From 2dc1a3ae19bab8cf6dc9b6c1c93967b7038c4797 Mon Sep 17 00:00:00 2001
From: rahulii
Date: Wed, 19 Jan 2022 23:03:21 +0530
Subject: [PATCH] Protect all labels and annotations on propagated objects

Before this change, only non-HNC labels/annotations were protected by the webhook. This change extends that protection to _all_ labels and annotations. Tested: new unit tests fail without this fix and pass with it
Signed-off-by: rahulii
---
 internal/objects/validator.go | 6 ++++
 internal/objects/validator_test.go | 54 ++++++++++++++++++++++++++++++
 2 files changed, 60 insertions(+)
diff --git a/internal/objects/validator.go b/internal/objects/validator.go
index 35ab4d79f..7a624cb27 100644
--- a/internal/objects/validator.go
+++ b/internal/objects/validator.go
@@ -281,6 +281,12 @@ func (v *Validator) handleInherited(ctx context.Context, op k8sadm.Operation, ne
 "Cannot modify object propagated from namespace \""+oldSource+"\"")
 }
 
+ // Check for all the labels and annotations (including HNC and non HNC)
+ if !reflect.DeepEqual(oldInst.GetLabels(), inst.GetLabels()) || !reflect.DeepEqual(oldInst.GetAnnotations(), inst.GetAnnotations()) {
+ return webhooks.Deny(metav1.StatusReasonForbidden,
+ "Cannot modify object propagated from namespace \""+oldSource+"\"")
+ }
+
 return webhooks.Allow("no illegal updates to propagated object")
 }
 
diff --git a/internal/objects/validator_test.go b/internal/objects/validator_test.go
index bb0754d39..de0cbbac7 100644
--- a/internal/objects/validator_test.go
+++ b/internal/objects/validator_test.go
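Review bot: The new reflect.DeepEqual check can deny an update that changes nothing: as far as I recall, GetLabels()/GetAnnotations() on an Unstructured return a nil map when `metadata.labels`/`metadata.annotations` is absent but a non-nil empty map when the key is present and empty, and DeepEqual treats nil and empty as different, so a client that writes `annotations: {}` onto a propagated object that had no annotations gets a Forbidden although no key or value changed. Comparing through a small helper that treats nil and empty alike keeps every real change denied while avoiding the spurious rejection. With this check in place the earlier non-HNC-only comparison, whose Deny is the hunk's first context line, looks subsumed and could be folded into this one; handleInherited starts above the hunk so I cannot confirm that from here. The comment on the new block would also be clearer if it said why both families are covered, e.g. `// Any label or annotation change on a propagated object is forbidden, whether the key is HNC-managed or user-defined: the source object is the only place to edit them.`
```go
	// Any label or annotation change on a propagated object is forbidden,
	// whether the key is HNC-managed or user-defined. nil and empty maps are
	// treated as equal so a no-op rewrite of metadata is not rejected.
	if !stringMapsEqual(oldInst.GetLabels(), inst.GetLabels()) ||
		!stringMapsEqual(oldInst.GetAnnotations(), inst.GetAnnotations()) {
		return webhooks.Deny(metav1.StatusReasonForbidden,
			"Cannot modify object propagated from namespace \""+oldSource+"\"")
	}
	// … unchanged: Allow and the rest of handleInherited …

// stringMapsEqual reports whether a and b hold the same entries; a nil map
// and an empty map compare equal.
func stringMapsEqual(a, b map[string]string) bool {
	if len(a) != len(b) {
		return false
	}
	for k, av := range a {
		if bv, ok := b[k]; !ok || bv != av {
			return false
		}
	}
	return true
}
```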
@@ -210,6 +210,60 @@ func TestUserChanges(t *testing.T) {
 },
 },
 },
+ }, {
+ name: "Deny changes to HNC annotations in propagated objects",
+ fail: true,
+ oldInst: &unstructured.Unstructured{
+ Object: map[string]interface{}{
+ "apiVersion": "v1",
+ "kind": "Pod",
+ "metadata": map[string]interface{}{
+ "labels": map[string]interface{}{
+ api.LabelInheritedFrom: "foo",
+ },
+ },
+ },
+ },
+ inst: &unstructured.Unstructured{
+ Object: map[string]interface{}{
+ "apiVersion": "v1",
+ "kind": "Pod",
+ "metadata": map[string]interface{}{
+ "labels": map[string]interface{}{
+ api.LabelInheritedFrom: "foo",
+ },
+ "annotations": map[string]interface{}{
+ api.AnnotationPropagatePrefix + "/select": "abc",
+ },
+ },
+ },
+ },
+ }, {
+ name: "Deny changes to HNC labels in propagated objects",
+ fail: true,
+ oldInst: &unstructured.Unstructured{
+ Object: map[string]interface{}{
+ "apiVersion": "v1",
+ "kind": "Pod",
+ "metadata": map[string]interface{}{
+ "labels": map[string]interface{}{
+ api.LabelInheritedFrom: "foo",
+ },
+ },
+ },
+ },
+ inst: &unstructured.Unstructured{
+ Object: map[string]interface{}{
+ "apiVersion": "v1",
+ "kind": "Pod",
+ "metadata": map[string]interface{}{
+ "labels": map[string]interface{}{
+ api.LabelInheritedFrom: "foo",
+ api.MetaGroup + "/foo": "foo",
+ },
+ },
+ },
+ },
 }, {
 name: "Deny spec changes to propagated objects",
 fail: true,
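Review bot: Both new cases only add a key to an object that had none of that kind (an HNC annotation under `api.AnnotationPropagatePrefix`, an HNC label under `api.MetaGroup`); neither changes the value of an existing HNC-managed key nor removes one, which the new check in validator.go also governs and which the commit message describes as previously unprotected. A third case whose inst carries `api.LabelInheritedFrom: "bar"` against an oldInst with `"foo"`, or whose oldInst has the `/select` annotation and inst does not, would pin that, unless the cases above the hunk already cover it — TestUserChanges starts outside the hunk. A positive case with identical labels and annotations on both sides would also document that a no-op update stays allowed, and one where oldInst lacks `annotations` while inst carries an empty `"annotations": map[string]interface{}{}` would make the intended nil-versus-empty treatment explicit; with reflect.DeepEqual that last case is denied, as far as I can tell.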