diff --git a/staging/src/k8s.io/apiserver/pkg/admission/plugin/policy/generic/accessor.go b/staging/src/k8s.io/apiserver/pkg/admission/plugin/policy/generic/accessor.go new file mode 100644 index 00000000000..11fd8c24f2d --- /dev/null +++ b/staging/src/k8s.io/apiserver/pkg/admission/plugin/policy/generic/accessor.go @@ -0,0 +1,38 @@ +/* +Copyright 2024 The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package generic + +import ( + "k8s.io/apimachinery/pkg/runtime/schema" + "k8s.io/apimachinery/pkg/types" +) + +type PolicyAccessor interface { + GetName() string + GetNamespace() string + GetParamKind() *schema.GroupVersionKind +} + +type BindingAccessor interface { + GetName() string + GetNamespace() string + + // GetPolicyName returns the name of the (Validating/Mutating)AdmissionPolicy, + // which is cluster-scoped, so namespace is usually left blank. + // But we leave the door open to add a namespaced vesion in the future + GetPolicyName() types.NamespacedName +} diff --git a/staging/src/k8s.io/apiserver/pkg/admission/plugin/policy/generic/interfaces.go b/staging/src/k8s.io/apiserver/pkg/admission/plugin/policy/generic/interfaces.go new file mode 100644 index 00000000000..d4dbfb0aa52 --- /dev/null +++ b/staging/src/k8s.io/apiserver/pkg/admission/plugin/policy/generic/interfaces.go @@ -0,0 +1,64 @@ +/* +Copyright 2024 The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package generic + +import ( + "context" + + "k8s.io/apiserver/pkg/admission" +) + +// Hook represents a dynamic admission hook. The hook may be a webhook or a +// policy. For webhook, the Hook may describe how to contact the endpoint, expected +// cert, etc. For policies, the hook may describe a compiled policy-binding pair. +type Hook interface { + // All hooks are expected to contain zero or more match conditions, object + // selectors, namespace selectors to help the dispatcher decide when to apply + // the hook. + // + // Methods of matching logic is applied are specific to the hook and left up + // to the implementation. +} + +// Source can list dynamic admission plugins. +type Source[H Hook] interface { + // Hooks returns the list of currently known admission hooks. + Hooks() []H + + // Run the source. This method should be called only once at startup. + Run(ctx context.Context) error + + // HasSynced returns true if the source has completed its initial sync. + HasSynced() bool +} + +// Dispatcher dispatches evaluates an admission request against the currently +// active hooks returned by the source. +type Dispatcher[H Hook] interface { + // Dispatch a request to the policies. Dispatcher may choose not to + // call a hook, either because the rules of the hook does not match, or + // the namespaceSelector or the objectSelector of the hook does not + // match. A non-nil error means the request is rejected. + Dispatch(ctx context.Context, a admission.Attributes, o admission.ObjectInterfaces, hooks []H) error +} + +// An evaluator represents a compiled CEL expression that can be evaluated a +// given a set of inputs used by the generic PolicyHook for Mutating and +// ValidatingAdmissionPolicy. +// Mutating and Validating may have different forms of evaluators +type Evaluator interface { +} diff --git a/staging/src/k8s.io/apiserver/pkg/admission/plugin/policy/generic/plugin.go b/staging/src/k8s.io/apiserver/pkg/admission/plugin/policy/generic/plugin.go new file mode 100644 index 00000000000..e6db5df2ec0 --- /dev/null +++ b/staging/src/k8s.io/apiserver/pkg/admission/plugin/policy/generic/plugin.go @@ -0,0 +1,206 @@ +/* +Copyright 2024 The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package generic + +import ( + "context" + "errors" + "fmt" + + "k8s.io/apimachinery/pkg/api/meta" + "k8s.io/apimachinery/pkg/runtime/schema" + utilruntime "k8s.io/apimachinery/pkg/util/runtime" + "k8s.io/apiserver/pkg/admission" + "k8s.io/apiserver/pkg/admission/initializer" + "k8s.io/apiserver/pkg/admission/plugin/policy/matching" + "k8s.io/apiserver/pkg/authorization/authorizer" + "k8s.io/client-go/dynamic" + "k8s.io/client-go/informers" + "k8s.io/client-go/kubernetes" +) + +// H is the Hook type generated by the source and consumed by the dispatcher. +type sourceFactory[H any] func(informers.SharedInformerFactory, kubernetes.Interface, dynamic.Interface, meta.RESTMapper) Source[H] +type dispatcherFactory[H any] func(authorizer.Authorizer, *matching.Matcher) Dispatcher[H] + +type Invocation struct { + Resource schema.GroupVersionResource + Subresource string + Kind schema.GroupVersionKind +} + +// AdmissionPolicyManager is an abstract admission plugin with all the +// infrastructure to define Admit or Validate on-top. +type Plugin[H any] struct { + *admission.Handler + + sourceFactory sourceFactory[H] + dispatcherFactory dispatcherFactory[H] + + source Source[H] + dispatcher Dispatcher[H] + matcher *matching.Matcher + + informerFactory informers.SharedInformerFactory + client kubernetes.Interface + restMapper meta.RESTMapper + dynamicClient dynamic.Interface + stopCh <-chan struct{} + authorizer authorizer.Authorizer + enabled bool +} + +var ( + _ initializer.WantsExternalKubeInformerFactory = &Plugin[any]{} + _ initializer.WantsExternalKubeClientSet = &Plugin[any]{} + _ initializer.WantsRESTMapper = &Plugin[any]{} + _ initializer.WantsDynamicClient = &Plugin[any]{} + _ initializer.WantsDrainedNotification = &Plugin[any]{} + _ initializer.WantsAuthorizer = &Plugin[any]{} + _ admission.InitializationValidator = &Plugin[any]{} +) + +func NewPlugin[H any]( + handler *admission.Handler, + sourceFactory sourceFactory[H], + dispatcherFactory dispatcherFactory[H], +) *Plugin[H] { + return &Plugin[H]{ + Handler: handler, + sourceFactory: sourceFactory, + dispatcherFactory: dispatcherFactory, + } +} + +func (c *Plugin[H]) SetExternalKubeInformerFactory(f informers.SharedInformerFactory) { + c.informerFactory = f +} + +func (c *Plugin[H]) SetExternalKubeClientSet(client kubernetes.Interface) { + c.client = client +} + +func (c *Plugin[H]) SetRESTMapper(mapper meta.RESTMapper) { + c.restMapper = mapper +} + +func (c *Plugin[H]) SetDynamicClient(client dynamic.Interface) { + c.dynamicClient = client +} + +func (c *Plugin[H]) SetDrainedNotification(stopCh <-chan struct{}) { + c.stopCh = stopCh +} + +func (c *Plugin[H]) SetAuthorizer(authorizer authorizer.Authorizer) { + c.authorizer = authorizer +} + +func (c *Plugin[H]) SetMatcher(matcher *matching.Matcher) { + c.matcher = matcher +} + +func (c *Plugin[H]) SetEnabled(enabled bool) { + c.enabled = enabled +} + +// ValidateInitialization - once clientset and informer factory are provided, creates and starts the admission controller +func (c *Plugin[H]) ValidateInitialization() error { + // By default enabled is set to false. It is up to types which embed this + // struct to set it to true (if feature gate is enabled, or other conditions) + if !c.enabled { + return nil + } + if c.Handler == nil { + return errors.New("missing handler") + } + if c.informerFactory == nil { + return errors.New("missing informer factory") + } + if c.client == nil { + return errors.New("missing kubernetes client") + } + if c.restMapper == nil { + return errors.New("missing rest mapper") + } + if c.dynamicClient == nil { + return errors.New("missing dynamic client") + } + if c.stopCh == nil { + return errors.New("missing stop channel") + } + if c.authorizer == nil { + return errors.New("missing authorizer") + } + + // Use default matcher + namespaceInformer := c.informerFactory.Core().V1().Namespaces() + c.matcher = matching.NewMatcher(namespaceInformer.Lister(), c.client) + + if err := c.matcher.ValidateInitialization(); err != nil { + return err + } + + c.source = c.sourceFactory(c.informerFactory, c.client, c.dynamicClient, c.restMapper) + c.dispatcher = c.dispatcherFactory(c.authorizer, c.matcher) + + pluginContext, pluginContextCancel := context.WithCancel(context.Background()) + go func() { + defer pluginContextCancel() + <-c.stopCh + }() + + go func() { + err := c.source.Run(pluginContext) + if err != nil && !errors.Is(err, context.Canceled) { + utilruntime.HandleError(fmt.Errorf("policy source context unexpectedly closed: %v", err)) + } + }() + + c.SetReadyFunc(func() bool { + return namespaceInformer.Informer().HasSynced() && c.source.HasSynced() + }) + return nil +} + +func (c *Plugin[H]) Dispatch( + ctx context.Context, + a admission.Attributes, + o admission.ObjectInterfaces, +) (err error) { + if !c.enabled { + return nil + } else if isPolicyResource(a) { + return nil + } else if !c.WaitForReady() { + return admission.NewForbidden(a, fmt.Errorf("not yet ready to handle request")) + } + + return c.dispatcher.Dispatch(ctx, a, o, c.source.Hooks()) +} + +func isPolicyResource(attr admission.Attributes) bool { + gvk := attr.GetResource() + if gvk.Group == "admissionregistration.k8s.io" { + if gvk.Resource == "validatingadmissionpolicies" || gvk.Resource == "validatingadmissionpolicybindings" { + return true + } else if gvk.Resource == "mutatingadmissionpolicies" || gvk.Resource == "mutatingadmissionpolicybindings" { + return true + } + } + return false +} diff --git a/staging/src/k8s.io/apiserver/pkg/admission/plugin/policy/generic/policy_source.go b/staging/src/k8s.io/apiserver/pkg/admission/plugin/policy/generic/policy_source.go new file mode 100644 index 00000000000..4f52e406404 --- /dev/null +++ b/staging/src/k8s.io/apiserver/pkg/admission/plugin/policy/generic/policy_source.go @@ -0,0 +1,461 @@ +/* +Copyright 2024 The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package generic + +import ( + "context" + goerrors "errors" + "fmt" + "sync" + "sync/atomic" + "time" + + corev1 "k8s.io/api/core/v1" + "k8s.io/apimachinery/pkg/api/errors" + "k8s.io/apimachinery/pkg/api/meta" + "k8s.io/apimachinery/pkg/labels" + "k8s.io/apimachinery/pkg/runtime" + "k8s.io/apimachinery/pkg/runtime/schema" + "k8s.io/apimachinery/pkg/types" + utilruntime "k8s.io/apimachinery/pkg/util/runtime" + "k8s.io/apimachinery/pkg/util/wait" + "k8s.io/apiserver/pkg/admission/plugin/policy/internal/generic" + "k8s.io/client-go/dynamic" + "k8s.io/client-go/dynamic/dynamicinformer" + "k8s.io/client-go/informers" + "k8s.io/client-go/tools/cache" + "k8s.io/klog/v2" +) + +type policySource[P runtime.Object, B runtime.Object, E Evaluator] struct { + ctx context.Context + policyInformer generic.Informer[P] + bindingInformer generic.Informer[B] + restMapper meta.RESTMapper + newPolicyAccessor func(P) PolicyAccessor + newBindingAccessor func(B) BindingAccessor + + informerFactory informers.SharedInformerFactory + dynamicClient dynamic.Interface + + compiler func(P) E + + // Currently compiled list of valid/active policy-binding pairs + policies atomic.Pointer[[]PolicyHook[P, B, E]] + // Whether the cache of policies is dirty and needs to be recompiled + policiesDirty atomic.Bool + + lock sync.Mutex + compiledPolicies map[types.NamespacedName]compiledPolicyEntry[E] + + // Temporary until we use the dynamic informer factory + paramsCRDControllers map[schema.GroupVersionKind]*paramInfo +} + +type paramInfo struct { + mapping meta.RESTMapping + + // When the param is changed, or the informer is done being used, the cancel + // func should be called to stop/cleanup the original informer + cancelFunc func() + + // The lister for this param + informer informers.GenericInformer +} + +type compiledPolicyEntry[E Evaluator] struct { + policyVersion string + evaluator E +} + +type PolicyHook[P runtime.Object, B runtime.Object, E Evaluator] struct { + Policy P + Bindings []B + ParamInformer informers.GenericInformer + ParamScope meta.RESTScope + + Evaluator E + ConfigurationError error +} + +var _ Source[PolicyHook[runtime.Object, runtime.Object, Evaluator]] = &policySource[runtime.Object, runtime.Object, Evaluator]{} + +func NewPolicySource[P runtime.Object, B runtime.Object, E Evaluator]( + policyInformer cache.SharedIndexInformer, + bindingInformer cache.SharedIndexInformer, + newPolicyAccessor func(P) PolicyAccessor, + newBindingAccessor func(B) BindingAccessor, + compiler func(P) E, + paramInformerFactory informers.SharedInformerFactory, + dynamicClient dynamic.Interface, + restMapper meta.RESTMapper, +) Source[PolicyHook[P, B, E]] { + res := &policySource[P, B, E]{ + compiler: compiler, + policyInformer: generic.NewInformer[P](policyInformer), + bindingInformer: generic.NewInformer[B](bindingInformer), + compiledPolicies: map[types.NamespacedName]compiledPolicyEntry[E]{}, + newPolicyAccessor: newPolicyAccessor, + newBindingAccessor: newBindingAccessor, + paramsCRDControllers: map[schema.GroupVersionKind]*paramInfo{}, + informerFactory: paramInformerFactory, + dynamicClient: dynamicClient, + restMapper: restMapper, + } + return res +} + +func (s *policySource[P, B, E]) Run(ctx context.Context) error { + if s.ctx != nil { + return fmt.Errorf("policy source already running") + } + + // Wait for initial cache sync of policies and informers before reconciling + // any + if !cache.WaitForNamedCacheSync(fmt.Sprintf("%T", s), ctx.Done(), s.UpstreamHasSynced) { + err := ctx.Err() + if err == nil { + err = fmt.Errorf("initial cache sync for %T failed", s) + } + return err + } + + s.ctx = ctx + + // Perform initial policy compilation after initial list has finished + s.notify() + s.refreshPolicies() + + notifyFuncs := cache.ResourceEventHandlerFuncs{ + AddFunc: func(_ interface{}) { + s.notify() + }, + UpdateFunc: func(_, _ interface{}) { + s.notify() + }, + DeleteFunc: func(_ interface{}) { + s.notify() + }, + } + handle, err := s.policyInformer.AddEventHandler(notifyFuncs) + if err != nil { + return err + } + defer func() { + if err := s.policyInformer.RemoveEventHandler(handle); err != nil { + utilruntime.HandleError(fmt.Errorf("failed to remove policy event handler: %v", err)) + } + }() + + bindingHandle, err := s.bindingInformer.AddEventHandler(notifyFuncs) + if err != nil { + return err + } + defer func() { + if err := s.bindingInformer.RemoveEventHandler(bindingHandle); err != nil { + utilruntime.HandleError(fmt.Errorf("failed to remove binding event handler: %v", err)) + } + }() + + // Start a worker that checks every second to see if policy data is dirty + // and needs to be recompiled + go func() { + // Loop every 1 second until context is cancelled, refreshing policies + wait.Until(s.refreshPolicies, 1*time.Second, ctx.Done()) + }() + + <-ctx.Done() + return nil +} + +func (s *policySource[P, B, E]) UpstreamHasSynced() bool { + return s.policyInformer.HasSynced() && s.bindingInformer.HasSynced() +} + +// HasSynced implements Source. +func (s *policySource[P, B, E]) HasSynced() bool { + // As an invariant we never store `nil` into the atomic list of processed + // policy hooks. If it is nil, then we haven't compiled all the policies + // and stored them yet. + return s.Hooks() != nil +} + +// Hooks implements Source. +func (s *policySource[P, B, E]) Hooks() []PolicyHook[P, B, E] { + res := s.policies.Load() + + // Error case should not happen since evaluation function never + // returns error + if res == nil { + // Not yet synced + return nil + } + + return *res +} + +func (s *policySource[P, B, E]) refreshPolicies() { + if !s.UpstreamHasSynced() { + return + } else if !s.policiesDirty.Swap(false) { + return + } + + // It is ok the cache gets marked dirty again between us clearing the + // flag and us calculating the policies. The dirty flag would be marked again, + // and we'd have a no-op after comparing resource versions on the next sync. + klog.Infof("refreshing policies") + policies, err := s.calculatePolicyData() + + // Intentionally store policy list regardless of error. There may be + // an error returned if there was a configuration error in one of the policies, + // but we would still want those policies evaluated + // (for instance to return error on failaction). Or if there was an error + // listing all policies at all, we would want to wipe the list. + s.policies.Store(&policies) + + if err != nil { + // An error was generated while syncing policies. Mark it as dirty again + // so we can retry later + utilruntime.HandleError(fmt.Errorf("encountered error syncing policies: %v. Rescheduling policy sync", err)) + s.notify() + } +} + +func (s *policySource[P, B, E]) notify() { + s.policiesDirty.Store(true) +} + +// calculatePolicyData calculates the list of policies and bindings for each +// policy. If there is an error in generation, it will return the error and +// the partial list of policies that were able to be generated. Policies that +// have an error will have a non-nil ConfigurationError field, but still be +// included in the result. +// +// This function caches the result of the intermediate compilations +func (s *policySource[P, B, E]) calculatePolicyData() ([]PolicyHook[P, B, E], error) { + if !s.UpstreamHasSynced() { + return nil, fmt.Errorf("cannot calculate policy data until upstream has synced") + } + + // Fat-fingered lock that can be made more fine-tuned if required + s.lock.Lock() + defer s.lock.Unlock() + + // Create a local copy of all policies and bindings + policiesToBindings := map[types.NamespacedName][]B{} + bindingList, err := s.bindingInformer.List(labels.Everything()) + if err != nil { + // This should never happen unless types are misconfigured + // (can't use meta.accessor on them) + return nil, err + } + + // Gather a list of all active policy bindings + for _, bindingSpec := range bindingList { + bindingAccessor := s.newBindingAccessor(bindingSpec) + policyKey := bindingAccessor.GetPolicyName() + + // Add this binding to the list of bindings for this policy + policiesToBindings[policyKey] = append(policiesToBindings[policyKey], bindingSpec) + } + + result := make([]PolicyHook[P, B, E], 0, len(bindingList)) + usedParams := map[schema.GroupVersionKind]struct{}{} + var errs []error + for policyKey, bindingSpecs := range policiesToBindings { + var inf generic.NamespacedLister[P] = s.policyInformer + if len(policyKey.Namespace) > 0 { + inf = s.policyInformer.Namespaced(policyKey.Namespace) + } + policySpec, err := inf.Get(policyKey.Name) + if errors.IsNotFound(err) { + // Policy for bindings doesn't exist. This can happen if the policy + // was deleted before the binding, or the binding was created first. + // + // Just skip bindings that refer to non-existent policies + // If the policy is recreated, the cache will be marked dirty and + // this function will run again. + continue + } else if err != nil { + // This should never happen since fetching from a cache should never + // fail and this function checks that the cache was synced before + // even getting to this point. + errs = append(errs, err) + continue + } + + policyAccessor := s.newPolicyAccessor(policySpec) + paramInformer, paramScope, configurationError := s.ensureParamsForPolicyLocked(policyAccessor.GetParamKind()) + result = append(result, PolicyHook[P, B, E]{ + Policy: policySpec, + Bindings: bindingSpecs, + Evaluator: s.compilePolicyLocked(policySpec), + ParamInformer: paramInformer, + ParamScope: paramScope, + ConfigurationError: configurationError, + }) + + // TEMPORARY UNTIL WE HAVE SHARED PARAM INFORMERS + if paramKind := policyAccessor.GetParamKind(); paramKind != nil { + usedParams[*paramKind] = struct{}{} + } + + // Should queue a re-sync for policy sync error. If our shared param + // informer can notify us when CRD discovery changes we can remove this + // and just rely on the informer to notify us when the CRDs change + if configurationError != nil { + errs = append(errs, configurationError) + } + } + + // Clean up orphaned policies by replacing the old cache of compiled policies + // (the map of used policies is updated by `compilePolicy`) + for policyKey := range s.compiledPolicies { + if _, wasSeen := policiesToBindings[policyKey]; !wasSeen { + delete(s.compiledPolicies, policyKey) + } + } + + // Clean up orphaned param informers + for paramKind, info := range s.paramsCRDControllers { + if _, wasSeen := usedParams[paramKind]; !wasSeen { + info.cancelFunc() + delete(s.paramsCRDControllers, paramKind) + } + } + + err = nil + if len(errs) > 0 { + err = goerrors.Join(errs...) + } + return result, err +} + +// ensureParamsForPolicyLocked ensures that the informer for the paramKind is +// started and returns the informer and the scope of the paramKind. +// +// Must be called under write lock +func (s *policySource[P, B, E]) ensureParamsForPolicyLocked(paramSource *schema.GroupVersionKind) (informers.GenericInformer, meta.RESTScope, error) { + if paramSource == nil { + return nil, nil, nil + } else if info, ok := s.paramsCRDControllers[*paramSource]; ok { + return info.informer, info.mapping.Scope, nil + } + + mapping, err := s.restMapper.RESTMapping(schema.GroupKind{ + Group: paramSource.Group, + Kind: paramSource.Kind, + }, paramSource.Version) + + if err != nil { + // Failed to resolve. Return error so we retry again (rate limited) + // Save a record of this definition with an evaluator that unconditionally + return nil, nil, fmt.Errorf("failed to find resource referenced by paramKind: '%v'", *paramSource) + } + + // We are not watching this param. Start an informer for it. + instanceContext, instanceCancel := context.WithCancel(s.ctx) + + var informer informers.GenericInformer + + // Try to see if our provided informer factory has an informer for this type. + // We assume the informer is already started, and starts all types associated + // with it. + if genericInformer, err := s.informerFactory.ForResource(mapping.Resource); err == nil { + informer = genericInformer + + // Start the informer + s.informerFactory.Start(instanceContext.Done()) + + } else { + // Dynamic JSON informer fallback. + // Cannot use shared dynamic informer since it would be impossible + // to clean CRD informers properly with multiple dependents + // (cannot start ahead of time, and cannot track dependencies via stopCh) + informer = dynamicinformer.NewFilteredDynamicInformer( + s.dynamicClient, + mapping.Resource, + corev1.NamespaceAll, + // Use same interval as is used for k8s typed sharedInformerFactory + // https://github.com/kubernetes/kubernetes/blob/7e0923899fed622efbc8679cca6b000d43633e38/cmd/kube-apiserver/app/server.go#L430 + 10*time.Minute, + cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc}, + nil, + ) + go informer.Informer().Run(instanceContext.Done()) + } + + klog.Infof("informer started for %v", *paramSource) + ret := ¶mInfo{ + mapping: *mapping, + cancelFunc: instanceCancel, + informer: informer, + } + s.paramsCRDControllers[*paramSource] = ret + return ret.informer, mapping.Scope, nil +} + +// For testing +func (s *policySource[P, B, E]) getParamInformer(param schema.GroupVersionKind) (informers.GenericInformer, meta.RESTScope) { + s.lock.Lock() + defer s.lock.Unlock() + + if info, ok := s.paramsCRDControllers[param]; ok { + return info.informer, info.mapping.Scope + } + + return nil, nil +} + +// compilePolicyLocked compiles the policy and returns the evaluator for it. +// If the policy has not changed since the last compilation, it will return +// the cached evaluator. +// +// Must be called under write lock +func (s *policySource[P, B, E]) compilePolicyLocked(policySpec P) E { + policyMeta, err := meta.Accessor(policySpec) + if err != nil { + // This should not happen if P, and B have ObjectMeta, but + // unfortunately there is no way to express "able to call + // meta.Accessor" as a type constraint + utilruntime.HandleError(err) + var emptyEvaluator E + return emptyEvaluator + } + key := types.NamespacedName{ + Namespace: policyMeta.GetNamespace(), + Name: policyMeta.GetName(), + } + + compiledPolicy, wasCompiled := s.compiledPolicies[key] + + // If the policy or binding has changed since it was last compiled, + // and if there is no configuration error (like a missing param CRD) + // then we recompile + if !wasCompiled || + compiledPolicy.policyVersion != policyMeta.GetResourceVersion() { + + compiledPolicy = compiledPolicyEntry[E]{ + policyVersion: policyMeta.GetResourceVersion(), + evaluator: s.compiler(policySpec), + } + s.compiledPolicies[key] = compiledPolicy + } + + return compiledPolicy.evaluator +} diff --git a/staging/src/k8s.io/apiserver/pkg/admission/plugin/policy/generic/policy_source_test.go b/staging/src/k8s.io/apiserver/pkg/admission/plugin/policy/generic/policy_source_test.go new file mode 100644 index 00000000000..be17f9c602b --- /dev/null +++ b/staging/src/k8s.io/apiserver/pkg/admission/plugin/policy/generic/policy_source_test.go @@ -0,0 +1,233 @@ +/* +Copyright 2024 The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package generic_test + +import ( + "testing" + + "github.com/stretchr/testify/require" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/runtime" + "k8s.io/apimachinery/pkg/runtime/schema" + "k8s.io/apimachinery/pkg/types" + "k8s.io/apiserver/pkg/admission/plugin/policy/generic" + "k8s.io/apiserver/pkg/admission/plugin/policy/matching" + "k8s.io/apiserver/pkg/authorization/authorizer" + "k8s.io/client-go/tools/cache" +) + +func makeTestDispatcher(authorizer.Authorizer, *matching.Matcher) generic.Dispatcher[generic.PolicyHook[*FakePolicy, *FakeBinding, generic.Evaluator]] { + return nil +} + +func TestPolicySourceHasSyncedEmpty(t *testing.T) { + testContext, testCancel, err := generic.NewPolicyTestContext( + func(fp *FakePolicy) generic.PolicyAccessor { return fp }, + func(fb *FakeBinding) generic.BindingAccessor { return fb }, + func(fp *FakePolicy) generic.Evaluator { return nil }, + makeTestDispatcher, + nil, + nil, + ) + require.NoError(t, err) + defer testCancel() + require.NoError(t, testContext.Start()) + + // Should be able to wait for cache sync + require.True(t, cache.WaitForCacheSync(testContext.Done(), testContext.Source.HasSynced), "cache should sync after informer running") +} + +func TestPolicySourceHasSyncedInitialList(t *testing.T) { + // Create a list of fake policies + initialObjects := []runtime.Object{ + &FakePolicy{ + ObjectMeta: metav1.ObjectMeta{ + Name: "policy1", + }, + }, + &FakeBinding{ + ObjectMeta: metav1.ObjectMeta{ + Name: "binding1", + }, + PolicyName: "policy1", + }, + } + + testContext, testCancel, err := generic.NewPolicyTestContext( + func(fp *FakePolicy) generic.PolicyAccessor { return fp }, + func(fb *FakeBinding) generic.BindingAccessor { return fb }, + func(fp *FakePolicy) generic.Evaluator { return nil }, + makeTestDispatcher, + initialObjects, + nil, + ) + require.NoError(t, err) + defer testCancel() + require.NoError(t, testContext.Start()) + // Should be able to wait for cache sync + require.Len(t, testContext.Source.Hooks(), 1, "should have one policy") + require.NoError(t, testContext.UpdateAndWait( + &FakePolicy{ + ObjectMeta: metav1.ObjectMeta{ + Name: "policy2", + }, + }, + &FakeBinding{ + ObjectMeta: metav1.ObjectMeta{ + Name: "binding2", + }, + PolicyName: "policy2", + }, + )) + require.Len(t, testContext.Source.Hooks(), 2, "should have two policies") + require.NoError(t, testContext.UpdateAndWait( + &FakePolicy{ + ObjectMeta: metav1.ObjectMeta{ + Name: "policy3", + }, + }, + &FakeBinding{ + ObjectMeta: metav1.ObjectMeta{ + Name: "binding3", + }, + PolicyName: "policy3", + }, + &FakePolicy{ + ObjectMeta: metav1.ObjectMeta{ + Name: "policy2", + }, + ParamKind: &schema.GroupVersionKind{ + Group: "policy.example.com", + Version: "v1", + Kind: "FakeParam", + }, + }, + )) + require.Len(t, testContext.Source.Hooks(), 3, "should have 3 policies") + +} + +func TestPolicySourceBindsToPolicies(t *testing.T) { + // Create a list of fake policies + initialObjects := []runtime.Object{ + &FakePolicy{ + ObjectMeta: metav1.ObjectMeta{ + Name: "policy1", + }, + }, + &FakeBinding{ + ObjectMeta: metav1.ObjectMeta{ + Name: "binding1", + }, + PolicyName: "policy1", + }, + } + + testContext, testCancel, err := generic.NewPolicyTestContext( + func(fp *FakePolicy) generic.PolicyAccessor { return fp }, + func(fb *FakeBinding) generic.BindingAccessor { return fb }, + func(fp *FakePolicy) generic.Evaluator { return nil }, + makeTestDispatcher, + initialObjects, + nil, + ) + require.NoError(t, err) + defer testCancel() + require.NoError(t, testContext.Start()) + + require.Len(t, testContext.Source.Hooks(), 1, "should have one policy") + require.Len(t, testContext.Source.Hooks()[0].Bindings, 1, "should have one binding") + require.Equal(t, "binding1", testContext.Source.Hooks()[0].Bindings[0].GetName(), "should have one binding") + + // Change the binding to another policy (policies without bindings should + // be ignored, so it should remove the first + require.NoError(t, testContext.UpdateAndWait( + &FakePolicy{ + ObjectMeta: metav1.ObjectMeta{ + Name: "policy2", + }, + }, + &FakeBinding{ + ObjectMeta: metav1.ObjectMeta{ + Name: "binding1", + }, + PolicyName: "policy2", + })) + require.Len(t, testContext.Source.Hooks(), 1, "should have one policy") + require.Equal(t, "policy2", testContext.Source.Hooks()[0].Policy.GetName(), "policy name should be policy2") + require.Len(t, testContext.Source.Hooks()[0].Bindings, 1, "should have one binding") + require.Equal(t, "binding1", testContext.Source.Hooks()[0].Bindings[0].GetName(), "binding name should be binding1") + +} + +type FakePolicy struct { + metav1.TypeMeta + metav1.ObjectMeta + + ParamKind *schema.GroupVersionKind +} + +var _ generic.PolicyAccessor = &FakePolicy{} + +type FakeBinding struct { + metav1.TypeMeta + metav1.ObjectMeta + + PolicyName string +} + +var _ generic.BindingAccessor = &FakeBinding{} + +func (fp *FakePolicy) GetName() string { + return fp.Name +} + +func (fp *FakePolicy) GetNamespace() string { + return fp.Namespace +} + +func (fp *FakePolicy) GetParamKind() *schema.GroupVersionKind { + return fp.ParamKind +} + +func (fb *FakeBinding) GetName() string { + return fb.Name +} + +func (fb *FakeBinding) GetNamespace() string { + return fb.Namespace +} + +func (fb *FakeBinding) GetPolicyName() types.NamespacedName { + return types.NamespacedName{ + Name: fb.PolicyName, + } +} + +func (fp *FakePolicy) DeepCopyObject() runtime.Object { + // totally fudged deepcopy + newFP := &FakePolicy{} + *newFP = *fp + return newFP +} + +func (fb *FakeBinding) DeepCopyObject() runtime.Object { + // totally fudged deepcopy + newFB := &FakeBinding{} + *newFB = *fb + return newFB +} diff --git a/staging/src/k8s.io/apiserver/pkg/admission/plugin/policy/generic/policy_test_context.go b/staging/src/k8s.io/apiserver/pkg/admission/plugin/policy/generic/policy_test_context.go new file mode 100644 index 00000000000..f47c000dd21 --- /dev/null +++ b/staging/src/k8s.io/apiserver/pkg/admission/plugin/policy/generic/policy_test_context.go @@ -0,0 +1,608 @@ +/* +Copyright 2024 The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package generic + +import ( + "context" + "fmt" + "time" + + corev1 "k8s.io/api/core/v1" + "k8s.io/apimachinery/pkg/api/errors" + "k8s.io/apimachinery/pkg/api/meta" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" + "k8s.io/apimachinery/pkg/runtime" + "k8s.io/apimachinery/pkg/runtime/schema" + "k8s.io/apimachinery/pkg/runtime/serializer" + "k8s.io/apimachinery/pkg/types" + "k8s.io/apimachinery/pkg/util/uuid" + "k8s.io/apimachinery/pkg/util/wait" + "k8s.io/apimachinery/pkg/watch" + "k8s.io/client-go/dynamic" + dynamicfake "k8s.io/client-go/dynamic/fake" + "k8s.io/client-go/informers" + "k8s.io/client-go/kubernetes" + "k8s.io/client-go/kubernetes/fake" + clienttesting "k8s.io/client-go/testing" + "k8s.io/client-go/tools/cache" + "k8s.io/component-base/featuregate" + + "k8s.io/apiserver/pkg/admission" + "k8s.io/apiserver/pkg/admission/initializer" + "k8s.io/apiserver/pkg/authorization/authorizer" + "k8s.io/apiserver/pkg/features" +) + +// PolicyTestContext is everything you need to unit test a policy plugin +type PolicyTestContext[P runtime.Object, B runtime.Object, E Evaluator] struct { + context.Context + Plugin *Plugin[PolicyHook[P, B, E]] + Source Source[PolicyHook[P, B, E]] + Start func() error + + scheme *runtime.Scheme + restMapper *meta.DefaultRESTMapper + policyGVR schema.GroupVersionResource + bindingGVR schema.GroupVersionResource + + policyGVK schema.GroupVersionKind + bindingGVK schema.GroupVersionKind + + nativeTracker clienttesting.ObjectTracker + policyAndBindingTracker clienttesting.ObjectTracker + unstructuredTracker clienttesting.ObjectTracker +} + +func NewPolicyTestContext[P, B runtime.Object, E Evaluator]( + newPolicyAccessor func(P) PolicyAccessor, + newBindingAccessor func(B) BindingAccessor, + compileFunc func(P) E, + dispatcher dispatcherFactory[PolicyHook[P, B, E]], + initialObjects []runtime.Object, + paramMappings []meta.RESTMapping, +) (*PolicyTestContext[P, B, E], func(), error) { + var Pexample P + var Bexample B + + // Create a fake resource and kind for the provided policy and binding types + fakePolicyGVR := schema.GroupVersionResource{ + Group: "policy.example.com", + Version: "v1", + Resource: "fakepolicies", + } + fakeBindingGVR := schema.GroupVersionResource{ + Group: "policy.example.com", + Version: "v1", + Resource: "fakebindings", + } + fakePolicyGVK := fakePolicyGVR.GroupVersion().WithKind("FakePolicy") + fakeBindingGVK := fakeBindingGVR.GroupVersion().WithKind("FakeBinding") + + policySourceTestScheme, err := func() (*runtime.Scheme, error) { + scheme := runtime.NewScheme() + + if err := fake.AddToScheme(scheme); err != nil { + return nil, err + } + + scheme.AddKnownTypeWithName(fakePolicyGVK, Pexample) + scheme.AddKnownTypeWithName(fakeBindingGVK, Bexample) + scheme.AddKnownTypeWithName(fakePolicyGVK.GroupVersion().WithKind(fakePolicyGVK.Kind+"List"), &FakeList[P]{}) + scheme.AddKnownTypeWithName(fakeBindingGVK.GroupVersion().WithKind(fakeBindingGVK.Kind+"List"), &FakeList[B]{}) + + for _, mapping := range paramMappings { + // Skip if it is in the scheme already + if scheme.Recognizes(mapping.GroupVersionKind) { + continue + } + scheme.AddKnownTypeWithName(mapping.GroupVersionKind, &unstructured.Unstructured{}) + scheme.AddKnownTypeWithName(mapping.GroupVersionKind.GroupVersion().WithKind(mapping.GroupVersionKind.Kind+"List"), &unstructured.UnstructuredList{}) + } + + return scheme, nil + }() + if err != nil { + return nil, nil, err + } + + fakeRestMapper := func() *meta.DefaultRESTMapper { + res := meta.NewDefaultRESTMapper([]schema.GroupVersion{ + { + Group: "", + Version: "v1", + }, + }) + + res.Add(fakePolicyGVK, meta.RESTScopeRoot) + res.Add(fakeBindingGVK, meta.RESTScopeRoot) + res.Add(corev1.SchemeGroupVersion.WithKind("ConfigMap"), meta.RESTScopeNamespace) + + for _, mapping := range paramMappings { + res.AddSpecific(mapping.GroupVersionKind, mapping.Resource, mapping.Resource, mapping.Scope) + } + + return res + }() + + nativeClient := fake.NewSimpleClientset() + dynamicClient := dynamicfake.NewSimpleDynamicClient(policySourceTestScheme) + fakeInformerFactory := informers.NewSharedInformerFactory(nativeClient, 30*time.Second) + + // Make an object tracker specifically for our policies and bindings + policiesAndBindingsTracker := clienttesting.NewObjectTracker( + policySourceTestScheme, + serializer.NewCodecFactory(policySourceTestScheme).UniversalDecoder()) + + // Make an informer for our policies and bindings + + policyInformer := cache.NewSharedIndexInformer( + &cache.ListWatch{ + ListFunc: func(options metav1.ListOptions) (runtime.Object, error) { + return policiesAndBindingsTracker.List(fakePolicyGVR, fakePolicyGVK, "") + }, + WatchFunc: func(options metav1.ListOptions) (watch.Interface, error) { + return policiesAndBindingsTracker.Watch(fakePolicyGVR, "") + }, + }, + Pexample, + 30*time.Second, + cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc}, + ) + bindingInformer := cache.NewSharedIndexInformer( + &cache.ListWatch{ + ListFunc: func(options metav1.ListOptions) (runtime.Object, error) { + return policiesAndBindingsTracker.List(fakeBindingGVR, fakeBindingGVK, "") + }, + WatchFunc: func(options metav1.ListOptions) (watch.Interface, error) { + return policiesAndBindingsTracker.Watch(fakeBindingGVR, "") + }, + }, + Bexample, + 30*time.Second, + cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc}, + ) + + var source Source[PolicyHook[P, B, E]] + plugin := NewPlugin[PolicyHook[P, B, E]]( + admission.NewHandler(admission.Connect, admission.Create, admission.Delete, admission.Update), + func(sif informers.SharedInformerFactory, i1 kubernetes.Interface, i2 dynamic.Interface, r meta.RESTMapper) Source[PolicyHook[P, B, E]] { + source = NewPolicySource[P, B, E]( + policyInformer, + bindingInformer, + newPolicyAccessor, + newBindingAccessor, + compileFunc, + sif, + i2, + r, + ) + return source + }, dispatcher) + plugin.SetEnabled(true) + + featureGate := featuregate.NewFeatureGate() + err = featureGate.Add(map[featuregate.Feature]featuregate.FeatureSpec{ + //!TODO: move this to validating specific tests + features.ValidatingAdmissionPolicy: { + Default: true, PreRelease: featuregate.Beta}}) + if err != nil { + return nil, nil, err + } + err = featureGate.SetFromMap(map[string]bool{string(features.ValidatingAdmissionPolicy): true}) + if err != nil { + return nil, nil, err + } + + testContext, testCancel := context.WithCancel(context.Background()) + genericInitializer := initializer.New( + nativeClient, + dynamicClient, + fakeInformerFactory, + fakeAuthorizer{}, + featureGate, + testContext.Done(), + ) + genericInitializer.Initialize(plugin) + plugin.SetRESTMapper(fakeRestMapper) + + if err := plugin.ValidateInitialization(); err != nil { + testCancel() + return nil, nil, err + } + + res := &PolicyTestContext[P, B, E]{ + Context: testContext, + Plugin: plugin, + Source: source, + + restMapper: fakeRestMapper, + scheme: policySourceTestScheme, + policyGVK: fakePolicyGVK, + bindingGVK: fakeBindingGVK, + policyGVR: fakePolicyGVR, + bindingGVR: fakeBindingGVR, + nativeTracker: nativeClient.Tracker(), + policyAndBindingTracker: policiesAndBindingsTracker, + unstructuredTracker: dynamicClient.Tracker(), + } + + for _, obj := range initialObjects { + err := res.updateOne(obj) + if err != nil { + testCancel() + return nil, nil, err + } + } + + res.Start = func() error { + fakeInformerFactory.Start(res.Done()) + go policyInformer.Run(res.Done()) + go bindingInformer.Run(res.Done()) + + if !cache.WaitForCacheSync(res.Done(), res.Source.HasSynced) { + return fmt.Errorf("timed out waiting for initial cache sync") + } + return nil + } + return res, testCancel, nil +} + +// UpdateAndWait updates the given object in the test, or creates it if it doesn't exist +// Depending upon object type, waits afterward until the object is synced +// by the policy source +// +// Be aware the UpdateAndWait will modify the ResourceVersion of the +// provided objects. +func (p *PolicyTestContext[P, B, E]) UpdateAndWait(objects ...runtime.Object) error { + return p.update(true, objects...) +} + +// Update updates the given object in the test, or creates it if it doesn't exist +// +// Be aware the Update will modify the ResourceVersion of the +// provided objects. +func (p *PolicyTestContext[P, B, E]) Update(objects ...runtime.Object) error { + return p.update(false, objects...) +} + +// Objects the given object in the test, or creates it if it doesn't exist +// Depending upon object type, waits afterward until the object is synced +// by the policy source +func (p *PolicyTestContext[P, B, E]) update(wait bool, objects ...runtime.Object) error { + for _, object := range objects { + if err := p.updateOne(object); err != nil { + return err + } + } + + if wait { + timeoutCtx, timeoutCancel := context.WithTimeout(p, 3*time.Second) + defer timeoutCancel() + + for _, object := range objects { + if err := p.WaitForReconcile(timeoutCtx, object); err != nil { + return fmt.Errorf("error waiting for reconcile of %v: %v", object, err) + } + } + } + return nil +} + +// Depending upon object type, waits afterward until the object is synced +// by the policy source. Note that policies that are not bound are skipped, +// so you should not try to wait for an unbound policy. Create both the binding +// and policy, then wait. +func (p *PolicyTestContext[P, B, E]) WaitForReconcile(timeoutCtx context.Context, object runtime.Object) error { + if !p.Source.HasSynced() { + return nil + } + + objectMeta, err := meta.Accessor(object) + if err != nil { + return err + } + + objectGVK := object.GetObjectKind().GroupVersionKind() + switch objectGVK { + case p.policyGVK: + return wait.PollUntilContextCancel(timeoutCtx, 100*time.Millisecond, true, func(ctx context.Context) (done bool, err error) { + policies := p.Source.Hooks() + for _, policy := range policies { + policyMeta, err := meta.Accessor(policy.Policy) + if err != nil { + return true, err + } else if policyMeta.GetName() == objectMeta.GetName() && policyMeta.GetResourceVersion() == objectMeta.GetResourceVersion() { + return true, nil + } + } + return false, nil + }) + case p.bindingGVK: + return wait.PollUntilContextCancel(timeoutCtx, 100*time.Millisecond, true, func(ctx context.Context) (done bool, err error) { + policies := p.Source.Hooks() + for _, policy := range policies { + for _, binding := range policy.Bindings { + bindingMeta, err := meta.Accessor(binding) + if err != nil { + return true, err + } else if bindingMeta.GetName() == objectMeta.GetName() && bindingMeta.GetResourceVersion() == objectMeta.GetResourceVersion() { + return true, nil + } + } + } + return false, nil + }) + + default: + // Do nothing, params are visible immediately + // Loop until one of the params is visible via get of the param informer + return wait.PollUntilContextCancel(timeoutCtx, 100*time.Millisecond, true, func(ctx context.Context) (done bool, err error) { + informer, scope := p.Source.(*policySource[P, B, E]).getParamInformer(objectGVK) + if informer == nil { + // Informer does not exist yet, keep waiting for sync + return false, nil + } + + if !cache.WaitForCacheSync(timeoutCtx.Done(), informer.Informer().HasSynced) { + return false, fmt.Errorf("timed out waiting for cache sync of param informer") + } + + var lister cache.GenericNamespaceLister = informer.Lister() + if scope == meta.RESTScopeNamespace { + lister = informer.Lister().ByNamespace(objectMeta.GetNamespace()) + } + + fetched, err := lister.Get(objectMeta.GetName()) + if err != nil { + if errors.IsNotFound(err) { + return false, nil + } + return true, err + } + + // Ensure RV matches + fetchedMeta, err := meta.Accessor(fetched) + if err != nil { + return true, err + } else if fetchedMeta.GetResourceVersion() != objectMeta.GetResourceVersion() { + return false, nil + } + + return true, nil + }) + } +} + +func (p *PolicyTestContext[P, B, E]) waitForDelete(ctx context.Context, objectGVK schema.GroupVersionKind, name types.NamespacedName) error { + srce := p.Source.(*policySource[P, B, E]) + + return wait.PollUntilContextCancel(ctx, 100*time.Millisecond, true, func(ctx context.Context) (done bool, err error) { + switch objectGVK { + case p.policyGVK: + for _, hook := range p.Source.Hooks() { + accessor := srce.newPolicyAccessor(hook.Policy) + if accessor.GetName() == name.Name && accessor.GetNamespace() == name.Namespace { + return false, nil + } + } + + return true, nil + case p.bindingGVK: + for _, hook := range p.Source.Hooks() { + for _, binding := range hook.Bindings { + accessor := srce.newBindingAccessor(binding) + if accessor.GetName() == name.Name && accessor.GetNamespace() == name.Namespace { + return false, nil + } + } + } + return true, nil + default: + // Do nothing, params are visible immediately + // Loop until one of the params is visible via get of the param informer + informer, scope := p.Source.(*policySource[P, B, E]).getParamInformer(objectGVK) + if informer == nil { + return true, nil + } + + var lister cache.GenericNamespaceLister = informer.Lister() + if scope == meta.RESTScopeNamespace { + lister = informer.Lister().ByNamespace(name.Namespace) + } + + _, err = lister.Get(name.Name) + if err != nil { + if errors.IsNotFound(err) { + return true, nil + } + return false, err + } + return false, nil + } + }) +} + +func (p *PolicyTestContext[P, B, E]) updateOne(object runtime.Object) error { + objectMeta, err := meta.Accessor(object) + if err != nil { + return err + } + objectMeta.SetResourceVersion(string(uuid.NewUUID())) + objectGVK := object.GetObjectKind().GroupVersionKind() + + if objectGVK.Empty() { + // If the object doesn't have a GVK, ask the schema for preferred GVK + knownKinds, _, err := p.scheme.ObjectKinds(object) + if err != nil { + return err + } else if len(knownKinds) == 0 { + return fmt.Errorf("no known GVKs for object in schema: %T", object) + } + toTake := 0 + + // Prefer GVK if it is our fake policy or binding + for i, knownKind := range knownKinds { + if knownKind == p.policyGVK || knownKind == p.bindingGVK { + toTake = i + break + } + } + + objectGVK = knownKinds[toTake] + object.GetObjectKind().SetGroupVersionKind(objectGVK) + } + + // Make sure GVK is known to the fake rest mapper. To prevent cryptic error + mapping, err := p.restMapper.RESTMapping(objectGVK.GroupKind(), objectGVK.Version) + if err != nil { + return err + } + + switch objectGVK { + case p.policyGVK: + err := p.policyAndBindingTracker.Update(p.policyGVR, object, objectMeta.GetNamespace()) + if errors.IsNotFound(err) { + err = p.policyAndBindingTracker.Create(p.policyGVR, object, objectMeta.GetNamespace()) + } + + return err + case p.bindingGVK: + err := p.policyAndBindingTracker.Update(p.bindingGVR, object, objectMeta.GetNamespace()) + if errors.IsNotFound(err) { + err = p.policyAndBindingTracker.Create(p.bindingGVR, object, objectMeta.GetNamespace()) + } + + return err + default: + if _, ok := object.(*unstructured.Unstructured); ok { + if err := p.unstructuredTracker.Create(mapping.Resource, object, objectMeta.GetNamespace()); err != nil { + if errors.IsAlreadyExists(err) { + return p.unstructuredTracker.Update(mapping.Resource, object, objectMeta.GetNamespace()) + } + return err + } + return nil + } else if err := p.nativeTracker.Create(mapping.Resource, object, objectMeta.GetNamespace()); err != nil { + if errors.IsAlreadyExists(err) { + return p.nativeTracker.Update(mapping.Resource, object, objectMeta.GetNamespace()) + } + } + return nil + } +} + +// Depending upon object type, waits afterward until the object is synced +// by the policy source +func (p *PolicyTestContext[P, B, E]) DeleteAndWait(object ...runtime.Object) error { + for _, object := range object { + if err := p.deleteOne(object); err != nil && !errors.IsNotFound(err) { + return err + } + } + + timeoutCtx, timeoutCancel := context.WithTimeout(p, 3*time.Second) + defer timeoutCancel() + + for _, object := range object { + accessor, err := meta.Accessor(object) + if err != nil { + return err + } + + if err := p.waitForDelete( + timeoutCtx, + object.GetObjectKind().GroupVersionKind(), + types.NamespacedName{Name: accessor.GetName(), Namespace: accessor.GetNamespace()}); err != nil { + return err + } + } + return nil +} + +func (p *PolicyTestContext[P, B, E]) deleteOne(object runtime.Object) error { + objectMeta, err := meta.Accessor(object) + if err != nil { + return err + } + objectMeta.SetResourceVersion(string(uuid.NewUUID())) + objectGVK := object.GetObjectKind().GroupVersionKind() + + if objectGVK.Empty() { + // If the object doesn't have a GVK, ask the schema for preferred GVK + knownKinds, _, err := p.scheme.ObjectKinds(object) + if err != nil { + return err + } else if len(knownKinds) == 0 { + return fmt.Errorf("no known GVKs for object in schema: %T", object) + } + toTake := 0 + + // Prefer GVK if it is our fake policy or binding + for i, knownKind := range knownKinds { + if knownKind == p.policyGVK || knownKind == p.bindingGVK { + toTake = i + break + } + } + + objectGVK = knownKinds[toTake] + object.GetObjectKind().SetGroupVersionKind(objectGVK) + } + + // Make sure GVK is known to the fake rest mapper. To prevent cryptic error + mapping, err := p.restMapper.RESTMapping(objectGVK.GroupKind(), objectGVK.Version) + if err != nil { + return err + } + + switch objectGVK { + case p.policyGVK: + return p.policyAndBindingTracker.Delete(p.policyGVR, objectMeta.GetNamespace(), objectMeta.GetName()) + case p.bindingGVK: + return p.policyAndBindingTracker.Delete(p.bindingGVR, objectMeta.GetNamespace(), objectMeta.GetName()) + default: + if _, ok := object.(*unstructured.Unstructured); ok { + return p.unstructuredTracker.Delete(mapping.Resource, objectMeta.GetNamespace(), objectMeta.GetName()) + } + return p.nativeTracker.Delete(mapping.Resource, objectMeta.GetNamespace(), objectMeta.GetName()) + } +} + +type FakeList[T runtime.Object] struct { + metav1.TypeMeta + metav1.ListMeta + Items []T +} + +func (fl *FakeList[P]) DeepCopyObject() runtime.Object { + copiedItems := make([]P, len(fl.Items)) + for i, item := range fl.Items { + copiedItems[i] = item.DeepCopyObject().(P) + } + return &FakeList[P]{ + TypeMeta: fl.TypeMeta, + ListMeta: fl.ListMeta, + Items: copiedItems, + } +} + +type fakeAuthorizer struct{} + +func (f fakeAuthorizer) Authorize(ctx context.Context, a authorizer.Attributes) (authorizer.Decision, string, error) { + return authorizer.DecisionAllow, "", nil +}