From 11ce6d29157daf7437d6da7fdeb11cabf2e774aa Mon Sep 17 00:00:00 2001 From: Nabarun Pal Date: Wed, 4 Oct 2023 10:33:58 +0530 Subject: [PATCH] k8s.io/apiserver: fix levelling of the name field in AuthorizationConfiguration Signed-off-by: Nabarun Pal --- .../apiserver/pkg/apis/apiserver/types.go | 13 +- .../pkg/apis/apiserver/v1alpha1/types.go | 13 +- .../v1alpha1/zz_generated.conversion.go | 4 +- .../apis/apiserver/validation/validation.go | 25 +- .../apiserver/validation/validation_test.go | 268 +++++++----------- 5 files changed, 132 insertions(+), 191 deletions(-) diff --git a/staging/src/k8s.io/apiserver/pkg/apis/apiserver/types.go b/staging/src/k8s.io/apiserver/pkg/apis/apiserver/types.go index 5d7bf39ecdf..2786fa2445a 100644 --- a/staging/src/k8s.io/apiserver/pkg/apis/apiserver/types.go +++ b/staging/src/k8s.io/apiserver/pkg/apis/apiserver/types.go @@ -228,18 +228,19 @@ type AuthorizerConfiguration struct { // types like Node, RBAC, ABAC, etc. Type AuthorizerType + // Name used to describe the webhook + // This is explicitly used in monitoring machinery for metrics + // Note: Names must be DNS1123 labels like `myauthorizername` or + // subdomains like `myauthorizer.example.domain` + // Required, with no default + Name string + // Webhook defines the configuration for a Webhook authorizer // Must be defined when Type=Webhook Webhook *WebhookConfiguration } type WebhookConfiguration struct { - // Name used to describe the webhook - // This is explicitly used in monitoring machinery for metrics - // Note: Names must be DNS1123 labels like `mywebhookname` or - // subdomains like `webhookname.example.domain` - // Required, with no default - Name string // The duration to cache 'authorized' responses from the webhook // authorizer. // Same as setting `--authorization-webhook-cache-authorized-ttl` flag 
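Review bot: The comment carried over to the new `Name` field of `AuthorizerConfiguration` still opens with "Name used to describe the webhook", but the field now sits next to `Type` and the validation change in this patch requires it for every authorizer, not only webhooks. I would reword the first line to `// Name used to describe the authorizer` so that operators writing the authorization config do not read the field as webhook-only. The same comment is added verbatim in v1alpha1/types.go and needs the same edit.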
diff --git a/staging/src/k8s.io/apiserver/pkg/apis/apiserver/v1alpha1/types.go b/staging/src/k8s.io/apiserver/pkg/apis/apiserver/v1alpha1/types.go index 913c212ee27..4c1aa334839 100644 --- a/staging/src/k8s.io/apiserver/pkg/apis/apiserver/v1alpha1/types.go +++ b/staging/src/k8s.io/apiserver/pkg/apis/apiserver/v1alpha1/types.go @@ -298,6 +298,13 @@ type AuthorizerConfiguration struct { // types like Node, RBAC, ABAC, etc. Type string `json:"type"` + // Name used to describe the webhook + // This is explicitly used in monitoring machinery for metrics + // Note: Names must be DNS1123 labels like `myauthorizername` or + // subdomains like `myauthorizer.example.domain` + // Required, with no default + Name string `json:"name"` + // Webhook defines the configuration for a Webhook authorizer // Must be defined when Type=Webhook // Must not be defined when Type!=Webhook @@ -305,12 +312,6 @@ type AuthorizerConfiguration struct { } type WebhookConfiguration struct { - // Name used to describe the webhook - // This is explicitly used in monitoring machinery for metrics - // Note: Names must be DNS1123 labels like `mywebhookname` or - // subdomains like `webhookname.example.domain` - // Required, with no default - Name string `json:"name"` // The duration to cache 'authorized' responses from the webhook // authorizer. // Same as setting `--authorization-webhook-cache-authorized-ttl` flag diff --git a/staging/src/k8s.io/apiserver/pkg/apis/apiserver/v1alpha1/zz_generated.conversion.go b/staging/src/k8s.io/apiserver/pkg/apis/apiserver/v1alpha1/zz_generated.conversion.go index 87b5346f5f8..a7a09ad0eed 100644 --- a/staging/src/k8s.io/apiserver/pkg/apis/apiserver/v1alpha1/zz_generated.conversion.go +++ b/staging/src/k8s.io/apiserver/pkg/apis/apiserver/v1alpha1/zz_generated.conversion.go 
@@ -335,6 +335,7 @@ func Convert_apiserver_AuthorizationConfiguration_To_v1alpha1_AuthorizationConfi func autoConvert_v1alpha1_AuthorizerConfiguration_To_apiserver_AuthorizerConfiguration(in *AuthorizerConfiguration, out *apiserver.AuthorizerConfiguration, s conversion.Scope) error { out.Type = apiserver.AuthorizerType(in.Type) + out.Name = in.Name out.Webhook = (*apiserver.WebhookConfiguration)(unsafe.Pointer(in.Webhook)) return nil } @@ -346,6 +347,7 @@ func Convert_v1alpha1_AuthorizerConfiguration_To_apiserver_AuthorizerConfigurati func autoConvert_apiserver_AuthorizerConfiguration_To_v1alpha1_AuthorizerConfiguration(in *apiserver.AuthorizerConfiguration, out *AuthorizerConfiguration, s conversion.Scope) error { out.Type = string(in.Type) + out.Name = in.Name out.Webhook = (*WebhookConfiguration)(unsafe.Pointer(in.Webhook)) return nil } @@ -677,7 +679,6 @@ func Convert_apiserver_UDSTransport_To_v1alpha1_UDSTransport(in *apiserver.UDSTr } func autoConvert_v1alpha1_WebhookConfiguration_To_apiserver_WebhookConfiguration(in *WebhookConfiguration, out *apiserver.WebhookConfiguration, s conversion.Scope) error { - out.Name = in.Name out.AuthorizedTTL = in.AuthorizedTTL out.UnauthorizedTTL = in.UnauthorizedTTL out.Timeout = in.Timeout @@ -697,7 +698,6 @@ func Convert_v1alpha1_WebhookConfiguration_To_apiserver_WebhookConfiguration(in } func autoConvert_apiserver_WebhookConfiguration_To_v1alpha1_WebhookConfiguration(in *apiserver.WebhookConfiguration, out *WebhookConfiguration, s conversion.Scope) error { - out.Name = in.Name out.AuthorizedTTL = in.AuthorizedTTL out.UnauthorizedTTL = in.UnauthorizedTTL out.Timeout = in.Timeout diff --git a/staging/src/k8s.io/apiserver/pkg/apis/apiserver/validation/validation.go b/staging/src/k8s.io/apiserver/pkg/apis/apiserver/validation/validation.go index 93089ac34bf..a18f8621537 100644 --- a/staging/src/k8s.io/apiserver/pkg/apis/apiserver/validation/validation.go 
+++ b/staging/src/k8s.io/apiserver/pkg/apis/apiserver/validation/validation.go @@ -18,6 +18,7 @@ package validation import ( "fmt" + utilvalidation "k8s.io/apimachinery/pkg/util/validation" "net/url" "os" "path/filepath" @@ -28,7 +29,6 @@ import ( "k8s.io/api/authorization/v1beta1" "k8s.io/apimachinery/pkg/runtime" "k8s.io/apimachinery/pkg/util/sets" - utilvalidation "k8s.io/apimachinery/pkg/util/validation" "k8s.io/apimachinery/pkg/util/validation/field" api "k8s.io/apiserver/pkg/apis/apiserver" "k8s.io/client-go/util/cert" @@ -220,7 +220,7 @@ func ValidateAuthorizationConfiguration(fldPath *field.Path, c *api.Authorizatio } seenAuthorizerTypes := sets.NewString() - seenWebhookNames := sets.NewString() + seenAuthorizerNames := sets.NewString() for i, a := range c.Authorizers { fldPath := fldPath.Child("authorizers").Index(i) aType := string(a.Type) @@ -238,13 +238,22 @@ func ValidateAuthorizationConfiguration(fldPath *field.Path, c *api.Authorizatio } seenAuthorizerTypes.Insert(aType) + if len(a.Name) == 0 { + allErrs = append(allErrs, field.Required(fldPath.Child("name"), "")) + } else if seenAuthorizerNames.Has(a.Name) { + allErrs = append(allErrs, field.Duplicate(fldPath.Child("name"), a.Name)) + } else if errs := utilvalidation.IsDNS1123Subdomain(a.Name); len(errs) != 0 { + allErrs = append(allErrs, field.Invalid(fldPath.Child("name"), a.Name, fmt.Sprintf("authorizer name is invalid: %s", strings.Join(errs, ", ")))) + } + seenAuthorizerNames.Insert(a.Name) + switch a.Type { case api.TypeWebhook: if a.Webhook == nil { allErrs = append(allErrs, field.Required(fldPath.Child("webhook"), "required when type=Webhook")) continue } - allErrs = append(allErrs, ValidateWebhookConfiguration(fldPath, a.Webhook, seenWebhookNames)...) + allErrs = append(allErrs, ValidateWebhookConfiguration(fldPath, a.Webhook)...) default: if a.Webhook != nil { allErrs = append(allErrs, field.Invalid(fldPath.Child("webhook"), "non-null", "may only be specified when type=Webhook")) 
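Review bot: The `utilvalidation` import is re-added between `"fmt"` and `"net/url"` in the first hunk, which puts a k8s.io package inside the standard-library group, while the second hunk deletes it from the k8s.io group where it was sorted. Nothing in the change needs the move. I would drop both import hunks and leave `utilvalidation "k8s.io/apimachinery/pkg/util/validation"` after the `sets` import.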
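Review bot: The new name check in the `@@ -238,13 +238,22 @@` hunk runs only after the type checks, which sit above the hunk; if those `continue` on a missing, unknown or duplicate type (not visible here), such an entry never has its name validated or recorded in `seenAuthorizerNames`. An operator would then fix the type and only afterwards learn that the name is missing or collides, and the renamed test "type and name are required if an authorizer is defined" would not be exercising the name check at all. Consider moving the name block to the top of the loop body, directly after `fldPath` is computed, so that every entry in the authorizer chain is checked for a valid, unique name. The loop body starts and ends outside this hunk.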
@@ -255,16 +264,8 @@ func ValidateAuthorizationConfiguration(fldPath *field.Path, c *api.Authorizatio return allErrs } -func ValidateWebhookConfiguration(fldPath *field.Path, c *api.WebhookConfiguration, seenNames sets.String) field.ErrorList { +func ValidateWebhookConfiguration(fldPath *field.Path, c *api.WebhookConfiguration) field.ErrorList { allErrs := field.ErrorList{} - if len(c.Name) == 0 { - allErrs = append(allErrs, field.Required(fldPath.Child("name"), "")) - } else if seenNames.Has(c.Name) { - allErrs = append(allErrs, field.Duplicate(fldPath.Child("name"), c.Name)) - } else if errs := utilvalidation.IsDNS1123Subdomain(c.Name); len(errs) != 0 { - allErrs = append(allErrs, field.Invalid(fldPath.Child("name"), c.Name, fmt.Sprintf("webhook name is invalid: %s", strings.Join(errs, ", ")))) - } - seenNames.Insert(c.Name) if c.Timeout.Duration == 0 { allErrs = append(allErrs, field.Required(fldPath.Child("timeout"), "")) diff --git a/staging/src/k8s.io/apiserver/pkg/apis/apiserver/validation/validation_test.go b/staging/src/k8s.io/apiserver/pkg/apis/apiserver/validation/validation_test.go index 072a34a400b..d2e5f28c9f0 100644 --- a/staging/src/k8s.io/apiserver/pkg/apis/apiserver/validation/validation_test.go +++ b/staging/src/k8s.io/apiserver/pkg/apis/apiserver/validation/validation_test.go @@ -448,7 +448,7 @@ func TestValidateAuthorizationConfiguration(t *testing.T) { repeatableTypes: sets.NewString(), }, { - name: "type is required if an authorizer is defined", + name: "type and name are required if an authorizer is defined", configuration: api.AuthorizationConfiguration{ Authorizers: []api.AuthorizerConfiguration{ {}, 
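Review bot: `ValidateWebhookConfiguration` is exported and loses its `seenNames` parameter in this hunk, so any caller still passing three arguments stops compiling, and one that called it on its own for a webhook entry now gets no name check at all. No doc comment is visible above the function, so I would add one that states the new contract, e.g. `// ValidateWebhookConfiguration validates the webhook-specific fields of an authorizer; the authorizer name is validated by ValidateAuthorizationConfiguration.` The function body continues past the end of the hunk.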
@@ -458,14 +458,88 @@ func TestValidateAuthorizationConfiguration(t *testing.T) { knownTypes: sets.NewString(string("Webhook")), repeatableTypes: sets.NewString(string("Webhook")), }, + { + name: "authorizer names should be of non-zero length", + configuration: api.AuthorizationConfiguration{ + Authorizers: []api.AuthorizerConfiguration{ + { + Type: "Foo", + Name: "", + }, + }, + }, + expectedErrList: field.ErrorList{field.Required(field.NewPath("name"), "")}, + knownTypes: sets.NewString(string("Foo")), + repeatableTypes: sets.NewString(string("Webhook")), + }, + { + name: "authorizer names should be unique", + configuration: api.AuthorizationConfiguration{ + Authorizers: []api.AuthorizerConfiguration{ + { + Type: "Foo", + Name: "foo", + }, + { + Type: "Bar", + Name: "foo", + }, + }, + }, + expectedErrList: field.ErrorList{field.Duplicate(field.NewPath("name"), "foo")}, + knownTypes: sets.NewString(string("Foo"), string("Bar")), + repeatableTypes: sets.NewString(string("Webhook")), + }, + { + name: "authorizer names should be DNS1123 labels", + configuration: api.AuthorizationConfiguration{ + Authorizers: []api.AuthorizerConfiguration{ + { + Type: "Foo", + Name: "myauthorizer", + }, + }, + }, + expectedErrList: field.ErrorList{}, + knownTypes: sets.NewString(string("Foo")), + repeatableTypes: sets.NewString(string("Webhook")), + }, + { + name: "authorizer names should be DNS1123 subdomains", + configuration: api.AuthorizationConfiguration{ + Authorizers: []api.AuthorizerConfiguration{ + { + Type: "Foo", + Name: "foo.example.domain", + }, + }, + }, + expectedErrList: field.ErrorList{}, + knownTypes: sets.NewString(string("Foo")), + repeatableTypes: sets.NewString(string("Webhook")), + }, + { + name: "authorizer names should not be invalid DNS1123 labels or subdomains", + configuration: api.AuthorizationConfiguration{ + Authorizers: []api.AuthorizerConfiguration{ + { + Type: "Foo", + Name: "FOO.example.domain", + }, + }, + }, + expectedErrList: 
field.ErrorList{field.Invalid(field.NewPath("name"), "FOO.example.domain", "")}, + knownTypes: sets.NewString(string("Foo")), + repeatableTypes: sets.NewString(string("Webhook")), + }, { name: "bare minimum configuration with Webhook", configuration: api.AuthorizationConfiguration{ Authorizers: []api.AuthorizerConfiguration{ { Type: "Webhook", + Name: "default", Webhook: &api.WebhookConfiguration{ - Name: "default", Timeout: metav1.Duration{Duration: 5 * time.Second}, AuthorizedTTL: metav1.Duration{Duration: 5 * time.Minute}, UnauthorizedTTL: metav1.Duration{Duration: 30 * time.Second}, @@ -489,8 +563,8 @@ func TestValidateAuthorizationConfiguration(t *testing.T) { Authorizers: []api.AuthorizerConfiguration{ { Type: "Webhook", + Name: "default", Webhook: &api.WebhookConfiguration{ - Name: "default", Timeout: metav1.Duration{Duration: 5 * time.Second}, AuthorizedTTL: metav1.Duration{Duration: 5 * time.Minute}, UnauthorizedTTL: metav1.Duration{Duration: 30 * time.Second}, @@ -504,8 +578,8 @@ func TestValidateAuthorizationConfiguration(t *testing.T) { }, { Type: "Webhook", + Name: "second-webhook", Webhook: &api.WebhookConfiguration{ - Name: "second-webhook", Timeout: metav1.Duration{Duration: 5 * time.Second}, AuthorizedTTL: metav1.Duration{Duration: 5 * time.Minute}, UnauthorizedTTL: metav1.Duration{Duration: 30 * time.Second}, @@ -542,14 +616,16 @@ func TestValidateAuthorizationConfiguration(t *testing.T) { Authorizers: []api.AuthorizerConfiguration{ { Type: "Foo", + Name: "foo-1", }, { Type: "Foo", + Name: "foo-2", }, }, }, expectedErrList: field.ErrorList{field.Duplicate(field.NewPath("type"), "Foo")}, - knownTypes: sets.NewString([]string{string("Foo"), string("Webhook")}...), + knownTypes: sets.NewString(string("Foo")), repeatableTypes: sets.NewString(string("Webhook")), }, { @@ -558,6 +634,7 @@ func TestValidateAuthorizationConfiguration(t *testing.T) { Authorizers: []api.AuthorizerConfiguration{ { Type: "Webhook", + Name: "default", }, }, }, 
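Review bot: The added case "authorizer names should be unique" only covers a name shared by two different types (`Foo` and `Bar`); the case this patch deletes further down, "webhook names should be unique", was the only one with two `Webhook` entries sharing a name. Webhook is the repeatable type in these tests, so that is where a duplicate name is most likely to appear in a real config, and it is now untested. I would keep a case with two `Type: "Webhook"` authorizers that both use `Name: "name-1"` and expect `field.Duplicate(field.NewPath("name"), "name-1")`.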
@@ -571,6 +648,7 @@ func TestValidateAuthorizationConfiguration(t *testing.T) { Authorizers: []api.AuthorizerConfiguration{ { Type: "Foo", + Name: "foo", Webhook: &api.WebhookConfiguration{}, }, }, 
@@ -579,154 +657,14 @@ func TestValidateAuthorizationConfiguration(t *testing.T) { knownTypes: sets.NewString(string("Foo")), repeatableTypes: sets.NewString(string("Webhook")), }, - { - name: "webhook name should be of non-zero length", - configuration: api.AuthorizationConfiguration{ - Authorizers: []api.AuthorizerConfiguration{ - { - Type: "Webhook", - Webhook: &api.WebhookConfiguration{ - Name: "", - Timeout: metav1.Duration{Duration: 5 * time.Second}, - AuthorizedTTL: metav1.Duration{Duration: 5 * time.Minute}, - UnauthorizedTTL: metav1.Duration{Duration: 30 * time.Second}, - FailurePolicy: "NoOpinion", - SubjectAccessReviewVersion: "v1", - MatchConditionSubjectAccessReviewVersion: "v1", - ConnectionInfo: api.WebhookConnectionInfo{ - Type: "InClusterConfig", - }, - }, - }, - }, - }, - expectedErrList: field.ErrorList{field.Required(field.NewPath("name"), "")}, - knownTypes: sets.NewString(string("Webhook")), - repeatableTypes: sets.NewString(string("Webhook")), - }, - { - name: "webhook names should be unique", - configuration: api.AuthorizationConfiguration{ - Authorizers: []api.AuthorizerConfiguration{ - { - Type: "Webhook", - Webhook: &api.WebhookConfiguration{ - Name: "name-1", - Timeout: metav1.Duration{Duration: 5 * time.Second}, - AuthorizedTTL: metav1.Duration{Duration: 5 * time.Minute}, - UnauthorizedTTL: metav1.Duration{Duration: 30 * time.Second}, - FailurePolicy: "NoOpinion", - SubjectAccessReviewVersion: "v1", - MatchConditionSubjectAccessReviewVersion: "v1", - ConnectionInfo: api.WebhookConnectionInfo{ - Type: "InClusterConfig", - }, - }, - }, - { - Type: "Webhook", - Webhook: &api.WebhookConfiguration{ - Name: "name-1", - Timeout: metav1.Duration{Duration: 5 * time.Second}, - AuthorizedTTL: metav1.Duration{Duration: 5 * time.Minute}, - UnauthorizedTTL: metav1.Duration{Duration: 30 * time.Second}, - FailurePolicy: "NoOpinion", - SubjectAccessReviewVersion: "v1", - MatchConditionSubjectAccessReviewVersion: "v1", - ConnectionInfo: 
api.WebhookConnectionInfo{ - Type: "InClusterConfig", - }, - }, - }, - }, - }, - expectedErrList: field.ErrorList{field.Duplicate(field.NewPath("name"), "name-1")}, - knownTypes: sets.NewString(string("Webhook")), - repeatableTypes: sets.NewString(string("Webhook")), - }, - { - name: "webhook names should be DNS1123 labels", - configuration: api.AuthorizationConfiguration{ - Authorizers: []api.AuthorizerConfiguration{ - { - Type: "Webhook", - Webhook: &api.WebhookConfiguration{ - Name: "mywebhookname", - Timeout: metav1.Duration{Duration: 5 * time.Second}, - AuthorizedTTL: metav1.Duration{Duration: 5 * time.Minute}, - UnauthorizedTTL: metav1.Duration{Duration: 30 * time.Second}, - FailurePolicy: "NoOpinion", - SubjectAccessReviewVersion: "v1", - MatchConditionSubjectAccessReviewVersion: "v1", - ConnectionInfo: api.WebhookConnectionInfo{ - Type: "InClusterConfig", - }, - }, - }, - }, - }, - expectedErrList: field.ErrorList{}, - knownTypes: sets.NewString(string("Webhook")), - repeatableTypes: sets.NewString(string("Webhook")), - }, - { - name: "webhook names should be DNS1123 subdomains", - configuration: api.AuthorizationConfiguration{ - Authorizers: []api.AuthorizerConfiguration{ - { - Type: "Webhook", - Webhook: &api.WebhookConfiguration{ - Name: "webhookname.example.domain", - Timeout: metav1.Duration{Duration: 5 * time.Second}, - AuthorizedTTL: metav1.Duration{Duration: 5 * time.Minute}, - UnauthorizedTTL: metav1.Duration{Duration: 30 * time.Second}, - FailurePolicy: "NoOpinion", - SubjectAccessReviewVersion: "v1", - MatchConditionSubjectAccessReviewVersion: "v1", - ConnectionInfo: api.WebhookConnectionInfo{ - Type: "InClusterConfig", - }, - }, - }, - }, - }, - expectedErrList: field.ErrorList{}, - knownTypes: sets.NewString(string("Webhook")), - repeatableTypes: sets.NewString(string("Webhook")), - }, - { - name: "webhook names should not be invalid DNS1123 labels or subdomains", - configuration: api.AuthorizationConfiguration{ - Authorizers: 
[]api.AuthorizerConfiguration{ - { - Type: "Webhook", - Webhook: &api.WebhookConfiguration{ - Name: "WEBHOOKNAME.example.domain", - Timeout: metav1.Duration{Duration: 5 * time.Second}, - AuthorizedTTL: metav1.Duration{Duration: 5 * time.Minute}, - UnauthorizedTTL: metav1.Duration{Duration: 30 * time.Second}, - FailurePolicy: "NoOpinion", - SubjectAccessReviewVersion: "v1", - MatchConditionSubjectAccessReviewVersion: "v1", - ConnectionInfo: api.WebhookConnectionInfo{ - Type: "InClusterConfig", - }, - }, - }, - }, - }, - expectedErrList: field.ErrorList{field.Invalid(field.NewPath("name"), "WEBHOOKNAME.example.domain", "")}, - knownTypes: sets.NewString(string("Webhook")), - repeatableTypes: sets.NewString(string("Webhook")), - }, { name: "timeout should be specified", configuration: api.AuthorizationConfiguration{ Authorizers: []api.AuthorizerConfiguration{ { Type: "Webhook", + Name: "default", Webhook: &api.WebhookConfiguration{ - Name: "default", FailurePolicy: "NoOpinion", AuthorizedTTL: metav1.Duration{Duration: 5 * time.Minute}, UnauthorizedTTL: metav1.Duration{Duration: 30 * time.Second}, @@ -750,8 +688,8 @@ func TestValidateAuthorizationConfiguration(t *testing.T) { Authorizers: []api.AuthorizerConfiguration{ { Type: "Webhook", + Name: "default", Webhook: &api.WebhookConfiguration{ - Name: "default", FailurePolicy: "NoOpinion", Timeout: metav1.Duration{Duration: 0 * time.Second}, AuthorizedTTL: metav1.Duration{Duration: 5 * time.Minute}, @@ -775,8 +713,8 @@ func TestValidateAuthorizationConfiguration(t *testing.T) { Authorizers: []api.AuthorizerConfiguration{ { Type: "Webhook", + Name: "default", Webhook: &api.WebhookConfiguration{ - Name: "default", FailurePolicy: "NoOpinion", Timeout: metav1.Duration{Duration: -30 * time.Second}, AuthorizedTTL: metav1.Duration{Duration: 5 * time.Minute}, 
@@ -800,8 +738,8 @@ func TestValidateAuthorizationConfiguration(t *testing.T) { Authorizers: []api.AuthorizerConfiguration{ { Type: "Webhook", + Name: "default", Webhook: &api.WebhookConfiguration{ - Name: "default", FailurePolicy: "NoOpinion", Timeout: metav1.Duration{Duration: 60 * time.Second}, AuthorizedTTL: metav1.Duration{Duration: 5 * time.Minute}, @@ -825,8 +763,8 @@ func TestValidateAuthorizationConfiguration(t *testing.T) { Authorizers: []api.AuthorizerConfiguration{ { Type: "Webhook", + Name: "default", Webhook: &api.WebhookConfiguration{ - Name: "default", FailurePolicy: "NoOpinion", Timeout: metav1.Duration{Duration: 5 * time.Second}, UnauthorizedTTL: metav1.Duration{Duration: 30 * time.Second}, @@ -849,8 +787,8 @@ func TestValidateAuthorizationConfiguration(t *testing.T) { Authorizers: []api.AuthorizerConfiguration{ { Type: "Webhook", + Name: "default", Webhook: &api.WebhookConfiguration{ - Name: "default", FailurePolicy: "NoOpinion", Timeout: metav1.Duration{Duration: 5 * time.Second}, AuthorizedTTL: metav1.Duration{Duration: -30 * time.Second}, @@ -874,8 +812,8 @@ func TestValidateAuthorizationConfiguration(t *testing.T) { Authorizers: []api.AuthorizerConfiguration{ { Type: "Webhook", + Name: "default", Webhook: &api.WebhookConfiguration{ - Name: "default", FailurePolicy: "NoOpinion", Timeout: metav1.Duration{Duration: 5 * time.Second}, AuthorizedTTL: metav1.Duration{Duration: 5 * time.Minute}, @@ -898,8 +836,8 @@ func TestValidateAuthorizationConfiguration(t *testing.T) { Authorizers: []api.AuthorizerConfiguration{ { Type: "Webhook", + Name: "default", Webhook: &api.WebhookConfiguration{ - Name: "default", FailurePolicy: "NoOpinion", Timeout: metav1.Duration{Duration: 5 * time.Second}, AuthorizedTTL: metav1.Duration{Duration: 5 * time.Minute}, 
@@ -923,8 +861,8 @@ func TestValidateAuthorizationConfiguration(t *testing.T) { Authorizers: []api.AuthorizerConfiguration{ { Type: "Webhook", + Name: "default", Webhook: &api.WebhookConfiguration{ - Name: "default", Timeout: metav1.Duration{Duration: 5 * time.Second}, AuthorizedTTL: metav1.Duration{Duration: 5 * time.Minute}, UnauthorizedTTL: metav1.Duration{Duration: 30 * time.Second}, @@ -947,8 +885,8 @@ func TestValidateAuthorizationConfiguration(t *testing.T) { Authorizers: []api.AuthorizerConfiguration{ { Type: "Webhook", + Name: "default", Webhook: &api.WebhookConfiguration{ - Name: "default", Timeout: metav1.Duration{Duration: 5 * time.Second}, AuthorizedTTL: metav1.Duration{Duration: 5 * time.Minute}, UnauthorizedTTL: metav1.Duration{Duration: 30 * time.Second}, @@ -972,8 +910,8 @@ func TestValidateAuthorizationConfiguration(t *testing.T) { Authorizers: []api.AuthorizerConfiguration{ { Type: "Webhook", + Name: "default", Webhook: &api.WebhookConfiguration{ - Name: "default", Timeout: metav1.Duration{Duration: 5 * time.Second}, AuthorizedTTL: metav1.Duration{Duration: 5 * time.Minute}, UnauthorizedTTL: metav1.Duration{Duration: 30 * time.Second}, @@ -996,8 +934,8 @@ func TestValidateAuthorizationConfiguration(t *testing.T) { Authorizers: []api.AuthorizerConfiguration{ { Type: "Webhook", + Name: "default", Webhook: &api.WebhookConfiguration{ - Name: "default", Timeout: metav1.Duration{Duration: 5 * time.Second}, AuthorizedTTL: metav1.Duration{Duration: 5 * time.Minute}, UnauthorizedTTL: metav1.Duration{Duration: 30 * time.Second}, @@ -1021,8 +959,8 @@ func TestValidateAuthorizationConfiguration(t *testing.T) { Authorizers: []api.AuthorizerConfiguration{ { Type: "Webhook", + Name: "default", Webhook: &api.WebhookConfiguration{ - Name: "default", Timeout: metav1.Duration{Duration: 5 * time.Second}, AuthorizedTTL: metav1.Duration{Duration: 5 * time.Minute}, UnauthorizedTTL: metav1.Duration{Duration: 30 * time.Second}, 
@@ -1045,8 +983,8 @@ func TestValidateAuthorizationConfiguration(t *testing.T) { Authorizers: []api.AuthorizerConfiguration{ { Type: "Webhook", + Name: "default", Webhook: &api.WebhookConfiguration{ - Name: "default", Timeout: metav1.Duration{Duration: 5 * time.Second}, AuthorizedTTL: metav1.Duration{Duration: 5 * time.Minute}, UnauthorizedTTL: metav1.Duration{Duration: 30 * time.Second}, @@ -1070,8 +1008,8 @@ func TestValidateAuthorizationConfiguration(t *testing.T) { Authorizers: []api.AuthorizerConfiguration{ { Type: "Webhook", + Name: "default", Webhook: &api.WebhookConfiguration{ - Name: "default", Timeout: metav1.Duration{Duration: 5 * time.Second}, AuthorizedTTL: metav1.Duration{Duration: 5 * time.Minute}, UnauthorizedTTL: metav1.Duration{Duration: 30 * time.Second}, @@ -1092,8 +1030,8 @@ func TestValidateAuthorizationConfiguration(t *testing.T) { Authorizers: []api.AuthorizerConfiguration{ { Type: "Webhook", + Name: "default", Webhook: &api.WebhookConfiguration{ - Name: "default", Timeout: metav1.Duration{Duration: 5 * time.Second}, AuthorizedTTL: metav1.Duration{Duration: 5 * time.Minute}, UnauthorizedTTL: metav1.Duration{Duration: 30 * time.Second}, @@ -1119,8 +1057,8 @@ func TestValidateAuthorizationConfiguration(t *testing.T) { Authorizers: []api.AuthorizerConfiguration{ { Type: "Webhook", + Name: "default", Webhook: &api.WebhookConfiguration{ - Name: "default", Timeout: metav1.Duration{Duration: 5 * time.Second}, AuthorizedTTL: metav1.Duration{Duration: 5 * time.Minute}, UnauthorizedTTL: metav1.Duration{Duration: 30 * time.Second}, @@ -1147,8 +1085,8 @@ func TestValidateAuthorizationConfiguration(t *testing.T) { Authorizers: []api.AuthorizerConfiguration{ { Type: "Webhook", + Name: "default", Webhook: &api.WebhookConfiguration{ - Name: "default", Timeout: metav1.Duration{Duration: 5 * time.Second}, AuthorizedTTL: metav1.Duration{Duration: 5 * time.Minute}, UnauthorizedTTL: metav1.Duration{Duration: 30 * time.Second}, 
@@ -1172,8 +1110,8 @@ func TestValidateAuthorizationConfiguration(t *testing.T) { Authorizers: []api.AuthorizerConfiguration{ { Type: "Webhook", + Name: "default", Webhook: &api.WebhookConfiguration{ - Name: "default", Timeout: metav1.Duration{Duration: 5 * time.Second}, AuthorizedTTL: metav1.Duration{Duration: 5 * time.Minute}, UnauthorizedTTL: metav1.Duration{Duration: 30 * time.Second}, @@ -1198,8 +1136,8 @@ func TestValidateAuthorizationConfiguration(t *testing.T) { Authorizers: []api.AuthorizerConfiguration{ { Type: "Webhook", + Name: "default", Webhook: &api.WebhookConfiguration{ - Name: "default", Timeout: metav1.Duration{Duration: 5 * time.Second}, AuthorizedTTL: metav1.Duration{Duration: 5 * time.Minute}, UnauthorizedTTL: metav1.Duration{Duration: 30 * time.Second},