/* Copyright 2017 The Kubernetes Authors. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. */ package apimachinery import ( "context" "encoding/json" "fmt" "reflect" "strings" "time" "k8s.io/utils/pointer" admissionregistrationv1 "k8s.io/api/admissionregistration/v1" appsv1 "k8s.io/api/apps/v1" v1 "k8s.io/api/core/v1" rbacv1 "k8s.io/api/rbac/v1" apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1" crdclientset "k8s.io/apiextensions-apiserver/pkg/client/clientset/clientset" apierrors "k8s.io/apimachinery/pkg/api/errors" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" "k8s.io/apimachinery/pkg/types" "k8s.io/apimachinery/pkg/util/intstr" "k8s.io/apimachinery/pkg/util/uuid" "k8s.io/apimachinery/pkg/util/wait" "k8s.io/client-go/dynamic" clientset "k8s.io/client-go/kubernetes" "k8s.io/client-go/util/retry" "k8s.io/kubernetes/test/e2e/framework" e2edeployment "k8s.io/kubernetes/test/e2e/framework/deployment" e2ekubectl "k8s.io/kubernetes/test/e2e/framework/kubectl" e2epod "k8s.io/kubernetes/test/e2e/framework/pod" "k8s.io/kubernetes/test/utils/crd" imageutils "k8s.io/kubernetes/test/utils/image" admissionapi "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo/v2" "github.com/onsi/gomega" // ensure libs have a chance to initialize _ "github.com/stretchr/testify/assert" ) const ( secretName = "sample-webhook-secret" deploymentName = "sample-webhook-deployment" serviceName = "e2e-test-webhook" roleBindingName = "webhook-auth-reader" skipNamespaceLabelKey = "skip-webhook-admission" skipNamespaceLabelValue = "yes" skipNamespaceBaseName = "exempted-namespace" disallowedPodName = "disallowed-pod" toBeAttachedPodName = "to-be-attached-pod" hangingPodName = "hanging-pod" disallowedConfigMapName = "disallowed-configmap" allowedConfigMapName = "allowed-configmap" failNamespaceLabelKey = "fail-closed-webhook" failNamespaceLabelValue = "yes" failNamespaceBaseName = "fail-closed-namespace" addedLabelKey = "added-label" addedLabelValue = "yes" ) var _ = SIGDescribe("AdmissionWebhook [Privileged:ClusterAdmin]", func() { var certCtx *certContext f := framework.NewDefaultFramework("webhook") f.NamespacePodSecurityLevel = admissionapi.LevelBaseline servicePort := int32(8443) containerPort := int32(8444) var client clientset.Interface var namespaceName string var markersNamespaceName string ginkgo.BeforeEach(func(ctx context.Context) { client = f.ClientSet namespaceName = f.Namespace.Name // Make sure the namespace created for the test is labeled to be selected by the webhooks labelNamespace(ctx, f, f.Namespace.Name) markersNamespaceName = createWebhookConfigurationReadyNamespace(ctx, f) ginkgo.By("Setting up server cert") certCtx = setupServerCert(namespaceName, serviceName) createAuthReaderRoleBinding(ctx, f, namespaceName) deployWebhookAndService(ctx, f, imageutils.GetE2EImage(imageutils.Agnhost), certCtx, servicePort, containerPort) }) ginkgo.AfterEach(func(ctx context.Context) { cleanWebhookTest(ctx, client, namespaceName) }) /* Release: v1.16 Testname: Admission webhook, discovery document Description: The admissionregistration.k8s.io API group MUST exists in the /apis discovery document. The admissionregistration.k8s.io/v1 API group/version MUST exists in the /apis discovery document. The mutatingwebhookconfigurations and validatingwebhookconfigurations resources MUST exist in the /apis/admissionregistration.k8s.io/v1 discovery document. */ framework.ConformanceIt("should include webhook resources in discovery documents", func(ctx context.Context) { { ginkgo.By("fetching the /apis discovery document") apiGroupList := &metav1.APIGroupList{} err := client.Discovery().RESTClient().Get().AbsPath("/apis").Do(ctx).Into(apiGroupList) framework.ExpectNoError(err, "fetching /apis") ginkgo.By("finding the admissionregistration.k8s.io API group in the /apis discovery document") var group *metav1.APIGroup for _, g := range apiGroupList.Groups { if g.Name == admissionregistrationv1.GroupName { group = &g break } } gomega.Expect(group).ToNot(gomega.BeNil(), "admissionregistration.k8s.io API group not found in /apis discovery document") ginkgo.By("finding the admissionregistration.k8s.io/v1 API group/version in the /apis discovery document") var version *metav1.GroupVersionForDiscovery for _, v := range group.Versions { if v.Version == admissionregistrationv1.SchemeGroupVersion.Version { version = &v break } } gomega.Expect(version).ToNot(gomega.BeNil(), "admissionregistration.k8s.io/v1 API group version not found in /apis discovery document") } { ginkgo.By("fetching the /apis/admissionregistration.k8s.io discovery document") group := &metav1.APIGroup{} err := client.Discovery().RESTClient().Get().AbsPath("/apis/admissionregistration.k8s.io").Do(ctx).Into(group) framework.ExpectNoError(err, "fetching /apis/admissionregistration.k8s.io") gomega.Expect(group.Name).To(gomega.Equal(admissionregistrationv1.GroupName), "verifying API group name in /apis/admissionregistration.k8s.io discovery document") ginkgo.By("finding the admissionregistration.k8s.io/v1 API group/version in the /apis/admissionregistration.k8s.io discovery document") var version *metav1.GroupVersionForDiscovery for _, v := range group.Versions { if v.Version == admissionregistrationv1.SchemeGroupVersion.Version { version = &v break } } gomega.Expect(version).ToNot(gomega.BeNil(), "admissionregistration.k8s.io/v1 API group version not found in /apis/admissionregistration.k8s.io discovery document") } { ginkgo.By("fetching the /apis/admissionregistration.k8s.io/v1 discovery document") apiResourceList := &metav1.APIResourceList{} err := client.Discovery().RESTClient().Get().AbsPath("/apis/admissionregistration.k8s.io/v1").Do(ctx).Into(apiResourceList) framework.ExpectNoError(err, "fetching /apis/admissionregistration.k8s.io/v1") gomega.Expect(apiResourceList.GroupVersion).To(gomega.Equal(admissionregistrationv1.SchemeGroupVersion.String()), "verifying API group/version in /apis/admissionregistration.k8s.io/v1 discovery document") ginkgo.By("finding mutatingwebhookconfigurations and validatingwebhookconfigurations resources in the /apis/admissionregistration.k8s.io/v1 discovery document") var ( mutatingWebhookResource *metav1.APIResource validatingWebhookResource *metav1.APIResource ) for i := range apiResourceList.APIResources { if apiResourceList.APIResources[i].Name == "mutatingwebhookconfigurations" { mutatingWebhookResource = &apiResourceList.APIResources[i] } if apiResourceList.APIResources[i].Name == "validatingwebhookconfigurations" { validatingWebhookResource = &apiResourceList.APIResources[i] } } gomega.Expect(mutatingWebhookResource).ToNot(gomega.BeNil(), "mutatingwebhookconfigurations resource not found in /apis/admissionregistration.k8s.io/v1 discovery document") gomega.Expect(validatingWebhookResource).ToNot(gomega.BeNil(), "validatingwebhookconfigurations resource not found in /apis/admissionregistration.k8s.io/v1 discovery document") } }) /* Release: v1.16 Testname: Admission webhook, deny create Description: Register an admission webhook configuration that admits pod and configmap. Attempts to create non-compliant pods and configmaps, or update/patch compliant pods and configmaps to be non-compliant MUST be denied. An attempt to create a pod that causes a webhook to hang MUST result in a webhook timeout error, and the pod creation MUST be denied. An attempt to create a non-compliant configmap in a whitelisted namespace based on the webhook namespace selector MUST be allowed. */ framework.ConformanceIt("should be able to deny pod and configmap creation", func(ctx context.Context) { registerWebhook(ctx, f, markersNamespaceName, f.UniqueName, certCtx, servicePort) testWebhook(ctx, f) }) /* Release: v1.16 Testname: Admission webhook, deny attach Description: Register an admission webhook configuration that denies connecting to a pod's attach sub-resource. Attempts to attach MUST be denied. */ framework.ConformanceIt("should be able to deny attaching pod", func(ctx context.Context) { registerWebhookForAttachingPod(ctx, f, markersNamespaceName, f.UniqueName, certCtx, servicePort) testAttachingPodWebhook(ctx, f) }) /* Release: v1.16 Testname: Admission webhook, deny custom resource create and delete Description: Register an admission webhook configuration that denies creation, update and deletion of custom resources. Attempts to create, update and delete custom resources MUST be denied. */ framework.ConformanceIt("should be able to deny custom resource creation, update and deletion", func(ctx context.Context) { testcrd, err := crd.CreateTestCRD(f) if err != nil { return } ginkgo.DeferCleanup(testcrd.CleanUp) registerWebhookForCustomResource(ctx, f, markersNamespaceName, f.UniqueName, certCtx, testcrd, servicePort) testCustomResourceWebhook(ctx, f, testcrd.Crd, testcrd.DynamicClients["v1"]) testBlockingCustomResourceUpdateDeletion(ctx, f, testcrd.Crd, testcrd.DynamicClients["v1"]) }) /* Release: v1.16 Testname: Admission webhook, fail closed Description: Register a webhook with a fail closed policy and without CA bundle so that it cannot be called. Attempt operations that require the admission webhook; all MUST be denied. */ framework.ConformanceIt("should unconditionally reject operations on fail closed webhook", func(ctx context.Context) { registerFailClosedWebhook(ctx, f, markersNamespaceName, f.UniqueName, certCtx, servicePort) testFailClosedWebhook(ctx, f) }) /* Release: v1.16 Testname: Admission webhook, ordered mutation Description: Register a mutating webhook configuration with two webhooks that admit configmaps, one that adds a data key if the configmap already has a specific key, and another that adds a key if the key added by the first webhook is present. Attempt to create a config map; both keys MUST be added to the config map. */ framework.ConformanceIt("should mutate configmap", func(ctx context.Context) { registerMutatingWebhookForConfigMap(ctx, f, markersNamespaceName, f.UniqueName, certCtx, servicePort) testMutatingConfigMapWebhook(ctx, f) }) /* Release: v1.16 Testname: Admission webhook, mutation with defaulting Description: Register a mutating webhook that adds an InitContainer to pods. Attempt to create a pod; the InitContainer MUST be added the TerminationMessagePolicy MUST be defaulted. */ framework.ConformanceIt("should mutate pod and apply defaults after mutation", func(ctx context.Context) { registerMutatingWebhookForPod(ctx, f, markersNamespaceName, f.UniqueName, certCtx, servicePort) testMutatingPodWebhook(ctx, f) }) /* Release: v1.16 Testname: Admission webhook, admission control not allowed on webhook configuration objects Description: Register webhooks that mutate and deny deletion of webhook configuration objects. Attempt to create and delete a webhook configuration object; both operations MUST be allowed and the webhook configuration object MUST NOT be mutated the webhooks. */ framework.ConformanceIt("should not be able to mutate or prevent deletion of webhook configuration objects", func(ctx context.Context) { registerValidatingWebhookForWebhookConfigurations(ctx, f, markersNamespaceName, f.UniqueName+"blocking", certCtx, servicePort) registerMutatingWebhookForWebhookConfigurations(ctx, f, markersNamespaceName, f.UniqueName+"blocking", certCtx, servicePort) testWebhooksForWebhookConfigurations(ctx, f, markersNamespaceName, f.UniqueName, certCtx, servicePort) }) /* Release: v1.16 Testname: Admission webhook, mutate custom resource Description: Register a webhook that mutates a custom resource. Attempt to create custom resource object; the custom resource MUST be mutated. */ framework.ConformanceIt("should mutate custom resource", func(ctx context.Context) { testcrd, err := crd.CreateTestCRD(f) if err != nil { return } ginkgo.DeferCleanup(testcrd.CleanUp) registerMutatingWebhookForCustomResource(ctx, f, markersNamespaceName, f.UniqueName, certCtx, testcrd, servicePort) testMutatingCustomResourceWebhook(ctx, f, testcrd.Crd, testcrd.DynamicClients["v1"], false) }) /* Release: v1.16 Testname: Admission webhook, deny custom resource definition Description: Register a webhook that denies custom resource definition create. Attempt to create a custom resource definition; the create request MUST be denied. */ framework.ConformanceIt("should deny crd creation", func(ctx context.Context) { registerValidatingWebhookForCRD(ctx, f, markersNamespaceName, f.UniqueName, certCtx, servicePort) testCRDDenyWebhook(ctx, f) }) /* Release: v1.16 Testname: Admission webhook, mutate custom resource with different stored version Description: Register a webhook that mutates custom resources on create and update. Register a custom resource definition using v1 as stored version. Create a custom resource. Patch the custom resource definition to use v2 as the stored version. Attempt to patch the custom resource with a new field and value; the patch MUST be applied successfully. */ framework.ConformanceIt("should mutate custom resource with different stored version", func(ctx context.Context) { testcrd, err := createAdmissionWebhookMultiVersionTestCRDWithV1Storage(f) if err != nil { return } ginkgo.DeferCleanup(testcrd.CleanUp) registerMutatingWebhookForCustomResource(ctx, f, markersNamespaceName, f.UniqueName, certCtx, testcrd, servicePort) testMultiVersionCustomResourceWebhook(ctx, f, testcrd) }) /* Release: v1.16 Testname: Admission webhook, mutate custom resource with pruning Description: Register mutating webhooks that adds fields to custom objects. Register a custom resource definition with a schema that includes only one of the data keys added by the webhooks. Attempt to a custom resource; the fields included in the schema MUST be present and field not included in the schema MUST NOT be present. */ framework.ConformanceIt("should mutate custom resource with pruning", func(ctx context.Context) { const prune = true testcrd, err := createAdmissionWebhookMultiVersionTestCRDWithV1Storage(f, func(crd *apiextensionsv1.CustomResourceDefinition) { crd.Spec.PreserveUnknownFields = false for i := range crd.Spec.Versions { crd.Spec.Versions[i].Schema = &apiextensionsv1.CustomResourceValidation{ OpenAPIV3Schema: &apiextensionsv1.JSONSchemaProps{ Type: "object", Properties: map[string]apiextensionsv1.JSONSchemaProps{ "data": { Type: "object", Properties: map[string]apiextensionsv1.JSONSchemaProps{ "mutation-start": {Type: "string"}, "mutation-stage-1": {Type: "string"}, // mutation-stage-2 is intentionally missing such that it is pruned }, }, }, }, } } }) if err != nil { return } ginkgo.DeferCleanup(testcrd.CleanUp) registerMutatingWebhookForCustomResource(ctx, f, markersNamespaceName, f.UniqueName, certCtx, testcrd, servicePort) testMutatingCustomResourceWebhook(ctx, f, testcrd.Crd, testcrd.DynamicClients["v1"], prune) }) /* Release: v1.16 Testname: Admission webhook, honor timeout Description: Using a webhook that waits 5 seconds before admitting objects, configure the webhook with combinations of timeouts and failure policy values. Attempt to create a config map with each combination. Requests MUST timeout if the configured webhook timeout is less than 5 seconds and failure policy is fail. Requests must not timeout if the failure policy is ignore. Requests MUST NOT timeout if configured webhook timeout is 10 seconds (much longer than the webhook wait duration). */ framework.ConformanceIt("should honor timeout", func(ctx context.Context) { policyFail := admissionregistrationv1.Fail policyIgnore := admissionregistrationv1.Ignore ginkgo.By("Setting timeout (1s) shorter than webhook latency (5s)") slowWebhookCleanup := registerSlowWebhook(ctx, f, markersNamespaceName, f.UniqueName, certCtx, &policyFail, pointer.Int32(1), servicePort) testSlowWebhookTimeoutFailEarly(ctx, f) slowWebhookCleanup(ctx) ginkgo.By("Having no error when timeout is shorter than webhook latency and failure policy is ignore") slowWebhookCleanup = registerSlowWebhook(ctx, f, markersNamespaceName, f.UniqueName, certCtx, &policyIgnore, pointer.Int32(1), servicePort) testSlowWebhookTimeoutNoError(ctx, f) slowWebhookCleanup(ctx) ginkgo.By("Having no error when timeout is longer than webhook latency") slowWebhookCleanup = registerSlowWebhook(ctx, f, markersNamespaceName, f.UniqueName, certCtx, &policyFail, pointer.Int32(10), servicePort) testSlowWebhookTimeoutNoError(ctx, f) slowWebhookCleanup(ctx) ginkgo.By("Having no error when timeout is empty (defaulted to 10s in v1)") slowWebhookCleanup = registerSlowWebhook(ctx, f, markersNamespaceName, f.UniqueName, certCtx, &policyFail, nil, servicePort) testSlowWebhookTimeoutNoError(ctx, f) slowWebhookCleanup(ctx) }) /* Release: v1.16 Testname: Admission webhook, update validating webhook Description: Register a validating admission webhook configuration. Update the webhook to not apply to the create operation and attempt to create an object; the webhook MUST NOT deny the create. Patch the webhook to apply to the create operation again and attempt to create an object; the webhook MUST deny the create. */ framework.ConformanceIt("patching/updating a validating webhook should work", func(ctx context.Context) { client := f.ClientSet admissionClient := client.AdmissionregistrationV1() ginkgo.By("Creating a validating webhook configuration") hook, err := createValidatingWebhookConfiguration(ctx, f, &admissionregistrationv1.ValidatingWebhookConfiguration{ ObjectMeta: metav1.ObjectMeta{ Name: f.UniqueName, }, Webhooks: []admissionregistrationv1.ValidatingWebhook{ newDenyConfigMapWebhookFixture(f, certCtx, servicePort), newValidatingIsReadyWebhookFixture(f, certCtx, servicePort), }, }) framework.ExpectNoError(err, "Creating validating webhook configuration") defer func() { err := client.AdmissionregistrationV1().ValidatingWebhookConfigurations().Delete(ctx, hook.Name, metav1.DeleteOptions{}) framework.ExpectNoError(err, "Deleting validating webhook configuration") }() // ensure backend is ready before proceeding err = waitWebhookConfigurationReady(ctx, f, markersNamespaceName) framework.ExpectNoError(err, "waiting for webhook configuration to be ready") ginkgo.By("Creating a configMap that does not comply to the validation webhook rules") err = wait.PollImmediate(100*time.Millisecond, 30*time.Second, func() (bool, error) { cm := namedNonCompliantConfigMap(string(uuid.NewUUID()), f) _, err = client.CoreV1().ConfigMaps(f.Namespace.Name).Create(ctx, cm, metav1.CreateOptions{}) if err == nil { err = client.CoreV1().ConfigMaps(f.Namespace.Name).Delete(ctx, cm.Name, metav1.DeleteOptions{}) framework.ExpectNoError(err, "Deleting successfully created configMap") return false, nil } if !strings.Contains(err.Error(), "denied") { return false, err } return true, nil }) ginkgo.By("Updating a validating webhook configuration's rules to not include the create operation") err = retry.RetryOnConflict(retry.DefaultRetry, func() error { h, err := admissionClient.ValidatingWebhookConfigurations().Get(ctx, f.UniqueName, metav1.GetOptions{}) framework.ExpectNoError(err, "Getting validating webhook configuration") h.Webhooks[0].Rules[0].Operations = []admissionregistrationv1.OperationType{admissionregistrationv1.Update} _, err = admissionClient.ValidatingWebhookConfigurations().Update(ctx, h, metav1.UpdateOptions{}) return err }) framework.ExpectNoError(err, "Updating validating webhook configuration") ginkgo.By("Creating a configMap that does not comply to the validation webhook rules") err = wait.PollImmediate(100*time.Millisecond, 30*time.Second, func() (bool, error) { cm := namedNonCompliantConfigMap(string(uuid.NewUUID()), f) _, err = client.CoreV1().ConfigMaps(f.Namespace.Name).Create(ctx, cm, metav1.CreateOptions{}) if err != nil { if !strings.Contains(err.Error(), "denied") { return false, err } return false, nil } err = client.CoreV1().ConfigMaps(f.Namespace.Name).Delete(ctx, cm.Name, metav1.DeleteOptions{}) framework.ExpectNoError(err, "Deleting successfully created configMap") return true, nil }) framework.ExpectNoError(err, "Waiting for configMap in namespace %s to be allowed creation since webhook was updated to not validate create", f.Namespace.Name) ginkgo.By("Patching a validating webhook configuration's rules to include the create operation") hook, err = admissionClient.ValidatingWebhookConfigurations().Patch(ctx, f.UniqueName, types.JSONPatchType, []byte(`[{"op": "replace", "path": "/webhooks/0/rules/0/operations", "value": ["CREATE"]}]`), metav1.PatchOptions{}) framework.ExpectNoError(err, "Patching validating webhook configuration") ginkgo.By("Creating a configMap that does not comply to the validation webhook rules") err = wait.PollImmediate(100*time.Millisecond, 30*time.Second, func() (bool, error) { cm := namedNonCompliantConfigMap(string(uuid.NewUUID()), f) _, err = client.CoreV1().ConfigMaps(f.Namespace.Name).Create(ctx, cm, metav1.CreateOptions{}) if err == nil { err = client.CoreV1().ConfigMaps(f.Namespace.Name).Delete(ctx, cm.Name, metav1.DeleteOptions{}) framework.ExpectNoError(err, "Deleting successfully created configMap") return false, nil } if !strings.Contains(err.Error(), "denied") { return false, err } return true, nil }) framework.ExpectNoError(err, "Waiting for configMap in namespace %s to be denied creation by validating webhook", f.Namespace.Name) }) /* Release: v1.16 Testname: Admission webhook, update mutating webhook Description: Register a mutating admission webhook configuration. Update the webhook to not apply to the create operation and attempt to create an object; the webhook MUST NOT mutate the object. Patch the webhook to apply to the create operation again and attempt to create an object; the webhook MUST mutate the object. */ framework.ConformanceIt("patching/updating a mutating webhook should work", func(ctx context.Context) { client := f.ClientSet admissionClient := client.AdmissionregistrationV1() ginkgo.By("Creating a mutating webhook configuration") hook, err := createMutatingWebhookConfiguration(ctx, f, &admissionregistrationv1.MutatingWebhookConfiguration{ ObjectMeta: metav1.ObjectMeta{ Name: f.UniqueName, }, Webhooks: []admissionregistrationv1.MutatingWebhook{ newMutateConfigMapWebhookFixture(f, certCtx, 1, servicePort), newMutatingIsReadyWebhookFixture(f, certCtx, servicePort), }, }) framework.ExpectNoError(err, "Creating mutating webhook configuration") defer func() { err := client.AdmissionregistrationV1().MutatingWebhookConfigurations().Delete(ctx, hook.Name, metav1.DeleteOptions{}) framework.ExpectNoError(err, "Deleting mutating webhook configuration") }() // ensure backend is ready before proceeding err = waitWebhookConfigurationReady(ctx, f, markersNamespaceName) framework.ExpectNoError(err, "waiting for webhook configuration to be ready") hook, err = admissionClient.MutatingWebhookConfigurations().Get(ctx, f.UniqueName, metav1.GetOptions{}) framework.ExpectNoError(err, "Getting mutating webhook configuration") ginkgo.By("Updating a mutating webhook configuration's rules to not include the create operation") hook.Webhooks[0].Rules[0].Operations = []admissionregistrationv1.OperationType{admissionregistrationv1.Update} hook, err = admissionClient.MutatingWebhookConfigurations().Update(ctx, hook, metav1.UpdateOptions{}) framework.ExpectNoError(err, "Updating mutating webhook configuration") ginkgo.By("Creating a configMap that should not be mutated") err = wait.PollImmediate(100*time.Millisecond, 30*time.Second, func() (bool, error) { cm := namedToBeMutatedConfigMap(string(uuid.NewUUID()), f) created, err := client.CoreV1().ConfigMaps(f.Namespace.Name).Create(ctx, cm, metav1.CreateOptions{}) if err != nil { return false, err } err = client.CoreV1().ConfigMaps(f.Namespace.Name).Delete(ctx, cm.Name, metav1.DeleteOptions{}) framework.ExpectNoError(err, "Deleting successfully created configMap") _, ok := created.Data["mutation-stage-1"] return !ok, nil }) framework.ExpectNoError(err, "Waiting for configMap in namespace %s this is not mutated", f.Namespace.Name) ginkgo.By("Patching a mutating webhook configuration's rules to include the create operation") hook, err = admissionClient.MutatingWebhookConfigurations().Patch(ctx, f.UniqueName, types.JSONPatchType, []byte(`[{"op": "replace", "path": "/webhooks/0/rules/0/operations", "value": ["CREATE"]}]`), metav1.PatchOptions{}) framework.ExpectNoError(err, "Patching mutating webhook configuration") ginkgo.By("Creating a configMap that should be mutated") err = wait.PollImmediate(100*time.Millisecond, 30*time.Second, func() (bool, error) { cm := namedToBeMutatedConfigMap(string(uuid.NewUUID()), f) created, err := client.CoreV1().ConfigMaps(f.Namespace.Name).Create(ctx, cm, metav1.CreateOptions{}) if err != nil { return false, err } err = client.CoreV1().ConfigMaps(f.Namespace.Name).Delete(ctx, cm.Name, metav1.DeleteOptions{}) framework.ExpectNoError(err, "Deleting successfully created configMap") _, ok := created.Data["mutation-stage-1"] return ok, nil }) framework.ExpectNoError(err, "Waiting for configMap in namespace %s to be mutated", f.Namespace.Name) }) /* Release: v1.16 Testname: Admission webhook, list validating webhooks Description: Create 10 validating webhook configurations, all with a label. Attempt to list the webhook configurations matching the label; all the created webhook configurations MUST be present. Attempt to create an object; the create MUST be denied. Attempt to remove the webhook configurations matching the label with deletecollection; all webhook configurations MUST be deleted. Attempt to create an object; the create MUST NOT be denied. */ framework.ConformanceIt("listing validating webhooks should work", func(ctx context.Context) { testListSize := 10 testUUID := string(uuid.NewUUID()) for i := 0; i < testListSize; i++ { name := fmt.Sprintf("%s-%d", f.UniqueName, i) _, err := createValidatingWebhookConfiguration(ctx, f, &admissionregistrationv1.ValidatingWebhookConfiguration{ ObjectMeta: metav1.ObjectMeta{ Name: name, Labels: map[string]string{"e2e-list-test-uuid": testUUID}, }, Webhooks: []admissionregistrationv1.ValidatingWebhook{ newDenyConfigMapWebhookFixture(f, certCtx, servicePort), newValidatingIsReadyWebhookFixture(f, certCtx, servicePort), }, }) framework.ExpectNoError(err, "Creating validating webhook configuration") } selectorListOpts := metav1.ListOptions{LabelSelector: "e2e-list-test-uuid=" + testUUID} ginkgo.By("Listing all of the created validation webhooks") list, err := client.AdmissionregistrationV1().ValidatingWebhookConfigurations().List(ctx, selectorListOpts) framework.ExpectNoError(err, "Listing validating webhook configurations") gomega.Expect(list.Items).To(gomega.HaveLen(testListSize)) // ensure backend is ready before proceeding err = waitWebhookConfigurationReady(ctx, f, markersNamespaceName) framework.ExpectNoError(err, "waiting for webhook configuration to be ready") ginkgo.By("Creating a configMap that does not comply to the validation webhook rules") err = wait.PollImmediate(100*time.Millisecond, 30*time.Second, func() (bool, error) { cm := namedNonCompliantConfigMap(string(uuid.NewUUID()), f) _, err = client.CoreV1().ConfigMaps(f.Namespace.Name).Create(ctx, cm, metav1.CreateOptions{}) if err == nil { err = client.CoreV1().ConfigMaps(f.Namespace.Name).Delete(ctx, cm.Name, metav1.DeleteOptions{}) framework.ExpectNoError(err, "Deleting successfully created configMap") return false, nil } if !strings.Contains(err.Error(), "denied") { return false, err } return true, nil }) framework.ExpectNoError(err, "Waiting for configMap in namespace %s to be denied creation by validating webhook", f.Namespace.Name) ginkgo.By("Deleting the collection of validation webhooks") err = client.AdmissionregistrationV1().ValidatingWebhookConfigurations().DeleteCollection(ctx, metav1.DeleteOptions{}, selectorListOpts) framework.ExpectNoError(err, "Deleting collection of validating webhook configurations") ginkgo.By("Creating a configMap that does not comply to the validation webhook rules") err = wait.PollImmediate(100*time.Millisecond, 30*time.Second, func() (bool, error) { cm := namedNonCompliantConfigMap(string(uuid.NewUUID()), f) _, err = client.CoreV1().ConfigMaps(f.Namespace.Name).Create(ctx, cm, metav1.CreateOptions{}) if err != nil { if !strings.Contains(err.Error(), "denied") { return false, err } return false, nil } err = client.CoreV1().ConfigMaps(f.Namespace.Name).Delete(ctx, cm.Name, metav1.DeleteOptions{}) framework.ExpectNoError(err, "Deleting successfully created configMap") return true, nil }) framework.ExpectNoError(err, "Waiting for configMap in namespace %s to be allowed creation since there are no webhooks", f.Namespace.Name) }) /* Release: v1.16 Testname: Admission webhook, list mutating webhooks Description: Create 10 mutating webhook configurations, all with a label. Attempt to list the webhook configurations matching the label; all the created webhook configurations MUST be present. Attempt to create an object; the object MUST be mutated. Attempt to remove the webhook configurations matching the label with deletecollection; all webhook configurations MUST be deleted. Attempt to create an object; the object MUST NOT be mutated. */ framework.ConformanceIt("listing mutating webhooks should work", func(ctx context.Context) { testListSize := 10 testUUID := string(uuid.NewUUID()) for i := 0; i < testListSize; i++ { name := fmt.Sprintf("%s-%d", f.UniqueName, i) _, err := createMutatingWebhookConfiguration(ctx, f, &admissionregistrationv1.MutatingWebhookConfiguration{ ObjectMeta: metav1.ObjectMeta{ Name: name, Labels: map[string]string{"e2e-list-test-uuid": testUUID}, }, Webhooks: []admissionregistrationv1.MutatingWebhook{ newMutateConfigMapWebhookFixture(f, certCtx, 1, servicePort), newMutatingIsReadyWebhookFixture(f, certCtx, servicePort), }, }) framework.ExpectNoError(err, "Creating mutating webhook configuration") } selectorListOpts := metav1.ListOptions{LabelSelector: "e2e-list-test-uuid=" + testUUID} ginkgo.By("Listing all of the created validation webhooks") list, err := client.AdmissionregistrationV1().MutatingWebhookConfigurations().List(ctx, selectorListOpts) framework.ExpectNoError(err, "Listing mutating webhook configurations") gomega.Expect(list.Items).To(gomega.HaveLen(testListSize)) // ensure backend is ready before proceeding err = waitWebhookConfigurationReady(ctx, f, markersNamespaceName) framework.ExpectNoError(err, "waiting for webhook configuration to be ready") ginkgo.By("Creating a configMap that should be mutated") err = wait.PollImmediate(100*time.Millisecond, 30*time.Second, func() (bool, error) { cm := namedToBeMutatedConfigMap(string(uuid.NewUUID()), f) created, err := client.CoreV1().ConfigMaps(f.Namespace.Name).Create(ctx, cm, metav1.CreateOptions{}) if err != nil { return false, err } err = client.CoreV1().ConfigMaps(f.Namespace.Name).Delete(ctx, cm.Name, metav1.DeleteOptions{}) framework.ExpectNoError(err, "Deleting successfully created configMap") _, ok := created.Data["mutation-stage-1"] return ok, nil }) framework.ExpectNoError(err, "Waiting for configMap in namespace %s to be mutated", f.Namespace.Name) ginkgo.By("Deleting the collection of validation webhooks") err = client.AdmissionregistrationV1().MutatingWebhookConfigurations().DeleteCollection(ctx, metav1.DeleteOptions{}, selectorListOpts) framework.ExpectNoError(err, "Deleting collection of mutating webhook configurations") ginkgo.By("Creating a configMap that should not be mutated") err = wait.PollImmediate(100*time.Millisecond, 30*time.Second, func() (bool, error) { cm := namedToBeMutatedConfigMap(string(uuid.NewUUID()), f) created, err := client.CoreV1().ConfigMaps(f.Namespace.Name).Create(ctx, cm, metav1.CreateOptions{}) if err != nil { return false, err } err = client.CoreV1().ConfigMaps(f.Namespace.Name).Delete(ctx, cm.Name, metav1.DeleteOptions{}) framework.ExpectNoError(err, "Deleting successfully created configMap") _, ok := created.Data["mutation-stage-1"] return !ok, nil }) framework.ExpectNoError(err, "Waiting for configMap in namespace %s this is not mutated", f.Namespace.Name) }) /* Release: v1.28 Testname: Validating Admission webhook, create and update validating webhook configuration with matchConditions Description: Register a validating webhook configuration. Verify that the match conditions field are properly stored in the api-server. Update the validating webhook configuration and retrieve it; the retrieved object must contain the newly update matchConditions fields. */ framework.ConformanceIt("should be able to create and update validating webhook configurations with match conditions", func(ctx context.Context) { initalMatchConditions := []admissionregistrationv1.MatchCondition{ { Name: "expression-1", Expression: "object.metadata.namespace == 'production'", }, } ginkgo.By("creating a validating webhook with match conditions") validatingWebhookConfiguration := newValidatingWebhookWithMatchConditions(f, servicePort, certCtx, initalMatchConditions) _, err := createValidatingWebhookConfiguration(ctx, f, validatingWebhookConfiguration) framework.ExpectNoError(err) ginkgo.By("verifying the validating webhook match conditions") validatingWebhookConfiguration, err = client.AdmissionregistrationV1().ValidatingWebhookConfigurations().Get(ctx, f.UniqueName, metav1.GetOptions{}) framework.ExpectNoError(err) gomega.Expect(validatingWebhookConfiguration.Webhooks[0].MatchConditions).To(gomega.Equal(initalMatchConditions), "verifying that match conditions are created") defer func() { err := client.AdmissionregistrationV1().ValidatingWebhookConfigurations().Delete(ctx, validatingWebhookConfiguration.Name, metav1.DeleteOptions{}) framework.ExpectNoError(err, "deleting mutating webhook configuration") }() ginkgo.By("updating the validating webhook match conditions") updatedMatchConditions := []admissionregistrationv1.MatchCondition{ { Name: "expression-1", Expression: "object.metadata.namespace == 'production'", }, { Name: "expression-2", Expression: "object.metadata.namespace == 'staging'", }, } validatingWebhookConfiguration.Webhooks[0].MatchConditions = updatedMatchConditions _, err = client.AdmissionregistrationV1().ValidatingWebhookConfigurations().Update(ctx, validatingWebhookConfiguration, metav1.UpdateOptions{}) framework.ExpectNoError(err) ginkgo.By("verifying the validating webhook match conditions") validatingWebhookConfiguration, err = client.AdmissionregistrationV1().ValidatingWebhookConfigurations().Get(ctx, f.UniqueName, metav1.GetOptions{}) framework.ExpectNoError(err) gomega.Expect(validatingWebhookConfiguration.Webhooks[0].MatchConditions).To(gomega.Equal(updatedMatchConditions), "verifying that match conditions are updated") }) /* Release: v1.28 Testname: Mutating Admission webhook, create and update mutating webhook configuration with matchConditions Description: Register a mutating webhook configuration. Verify that the match conditions field are properly stored in the api-server. Update the mutating webhook configuration and retrieve it; the retrieved object must contain the newly update matchConditions fields. */ framework.ConformanceIt("should be able to create and update mutating webhook configurations with match conditions", func(ctx context.Context) { initalMatchConditions := []admissionregistrationv1.MatchCondition{ { Name: "expression-1", Expression: "object.metadata.namespace == 'production'", }, } ginkgo.By("creating a mutating webhook with match conditions") mutatingWebhookConfiguration := newMutatingWebhookWithMatchConditions(f, servicePort, certCtx, initalMatchConditions) _, err := createMutatingWebhookConfiguration(ctx, f, mutatingWebhookConfiguration) framework.ExpectNoError(err) ginkgo.By("verifying the mutating webhook match conditions") mutatingWebhookConfiguration, err = client.AdmissionregistrationV1().MutatingWebhookConfigurations().Get(ctx, f.UniqueName, metav1.GetOptions{}) framework.ExpectNoError(err) gomega.Expect(mutatingWebhookConfiguration.Webhooks[0].MatchConditions).To(gomega.Equal(initalMatchConditions), "verifying that match conditions are created") defer func() { err := client.AdmissionregistrationV1().MutatingWebhookConfigurations().Delete(ctx, mutatingWebhookConfiguration.Name, metav1.DeleteOptions{}) framework.ExpectNoError(err, "deleting mutating webhook configuration") }() ginkgo.By("updating the mutating webhook match conditions") updatedMatchConditions := []admissionregistrationv1.MatchCondition{ { Name: "expression-1", Expression: "object.metadata.namespace == 'production'", }, { Name: "expression-2", Expression: "object.metadata.namespace == 'staging'", }, } mutatingWebhookConfiguration.Webhooks[0].MatchConditions = updatedMatchConditions _, err = client.AdmissionregistrationV1().MutatingWebhookConfigurations().Update(ctx, mutatingWebhookConfiguration, metav1.UpdateOptions{}) framework.ExpectNoError(err) ginkgo.By("verifying the mutating webhook match conditions") mutatingWebhookConfiguration, err = client.AdmissionregistrationV1().MutatingWebhookConfigurations().Get(ctx, f.UniqueName, metav1.GetOptions{}) framework.ExpectNoError(err) gomega.Expect(mutatingWebhookConfiguration.Webhooks[0].MatchConditions).To(gomega.Equal(updatedMatchConditions), "verifying that match conditions are updated") }) /* Release: v1.28 Testname: Validing Admission webhook, reject validating webhook configurations with invalid matchConditions Description: Creates a validating webhook configuration with an invalid CEL expression in it's matchConditions field. The api-server server should reject the create request with a "compilation failed" error message. */ framework.ConformanceIt("should reject validating webhook configurations with invalid match conditions", func(ctx context.Context) { initalMatchConditions := []admissionregistrationv1.MatchCondition{ { Name: "invalid-expression-1", Expression: "... [] bad expression", }, } ginkgo.By("creating a validating webhook with match conditions") validatingWebhookConfiguration := newValidatingWebhookWithMatchConditions(f, servicePort, certCtx, initalMatchConditions) _, err := createValidatingWebhookConfiguration(ctx, f, validatingWebhookConfiguration) gomega.Expect(err).To(gomega.HaveOccurred(), "create validatingwebhookconfiguration should have been denied by the api-server") expectedErrMsg := "compilation failed" gomega.Expect(strings.Contains(err.Error(), expectedErrMsg)).To(gomega.BeTrue()) }) /* Release: v1.28 Testname: Mutating Admission webhook, reject mutating webhook configurations with invalid matchConditions Description: Creates a mutating webhook configuration with an invalid CEL expression in it's matchConditions field. The api-server server should reject the create request with a "compilation failed" error message. */ framework.ConformanceIt("should reject mutating webhook configurations with invalid match conditions", func(ctx context.Context) { initalMatchConditions := []admissionregistrationv1.MatchCondition{ { Name: "invalid-expression-1", Expression: "... [] bad expression", }, } ginkgo.By("creating a mutating webhook with match conditions") mutatingWebhookConfiguration := newMutatingWebhookWithMatchConditions(f, servicePort, certCtx, initalMatchConditions) _, err := createMutatingWebhookConfiguration(ctx, f, mutatingWebhookConfiguration) gomega.Expect(err).To(gomega.HaveOccurred(), "create mutatingwebhookconfiguration should have been denied by the api-server") expectedErrMsg := "compilation failed" gomega.Expect(strings.Contains(err.Error(), expectedErrMsg)).To(gomega.BeTrue()) }) /* Release: v1.28 Testname: Mutating Admission webhook, mutating webhook excluding object with specific name Description: Create a mutating webhook configuration with matchConditions field that will reject all resources except ones with a specific name 'skip-me'. Create a configMap with the name 'skip-me' and verify that it's mutated. Create a configMap with a different name than 'skip-me' and verify that it's mustated. */ framework.ConformanceIt("should mutate everything except 'skip-me' configmaps", func(ctx context.Context) { skipMeMatchConditions := []admissionregistrationv1.MatchCondition{ { Name: "skip-me", Expression: "object.metadata.name != 'skip-me'", }, } ginkgo.By("creating a mutating webhook with match conditions") namespace := f.Namespace.Name mutatingWebhook1 := newMutateConfigMapWebhookFixture(f, certCtx, 1, servicePort) mutatingWebhook1.MatchConditions = skipMeMatchConditions created, err := createMutatingWebhookConfiguration(ctx, f, &admissionregistrationv1.MutatingWebhookConfiguration{ ObjectMeta: metav1.ObjectMeta{ Name: f.UniqueName, }, Webhooks: []admissionregistrationv1.MutatingWebhook{ mutatingWebhook1, // Register a webhook that can be probed by marker requests to detect when the configuration is ready. newMutatingIsReadyWebhookFixture(f, certCtx, servicePort), }, }) framework.ExpectNoError(err, "registering mutating webhook config %s with namespace %s", f.UniqueName, namespace) defer func() { err := client.AdmissionregistrationV1().MutatingWebhookConfigurations().Delete(ctx, created.Name, metav1.DeleteOptions{}) framework.ExpectNoError(err, "deleting mutating webhook configuration") }() err = waitWebhookConfigurationReady(ctx, f, markersNamespaceName) framework.ExpectNoError(err, "waiting for webhook configuration to be ready") ginkgo.DeferCleanup(framework.IgnoreNotFound(client.AdmissionregistrationV1().MutatingWebhookConfigurations().Delete), f.UniqueName, metav1.DeleteOptions{}) // ensure backend is ready before proceeding err = waitWebhookConfigurationReady(ctx, f, markersNamespaceName) framework.ExpectNoError(err, "waiting for webhook configuration to be ready") ginkgo.By("create the configmap with a random name") cm := namedToBeMutatedConfigMap(string(uuid.NewUUID()), f) mutatedCM, err := client.CoreV1().ConfigMaps(f.Namespace.Name).Create(ctx, cm, metav1.CreateOptions{}) framework.ExpectNoError(err, "creating configMap object") ginkgo.By("verify the configmap is mutated") expectedConfigMapData := map[string]string{ "mutation-start": "yes", "mutation-stage-1": "yes", } gomega.Expect(reflect.DeepEqual(expectedConfigMapData, mutatedCM.Data)).To(gomega.BeTrue()) ginkgo.By("create the configmap with 'skip-me' name") cm = namedToBeMutatedConfigMap("skip-me", f) skippedCM, err := client.CoreV1().ConfigMaps(f.Namespace.Name).Create(ctx, cm, metav1.CreateOptions{}) framework.ExpectNoError(err, "creating configMap object") expectedConfigMapData = map[string]string{ "mutation-start": "yes", } gomega.Expect(reflect.DeepEqual(expectedConfigMapData, skippedCM.Data)).To(gomega.BeTrue()) }) }) func newValidatingWebhookWithMatchConditions( f *framework.Framework, servicePort int32, certCtx *certContext, matchConditions []admissionregistrationv1.MatchCondition, ) *admissionregistrationv1.ValidatingWebhookConfiguration { sideEffects := admissionregistrationv1.SideEffectClassNone equivalent := admissionregistrationv1.Equivalent return &admissionregistrationv1.ValidatingWebhookConfiguration{ ObjectMeta: metav1.ObjectMeta{ Name: f.UniqueName, }, Webhooks: []admissionregistrationv1.ValidatingWebhook{ { Name: "validation-webhook-with-match-conditions.k8s.io", Rules: []admissionregistrationv1.RuleWithOperations{{ Operations: []admissionregistrationv1.OperationType{admissionregistrationv1.Create}, Rule: admissionregistrationv1.Rule{ APIGroups: []string{""}, APIVersions: []string{"v1"}, Resources: []string{"configmaps"}, }, }}, ClientConfig: admissionregistrationv1.WebhookClientConfig{ Service: &admissionregistrationv1.ServiceReference{ Namespace: f.Namespace.Name, Name: serviceName, Path: strPtr("/always-deny"), Port: pointer.Int32(servicePort), }, CABundle: certCtx.signingCert, }, SideEffects: &sideEffects, MatchPolicy: &equivalent, AdmissionReviewVersions: []string{"v1"}, // Scope the webhook to just the markers namespace NamespaceSelector: &metav1.LabelSelector{ MatchLabels: map[string]string{f.UniqueName: "true"}, }, MatchConditions: matchConditions, }, newValidatingIsReadyWebhookFixture(f, certCtx, servicePort), }, } } func newMutatingWebhookWithMatchConditions( f *framework.Framework, servicePort int32, certCtx *certContext, matchConditions []admissionregistrationv1.MatchCondition, ) *admissionregistrationv1.MutatingWebhookConfiguration { sideEffects := admissionregistrationv1.SideEffectClassNone return &admissionregistrationv1.MutatingWebhookConfiguration{ ObjectMeta: metav1.ObjectMeta{ Name: f.UniqueName, }, Webhooks: []admissionregistrationv1.MutatingWebhook{ { Name: "adding-configmap-data.k8s.io", Rules: []admissionregistrationv1.RuleWithOperations{{ Operations: []admissionregistrationv1.OperationType{admissionregistrationv1.Create}, Rule: admissionregistrationv1.Rule{ APIGroups: []string{""}, APIVersions: []string{"v1"}, Resources: []string{"configmaps"}, }, }}, ClientConfig: admissionregistrationv1.WebhookClientConfig{ Service: &admissionregistrationv1.ServiceReference{ Namespace: f.Namespace.Name, Name: serviceName, Path: strPtr("/mutating-configmaps"), Port: pointer.Int32(servicePort), }, CABundle: certCtx.signingCert, }, SideEffects: &sideEffects, AdmissionReviewVersions: []string{"v1", "v1beta1"}, // Scope the webhook to just this namespace NamespaceSelector: &metav1.LabelSelector{ MatchLabels: map[string]string{f.UniqueName: "true"}, }, MatchConditions: matchConditions, }, newMutatingIsReadyWebhookFixture(f, certCtx, servicePort), }, } } func createAuthReaderRoleBinding(ctx context.Context, f *framework.Framework, namespace string) { ginkgo.By("Create role binding to let webhook read extension-apiserver-authentication") client := f.ClientSet // Create the role binding to allow the webhook read the extension-apiserver-authentication configmap _, err := client.RbacV1().RoleBindings("kube-system").Create(ctx, &rbacv1.RoleBinding{ ObjectMeta: metav1.ObjectMeta{ Name: roleBindingName, Annotations: map[string]string{ rbacv1.AutoUpdateAnnotationKey: "true", }, }, RoleRef: rbacv1.RoleRef{ APIGroup: "", Kind: "Role", Name: "extension-apiserver-authentication-reader", }, Subjects: []rbacv1.Subject{ { Kind: "ServiceAccount", Name: "default", Namespace: namespace, }, }, }, metav1.CreateOptions{}) if err != nil && apierrors.IsAlreadyExists(err) { framework.Logf("role binding %s already exists", roleBindingName) } else { framework.ExpectNoError(err, "creating role binding %s:webhook to access configMap", namespace) } } func deployWebhookAndService(ctx context.Context, f *framework.Framework, image string, certCtx *certContext, servicePort int32, containerPort int32) { ginkgo.By("Deploying the webhook pod") client := f.ClientSet // Creating the secret that contains the webhook's cert. secret := &v1.Secret{ ObjectMeta: metav1.ObjectMeta{ Name: secretName, }, Type: v1.SecretTypeOpaque, Data: map[string][]byte{ "tls.crt": certCtx.cert, "tls.key": certCtx.key, }, } namespace := f.Namespace.Name _, err := client.CoreV1().Secrets(namespace).Create(ctx, secret, metav1.CreateOptions{}) framework.ExpectNoError(err, "creating secret %q in namespace %q", secretName, namespace) // Create the deployment of the webhook podLabels := map[string]string{"app": "sample-webhook", "webhook": "true"} replicas := int32(1) mounts := []v1.VolumeMount{ { Name: "webhook-certs", ReadOnly: true, MountPath: "/webhook.local.config/certificates", }, } volumes := []v1.Volume{ { Name: "webhook-certs", VolumeSource: v1.VolumeSource{ Secret: &v1.SecretVolumeSource{SecretName: secretName}, }, }, } containers := []v1.Container{ { Name: "sample-webhook", VolumeMounts: mounts, Args: []string{ "webhook", "--tls-cert-file=/webhook.local.config/certificates/tls.crt", "--tls-private-key-file=/webhook.local.config/certificates/tls.key", "-v=4", // Use a non-default port for containers. fmt.Sprintf("--port=%d", containerPort), }, ReadinessProbe: &v1.Probe{ ProbeHandler: v1.ProbeHandler{ HTTPGet: &v1.HTTPGetAction{ Scheme: v1.URISchemeHTTPS, Port: intstr.FromInt32(containerPort), Path: "/readyz", }, }, PeriodSeconds: 1, SuccessThreshold: 1, FailureThreshold: 30, }, Image: image, Ports: []v1.ContainerPort{{ContainerPort: containerPort}}, }, } d := e2edeployment.NewDeployment(deploymentName, replicas, podLabels, "", "", appsv1.RollingUpdateDeploymentStrategyType) d.Spec.Template.Spec.Containers = containers d.Spec.Template.Spec.Volumes = volumes deployment, err := client.AppsV1().Deployments(namespace).Create(ctx, d, metav1.CreateOptions{}) framework.ExpectNoError(err, "creating deployment %s in namespace %s", deploymentName, namespace) ginkgo.By("Wait for the deployment to be ready") err = e2edeployment.WaitForDeploymentRevisionAndImage(client, namespace, deploymentName, "1", image) framework.ExpectNoError(err, "waiting for the deployment of image %s in %s in %s to complete", image, deploymentName, namespace) err = e2edeployment.WaitForDeploymentComplete(client, deployment) framework.ExpectNoError(err, "waiting for the deployment status valid", image, deploymentName, namespace) ginkgo.By("Deploying the webhook service") serviceLabels := map[string]string{"webhook": "true"} service := &v1.Service{ ObjectMeta: metav1.ObjectMeta{ Namespace: namespace, Name: serviceName, Labels: map[string]string{"test": "webhook"}, }, Spec: v1.ServiceSpec{ Selector: serviceLabels, Ports: []v1.ServicePort{ { Protocol: v1.ProtocolTCP, Port: servicePort, TargetPort: intstr.FromInt32(containerPort), }, }, }, } _, err = client.CoreV1().Services(namespace).Create(ctx, service, metav1.CreateOptions{}) framework.ExpectNoError(err, "creating service %s in namespace %s", serviceName, namespace) ginkgo.By("Verifying the service has paired with the endpoint") err = framework.WaitForServiceEndpointsNum(ctx, client, namespace, serviceName, 1, 1*time.Second, 30*time.Second) framework.ExpectNoError(err, "waiting for service %s/%s have %d endpoint", namespace, serviceName, 1) } func strPtr(s string) *string { return &s } func registerWebhook(ctx context.Context, f *framework.Framework, markersNamespaceName string, configName string, certCtx *certContext, servicePort int32) { client := f.ClientSet ginkgo.By("Registering the webhook via the AdmissionRegistration API") namespace := f.Namespace.Name // A webhook that cannot talk to server, with fail-open policy failOpenHook := failingWebhook(namespace, "fail-open.k8s.io", servicePort) policyIgnore := admissionregistrationv1.Ignore failOpenHook.FailurePolicy = &policyIgnore failOpenHook.NamespaceSelector = &metav1.LabelSelector{ MatchLabels: map[string]string{f.UniqueName: "true"}, } _, err := createValidatingWebhookConfiguration(ctx, f, &admissionregistrationv1.ValidatingWebhookConfiguration{ ObjectMeta: metav1.ObjectMeta{ Name: configName, }, Webhooks: []admissionregistrationv1.ValidatingWebhook{ newDenyPodWebhookFixture(f, certCtx, servicePort), newDenyConfigMapWebhookFixture(f, certCtx, servicePort), // Server cannot talk to this webhook, so it always fails. // Because this webhook is configured fail-open, request should be admitted after the call fails. failOpenHook, // Register a webhook that can be probed by marker requests to detect when the configuration is ready. newValidatingIsReadyWebhookFixture(f, certCtx, servicePort), }, }) framework.ExpectNoError(err, "registering webhook config %s with namespace %s", configName, namespace) err = waitWebhookConfigurationReady(ctx, f, markersNamespaceName) framework.ExpectNoError(err, "waiting for webhook configuration to be ready") ginkgo.DeferCleanup(framework.IgnoreNotFound(client.AdmissionregistrationV1().ValidatingWebhookConfigurations().Delete), configName, metav1.DeleteOptions{}) } func registerWebhookForAttachingPod(ctx context.Context, f *framework.Framework, markersNamespaceName string, configName string, certCtx *certContext, servicePort int32) { client := f.ClientSet ginkgo.By("Registering the webhook via the AdmissionRegistration API") namespace := f.Namespace.Name sideEffectsNone := admissionregistrationv1.SideEffectClassNone _, err := createValidatingWebhookConfiguration(ctx, f, &admissionregistrationv1.ValidatingWebhookConfiguration{ ObjectMeta: metav1.ObjectMeta{ Name: configName, }, Webhooks: []admissionregistrationv1.ValidatingWebhook{ { Name: "deny-attaching-pod.k8s.io", Rules: []admissionregistrationv1.RuleWithOperations{{ Operations: []admissionregistrationv1.OperationType{admissionregistrationv1.Connect}, Rule: admissionregistrationv1.Rule{ APIGroups: []string{""}, APIVersions: []string{"v1"}, Resources: []string{"pods/attach"}, }, }}, ClientConfig: admissionregistrationv1.WebhookClientConfig{ Service: &admissionregistrationv1.ServiceReference{ Namespace: namespace, Name: serviceName, Path: strPtr("/pods/attach"), Port: pointer.Int32(servicePort), }, CABundle: certCtx.signingCert, }, SideEffects: &sideEffectsNone, AdmissionReviewVersions: []string{"v1", "v1beta1"}, // Scope the webhook to just this namespace NamespaceSelector: &metav1.LabelSelector{ MatchLabels: map[string]string{f.UniqueName: "true"}, }, }, // Register a webhook that can be probed by marker requests to detect when the configuration is ready. newValidatingIsReadyWebhookFixture(f, certCtx, servicePort), }, }) framework.ExpectNoError(err, "registering webhook config %s with namespace %s", configName, namespace) err = waitWebhookConfigurationReady(ctx, f, markersNamespaceName) framework.ExpectNoError(err, "waiting for webhook configuration to be ready") ginkgo.DeferCleanup(framework.IgnoreNotFound(client.AdmissionregistrationV1().ValidatingWebhookConfigurations().Delete), configName, metav1.DeleteOptions{}) } func registerMutatingWebhookForConfigMap(ctx context.Context, f *framework.Framework, markersNamespaceName string, configName string, certCtx *certContext, servicePort int32) { client := f.ClientSet ginkgo.By("Registering the mutating configmap webhook via the AdmissionRegistration API") namespace := f.Namespace.Name _, err := createMutatingWebhookConfiguration(ctx, f, &admissionregistrationv1.MutatingWebhookConfiguration{ ObjectMeta: metav1.ObjectMeta{ Name: configName, }, Webhooks: []admissionregistrationv1.MutatingWebhook{ newMutateConfigMapWebhookFixture(f, certCtx, 1, servicePort), newMutateConfigMapWebhookFixture(f, certCtx, 2, servicePort), // Register a webhook that can be probed by marker requests to detect when the configuration is ready. newMutatingIsReadyWebhookFixture(f, certCtx, servicePort), }, }) framework.ExpectNoError(err, "registering mutating webhook config %s with namespace %s", configName, namespace) err = waitWebhookConfigurationReady(ctx, f, markersNamespaceName) framework.ExpectNoError(err, "waiting for webhook configuration to be ready") ginkgo.DeferCleanup(framework.IgnoreNotFound(client.AdmissionregistrationV1().MutatingWebhookConfigurations().Delete), configName, metav1.DeleteOptions{}) } func testMutatingConfigMapWebhook(ctx context.Context, f *framework.Framework) { ginkgo.By("create a configmap that should be updated by the webhook") client := f.ClientSet configMap := toBeMutatedConfigMap(f) mutatedConfigMap, err := client.CoreV1().ConfigMaps(f.Namespace.Name).Create(ctx, configMap, metav1.CreateOptions{}) framework.ExpectNoError(err) expectedConfigMapData := map[string]string{ "mutation-start": "yes", "mutation-stage-1": "yes", "mutation-stage-2": "yes", } if !reflect.DeepEqual(expectedConfigMapData, mutatedConfigMap.Data) { framework.Failf("\nexpected %#v\n, got %#v\n", expectedConfigMapData, mutatedConfigMap.Data) } } func registerMutatingWebhookForPod(ctx context.Context, f *framework.Framework, markersNamespaceName string, configName string, certCtx *certContext, servicePort int32) { client := f.ClientSet ginkgo.By("Registering the mutating pod webhook via the AdmissionRegistration API") namespace := f.Namespace.Name sideEffectsNone := admissionregistrationv1.SideEffectClassNone _, err := createMutatingWebhookConfiguration(ctx, f, &admissionregistrationv1.MutatingWebhookConfiguration{ ObjectMeta: metav1.ObjectMeta{ Name: configName, }, Webhooks: []admissionregistrationv1.MutatingWebhook{ { Name: "adding-init-container.k8s.io", Rules: []admissionregistrationv1.RuleWithOperations{{ Operations: []admissionregistrationv1.OperationType{admissionregistrationv1.Create}, Rule: admissionregistrationv1.Rule{ APIGroups: []string{""}, APIVersions: []string{"v1"}, Resources: []string{"pods"}, }, }}, ClientConfig: admissionregistrationv1.WebhookClientConfig{ Service: &admissionregistrationv1.ServiceReference{ Namespace: namespace, Name: serviceName, Path: strPtr("/mutating-pods"), Port: pointer.Int32(servicePort), }, CABundle: certCtx.signingCert, }, SideEffects: &sideEffectsNone, AdmissionReviewVersions: []string{"v1", "v1beta1"}, // Scope the webhook to just this namespace NamespaceSelector: &metav1.LabelSelector{ MatchLabels: map[string]string{f.UniqueName: "true"}, }, }, // Register a webhook that can be probed by marker requests to detect when the configuration is ready. newMutatingIsReadyWebhookFixture(f, certCtx, servicePort), }, }) framework.ExpectNoError(err, "registering mutating webhook config %s with namespace %s", configName, namespace) err = waitWebhookConfigurationReady(ctx, f, markersNamespaceName) framework.ExpectNoError(err, "waiting for webhook configuration to be ready") ginkgo.DeferCleanup(framework.IgnoreNotFound(client.AdmissionregistrationV1().MutatingWebhookConfigurations().Delete), configName, metav1.DeleteOptions{}) } func testMutatingPodWebhook(ctx context.Context, f *framework.Framework) { ginkgo.By("create a pod that should be updated by the webhook") client := f.ClientSet pod := toBeMutatedPod(f) mutatedPod, err := client.CoreV1().Pods(f.Namespace.Name).Create(ctx, pod, metav1.CreateOptions{}) framework.ExpectNoError(err) if len(mutatedPod.Spec.InitContainers) != 1 { framework.Failf("expect pod to have 1 init container, got %#v", mutatedPod.Spec.InitContainers) } if got, expected := mutatedPod.Spec.InitContainers[0].Name, "webhook-added-init-container"; got != expected { framework.Failf("expect the init container name to be %q, got %q", expected, got) } if got, expected := mutatedPod.Spec.InitContainers[0].TerminationMessagePolicy, v1.TerminationMessageReadFile; got != expected { framework.Failf("expect the init terminationMessagePolicy to be default to %q, got %q", expected, got) } } func toBeMutatedPod(f *framework.Framework) *v1.Pod { return &v1.Pod{ ObjectMeta: metav1.ObjectMeta{ Name: "webhook-to-be-mutated", }, Spec: v1.PodSpec{ Containers: []v1.Container{ { Name: "example", Image: imageutils.GetPauseImageName(), }, }, }, } } func testWebhook(ctx context.Context, f *framework.Framework) { ginkgo.By("create a pod that should be denied by the webhook") client := f.ClientSet // Creating the pod, the request should be rejected pod := nonCompliantPod(f) _, err := client.CoreV1().Pods(f.Namespace.Name).Create(ctx, pod, metav1.CreateOptions{}) gomega.Expect(err).To(gomega.HaveOccurred(), "create pod %s in namespace %s should have been denied by webhook", pod.Name, f.Namespace.Name) expectedErrMsg1 := "the pod contains unwanted container name" if !strings.Contains(err.Error(), expectedErrMsg1) { framework.Failf("expect error contains %q, got %q", expectedErrMsg1, err.Error()) } expectedErrMsg2 := "the pod contains unwanted label" if !strings.Contains(err.Error(), expectedErrMsg2) { framework.Failf("expect error contains %q, got %q", expectedErrMsg2, err.Error()) } ginkgo.By("create a pod that causes the webhook to hang") client = f.ClientSet // Creating the pod, the request should be rejected pod = hangingPod(f) _, err = client.CoreV1().Pods(f.Namespace.Name).Create(ctx, pod, metav1.CreateOptions{}) gomega.Expect(err).To(gomega.HaveOccurred(), "create pod %s in namespace %s should have caused webhook to hang", pod.Name, f.Namespace.Name) // ensure the error is webhook-related, not client-side if !strings.Contains(err.Error(), "webhook") { framework.Failf("expect error %q, got %q", "webhook", err.Error()) } // ensure the error is a timeout if !strings.Contains(err.Error(), "deadline") { framework.Failf("expect error %q, got %q", "deadline", err.Error()) } // ensure the pod was not actually created if _, err := client.CoreV1().Pods(f.Namespace.Name).Get(ctx, pod.Name, metav1.GetOptions{}); !apierrors.IsNotFound(err) { framework.Failf("expect notfound error looking for rejected pod, got %v", err) } ginkgo.By("create a configmap that should be denied by the webhook") // Creating the configmap, the request should be rejected configmap := nonCompliantConfigMap(f) _, err = client.CoreV1().ConfigMaps(f.Namespace.Name).Create(ctx, configmap, metav1.CreateOptions{}) gomega.Expect(err).To(gomega.HaveOccurred(), "create configmap %s in namespace %s should have been denied by the webhook", configmap.Name, f.Namespace.Name) expectedErrMsg := "the configmap contains unwanted key and value" if !strings.Contains(err.Error(), expectedErrMsg) { framework.Failf("expect error contains %q, got %q", expectedErrMsg, err.Error()) } ginkgo.By("create a configmap that should be admitted by the webhook") // Creating the configmap, the request should be admitted configmap = &v1.ConfigMap{ ObjectMeta: metav1.ObjectMeta{ Name: allowedConfigMapName, }, Data: map[string]string{ "admit": "this", }, } _, err = client.CoreV1().ConfigMaps(f.Namespace.Name).Create(ctx, configmap, metav1.CreateOptions{}) framework.ExpectNoError(err, "failed to create configmap %s in namespace: %s", configmap.Name, f.Namespace.Name) ginkgo.By("update (PUT) the admitted configmap to a non-compliant one should be rejected by the webhook") toNonCompliantFn := func(cm *v1.ConfigMap) { if cm.Data == nil { cm.Data = map[string]string{} } cm.Data["webhook-e2e-test"] = "webhook-disallow" } _, err = updateConfigMap(ctx, client, f.Namespace.Name, allowedConfigMapName, toNonCompliantFn) gomega.Expect(err).To(gomega.HaveOccurred(), "update (PUT) admitted configmap %s in namespace %s to a non-compliant one should be rejected by webhook", allowedConfigMapName, f.Namespace.Name) if !strings.Contains(err.Error(), expectedErrMsg) { framework.Failf("expect error contains %q, got %q", expectedErrMsg, err.Error()) } ginkgo.By("update (PATCH) the admitted configmap to a non-compliant one should be rejected by the webhook") patch := nonCompliantConfigMapPatch() _, err = client.CoreV1().ConfigMaps(f.Namespace.Name).Patch(ctx, allowedConfigMapName, types.StrategicMergePatchType, []byte(patch), metav1.PatchOptions{}) gomega.Expect(err).To(gomega.HaveOccurred(), "update admitted configmap %s in namespace %s by strategic merge patch to a non-compliant one should be rejected by webhook. Patch: %+v", allowedConfigMapName, f.Namespace.Name, patch) if !strings.Contains(err.Error(), expectedErrMsg) { framework.Failf("expect error contains %q, got %q", expectedErrMsg, err.Error()) } ginkgo.By("create a namespace that bypass the webhook") // skipNamespace will be deleted by framework at the end of the test skipNamespace, err := f.CreateNamespace(ctx, skipNamespaceBaseName, map[string]string{ skipNamespaceLabelKey: skipNamespaceLabelValue, f.UniqueName: "true", }) framework.ExpectNoError(err, "creating namespace %q", skipNamespaceBaseName) skipNamespaceName := skipNamespace.Name ginkgo.By("create a configmap that violates the webhook policy but is in a whitelisted namespace") configmap = nonCompliantConfigMap(f) _, err = client.CoreV1().ConfigMaps(skipNamespaceName).Create(ctx, configmap, metav1.CreateOptions{}) framework.ExpectNoError(err, "failed to create configmap %s in namespace: %s", configmap.Name, skipNamespaceName) } func testAttachingPodWebhook(ctx context.Context, f *framework.Framework) { ginkgo.By("create a pod") client := f.ClientSet pod := toBeAttachedPod(f) _, err := client.CoreV1().Pods(f.Namespace.Name).Create(ctx, pod, metav1.CreateOptions{}) framework.ExpectNoError(err, "failed to create pod %s in namespace: %s", pod.Name, f.Namespace.Name) err = e2epod.WaitForPodNameRunningInNamespace(ctx, client, pod.Name, f.Namespace.Name) framework.ExpectNoError(err, "error while waiting for pod %s to go to Running phase in namespace: %s", pod.Name, f.Namespace.Name) ginkgo.By("'kubectl attach' the pod, should be denied by the webhook") timer := time.NewTimer(30 * time.Second) defer timer.Stop() _, err = e2ekubectl.NewKubectlCommand(f.Namespace.Name, "attach", fmt.Sprintf("--namespace=%v", f.Namespace.Name), pod.Name, "-i", "-c=container1").WithTimeout(timer.C).Exec() gomega.Expect(err).To(gomega.HaveOccurred(), "'kubectl attach' the pod, should be denied by the webhook") if e, a := "attaching to pod 'to-be-attached-pod' is not allowed", err.Error(); !strings.Contains(a, e) { framework.Failf("unexpected 'kubectl attach' error message. expected to contain %q, got %q", e, a) } } // failingWebhook returns a webhook with rule of create configmaps, // but with an invalid client config so that server cannot communicate with it func failingWebhook(namespace, name string, servicePort int32) admissionregistrationv1.ValidatingWebhook { sideEffectsNone := admissionregistrationv1.SideEffectClassNone return admissionregistrationv1.ValidatingWebhook{ Name: name, Rules: []admissionregistrationv1.RuleWithOperations{{ Operations: []admissionregistrationv1.OperationType{admissionregistrationv1.Create}, Rule: admissionregistrationv1.Rule{ APIGroups: []string{""}, APIVersions: []string{"v1"}, Resources: []string{"configmaps"}, }, }}, ClientConfig: admissionregistrationv1.WebhookClientConfig{ Service: &admissionregistrationv1.ServiceReference{ Namespace: namespace, Name: serviceName, Path: strPtr("/configmaps"), Port: pointer.Int32(servicePort), }, // Without CA bundle, the call to webhook always fails CABundle: nil, }, SideEffects: &sideEffectsNone, AdmissionReviewVersions: []string{"v1", "v1beta1"}, } } func registerFailClosedWebhook(ctx context.Context, f *framework.Framework, markersNamespaceName string, configName string, certCtx *certContext, servicePort int32) { ginkgo.By("Registering a webhook that server cannot talk to, with fail closed policy, via the AdmissionRegistration API") namespace := f.Namespace.Name // A webhook that cannot talk to server, with fail-closed policy policyFail := admissionregistrationv1.Fail hook := failingWebhook(namespace, "fail-closed.k8s.io", servicePort) hook.FailurePolicy = &policyFail hook.NamespaceSelector = &metav1.LabelSelector{ MatchLabels: map[string]string{f.UniqueName: "true"}, MatchExpressions: []metav1.LabelSelectorRequirement{ { Key: failNamespaceLabelKey, Operator: metav1.LabelSelectorOpIn, Values: []string{failNamespaceLabelValue}, }, }, } _, err := createValidatingWebhookConfiguration(ctx, f, &admissionregistrationv1.ValidatingWebhookConfiguration{ ObjectMeta: metav1.ObjectMeta{ Name: configName, }, Webhooks: []admissionregistrationv1.ValidatingWebhook{ // Server cannot talk to this webhook, so it always fails. // Because this webhook is configured fail-closed, request should be rejected after the call fails. hook, // Register a webhook that can be probed by marker requests to detect when the configuration is ready. newValidatingIsReadyWebhookFixture(f, certCtx, servicePort), }, }) framework.ExpectNoError(err, "registering webhook config %s with namespace %s", configName, namespace) err = waitWebhookConfigurationReady(ctx, f, markersNamespaceName) framework.ExpectNoError(err, "waiting for webhook configuration to be ready") ginkgo.DeferCleanup(framework.IgnoreNotFound(f.ClientSet.AdmissionregistrationV1().ValidatingWebhookConfigurations().Delete), configName, metav1.DeleteOptions{}) } func testFailClosedWebhook(ctx context.Context, f *framework.Framework) { client := f.ClientSet ginkgo.By("create a namespace for the webhook") // failNamespace will be deleted by framework at the end of the test failNamespace, err := f.CreateNamespace(ctx, failNamespaceBaseName, map[string]string{ failNamespaceLabelKey: failNamespaceLabelValue, f.UniqueName: "true", }) framework.ExpectNoError(err, "creating namespace %q", failNamespaceBaseName) failNamespaceName := failNamespace.Name ginkgo.By("create a configmap should be unconditionally rejected by the webhook") configmap := &v1.ConfigMap{ ObjectMeta: metav1.ObjectMeta{ Name: "foo", }, } _, err = client.CoreV1().ConfigMaps(failNamespaceName).Create(ctx, configmap, metav1.CreateOptions{}) gomega.Expect(err).To(gomega.HaveOccurred(), "create configmap in namespace: %s should be unconditionally rejected by the webhook", failNamespaceName) if !apierrors.IsInternalError(err) { framework.Failf("expect an internal error, got %#v", err) } } func registerValidatingWebhookForWebhookConfigurations(ctx context.Context, f *framework.Framework, markersNamespaceName string, configName string, certCtx *certContext, servicePort int32) { var err error client := f.ClientSet ginkgo.By("Registering a validating webhook on ValidatingWebhookConfiguration and MutatingWebhookConfiguration objects, via the AdmissionRegistration API") namespace := f.Namespace.Name failurePolicy := admissionregistrationv1.Fail sideEffectsNone := admissionregistrationv1.SideEffectClassNone // This webhook denies all requests to Delete validating webhook configuration and // mutating webhook configuration objects. It should never be called, however, because // dynamic admission webhooks should not be called on requests involving webhook configuration objects. _, err = createValidatingWebhookConfiguration(ctx, f, &admissionregistrationv1.ValidatingWebhookConfiguration{ ObjectMeta: metav1.ObjectMeta{ Name: configName, }, Webhooks: []admissionregistrationv1.ValidatingWebhook{ { Name: "deny-webhook-configuration-deletions.k8s.io", Rules: []admissionregistrationv1.RuleWithOperations{{ Operations: []admissionregistrationv1.OperationType{admissionregistrationv1.Delete}, Rule: admissionregistrationv1.Rule{ APIGroups: []string{"admissionregistration.k8s.io"}, APIVersions: []string{"*"}, Resources: []string{ "validatingwebhookconfigurations", "mutatingwebhookconfigurations", }, }, }}, ClientConfig: admissionregistrationv1.WebhookClientConfig{ Service: &admissionregistrationv1.ServiceReference{ Namespace: namespace, Name: serviceName, Path: strPtr("/always-deny"), Port: pointer.Int32(servicePort), }, CABundle: certCtx.signingCert, }, SideEffects: &sideEffectsNone, AdmissionReviewVersions: []string{"v1", "v1beta1"}, FailurePolicy: &failurePolicy, // Scope the webhook to just this namespace NamespaceSelector: &metav1.LabelSelector{ MatchLabels: map[string]string{f.UniqueName: "true"}, }, }, // Register a webhook that can be probed by marker requests to detect when the configuration is ready. newValidatingIsReadyWebhookFixture(f, certCtx, servicePort), }, }) framework.ExpectNoError(err, "registering webhook config %s with namespace %s", configName, namespace) err = waitWebhookConfigurationReady(ctx, f, markersNamespaceName) framework.ExpectNoError(err, "waiting for webhook configuration to be ready") ginkgo.DeferCleanup(framework.IgnoreNotFound(client.AdmissionregistrationV1().ValidatingWebhookConfigurations().Delete), configName, metav1.DeleteOptions{}) } func registerMutatingWebhookForWebhookConfigurations(ctx context.Context, f *framework.Framework, markersNamespaceName string, configName string, certCtx *certContext, servicePort int32) { var err error client := f.ClientSet ginkgo.By("Registering a mutating webhook on ValidatingWebhookConfiguration and MutatingWebhookConfiguration objects, via the AdmissionRegistration API") namespace := f.Namespace.Name failurePolicy := admissionregistrationv1.Fail sideEffectsNone := admissionregistrationv1.SideEffectClassNone // This webhook adds a label to all requests create to validating webhook configuration and // mutating webhook configuration objects. It should never be called, however, because // dynamic admission webhooks should not be called on requests involving webhook configuration objects. _, err = createMutatingWebhookConfiguration(ctx, f, &admissionregistrationv1.MutatingWebhookConfiguration{ ObjectMeta: metav1.ObjectMeta{ Name: configName, }, Webhooks: []admissionregistrationv1.MutatingWebhook{ { Name: "add-label-to-webhook-configurations.k8s.io", Rules: []admissionregistrationv1.RuleWithOperations{{ Operations: []admissionregistrationv1.OperationType{admissionregistrationv1.Create}, Rule: admissionregistrationv1.Rule{ APIGroups: []string{"admissionregistration.k8s.io"}, APIVersions: []string{"*"}, Resources: []string{ "validatingwebhookconfigurations", "mutatingwebhookconfigurations", }, }, }}, ClientConfig: admissionregistrationv1.WebhookClientConfig{ Service: &admissionregistrationv1.ServiceReference{ Namespace: namespace, Name: serviceName, Path: strPtr("/add-label"), Port: pointer.Int32(servicePort), }, CABundle: certCtx.signingCert, }, SideEffects: &sideEffectsNone, AdmissionReviewVersions: []string{"v1", "v1beta1"}, FailurePolicy: &failurePolicy, // Scope the webhook to just this namespace NamespaceSelector: &metav1.LabelSelector{ MatchLabels: map[string]string{f.UniqueName: "true"}, }, }, // Register a webhook that can be probed by marker requests to detect when the configuration is ready. newMutatingIsReadyWebhookFixture(f, certCtx, servicePort), }, }) framework.ExpectNoError(err, "registering webhook config %s with namespace %s", configName, namespace) err = waitWebhookConfigurationReady(ctx, f, markersNamespaceName) framework.ExpectNoError(err, "waiting for webhook configuration to be ready") ginkgo.DeferCleanup(framework.IgnoreNotFound(client.AdmissionregistrationV1().MutatingWebhookConfigurations().Delete), configName, metav1.DeleteOptions{}) } // This test assumes that the deletion-rejecting webhook defined in // registerValidatingWebhookForWebhookConfigurations and the webhook-config-mutating // webhook defined in registerMutatingWebhookForWebhookConfigurations already exist. func testWebhooksForWebhookConfigurations(ctx context.Context, f *framework.Framework, markersNamespaceName string, configName string, certCtx *certContext, servicePort int32) { var err error client := f.ClientSet ginkgo.By("Creating a dummy validating-webhook-configuration object") namespace := f.Namespace.Name failurePolicy := admissionregistrationv1.Ignore sideEffectsNone := admissionregistrationv1.SideEffectClassNone mutatedValidatingWebhookConfiguration, err := createValidatingWebhookConfiguration(ctx, f, &admissionregistrationv1.ValidatingWebhookConfiguration{ ObjectMeta: metav1.ObjectMeta{ Name: configName, }, Webhooks: []admissionregistrationv1.ValidatingWebhook{ { Name: "dummy-validating-webhook.k8s.io", Rules: []admissionregistrationv1.RuleWithOperations{{ Operations: []admissionregistrationv1.OperationType{admissionregistrationv1.Create}, // This will not match any real resources so this webhook should never be called. Rule: admissionregistrationv1.Rule{ APIGroups: []string{""}, APIVersions: []string{"v1"}, Resources: []string{"invalid"}, }, }}, ClientConfig: admissionregistrationv1.WebhookClientConfig{ Service: &admissionregistrationv1.ServiceReference{ Namespace: namespace, Name: serviceName, // This path not recognized by the webhook service, // so the call to this webhook will always fail, // but because the failure policy is ignore, it will // have no effect on admission requests. Path: strPtr(""), Port: pointer.Int32(servicePort), }, CABundle: nil, }, SideEffects: &sideEffectsNone, AdmissionReviewVersions: []string{"v1", "v1beta1"}, FailurePolicy: &failurePolicy, // Scope the webhook to just this namespace NamespaceSelector: &metav1.LabelSelector{ MatchLabels: map[string]string{f.UniqueName: "true"}, }, }, // Register a webhook that can be probed by marker requests to detect when the configuration is ready. newValidatingIsReadyWebhookFixture(f, certCtx, servicePort), }, }) framework.ExpectNoError(err, "registering webhook config %s with namespace %s", configName, namespace) if mutatedValidatingWebhookConfiguration.ObjectMeta.Labels != nil && mutatedValidatingWebhookConfiguration.ObjectMeta.Labels[addedLabelKey] == addedLabelValue { framework.Failf("expected %s not to be mutated by mutating webhooks but it was", configName) } err = waitWebhookConfigurationReady(ctx, f, markersNamespaceName) framework.ExpectNoError(err, "waiting for webhook configuration to be ready") ginkgo.By("Deleting the validating-webhook-configuration, which should be possible to remove") err = client.AdmissionregistrationV1().ValidatingWebhookConfigurations().Delete(ctx, configName, metav1.DeleteOptions{}) framework.ExpectNoError(err, "deleting webhook config %s with namespace %s", configName, namespace) ginkgo.By("Creating a dummy mutating-webhook-configuration object") mutatedMutatingWebhookConfiguration, err := createMutatingWebhookConfiguration(ctx, f, &admissionregistrationv1.MutatingWebhookConfiguration{ ObjectMeta: metav1.ObjectMeta{ Name: configName, }, Webhooks: []admissionregistrationv1.MutatingWebhook{ { Name: "dummy-mutating-webhook.k8s.io", Rules: []admissionregistrationv1.RuleWithOperations{{ Operations: []admissionregistrationv1.OperationType{admissionregistrationv1.Create}, // This will not match any real resources so this webhook should never be called. Rule: admissionregistrationv1.Rule{ APIGroups: []string{""}, APIVersions: []string{"v1"}, Resources: []string{"invalid"}, }, }}, ClientConfig: admissionregistrationv1.WebhookClientConfig{ Service: &admissionregistrationv1.ServiceReference{ Namespace: namespace, Name: serviceName, // This path not recognized by the webhook service, // so the call to this webhook will always fail, // but because the failure policy is ignore, it will // have no effect on admission requests. Path: strPtr(""), Port: pointer.Int32(servicePort), }, CABundle: nil, }, SideEffects: &sideEffectsNone, AdmissionReviewVersions: []string{"v1", "v1beta1"}, FailurePolicy: &failurePolicy, // Scope the webhook to just this namespace NamespaceSelector: &metav1.LabelSelector{ MatchLabels: map[string]string{f.UniqueName: "true"}, }, }, // Register a webhook that can be probed by marker requests to detect when the configuration is ready. newMutatingIsReadyWebhookFixture(f, certCtx, servicePort), }, }) framework.ExpectNoError(err, "registering webhook config %s with namespace %s", configName, namespace) if mutatedMutatingWebhookConfiguration.ObjectMeta.Labels != nil && mutatedMutatingWebhookConfiguration.ObjectMeta.Labels[addedLabelKey] == addedLabelValue { framework.Failf("expected %s not to be mutated by mutating webhooks but it was", configName) } err = waitWebhookConfigurationReady(ctx, f, markersNamespaceName) framework.ExpectNoError(err, "waiting for webhook configuration to be ready") ginkgo.By("Deleting the mutating-webhook-configuration, which should be possible to remove") err = client.AdmissionregistrationV1().MutatingWebhookConfigurations().Delete(ctx, configName, metav1.DeleteOptions{}) framework.ExpectNoError(err, "deleting webhook config %s with namespace %s", configName, namespace) } func nonCompliantPod(f *framework.Framework) *v1.Pod { return &v1.Pod{ ObjectMeta: metav1.ObjectMeta{ Name: disallowedPodName, Labels: map[string]string{ "webhook-e2e-test": "webhook-disallow", }, }, Spec: v1.PodSpec{ Containers: []v1.Container{ { Name: "webhook-disallow", Image: imageutils.GetPauseImageName(), }, }, }, } } func hangingPod(f *framework.Framework) *v1.Pod { return &v1.Pod{ ObjectMeta: metav1.ObjectMeta{ Name: hangingPodName, Labels: map[string]string{ "webhook-e2e-test": "wait-forever", }, }, Spec: v1.PodSpec{ Containers: []v1.Container{ { Name: "wait-forever", Image: imageutils.GetPauseImageName(), }, }, }, } } func toBeAttachedPod(f *framework.Framework) *v1.Pod { return &v1.Pod{ ObjectMeta: metav1.ObjectMeta{ Name: toBeAttachedPodName, }, Spec: v1.PodSpec{ Containers: []v1.Container{ { Name: "container1", Image: imageutils.GetPauseImageName(), }, }, }, } } func nonCompliantConfigMap(f *framework.Framework) *v1.ConfigMap { return namedNonCompliantConfigMap(disallowedConfigMapName, f) } func namedNonCompliantConfigMap(name string, f *framework.Framework) *v1.ConfigMap { return &v1.ConfigMap{ ObjectMeta: metav1.ObjectMeta{ Name: name, }, Data: map[string]string{ "webhook-e2e-test": "webhook-disallow", }, } } func toBeMutatedConfigMap(f *framework.Framework) *v1.ConfigMap { return namedToBeMutatedConfigMap("to-be-mutated", f) } func namedToBeMutatedConfigMap(name string, f *framework.Framework) *v1.ConfigMap { return &v1.ConfigMap{ ObjectMeta: metav1.ObjectMeta{ Name: name, }, Data: map[string]string{ "mutation-start": "yes", }, } } func nonCompliantConfigMapPatch() string { return fmt.Sprint(`{"data":{"webhook-e2e-test":"webhook-disallow"}}`) } type updateConfigMapFn func(cm *v1.ConfigMap) func updateConfigMap(ctx context.Context, c clientset.Interface, ns, name string, update updateConfigMapFn) (*v1.ConfigMap, error) { var cm *v1.ConfigMap pollErr := wait.PollImmediate(2*time.Second, 1*time.Minute, func() (bool, error) { var err error if cm, err = c.CoreV1().ConfigMaps(ns).Get(ctx, name, metav1.GetOptions{}); err != nil { return false, err } update(cm) if cm, err = c.CoreV1().ConfigMaps(ns).Update(ctx, cm, metav1.UpdateOptions{}); err == nil { return true, nil } // Only retry update on conflict if !apierrors.IsConflict(err) { return false, err } return false, nil }) return cm, pollErr } type updateCustomResourceFn func(cm *unstructured.Unstructured) func updateCustomResource(ctx context.Context, c dynamic.ResourceInterface, ns, name string, update updateCustomResourceFn) (*unstructured.Unstructured, error) { var cr *unstructured.Unstructured pollErr := wait.PollImmediate(2*time.Second, 1*time.Minute, func() (bool, error) { var err error if cr, err = c.Get(ctx, name, metav1.GetOptions{}); err != nil { return false, err } update(cr) if cr, err = c.Update(ctx, cr, metav1.UpdateOptions{}); err == nil { return true, nil } // Only retry update on conflict if !apierrors.IsConflict(err) { return false, err } return false, nil }) return cr, pollErr } func cleanWebhookTest(ctx context.Context, client clientset.Interface, namespaceName string) { _ = client.CoreV1().Services(namespaceName).Delete(ctx, serviceName, metav1.DeleteOptions{}) _ = client.AppsV1().Deployments(namespaceName).Delete(ctx, deploymentName, metav1.DeleteOptions{}) _ = client.CoreV1().Secrets(namespaceName).Delete(ctx, secretName, metav1.DeleteOptions{}) _ = client.RbacV1().RoleBindings("kube-system").Delete(ctx, roleBindingName, metav1.DeleteOptions{}) } func registerWebhookForCustomResource(ctx context.Context, f *framework.Framework, markersNamespaceName string, configName string, certCtx *certContext, testcrd *crd.TestCrd, servicePort int32) { client := f.ClientSet ginkgo.By("Registering the custom resource webhook via the AdmissionRegistration API") namespace := f.Namespace.Name sideEffectsNone := admissionregistrationv1.SideEffectClassNone _, err := createValidatingWebhookConfiguration(ctx, f, &admissionregistrationv1.ValidatingWebhookConfiguration{ ObjectMeta: metav1.ObjectMeta{ Name: configName, }, Webhooks: []admissionregistrationv1.ValidatingWebhook{ { Name: "deny-unwanted-custom-resource-data.k8s.io", Rules: []admissionregistrationv1.RuleWithOperations{{ Operations: []admissionregistrationv1.OperationType{admissionregistrationv1.Create, admissionregistrationv1.Update, admissionregistrationv1.Delete}, Rule: admissionregistrationv1.Rule{ APIGroups: []string{testcrd.Crd.Spec.Group}, APIVersions: servedAPIVersions(testcrd.Crd), Resources: []string{testcrd.Crd.Spec.Names.Plural}, }, }}, ClientConfig: admissionregistrationv1.WebhookClientConfig{ Service: &admissionregistrationv1.ServiceReference{ Namespace: namespace, Name: serviceName, Path: strPtr("/custom-resource"), Port: pointer.Int32(servicePort), }, CABundle: certCtx.signingCert, }, SideEffects: &sideEffectsNone, AdmissionReviewVersions: []string{"v1", "v1beta1"}, // Scope the webhook to just this namespace NamespaceSelector: &metav1.LabelSelector{ MatchLabels: map[string]string{f.UniqueName: "true"}, }, }, // Register a webhook that can be probed by marker requests to detect when the configuration is ready. newValidatingIsReadyWebhookFixture(f, certCtx, servicePort), }, }) framework.ExpectNoError(err, "registering custom resource webhook config %s with namespace %s", configName, namespace) err = waitWebhookConfigurationReady(ctx, f, markersNamespaceName) framework.ExpectNoError(err, "waiting for webhook configuration to be ready") ginkgo.DeferCleanup(framework.IgnoreNotFound(client.AdmissionregistrationV1().ValidatingWebhookConfigurations().Delete), configName, metav1.DeleteOptions{}) } func registerMutatingWebhookForCustomResource(ctx context.Context, f *framework.Framework, markersNamespaceName string, configName string, certCtx *certContext, testcrd *crd.TestCrd, servicePort int32) { client := f.ClientSet ginkgo.By(fmt.Sprintf("Registering the mutating webhook for custom resource %s via the AdmissionRegistration API", testcrd.Crd.Name)) namespace := f.Namespace.Name sideEffectsNone := admissionregistrationv1.SideEffectClassNone _, err := createMutatingWebhookConfiguration(ctx, f, &admissionregistrationv1.MutatingWebhookConfiguration{ ObjectMeta: metav1.ObjectMeta{ Name: configName, }, Webhooks: []admissionregistrationv1.MutatingWebhook{ { Name: "mutate-custom-resource-data-stage-1.k8s.io", Rules: []admissionregistrationv1.RuleWithOperations{{ Operations: []admissionregistrationv1.OperationType{admissionregistrationv1.Create, admissionregistrationv1.Update}, Rule: admissionregistrationv1.Rule{ APIGroups: []string{testcrd.Crd.Spec.Group}, APIVersions: servedAPIVersions(testcrd.Crd), Resources: []string{testcrd.Crd.Spec.Names.Plural}, }, }}, ClientConfig: admissionregistrationv1.WebhookClientConfig{ Service: &admissionregistrationv1.ServiceReference{ Namespace: namespace, Name: serviceName, Path: strPtr("/mutating-custom-resource"), Port: pointer.Int32(servicePort), }, CABundle: certCtx.signingCert, }, SideEffects: &sideEffectsNone, AdmissionReviewVersions: []string{"v1", "v1beta1"}, // Scope the webhook to just this namespace NamespaceSelector: &metav1.LabelSelector{ MatchLabels: map[string]string{f.UniqueName: "true"}, }, }, { Name: "mutate-custom-resource-data-stage-2.k8s.io", Rules: []admissionregistrationv1.RuleWithOperations{{ Operations: []admissionregistrationv1.OperationType{admissionregistrationv1.Create}, Rule: admissionregistrationv1.Rule{ APIGroups: []string{testcrd.Crd.Spec.Group}, APIVersions: servedAPIVersions(testcrd.Crd), Resources: []string{testcrd.Crd.Spec.Names.Plural}, }, }}, ClientConfig: admissionregistrationv1.WebhookClientConfig{ Service: &admissionregistrationv1.ServiceReference{ Namespace: namespace, Name: serviceName, Path: strPtr("/mutating-custom-resource"), Port: pointer.Int32(servicePort), }, CABundle: certCtx.signingCert, }, SideEffects: &sideEffectsNone, AdmissionReviewVersions: []string{"v1", "v1beta1"}, // Scope the webhook to just this namespace NamespaceSelector: &metav1.LabelSelector{ MatchLabels: map[string]string{f.UniqueName: "true"}, }, }, // Register a webhook that can be probed by marker requests to detect when the configuration is ready. newMutatingIsReadyWebhookFixture(f, certCtx, servicePort), }, }) framework.ExpectNoError(err, "registering custom resource webhook config %s with namespace %s", configName, namespace) err = waitWebhookConfigurationReady(ctx, f, markersNamespaceName) framework.ExpectNoError(err, "waiting for webhook configuration to be ready") ginkgo.DeferCleanup(framework.IgnoreNotFound(client.AdmissionregistrationV1().MutatingWebhookConfigurations().Delete), configName, metav1.DeleteOptions{}) } func testCustomResourceWebhook(ctx context.Context, f *framework.Framework, crd *apiextensionsv1.CustomResourceDefinition, customResourceClient dynamic.ResourceInterface) { ginkgo.By("Creating a custom resource that should be denied by the webhook") crInstanceName := "cr-instance-1" crInstance := &unstructured.Unstructured{ Object: map[string]interface{}{ "kind": crd.Spec.Names.Kind, "apiVersion": crd.Spec.Group + "/" + crd.Spec.Versions[0].Name, "metadata": map[string]interface{}{ "name": crInstanceName, "namespace": f.Namespace.Name, }, "data": map[string]interface{}{ "webhook-e2e-test": "webhook-disallow", }, }, } _, err := customResourceClient.Create(ctx, crInstance, metav1.CreateOptions{}) gomega.Expect(err).To(gomega.HaveOccurred(), "create custom resource %s in namespace %s should be denied by webhook", crInstanceName, f.Namespace.Name) expectedErrMsg := "the custom resource contains unwanted data" if !strings.Contains(err.Error(), expectedErrMsg) { framework.Failf("expect error contains %q, got %q", expectedErrMsg, err.Error()) } } func testBlockingCustomResourceUpdateDeletion(ctx context.Context, f *framework.Framework, crd *apiextensionsv1.CustomResourceDefinition, customResourceClient dynamic.ResourceInterface) { ginkgo.By("Creating a custom resource whose deletion would be denied by the webhook") crInstanceName := "cr-instance-2" crInstance := &unstructured.Unstructured{ Object: map[string]interface{}{ "kind": crd.Spec.Names.Kind, "apiVersion": crd.Spec.Group + "/" + crd.Spec.Versions[0].Name, "metadata": map[string]interface{}{ "name": crInstanceName, "namespace": f.Namespace.Name, }, "data": map[string]interface{}{ "webhook-e2e-test": "webhook-nondeletable", }, }, } _, err := customResourceClient.Create(ctx, crInstance, metav1.CreateOptions{}) framework.ExpectNoError(err, "failed to create custom resource %s in namespace: %s", crInstanceName, f.Namespace.Name) ginkgo.By("Updating the custom resource with disallowed data should be denied") toNonCompliantFn := func(cr *unstructured.Unstructured) { if _, ok := cr.Object["data"]; !ok { cr.Object["data"] = map[string]interface{}{} } data := cr.Object["data"].(map[string]interface{}) data["webhook-e2e-test"] = "webhook-disallow" } _, err = updateCustomResource(ctx, customResourceClient, f.Namespace.Name, crInstanceName, toNonCompliantFn) gomega.Expect(err).To(gomega.HaveOccurred(), "updating custom resource %s in namespace: %s should be denied", crInstanceName, f.Namespace.Name) expectedErrMsg := "the custom resource contains unwanted data" if !strings.Contains(err.Error(), expectedErrMsg) { framework.Failf("expect error contains %q, got %q", expectedErrMsg, err.Error()) } ginkgo.By("Deleting the custom resource should be denied") err = customResourceClient.Delete(ctx, crInstanceName, metav1.DeleteOptions{}) gomega.Expect(err).To(gomega.HaveOccurred(), "deleting custom resource %s in namespace: %s should be denied", crInstanceName, f.Namespace.Name) expectedErrMsg1 := "the custom resource cannot be deleted because it contains unwanted key and value" if !strings.Contains(err.Error(), expectedErrMsg1) { framework.Failf("expect error contains %q, got %q", expectedErrMsg1, err.Error()) } ginkgo.By("Remove the offending key and value from the custom resource data") toCompliantFn := func(cr *unstructured.Unstructured) { if _, ok := cr.Object["data"]; !ok { cr.Object["data"] = map[string]interface{}{} } data := cr.Object["data"].(map[string]interface{}) data["webhook-e2e-test"] = "webhook-allow" } _, err = updateCustomResource(ctx, customResourceClient, f.Namespace.Name, crInstanceName, toCompliantFn) framework.ExpectNoError(err, "failed to update custom resource %s in namespace: %s", crInstanceName, f.Namespace.Name) ginkgo.By("Deleting the updated custom resource should be successful") err = customResourceClient.Delete(ctx, crInstanceName, metav1.DeleteOptions{}) framework.ExpectNoError(err, "failed to delete custom resource %s in namespace: %s", crInstanceName, f.Namespace.Name) } func testMutatingCustomResourceWebhook(ctx context.Context, f *framework.Framework, crd *apiextensionsv1.CustomResourceDefinition, customResourceClient dynamic.ResourceInterface, prune bool) { ginkgo.By("Creating a custom resource that should be mutated by the webhook") crName := "cr-instance-1" cr := &unstructured.Unstructured{ Object: map[string]interface{}{ "kind": crd.Spec.Names.Kind, "apiVersion": crd.Spec.Group + "/" + crd.Spec.Versions[0].Name, "metadata": map[string]interface{}{ "name": crName, "namespace": f.Namespace.Name, }, "data": map[string]interface{}{ "mutation-start": "yes", }, }, } mutatedCR, err := customResourceClient.Create(ctx, cr, metav1.CreateOptions{}) framework.ExpectNoError(err, "failed to create custom resource %s in namespace: %s", crName, f.Namespace.Name) expectedCRData := map[string]interface{}{ "mutation-start": "yes", "mutation-stage-1": "yes", } if !prune { expectedCRData["mutation-stage-2"] = "yes" } if !reflect.DeepEqual(expectedCRData, mutatedCR.Object["data"]) { framework.Failf("\nexpected %#v\n, got %#v\n", expectedCRData, mutatedCR.Object["data"]) } } func testMultiVersionCustomResourceWebhook(ctx context.Context, f *framework.Framework, testcrd *crd.TestCrd) { customResourceClient := testcrd.DynamicClients["v1"] ginkgo.By("Creating a custom resource while v1 is storage version") crName := "cr-instance-1" cr := &unstructured.Unstructured{ Object: map[string]interface{}{ "kind": testcrd.Crd.Spec.Names.Kind, "apiVersion": testcrd.Crd.Spec.Group + "/" + testcrd.Crd.Spec.Versions[0].Name, "metadata": map[string]interface{}{ "name": crName, "namespace": f.Namespace.Name, }, "data": map[string]interface{}{ "mutation-start": "yes", }, }, } _, err := customResourceClient.Create(ctx, cr, metav1.CreateOptions{}) framework.ExpectNoError(err, "failed to create custom resource %s in namespace: %s", crName, f.Namespace.Name) ginkgo.By("Patching Custom Resource Definition to set v2 as storage") apiVersionWithV2StoragePatch := `{ "spec": { "versions": [ { "name": "v1", "storage": false, "served": true, "schema": { "openAPIV3Schema": {"x-kubernetes-preserve-unknown-fields": true, "type": "object"} } }, { "name": "v2", "storage": true, "served": true, "schema": { "openAPIV3Schema": {"x-kubernetes-preserve-unknown-fields": true, "type": "object"} } } ] } }` _, err = testcrd.APIExtensionClient.ApiextensionsV1().CustomResourceDefinitions().Patch(ctx, testcrd.Crd.Name, types.StrategicMergePatchType, []byte(apiVersionWithV2StoragePatch), metav1.PatchOptions{}) framework.ExpectNoError(err, "failed to patch custom resource definition %s in namespace: %s", testcrd.Crd.Name, f.Namespace.Name) ginkgo.By("Patching the custom resource while v2 is storage version") crDummyPatch := fmt.Sprint(`[{ "op": "add", "path": "/dummy", "value": "test" }]`) mutatedCR, err := testcrd.DynamicClients["v2"].Patch(ctx, crName, types.JSONPatchType, []byte(crDummyPatch), metav1.PatchOptions{}) framework.ExpectNoError(err, "failed to patch custom resource %s in namespace: %s", crName, f.Namespace.Name) expectedCRData := map[string]interface{}{ "mutation-start": "yes", "mutation-stage-1": "yes", "mutation-stage-2": "yes", } if !reflect.DeepEqual(expectedCRData, mutatedCR.Object["data"]) { framework.Failf("\nexpected %#v\n, got %#v\n", expectedCRData, mutatedCR.Object["data"]) } if !reflect.DeepEqual("test", mutatedCR.Object["dummy"]) { framework.Failf("\nexpected %#v\n, got %#v\n", "test", mutatedCR.Object["dummy"]) } } func registerValidatingWebhookForCRD(ctx context.Context, f *framework.Framework, markersNamespaceName string, configName string, certCtx *certContext, servicePort int32) { client := f.ClientSet ginkgo.By("Registering the crd webhook via the AdmissionRegistration API") namespace := f.Namespace.Name sideEffectsNone := admissionregistrationv1.SideEffectClassNone // This webhook will deny the creation of CustomResourceDefinitions which have the // label "webhook-e2e-test":"webhook-disallow" // NOTE: Because tests are run in parallel and in an unpredictable order, it is critical // that no other test attempts to create CRD with that label. _, err := createValidatingWebhookConfiguration(ctx, f, &admissionregistrationv1.ValidatingWebhookConfiguration{ ObjectMeta: metav1.ObjectMeta{ Name: configName, }, Webhooks: []admissionregistrationv1.ValidatingWebhook{ { Name: "deny-crd-with-unwanted-label.k8s.io", Rules: []admissionregistrationv1.RuleWithOperations{{ Operations: []admissionregistrationv1.OperationType{admissionregistrationv1.Create}, Rule: admissionregistrationv1.Rule{ APIGroups: []string{"apiextensions.k8s.io"}, APIVersions: []string{"*"}, Resources: []string{"customresourcedefinitions"}, }, }}, ClientConfig: admissionregistrationv1.WebhookClientConfig{ Service: &admissionregistrationv1.ServiceReference{ Namespace: namespace, Name: serviceName, Path: strPtr("/crd"), Port: pointer.Int32(servicePort), }, CABundle: certCtx.signingCert, }, SideEffects: &sideEffectsNone, AdmissionReviewVersions: []string{"v1", "v1beta1"}, // Scope the webhook to just this test ObjectSelector: &metav1.LabelSelector{ MatchLabels: map[string]string{f.UniqueName: "true"}, }, }, // Register a webhook that can be probed by marker requests to detect when the configuration is ready. newValidatingIsReadyWebhookFixture(f, certCtx, servicePort), }, }) framework.ExpectNoError(err, "registering crd webhook config %s with namespace %s", configName, namespace) err = waitWebhookConfigurationReady(ctx, f, markersNamespaceName) framework.ExpectNoError(err, "waiting for webhook configuration to be ready") ginkgo.DeferCleanup(framework.IgnoreNotFound(client.AdmissionregistrationV1().ValidatingWebhookConfigurations().Delete), configName, metav1.DeleteOptions{}) } func testCRDDenyWebhook(ctx context.Context, f *framework.Framework) { ginkgo.By("Creating a custom resource definition that should be denied by the webhook") name := fmt.Sprintf("e2e-test-%s-%s-crd", f.BaseName, "deny") kind := fmt.Sprintf("E2e-test-%s-%s-crd", f.BaseName, "deny") group := fmt.Sprintf("%s.example.com", f.BaseName) apiVersions := []apiextensionsv1.CustomResourceDefinitionVersion{ { Name: "v1", Served: true, Storage: true, Schema: &apiextensionsv1.CustomResourceValidation{ OpenAPIV3Schema: &apiextensionsv1.JSONSchemaProps{ XPreserveUnknownFields: pointer.BoolPtr(true), Type: "object", }, }, }, } // Creating a custom resource definition for use by assorted tests. config, err := framework.LoadConfig() if err != nil { framework.Failf("failed to load config: %v", err) return } apiExtensionClient, err := crdclientset.NewForConfig(config) if err != nil { framework.Failf("failed to initialize apiExtensionClient: %v", err) return } crd := &apiextensionsv1.CustomResourceDefinition{ ObjectMeta: metav1.ObjectMeta{ Name: name + "s." + group, Labels: map[string]string{ // this label ensures our object is routed to this test's webhook f.UniqueName: "true", // this is the label the webhook disallows "webhook-e2e-test": "webhook-disallow", }, }, Spec: apiextensionsv1.CustomResourceDefinitionSpec{ Group: group, Versions: apiVersions, Names: apiextensionsv1.CustomResourceDefinitionNames{ Singular: name, Kind: kind, ListKind: kind + "List", Plural: name + "s", }, Scope: apiextensionsv1.NamespaceScoped, }, } // create CRD _, err = apiExtensionClient.ApiextensionsV1().CustomResourceDefinitions().Create(ctx, crd, metav1.CreateOptions{}) gomega.Expect(err).To(gomega.HaveOccurred(), "create custom resource definition %s should be denied by webhook", crd.Name) expectedErrMsg := "the crd contains unwanted label" if !strings.Contains(err.Error(), expectedErrMsg) { framework.Failf("expect error contains %q, got %q", expectedErrMsg, err.Error()) } } func labelNamespace(ctx context.Context, f *framework.Framework, namespace string) { client := f.ClientSet // Add a unique label to the namespace nsPatch, err := json.Marshal(map[string]interface{}{ "metadata": map[string]interface{}{ "labels": map[string]string{f.UniqueName: "true"}, }, }) framework.ExpectNoError(err, "error marshaling namespace %s", namespace) _, err = client.CoreV1().Namespaces().Patch(ctx, namespace, types.StrategicMergePatchType, nsPatch, metav1.PatchOptions{}) framework.ExpectNoError(err, "error labeling namespace %s", namespace) } func registerSlowWebhook(ctx context.Context, f *framework.Framework, markersNamespaceName string, configName string, certCtx *certContext, policy *admissionregistrationv1.FailurePolicyType, timeout *int32, servicePort int32) func(ctx context.Context) { client := f.ClientSet ginkgo.By("Registering slow webhook via the AdmissionRegistration API") namespace := f.Namespace.Name sideEffectsNone := admissionregistrationv1.SideEffectClassNone _, err := createValidatingWebhookConfiguration(ctx, f, &admissionregistrationv1.ValidatingWebhookConfiguration{ ObjectMeta: metav1.ObjectMeta{ Name: configName, }, Webhooks: []admissionregistrationv1.ValidatingWebhook{ { Name: "allow-configmap-with-delay-webhook.k8s.io", Rules: []admissionregistrationv1.RuleWithOperations{{ Operations: []admissionregistrationv1.OperationType{admissionregistrationv1.Create}, Rule: admissionregistrationv1.Rule{ APIGroups: []string{""}, APIVersions: []string{"v1"}, Resources: []string{"configmaps"}, }, }}, ClientConfig: admissionregistrationv1.WebhookClientConfig{ Service: &admissionregistrationv1.ServiceReference{ Namespace: namespace, Name: serviceName, Path: strPtr("/always-allow-delay-5s"), Port: pointer.Int32(servicePort), }, CABundle: certCtx.signingCert, }, // Scope the webhook to just this namespace NamespaceSelector: &metav1.LabelSelector{ MatchLabels: map[string]string{f.UniqueName: "true"}, }, FailurePolicy: policy, TimeoutSeconds: timeout, SideEffects: &sideEffectsNone, AdmissionReviewVersions: []string{"v1", "v1beta1"}, }, // Register a webhook that can be probed by marker requests to detect when the configuration is ready. newValidatingIsReadyWebhookFixture(f, certCtx, servicePort), }, }) framework.ExpectNoError(err, "registering slow webhook config %s with namespace %s", configName, namespace) err = waitWebhookConfigurationReady(ctx, f, markersNamespaceName) framework.ExpectNoError(err, "waiting for webhook configuration to be ready") cleanup := func(ctx context.Context) { err := client.AdmissionregistrationV1().ValidatingWebhookConfigurations().Delete(ctx, configName, metav1.DeleteOptions{}) if !apierrors.IsNotFound(err) { framework.ExpectNoError(err) } } // We clean up ourselves if the caller doesn't get to it, but we also // give the caller a chance to do it in the middle of the test. ginkgo.DeferCleanup(cleanup) return cleanup } func testSlowWebhookTimeoutFailEarly(ctx context.Context, f *framework.Framework) { ginkgo.By("Request fails when timeout (1s) is shorter than slow webhook latency (5s)") client := f.ClientSet name := "e2e-test-slow-webhook-configmap" _, err := client.CoreV1().ConfigMaps(f.Namespace.Name).Create(ctx, &v1.ConfigMap{ObjectMeta: metav1.ObjectMeta{Name: name}}, metav1.CreateOptions{}) gomega.Expect(err).To(gomega.HaveOccurred(), "create configmap in namespace %s should have timed-out reaching slow webhook", f.Namespace.Name) // http timeout message: context deadline exceeded // dial timeout message: dial tcp {address}: i/o timeout isTimeoutError := strings.Contains(err.Error(), `context deadline exceeded`) || strings.Contains(err.Error(), `timeout`) isErrorQueryingWebhook := strings.Contains(err.Error(), `/always-allow-delay-5s?timeout=1s`) if !isTimeoutError || !isErrorQueryingWebhook { framework.Failf("expect an HTTP/dial timeout error querying the slow webhook, got: %q", err.Error()) } } func testSlowWebhookTimeoutNoError(ctx context.Context, f *framework.Framework) { client := f.ClientSet name := "e2e-test-slow-webhook-configmap" _, err := client.CoreV1().ConfigMaps(f.Namespace.Name).Create(ctx, &v1.ConfigMap{ObjectMeta: metav1.ObjectMeta{Name: name}}, metav1.CreateOptions{}) framework.ExpectNoError(err) err = client.CoreV1().ConfigMaps(f.Namespace.Name).Delete(ctx, name, metav1.DeleteOptions{}) framework.ExpectNoError(err) } // createAdmissionWebhookMultiVersionTestCRDWithV1Storage creates a new CRD specifically // for the admission webhook calling test. func createAdmissionWebhookMultiVersionTestCRDWithV1Storage(f *framework.Framework, opts ...crd.Option) (*crd.TestCrd, error) { group := fmt.Sprintf("%s.example.com", f.BaseName) return crd.CreateMultiVersionTestCRD(f, group, append([]crd.Option{func(crd *apiextensionsv1.CustomResourceDefinition) { crd.Spec.Versions = []apiextensionsv1.CustomResourceDefinitionVersion{ { Name: "v1", Served: true, Storage: true, Schema: &apiextensionsv1.CustomResourceValidation{ OpenAPIV3Schema: &apiextensionsv1.JSONSchemaProps{ XPreserveUnknownFields: pointer.BoolPtr(true), Type: "object", }, }, }, { Name: "v2", Served: true, Storage: false, Schema: &apiextensionsv1.CustomResourceValidation{ OpenAPIV3Schema: &apiextensionsv1.JSONSchemaProps{ XPreserveUnknownFields: pointer.BoolPtr(true), Type: "object", }, }, }, } }}, opts...)...) } // servedAPIVersions returns the API versions served by the CRD. func servedAPIVersions(crd *apiextensionsv1.CustomResourceDefinition) []string { ret := []string{} for _, v := range crd.Spec.Versions { if v.Served { ret = append(ret, v.Name) } } return ret } // createValidatingWebhookConfiguration ensures the webhook config scopes object or namespace selection // to avoid interfering with other tests, then creates the config. func createValidatingWebhookConfiguration(ctx context.Context, f *framework.Framework, config *admissionregistrationv1.ValidatingWebhookConfiguration) (*admissionregistrationv1.ValidatingWebhookConfiguration, error) { for _, webhook := range config.Webhooks { if webhook.NamespaceSelector != nil && webhook.NamespaceSelector.MatchLabels[f.UniqueName] == "true" { continue } if webhook.ObjectSelector != nil && webhook.ObjectSelector.MatchLabels[f.UniqueName] == "true" { continue } framework.Failf(`webhook %s in config %s has no namespace or object selector with %s="true", and can interfere with other tests`, webhook.Name, config.Name, f.UniqueName) } return f.ClientSet.AdmissionregistrationV1().ValidatingWebhookConfigurations().Create(ctx, config, metav1.CreateOptions{}) } // createMutatingWebhookConfiguration ensures the webhook config scopes object or namespace selection // to avoid interfering with other tests, then creates the config. func createMutatingWebhookConfiguration(ctx context.Context, f *framework.Framework, config *admissionregistrationv1.MutatingWebhookConfiguration) (*admissionregistrationv1.MutatingWebhookConfiguration, error) { for _, webhook := range config.Webhooks { if webhook.NamespaceSelector != nil && webhook.NamespaceSelector.MatchLabels[f.UniqueName] == "true" { continue } if webhook.ObjectSelector != nil && webhook.ObjectSelector.MatchLabels[f.UniqueName] == "true" { continue } framework.Failf(`webhook %s in config %s has no namespace or object selector with %s="true", and can interfere with other tests`, webhook.Name, config.Name, f.UniqueName) } return f.ClientSet.AdmissionregistrationV1().MutatingWebhookConfigurations().Create(ctx, config, metav1.CreateOptions{}) } func newDenyPodWebhookFixture(f *framework.Framework, certCtx *certContext, servicePort int32) admissionregistrationv1.ValidatingWebhook { sideEffectsNone := admissionregistrationv1.SideEffectClassNone return admissionregistrationv1.ValidatingWebhook{ Name: "deny-unwanted-pod-container-name-and-label.k8s.io", Rules: []admissionregistrationv1.RuleWithOperations{{ Operations: []admissionregistrationv1.OperationType{admissionregistrationv1.Create}, Rule: admissionregistrationv1.Rule{ APIGroups: []string{""}, APIVersions: []string{"v1"}, Resources: []string{"pods"}, }, }}, ClientConfig: admissionregistrationv1.WebhookClientConfig{ Service: &admissionregistrationv1.ServiceReference{ Namespace: f.Namespace.Name, Name: serviceName, Path: strPtr("/pods"), Port: pointer.Int32(servicePort), }, CABundle: certCtx.signingCert, }, SideEffects: &sideEffectsNone, AdmissionReviewVersions: []string{"v1", "v1beta1"}, // Scope the webhook to just this namespace NamespaceSelector: &metav1.LabelSelector{ MatchLabels: map[string]string{f.UniqueName: "true"}, }, } } func newDenyConfigMapWebhookFixture(f *framework.Framework, certCtx *certContext, servicePort int32) admissionregistrationv1.ValidatingWebhook { sideEffectsNone := admissionregistrationv1.SideEffectClassNone return admissionregistrationv1.ValidatingWebhook{ Name: "deny-unwanted-configmap-data.k8s.io", Rules: []admissionregistrationv1.RuleWithOperations{{ Operations: []admissionregistrationv1.OperationType{admissionregistrationv1.Create, admissionregistrationv1.Update, admissionregistrationv1.Delete}, Rule: admissionregistrationv1.Rule{ APIGroups: []string{""}, APIVersions: []string{"v1"}, Resources: []string{"configmaps"}, }, }}, // The webhook skips the namespace that has label "skip-webhook-admission":"yes" NamespaceSelector: &metav1.LabelSelector{ MatchLabels: map[string]string{f.UniqueName: "true"}, MatchExpressions: []metav1.LabelSelectorRequirement{ { Key: skipNamespaceLabelKey, Operator: metav1.LabelSelectorOpNotIn, Values: []string{skipNamespaceLabelValue}, }, }, }, ClientConfig: admissionregistrationv1.WebhookClientConfig{ Service: &admissionregistrationv1.ServiceReference{ Namespace: f.Namespace.Name, Name: serviceName, Path: strPtr("/configmaps"), Port: pointer.Int32(servicePort), }, CABundle: certCtx.signingCert, }, SideEffects: &sideEffectsNone, AdmissionReviewVersions: []string{"v1", "v1beta1"}, } } func newMutateConfigMapWebhookFixture(f *framework.Framework, certCtx *certContext, stage int, servicePort int32) admissionregistrationv1.MutatingWebhook { sideEffectsNone := admissionregistrationv1.SideEffectClassNone return admissionregistrationv1.MutatingWebhook{ Name: fmt.Sprintf("adding-configmap-data-stage-%d.k8s.io", stage), Rules: []admissionregistrationv1.RuleWithOperations{{ Operations: []admissionregistrationv1.OperationType{admissionregistrationv1.Create}, Rule: admissionregistrationv1.Rule{ APIGroups: []string{""}, APIVersions: []string{"v1"}, Resources: []string{"configmaps"}, }, }}, ClientConfig: admissionregistrationv1.WebhookClientConfig{ Service: &admissionregistrationv1.ServiceReference{ Namespace: f.Namespace.Name, Name: serviceName, Path: strPtr("/mutating-configmaps"), Port: pointer.Int32(servicePort), }, CABundle: certCtx.signingCert, }, SideEffects: &sideEffectsNone, AdmissionReviewVersions: []string{"v1", "v1beta1"}, // Scope the webhook to just this namespace NamespaceSelector: &metav1.LabelSelector{ MatchLabels: map[string]string{f.UniqueName: "true"}, }, } } // createWebhookConfigurationReadyNamespace creates a separate namespace for webhook configuration ready markers to // prevent cross-talk with webhook configurations being tested. It returns the name of the created namespace. func createWebhookConfigurationReadyNamespace(ctx context.Context, f *framework.Framework) string { baseName := f.BaseName + "-markers" // the framework will taker care of deleting the namespace ns, err := f.CreateNamespace(ctx, baseName, map[string]string{ f.UniqueName + "-markers": "true", }) framework.ExpectNoError(err, "creating namespace for webhook configuration ready markers") return ns.Name } // waitWebhookConfigurationReady sends "marker" requests until a webhook configuration is ready. // A webhook created with newValidatingIsReadyWebhookFixture or newMutatingIsReadyWebhookFixture should first be added to // the webhook configuration. func waitWebhookConfigurationReady(ctx context.Context, f *framework.Framework, markersNamespaceName string) error { cmClient := f.ClientSet.CoreV1().ConfigMaps(markersNamespaceName) return wait.PollImmediate(100*time.Millisecond, 30*time.Second, func() (bool, error) { marker := &v1.ConfigMap{ ObjectMeta: metav1.ObjectMeta{ Name: string(uuid.NewUUID()), Labels: map[string]string{ f.UniqueName: "true", }, }, } _, err := cmClient.Create(ctx, marker, metav1.CreateOptions{}) if err != nil { // The always-deny webhook does not provide a reason, so check for the error string we expect if strings.Contains(err.Error(), "denied") { return true, nil } return false, err } // best effort cleanup of markers that are no longer needed _ = cmClient.Delete(ctx, marker.GetName(), metav1.DeleteOptions{}) framework.Logf("Waiting for webhook configuration to be ready...") return false, nil }) } // newValidatingIsReadyWebhookFixture creates a validating webhook that can be added to a webhook configuration and then probed // with "marker" requests via waitWebhookConfigurationReady to wait for a webhook configuration to be ready. func newValidatingIsReadyWebhookFixture(f *framework.Framework, certCtx *certContext, servicePort int32) admissionregistrationv1.ValidatingWebhook { sideEffectsNone := admissionregistrationv1.SideEffectClassNone failOpen := admissionregistrationv1.Ignore return admissionregistrationv1.ValidatingWebhook{ Name: "validating-is-webhook-configuration-ready.k8s.io", Rules: []admissionregistrationv1.RuleWithOperations{{ Operations: []admissionregistrationv1.OperationType{admissionregistrationv1.Create}, Rule: admissionregistrationv1.Rule{ APIGroups: []string{""}, APIVersions: []string{"v1"}, Resources: []string{"configmaps"}, }, }}, ClientConfig: admissionregistrationv1.WebhookClientConfig{ Service: &admissionregistrationv1.ServiceReference{ Namespace: f.Namespace.Name, Name: serviceName, Path: strPtr("/always-deny"), Port: pointer.Int32(servicePort), }, CABundle: certCtx.signingCert, }, // network failures while the service network routing is being set up should be ignored by the marker FailurePolicy: &failOpen, SideEffects: &sideEffectsNone, AdmissionReviewVersions: []string{"v1", "v1beta1"}, // Scope the webhook to just the markers namespace NamespaceSelector: &metav1.LabelSelector{ MatchLabels: map[string]string{f.UniqueName + "-markers": "true"}, }, // appease createValidatingWebhookConfiguration isolation requirements ObjectSelector: &metav1.LabelSelector{ MatchLabels: map[string]string{f.UniqueName: "true"}, }, } } // newMutatingIsReadyWebhookFixture creates a mutating webhook that can be added to a webhook configuration and then probed // with "marker" requests via waitWebhookConfigurationReady to wait for a webhook configuration to be ready. func newMutatingIsReadyWebhookFixture(f *framework.Framework, certCtx *certContext, servicePort int32) admissionregistrationv1.MutatingWebhook { sideEffectsNone := admissionregistrationv1.SideEffectClassNone failOpen := admissionregistrationv1.Ignore return admissionregistrationv1.MutatingWebhook{ Name: "mutating-is-webhook-configuration-ready.k8s.io", Rules: []admissionregistrationv1.RuleWithOperations{{ Operations: []admissionregistrationv1.OperationType{admissionregistrationv1.Create}, Rule: admissionregistrationv1.Rule{ APIGroups: []string{""}, APIVersions: []string{"v1"}, Resources: []string{"configmaps"}, }, }}, ClientConfig: admissionregistrationv1.WebhookClientConfig{ Service: &admissionregistrationv1.ServiceReference{ Namespace: f.Namespace.Name, Name: serviceName, Path: strPtr("/always-deny"), Port: pointer.Int32(servicePort), }, CABundle: certCtx.signingCert, }, // network failures while the service network routing is being set up should be ignored by the marker FailurePolicy: &failOpen, SideEffects: &sideEffectsNone, AdmissionReviewVersions: []string{"v1", "v1beta1"}, // Scope the webhook to just the markers namespace NamespaceSelector: &metav1.LabelSelector{ MatchLabels: map[string]string{f.UniqueName + "-markers": "true"}, }, // appease createMutatingWebhookConfiguration isolation requirements ObjectSelector: &metav1.LabelSelector{ MatchLabels: map[string]string{f.UniqueName: "true"}, }, } }