Merge pull request #338 from raulcabello/controller-bug

fix: exclude kubewarden namespace in webhooks
kubewarden · Nov 7, 2022 · 2d74983 · 2d74983
2 parents aa2d643 + a878f9c
commit 2d74983
Show file tree

Hide file tree

Showing 6 changed files with 78 additions and 5 deletions.
diff --git a/apis/policies/v1/admissionpolicy_types.go b/apis/policies/v1/admissionpolicy_types.go
@@ -115,7 +115,7 @@ func (r *AdmissionPolicy) GetMatchPolicy() *admissionregistrationv1.MatchPolicyT
 }
 
 // GetNamespaceSelector returns the namespace of the AdmissionPolicy since it is the only namespace we want the policy to be applied to.
-func (r *AdmissionPolicy) GetNamespaceSelector() *metav1.LabelSelector {
+func (r *AdmissionPolicy) GetUpdatedNamespaceSelector(string) *metav1.LabelSelector {
 	return &metav1.LabelSelector{
 		MatchLabels: map[string]string{"kubernetes.io/metadata.name": r.ObjectMeta.Namespace},
 	}

diff --git a/apis/policies/v1/clusteradmissionpolicy_types.go b/apis/policies/v1/clusteradmissionpolicy_types.go
@@ -151,7 +151,24 @@ func (r *ClusterAdmissionPolicy) GetRules() []admissionregistrationv1.RuleWithOp
 	return r.Spec.Rules
 }
 
-func (r *ClusterAdmissionPolicy) GetNamespaceSelector() *metav1.LabelSelector {
+func (r *ClusterAdmissionPolicy) GetUpdatedNamespaceSelector(deploymentNamespace string) *metav1.LabelSelector {
+	// exclude namespace where kubewarden was deployed
+	if r.Spec.NamespaceSelector != nil {
+		r.Spec.NamespaceSelector.MatchExpressions = append(r.Spec.NamespaceSelector.MatchExpressions, metav1.LabelSelectorRequirement{
+			Key:      "kubernetes.io/metadata.name",
+			Operator: "NotIn",
+			Values:   []string{deploymentNamespace},
+		})
+	} else {
+		r.Spec.NamespaceSelector = &metav1.LabelSelector{
+			MatchExpressions: []metav1.LabelSelectorRequirement{{
+				Key:      "kubernetes.io/metadata.name",
+				Operator: "NotIn",
+				Values:   []string{deploymentNamespace},
+			}},
+		}
+	}
+
 	return r.Spec.NamespaceSelector
 }
 

diff --git a/apis/policies/v1/clusteradmissionpolicy_types_test.go b/apis/policies/v1/clusteradmissionpolicy_types_test.go
@@ -0,0 +1,56 @@
+package v1
+
+import (
+	"testing"
+
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+func TestGetNamespaceSelectorWithEmptyNamespaceSelector(t *testing.T) {
+	kubewardenNs := "kubewarden"
+	c := ClusterAdmissionPolicy{}
+	nsSelector := c.GetUpdatedNamespaceSelector(kubewardenNs)
+	isKubewardenNsFound := isNamespaceFoundInSelector(nsSelector, kubewardenNs)
+
+	if !isKubewardenNsFound {
+		t.Errorf("Kubewarden namespace not added to namespace selector")
+	}
+}
+
+func TestGetNamespaceSelectorWithExistingMatchExpressions(t *testing.T) {
+	kubewardenNs := "kubewarden"
+	policy := ClusterAdmissionPolicy{
+		Spec: ClusterAdmissionPolicySpec{
+			NamespaceSelector: &v1.LabelSelector{
+				MatchExpressions: []v1.LabelSelectorRequirement{
+					{
+						Key:      "In",
+						Operator: "kubernetes.io/metadata.name",
+						Values:   []string{"foo"},
+					},
+				},
+			},
+		},
+	}
+	nsSelector := policy.GetUpdatedNamespaceSelector(kubewardenNs)
+	isKubewardenNsFound := isNamespaceFoundInSelector(nsSelector, kubewardenNs)
+
+	if !isKubewardenNsFound {
+		t.Errorf("Kubewarden namespace not added to namespace selector")
+	}
+}
+
+func isNamespaceFoundInSelector(selector *v1.LabelSelector, namespace string) bool {
+	isKubewardenNsFound := false
+
+	for _, matchExpression := range selector.MatchExpressions {
+		if len(matchExpression.Values) == 1 &&
+			matchExpression.Values[0] == namespace &&
+			matchExpression.Key == "kubernetes.io/metadata.name" &&
+			matchExpression.Operator == "NotIn" {
+			isKubewardenNsFound = true
+		}
+	}
+
+	return isKubewardenNsFound
+}
diff --git a/apis/policies/v1/policy.go b/apis/policies/v1/policy.go
@@ -90,7 +90,7 @@ type Policy interface {
 	GetRules() []admissionregistrationv1.RuleWithOperations
 	GetFailurePolicy() *admissionregistrationv1.FailurePolicyType
 	GetMatchPolicy() *admissionregistrationv1.MatchPolicyType
-	GetNamespaceSelector() *metav1.LabelSelector
+	GetUpdatedNamespaceSelector(deploymentNamespace string) *metav1.LabelSelector
 	GetObjectSelector() *metav1.LabelSelector
 	GetTimeoutSeconds() *int32
 	GetObjectMeta() *metav1.ObjectMeta

diff --git a/internal/pkg/admission/mutating-webhook.go b/internal/pkg/admission/mutating-webhook.go
@@ -95,7 +95,7 @@ func (r *Reconciler) mutatingWebhookConfiguration(
 				Rules:                   policy.GetRules(),
 				FailurePolicy:           policy.GetFailurePolicy(),
 				MatchPolicy:             policy.GetMatchPolicy(),
-				NamespaceSelector:       policy.GetNamespaceSelector(),
+				NamespaceSelector:       policy.GetUpdatedNamespaceSelector(r.DeploymentsNamespace),
 				ObjectSelector:          policy.GetObjectSelector(),
 				SideEffects:             sideEffects,
 				TimeoutSeconds:          policy.GetTimeoutSeconds(),

diff --git a/internal/pkg/admission/validating-webhook.go b/internal/pkg/admission/validating-webhook.go
@@ -95,7 +95,7 @@ func (r *Reconciler) validatingWebhookConfiguration(
 				Rules:                   policy.GetRules(),
 				FailurePolicy:           policy.GetFailurePolicy(),
 				MatchPolicy:             policy.GetMatchPolicy(),
-				NamespaceSelector:       policy.GetNamespaceSelector(),
+				NamespaceSelector:       policy.GetUpdatedNamespaceSelector(r.DeploymentsNamespace),
 				ObjectSelector:          policy.GetObjectSelector(),
 				SideEffects:             sideEffects,
 				TimeoutSeconds:          policy.GetTimeoutSeconds(),