policy: Validate ServerAuthorization resources #8076
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
`ServerAuthorization` resources are not validated by the admission controller. This change enables validation for `ServerAuthorization` resources, based on changes to the admission controller proposed as a part of #8007. This admission controller is generalized to support arbitrary resource types. The `ServerAuthoriation` validation currently only ensures that network blocks are valid CIDRs and that they are coherent. We use the new _schemars_ feature of `ipnet` v2.4.0 to support using IpNet data structures directly in the custom resource type bindings. This change also adds an integration test to validate that the admission controller behaves as expected. Signed-off-by: Oliver Gould <ver@buoyant.io>
hawkw
approved these changes
Mar 16, 2022
Comment on lines
+168
to
+170
| resources: | ||
| - serverauthorizations | ||
| - servers |
There was a problem hiding this comment.
very minor ntipick: elsewhere in the chart it looks like we use [...] syntax for YAML arrays, should we try to keep that consistent here?
There was a problem hiding this comment.
In at least this case: no. If anything we should probably move some of the others to use explicit lists. My reasoning is that:
- we're going to add more soon, and this line is going to get very long.
- this helps minimize diffs as there are changes (lines are inserted/removed, instead of the whole line changing).
| type AdmissionRequest = kube::core::admission::AdmissionRequest<DynamicObject>; | ||
| type AdmissionResponse = kube::core::admission::AdmissionResponse; | ||
| type AdmissionReview = kube::core::admission::AdmissionReview<DynamicObject>; | ||
| fn parse_spec<T: DeserializeOwned>(req: AdmissionRequest) -> Result<(String, String, T)> { |
There was a problem hiding this comment.
hmm, i don't love returning a (String, String, T) instead of a struct with named fields, but since this is only called in one place, it's probably not worth introducing a whole new type just for that...probably best the way it is...
olix0r
added a commit
that referenced
this pull request
Mar 31, 2022
`ServerAuthorization` resources are not validated by the admission controller. This change enables validation for `ServerAuthorization` resources, based on changes to the admission controller proposed as a part of #8007. This admission controller is generalized to support arbitrary resource types. The `ServerAuthoriation` validation currently only ensures that network blocks are valid CIDRs and that they are coherent. We use the new _schemars_ feature of `ipnet` v2.4.0 to support using IpNet data structures directly in the custom resource type bindings. This change also adds an integration test to validate that the admission controller behaves as expected. Signed-off-by: Oliver Gould <ver@buoyant.io> (cherry picked from commit c445c72) Signed-off-by: Oliver Gould <ver@buoyant.io>
olix0r
added a commit
that referenced
this pull request
Mar 31, 2022
`ServerAuthorization` resources are not validated by the admission controller. This change enables validation for `ServerAuthorization` resources, based on changes to the admission controller proposed as a part of #8007. This admission controller is generalized to support arbitrary resource types. The `ServerAuthoriation` validation currently only ensures that network blocks are valid CIDRs and that they are coherent. We use the new _schemars_ feature of `ipnet` v2.4.0 to support using IpNet data structures directly in the custom resource type bindings. This change also adds an integration test to validate that the admission controller behaves as expected. Signed-off-by: Oliver Gould <ver@buoyant.io> (cherry picked from commit c445c72) Signed-off-by: Oliver Gould <ver@buoyant.io>
olix0r
added a commit
that referenced
this pull request
Apr 7, 2022
`ServerAuthorization` resources are not validated by the admission controller. This change enables validation for `ServerAuthorization` resources, based on changes to the admission controller proposed as a part of #8007. This admission controller is generalized to support arbitrary resource types. The `ServerAuthoriation` validation currently only ensures that network blocks are valid CIDRs and that they are coherent. We use the new _schemars_ feature of `ipnet` v2.4.0 to support using IpNet data structures directly in the custom resource type bindings. This change also adds an integration test to validate that the admission controller behaves as expected. Signed-off-by: Oliver Gould <ver@buoyant.io> (cherry picked from commit c445c72) Signed-off-by: Oliver Gould <ver@buoyant.io>
olix0r
added a commit
that referenced
this pull request
Apr 8, 2022
`ServerAuthorization` resources are not validated by the admission controller. This change enables validation for `ServerAuthorization` resources, based on changes to the admission controller proposed as a part of #8007. This admission controller is generalized to support arbitrary resource types. The `ServerAuthoriation` validation currently only ensures that network blocks are valid CIDRs and that they are coherent. We use the new _schemars_ feature of `ipnet` v2.4.0 to support using IpNet data structures directly in the custom resource type bindings. This change also adds an integration test to validate that the admission controller behaves as expected. Signed-off-by: Oliver Gould <ver@buoyant.io> (cherry picked from commit c445c72) Signed-off-by: Oliver Gould <ver@buoyant.io>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
ServerAuthorizationresources are not validated by the admissioncontroller.
This change enables validation for
ServerAuthorizationresources,based on changes to the admission controller proposed as a part of
#8007. This admission controller is generalized to
support arbitrary resource types. The
ServerAuthoriationvalidationcurrently only ensures that network blocks are valid CIDRs and that they
are coherent. We use the new schemars feature of
ipnetv2.4.0 tosupport using IpNet data structures directly in the custom resource
type bindings.
This change also adds an integration test to validate that the admission
controller behaves as expected.
Signed-off-by: Oliver Gould ver@buoyant.io