From 39b5c4a397d917512fa8c1c3226c6bf0e6c947c2 Mon Sep 17 00:00:00 2001
From: alex <8968914+acpana@users.noreply.github.com>
Date: Tue, 14 Nov 2023 20:27:27 -0800
Subject: [PATCH] fix: only validate gk res (#3158)

Signed-off-by: Alex Pana <8968914+acpana@users.noreply.github.com>
---
 pkg/webhook/common.go | 2 ++
 pkg/webhook/policy.go | 4 ++++
 pkg/webhook/policy_test.go | 23 +++++++++++++++++++++++
 3 files changed, 29 insertions(+)

diff --git a/pkg/webhook/common.go b/pkg/webhook/common.go
index 71f5497abe5..32f6db53d56 100644
--- a/pkg/webhook/common.go
+++ b/pkg/webhook/common.go
@@ -99,6 +99,8 @@ func (h *webhookHandler) isGatekeeperResource(req *admission.Request) bool {
 req.AdmissionRequest.Kind.Group == "constraints.gatekeeper.sh" ||
 req.AdmissionRequest.Kind.Group == mutationsGroup ||
 req.AdmissionRequest.Kind.Group == "config.gatekeeper.sh" ||
+ req.AdmissionRequest.Kind.Group == externalDataGroup ||
+ req.AdmissionRequest.Kind.Group == "expansion.gatekeeper.sh" ||
 req.AdmissionRequest.Kind.Group == "status.gatekeeper.sh" {
 return true
 }
diff --git a/pkg/webhook/policy.go b/pkg/webhook/policy.go
index cb9c707d160..f6116a19ead 100644
--- a/pkg/webhook/policy.go
+++ b/pkg/webhook/policy.go
@@ -336,6 +336,10 @@ func (h *validationHandler) getValidationMessages(res []*rtypes.Result, req *adm
 // validateGatekeeperResources returns whether an issue is user error (vs internal) and any errors
 // validating internal resources.
 func (h *validationHandler) validateGatekeeperResources(ctx context.Context, req *admission.Request) (bool, error) {
+ if !h.isGatekeeperResource(req) {
+ return false, nil
+ }
+
 if req.Operation == admissionv1.Delete && req.Name == "" {
 // Allow the general DELETE of resources like "/apis/config.gatekeeper.sh/v1alpha1/namespaces//configs"
 return true, nil
diff --git a/pkg/webhook/policy_test.go b/pkg/webhook/policy_test.go
index b2a4b8c76f7..771a1462cb4 100644
--- a/pkg/webhook/policy_test.go
+++ b/pkg/webhook/policy_test.go
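Review bot: The two added group comparisons show that this allow-list is maintained by hand and was incomplete; any Gatekeeper API group left out of it silently bypasses everything validateGatekeeperResources checks, which is exactly the failure mode this commit repairs. Consider collecting the groups into one package-level set next to `mutationsGroup`/`externalDataGroup`, e.g. `var gatekeeperGroups = map[string]struct{}{"constraints.gatekeeper.sh": {}, mutationsGroup: {}, ...}`, and having this function do a single lookup, so a new group is registered in one place; mixing the literal `"expansion.gatekeeper.sh"` with named constants also makes it easy to miss an entry when grepping. A comment above the condition, `// Every Gatekeeper API group must be listed here; an unlisted group skips Gatekeeper-resource validation entirely.`, would record the invariant. The condition begins before this hunk and isGatekeeperResource's signature is only visible in the hunk header.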
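Review bot: The doc comment directly above the new guard still describes validateGatekeeperResources only in terms of user-vs-internal errors and does not mention the early exit, so a reader cannot tell from it that `(false, nil)` now also means "not a Gatekeeper resource, nothing was inspected". Add a line after the second comment line such as `// Requests for non-Gatekeeper resources are not inspected and return (false, nil).`. If the caller of this function also gates on isGatekeeperResource (not visible here), one of the two checks should be documented as the authoritative one so they do not drift apart as groups are added. The function body continues past the end of the hunk.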
@@ -16,6 +16,7 @@ import (
 configv1alpha1 "github.com/open-policy-agent/gatekeeper/v3/apis/config/v1alpha1"
 "github.com/open-policy-agent/gatekeeper/v3/pkg/controller/config/process"
 "github.com/open-policy-agent/gatekeeper/v3/pkg/expansion"
+ "github.com/open-policy-agent/gatekeeper/v3/pkg/fakes"
 "github.com/open-policy-agent/gatekeeper/v3/pkg/mutation"
 "github.com/open-policy-agent/gatekeeper/v3/pkg/target"
 "github.com/open-policy-agent/gatekeeper/v3/pkg/wildcard"
@@ -126,6 +127,7 @@ spec:
 - apiGroups: [""]
 kinds: ["Pod"]
 `
+ nameLargerThan63 = "abignameabignameabignameabignameabignameabignameabignameabigname"
 )
 
 func validProvider() *externadatav1alpha1.Provider {
@@ -522,6 +524,27 @@ func Test_ConstrainTemplate_Name(t *testing.T) {
 require.ErrorContains(t, err, "resource cannot have metadata.name larger than 63 char")
 }
 
+func Test_NonGkResource_Name(t *testing.T) {
+ h := &validationHandler{log: log}
+ fp := fakes.Pod(fakes.WithName(nameLargerThan63))
+
+ b, err := convertToRawExtension(fp)
+ require.NoError(t, err)
+
+ review := &admission.Request{
+ AdmissionRequest: admissionv1.AdmissionRequest{
+ Kind: metav1.GroupVersionKind(fp.GroupVersionKind()),
+ Object: *b,
+ Name: fp.Name,
+ },
+ }
+
+ // since this is not a gatekeeper resource, we should not enforce the metadata.name len check
+ got, err := h.validateGatekeeperResources(context.Background(), review)
+ require.False(t, got)
+ require.NoError(t, err)
+}
+
 func TestTracing(t *testing.T) {
 tc := []struct {
 Name string
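Review bot: `Kind: metav1.GroupVersionKind(fp.GroupVersionKind())` makes the one property the test depends on, that the request's API group is not a Gatekeeper group, indirect: it is whatever TypeMeta `fakes.Pod` happens to set (not visible here), and if that fixture leaves TypeMeta empty the Kind is the zero value and the test still passes only because an empty Group matches nothing in isGatekeeperResource. Spelling it out, `Kind: metav1.GroupVersionKind{Version: "v1", Kind: "Pod"},`, documents the intent and decouples the test from the fixture. The assertions would also read better with the error checked first, `require.NoError(t, err)` before `require.False(t, got)`, since `got` carries no meaning when err is non-nil.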