
Upgrade AdmissionReview e2e test image to also support v1

jpbetz committed Aug 11, 2019
1 parent f4e39af commit 6b2f98b1eb70df42d6f7697a541918e9ddb69b14
@@ -9,7 +9,12 @@ go_library(
name = "go_default_library",
srcs = ["fuzzer.go"],
importpath = "k8s.io/kubernetes/pkg/apis/admission/fuzzer",
deps = ["//staging/src/k8s.io/apimachinery/pkg/runtime/serializer:go_default_library"],
deps = [
"//staging/src/k8s.io/api/core/v1:go_default_library",
"//staging/src/k8s.io/apimachinery/pkg/runtime:go_default_library",
"//staging/src/k8s.io/apimachinery/pkg/runtime/serializer:go_default_library",
"//vendor/github.com/google/gofuzz:go_default_library",
],
)

filegroup(
@@ -17,10 +17,20 @@ limitations under the License.
package fuzzer

import (
fuzz "github.com/google/gofuzz"

"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
"k8s.io/apimachinery/pkg/runtime"
runtimeserializer "k8s.io/apimachinery/pkg/runtime/serializer"
)

// Funcs returns the fuzzer functions for the admission api group.
var Funcs = func(codecs runtimeserializer.CodecFactory) []interface{} {
return []interface{}{}
return []interface{}{
func(s *runtime.RawExtension, c fuzz.Continue) {
u := unstructured.Unstructured{}
c.Fuzz(u)
s.Object = u
},
}
}
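Review bot: In the new `RawExtension` fuzz function, `c.Fuzz(u)` receives `u` by value, but gofuzz fills objects through a pointer and, as far as I recall, rejects a non-pointer argument at run time, so this call cannot populate `u`. As rendered, `u` is also a plain `unstructured.Unstructured` value, and the `runtime.Object` methods are, I believe, defined on `*Unstructured`, so `s.Object = u` needs the pointer form as well. I would write `u := &unstructured.Unstructured{}` followed by `c.Fuzz(u)`, or give `u` a small fixed `Object` map so round-trip tests get content that always serializes. The BUILD deps added for this package do not list the `unstructured` package that the new import pulls in, which is worth checking alongside.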
@@ -1 +1 @@
2.4
2.5
Binary file not shown.
@@ -17,6 +17,7 @@ limitations under the License.
package crdconvwebhook

import (
"fmt"
"net/http"

"github.com/spf13/cobra"
@@ -27,6 +28,7 @@ import (
var (
certFile string
keyFile string
port int
)

// CmdCrdConversionWebhook is used by agnhost Cobra.
@@ -48,6 +50,8 @@ func init() {
"after server cert.")
CmdCrdConversionWebhook.Flags().StringVar(&keyFile, "tls-private-key-file", "",
"File containing the default x509 private key matching --tls-cert-file.")
CmdCrdConversionWebhook.Flags().IntVar(&port, "port", 443,
"Secure port that the webhook listens on")
}

// Config contains the server (the webhook) cert and key.
@@ -62,8 +66,11 @@ func main(cmd *cobra.Command, args []string) {
http.HandleFunc("/crdconvert", converter.ServeExampleConvert)
clientset := getClient()
server := &http.Server{
Addr: ":443",
Addr: fmt.Sprintf(":%d", port),
TLSConfig: configTLS(config, clientset),
}
server.ListenAndServeTLS("", "")
err := server.ListenAndServeTLS("", "")
if err != nil {
panic(err)
}
}
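Review bot: The new `--port` value is formatted straight into `Addr` with no range check, so an out-of-range or already-bound port is only reported by the bare `panic(err)` after `ListenAndServeTLS`, which prints a goroutine dump without naming the address. `ListenAndServeTLS` only returns with a non-nil error, so the `if err != nil` guard is always taken once the call returns. I would add context to the failure, for example `panic(fmt.Errorf("webhook server on %s: %v", server.Addr, err))`, and state the accepted range in the flag help text. The body of `main` begins outside this hunk.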
@@ -8,6 +8,7 @@ go_library(
"alwaysdeny.go",
"config.go",
"configmap.go",
"convert.go",
"crd.go",
"customresource.go",
"main.go",
@@ -17,7 +18,9 @@ go_library(
importpath = "k8s.io/kubernetes/test/images/agnhost/webhook",
visibility = ["//visibility:public"],
deps = [
"//staging/src/k8s.io/api/admission/v1:go_default_library",
"//staging/src/k8s.io/api/admission/v1beta1:go_default_library",
"//staging/src/k8s.io/api/admissionregistration/v1:go_default_library",
"//staging/src/k8s.io/api/admissionregistration/v1beta1:go_default_library",
"//staging/src/k8s.io/api/core/v1:go_default_library",
"//staging/src/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1:go_default_library",
@@ -48,15 +51,22 @@ go_test(
name = "go_default_test",
srcs = [
"addlabel_test.go",
"convert_test.go",
"patch_test.go",
],
embed = [":go_default_library"],
deps = [
"//pkg/apis/admission/fuzzer:go_default_library",
"//staging/src/k8s.io/api/admission/v1:go_default_library",
"//staging/src/k8s.io/api/admission/v1beta1:go_default_library",
"//staging/src/k8s.io/api/core/v1:go_default_library",
"//staging/src/k8s.io/apimachinery/pkg/api/apitesting/fuzzer:go_default_library",
"//staging/src/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
"//staging/src/k8s.io/apimachinery/pkg/apis/meta/v1/unstructured:go_default_library",
"//staging/src/k8s.io/apimachinery/pkg/runtime:go_default_library",
"//staging/src/k8s.io/apimachinery/pkg/runtime/serializer:go_default_library",
"//staging/src/k8s.io/apimachinery/pkg/util/diff:go_default_library",
"//vendor/github.com/evanphx/json-patch:go_default_library",
"//vendor/github.com/google/gofuzz:go_default_library",
],
)
@@ -19,7 +19,7 @@ package webhook
import (
"encoding/json"

"k8s.io/api/admission/v1beta1"
"k8s.io/api/admission/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/klog"
)
@@ -37,7 +37,7 @@ const (
)

// Add a label {"added-label": "yes"} to the object
func addLabel(ar v1beta1.AdmissionReview) *v1beta1.AdmissionResponse {
func addLabel(ar v1.AdmissionReview) *v1.AdmissionResponse {
klog.V(2).Info("calling add-label")
obj := struct {
metav1.ObjectMeta `json:"metadata,omitempty"`
@@ -46,13 +46,13 @@ func addLabel(ar v1beta1.AdmissionReview) *v1beta1.AdmissionResponse {
err := json.Unmarshal(raw, &obj)
if err != nil {
klog.Error(err)
return toAdmissionResponse(err)
return toV1AdmissionResponse(err)
}

reviewResponse := v1beta1.AdmissionResponse{}
reviewResponse := v1.AdmissionResponse{}
reviewResponse.Allowed = true

pt := v1beta1.PatchTypeJSONPatch
pt := v1.PatchTypeJSONPatch
labelValue, hasLabel := obj.ObjectMeta.Labels["added-label"]
switch {
case len(obj.ObjectMeta.Labels) == 0:
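Review bot: The import `"k8s.io/api/admission/v1"` is unaliased in this file, while `configmap.go` and the new `convert.go` import the same package as `v1 "k8s.io/api/admission/v1"`. The `core/v1` and `meta/v1` packages are aliased `corev1` and `metav1` here, so an explicit alias on the admission package keeps the bare `v1.` references unambiguous; I would use `v1 "k8s.io/api/admission/v1"` or a more specific alias in every file. The same applies to `addlabel_test.go` and to the files defining `alwaysAllowDelayFiveSeconds` and `alwaysDeny`. The body of `addLabel` continues past the end of this hunk.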
@@ -22,7 +22,7 @@ import (
"testing"

jsonpatch "github.com/evanphx/json-patch"
"k8s.io/api/admission/v1beta1"
"k8s.io/api/admission/v1"
corev1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/runtime"
@@ -58,7 +58,7 @@ func TestAddLabel(t *testing.T) {
if err != nil {
t.Fatal(err)
}
review := v1beta1.AdmissionReview{Request: &v1beta1.AdmissionRequest{Object: runtime.RawExtension{Raw: raw}}}
review := v1.AdmissionReview{Request: &v1.AdmissionRequest{Object: runtime.RawExtension{Raw: raw}}}
response := addLabel(review)
if response.Patch != nil {
patchObj, err := jsonpatch.DecodePatch([]byte(response.Patch))
@@ -19,17 +19,17 @@ package webhook
import (
"time"

"k8s.io/api/admission/v1beta1"
"k8s.io/api/admission/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/klog"
)

// alwaysAllowDelayFiveSeconds sleeps for five seconds and allows all requests made to this function.
func alwaysAllowDelayFiveSeconds(ar v1beta1.AdmissionReview) *v1beta1.AdmissionResponse {
func alwaysAllowDelayFiveSeconds(ar v1.AdmissionReview) *v1.AdmissionResponse {
klog.V(2).Info("always-allow-with-delay sleeping for 5 seconds")
time.Sleep(5 * time.Second)
klog.V(2).Info("calling always-allow")
reviewResponse := v1beta1.AdmissionResponse{}
reviewResponse := v1.AdmissionResponse{}
reviewResponse.Allowed = true
reviewResponse.Result = &metav1.Status{Message: "this webhook allows all requests"}
return &reviewResponse
@@ -17,15 +17,15 @@ limitations under the License.
package webhook

import (
"k8s.io/api/admission/v1beta1"
"k8s.io/api/admission/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/klog"
)

// alwaysDeny all requests made to this function.
func alwaysDeny(ar v1beta1.AdmissionReview) *v1beta1.AdmissionResponse {
func alwaysDeny(ar v1.AdmissionReview) *v1.AdmissionResponse {
klog.V(2).Info("calling always-deny")
reviewResponse := v1beta1.AdmissionResponse{}
reviewResponse := v1.AdmissionResponse{}
reviewResponse.Allowed = false
reviewResponse.Result = &metav1.Status{Message: "this webhook denies all requests"}
return &reviewResponse
@@ -17,7 +17,7 @@ limitations under the License.
package webhook

import (
"k8s.io/api/admission/v1beta1"
v1 "k8s.io/api/admission/v1"
corev1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/klog"
@@ -33,7 +33,7 @@ const (
)

// deny configmaps with specific key-value pair.
func admitConfigMaps(ar v1beta1.AdmissionReview) *v1beta1.AdmissionResponse {
func admitConfigMaps(ar v1.AdmissionReview) *v1.AdmissionResponse {
klog.V(2).Info("admitting configmaps")
configMapResource := metav1.GroupVersionResource{Group: "", Version: "v1", Resource: "configmaps"}
if ar.Request.Resource != configMapResource {
@@ -42,7 +42,7 @@ func admitConfigMaps(ar v1beta1.AdmissionReview) *v1beta1.AdmissionResponse {
}

var raw []byte
if ar.Request.Operation == v1beta1.Delete {
if ar.Request.Operation == v1.Delete {
raw = ar.Request.OldObject.Raw
} else {
raw = ar.Request.Object.Raw
@@ -51,19 +51,19 @@ func admitConfigMaps(ar v1beta1.AdmissionReview) *v1beta1.AdmissionResponse {
deserializer := codecs.UniversalDeserializer()
if _, _, err := deserializer.Decode(raw, nil, &configmap); err != nil {
klog.Error(err)
return toAdmissionResponse(err)
return toV1AdmissionResponse(err)
}
reviewResponse := v1beta1.AdmissionResponse{}
reviewResponse := v1.AdmissionResponse{}
reviewResponse.Allowed = true
for k, v := range configmap.Data {
if k == "webhook-e2e-test" && v == "webhook-disallow" &&
(ar.Request.Operation == v1beta1.Create || ar.Request.Operation == v1beta1.Update) {
(ar.Request.Operation == v1.Create || ar.Request.Operation == v1.Update) {
reviewResponse.Allowed = false
reviewResponse.Result = &metav1.Status{
Reason: "the configmap contains unwanted key and value",
}
}
if k == "webhook-e2e-test" && v == "webhook-nondeletable" && ar.Request.Operation == v1beta1.Delete {
if k == "webhook-e2e-test" && v == "webhook-nondeletable" && ar.Request.Operation == v1.Delete {
reviewResponse.Allowed = false
reviewResponse.Result = &metav1.Status{
Reason: "the configmap cannot be deleted because it contains unwanted key and value",
@@ -73,7 +73,7 @@ func admitConfigMaps(ar v1beta1.AdmissionReview) *v1beta1.AdmissionResponse {
return &reviewResponse
}

func mutateConfigmaps(ar v1beta1.AdmissionReview) *v1beta1.AdmissionResponse {
func mutateConfigmaps(ar v1.AdmissionReview) *v1.AdmissionResponse {
klog.V(2).Info("mutating configmaps")
configMapResource := metav1.GroupVersionResource{Group: "", Version: "v1", Resource: "configmaps"}
if ar.Request.Resource != configMapResource {
@@ -86,9 +86,9 @@ func mutateConfigmaps(ar v1beta1.AdmissionReview) *v1beta1.AdmissionResponse {
deserializer := codecs.UniversalDeserializer()
if _, _, err := deserializer.Decode(raw, nil, &configmap); err != nil {
klog.Error(err)
return toAdmissionResponse(err)
return toV1AdmissionResponse(err)
}
reviewResponse := v1beta1.AdmissionResponse{}
reviewResponse := v1.AdmissionResponse{}
reviewResponse.Allowed = true
if configmap.Data["mutation-start"] == "yes" {
reviewResponse.Patch = []byte(configMapPatch1)
@@ -97,7 +97,7 @@ func mutateConfigmaps(ar v1beta1.AdmissionReview) *v1beta1.AdmissionResponse {
reviewResponse.Patch = []byte(configMapPatch2)
}

pt := v1beta1.PatchTypeJSONPatch
pt := v1.PatchTypeJSONPatch
reviewResponse.PatchType = &pt

return &reviewResponse
@@ -0,0 +1,103 @@
/*
Copyright 2019 The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

package webhook

import (
v1 "k8s.io/api/admission/v1"
"k8s.io/api/admission/v1beta1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)

func convertAdmissionRequestToV1(r *v1beta1.AdmissionRequest) *v1.AdmissionRequest {
return &v1.AdmissionRequest{
Kind: r.Kind,
Namespace: r.Namespace,
Name: r.Name,
Object: r.Object,
Resource: r.Resource,
Operation: v1.Operation(r.Operation),
UID: r.UID,
DryRun: r.DryRun,
OldObject: r.OldObject,
Options: r.Options,
RequestKind: r.RequestKind,
RequestResource: r.RequestResource,
RequestSubResource: r.RequestSubResource,
SubResource: r.SubResource,
UserInfo: r.UserInfo,
}
}

func convertAdmissionRequestToV1beta1(r *v1.AdmissionRequest) *v1beta1.AdmissionRequest {
return &v1beta1.AdmissionRequest{
Kind: r.Kind,
Namespace: r.Namespace,
Name: r.Name,
Object: r.Object,
Resource: r.Resource,
Operation: v1beta1.Operation(r.Operation),
UID: r.UID,
DryRun: r.DryRun,
OldObject: r.OldObject,
Options: r.Options,
RequestKind: r.RequestKind,
RequestResource: r.RequestResource,
RequestSubResource: r.RequestSubResource,
SubResource: r.SubResource,
UserInfo: r.UserInfo,
}
}

func convertAdmissionResponseToV1(r *v1beta1.AdmissionResponse) *v1.AdmissionResponse {
var pt *v1.PatchType
if r.PatchType != nil {
t := v1.PatchType(*r.PatchType)
pt = &t
}
return &v1.AdmissionResponse{
UID: r.UID,
Allowed: r.Allowed,
AuditAnnotations: r.AuditAnnotations,
Patch: r.Patch,
PatchType: pt,
Result: r.Result,
}
}

func convertAdmissionResponseToV1beta1(r *v1.AdmissionResponse) *v1beta1.AdmissionResponse {
var pt *v1beta1.PatchType
if r.PatchType != nil {
t := v1beta1.PatchType(*r.PatchType)
pt = &t
}
return &v1beta1.AdmissionResponse{
UID: r.UID,
Allowed: r.Allowed,
AuditAnnotations: r.AuditAnnotations,
Patch: r.Patch,
PatchType: pt,
Result: r.Result,
}
}

func toV1AdmissionResponse(err error) *v1.AdmissionResponse {
return &v1.AdmissionResponse{
Result: &metav1.Status{
Message: err.Error(),
},
}
}
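Review bot: All four converters dereference `r` on their first field access without a nil check, and `AdmissionReview.Request` is a pointer (the test in this commit builds it as `Request: &v1.AdmissionRequest{...}`). A review body that omits the request would therefore panic in the handler if the caller, which is not visible on this page, passes the field through unchecked; a guard such as `if r == nil { return nil }` at the top of each converter makes them total. The converters also share `Object`, `Patch` and `AuditAnnotations` with their input instead of copying, which deserves a one-line comment so callers do not mutate one side after converting. None of the five functions has a doc comment; for the last one I would add `// toV1AdmissionResponse wraps err in a response; Allowed stays false, so the request is denied.`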
