mirror of https://github.com/kyverno/kyverno.git synced 2025-01-20 18:52:16 +00:00

fix: skip rules without operation in resource webhook creation (#10146)

* fix: skip rules without operation in resource webhook creation

Signed-off-by: Norwin Schnyder <norwin.schnyder+github@gmail.com>

* test: add unit test for buildRulesWithOperations

Signed-off-by: Norwin Schnyder <norwin.schnyder+github@gmail.com>

* fix linting issues

Signed-off-by: Norwin Schnyder <norwin.schnyder+github@gmail.com>

---------

Signed-off-by: Norwin Schnyder <norwin.schnyder+github@gmail.com>
Co-authored-by: shuting <shuting@nirmata.com>
Norwin Schnyder 2024-04-30 19:05:44 +02:00 committed by GitHub
parent e66a550560
commit 5d50022f43
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
2 changed files with 66 additions and 1 deletions


@ -80,6 +80,12 @@ func (wh *webhook) buildRulesWithOperations(final map[string][]admissionregistra
if (gv.Group == "" || gv.Group == "*") && (gv.Version == "v1" || gv.Version == "*") && (resources.Has("pods") || resources.Has("*")) {
resources.Insert("pods/ephemeralcontainers")
}
operations := findKeyContainingSubstring(final, firstResource, defaultOpn)
if len(operations) == 0 {
continue
}
rules = append(rules, admissionregistrationv1.RuleWithOperations{
Rule: admissionregistrationv1.Rule{
APIGroups: []string{gv.Group},
@ -87,7 +93,7 @@ func (wh *webhook) buildRulesWithOperations(final map[string][]admissionregistra
Resources: sets.List(resources),
Scope: ptr.To(gv.scopeType),
},
Operations: findKeyContainingSubstring(final, firstResource, defaultOpn),
Operations: operations,
})
}
less := func(a []string, b []string) (int, bool) {
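Review bot: The new `continue` drops the whole group/version/scope entry based on the operations resolved for `firstResource` alone. If that one resource maps to an empty operation list while other resources in the same set still need admission review, none of them would be registered with the webhook and policies on them would silently stop being enforced. `firstResource` is assigned outside this hunk, so this is inferred from the call shown; it is worth confirming that an empty result can only occur when no resource in the set has operations. Either way the skip deserves a why-comment such as `// no operations resolved for this entry: leave it out of the webhook rules`, because the resulting change in webhook coverage is otherwise invisible to a reader of buildRulesWithOperations.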


@ -10,7 +10,10 @@ import (
"github.com/kyverno/kyverno/pkg/autogen"
"gotest.tools/assert"
admissionregistrationv1 "k8s.io/api/admissionregistration/v1"
corev1 "k8s.io/api/core/v1"
"k8s.io/apimachinery/pkg/runtime/schema"
"k8s.io/apimachinery/pkg/util/sets"
"k8s.io/utils/ptr"
)
func Test_webhook_isEmpty(t *testing.T) {
@ -361,3 +364,59 @@ func TestComputeOperationsForValidatingWebhookConf(t *testing.T) {
})
}
}
func TestBuildRulesWithOperations(t *testing.T) {
testCases := []struct {
name string
rules map[groupVersionScope]sets.Set[string]
mapResourceToOpnType map[string][]admissionregistrationv1.OperationType
expectedResult []admissionregistrationv1.RuleWithOperations
}{
{
name: "Test Case 1",
rules: map[groupVersionScope]sets.Set[string]{
groupVersionScope{
GroupVersion: corev1.SchemeGroupVersion,
scopeType: admissionregistrationv1.AllScopes,
}: {
"namespaces": sets.Empty{},
},
groupVersionScope{
GroupVersion: corev1.SchemeGroupVersion,
scopeType: admissionregistrationv1.NamespacedScope,
}: {
"pods": sets.Empty{},
"configmaps": sets.Empty{},
},
},
mapResourceToOpnType: map[string][]admissionregistrationv1.OperationType{
"Namespace": {},
"Pod": {webhookCreate, webhookUpdate},
},
expectedResult: []admissionregistrationv1.RuleWithOperations{
{
Operations: []admissionregistrationv1.OperationType{webhookCreate, webhookUpdate},
Rule: admissionregistrationv1.Rule{
APIGroups: []string{""},
APIVersions: []string{"v1"},
Resources: []string{"configmaps", "pods", "pods/ephemeralcontainers"},
Scope: ptr.To(admissionregistrationv1.NamespacedScope),
},
},
},
},
}
for _, testCase := range testCases {
t.Run(testCase.name, func(t *testing.T) {
wh := &webhook{
rules: testCase.rules,
}
result := wh.buildRulesWithOperations(testCase.mapResourceToOpnType, []admissionregistrationv1.OperationType{webhookCreate, webhookUpdate})
if !reflect.DeepEqual(result, testCase.expectedResult) {
t.Errorf("Expected %v, but got %v", testCase.expectedResult, result)
}
})
}
}
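Review bot: The single case, named `Test Case 1`, only pins the path where an entry whose resource maps to `{}` is dropped. It does not cover a set whose first resource resolves to no operations while another resource in the same set has some, which is the situation where the new skip could remove webhook coverage that policies depend on. Adding that case, plus one where every entry is skipped, would fix what the function returns when nothing can be registered. A descriptive name such as `name: "skips resources without operations"` would also make a failing run readable.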