github/kubernetes
4
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
d698404adc
kubernetes/pkg/apis/admissionregistration/validation/validation_test.go
Kubernetes Submit Queue 12f96e2e35 Merge pull request #51283 from caesarxuchao/fix-initializer-validate 
Automatic merge from submit-queue (batch tested with PRs 51583, 51283, 51374, 51690, 51716)

Unify initializer name validation

Unify the validation rules on initializer names. Fix https://github.com/kubernetes/kubernetes/issues/51843.

```release-note
Action required: validation rule on metadata.initializers.pending[x].name is tightened. The initializer name needs to contain at least three segments separated by dots. If you create objects with pending initializers, (i.e., not relying on apiserver adding pending initializers according to initializerconfiguration), you need to update the initializer name in existing objects and in configuration files to comply to the new validation rule.
```
2017-09-02 20:35:22 -07:00

500 lines
15 KiB
Go
Raw Blame History

/*
Copyright 2017 The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package validation
import (
"strings"
"testing"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/kubernetes/pkg/apis/admissionregistration"
)
func getInitializerConfiguration(initializers []admissionregistration.Initializer) *admissionregistration.InitializerConfiguration {
return &admissionregistration.InitializerConfiguration{
ObjectMeta: metav1.ObjectMeta{
Name: "config",
},
Initializers: initializers,
}
}
func TestValidateInitializerConfiguration(t *testing.T) {
tests := []struct {
name string
config *admissionregistration.InitializerConfiguration
expectedError string
}{
{
name: "0 rule is valid",
config: getInitializerConfiguration(
[]admissionregistration.Initializer{
{
Name: "initializer.k8s.io",
},
}),
},
{
name: "all initializers must have a fully qualified name",
config: getInitializerConfiguration(
[]admissionregistration.Initializer{
{
Name: "initializer.k8s.io",
},
{
Name: "k8s.io",
},
{
Name: "",
},
}),
expectedError: `initializers[1].name: Invalid value: "k8s.io": should be a domain with at least three segments separated by dots, initializers[2].name: Required value`,
},
{
name: "APIGroups must not be empty or nil",
config: getInitializerConfiguration(
[]admissionregistration.Initializer{
{
Name: "initializer.k8s.io",
Rules: []admissionregistration.Rule{
{
APIGroups: []string{},
APIVersions: []string{"a"},
Resources: []string{"a"},
},
{
APIGroups: nil,
APIVersions: []string{"a"},
Resources: []string{"a"},
},
},
},
}),
expectedError: `initializers[0].rules[0].apiGroups: Required value, initializers[0].rules[1].apiGroups: Required value`,
},
{
name: "APIVersions must not be empty or nil",
config: getInitializerConfiguration(
[]admissionregistration.Initializer{
{
Name: "initializer.k8s.io",
Rules: []admissionregistration.Rule{
{
APIGroups: []string{"a"},
APIVersions: []string{},
Resources: []string{"a"},
},
{
APIGroups: []string{"a"},
APIVersions: nil,
Resources: []string{"a"},
},
},
},
}),
expectedError: `initializers[0].rules[0].apiVersions: Required value, initializers[0].rules[1].apiVersions: Required value`,
},
{
name: "Resources must not be empty or nil",
config: getInitializerConfiguration(
[]admissionregistration.Initializer{
{
Name: "initializer.k8s.io",
Rules: []admissionregistration.Rule{
{
APIGroups: []string{"a"},
APIVersions: []string{"a"},
Resources: []string{},
},
{
APIGroups: []string{"a"},
APIVersions: []string{"a"},
Resources: nil,
},
},
},
}),
expectedError: `initializers[0].rules[0].resources: Required value, initializers[0].rules[1].resources: Required value`,
},
{
name: "\"\" is a valid APIGroup",
config: getInitializerConfiguration(
[]admissionregistration.Initializer{
{
Name: "initializer.k8s.io",
Rules: []admissionregistration.Rule{
{
APIGroups: []string{"a", ""},
APIVersions: []string{"a"},
Resources: []string{"a"},
},
},
},
}),
},
{
name: "\"\" is NOT a valid APIVersion",
config: getInitializerConfiguration(
[]admissionregistration.Initializer{
{
Name: "initializer.k8s.io",
Rules: []admissionregistration.Rule{
{
APIGroups: []string{"a"},
APIVersions: []string{"a", ""},
Resources: []string{"a"},
},
},
},
}),
expectedError: "apiVersions[1]: Required value",
},
{
name: "\"\" is NOT a valid Resource",
config: getInitializerConfiguration(
[]admissionregistration.Initializer{
{
Name: "initializer.k8s.io",
Rules: []admissionregistration.Rule{
{
APIGroups: []string{"a"},
APIVersions: []string{"a"},
Resources: []string{"a", ""},
},
},
},
}),
expectedError: "resources[1]: Required value",
},
{
name: "wildcard cannot be mixed with other strings for APIGroups or APIVersions or Resources",
config: getInitializerConfiguration(
[]admissionregistration.Initializer{
{
Name: "initializer.k8s.io",
Rules: []admissionregistration.Rule{
{
APIGroups: []string{"a", "*"},
APIVersions: []string{"a", "*"},
Resources: []string{"a", "*"},
},
},
},
}),
expectedError: `[initializers[0].rules[0].apiGroups: Invalid value: []string{"a", "*"}: if '*' is present, must not specify other API groups, initializers[0].rules[0].apiVersions: Invalid value: []string{"a", "*"}: if '*' is present, must not specify other API versions, initializers[0].rules[0].resources: Invalid value: []string{"a", "*"}: if '*' is present, must not specify other resources]`,
},
{
name: "Subresource not allowed",
config: getInitializerConfiguration(
[]admissionregistration.Initializer{
{
Name: "initializer.k8s.io",
Rules: []admissionregistration.Rule{
{
APIGroups: []string{"a"},
APIVersions: []string{"a"},
Resources: []string{"a/b"},
},
},
},
}),
expectedError: ` "a/b": must not specify subresources`,
},
}
for _, test := range tests {
errs := ValidateInitializerConfiguration(test.config)
err := errs.ToAggregate()
if err != nil {
if e, a := test.expectedError, err.Error(); !strings.Contains(a, e) || e == "" {
t.Errorf("test case %s, expected to contain %s, got %s", test.name, e, a)
}
} else {
if test.expectedError != "" {
t.Errorf("test case %s, unexpected no error, expected to contain %s", test.name, test.expectedError)
}
}
}
}
func getExternalAdmissionHookConfiguration(hooks []admissionregistration.ExternalAdmissionHook) *admissionregistration.ExternalAdmissionHookConfiguration {
return &admissionregistration.ExternalAdmissionHookConfiguration{
ObjectMeta: metav1.ObjectMeta{
Name: "config",
},
ExternalAdmissionHooks: hooks,
}
}
func TestValidateExternalAdmissionHookConfiguration(t *testing.T) {
tests := []struct {
name string
config *admissionregistration.ExternalAdmissionHookConfiguration
expectedError string
}{
{
name: "all ExternalAdmissionHook must have a fully qualified name",
config: getExternalAdmissionHookConfiguration(
[]admissionregistration.ExternalAdmissionHook{
{
Name: "webhook.k8s.io",
},
{
Name: "k8s.io",
},
{
Name: "",
},
}),
expectedError: `externalAdmissionHooks[1].name: Invalid value: "k8s.io": should be a domain with at least three segments separated by dots, externalAdmissionHooks[2].name: Required value`,
},
{
name: "Operations must not be empty or nil",
config: getExternalAdmissionHookConfiguration(
[]admissionregistration.ExternalAdmissionHook{
{
Name: "webhook.k8s.io",
Rules: []admissionregistration.RuleWithOperations{
{
Operations: []admissionregistration.OperationType{},
Rule: admissionregistration.Rule{
APIGroups: []string{"a"},
APIVersions: []string{"a"},
Resources: []string{"a"},
},
},
{
Operations: nil,
Rule: admissionregistration.Rule{
APIGroups: []string{"a"},
APIVersions: []string{"a"},
Resources: []string{"a"},
},
},
},
},
}),
expectedError: `externalAdmissionHooks[0].rules[0].operations: Required value, externalAdmissionHooks[0].rules[1].operations: Required value`,
},
{
name: "\"\" is NOT a valid operation",
config: getExternalAdmissionHookConfiguration(
[]admissionregistration.ExternalAdmissionHook{
{
Name: "webhook.k8s.io",
Rules: []admissionregistration.RuleWithOperations{
{
Operations: []admissionregistration.OperationType{"CREATE", ""},
Rule: admissionregistration.Rule{
APIGroups: []string{"a"},
APIVersions: []string{"a"},
Resources: []string{"a"},
},
},
},
},
}),
expectedError: `Unsupported value: ""`,
},
{
name: "operation must be either create/update/delete/connect",
config: getExternalAdmissionHookConfiguration(
[]admissionregistration.ExternalAdmissionHook{
{
Name: "webhook.k8s.io",
Rules: []admissionregistration.RuleWithOperations{
{
Operations: []admissionregistration.OperationType{"PATCH"},
Rule: admissionregistration.Rule{
APIGroups: []string{"a"},
APIVersions: []string{"a"},
Resources: []string{"a"},
},
},
},
},
}),
expectedError: `Unsupported value: "PATCH"`,
},
{
name: "wildcard operation cannot be mixed with other strings",
config: getExternalAdmissionHookConfiguration(
[]admissionregistration.ExternalAdmissionHook{
{
Name: "webhook.k8s.io",
Rules: []admissionregistration.RuleWithOperations{
{
Operations: []admissionregistration.OperationType{"CREATE", "*"},
Rule: admissionregistration.Rule{
APIGroups: []string{"a"},
APIVersions: []string{"a"},
Resources: []string{"a"},
},
},
},
},
}),
expectedError: `if '*' is present, must not specify other operations`,
},
{
name: `resource "*" can co-exist with resources that have subresources`,
config: getExternalAdmissionHookConfiguration(
[]admissionregistration.ExternalAdmissionHook{
{
Name: "webhook.k8s.io",
Rules: []admissionregistration.RuleWithOperations{
{
Operations: []admissionregistration.OperationType{"CREATE"},
Rule: admissionregistration.Rule{
APIGroups: []string{"a"},
APIVersions: []string{"a"},
Resources: []string{"*", "a/b", "a/*", "*/b"},
},
},
},
},
}),
},
{
name: `resource "*" cannot mix with resources that don't have subresources`,
config: getExternalAdmissionHookConfiguration(
[]admissionregistration.ExternalAdmissionHook{
{
Name: "webhook.k8s.io",
Rules: []admissionregistration.RuleWithOperations{
{
Operations: []admissionregistration.OperationType{"CREATE"},
Rule: admissionregistration.Rule{
APIGroups: []string{"a"},
APIVersions: []string{"a"},
Resources: []string{"*", "a"},
},
},
},
},
}),
expectedError: `if '*' is present, must not specify other resources without subresources`,
},
{
name: "resource a/* cannot mix with a/x",
config: getExternalAdmissionHookConfiguration(
[]admissionregistration.ExternalAdmissionHook{
{
Name: "webhook.k8s.io",
Rules: []admissionregistration.RuleWithOperations{
{
Operations: []admissionregistration.OperationType{"CREATE"},
Rule: admissionregistration.Rule{
APIGroups: []string{"a"},
APIVersions: []string{"a"},
Resources: []string{"a/*", "a/x"},
},
},
},
},
}),
expectedError: `externalAdmissionHooks[0].rules[0].resources[1]: Invalid value: "a/x": if 'a/*' is present, must not specify a/x`,
},
{
name: "resource a/* can mix with a",
config: getExternalAdmissionHookConfiguration(
[]admissionregistration.ExternalAdmissionHook{
{
Name: "webhook.k8s.io",
Rules: []admissionregistration.RuleWithOperations{
{
Operations: []admissionregistration.OperationType{"CREATE"},
Rule: admissionregistration.Rule{
APIGroups: []string{"a"},
APIVersions: []string{"a"},
Resources: []string{"a/*", "a"},
},
},
},
},
}),
},
{
name: "resource */a cannot mix with x/a",
config: getExternalAdmissionHookConfiguration(
[]admissionregistration.ExternalAdmissionHook{
{
Name: "webhook.k8s.io",
Rules: []admissionregistration.RuleWithOperations{
{
Operations: []admissionregistration.OperationType{"CREATE"},
Rule: admissionregistration.Rule{
APIGroups: []string{"a"},
APIVersions: []string{"a"},
Resources: []string{"*/a", "x/a"},
},
},
},
},
}),
expectedError: `externalAdmissionHooks[0].rules[0].resources[1]: Invalid value: "x/a": if '*/a' is present, must not specify x/a`,
},
{
name: "resource */* cannot mix with other resources",
config: getExternalAdmissionHookConfiguration(
[]admissionregistration.ExternalAdmissionHook{
{
Name: "webhook.k8s.io",
Rules: []admissionregistration.RuleWithOperations{
{
Operations: []admissionregistration.OperationType{"CREATE"},
Rule: admissionregistration.Rule{
APIGroups: []string{"a"},
APIVersions: []string{"a"},
Resources: []string{"*/*", "a"},
},
},
},
},
}),
expectedError: `externalAdmissionHooks[0].rules[0].resources: Invalid value: []string{"*/*", "a"}: if '*/*' is present, must not specify other resources`,
},
{
name: "FailurePolicy can only be \"Ignore\"",
config: getExternalAdmissionHookConfiguration(
[]admissionregistration.ExternalAdmissionHook{
{
Name: "webhook.k8s.io",
FailurePolicy: func() *admissionregistration.FailurePolicyType {
r := admissionregistration.Fail
return &r
}(),
},
}),
expectedError: `failurePolicy: Unsupported value: "Fail": supported values: Ignore`,
},
}
for _, test := range tests {
errs := ValidateExternalAdmissionHookConfiguration(test.config)
err := errs.ToAggregate()
if err != nil {
if e, a := test.expectedError, err.Error(); !strings.Contains(a, e) || e == "" {
t.Errorf("test case %s, expected to contain %s, got %s", test.name, e, a)
}
} else {
if test.expectedError != "" {
t.Errorf("test case %s, unexpected no error, expected to contain %s", test.name, test.expectedError)
}
}
}
}
Reference in New Issue View Git Blame Copy Permalink