Skip to content

Commit

Permalink
fix: only validate gk res (#3158)
Browse files Browse the repository at this point in the history
Signed-off-by: Alex Pana <8968914+acpana@users.noreply.github.com>
  • Loading branch information
acpana authored Nov 15, 2023
1 parent 2055dcc commit 39b5c4a
Show file tree
Hide file tree
Showing 3 changed files with 29 additions and 0 deletions.
2 changes: 2 additions & 0 deletions pkg/webhook/common.go
Original file line number Diff line number Diff line change
Expand Up @@ -99,6 +99,8 @@ func (h *webhookHandler) isGatekeeperResource(req *admission.Request) bool {
req.AdmissionRequest.Kind.Group == "constraints.gatekeeper.sh" ||
req.AdmissionRequest.Kind.Group == mutationsGroup ||
req.AdmissionRequest.Kind.Group == "config.gatekeeper.sh" ||
req.AdmissionRequest.Kind.Group == externalDataGroup ||
req.AdmissionRequest.Kind.Group == "expansion.gatekeeper.sh" ||
req.AdmissionRequest.Kind.Group == "status.gatekeeper.sh" {
return true
}
Expand Down
4 changes: 4 additions & 0 deletions pkg/webhook/policy.go
Original file line number Diff line number Diff line change
Expand Up @@ -336,6 +336,10 @@ func (h *validationHandler) getValidationMessages(res []*rtypes.Result, req *adm
// validateGatekeeperResources returns whether an issue is user error (vs internal) and any errors
// validating internal resources.
func (h *validationHandler) validateGatekeeperResources(ctx context.Context, req *admission.Request) (bool, error) {
if !h.isGatekeeperResource(req) {
return false, nil
}

if req.Operation == admissionv1.Delete && req.Name == "" {
// Allow the general DELETE of resources like "/apis/config.gatekeeper.sh/v1alpha1/namespaces/<ns>/configs"
return true, nil
Expand Down
23 changes: 23 additions & 0 deletions pkg/webhook/policy_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -16,6 +16,7 @@ import (
configv1alpha1 "github.com/open-policy-agent/gatekeeper/v3/apis/config/v1alpha1"
"github.com/open-policy-agent/gatekeeper/v3/pkg/controller/config/process"
"github.com/open-policy-agent/gatekeeper/v3/pkg/expansion"
"github.com/open-policy-agent/gatekeeper/v3/pkg/fakes"
"github.com/open-policy-agent/gatekeeper/v3/pkg/mutation"
"github.com/open-policy-agent/gatekeeper/v3/pkg/target"
"github.com/open-policy-agent/gatekeeper/v3/pkg/wildcard"
Expand Down Expand Up @@ -126,6 +127,7 @@ spec:
- apiGroups: [""]
kinds: ["Pod"]
`
nameLargerThan63 = "abignameabignameabignameabignameabignameabignameabignameabigname"
)

func validProvider() *externadatav1alpha1.Provider {
Expand Down Expand Up @@ -522,6 +524,27 @@ func Test_ConstrainTemplate_Name(t *testing.T) {
require.ErrorContains(t, err, "resource cannot have metadata.name larger than 63 char")
}

func Test_NonGkResource_Name(t *testing.T) {
h := &validationHandler{log: log}
fp := fakes.Pod(fakes.WithName(nameLargerThan63))

b, err := convertToRawExtension(fp)
require.NoError(t, err)

review := &admission.Request{
AdmissionRequest: admissionv1.AdmissionRequest{
Kind: metav1.GroupVersionKind(fp.GroupVersionKind()),
Object: *b,
Name: fp.Name,
},
}

// since this is not a gatekeeper resource, we should not enforce the metadata.name len check
got, err := h.validateGatekeeperResources(context.Background(), review)
require.False(t, got)
require.NoError(t, err)
}

func TestTracing(t *testing.T) {
tc := []struct {
Name string
Expand Down

0 comments on commit 39b5c4a

Please sign in to comment.