github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-08-03 17:30:00 +00:00
Code Issues Projects Releases Wiki Activity

init a common apiserver for TestCRDParams testcases

Browse Source
This commit is contained in:
Richa Banker 2024-07-23 21:57:28 -07:00
parent de2730a9a6
commit 99eaa71f0e
1 changed files with 51 additions and 59 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

128
test/integration/apiserver/cel/validatingadmissionpolicy_test.go
View File

@ -2341,70 +2341,7 @@ func generateValidationsWithAuthzCheck(num int, exp string) []admissionregistrat
// TestCRDParams tests that a CustomResource can be used as a param resource for a ValidatingAdmissionPolicy. // TestCRDParams tests that a CustomResource can be used as a param resource for a ValidatingAdmissionPolicy.
func TestCRDParams(t *testing.T) { func TestCRDParams(t *testing.T) {
testcases := []struct { generic.PolicyRefreshInterval = 10 * time.Millisecond
name string
resource *unstructured.Unstructured
policy *admissionregistrationv1.ValidatingAdmissionPolicy
policyBinding *admissionregistrationv1.ValidatingAdmissionPolicyBinding
namespace *v1.Namespace
err string
failureReason metav1.StatusReason
}{
{
name: "a rule that uses data from a CRD param resource does NOT pass",
resource: &unstructured.Unstructured{Object: map[string]interface{}{
"apiVersion": "awesome.bears.com/v1",
"kind": "Panda",
"metadata": map[string]interface{}{
"name": "config-obj",
},
"spec": map[string]interface{}{
"nameCheck": "crd-test-k8s",
},
}},
policy: withValidations([]admissionregistrationv1.Validation{
{
Expression: "params.spec.nameCheck == object.metadata.name",
},
}, withNamespaceMatch(withParams(withCRDParamKind("Panda", "awesome.bears.com", "v1"), withFailurePolicy(admissionregistrationv1.Fail, makePolicy("test-policy"))))),
policyBinding: makeBinding("crd-policy-binding", "test-policy", "config-obj"),
namespace: &v1.Namespace{
ObjectMeta: metav1.ObjectMeta{
Name: "incorrect-name",
},
},
err: `namespaces "incorrect-name" is forbidden: ValidatingAdmissionPolicy 'test-policy' with binding 'crd-policy-binding' denied request: failed expression: params.spec.nameCheck == object.metadata.name`,
failureReason: metav1.StatusReasonInvalid,
},
{
name: "a rule that uses data from a CRD param resource that does pass",
resource: &unstructured.Unstructured{Object: map[string]interface{}{
"apiVersion": "awesome.bears.com/v1",
"kind": "Panda",
"metadata": map[string]interface{}{
"name": "config-obj",
},
"spec": map[string]interface{}{
"nameCheck": "crd-test-k8s",
},
}},
policy: withValidations([]admissionregistrationv1.Validation{
{
Expression: "params.spec.nameCheck == object.metadata.name",
},
}, withNamespaceMatch(withParams(withCRDParamKind("Panda", "awesome.bears.com", "v1"), withFailurePolicy(admissionregistrationv1.Fail, makePolicy("test-policy"))))),
policyBinding: makeBinding("crd-policy-binding", "test-policy", "config-obj"),
namespace: &v1.Namespace{
ObjectMeta: metav1.ObjectMeta{
Name: "crd-test-k8s",
},
},
err: ``,
},
}
for _, testcase := range testcases {
t.Run(testcase.name, func(t *testing.T) {
featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, genericfeatures.ValidatingAdmissionPolicy, true) featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, genericfeatures.ValidatingAdmissionPolicy, true)
server, err := apiservertesting.StartTestServer(t, nil, []string{ server, err := apiservertesting.StartTestServer(t, nil, []string{
"--enable-admission-plugins", "ValidatingAdmissionPolicy", "--enable-admission-plugins", "ValidatingAdmissionPolicy",
@ -2415,7 +2352,6 @@ func TestCRDParams(t *testing.T) {
defer server.TearDownFn() defer server.TearDownFn()
config := server.ClientConfig config := server.ClientConfig
client, err := clientset.NewForConfig(config) client, err := clientset.NewForConfig(config)
if err != nil { if err != nil {
t.Fatal(err) t.Fatal(err)
@ -2433,18 +2369,70 @@ func TestCRDParams(t *testing.T) {
Resource: crd.Spec.Names.Plural, Resource: crd.Spec.Names.Plural,
} }
crClient := dynamicClient.Resource(gvr) crClient := dynamicClient.Resource(gvr)
_, err = crClient.Create(context.TODO(), testcase.resource, metav1.CreateOptions{})
resource := &unstructured.Unstructured{Object: map[string]interface{}{
"apiVersion": "awesome.bears.com/v1",
"kind": "Panda",
"metadata": map[string]interface{}{
"name": "config-obj",
},
"spec": map[string]interface{}{
"nameCheck": "crd-test-k8s",
},
}}
_, err = crClient.Create(context.TODO(), resource, metav1.CreateOptions{})
if err != nil { if err != nil {
t.Fatalf("error creating %s: %s", gvr, err) t.Fatalf("error creating %s: %s", gvr, err)
} }
testcases := []struct {
name string
policy *admissionregistrationv1.ValidatingAdmissionPolicy
namespace *v1.Namespace
err string
failureReason metav1.StatusReason
}{
{
name: "a rule that uses data from a CRD param resource does NOT pass",
policy: withValidations([]admissionregistrationv1.Validation{
{
Expression: "params.spec.nameCheck == object.metadata.name",
},
}, withNamespaceMatch(withParams(withCRDParamKind("Panda", "awesome.bears.com", "v1"), withFailurePolicy(admissionregistrationv1.Fail, makePolicy("test-policy"))))),
namespace: &v1.Namespace{
ObjectMeta: metav1.ObjectMeta{
Name: "incorrect-name",
},
},
err: `namespaces "incorrect-name" is forbidden: ValidatingAdmissionPolicy 'test-policy' with binding 'crd-policy-binding' denied request: failed expression: params.spec.nameCheck == object.metadata.name`,
failureReason: metav1.StatusReasonInvalid,
},
{
name: "a rule that uses data from a CRD param resource that does pass",
policy: withValidations([]admissionregistrationv1.Validation{
{
Expression: "params.spec.nameCheck == object.metadata.name",
},
}, withNamespaceMatch(withParams(withCRDParamKind("Panda", "awesome.bears.com", "v1"), withFailurePolicy(admissionregistrationv1.Fail, makePolicy("test-policy"))))),
namespace: &v1.Namespace{
ObjectMeta: metav1.ObjectMeta{
Name: "crd-test-k8s",
},
},
err: ``,
},
}
for _, testcase := range testcases {
t.Run(testcase.name, func(t *testing.T) {
policy := withWaitReadyConstraintAndExpression(testcase.policy) policy := withWaitReadyConstraintAndExpression(testcase.policy)
if _, err := client.AdmissionregistrationV1().ValidatingAdmissionPolicies().Create(context.TODO(), policy, metav1.CreateOptions{}); err != nil { if _, err := client.AdmissionregistrationV1().ValidatingAdmissionPolicies().Create(context.TODO(), policy, metav1.CreateOptions{}); err != nil {
t.Fatal(err) t.Fatal(err)
} }
// remove default namespace since the CRD is cluster-scoped // remove default namespace since the CRD is cluster-scoped
testcase.policyBinding.Spec.ParamRef.Namespace = "" policyBinding := makeBinding("crd-policy-binding", "test-policy", "config-obj")
if err := createAndWaitReady(t, client, testcase.policyBinding, nil); err != nil { policyBinding.Spec.ParamRef.Namespace = ""
if err := createAndWaitReady(t, client, policyBinding, nil); err != nil {
t.Fatal(err) t.Fatal(err)
} }
@ -2452,6 +2440,10 @@ func TestCRDParams(t *testing.T) {
checkExpectedError(t, err, testcase.err) checkExpectedError(t, err, testcase.err)
checkFailureReason(t, err, testcase.failureReason) checkFailureReason(t, err, testcase.failureReason)
if err := cleanupPolicy(t, client, policy, policyBinding); err != nil {
t.Fatalf("error while cleaning up policy and its bindings: %v", err)
}
}) })
} }
} }