Merge pull request #128013 from seans3/admission-configuration-strict

AdmissionConfiguration now uses strict validation
2025-08-01 07:47:56 +00:00 · 2024-10-28 22:18:54 +00:00 · 2024-10-28 22:18:54 +00:00 · eb5c8965be
commit eb5c8965be
parent 8aae9aabf3 ae20937ea6
2 changed files with 33 additions and 5 deletions
--- a/staging/src/k8s.io/apiserver/pkg/admission/config.go
+++ b/staging/src/k8s.io/apiserver/pkg/admission/config.go
@ -63,7 +63,7 @@ func ReadAdmissionConfiguration(pluginNames []string, configFilePath string, con
 	if err != nil {
 		return nil, fmt.Errorf("unable to read admission control configuration from %q [%v]", configFilePath, err)
 	}
-	codecs := serializer.NewCodecFactory(configScheme)
+	codecs := serializer.NewCodecFactory(configScheme, serializer.EnableStrict)
 	decoder := codecs.UniversalDecoder()
 	decodedObj, err := runtime.Decode(decoder, data)
 	// we were able to decode the file successfully
--- a/staging/src/k8s.io/apiserver/pkg/admission/config_test.go
+++ b/staging/src/k8s.io/apiserver/pkg/admission/config_test.go
@ -22,6 +22,7 @@ import (
 	"reflect"
 	"testing"

+	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"

 	"k8s.io/apimachinery/pkg/runtime"
@ -52,7 +53,28 @@ func TestReadAdmissionConfiguration(t *testing.T) {
 		ConfigBody              string
 		ExpectedAdmissionConfig *apiserver.AdmissionConfiguration
 		PluginNames             []string
+		ExpectedError           string
 	}{
+		"duplicate field configuration error": {
+			ConfigBody: `{
+"apiVersion": "apiserver.k8s.io/v1alpha1",
+"kind": "AdmissionConfiguration",
+"plugins": [
+  {"name": "ImagePolicyWebhook-duplicate", "name": "ImagePolicyWebhook", "path": "image-policy-webhook.json"},
+  {"name": "ResourceQuota"}
+]}`,
+			ExpectedError: "strict decoding error: duplicate field",
+		},
+		"unknown field configuration error": {
+			ConfigBody: `{
+"apiVersion": "apiserver.k8s.io/v1alpha1",
+"kind": "AdmissionConfiguration",
+"plugins": [
+  {"foo": "bar", "name": "ImagePolicyWebhook", "path": "image-policy-webhook.json"},
+  {"name": "ResourceQuota"}
+]}`,
+			ExpectedError: "strict decoding error: unknown field",
+		},
 		"v1alpha1 configuration - path fixup": {
 			ConfigBody: `{
 "apiVersion": "apiserver.k8s.io/v1alpha1",
@ -192,12 +214,18 @@ func TestReadAdmissionConfiguration(t *testing.T) {
 			t.Fatalf("unexpected err writing temp file: %v", err)
 		}
 		config, err := ReadAdmissionConfiguration(testCase.PluginNames, configFileName, scheme)
-		if err != nil {
+		if testCase.ExpectedError != "" {
+			if err != nil {
+				assert.Contains(t, err.Error(), testCase.ExpectedError)
+			} else {
+				t.Fatalf("expected error %q but received none", testCase.ExpectedError)
+			}
+		} else if err != nil {
 			t.Fatalf("unexpected err: %v", err)
+		} else if !reflect.DeepEqual(config.(configProvider).config, testCase.ExpectedAdmissionConfig) {
+			t.Fatalf("%s: Expected:\n\t%#v\nGot:\n\t%#v", testName, testCase.ExpectedAdmissionConfig, config.(configProvider).config)
 		}
-		if !reflect.DeepEqual(config.(configProvider).config, testCase.ExpectedAdmissionConfig) {
-			t.Errorf("%s: Expected:\n\t%#v\nGot:\n\t%#v", testName, testCase.ExpectedAdmissionConfig, config.(configProvider).config)
-		}
+
 	}
 }