openshift · openshift-merge-robot · Feb 11, 2021 · Feb 11, 2021 · wgordon17 · Feb 11, 2021
diff --git a/pkg/webhooks/regularuser/regularuser.go b/pkg/webhooks/regularuser/regularuser.go
@@ -17,14 +17,17 @@ import (
 )
 
 const (
-	WebhookName string = "regular-user-validation"
-	docString   string = `Managed OpenShift customers may not manage any objects in the following APIgroups %s, nor may Managed OpenShift customers alter the ClusterVersion, Node or SubjectPermission objects.`
+	WebhookName       string = "regular-user-validation"
+	docString         string = `Managed OpenShift customers may not manage any objects in the following APIgroups %s, nor may Managed OpenShift customers alter the ClusterVersion, Node or SubjectPermission objects.`
+	mustGatherKind    string = "MustGather"
+	mustGatherGroup   string = "managed.openshift.io"
+	customDomainKind  string = "CustomDomain"
+	customDomainGroup string = "managed.openshift.io"
 )
 
 var (
-	adminGroups           = []string{"osd-sre-admins", "osd-sre-cluster-admins"}
-	ceeGroup       string = "osd-devaccess"
-	mustGatherKind string = "MustGather"
+	adminGroups        = []string{"osd-sre-admins", "osd-sre-cluster-admins"}
+	ceeGroup    string = "osd-devaccess"
 
 	scope = admissionregv1.AllScopes
 	rules = []admissionregv1.RuleWithOperations{
@@ -168,18 +171,26 @@ func (s *RegularuserWebhook) authorized(request admissionctl.Request) admissionc
 		ret.UID = request.AdmissionRequest.UID
 		return ret
 	}
+	if utils.SliceContains("dedicated-admins", request.UserInfo.Groups) &&
+		request.Kind.Kind == customDomainKind &&
+		request.Kind.Group == customDomainGroup {
+		ret = admissionctl.Allowed("dedicated-admins may manage Custom Domains")
+		ret.UID = request.AdmissionRequest.UID
+		return ret
+	}
+	if utils.SliceContains(ceeGroup, request.UserInfo.Groups) &&
+		request.Kind.Kind == mustGatherKind &&
+		request.Kind.Group == mustGatherGroup {
+		ret = admissionctl.Allowed("Members of CEE may manage MustGather CRs")
+		ret.UID = request.AdmissionRequest.UID
+		return ret
+	}
 	for _, userGroup := range request.UserInfo.Groups {
 		if utils.SliceContains(userGroup, adminGroups) {
 			ret = admissionctl.Allowed("Members of admin groups are allowed")
 			ret.UID = request.AdmissionRequest.UID
 			return ret
 		}
-
-		if (userGroup == ceeGroup) && (request.Kind.Kind == mustGatherKind) {
-			ret = admissionctl.Allowed("Members of CEE may manage MustGather CRs")
-			ret.UID = request.AdmissionRequest.UID
-			return ret
-		}
 	}
 
 	log.Info("Denying access", "request", request.AdmissionRequest)

diff --git a/pkg/webhooks/regularuser/regularuser_test.go b/pkg/webhooks/regularuser/regularuser_test.go
@@ -329,6 +329,68 @@ func TestNodesSubjectPermissionsClusterVersions(t *testing.T) {
 	runRegularuserTests(t, tests)
 }
 
+func TestCustomDomains(t *testing.T) {
+	tests := []regularuserTests{
+		{
+			testID:          "customdomain-unauth-user",
+			targetResource:  "customdomains",
+			targetKind:      "CustomDomain",
+			targetVersion:   "v1alpha1",
+			targetGroup:     "managed.openshift.io",
+			username:        "system:unauthenticated",
+			userGroups:      []string{"system:unauthenticated"},
+			operation:       v1beta1.Create,
+			shouldBeAllowed: false,
+		},
+		{
+			testID:          "customdomain-dedicated-admins",
+			targetResource:  "customdomains",
+			targetKind:      "CustomDomain",
+			targetVersion:   "v1alpha1",
+			targetGroup:     "managed.openshift.io",
+			username:        "dedi-admin",
+			userGroups:      []string{"system:authenticated", "system:authenticated:oauth", "dedicated-admins"},
+			operation:       v1beta1.Create,
+			shouldBeAllowed: true,
+		},
+		{
+			testID:          "customdomain-dedicated-admins-edit",
+			targetResource:  "customdomains",
+			targetKind:      "CustomDomain",
+			targetVersion:   "v1alpha1",
+			targetGroup:     "managed.openshift.io",
+			username:        "dedi-admin",
+			userGroups:      []string{"system:authenticated", "system:authenticated:oauth", "dedicated-admins"},
+			operation:       v1beta1.Update,
+			shouldBeAllowed: true,
+		},
+		{
+			testID:          "customdomain-dedicated-admins-delete",
+			targetResource:  "customdomains",
+			targetKind:      "CustomDomain",
+			targetVersion:   "v1alpha1",
+			targetGroup:     "managed.openshift.io",
+			username:        "dedi-admin",
+			userGroups:      []string{"system:authenticated", "system:authenticated:oauth", "dedicated-admins"},
+			operation:       v1beta1.Delete,
+			shouldBeAllowed: true,
+		},
+		{
+			// shouldn't be able to create a CustomDomain from machine.openshift.io if that should come to exist
+			testID:          "customdomain-dedicated-admins-wrong-group",
+			targetResource:  "customdomains",
+			targetKind:      "CustomDomain",
+			targetVersion:   "v1alpha1",
+			targetGroup:     "machine.openshift.io",
+			username:        "dedi-admin",
+			userGroups:      []string{"system:authenticated", "system:authenticated:oauth", "dedicated-admins"},
+			operation:       v1beta1.Create,
+			shouldBeAllowed: false,
+		},
+	}
+	runRegularuserTests(t, tests)
+}
+
 func TestMustGathers(t *testing.T) {
 	tests := []regularuserTests{
 		{