mirrors/kyverno
mirrors/kyverno
1
0
Fork 0
mirror of https://github.com/kyverno/kyverno.git synced 2025-03-06 07:57:07 +00:00
Code Activity
kyverno/pkg/webhookconfig/configmanager_test.go

144 lines
4.4 KiB
Go
Raw Normal View History

Fix check for generated webhook rules being equal to what the API server has (#3407) * Add webhookRulesEqual function and test Signed-off-by: Thomas Hartland <thomas.hartland@diamond.ac.uk> * Handle edge cases in webhookRulesEqual function Signed-off-by: Thomas Hartland <thomas.hartland@diamond.ac.uk>
2022-03-21 12:41:53 +00:00
package webhookconfig
import (
"testing"
"gotest.tools/assert"
)
var (
emptyInternalRules []interface{}
emptyAPIRules []interface{}
configmapsInternalRules []interface{}
configmapsAPIRules []interface{}
configmapsSecretsInternalRules []interface{}
configmapsSecretsAPIRules []interface{}
secretsConfigmapsInternalRules []interface{}
secretsConfigmapsAPIRules []interface{}
badAPIRules []interface{}
)
func init() {
// No rules.
// Internal representation is a rule with no selectors.
// API server representation is no rule (nil).
emptyInternalRules = []interface{}{map[string]interface{}{}}
emptyAPIRules = nil
// Rule selecting configmaps.
// API server representation matches the internal
// representation but has extra fields "operations" and "scope",
// and is of interface types instead of strings.
configmapsInternalRules = []interface{}{
map[string]interface{}{
"apiGroups": []string{""},
"apiVersions": []string{"v1"},
"resources": []string{"configmaps"},
},
}
configmapsAPIRules = []interface{}{
map[string]interface{}{
"apiGroups": []interface{}{""},
"apiVersions": []interface{}{"v1"},
"resources": []interface{}{"configmaps"},
"operations": []interface{}{"CREATE", "UPDATE", "DELETE", "CONNECT"},
"scope": "*",
},
}
// Rule selecting configmaps and secrets.
// API server representation matches the internal
// representation but has extra fields "operations" and "scope",
// and is of interface types instead of strings.
configmapsSecretsInternalRules = []interface{}{
map[string]interface{}{
"apiGroups": []string{""},
"apiVersions": []string{"v1"},
"resources": []string{"configmaps", "secrets"},
},
}
configmapsSecretsAPIRules = []interface{}{
map[string]interface{}{
"apiGroups": []interface{}{""},
"apiVersions": []interface{}{"v1"},
"resources": []interface{}{"configmaps", "secrets"},
"operations": []interface{}{"CREATE", "UPDATE", "DELETE", "CONNECT"},
"scope": "*",
},
}
// Same as previous but reversing the order of configmaps and secrets.
secretsConfigmapsInternalRules = []interface{}{
map[string]interface{}{
"apiGroups": []string{""},
"apiVersions": []string{"v1"},
"resources": []string{"secrets", "configmaps"},
},
}
secretsConfigmapsAPIRules = []interface{}{
map[string]interface{}{
"apiGroups": []interface{}{""},
"apiVersions": []interface{}{"v1"},
"resources": []interface{}{"secrets", "configmaps"},
"operations": []interface{}{"CREATE", "UPDATE", "DELETE", "CONNECT"},
"scope": "*",
},
}
// API rules with missing fields.
badAPIRules = []interface{}{
map[string]interface{}{
"apiGroups": []interface{}{""},
},
}
}
func TestRulesEqual(t *testing.T) {
tests := []struct {
name string
internal []interface{}
apiserver []interface{}
equal bool
shouldErr bool
}{
// Both empty. Should be equal.
{"empty-equal", emptyInternalRules, emptyAPIRules, true, false},
// Both rules select configmaps. Should be equal.
{"configmaps-equal", configmapsInternalRules, configmapsAPIRules, true, false},
// Both rules select configmaps and secrets. Should be equal.
{"cm-secrets-equal", configmapsSecretsInternalRules, configmapsSecretsAPIRules, true, false},
// Both rules select secrets and configmaps (reversed compared to previous). Should be equal.
{"secrets-cm-equal", secretsConfigmapsInternalRules, secretsConfigmapsAPIRules, true, false},
fix: webhooks are not configured correctly (#3660) * Fix webhook rules equality when internal is empty The current implementation of the 'webhookRulesEqual' didn't check for the corner case were both the internal representation and the API have length of one, but the internal representation has 1 rule with no selectors. In this case the 'webhookRulesEqual' should return false, as the 2 configurations are not the same. Signed-off-by: Ioannis Bouloumpasis <buluba@arrikto.com> * Fix tests Add a small time delay when checking if a Policy is ready in tests to ensure that the Policy is actually ready. Signed-off-by: Ioannis Bouloumpasis <buluba@arrikto.com>
2022-04-25 18:19:39 +03:00
// Internal empty, API has one rule. Not equal.
{"internal-empty-api-single", emptyInternalRules, configmapsSecretsAPIRules, false, false},
Fix check for generated webhook rules being equal to what the API server has (#3407) * Add webhookRulesEqual function and test Signed-off-by: Thomas Hartland <thomas.hartland@diamond.ac.uk> * Handle edge cases in webhookRulesEqual function Signed-off-by: Thomas Hartland <thomas.hartland@diamond.ac.uk>
2022-03-21 12:41:53 +00:00
// Internal is updated from nothing to configmaps. Not equal.
{"add-configmaps", configmapsInternalRules, emptyAPIRules, false, false},
// Internal is updated from configmaps to configmaps and secrets. Not equal.
{"add-secrets", configmapsSecretsInternalRules, configmapsAPIRules, false, false},
// Order of configmaps and secrets is switched. Not equal.
{"order-switched", configmapsSecretsInternalRules, secretsConfigmapsAPIRules, false, false},
// Malformed API rules, if modified by user or something like that. Not equal.
{"bad-api-rules", configmapsInternalRules, badAPIRules, false, false},
}
for _, test := range tests {
t.Run(test.name, func(t *testing.T) {
equal, err := webhookRulesEqual(test.apiserver, test.internal)
assert.Equal(t, err != nil, test.shouldErr)
assert.Equal(t, equal, test.equal)
})
}
}
Copy permalink