mirror of
https://github.com/k3s-io/kubernetes.git
synced 2025-07-25 04:33:26 +00:00
Drop legacy validation logic for admission registration
This commit is contained in:
parent
39a1293cbc
commit
befffd1565
@ -22,7 +22,6 @@ import (
|
||||
|
||||
genericvalidation "k8s.io/apimachinery/pkg/api/validation"
|
||||
metav1validation "k8s.io/apimachinery/pkg/apis/meta/v1/validation"
|
||||
"k8s.io/apimachinery/pkg/runtime/schema"
|
||||
"k8s.io/apimachinery/pkg/util/sets"
|
||||
utilvalidation "k8s.io/apimachinery/pkg/util/validation"
|
||||
"k8s.io/apimachinery/pkg/util/validation/field"
|
||||
@ -201,11 +200,11 @@ func validateAdmissionReviewVersions(versions []string, requireRecognizedAdmissi
|
||||
}
|
||||
|
||||
// ValidateValidatingWebhookConfiguration validates a webhook before creation.
|
||||
func ValidateValidatingWebhookConfiguration(e *admissionregistration.ValidatingWebhookConfiguration, requestGV schema.GroupVersion) field.ErrorList {
|
||||
func ValidateValidatingWebhookConfiguration(e *admissionregistration.ValidatingWebhookConfiguration) field.ErrorList {
|
||||
return validateValidatingWebhookConfiguration(e, validationOptions{
|
||||
requireNoSideEffects: requireNoSideEffects(requestGV),
|
||||
requireNoSideEffects: true,
|
||||
requireRecognizedAdmissionReviewVersion: true,
|
||||
requireUniqueWebhookNames: requireUniqueWebhookNames(requestGV),
|
||||
requireUniqueWebhookNames: true,
|
||||
})
|
||||
}
|
||||
|
||||
@ -226,11 +225,11 @@ func validateValidatingWebhookConfiguration(e *admissionregistration.ValidatingW
|
||||
}
|
||||
|
||||
// ValidateMutatingWebhookConfiguration validates a webhook before creation.
|
||||
func ValidateMutatingWebhookConfiguration(e *admissionregistration.MutatingWebhookConfiguration, requestGV schema.GroupVersion) field.ErrorList {
|
||||
func ValidateMutatingWebhookConfiguration(e *admissionregistration.MutatingWebhookConfiguration) field.ErrorList {
|
||||
return validateMutatingWebhookConfiguration(e, validationOptions{
|
||||
requireNoSideEffects: requireNoSideEffects(requestGV),
|
||||
requireNoSideEffects: true,
|
||||
requireRecognizedAdmissionReviewVersion: true,
|
||||
requireUniqueWebhookNames: requireUniqueWebhookNames(requestGV),
|
||||
requireUniqueWebhookNames: true,
|
||||
})
|
||||
}
|
||||
|
||||
@ -497,29 +496,19 @@ func validatingHasNoSideEffects(webhooks []admissionregistration.ValidatingWebho
|
||||
}
|
||||
|
||||
// ValidateValidatingWebhookConfigurationUpdate validates update of validating webhook configuration
|
||||
func ValidateValidatingWebhookConfigurationUpdate(newC, oldC *admissionregistration.ValidatingWebhookConfiguration, requestGV schema.GroupVersion) field.ErrorList {
|
||||
func ValidateValidatingWebhookConfigurationUpdate(newC, oldC *admissionregistration.ValidatingWebhookConfiguration) field.ErrorList {
|
||||
return validateValidatingWebhookConfiguration(newC, validationOptions{
|
||||
requireNoSideEffects: requireNoSideEffects(requestGV) && validatingHasNoSideEffects(oldC.Webhooks),
|
||||
requireNoSideEffects: validatingHasNoSideEffects(oldC.Webhooks),
|
||||
requireRecognizedAdmissionReviewVersion: validatingHasAcceptedAdmissionReviewVersions(oldC.Webhooks),
|
||||
requireUniqueWebhookNames: requireUniqueWebhookNames(requestGV) && validatingHasUniqueWebhookNames(oldC.Webhooks),
|
||||
requireUniqueWebhookNames: validatingHasUniqueWebhookNames(oldC.Webhooks),
|
||||
})
|
||||
}
|
||||
|
||||
// ValidateMutatingWebhookConfigurationUpdate validates update of mutating webhook configuration
|
||||
func ValidateMutatingWebhookConfigurationUpdate(newC, oldC *admissionregistration.MutatingWebhookConfiguration, requestGV schema.GroupVersion) field.ErrorList {
|
||||
func ValidateMutatingWebhookConfigurationUpdate(newC, oldC *admissionregistration.MutatingWebhookConfiguration) field.ErrorList {
|
||||
return validateMutatingWebhookConfiguration(newC, validationOptions{
|
||||
requireNoSideEffects: requireNoSideEffects(requestGV) && mutatingHasNoSideEffects(oldC.Webhooks),
|
||||
requireNoSideEffects: mutatingHasNoSideEffects(oldC.Webhooks),
|
||||
requireRecognizedAdmissionReviewVersion: mutatingHasAcceptedAdmissionReviewVersions(oldC.Webhooks),
|
||||
requireUniqueWebhookNames: requireUniqueWebhookNames(requestGV) && mutatingHasUniqueWebhookNames(oldC.Webhooks),
|
||||
requireUniqueWebhookNames: mutatingHasUniqueWebhookNames(oldC.Webhooks),
|
||||
})
|
||||
}
|
||||
|
||||
// requireUniqueWebhookNames returns true for all requests except v1beta1 (for backwards compatibility)
|
||||
func requireUniqueWebhookNames(requestGV schema.GroupVersion) bool {
|
||||
return requestGV != (schema.GroupVersion{Group: admissionregistration.GroupName, Version: "v1beta1"})
|
||||
}
|
||||
|
||||
// requireNoSideEffects returns true for all requests except v1beta1 (for backwards compatibility)
|
||||
func requireNoSideEffects(requestGV schema.GroupVersion) bool {
|
||||
return requestGV != (schema.GroupVersion{Group: admissionregistration.GroupName, Version: "v1beta1"})
|
||||
}
|
||||
|
@ -21,7 +21,6 @@ import (
|
||||
"testing"
|
||||
|
||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
"k8s.io/apimachinery/pkg/runtime/schema"
|
||||
"k8s.io/kubernetes/pkg/apis/admissionregistration"
|
||||
)
|
||||
|
||||
@ -46,6 +45,7 @@ func newValidatingWebhookConfiguration(hooks []admissionregistration.ValidatingW
|
||||
}
|
||||
|
||||
func TestValidateValidatingWebhookConfiguration(t *testing.T) {
|
||||
noSideEffect := admissionregistration.SideEffectClassNone
|
||||
unknownSideEffect := admissionregistration.SideEffectClassUnknown
|
||||
validClientConfig := admissionregistration.WebhookClientConfig{
|
||||
URL: strPtr("https://example.com"),
|
||||
@ -53,7 +53,6 @@ func TestValidateValidatingWebhookConfiguration(t *testing.T) {
|
||||
tests := []struct {
|
||||
name string
|
||||
config *admissionregistration.ValidatingWebhookConfiguration
|
||||
gv schema.GroupVersion
|
||||
expectedError string
|
||||
}{
|
||||
{
|
||||
@ -83,11 +82,10 @@ func TestValidateValidatingWebhookConfiguration(t *testing.T) {
|
||||
{
|
||||
Name: "webhook.k8s.io",
|
||||
ClientConfig: validClientConfig,
|
||||
SideEffects: &unknownSideEffect,
|
||||
SideEffects: &noSideEffect,
|
||||
AdmissionReviewVersions: []string{"v1beta1"},
|
||||
},
|
||||
}, true),
|
||||
gv: schema.GroupVersion{Group: "admissionregistration.k8s.io", Version: "v1beta1"},
|
||||
expectedError: ``,
|
||||
},
|
||||
{
|
||||
@ -96,11 +94,10 @@ func TestValidateValidatingWebhookConfiguration(t *testing.T) {
|
||||
{
|
||||
Name: "webhook.k8s.io",
|
||||
ClientConfig: validClientConfig,
|
||||
SideEffects: &unknownSideEffect,
|
||||
SideEffects: &noSideEffect,
|
||||
AdmissionReviewVersions: []string{"v1beta1", "invalid-version"},
|
||||
},
|
||||
}, true),
|
||||
gv: schema.GroupVersion{Group: "admissionregistration.k8s.io", Version: "v1beta1"},
|
||||
expectedError: ``,
|
||||
},
|
||||
{
|
||||
@ -131,24 +128,23 @@ func TestValidateValidatingWebhookConfiguration(t *testing.T) {
|
||||
{
|
||||
Name: "webhook.k8s.io",
|
||||
ClientConfig: validClientConfig,
|
||||
SideEffects: &unknownSideEffect,
|
||||
SideEffects: &noSideEffect,
|
||||
},
|
||||
{
|
||||
Name: "k8s.io",
|
||||
ClientConfig: validClientConfig,
|
||||
SideEffects: &unknownSideEffect,
|
||||
SideEffects: &noSideEffect,
|
||||
},
|
||||
{
|
||||
Name: "",
|
||||
ClientConfig: validClientConfig,
|
||||
SideEffects: &unknownSideEffect,
|
||||
SideEffects: &noSideEffect,
|
||||
},
|
||||
}, true),
|
||||
gv: schema.GroupVersion{Group: "admissionregistration.k8s.io", Version: "v1beta1"},
|
||||
expectedError: `webhooks[1].name: Invalid value: "k8s.io": should be a domain with at least three segments separated by dots, webhooks[2].name: Required value`,
|
||||
},
|
||||
{
|
||||
name: "Webhooks must have unique names when not created via v1beta1",
|
||||
name: "Webhooks must have unique names when created",
|
||||
config: newValidatingWebhookConfiguration([]admissionregistration.ValidatingWebhook{
|
||||
{
|
||||
Name: "webhook.k8s.io",
|
||||
@ -161,26 +157,8 @@ func TestValidateValidatingWebhookConfiguration(t *testing.T) {
|
||||
SideEffects: &unknownSideEffect,
|
||||
},
|
||||
}, true),
|
||||
gv: schema.GroupVersion{Group: "foo", Version: "bar"},
|
||||
expectedError: `webhooks[1].name: Duplicate value: "webhook.k8s.io"`,
|
||||
},
|
||||
{
|
||||
name: "Webhooks can have duplicate names when created via v1beta1",
|
||||
config: newValidatingWebhookConfiguration([]admissionregistration.ValidatingWebhook{
|
||||
{
|
||||
Name: "webhook.k8s.io",
|
||||
ClientConfig: validClientConfig,
|
||||
SideEffects: &unknownSideEffect,
|
||||
},
|
||||
{
|
||||
Name: "webhook.k8s.io",
|
||||
ClientConfig: validClientConfig,
|
||||
SideEffects: &unknownSideEffect,
|
||||
},
|
||||
}, true),
|
||||
gv: schema.GroupVersion{Group: "admissionregistration.k8s.io", Version: "v1beta1"},
|
||||
expectedError: ``,
|
||||
},
|
||||
{
|
||||
name: "Operations must not be empty or nil",
|
||||
config: newValidatingWebhookConfiguration([]admissionregistration.ValidatingWebhook{
|
||||
@ -271,7 +249,7 @@ func TestValidateValidatingWebhookConfiguration(t *testing.T) {
|
||||
{
|
||||
Name: "webhook.k8s.io",
|
||||
ClientConfig: validClientConfig,
|
||||
SideEffects: &unknownSideEffect,
|
||||
SideEffects: &noSideEffect,
|
||||
Rules: []admissionregistration.RuleWithOperations{
|
||||
{
|
||||
Operations: []admissionregistration.OperationType{"CREATE"},
|
||||
@ -284,7 +262,6 @@ func TestValidateValidatingWebhookConfiguration(t *testing.T) {
|
||||
},
|
||||
},
|
||||
}, true),
|
||||
gv: schema.GroupVersion{Group: "admissionregistration.k8s.io", Version: "v1beta1"},
|
||||
},
|
||||
{
|
||||
name: `resource "*" cannot mix with resources that don't have subresources`,
|
||||
@ -334,7 +311,7 @@ func TestValidateValidatingWebhookConfiguration(t *testing.T) {
|
||||
{
|
||||
Name: "webhook.k8s.io",
|
||||
ClientConfig: validClientConfig,
|
||||
SideEffects: &unknownSideEffect,
|
||||
SideEffects: &noSideEffect,
|
||||
Rules: []admissionregistration.RuleWithOperations{
|
||||
{
|
||||
Operations: []admissionregistration.OperationType{"CREATE"},
|
||||
@ -347,7 +324,6 @@ func TestValidateValidatingWebhookConfiguration(t *testing.T) {
|
||||
},
|
||||
},
|
||||
}, true),
|
||||
gv: schema.GroupVersion{Group: "admissionregistration.k8s.io", Version: "v1beta1"},
|
||||
},
|
||||
{
|
||||
name: "resource */a cannot mix with x/a",
|
||||
@ -429,7 +405,7 @@ func TestValidateValidatingWebhookConfiguration(t *testing.T) {
|
||||
expectedError: `webhooks[0].sideEffects: Required value: must specify one of None, NoneOnDryRun`,
|
||||
},
|
||||
{
|
||||
name: "SideEffects can only be \"Unknown\", \"None\", \"Some\", or \"NoneOnDryRun\" via v1beta1",
|
||||
name: "SideEffects can only be \"None\" or \"NoneOnDryRun\" when created",
|
||||
config: newValidatingWebhookConfiguration([]admissionregistration.ValidatingWebhook{
|
||||
{
|
||||
Name: "webhook.k8s.io",
|
||||
@ -440,22 +416,6 @@ func TestValidateValidatingWebhookConfiguration(t *testing.T) {
|
||||
}(),
|
||||
},
|
||||
}, true),
|
||||
gv: schema.GroupVersion{Group: "admissionregistration.k8s.io", Version: "v1beta1"},
|
||||
expectedError: `webhooks[0].sideEffects: Unsupported value: "other": supported values: "None", "NoneOnDryRun", "Some", "Unknown"`,
|
||||
},
|
||||
{
|
||||
name: "SideEffects can only be \"None\" or \"NoneOnDryRun\" via v1",
|
||||
config: newValidatingWebhookConfiguration([]admissionregistration.ValidatingWebhook{
|
||||
{
|
||||
Name: "webhook.k8s.io",
|
||||
ClientConfig: validClientConfig,
|
||||
SideEffects: func() *admissionregistration.SideEffectClass {
|
||||
r := admissionregistration.SideEffectClass("other")
|
||||
return &r
|
||||
}(),
|
||||
},
|
||||
}, true),
|
||||
gv: schema.GroupVersion{Group: "admissionregistration.k8s.io", Version: "v1"},
|
||||
expectedError: `webhooks[0].sideEffects: Unsupported value: "other": supported values: "None", "NoneOnDryRun"`,
|
||||
},
|
||||
{
|
||||
@ -599,10 +559,9 @@ func TestValidateValidatingWebhookConfiguration(t *testing.T) {
|
||||
Port: 443,
|
||||
},
|
||||
},
|
||||
SideEffects: &unknownSideEffect,
|
||||
SideEffects: &noSideEffect,
|
||||
},
|
||||
}, true),
|
||||
gv: schema.GroupVersion{Group: "admissionregistration.k8s.io", Version: "v1beta1"},
|
||||
expectedError: ``,
|
||||
},
|
||||
{
|
||||
@ -618,10 +577,9 @@ func TestValidateValidatingWebhookConfiguration(t *testing.T) {
|
||||
Port: 443,
|
||||
},
|
||||
},
|
||||
SideEffects: &unknownSideEffect,
|
||||
SideEffects: &noSideEffect,
|
||||
},
|
||||
}, true),
|
||||
gv: schema.GroupVersion{Group: "admissionregistration.k8s.io", Version: "v1beta1"},
|
||||
expectedError: ``,
|
||||
},
|
||||
{
|
||||
@ -637,7 +595,7 @@ func TestValidateValidatingWebhookConfiguration(t *testing.T) {
|
||||
Port: 443,
|
||||
},
|
||||
},
|
||||
SideEffects: &unknownSideEffect,
|
||||
SideEffects: &noSideEffect,
|
||||
},
|
||||
}, true),
|
||||
expectedError: `clientConfig.service.path: Invalid value: "//": segment[0] may not be empty`,
|
||||
@ -775,28 +733,27 @@ func TestValidateValidatingWebhookConfiguration(t *testing.T) {
|
||||
{
|
||||
Name: "webhook.k8s.io",
|
||||
ClientConfig: validClientConfig,
|
||||
SideEffects: &unknownSideEffect,
|
||||
SideEffects: &noSideEffect,
|
||||
TimeoutSeconds: int32Ptr(1),
|
||||
},
|
||||
{
|
||||
Name: "webhook2.k8s.io",
|
||||
ClientConfig: validClientConfig,
|
||||
SideEffects: &unknownSideEffect,
|
||||
SideEffects: &noSideEffect,
|
||||
TimeoutSeconds: int32Ptr(15),
|
||||
},
|
||||
{
|
||||
Name: "webhook3.k8s.io",
|
||||
ClientConfig: validClientConfig,
|
||||
SideEffects: &unknownSideEffect,
|
||||
SideEffects: &noSideEffect,
|
||||
TimeoutSeconds: int32Ptr(30),
|
||||
},
|
||||
}, true),
|
||||
gv: schema.GroupVersion{Group: "admissionregistration.k8s.io", Version: "v1beta1"},
|
||||
},
|
||||
}
|
||||
for _, test := range tests {
|
||||
t.Run(test.name, func(t *testing.T) {
|
||||
errs := ValidateValidatingWebhookConfiguration(test.config, test.gv)
|
||||
errs := ValidateValidatingWebhookConfiguration(test.config)
|
||||
err := errs.ToAggregate()
|
||||
if err != nil {
|
||||
if e, a := test.expectedError, err.Error(); !strings.Contains(a, e) || e == "" {
|
||||
@ -821,7 +778,6 @@ func TestValidateValidatingWebhookConfigurationUpdate(t *testing.T) {
|
||||
name string
|
||||
oldconfig *admissionregistration.ValidatingWebhookConfiguration
|
||||
config *admissionregistration.ValidatingWebhookConfiguration
|
||||
gv schema.GroupVersion
|
||||
expectedError string
|
||||
}{
|
||||
{
|
||||
@ -903,7 +859,7 @@ func TestValidateValidatingWebhookConfigurationUpdate(t *testing.T) {
|
||||
expectedError: `Invalid value: []string{"invalid-v1"}`,
|
||||
},
|
||||
{
|
||||
name: "Webhooks must have unique names when not updated via v1beta1",
|
||||
name: "Webhooks must have unique names when old config has unique names",
|
||||
config: newValidatingWebhookConfiguration([]admissionregistration.ValidatingWebhook{
|
||||
{
|
||||
Name: "webhook.k8s.io",
|
||||
@ -923,7 +879,6 @@ func TestValidateValidatingWebhookConfigurationUpdate(t *testing.T) {
|
||||
SideEffects: &unknownSideEffect,
|
||||
},
|
||||
}, false),
|
||||
gv: schema.GroupVersion{Group: "foo", Version: "bar"},
|
||||
expectedError: `webhooks[1].name: Duplicate value: "webhook.k8s.io"`,
|
||||
},
|
||||
{
|
||||
@ -952,37 +907,12 @@ func TestValidateValidatingWebhookConfigurationUpdate(t *testing.T) {
|
||||
SideEffects: &unknownSideEffect,
|
||||
},
|
||||
}, true),
|
||||
gv: schema.GroupVersion{Group: "foo", Version: "bar"},
|
||||
expectedError: ``,
|
||||
},
|
||||
{
|
||||
name: "Webhooks can have duplicate names when updated via v1beta1",
|
||||
config: newValidatingWebhookConfiguration([]admissionregistration.ValidatingWebhook{
|
||||
{
|
||||
Name: "webhook.k8s.io",
|
||||
ClientConfig: validClientConfig,
|
||||
SideEffects: &unknownSideEffect,
|
||||
},
|
||||
{
|
||||
Name: "webhook.k8s.io",
|
||||
ClientConfig: validClientConfig,
|
||||
SideEffects: &unknownSideEffect,
|
||||
},
|
||||
}, true),
|
||||
oldconfig: newValidatingWebhookConfiguration([]admissionregistration.ValidatingWebhook{
|
||||
{
|
||||
Name: "webhook.k8s.io",
|
||||
ClientConfig: validClientConfig,
|
||||
SideEffects: &unknownSideEffect,
|
||||
},
|
||||
}, false),
|
||||
gv: schema.GroupVersion{Group: "admissionregistration.k8s.io", Version: "v1beta1"},
|
||||
expectedError: ``,
|
||||
},
|
||||
}
|
||||
for _, test := range tests {
|
||||
t.Run(test.name, func(t *testing.T) {
|
||||
errs := ValidateValidatingWebhookConfigurationUpdate(test.config, test.oldconfig, test.gv)
|
||||
errs := ValidateValidatingWebhookConfigurationUpdate(test.config, test.oldconfig)
|
||||
err := errs.ToAggregate()
|
||||
if err != nil {
|
||||
if e, a := test.expectedError, err.Error(); !strings.Contains(a, e) || e == "" {
|
||||
@ -1015,6 +945,7 @@ func newMutatingWebhookConfiguration(hooks []admissionregistration.MutatingWebho
|
||||
}
|
||||
|
||||
func TestValidateMutatingWebhookConfiguration(t *testing.T) {
|
||||
noSideEffect := admissionregistration.SideEffectClassNone
|
||||
unknownSideEffect := admissionregistration.SideEffectClassUnknown
|
||||
validClientConfig := admissionregistration.WebhookClientConfig{
|
||||
URL: strPtr("https://example.com"),
|
||||
@ -1022,7 +953,6 @@ func TestValidateMutatingWebhookConfiguration(t *testing.T) {
|
||||
tests := []struct {
|
||||
name string
|
||||
config *admissionregistration.MutatingWebhookConfiguration
|
||||
gv schema.GroupVersion
|
||||
expectedError string
|
||||
}{
|
||||
{
|
||||
@ -1052,11 +982,10 @@ func TestValidateMutatingWebhookConfiguration(t *testing.T) {
|
||||
{
|
||||
Name: "webhook.k8s.io",
|
||||
ClientConfig: validClientConfig,
|
||||
SideEffects: &unknownSideEffect,
|
||||
SideEffects: &noSideEffect,
|
||||
AdmissionReviewVersions: []string{"v1beta1"},
|
||||
},
|
||||
}, true),
|
||||
gv: schema.GroupVersion{Group: "admissionregistration.k8s.io", Version: "v1beta1"},
|
||||
expectedError: ``,
|
||||
},
|
||||
{
|
||||
@ -1065,11 +994,10 @@ func TestValidateMutatingWebhookConfiguration(t *testing.T) {
|
||||
{
|
||||
Name: "webhook.k8s.io",
|
||||
ClientConfig: validClientConfig,
|
||||
SideEffects: &unknownSideEffect,
|
||||
SideEffects: &noSideEffect,
|
||||
AdmissionReviewVersions: []string{"v1beta1", "invalid-version"},
|
||||
},
|
||||
}, true),
|
||||
gv: schema.GroupVersion{Group: "admissionregistration.k8s.io", Version: "v1beta1"},
|
||||
expectedError: ``,
|
||||
},
|
||||
{
|
||||
@ -1100,24 +1028,23 @@ func TestValidateMutatingWebhookConfiguration(t *testing.T) {
|
||||
{
|
||||
Name: "webhook.k8s.io",
|
||||
ClientConfig: validClientConfig,
|
||||
SideEffects: &unknownSideEffect,
|
||||
SideEffects: &noSideEffect,
|
||||
},
|
||||
{
|
||||
Name: "k8s.io",
|
||||
ClientConfig: validClientConfig,
|
||||
SideEffects: &unknownSideEffect,
|
||||
SideEffects: &noSideEffect,
|
||||
},
|
||||
{
|
||||
Name: "",
|
||||
ClientConfig: validClientConfig,
|
||||
SideEffects: &unknownSideEffect,
|
||||
SideEffects: &noSideEffect,
|
||||
},
|
||||
}, true),
|
||||
gv: schema.GroupVersion{Group: "admissionregistration.k8s.io", Version: "v1beta1"},
|
||||
expectedError: `webhooks[1].name: Invalid value: "k8s.io": should be a domain with at least three segments separated by dots, webhooks[2].name: Required value`,
|
||||
},
|
||||
{
|
||||
name: "Webhooks must have unique names when not created via v1beta1",
|
||||
name: "Webhooks must have unique names when created",
|
||||
config: newMutatingWebhookConfiguration([]admissionregistration.MutatingWebhook{
|
||||
{
|
||||
Name: "webhook.k8s.io",
|
||||
@ -1130,26 +1057,8 @@ func TestValidateMutatingWebhookConfiguration(t *testing.T) {
|
||||
SideEffects: &unknownSideEffect,
|
||||
},
|
||||
}, true),
|
||||
gv: schema.GroupVersion{Group: "foo", Version: "bar"},
|
||||
expectedError: `webhooks[1].name: Duplicate value: "webhook.k8s.io"`,
|
||||
},
|
||||
{
|
||||
name: "Webhooks can have duplicate names when created via v1beta1",
|
||||
config: newMutatingWebhookConfiguration([]admissionregistration.MutatingWebhook{
|
||||
{
|
||||
Name: "webhook.k8s.io",
|
||||
ClientConfig: validClientConfig,
|
||||
SideEffects: &unknownSideEffect,
|
||||
},
|
||||
{
|
||||
Name: "webhook.k8s.io",
|
||||
ClientConfig: validClientConfig,
|
||||
SideEffects: &unknownSideEffect,
|
||||
},
|
||||
}, true),
|
||||
gv: schema.GroupVersion{Group: "admissionregistration.k8s.io", Version: "v1beta1"},
|
||||
expectedError: ``,
|
||||
},
|
||||
{
|
||||
name: "Operations must not be empty or nil",
|
||||
config: newMutatingWebhookConfiguration([]admissionregistration.MutatingWebhook{
|
||||
@ -1240,7 +1149,7 @@ func TestValidateMutatingWebhookConfiguration(t *testing.T) {
|
||||
{
|
||||
Name: "webhook.k8s.io",
|
||||
ClientConfig: validClientConfig,
|
||||
SideEffects: &unknownSideEffect,
|
||||
SideEffects: &noSideEffect,
|
||||
Rules: []admissionregistration.RuleWithOperations{
|
||||
{
|
||||
Operations: []admissionregistration.OperationType{"CREATE"},
|
||||
@ -1253,7 +1162,6 @@ func TestValidateMutatingWebhookConfiguration(t *testing.T) {
|
||||
},
|
||||
},
|
||||
}, true),
|
||||
gv: schema.GroupVersion{Group: "admissionregistration.k8s.io", Version: "v1beta1"},
|
||||
},
|
||||
{
|
||||
name: `resource "*" cannot mix with resources that don't have subresources`,
|
||||
@ -1303,7 +1211,7 @@ func TestValidateMutatingWebhookConfiguration(t *testing.T) {
|
||||
{
|
||||
Name: "webhook.k8s.io",
|
||||
ClientConfig: validClientConfig,
|
||||
SideEffects: &unknownSideEffect,
|
||||
SideEffects: &noSideEffect,
|
||||
Rules: []admissionregistration.RuleWithOperations{
|
||||
{
|
||||
Operations: []admissionregistration.OperationType{"CREATE"},
|
||||
@ -1316,7 +1224,6 @@ func TestValidateMutatingWebhookConfiguration(t *testing.T) {
|
||||
},
|
||||
},
|
||||
}, true),
|
||||
gv: schema.GroupVersion{Group: "admissionregistration.k8s.io", Version: "v1beta1"},
|
||||
},
|
||||
{
|
||||
name: "resource */a cannot mix with x/a",
|
||||
@ -1398,7 +1305,7 @@ func TestValidateMutatingWebhookConfiguration(t *testing.T) {
|
||||
expectedError: `webhooks[0].sideEffects: Required value: must specify one of None, NoneOnDryRun`,
|
||||
},
|
||||
{
|
||||
name: "SideEffects can only be \"Unknown\", \"None\", \"Some\", or \"NoneOnDryRun\" via v1beta1",
|
||||
name: "SideEffects can only be \"None\" or \"NoneOnDryRun\" when created",
|
||||
config: newMutatingWebhookConfiguration([]admissionregistration.MutatingWebhook{
|
||||
{
|
||||
Name: "webhook.k8s.io",
|
||||
@ -1409,22 +1316,6 @@ func TestValidateMutatingWebhookConfiguration(t *testing.T) {
|
||||
}(),
|
||||
},
|
||||
}, true),
|
||||
gv: schema.GroupVersion{Group: "admissionregistration.k8s.io", Version: "v1beta1"},
|
||||
expectedError: `webhooks[0].sideEffects: Unsupported value: "other": supported values: "None", "NoneOnDryRun", "Some", "Unknown"`,
|
||||
},
|
||||
{
|
||||
name: "SideEffects can only be \"None\" or \"NoneOnDryRun\" via v1",
|
||||
config: newMutatingWebhookConfiguration([]admissionregistration.MutatingWebhook{
|
||||
{
|
||||
Name: "webhook.k8s.io",
|
||||
ClientConfig: validClientConfig,
|
||||
SideEffects: func() *admissionregistration.SideEffectClass {
|
||||
r := admissionregistration.SideEffectClass("other")
|
||||
return &r
|
||||
}(),
|
||||
},
|
||||
}, true),
|
||||
gv: schema.GroupVersion{Group: "admissionregistration.k8s.io", Version: "v1"},
|
||||
expectedError: `webhooks[0].sideEffects: Unsupported value: "other": supported values: "None", "NoneOnDryRun"`,
|
||||
},
|
||||
{
|
||||
@ -1568,10 +1459,9 @@ func TestValidateMutatingWebhookConfiguration(t *testing.T) {
|
||||
Port: 443,
|
||||
},
|
||||
},
|
||||
SideEffects: &unknownSideEffect,
|
||||
SideEffects: &noSideEffect,
|
||||
},
|
||||
}, true),
|
||||
gv: schema.GroupVersion{Group: "admissionregistration.k8s.io", Version: "v1beta1"},
|
||||
expectedError: ``,
|
||||
},
|
||||
{
|
||||
@ -1587,10 +1477,9 @@ func TestValidateMutatingWebhookConfiguration(t *testing.T) {
|
||||
Port: 443,
|
||||
},
|
||||
},
|
||||
SideEffects: &unknownSideEffect,
|
||||
SideEffects: &noSideEffect,
|
||||
},
|
||||
}, true),
|
||||
gv: schema.GroupVersion{Group: "admissionregistration.k8s.io", Version: "v1beta1"},
|
||||
expectedError: ``,
|
||||
},
|
||||
{
|
||||
@ -1606,7 +1495,7 @@ func TestValidateMutatingWebhookConfiguration(t *testing.T) {
|
||||
Port: 443,
|
||||
},
|
||||
},
|
||||
SideEffects: &unknownSideEffect,
|
||||
SideEffects: &noSideEffect,
|
||||
},
|
||||
}, true),
|
||||
expectedError: `clientConfig.service.path: Invalid value: "//": segment[0] may not be empty`,
|
||||
@ -1744,28 +1633,27 @@ func TestValidateMutatingWebhookConfiguration(t *testing.T) {
|
||||
{
|
||||
Name: "webhook.k8s.io",
|
||||
ClientConfig: validClientConfig,
|
||||
SideEffects: &unknownSideEffect,
|
||||
SideEffects: &noSideEffect,
|
||||
TimeoutSeconds: int32Ptr(1),
|
||||
},
|
||||
{
|
||||
Name: "webhook2.k8s.io",
|
||||
ClientConfig: validClientConfig,
|
||||
SideEffects: &unknownSideEffect,
|
||||
SideEffects: &noSideEffect,
|
||||
TimeoutSeconds: int32Ptr(15),
|
||||
},
|
||||
{
|
||||
Name: "webhook3.k8s.io",
|
||||
ClientConfig: validClientConfig,
|
||||
SideEffects: &unknownSideEffect,
|
||||
SideEffects: &noSideEffect,
|
||||
TimeoutSeconds: int32Ptr(30),
|
||||
},
|
||||
}, true),
|
||||
gv: schema.GroupVersion{Group: "admissionregistration.k8s.io", Version: "v1beta1"},
|
||||
},
|
||||
}
|
||||
for _, test := range tests {
|
||||
t.Run(test.name, func(t *testing.T) {
|
||||
errs := ValidateMutatingWebhookConfiguration(test.config, test.gv)
|
||||
errs := ValidateMutatingWebhookConfiguration(test.config)
|
||||
err := errs.ToAggregate()
|
||||
if err != nil {
|
||||
if e, a := test.expectedError, err.Error(); !strings.Contains(a, e) || e == "" {
|
||||
@ -1791,7 +1679,6 @@ func TestValidateMutatingWebhookConfigurationUpdate(t *testing.T) {
|
||||
name string
|
||||
oldconfig *admissionregistration.MutatingWebhookConfiguration
|
||||
config *admissionregistration.MutatingWebhookConfiguration
|
||||
gv schema.GroupVersion
|
||||
expectedError string
|
||||
}{
|
||||
{
|
||||
@ -1917,35 +1804,10 @@ func TestValidateMutatingWebhookConfigurationUpdate(t *testing.T) {
|
||||
SideEffects: &unknownSideEffect,
|
||||
},
|
||||
}, true),
|
||||
gv: schema.GroupVersion{Group: "foo", Version: "bar"},
|
||||
expectedError: ``,
|
||||
},
|
||||
{
|
||||
name: "Webhooks can have duplicate names when updated via v1beta1",
|
||||
config: newMutatingWebhookConfiguration([]admissionregistration.MutatingWebhook{
|
||||
{
|
||||
Name: "webhook.k8s.io",
|
||||
ClientConfig: validClientConfig,
|
||||
SideEffects: &unknownSideEffect,
|
||||
},
|
||||
{
|
||||
Name: "webhook.k8s.io",
|
||||
ClientConfig: validClientConfig,
|
||||
SideEffects: &unknownSideEffect,
|
||||
},
|
||||
}, true),
|
||||
oldconfig: newMutatingWebhookConfiguration([]admissionregistration.MutatingWebhook{
|
||||
{
|
||||
Name: "webhook.k8s.io",
|
||||
ClientConfig: validClientConfig,
|
||||
SideEffects: &unknownSideEffect,
|
||||
},
|
||||
}, false),
|
||||
gv: schema.GroupVersion{Group: "admissionregistration.k8s.io", Version: "v1beta1"},
|
||||
expectedError: ``,
|
||||
},
|
||||
{
|
||||
name: "Webhooks can't have side effects when old config has no side effects via v1",
|
||||
name: "Webhooks can't have side effects when old config has no side effects",
|
||||
config: newMutatingWebhookConfiguration([]admissionregistration.MutatingWebhook{
|
||||
{
|
||||
Name: "webhook.k8s.io",
|
||||
@ -1960,7 +1822,6 @@ func TestValidateMutatingWebhookConfigurationUpdate(t *testing.T) {
|
||||
SideEffects: &noSideEffect,
|
||||
},
|
||||
}, true),
|
||||
gv: schema.GroupVersion{Group: "admissionregistration.k8s.io", Version: "v1"},
|
||||
expectedError: `Unsupported value: "Unknown": supported values: "None", "NoneOnDryRun"`,
|
||||
},
|
||||
{
|
||||
@ -1979,32 +1840,12 @@ func TestValidateMutatingWebhookConfigurationUpdate(t *testing.T) {
|
||||
SideEffects: &unknownSideEffect,
|
||||
},
|
||||
}, true),
|
||||
gv: schema.GroupVersion{Group: "foo", Version: "bar"},
|
||||
expectedError: ``,
|
||||
},
|
||||
{
|
||||
name: "Webhooks can have side effects when updated via v1beta1",
|
||||
config: newMutatingWebhookConfiguration([]admissionregistration.MutatingWebhook{
|
||||
{
|
||||
Name: "webhook.k8s.io",
|
||||
ClientConfig: validClientConfig,
|
||||
SideEffects: &unknownSideEffect,
|
||||
},
|
||||
}, true),
|
||||
oldconfig: newMutatingWebhookConfiguration([]admissionregistration.MutatingWebhook{
|
||||
{
|
||||
Name: "webhook.k8s.io",
|
||||
ClientConfig: validClientConfig,
|
||||
SideEffects: &noSideEffect,
|
||||
},
|
||||
}, false),
|
||||
gv: schema.GroupVersion{Group: "admissionregistration.k8s.io", Version: "v1beta1"},
|
||||
expectedError: ``,
|
||||
},
|
||||
}
|
||||
for _, test := range tests {
|
||||
t.Run(test.name, func(t *testing.T) {
|
||||
errs := ValidateMutatingWebhookConfigurationUpdate(test.config, test.oldconfig, test.gv)
|
||||
errs := ValidateMutatingWebhookConfigurationUpdate(test.config, test.oldconfig)
|
||||
err := errs.ToAggregate()
|
||||
if err != nil {
|
||||
if e, a := test.expectedError, err.Error(); !strings.Contains(a, e) || e == "" {
|
||||
|
@ -21,9 +21,7 @@ import (
|
||||
"reflect"
|
||||
|
||||
"k8s.io/apimachinery/pkg/runtime"
|
||||
"k8s.io/apimachinery/pkg/runtime/schema"
|
||||
"k8s.io/apimachinery/pkg/util/validation/field"
|
||||
genericapirequest "k8s.io/apiserver/pkg/endpoints/request"
|
||||
"k8s.io/apiserver/pkg/storage/names"
|
||||
"k8s.io/kubernetes/pkg/api/legacyscheme"
|
||||
"k8s.io/kubernetes/pkg/apis/admissionregistration"
|
||||
@ -70,13 +68,8 @@ func (mutatingWebhookConfigurationStrategy) PrepareForUpdate(ctx context.Context
|
||||
|
||||
// Validate validates a new mutatingWebhookConfiguration.
|
||||
func (mutatingWebhookConfigurationStrategy) Validate(ctx context.Context, obj runtime.Object) field.ErrorList {
|
||||
var groupVersion schema.GroupVersion
|
||||
if requestInfo, found := genericapirequest.RequestInfoFrom(ctx); found {
|
||||
groupVersion = schema.GroupVersion{Group: requestInfo.APIGroup, Version: requestInfo.APIVersion}
|
||||
}
|
||||
|
||||
ic := obj.(*admissionregistration.MutatingWebhookConfiguration)
|
||||
return validation.ValidateMutatingWebhookConfiguration(ic, groupVersion)
|
||||
return validation.ValidateMutatingWebhookConfiguration(ic)
|
||||
}
|
||||
|
||||
// Canonicalize normalizes the object after validation.
|
||||
@ -90,12 +83,7 @@ func (mutatingWebhookConfigurationStrategy) AllowCreateOnUpdate() bool {
|
||||
|
||||
// ValidateUpdate is the default update validation for an end user.
|
||||
func (mutatingWebhookConfigurationStrategy) ValidateUpdate(ctx context.Context, obj, old runtime.Object) field.ErrorList {
|
||||
var groupVersion schema.GroupVersion
|
||||
if requestInfo, found := genericapirequest.RequestInfoFrom(ctx); found {
|
||||
groupVersion = schema.GroupVersion{Group: requestInfo.APIGroup, Version: requestInfo.APIVersion}
|
||||
}
|
||||
|
||||
return validation.ValidateMutatingWebhookConfigurationUpdate(obj.(*admissionregistration.MutatingWebhookConfiguration), old.(*admissionregistration.MutatingWebhookConfiguration), groupVersion)
|
||||
return validation.ValidateMutatingWebhookConfigurationUpdate(obj.(*admissionregistration.MutatingWebhookConfiguration), old.(*admissionregistration.MutatingWebhookConfiguration))
|
||||
}
|
||||
|
||||
// WarningsOnUpdate returns warnings for the given update.
|
||||
|
@ -21,9 +21,7 @@ import (
|
||||
"reflect"
|
||||
|
||||
"k8s.io/apimachinery/pkg/runtime"
|
||||
"k8s.io/apimachinery/pkg/runtime/schema"
|
||||
"k8s.io/apimachinery/pkg/util/validation/field"
|
||||
genericapirequest "k8s.io/apiserver/pkg/endpoints/request"
|
||||
"k8s.io/apiserver/pkg/storage/names"
|
||||
"k8s.io/kubernetes/pkg/api/legacyscheme"
|
||||
"k8s.io/kubernetes/pkg/apis/admissionregistration"
|
||||
@ -65,12 +63,7 @@ func (validatingWebhookConfigurationStrategy) PrepareForUpdate(ctx context.Conte
|
||||
|
||||
// Validate validates a new validatingWebhookConfiguration.
|
||||
func (validatingWebhookConfigurationStrategy) Validate(ctx context.Context, obj runtime.Object) field.ErrorList {
|
||||
var groupVersion schema.GroupVersion
|
||||
if requestInfo, found := genericapirequest.RequestInfoFrom(ctx); found {
|
||||
groupVersion = schema.GroupVersion{Group: requestInfo.APIGroup, Version: requestInfo.APIVersion}
|
||||
}
|
||||
|
||||
return validation.ValidateValidatingWebhookConfiguration(obj.(*admissionregistration.ValidatingWebhookConfiguration), groupVersion)
|
||||
return validation.ValidateValidatingWebhookConfiguration(obj.(*admissionregistration.ValidatingWebhookConfiguration))
|
||||
}
|
||||
|
||||
// WarningsOnCreate returns warnings for the creation of the given object.
|
||||
@ -89,12 +82,7 @@ func (validatingWebhookConfigurationStrategy) AllowCreateOnUpdate() bool {
|
||||
|
||||
// ValidateUpdate is the default update validation for an end user.
|
||||
func (validatingWebhookConfigurationStrategy) ValidateUpdate(ctx context.Context, obj, old runtime.Object) field.ErrorList {
|
||||
var groupVersion schema.GroupVersion
|
||||
if requestInfo, found := genericapirequest.RequestInfoFrom(ctx); found {
|
||||
groupVersion = schema.GroupVersion{Group: requestInfo.APIGroup, Version: requestInfo.APIVersion}
|
||||
}
|
||||
|
||||
return validation.ValidateValidatingWebhookConfigurationUpdate(obj.(*admissionregistration.ValidatingWebhookConfiguration), old.(*admissionregistration.ValidatingWebhookConfiguration), groupVersion)
|
||||
return validation.ValidateValidatingWebhookConfigurationUpdate(obj.(*admissionregistration.ValidatingWebhookConfiguration), old.(*admissionregistration.ValidatingWebhookConfiguration))
|
||||
}
|
||||
|
||||
// WarningsOnUpdate returns warnings for the given update.
|
||||
|
Loading…
Reference in New Issue
Block a user