Merge pull request #128013 from seans3/admission-configuration-strict

AdmissionConfiguration now uses strict validation
2025-08-02 16:29:21 +00:00 · 2024-10-28 22:18:54 +00:00 · 2024-10-28 22:18:54 +00:00 · eb5c8965be
commit eb5c8965be
parent 8aae9aabf3 ae20937ea6
2 changed files with 33 additions and 5 deletions
--- a/staging/src/k8s.io/apiserver/pkg/admission/config.go
+++ b/staging/src/k8s.io/apiserver/pkg/admission/config.go
@ -63,7 +63,7 @@ func ReadAdmissionConfiguration(pluginNames []string, configFilePath string, con
 	if err != nil {
 		return nil, fmt.Errorf("unable to read admission control configuration from %q [%v]", configFilePath, err)
 	}
-	codecs := serializer.NewCodecFactory(configScheme)
+	codecs := serializer.NewCodecFactory(configScheme, serializer.EnableStrict)
 	decoder := codecs.UniversalDecoder()
 	decodedObj, err := runtime.Decode(decoder, data)
 	// we were able to decode the file successfully
--- a/staging/src/k8s.io/apiserver/pkg/admission/config_test.go
+++ b/staging/src/k8s.io/apiserver/pkg/admission/config_test.go
@ -22,6 +22,7 @@ import (
 	"reflect"
 	"testing"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"k8s.io/apimachinery/pkg/runtime"
@ -52,7 +53,28 @@ func TestReadAdmissionConfiguration(t *testing.T) {
 		ConfigBody              string
 		ExpectedAdmissionConfig *apiserver.AdmissionConfiguration
 		PluginNames             []string
 		ExpectedError           string
 	}{
 		"duplicate field configuration error": {
 			ConfigBody: `{
 "apiVersion": "apiserver.k8s.io/v1alpha1",
 "kind": "AdmissionConfiguration",
 "plugins": [
  {"name": "ImagePolicyWebhook-duplicate", "name": "ImagePolicyWebhook", "path": "image-policy-webhook.json"},
  {"name": "ResourceQuota"}
 ]}`,
 			ExpectedError: "strict decoding error: duplicate field",
 		},
 		"unknown field configuration error": {
 			ConfigBody: `{
 "apiVersion": "apiserver.k8s.io/v1alpha1",
 "kind": "AdmissionConfiguration",
 "plugins": [
  {"foo": "bar", "name": "ImagePolicyWebhook", "path": "image-policy-webhook.json"},
  {"name": "ResourceQuota"}
 ]}`,
 			ExpectedError: "strict decoding error: unknown field",
 		},
 		"v1alpha1 configuration - path fixup": {
 			ConfigBody: `{
 "apiVersion": "apiserver.k8s.io/v1alpha1",
@ -192,12 +214,18 @@ func TestReadAdmissionConfiguration(t *testing.T) {
 			t.Fatalf("unexpected err writing temp file: %v", err)
 		}
 		config, err := ReadAdmissionConfiguration(testCase.PluginNames, configFileName, scheme)
-		if err != nil {
+		if testCase.ExpectedError != "" {
 			if err != nil {
 				assert.Contains(t, err.Error(), testCase.ExpectedError)
 			} else {
 				t.Fatalf("expected error %q but received none", testCase.ExpectedError)
 			}
 		} else if err != nil {
 			t.Fatalf("unexpected err: %v", err)
 		} else if !reflect.DeepEqual(config.(configProvider).config, testCase.ExpectedAdmissionConfig) {
 			t.Fatalf("%s: Expected:\n\t%#v\nGot:\n\t%#v", testName, testCase.ExpectedAdmissionConfig, config.(configProvider).config)
 		}
-		if !reflect.DeepEqual(config.(configProvider).config, testCase.ExpectedAdmissionConfig) {
+
 			t.Errorf("%s: Expected:\n\t%#v\nGot:\n\t%#v", testName, testCase.ExpectedAdmissionConfig, config.(configProvider).config)
 		}
 	}
 }