Alexander Zielenski
b636984004
test: remove unnecessary skip healthz check from test
...
snuck in there while I was working on the test, but is ultimately not necessary to test the functionality.
skipping healthz check resulted in leaking goroutines from poststarthooks.
2024-02-01 14:50:54 -08:00
Alexander Zielenski
71559bd026
bugfix: don't skip reconcile for unchanged policy if last sync failed
2024-01-29 11:16:59 -08:00
carlory
57a5db8da3
remove feature-gate APISelfSubjectReview
2023-11-24 16:59:21 +08:00
Jiahui Feng
e4776e0f85
avoid infinite recursion for type resolvers.
2023-10-31 10:23:50 -07:00
Jiahui Feng
3f73cdcf2a
extend SchemaResolver for more types of schemas.
2023-10-26 10:25:41 -07:00
Alexander Zielenski
3b9af47118
add admission policy integration test all resources
...
duplicates a lot of existing webhook integration test code
2023-07-24 10:54:54 -07:00
Alexander Zielenski
d647958744
update codegen
2023-07-21 13:56:23 -07:00
Alexander Zielenski
ef8670c946
refactor: replace usage of v1alpha1 with v1beta1
...
v1alpha -> v1beta
fill in DenyAction where there is no ParameterNotFoundAction
2023-07-21 13:41:24 -07:00
Alexander Zielenski
b5e9e0168c
feature: add multiple params capability to VAP controller
2023-07-20 09:30:10 -07:00
Cici Huang
13172cba5c
ValidatingAdmissionPolicy: support namespace access (#118267)
...
* Support namespace access from cel expression in validatingadmissionpolicy.
* Whitelist the exposed fields in namespace object and add test
* better handling of cluster-scoped resources.
* [API REVIEW] namespaceObject in Expression doc.
* compatibility with composition.
* generated: ./hack/update-codegen.sh && ./hack/update-openapi-spec.sh
* workaround namespace of namespace is unexpectedly set.
* basic test coverage for namespaceObject.
---------
Co-authored-by: Jiahui Feng <jhf@google.com>
2023-07-14 17:53:08 -07:00
Jiahui Feng
049614f884
ValidatingAdmissionPolicy controller for Type Checking (#117377)
...
* [API REVIEW] ValidatingAdmissionPolicyStatusController config.
worker count.
* ValidatingAdmissionPolicyStatus controller.
* remove CEL typechecking from API server.
* fix initializer tests.
* remove type checking integration tests
from API server integration tests.
* validatingadmissionpolicy-status options.
* grant access to VAP controller.
* add defaulting unit test.
* generated: ./hack/update-codegen.sh
* add OWNERS for VAP status controller.
* type checking test case.
2023-07-13 13:41:50 -07:00
Ben Luddy
f1700e4b95
Cache authz decisions within validating policy admission.
...
This avoids the surprise of identical authorization checks within a
policy evaluating to different decisions during the same admission
pass, and reduces the overhead of repeatedly referencing the same
authorization check.
2023-06-28 15:30:04 -04:00
Joe Betz
68901de898
Enable optionals and add tests
2023-05-31 18:36:50 -04:00
Joe Betz
e740f8340e
Introduce CEL EnvSets for managing safe rollout of new CEL features, libraries and expression variables
2023-05-08 11:52:31 -04:00
Jiahui Feng
0a954cc10d
always get fresh object before updating.
2023-03-08 15:17:58 -08:00
Jiahui Feng
feb18b3f5f
implementing type checking
...
with multi-type support.
2023-03-07 15:49:19 -08:00
Joe Betz
c2b3871502
Add integration tests
2023-03-06 21:51:33 -05:00
Joe Betz
4d30c43494
Add integration tests for secondary authz
2023-03-06 12:08:53 -05:00
Jiahui Feng
5c6d8a939c
add int. test for CEL type resolution.
2022-12-14 09:19:36 -08:00
Kermit Alexander II
19242ec349
Add TestBindingRemoval.
2022-11-17 02:10:07 +00:00
Kermit Alexander II
cd3d014614
Add TestCRDParams.
2022-11-17 02:09:47 +00:00
Andrew Sy Kim
34a2d265d7
test/integration/apiserver/cel: update createAndWaitReady to retry on error including 'not yet synced to use for admission'
...
Signed-off-by: Andrew Sy Kim <andrewsy@google.com>
2022-11-14 22:27:16 -05:00
Andrew Sy Kim
7127f565f6
test/integration/apiserver/cel: add Test_ValidatingAdmissionPolicy_UpdateParamResource
...
Signed-off-by: Andrew Sy Kim <andrewsy@google.com>
2022-11-14 21:48:12 -05:00
Andrew Sy Kim
0fb038fb15
test/integration/apiserver/cel: add lifecycle tests for deleting/recreating policy, policy bindings, and param resources
...
Signed-off-by: Andrew Sy Kim <andrewsy@google.com>
2022-11-14 21:48:12 -05:00
Andrew Sy Kim
3f477f847d
test/integration/apiserver/cel: update feature gate name CELValidatingAdmission -> ValidatingAdmissionPolicy
...
Signed-off-by: Andrew Sy Kim <andrewsy@google.com>
2022-11-14 21:48:12 -05:00
Andrew Sy Kim
38d884580b
test/integration/apiserver/cel: add tests for match resources and match policy
...
Signed-off-by: Andrew Sy Kim <andrewsy@google.com>
2022-11-14 21:48:12 -05:00
Andrew Sy Kim
894063908f
test/integration/apiserver/cel: add additional test cases to Test_ValidateNamespace_NoParams for unguarded params
...
Signed-off-by: Andrew Sy Kim <andrewsy@google.com>
2022-11-14 11:03:52 -05:00
Andrew Sy Kim
e2ce260f7a
test/integration/apiserver/cel: add Test_ValidatingAdmissionPolicy_UpdateParamRef
...
Signed-off-by: Andrew Sy Kim <andrewsy@google.com>
2022-11-14 11:03:52 -05:00
Andrew Sy Kim
cbcc22eb9c
test/integration/apiserver/cel: add Test_ValidatingAdmissionPolicy_UpdateParamKind
...
Signed-off-by: Andrew Sy Kim <andrewsy@google.com>
2022-11-14 11:03:52 -05:00
Andrew Sy Kim
3d30b97cd8
test/integration/apiserver/cel: add Test_PolicyExemption
...
Signed-off-by: Andrew Sy Kim <andrewsy@google.com>
2022-11-14 11:03:52 -05:00
Cici Huang
2973712486
Rename FG to ValidatingAdmissionPolicy
2022-11-10 03:37:35 +00:00
Cici Huang
d86cfa9854
Add integration test.
...
Co-authored-by: Kermit Alexander II <kermitalexandr@google.com>
2022-11-07 21:35:58 +00:00