add test for authorizer type checking.

2025-08-07 19:23:40 +00:00 · 2023-06-08 15:51:05 -07:00 · 2023-06-08 15:51:05 -07:00 · 7ccc231783
commit 7ccc231783
parent 04fa4184ed
1 changed files with 66 additions and 0 deletions
--- a/staging/src/k8s.io/apiserver/pkg/admission/plugin/validatingadmissionpolicy/typechecking_test.go
+++ b/staging/src/k8s.io/apiserver/pkg/admission/plugin/validatingadmissionpolicy/typechecking_test.go
@ -233,6 +233,42 @@ func TestTypeCheck(t *testing.T) {
 			},
 		}},
 	}}
+	authorizerPolicy := &v1alpha1.ValidatingAdmissionPolicy{Spec: v1alpha1.ValidatingAdmissionPolicySpec{
+		Validations: []v1alpha1.Validation{
+			{
+				Expression: "authorizer.group('').resource('endpoints').check('create').allowed()",
+			},
+		},
+		MatchConstraints: &v1alpha1.MatchResources{ResourceRules: []v1alpha1.NamedRuleWithOperations{
+			{
+				RuleWithOperations: v1alpha1.RuleWithOperations{
+					Rule: v1alpha1.Rule{
+						APIGroups:   []string{"apps"},
+						APIVersions: []string{"v1"},
+						Resources:   []string{"deployments"},
+					},
+				},
+			},
+		}},
+	}}
+	authorizerInvalidPolicy := &v1alpha1.ValidatingAdmissionPolicy{Spec: v1alpha1.ValidatingAdmissionPolicySpec{
+		Validations: []v1alpha1.Validation{
+			{
+				Expression: "authorizer.allowed()",
+			},
+		},
+		MatchConstraints: &v1alpha1.MatchResources{ResourceRules: []v1alpha1.NamedRuleWithOperations{
+			{
+				RuleWithOperations: v1alpha1.RuleWithOperations{
+					Rule: v1alpha1.Rule{
+						APIGroups:   []string{"apps"},
+						APIVersions: []string{"v1"},
+						Resources:   []string{"deployments"},
+					},
+				},
+			},
+		}},
+	}}
 	for _, tc := range []struct {
 		name           string
 		schemaToReturn *spec.Schema
@ -327,6 +363,36 @@ func TestTypeCheck(t *testing.T) {
 				toHaveLengthOf(1),
 			},
 		},
+		{
+			name:   "authorizer",
+			policy: authorizerPolicy,
+			schemaToReturn: &spec.Schema{
+				SchemaProps: spec.SchemaProps{
+					Type: []string{"object"},
+					Properties: map[string]spec.Schema{
+						"foo": *spec.StringProperty(),
+					},
+				},
+			},
+			assertions: []assertionFunc{toBeEmpty},
+		},
+		{
+			name:   "authorizer invalid",
+			policy: authorizerInvalidPolicy,
+			schemaToReturn: &spec.Schema{
+				SchemaProps: spec.SchemaProps{
+					Type: []string{"object"},
+					Properties: map[string]spec.Schema{
+						"foo": *spec.StringProperty(),
+					},
+				},
+			},
+			assertions: []assertionFunc{
+				toHaveFieldRef("spec.validations[0].expression"),
+				toHaveLengthOf(1),
+				toContain("found no matching overload for 'allowed' applied to 'kubernetes.authorization.Authorizer"),
+			},
+		},
 	} {
 		t.Run(tc.name, func(t *testing.T) {
 			typeChecker := buildTypeChecker(tc.schemaToReturn)