.io").resource("validatingwebhookconfigurations").name("rbac.my-webhook.example.com").check("breakglass").allowed()'
- name: my-webhook.example.com
matchPolicy: Equivalent
rules:
- operations: ['CREATE','UPDATE']
apiGroups: ['*']
apiVersions: ['*']
resources: ['*']
failurePolicy: 'Ignore' # Fail-open (optional)
sideEffects: None
clientConfig:
service:
namespace: my-namespace
name: my-webhook
caBundle: 'PGNhYnVuZGxlPgo='
# You can have up to 64 matchConditions per webhook
matchConditions:
- name: 'exclude-bootcamp'
expression: '!(object.metadata.labels.app == "kubernetes-bootcamp")'
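Review bot: `object.metadata.labels.app` in the `exclude-bootcamp` condition raises a CEL evaluation error whenever the incoming object has no `labels` map or no `app` key; in the API server a matchConditions error is resolved by `failurePolicy`, which is `Ignore` here, so such requests would skip the webhook silently instead of being evaluated. The object in multi updated2.yaml does carry the label, so the fixture only exercises the happy path. A presence-checked form states the intent and behaves the same either way: `expression: '!(has(object.metadata.labels) && "app" in object.metadata.labels && object.metadata.labels.app == "kubernetes-bootcamp")'`. Whether the evaluator under test mirrors the API server's error handling is not visible from this page.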
43 changes: 43 additions & 0 deletions k8s/testdata/webhook/multi webhook3.yaml
@@ -0,0 +1,43 @@
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
webhooks:
- name: rbac.my-webhook.example.com
matchPolicy: Equivalent
rules:
- operations: ['CREATE','UPDATE']
apiGroups: ['apps']
apiVersions: ['*']
resources: ['*']
failurePolicy: 'Fail' # Fail-closed (the default)
sideEffects: None
clientConfig:
service:
namespace: my-namespace
name: my-webhook
caBundle: 'PGNhYnVuZGxlPgo='
# You can have up to 64 matchConditions per webhook
matchConditions:
- name: 'breakglass'
# Skip requests made by users authorized to 'breakglass' on this webhook.
# The 'breakglass' API verb does not need to exist outside this check.
expression: '!authorizer.group("admissionregistration.k8s.io").resource("validatingwebhookconfigurations").name("rbac.my-webhook.example.com").check("breakglass").allowed()'
- name: my-webhook.example.com
matchPolicy: Equivalent
rules:
- operations: ['CREATE','UPDATE']
apiGroups: ['*']
apiVersions: ['*']
resources: ['*']
failurePolicy: 'Ignore' # Fail-open (optional)
sideEffects: None
clientConfig:
service:
namespace: my-namespace
name: my-webhook
caBundle: 'PGNhYnVuZGxlPgo='
# You can have up to 64 matchConditions per webhook
matchConditions:
- name: 'exclude-leases' # Each match condition must have a unique name
expression: '!(request.resource.group == "coordination.k8s.io" && request.resource.resource == "leases")' # Match non-lease resources.
- name: 'exclude-kubelet-requests'
expression: '!("system:nodes" in request.userInfo.groups)' # Match requests made by non-node users.

