diff --git a/api/policies/v1/admissionpolicy_webhook_test.go b/api/policies/v1/admissionpolicy_webhook_test.go index 2ecc992f..979ed822 100644 --- a/api/policies/v1/admissionpolicy_webhook_test.go +++ b/api/policies/v1/admissionpolicy_webhook_test.go @@ -23,7 +23,7 @@ import ( ) func TestAdmissionPolicyDefault(t *testing.T) { - policy := admissionPolicyFactory() + policy := AdmissionPolicy{} policy.Default() require.Equal(t, constants.DefaultPolicyServer, policy.GetPolicyServer()) @@ -31,23 +31,23 @@ func TestAdmissionPolicyDefault(t *testing.T) { } func TestAdmissionPolicyValidateCreate(t *testing.T) { - policy := admissionPolicyFactory() + policy := NewAdmissionPolicyFactory().Build() warnings, err := policy.ValidateCreate() require.NoError(t, err) require.Empty(t, warnings) } func TestAdmissionPolicyValidateUpdate(t *testing.T) { - oldPolicy := admissionPolicyFactory() - newPolicy := admissionPolicyFactory() + oldPolicy := NewAdmissionPolicyFactory().Build() + newPolicy := NewAdmissionPolicyFactory().Build() warnings, err := newPolicy.ValidateUpdate(oldPolicy) require.NoError(t, err) require.Empty(t, warnings) } func TestAdmissionPolicyValidateUpdateWithInvalidOldPolicy(t *testing.T) { - oldPolicy := clusterAdmissionPolicyFactory(nil, nil, "", "protect") - newPolicy := admissionPolicyFactory() + oldPolicy := NewClusterAdmissionPolicyFactory().Build() + newPolicy := NewAdmissionPolicyFactory().Build() warnings, err := newPolicy.ValidateUpdate(oldPolicy) require.Empty(t, warnings) require.ErrorContains(t, err, "object is not of type AdmissionPolicy") diff --git a/api/policies/v1/admissionpolicygroup_webhook_test.go b/api/policies/v1/admissionpolicygroup_webhook_test.go index 802d462e..f2783f88 100644 --- a/api/policies/v1/admissionpolicygroup_webhook_test.go +++ b/api/policies/v1/admissionpolicygroup_webhook_test.go @@ -23,7 +23,7 @@ import ( ) func TestAdmissionPolicyGroupDefault(t *testing.T) { - policy := admissionPolicyGroupFactory() + policy := AdmissionPolicyGroup{} policy.Default() require.Equal(t, constants.DefaultPolicyServer, policy.GetPolicyServer()) @@ -31,14 +31,14 @@ func TestAdmissionPolicyGroupDefault(t *testing.T) { } func TestAdmissionPolicyGroupValidateCreate(t *testing.T) { - policy := admissionPolicyGroupFactory() + policy := NewAdmissionPolicyGroupFactory().Build() warnings, err := policy.ValidateCreate() require.NoError(t, err) require.Empty(t, warnings) } func TestClusterAdmissionPolicyValidateCreateWithNoMembers(t *testing.T) { - policy := admissionPolicyGroupFactory() + policy := NewAdmissionPolicyGroupFactory().Build() policy.Spec.Policies = nil warnings, err := policy.ValidateCreate() require.Error(t, err) @@ -47,16 +47,16 @@ func TestClusterAdmissionPolicyValidateCreateWithNoMembers(t *testing.T) { } func TestAdmissionPolicyGroupValidateUpdate(t *testing.T) { - oldPolicy := admissionPolicyGroupFactory() - newPolicy := admissionPolicyGroupFactory() + oldPolicy := NewAdmissionPolicyGroupFactory().Build() + newPolicy := NewAdmissionPolicyGroupFactory().Build() warnings, err := newPolicy.ValidateUpdate(oldPolicy) require.NoError(t, err) require.Empty(t, warnings) } func TestAdmissionPolicyGroupValidateUpdateWithInvalidOldPolicy(t *testing.T) { - oldPolicy := clusterAdmissionPolicyGroupFactory() - newPolicy := admissionPolicyGroupFactory() + oldPolicy := NewClusterAdmissionPolicyGroupFactory().Build() + newPolicy := NewAdmissionPolicyGroupFactory().Build() warnings, err := newPolicy.ValidateUpdate(oldPolicy) require.Empty(t, warnings) require.ErrorContains(t, err, "object is not of type AdmissionPolicyGroup") diff --git a/api/policies/v1/clusteradmissionpolicy_webhook_test.go b/api/policies/v1/clusteradmissionpolicy_webhook_test.go index 72117b91..e77bedf7 100644 --- a/api/policies/v1/clusteradmissionpolicy_webhook_test.go +++ b/api/policies/v1/clusteradmissionpolicy_webhook_test.go @@ -23,7 +23,7 @@ import ( ) func TestClusterAdmissionPolicyDefault(t *testing.T) { - policy := clusterAdmissionPolicyFactory(nil, nil, "", "protect") + policy := ClusterAdmissionPolicy{} policy.Default() require.Equal(t, constants.DefaultPolicyServer, policy.GetPolicyServer()) @@ -31,23 +31,23 @@ func TestClusterAdmissionPolicyDefault(t *testing.T) { } func TestClusterAdmissionPolicyValidateCreate(t *testing.T) { - policy := clusterAdmissionPolicyFactory(nil, nil, "", "protect") + policy := NewClusterAdmissionPolicyFactory().Build() warnings, err := policy.ValidateCreate() require.NoError(t, err) require.Empty(t, warnings) } func TestClusterAdmissionPolicyValidateUpdate(t *testing.T) { - oldPolicy := clusterAdmissionPolicyFactory(nil, nil, "", "protect") - newPolicy := clusterAdmissionPolicyFactory(nil, nil, "", "protect") + oldPolicy := NewClusterAdmissionPolicyFactory().Build() + newPolicy := NewClusterAdmissionPolicyFactory().Build() warnings, err := newPolicy.ValidateUpdate(oldPolicy) require.NoError(t, err) require.Empty(t, warnings) } func TestClusterAdmissionPolicyValidateUpdateWithInvalidOldPolicy(t *testing.T) { - oldPolicy := admissionPolicyFactory() - newPolicy := clusterAdmissionPolicyFactory(nil, nil, "", "protect") + oldPolicy := NewAdmissionPolicyFactory().Build() + newPolicy := NewClusterAdmissionPolicyFactory().Build() warnings, err := newPolicy.ValidateUpdate(oldPolicy) require.Empty(t, warnings) require.ErrorContains(t, err, "object is not of type ClusterAdmissionPolicy") diff --git a/api/policies/v1/clusteradmissionpolicygroup_webhook_test.go b/api/policies/v1/clusteradmissionpolicygroup_webhook_test.go index 2f3d92f4..4d0e400a 100644 --- a/api/policies/v1/clusteradmissionpolicygroup_webhook_test.go +++ b/api/policies/v1/clusteradmissionpolicygroup_webhook_test.go @@ -23,7 +23,7 @@ import ( ) func TestClusterClusterAdmissionPolicyDefault(t *testing.T) { - policy := clusterAdmissionPolicyGroupFactory() + policy := ClusterAdmissionPolicyGroup{} policy.Default() require.Equal(t, constants.DefaultPolicyServer, policy.GetPolicyServer()) @@ -31,14 +31,14 @@ func TestClusterClusterAdmissionPolicyDefault(t *testing.T) { } func TestClusterClusterAdmissionPolicyValidateCreate(t *testing.T) { - policy := clusterAdmissionPolicyGroupFactory() + policy := NewClusterAdmissionPolicyGroupFactory().Build() warnings, err := policy.ValidateCreate() require.NoError(t, err) require.Empty(t, warnings) } func TestClusterClusterAdmissionPolicyValidateCreateWithNoMembers(t *testing.T) { - policy := clusterAdmissionPolicyGroupFactory() + policy := NewClusterAdmissionPolicyGroupFactory().Build() policy.Spec.Policies = nil warnings, err := policy.ValidateCreate() require.Error(t, err) @@ -47,16 +47,16 @@ func TestClusterClusterAdmissionPolicyValidateCreateWithNoMembers(t *testing.T) } func TestClusterClusterAdmissionPolicyValidateUpdate(t *testing.T) { - oldPolicy := clusterAdmissionPolicyGroupFactory() - newPolicy := clusterAdmissionPolicyGroupFactory() + oldPolicy := NewClusterAdmissionPolicyGroupFactory().Build() + newPolicy := NewClusterAdmissionPolicyGroupFactory().Build() warnings, err := newPolicy.ValidateUpdate(oldPolicy) require.NoError(t, err) require.Empty(t, warnings) } func TestClusterClusterAdmissionPolicyValidateUpdateWithInvalidOldPolicy(t *testing.T) { - oldPolicy := admissionPolicyGroupFactory() - newPolicy := clusterAdmissionPolicyGroupFactory() + oldPolicy := NewAdmissionPolicyGroupFactory().Build() + newPolicy := NewClusterAdmissionPolicyGroupFactory().Build() warnings, err := newPolicy.ValidateUpdate(oldPolicy) require.Empty(t, warnings) require.ErrorContains(t, err, "object is not of type ClusterAdmissionPolicyGroup") diff --git a/api/policies/v1/factories.go b/api/policies/v1/factories.go new file mode 100644 index 00000000..c119a2c2 --- /dev/null +++ b/api/policies/v1/factories.go @@ -0,0 +1,467 @@ +package v1 + +import ( + "fmt" + "math/rand" + "os" + + admissionregistrationv1 "k8s.io/api/admissionregistration/v1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + + "github.com/kubewarden/kubewarden-controller/internal/constants" +) + +const ( + integrationTestsFinalizer = "integration-tests-safety-net-finalizer" + defaultKubewardenRepository = "ghcr.io/kubewarden/policy-server" + maxNameSuffixLength = 8 +) + +type AdmissionPolicyFactory struct { + name string + namespace string + policyServer string + mutating bool + rules []admissionregistrationv1.RuleWithOperations + module string + matchConds []admissionregistrationv1.MatchCondition +} + +func NewAdmissionPolicyFactory() *AdmissionPolicyFactory { + return &AdmissionPolicyFactory{ + name: newName("admission-policy"), + namespace: "default", + policyServer: "", + mutating: false, + rules: []admissionregistrationv1.RuleWithOperations{ + { + Operations: []admissionregistrationv1.OperationType{ + admissionregistrationv1.Create, + admissionregistrationv1.Update, + }, + Rule: admissionregistrationv1.Rule{ + APIGroups: []string{""}, + APIVersions: []string{"v1"}, + Resources: []string{"Pods"}, + }, + }, + }, + module: "registry://ghcr.io/kubewarden/tests/pod-privileged:v0.2.5", + matchConds: []admissionregistrationv1.MatchCondition{ + {Name: "noop", Expression: "true"}, + }, + } +} + +func (fac *AdmissionPolicyFactory) WithName(name string) *AdmissionPolicyFactory { + fac.name = name + return fac +} + +func (fac *AdmissionPolicyFactory) WithNamespace(namespace string) *AdmissionPolicyFactory { + fac.namespace = namespace + return fac +} + +func (fac *AdmissionPolicyFactory) WithPolicyServer(policyServer string) *AdmissionPolicyFactory { + fac.policyServer = policyServer + return fac +} + +func (fac *AdmissionPolicyFactory) WithMutating(mutating bool) *AdmissionPolicyFactory { + fac.mutating = mutating + return fac +} + +func (fac *AdmissionPolicyFactory) WithRules(rules []admissionregistrationv1.RuleWithOperations) *AdmissionPolicyFactory { + fac.rules = rules + return fac +} + +func (fac *AdmissionPolicyFactory) WithMatchConditions(matchConditions []admissionregistrationv1.MatchCondition) *AdmissionPolicyFactory { + fac.matchConds = matchConditions + return fac +} + +func (fac *AdmissionPolicyFactory) Build() *AdmissionPolicy { + policy := AdmissionPolicy{ + ObjectMeta: metav1.ObjectMeta{ + Name: fac.name, + Namespace: fac.namespace, + Finalizers: []string{ + // On a real cluster the Kubewarden finalizer is added by our mutating + // webhook. This is not running now, hence we have to manually add the finalizer + constants.KubewardenFinalizer, + // By adding this finalizer automatically, we ensure that when + // testing removal of finalizers on deleted objects, that they will + // exist at all times + integrationTestsFinalizer, + }, + }, + Spec: AdmissionPolicySpec{ + PolicySpec: PolicySpec{ + PolicyServer: fac.policyServer, + Module: fac.module, + Rules: fac.rules, + Mutating: fac.mutating, + MatchConditions: fac.matchConds, + }, + }, + } + return &policy +} + +type ClusterAdmissionPolicyFactory struct { + name string + policyServer string + mutating bool + rules []admissionregistrationv1.RuleWithOperations + module string + contextAwareResources []ContextAwareResource + matchConds []admissionregistrationv1.MatchCondition + mode PolicyMode +} + +func NewClusterAdmissionPolicyFactory() *ClusterAdmissionPolicyFactory { + return &ClusterAdmissionPolicyFactory{ + name: newName("cluster-admission"), + policyServer: "", + mutating: false, + rules: []admissionregistrationv1.RuleWithOperations{ + { + Operations: []admissionregistrationv1.OperationType{ + admissionregistrationv1.Create, + admissionregistrationv1.Update, + }, + Rule: admissionregistrationv1.Rule{ + APIGroups: []string{""}, + APIVersions: []string{"v1"}, + Resources: []string{"Pods"}, + }, + }, + }, + module: "registry://ghcr.io/kubewarden/tests/pod-privileged:v0.2.5", + contextAwareResources: []ContextAwareResource{}, + matchConds: []admissionregistrationv1.MatchCondition{ + {Name: "noop", Expression: "true"}, + }, + mode: "protect", + } +} + +func (fac *ClusterAdmissionPolicyFactory) WithName(name string) *ClusterAdmissionPolicyFactory { + fac.name = name + return fac +} + +func (fac *ClusterAdmissionPolicyFactory) WithPolicyServer(policyServer string) *ClusterAdmissionPolicyFactory { + fac.policyServer = policyServer + return fac +} + +func (fac *ClusterAdmissionPolicyFactory) WithMutating(mutating bool) *ClusterAdmissionPolicyFactory { + fac.mutating = mutating + return fac +} + +func (fac *ClusterAdmissionPolicyFactory) WithContextAwareResources(resources []ContextAwareResource) *ClusterAdmissionPolicyFactory { + fac.contextAwareResources = resources + return fac +} + +func (fac *ClusterAdmissionPolicyFactory) WithRules(rules []admissionregistrationv1.RuleWithOperations) *ClusterAdmissionPolicyFactory { + fac.rules = rules + return fac +} + +func (fac *ClusterAdmissionPolicyFactory) WithMatchConditions(matchConditions []admissionregistrationv1.MatchCondition) *ClusterAdmissionPolicyFactory { + fac.matchConds = matchConditions + return fac +} + +func (fac *ClusterAdmissionPolicyFactory) WithMode(mode PolicyMode) *ClusterAdmissionPolicyFactory { + fac.mode = mode + return fac +} + +func (fac *ClusterAdmissionPolicyFactory) Build() *ClusterAdmissionPolicy { + clusterAdmissionPolicy := ClusterAdmissionPolicy{ + ObjectMeta: metav1.ObjectMeta{ + Name: fac.name, + Finalizers: []string{ + // On a real cluster the Kubewarden finalizer is added by our mutating + // webhook. This is not running now, hence we have to manually add the finalizer + constants.KubewardenFinalizer, + // By adding this finalizer automatically, we ensure that when + // testing removal of finalizers on deleted objects, that they will + // exist at all times + integrationTestsFinalizer, + }}, + Spec: ClusterAdmissionPolicySpec{ + ContextAwareResources: fac.contextAwareResources, + PolicySpec: PolicySpec{ + PolicyServer: fac.policyServer, + Module: fac.module, + Rules: fac.rules, + Mutating: fac.mutating, + MatchConditions: fac.matchConds, + Mode: fac.mode, + }, + }, + } + return &clusterAdmissionPolicy +} + +type PolicyServerBuilder struct { + name string +} + +func NewPolicyServerFactory() *PolicyServerBuilder { + return &PolicyServerBuilder{ + name: newName("policy-server"), + } +} + +func (fac *PolicyServerBuilder) WithName(name string) *PolicyServerBuilder { + fac.name = name + return fac +} + +func (fac *PolicyServerBuilder) Build() *PolicyServer { + policyServer := PolicyServer{ + ObjectMeta: metav1.ObjectMeta{ + Name: fac.name, + Finalizers: []string{ + // On a real cluster the Kubewarden finalizer is added by our mutating + // webhook. This is not running now, hence we have to manually add the finalizer + constants.KubewardenFinalizer, + // By adding this finalizer automatically, we ensure that when + // testing removal of finalizers on deleted objects, that they will + // exist at all times + integrationTestsFinalizer, + }, + }, + Spec: PolicyServerSpec{ + Image: policyServerRepository() + ":" + policyServerVersion(), + Replicas: 1, + }, + } + return &policyServer +} + +type AdmissionPolicyGroupFactory struct { + name string + namespace string + policyServer string + rules []admissionregistrationv1.RuleWithOperations + expression string + policyMembers PolicyGroupMembers + matchConds []admissionregistrationv1.MatchCondition +} + +func NewAdmissionPolicyGroupFactory() *AdmissionPolicyGroupFactory { + return &AdmissionPolicyGroupFactory{ + name: newName("admissing-policy-group"), + namespace: "default", + policyServer: "", + rules: []admissionregistrationv1.RuleWithOperations{ + { + Operations: []admissionregistrationv1.OperationType{ + admissionregistrationv1.Create, + admissionregistrationv1.Update, + }, + Rule: admissionregistrationv1.Rule{ + APIGroups: []string{""}, + APIVersions: []string{"v1"}, + Resources: []string{"Pods"}, + }, + }, + }, + expression: "pod_privileged()", + policyMembers: PolicyGroupMembers{ + "pod_privileged": { + Module: "registry://ghcr.io/kubewarden/tests/pod-privileged:v0.2.5", + }, + }, + matchConds: []admissionregistrationv1.MatchCondition{ + {Name: "noop", Expression: "true"}, + }, + } +} + +func (fac *AdmissionPolicyGroupFactory) WithName(name string) *AdmissionPolicyGroupFactory { + fac.name = name + return fac +} + +func (fac *AdmissionPolicyGroupFactory) WithNamespace(namespace string) *AdmissionPolicyGroupFactory { + fac.namespace = namespace + return fac +} + +func (fac *AdmissionPolicyGroupFactory) WithPolicyServer(policyServer string) *AdmissionPolicyGroupFactory { + fac.policyServer = policyServer + return fac +} + +func (fac *AdmissionPolicyGroupFactory) WithRules(rules []admissionregistrationv1.RuleWithOperations) *AdmissionPolicyGroupFactory { + fac.rules = rules + return fac +} + +func (fac *AdmissionPolicyGroupFactory) WithMatchConditions(matchContions []admissionregistrationv1.MatchCondition) *AdmissionPolicyGroupFactory { + fac.matchConds = matchContions + return fac +} + +func (fac *AdmissionPolicyGroupFactory) Build() *AdmissionPolicyGroup { + return &AdmissionPolicyGroup{ + ObjectMeta: metav1.ObjectMeta{ + Name: fac.name, + Namespace: fac.namespace, + Finalizers: []string{ + // On a real cluster the Kubewarden finalizer is added by our mutating + // webhook. This is not running now, hence we have to manually add the finalizer + constants.KubewardenFinalizer, + // By adding this finalizer automatically, we ensure that when + // testing removal of finalizers on deleted objects, that they will + // exist at all times + integrationTestsFinalizer, + }, + }, + Spec: AdmissionPolicyGroupSpec{ + PolicyGroupSpec: PolicyGroupSpec{ + PolicyServer: fac.policyServer, + Policies: fac.policyMembers, + Expression: fac.expression, + Rules: fac.rules, + MatchConditions: fac.matchConds, + }, + }, + } +} + +type ClusterAdmissionPolicyGroupFactory struct { + name string + policyServer string + rules []admissionregistrationv1.RuleWithOperations + expression string + policyMembers PolicyGroupMembers + matchConds []admissionregistrationv1.MatchCondition +} + +func NewClusterAdmissionPolicyGroupFactory() *ClusterAdmissionPolicyGroupFactory { + return &ClusterAdmissionPolicyGroupFactory{ + name: newName("cluster-admission-policy-group"), + policyServer: "", + rules: []admissionregistrationv1.RuleWithOperations{ + { + Operations: []admissionregistrationv1.OperationType{ + admissionregistrationv1.Create, + admissionregistrationv1.Update, + }, + Rule: admissionregistrationv1.Rule{ + APIGroups: []string{""}, + APIVersions: []string{"v1"}, + Resources: []string{"Pods"}, + }, + }, + }, + expression: "pod_privileged() && user_group_psp()", + policyMembers: PolicyGroupMembers{ + "pod_privileged": { + Module: "registry://ghcr.io/kubewarden/tests/pod-privileged:v0.2.5", + }, + "user_group_psp": { + Module: "registry://ghcr.io/kubewarden/tests/user-group-psp:v0.4.9", + }, + }, + matchConds: []admissionregistrationv1.MatchCondition{ + {Name: "noop", Expression: "true"}, + }, + } +} + +func (fac *ClusterAdmissionPolicyGroupFactory) WithName(name string) *ClusterAdmissionPolicyGroupFactory { + fac.name = name + return fac +} + +func (fac *ClusterAdmissionPolicyGroupFactory) WithPolicyServer(policyServer string) *ClusterAdmissionPolicyGroupFactory { + fac.policyServer = policyServer + return fac +} + +func (fac *ClusterAdmissionPolicyGroupFactory) WithMembers(members PolicyGroupMembers) *ClusterAdmissionPolicyGroupFactory { + fac.policyMembers = members + return fac +} + +func (fac *ClusterAdmissionPolicyGroupFactory) WithRules(rules []admissionregistrationv1.RuleWithOperations) *ClusterAdmissionPolicyGroupFactory { + fac.rules = rules + return fac +} + +func (fac *ClusterAdmissionPolicyGroupFactory) WithMatchConditions(matchConditions []admissionregistrationv1.MatchCondition) *ClusterAdmissionPolicyGroupFactory { + fac.matchConds = matchConditions + return fac +} + +func (fac *ClusterAdmissionPolicyGroupFactory) Build() *ClusterAdmissionPolicyGroup { + clusterAdmissionPolicy := ClusterAdmissionPolicyGroup{ + ObjectMeta: metav1.ObjectMeta{ + Name: fac.name, + Finalizers: []string{ + // On a real cluster the Kubewarden finalizer is added by our mutating + // webhook. This is not running now, hence we have to manually add the finalizer + constants.KubewardenFinalizer, + // By adding this finalizer automatically, we ensure that when + // testing removal of finalizers on deleted objects, that they will + // exist at all times + integrationTestsFinalizer, + }, + }, + Spec: ClusterAdmissionPolicyGroupSpec{ + PolicyGroupSpec: PolicyGroupSpec{ + PolicyServer: fac.policyServer, + Policies: fac.policyMembers, + Expression: fac.expression, + Rules: fac.rules, + MatchConditions: fac.matchConds, + }, + }, + } + return &clusterAdmissionPolicy +} + +func policyServerRepository() string { + repository, ok := os.LookupEnv("POLICY_SERVER_REPOSITORY") + if !ok { + return defaultKubewardenRepository + } + return repository +} + +func policyServerVersion() string { + version, ok := os.LookupEnv("POLICY_SERVER_VERSION") + if !ok { + return "latest" + } + + return version +} + +func randStringRunes(n int) string { + letterRunes := []rune("abcdefghijklmnopqrstuvwxyz1234567890") + b := make([]rune, n) + for i := range b { + //nolint:gosec // this is a test code. + b[i] = letterRunes[rand.Intn(len(letterRunes))] + } + + return string(b) +} + +func newName(prefix string) string { + return fmt.Sprintf("%s-%s", prefix, randStringRunes(maxNameSuffixLength)) +} diff --git a/api/policies/v1/policy_utils_test.go b/api/policies/v1/policy_utils_test.go deleted file mode 100644 index 49af3303..00000000 --- a/api/policies/v1/policy_utils_test.go +++ /dev/null @@ -1,127 +0,0 @@ -/* -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/ - -package v1 - -import ( - admissionregistrationv1 "k8s.io/api/admissionregistration/v1" - metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - "k8s.io/apimachinery/pkg/runtime" -) - -func admissionPolicyFactory() *AdmissionPolicy { - return &AdmissionPolicy{ - ObjectMeta: metav1.ObjectMeta{ - Name: "testing-policy", - Namespace: "default", - }, - Spec: AdmissionPolicySpec{ - PolicySpec: PolicySpec{ - PolicyServer: "", - Settings: runtime.RawExtension{ - Raw: []byte("{}"), - }, - Rules: getRules(nil), - Mode: "protect", - }, - }, - } -} - -func admissionPolicyGroupFactory() *AdmissionPolicyGroup { - return &AdmissionPolicyGroup{ - ObjectMeta: metav1.ObjectMeta{ - Name: "testing-policy-group", - Namespace: "default", - }, - Spec: AdmissionPolicyGroupSpec{ - PolicyGroupSpec: PolicyGroupSpec{ - PolicyServer: "", - Rules: getRules(nil), - Mode: "protect", - Expression: "mypolicy()", - Message: "This is a test policy", - Policies: map[string]PolicyGroupMember{ - "mypolicy": { - Module: "ghcr.io/kubewarden/tests/user-group-psp:v0.4.9", - Settings: runtime.RawExtension{}, - ContextAwareResources: []ContextAwareResource{}, - }, - }, - }, - }, - } -} - -func clusterAdmissionPolicyFactory(customRules []admissionregistrationv1.RuleWithOperations, matchConds []admissionregistrationv1.MatchCondition, policyServer string, policyMode PolicyMode) *ClusterAdmissionPolicy { - return &ClusterAdmissionPolicy{ - ObjectMeta: metav1.ObjectMeta{ - Name: "testing-policy", - Namespace: "default", - }, - Spec: ClusterAdmissionPolicySpec{ - PolicySpec: PolicySpec{ - PolicyServer: policyServer, - Settings: runtime.RawExtension{ - Raw: []byte("{}"), - }, - Rules: getRules(customRules), - Mode: policyMode, - MatchConditions: matchConds, - }, - }, - } -} - -func clusterAdmissionPolicyGroupFactory() *ClusterAdmissionPolicyGroup { - return &ClusterAdmissionPolicyGroup{ - ObjectMeta: metav1.ObjectMeta{ - Name: "testing-cluster-policy-group", - Namespace: "default", - }, - Spec: ClusterAdmissionPolicyGroupSpec{ - PolicyGroupSpec: PolicyGroupSpec{ - PolicyServer: "", - Rules: getRules(nil), - Mode: "protect", - MatchConditions: []admissionregistrationv1.MatchCondition{}, - Expression: "mypolicy()", - Message: "This is a test policy", - Policies: map[string]PolicyGroupMember{ - "mypolicy": { - Module: "ghcr.io/kubewarden/tests/user-group-psp:v0.4.9", - Settings: runtime.RawExtension{}, - ContextAwareResources: []ContextAwareResource{}, - }, - }, - }, - }, - } -} - -func getRules(customRules []admissionregistrationv1.RuleWithOperations) []admissionregistrationv1.RuleWithOperations { - rules := customRules - - if rules == nil { - rules = append(rules, admissionregistrationv1.RuleWithOperations{ - Operations: []admissionregistrationv1.OperationType{admissionregistrationv1.OperationAll}, - Rule: admissionregistrationv1.Rule{ - APIGroups: []string{"*"}, - APIVersions: []string{"*"}, - Resources: []string{"*/*"}, - }, - }) - } - return rules -} diff --git a/api/policies/v1/policy_validation_test.go b/api/policies/v1/policy_validation_test.go index cd6133b6..57765137 100644 --- a/api/policies/v1/policy_validation_test.go +++ b/api/policies/v1/policy_validation_test.go @@ -29,137 +29,172 @@ func TestValidateRulesField(t *testing.T) { expectedErrorMessage string // use empty string when no error is expected }{ { - "with valid APIVersion and resources. But with empty APIGroup", clusterAdmissionPolicyFactory([]admissionregistrationv1.RuleWithOperations{{ - Operations: []admissionregistrationv1.OperationType{admissionregistrationv1.OperationAll}, - Rule: admissionregistrationv1.Rule{ - APIGroups: []string{""}, - APIVersions: []string{"v1"}, - Resources: []string{"pods"}, - }, - }}, nil, "default", "protect"), + "with valid APIVersion and resources. But with empty APIGroup", + NewClusterAdmissionPolicyFactory(). + WithRules([]admissionregistrationv1.RuleWithOperations{ + { + Operations: []admissionregistrationv1.OperationType{admissionregistrationv1.OperationAll}, + Rule: admissionregistrationv1.Rule{ + APIGroups: []string{""}, + APIVersions: []string{"v1"}, + Resources: []string{"pods"}, + }, + }, + }). + WithPolicyServer("default").Build(), "", }, { "with valid APIVersion, Resources and APIGroup", - clusterAdmissionPolicyFactory([]admissionregistrationv1.RuleWithOperations{{ - Operations: []admissionregistrationv1.OperationType{admissionregistrationv1.OperationAll}, - Rule: admissionregistrationv1.Rule{ - APIGroups: []string{"apps"}, - APIVersions: []string{"v1"}, - Resources: []string{"deployments"}, - }, - }}, nil, "default", "protect"), + NewClusterAdmissionPolicyFactory(). + WithRules([]admissionregistrationv1.RuleWithOperations{ + { + Operations: []admissionregistrationv1.OperationType{admissionregistrationv1.OperationAll}, + Rule: admissionregistrationv1.Rule{ + APIGroups: []string{"apps"}, + APIVersions: []string{"v1"}, + Resources: []string{"deployments"}, + }, + }, + }). + WithPolicyServer("default").Build(), "", }, { "with no operations and API groups and resources", - clusterAdmissionPolicyFactory([]admissionregistrationv1.RuleWithOperations{}, nil, "default", "protect"), + NewClusterAdmissionPolicyFactory(). + WithRules([]admissionregistrationv1.RuleWithOperations{}). + WithPolicyServer("default").Build(), "spec.rules: Required value: a value must be specified", }, { "with empty objects", - clusterAdmissionPolicyFactory([]admissionregistrationv1.RuleWithOperations{{}}, nil, "default", "protect"), + NewClusterAdmissionPolicyFactory(). + WithRules([]admissionregistrationv1.RuleWithOperations{{}}). + WithPolicyServer("default").Build(), "spec.rules.operations: Required value: a value must be specified", }, { "with no operations", - clusterAdmissionPolicyFactory([]admissionregistrationv1.RuleWithOperations{{ - Operations: []admissionregistrationv1.OperationType{}, - Rule: admissionregistrationv1.Rule{ - APIGroups: []string{"*"}, - APIVersions: []string{"*"}, - Resources: []string{"*/*"}, - }, - }}, nil, "default", "protect"), + NewClusterAdmissionPolicyFactory(). + WithRules([]admissionregistrationv1.RuleWithOperations{ + { + Operations: []admissionregistrationv1.OperationType{}, + Rule: admissionregistrationv1.Rule{ + APIGroups: []string{"*"}, + APIVersions: []string{"*"}, + Resources: []string{"*/*"}, + }}, + }). + WithPolicyServer("default").Build(), "spec.rules.operations: Required value: a value must be specified", }, { "with null operations", - clusterAdmissionPolicyFactory([]admissionregistrationv1.RuleWithOperations{{ - Operations: nil, - Rule: admissionregistrationv1.Rule{ - APIGroups: []string{"*"}, - APIVersions: []string{"*"}, - Resources: []string{"*/*"}, - }, - }}, nil, "default", "protect"), + NewClusterAdmissionPolicyFactory(). + WithRules([]admissionregistrationv1.RuleWithOperations{{ + Operations: nil, + Rule: admissionregistrationv1.Rule{ + APIGroups: []string{"*"}, + APIVersions: []string{"*"}, + Resources: []string{"*/*"}, + }, + }}). + WithPolicyServer("default").Build(), "spec.rules.operations: Required value: a value must be specified", }, { "with empty operations string", - clusterAdmissionPolicyFactory([]admissionregistrationv1.RuleWithOperations{{ - Operations: []admissionregistrationv1.OperationType{""}, - Rule: admissionregistrationv1.Rule{ - APIGroups: []string{"*"}, - APIVersions: []string{"*"}, - Resources: []string{"*/*"}, - }, - }}, nil, "default", "protect"), + NewClusterAdmissionPolicyFactory(). + WithRules([]admissionregistrationv1.RuleWithOperations{{ + Operations: []admissionregistrationv1.OperationType{""}, + Rule: admissionregistrationv1.Rule{ + APIGroups: []string{"*"}, + APIVersions: []string{"*"}, + Resources: []string{"*/*"}, + }, + }}). + WithPolicyServer("default").Build(), "spec.rules.operations[0]: Required value: must be non-empty", }, { "with no apiVersion", - clusterAdmissionPolicyFactory([]admissionregistrationv1.RuleWithOperations{{ - Operations: []admissionregistrationv1.OperationType{admissionregistrationv1.OperationAll}, - Rule: admissionregistrationv1.Rule{ - APIGroups: []string{"*"}, - APIVersions: []string{}, - Resources: []string{"*/*"}, - }, - }}, nil, "default", "protect"), + NewClusterAdmissionPolicyFactory(). + WithRules([]admissionregistrationv1.RuleWithOperations{{ + Operations: []admissionregistrationv1.OperationType{admissionregistrationv1.OperationAll}, + Rule: admissionregistrationv1.Rule{ + APIGroups: []string{"*"}, + APIVersions: []string{}, + Resources: []string{"*/*"}, + }, + }}). + WithPolicyServer("default").Build(), "spec.rules: Required value: apiVersions and resources must have specified values", }, { "with no resources", - clusterAdmissionPolicyFactory([]admissionregistrationv1.RuleWithOperations{{ - Operations: []admissionregistrationv1.OperationType{admissionregistrationv1.OperationAll}, - Rule: admissionregistrationv1.Rule{ - APIGroups: []string{"*"}, - APIVersions: []string{"*"}, - Resources: []string{}, - }, - }}, nil, "default", "protect"), + NewClusterAdmissionPolicyFactory(). + WithRules([]admissionregistrationv1.RuleWithOperations{{ + Operations: []admissionregistrationv1.OperationType{admissionregistrationv1.OperationAll}, + Rule: admissionregistrationv1.Rule{ + APIGroups: []string{"*"}, + APIVersions: []string{"*"}, + Resources: []string{}, + }, + }}).WithPolicyServer("default").Build(), "spec.rules: Required value: apiVersions and resources must have specified values", }, { "with empty apiVersion string", - clusterAdmissionPolicyFactory([]admissionregistrationv1.RuleWithOperations{{ - Operations: []admissionregistrationv1.OperationType{admissionregistrationv1.OperationAll}, - Rule: admissionregistrationv1.Rule{ - APIGroups: []string{"*"}, - APIVersions: []string{""}, - Resources: []string{"*/*"}, - }, - }}, nil, "default", "protect"), + NewClusterAdmissionPolicyFactory(). + WithRules([]admissionregistrationv1.RuleWithOperations{{ + Operations: []admissionregistrationv1.OperationType{admissionregistrationv1.OperationAll}, + Rule: admissionregistrationv1.Rule{ + APIGroups: []string{"*"}, + APIVersions: []string{""}, + Resources: []string{"*/*"}, + }, + }}).WithPolicyServer("defaule").Build(), "spec.rules.rule.apiVersions[0]: Required value: must be non-empty", }, { "with empty resources string", - clusterAdmissionPolicyFactory([]admissionregistrationv1.RuleWithOperations{{ - Operations: []admissionregistrationv1.OperationType{admissionregistrationv1.OperationAll}, - Rule: admissionregistrationv1.Rule{ - APIGroups: []string{"*"}, - APIVersions: []string{"*"}, - Resources: []string{""}, - }, - }}, nil, "default", "protect"), + NewClusterAdmissionPolicyFactory(). + WithRules([]admissionregistrationv1.RuleWithOperations{{ + Operations: []admissionregistrationv1.OperationType{admissionregistrationv1.OperationAll}, + Rule: admissionregistrationv1.Rule{ + APIGroups: []string{"*"}, + APIVersions: []string{"*"}, + Resources: []string{""}, + }, + }}).WithPolicyServer("default").Build(), "spec.rules.rule.resources[0]: Required value: must be non-empty", }, { "with some of the resources are empty strings", - clusterAdmissionPolicyFactory([]admissionregistrationv1.RuleWithOperations{{ - Operations: []admissionregistrationv1.OperationType{admissionregistrationv1.OperationAll}, - Rule: admissionregistrationv1.Rule{ - APIGroups: []string{""}, - APIVersions: []string{"v1"}, - Resources: []string{"", "pods"}, - }, - }}, nil, "default", "protect"), + NewClusterAdmissionPolicyFactory(). + WithRules([]admissionregistrationv1.RuleWithOperations{{ + Operations: []admissionregistrationv1.OperationType{admissionregistrationv1.OperationAll}, + Rule: admissionregistrationv1.Rule{ + APIGroups: []string{""}, + APIVersions: []string{"v1"}, + Resources: []string{"", "pods"}, + }, + }}).WithPolicyServer("default").Build(), "spec.rules.rule.resources[0]: Required value: must be non-empty", }, { "with all operations and API groups and resources", - clusterAdmissionPolicyFactory(nil, nil, "default", "protect"), + NewClusterAdmissionPolicyFactory(). + WithRules([]admissionregistrationv1.RuleWithOperations{ + { + Operations: []admissionregistrationv1.OperationType{admissionregistrationv1.OperationAll}, + Rule: admissionregistrationv1.Rule{ + APIGroups: []string{"*"}, + APIVersions: []string{"*"}, + Resources: []string{"*/*"}, + }, + }}).Build(), "", }, } @@ -179,6 +214,12 @@ func TestValidateRulesField(t *testing.T) { } func TestValidateMatchConditionsField(t *testing.T) { + defaultRules := []admissionregistrationv1.RuleWithOperations{ + { + Operations: []admissionregistrationv1.OperationType{admissionregistrationv1.OperationAll}, + Rule: admissionregistrationv1.Rule{APIGroups: []string{"apps"}, APIVersions: []string{"v1"}, Resources: []string{"deployments"}}, + }, + } tests := []struct { name string policy Policy @@ -186,49 +227,54 @@ func TestValidateMatchConditionsField(t *testing.T) { }{ { "with empty MatchConditions", - clusterAdmissionPolicyFactory([]admissionregistrationv1.RuleWithOperations{{ - Operations: []admissionregistrationv1.OperationType{admissionregistrationv1.OperationAll}, - Rule: admissionregistrationv1.Rule{APIGroups: []string{"apps"}, APIVersions: []string{"v1"}, Resources: []string{"deployments"}}, - }}, nil, "default", "protect"), + NewClusterAdmissionPolicyFactory(). + WithRules(defaultRules). + WithMatchConditions(nil). + WithPolicyServer("default"). + Build(), "", }, { "with valid MatchConditions", - clusterAdmissionPolicyFactory([]admissionregistrationv1.RuleWithOperations{{ - Operations: []admissionregistrationv1.OperationType{admissionregistrationv1.OperationAll}, - Rule: admissionregistrationv1.Rule{APIGroups: []string{"apps"}, APIVersions: []string{"v1"}, Resources: []string{"deployments"}}, - }}, []admissionregistrationv1.MatchCondition{ - { - Name: "foo", - Expression: "true", - }, - }, "default", "protect"), + NewClusterAdmissionPolicyFactory(). + WithRules(defaultRules). + WithMatchConditions([]admissionregistrationv1.MatchCondition{ + { + Name: "foo", + Expression: "true", + }, + }). + WithPolicyServer("default"). + Build(), "", }, { "with non-boolean MatchConditions", - clusterAdmissionPolicyFactory([]admissionregistrationv1.RuleWithOperations{{ - Operations: []admissionregistrationv1.OperationType{admissionregistrationv1.OperationAll}, - Rule: admissionregistrationv1.Rule{APIGroups: []string{"apps"}, APIVersions: []string{"v1"}, Resources: []string{"deployments"}}, - }}, []admissionregistrationv1.MatchCondition{ - { - Name: "foo", - Expression: "1 + 1", - }, - }, "default", "protect"), + NewClusterAdmissionPolicyFactory(). + WithRules(defaultRules). + WithMatchConditions([]admissionregistrationv1.MatchCondition{ + { + Name: "foo", + Expression: "1 + 1", + }, + }). + WithPolicyServer("default"). + Build(), "Invalid value: \"1 + 1\": must evaluate to bool", }, { "with invalid expression in MatchConditions", - clusterAdmissionPolicyFactory([]admissionregistrationv1.RuleWithOperations{{ - Operations: []admissionregistrationv1.OperationType{admissionregistrationv1.OperationAll}, - Rule: admissionregistrationv1.Rule{APIGroups: []string{"apps"}, APIVersions: []string{"v1"}, Resources: []string{"deployments"}}, - }}, []admissionregistrationv1.MatchCondition{ - { - Name: "foo", - Expression: "invalid expression", - }, - }, "default", "protect"), "Syntax error: extraneous input 'expression'", + NewClusterAdmissionPolicyFactory(). + WithRules(defaultRules). + WithMatchConditions([]admissionregistrationv1.MatchCondition{ + { + Name: "foo", + Expression: "invalid expression", + }, + }). + WithPolicyServer("default"). + Build(), + "Syntax error: extraneous input 'expression'", }, } @@ -247,6 +293,14 @@ func TestValidateMatchConditionsField(t *testing.T) { } func TestValidatePolicyServerField(t *testing.T) { + defaultRules := []admissionregistrationv1.RuleWithOperations{{ + Operations: []admissionregistrationv1.OperationType{admissionregistrationv1.OperationAll}, + Rule: admissionregistrationv1.Rule{ + APIGroups: []string{"apps"}, + APIVersions: []string{"v1"}, + Resources: []string{"deployments"}, + }, + }} tests := []struct { name string oldPolicy Policy @@ -255,42 +309,34 @@ func TestValidatePolicyServerField(t *testing.T) { }{ { "policy server unchanged", - clusterAdmissionPolicyFactory([]admissionregistrationv1.RuleWithOperations{{ - Operations: []admissionregistrationv1.OperationType{admissionregistrationv1.OperationAll}, - Rule: admissionregistrationv1.Rule{ - APIGroups: []string{"apps"}, - APIVersions: []string{"v1"}, - Resources: []string{"deployments"}, - }, - }}, nil, "old-policy-server", "monitor"), - clusterAdmissionPolicyFactory([]admissionregistrationv1.RuleWithOperations{{ - Operations: []admissionregistrationv1.OperationType{admissionregistrationv1.OperationAll}, - Rule: admissionregistrationv1.Rule{ - APIGroups: []string{"apps"}, - APIVersions: []string{"v1"}, - Resources: []string{"deployments"}, - }, - }}, nil, "old-policy-server", "monitor"), + NewClusterAdmissionPolicyFactory(). + WithRules(defaultRules). + WithMatchConditions(nil). + WithPolicyServer("old-policy-server"). + WithMode("monitor"). + Build(), + NewClusterAdmissionPolicyFactory(). + WithRules(defaultRules). + WithMatchConditions(nil). + WithPolicyServer("old-policy-server"). + WithMode("monitor"). + Build(), "", }, { "policy server changed", - clusterAdmissionPolicyFactory([]admissionregistrationv1.RuleWithOperations{{ - Operations: []admissionregistrationv1.OperationType{admissionregistrationv1.OperationAll}, - Rule: admissionregistrationv1.Rule{ - APIGroups: []string{"apps"}, - APIVersions: []string{"v1"}, - Resources: []string{"deployments"}, - }, - }}, nil, "old-policy-server", "monitor"), - clusterAdmissionPolicyFactory([]admissionregistrationv1.RuleWithOperations{{ - Operations: []admissionregistrationv1.OperationType{admissionregistrationv1.OperationAll}, - Rule: admissionregistrationv1.Rule{ - APIGroups: []string{"apps"}, - APIVersions: []string{"v1"}, - Resources: []string{"deployments"}, - }, - }}, nil, "new-policy-server", "monitor"), + NewClusterAdmissionPolicyFactory(). + WithRules(defaultRules). + WithMatchConditions(nil). + WithPolicyServer("old-policy-server"). + WithMode("monitor"). + Build(), + NewClusterAdmissionPolicyFactory(). + WithRules(defaultRules). + WithMatchConditions(nil). + WithPolicyServer("new-policy-server"). + WithMode("monitor"). + Build(), "spec.policyServer: Forbidden: the field is immutable", }, } @@ -309,6 +355,14 @@ func TestValidatePolicyServerField(t *testing.T) { } func TestValidatePolicyModeField(t *testing.T) { + defaultRules := []admissionregistrationv1.RuleWithOperations{{ + Operations: []admissionregistrationv1.OperationType{admissionregistrationv1.OperationAll}, + Rule: admissionregistrationv1.Rule{ + APIGroups: []string{"apps"}, + APIVersions: []string{"v1"}, + Resources: []string{"deployments"}, + }, + }} tests := []struct { name string oldPolicy Policy @@ -317,62 +371,50 @@ func TestValidatePolicyModeField(t *testing.T) { }{ { "policy mode unchanged", - clusterAdmissionPolicyFactory([]admissionregistrationv1.RuleWithOperations{{ - Operations: []admissionregistrationv1.OperationType{admissionregistrationv1.OperationAll}, - Rule: admissionregistrationv1.Rule{ - APIGroups: []string{"apps"}, - APIVersions: []string{"v1"}, - Resources: []string{"deployments"}, - }, - }}, nil, "default", "protect"), - clusterAdmissionPolicyFactory([]admissionregistrationv1.RuleWithOperations{{ - Operations: []admissionregistrationv1.OperationType{admissionregistrationv1.OperationAll}, - Rule: admissionregistrationv1.Rule{ - APIGroups: []string{"apps"}, - APIVersions: []string{"v1"}, - Resources: []string{"deployments"}, - }, - }}, nil, "default", "protect"), + NewClusterAdmissionPolicyFactory(). + WithRules(defaultRules). + WithMatchConditions(nil). + WithPolicyServer("default"). + WithMode("protect"). + Build(), + NewClusterAdmissionPolicyFactory(). + WithRules(defaultRules). + WithMatchConditions(nil). + WithPolicyServer("default"). + WithMode("protect"). + Build(), "", }, { "policy mode changed from monitor to protect", - clusterAdmissionPolicyFactory([]admissionregistrationv1.RuleWithOperations{{ - Operations: []admissionregistrationv1.OperationType{admissionregistrationv1.OperationAll}, - Rule: admissionregistrationv1.Rule{ - APIGroups: []string{"apps"}, - APIVersions: []string{"v1"}, - Resources: []string{"deployments"}, - }, - }}, nil, "default", "monitor"), - clusterAdmissionPolicyFactory([]admissionregistrationv1.RuleWithOperations{{ - Operations: []admissionregistrationv1.OperationType{admissionregistrationv1.OperationAll}, - Rule: admissionregistrationv1.Rule{ - APIGroups: []string{"apps"}, - APIVersions: []string{"v1"}, - Resources: []string{"deployments"}, - }, - }}, nil, "default", "protect"), + NewClusterAdmissionPolicyFactory(). + WithRules(defaultRules). + WithMatchConditions(nil). + WithPolicyServer("default"). + WithMode("monitor"). + Build(), + NewClusterAdmissionPolicyFactory(). + WithRules(defaultRules). + WithMatchConditions(nil). + WithPolicyServer("default"). + WithMode("protect"). + Build(), "", }, { "policy mode changed from protect to monitor", - clusterAdmissionPolicyFactory([]admissionregistrationv1.RuleWithOperations{{ - Operations: []admissionregistrationv1.OperationType{admissionregistrationv1.OperationAll}, - Rule: admissionregistrationv1.Rule{ - APIGroups: []string{"apps"}, - APIVersions: []string{"v1"}, - Resources: []string{"deployments"}, - }, - }}, nil, "default", "protect"), - clusterAdmissionPolicyFactory([]admissionregistrationv1.RuleWithOperations{{ - Operations: []admissionregistrationv1.OperationType{admissionregistrationv1.OperationAll}, - Rule: admissionregistrationv1.Rule{ - APIGroups: []string{"apps"}, - APIVersions: []string{"v1"}, - Resources: []string{"deployments"}, - }, - }}, nil, "default", "monitor"), + NewClusterAdmissionPolicyFactory(). + WithRules(defaultRules). + WithMatchConditions(nil). + WithPolicyServer("default"). + WithMode("protect"). + Build(), + NewClusterAdmissionPolicyFactory(). + WithRules(defaultRules). + WithMatchConditions(nil). + WithPolicyServer("default"). + WithMode("monitor"). + Build(), "spec.mode: Forbidden: field cannot transition from protect to monitor. Recreate instead.", }, } diff --git a/api/policies/v1/zz_generated.deepcopy.go b/api/policies/v1/zz_generated.deepcopy.go index f00c2c67..12cd2b21 100644 --- a/api/policies/v1/zz_generated.deepcopy.go +++ b/api/policies/v1/zz_generated.deepcopy.go @@ -55,6 +55,33 @@ func (in *AdmissionPolicy) DeepCopyObject() runtime.Object { return nil } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *AdmissionPolicyFactory) DeepCopyInto(out *AdmissionPolicyFactory) { + *out = *in + if in.rules != nil { + in, out := &in.rules, &out.rules + *out = make([]admissionregistrationv1.RuleWithOperations, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + if in.matchConds != nil { + in, out := &in.matchConds, &out.matchConds + *out = make([]admissionregistrationv1.MatchCondition, len(*in)) + copy(*out, *in) + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AdmissionPolicyFactory. +func (in *AdmissionPolicyFactory) DeepCopy() *AdmissionPolicyFactory { + if in == nil { + return nil + } + out := new(AdmissionPolicyFactory) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *AdmissionPolicyGroup) DeepCopyInto(out *AdmissionPolicyGroup) { *out = *in @@ -82,6 +109,40 @@ func (in *AdmissionPolicyGroup) DeepCopyObject() runtime.Object { return nil } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *AdmissionPolicyGroupFactory) DeepCopyInto(out *AdmissionPolicyGroupFactory) { + *out = *in + if in.rules != nil { + in, out := &in.rules, &out.rules + *out = make([]admissionregistrationv1.RuleWithOperations, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + if in.policyMembers != nil { + in, out := &in.policyMembers, &out.policyMembers + *out = make(PolicyGroupMembers, len(*in)) + for key, val := range *in { + (*out)[key] = *val.DeepCopy() + } + } + if in.matchConds != nil { + in, out := &in.matchConds, &out.matchConds + *out = make([]admissionregistrationv1.MatchCondition, len(*in)) + copy(*out, *in) + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AdmissionPolicyGroupFactory. +func (in *AdmissionPolicyGroupFactory) DeepCopy() *AdmissionPolicyGroupFactory { + if in == nil { + return nil + } + out := new(AdmissionPolicyGroupFactory) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *AdmissionPolicyGroupList) DeepCopyInto(out *AdmissionPolicyGroupList) { *out = *in @@ -205,6 +266,38 @@ func (in *ClusterAdmissionPolicy) DeepCopyObject() runtime.Object { return nil } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ClusterAdmissionPolicyFactory) DeepCopyInto(out *ClusterAdmissionPolicyFactory) { + *out = *in + if in.rules != nil { + in, out := &in.rules, &out.rules + *out = make([]admissionregistrationv1.RuleWithOperations, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + if in.contextAwareResources != nil { + in, out := &in.contextAwareResources, &out.contextAwareResources + *out = make([]ContextAwareResource, len(*in)) + copy(*out, *in) + } + if in.matchConds != nil { + in, out := &in.matchConds, &out.matchConds + *out = make([]admissionregistrationv1.MatchCondition, len(*in)) + copy(*out, *in) + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterAdmissionPolicyFactory. +func (in *ClusterAdmissionPolicyFactory) DeepCopy() *ClusterAdmissionPolicyFactory { + if in == nil { + return nil + } + out := new(ClusterAdmissionPolicyFactory) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *ClusterAdmissionPolicyGroup) DeepCopyInto(out *ClusterAdmissionPolicyGroup) { *out = *in @@ -232,6 +325,40 @@ func (in *ClusterAdmissionPolicyGroup) DeepCopyObject() runtime.Object { return nil } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ClusterAdmissionPolicyGroupFactory) DeepCopyInto(out *ClusterAdmissionPolicyGroupFactory) { + *out = *in + if in.rules != nil { + in, out := &in.rules, &out.rules + *out = make([]admissionregistrationv1.RuleWithOperations, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + if in.policyMembers != nil { + in, out := &in.policyMembers, &out.policyMembers + *out = make(PolicyGroupMembers, len(*in)) + for key, val := range *in { + (*out)[key] = *val.DeepCopy() + } + } + if in.matchConds != nil { + in, out := &in.matchConds, &out.matchConds + *out = make([]admissionregistrationv1.MatchCondition, len(*in)) + copy(*out, *in) + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterAdmissionPolicyGroupFactory. +func (in *ClusterAdmissionPolicyGroupFactory) DeepCopy() *ClusterAdmissionPolicyGroupFactory { + if in == nil { + return nil + } + out := new(ClusterAdmissionPolicyGroupFactory) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *ClusterAdmissionPolicyGroupList) DeepCopyInto(out *ClusterAdmissionPolicyGroupList) { *out = *in @@ -486,6 +613,21 @@ func (in *PolicyServer) DeepCopyObject() runtime.Object { return nil } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *PolicyServerBuilder) DeepCopyInto(out *PolicyServerBuilder) { + *out = *in +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PolicyServerBuilder. +func (in *PolicyServerBuilder) DeepCopy() *PolicyServerBuilder { + if in == nil { + return nil + } + out := new(PolicyServerBuilder) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *PolicyServerList) DeepCopyInto(out *PolicyServerList) { *out = *in diff --git a/internal/controller/admissionpolicy_controller_test.go b/internal/controller/admissionpolicy_controller_test.go index 6ebf3204..c0c6d33e 100644 --- a/internal/controller/admissionpolicy_controller_test.go +++ b/internal/controller/admissionpolicy_controller_test.go @@ -53,16 +53,17 @@ var _ = Describe("AdmissionPolicy controller", Label("real-cluster"), func() { BeforeAll(func() { policyServerName = newName("policy-server") - policyServer := newPolicyServerFactory().withName(policyServerName).build() + policyServer := policiesv1.NewPolicyServerFactory(). + WithName(policyServerName). + Build() createPolicyServerAndWaitForItsService(ctx, policyServer) policyName = newName("validating-policy") - policy = newAdmissionPolicyFactory(). - withName(policyName). - withNamespace(policyNamespace). - withPolicyServer(policyServerName). - withMutating(false). - build() + policy = policiesv1.NewAdmissionPolicyFactory(). + WithName(policyName). + WithNamespace(policyNamespace). + WithPolicyServer(policyServerName). + Build() Expect(k8sClient.Create(ctx, policy)).To(Succeed()) }) @@ -183,16 +184,18 @@ var _ = Describe("AdmissionPolicy controller", Label("real-cluster"), func() { BeforeAll(func() { policyServerName = newName("policy-server") - policyServer := newPolicyServerFactory().withName(policyServerName).build() + policyServer := policiesv1.NewPolicyServerFactory(). + WithName(policyServerName). + Build() createPolicyServerAndWaitForItsService(ctx, policyServer) policyName = newName("mutating-policy") - policy = newAdmissionPolicyFactory(). - withName(policyName). - withNamespace(policyNamespace). - withPolicyServer(policyServerName). - withMutating(true). - build() + policy = policiesv1.NewAdmissionPolicyFactory(). + WithName(policyName). + WithNamespace(policyNamespace). + WithPolicyServer(policyServerName). + WithMutating(true). + Build() Expect(k8sClient.Create(ctx, policy)).To(Succeed()) }) @@ -309,7 +312,10 @@ var _ = Describe("AdmissionPolicy controller", Label("real-cluster"), func() { It("should set policy status to unscheduled when creating an AdmissionPolicy without a PolicyServer assigned", func() { policyName := newName("unscheduled-policy") Expect( - k8sClient.Create(ctx, newAdmissionPolicyFactory().withName(policyName).withNamespace(policyNamespace).build()), + k8sClient.Create(ctx, policiesv1.NewAdmissionPolicyFactory(). + WithName(policyName). + WithNamespace(policyNamespace). + Build()), ).To(haveSucceededOrAlreadyExisted()) Eventually(func() (*policiesv1.AdmissionPolicy, error) { @@ -325,7 +331,11 @@ var _ = Describe("AdmissionPolicy controller", Label("real-cluster"), func() { BeforeAll(func() { Expect( - k8sClient.Create(ctx, newAdmissionPolicyFactory().withName(policyName).withNamespace(policyNamespace).withPolicyServer(policyServerName).build()), + k8sClient.Create(ctx, policiesv1.NewAdmissionPolicyFactory(). + WithName(policyName). + WithNamespace(policyNamespace). + WithPolicyServer(policyServerName). + Build()), ).To(haveSucceededOrAlreadyExisted()) }) @@ -340,7 +350,9 @@ var _ = Describe("AdmissionPolicy controller", Label("real-cluster"), func() { It("should set the policy status to active when the PolicyServer is created", func() { By("creating the PolicyServer") Expect( - k8sClient.Create(ctx, newPolicyServerFactory().withName(policyServerName).build()), + k8sClient.Create(ctx, policiesv1.NewPolicyServerFactory(). + WithName(policyServerName). + Build()), ).To(haveSucceededOrAlreadyExisted()) By("changing the policy status to pending") diff --git a/internal/controller/admissionpolicygroup_controller_test.go b/internal/controller/admissionpolicygroup_controller_test.go index 66fff667..69d2224c 100644 --- a/internal/controller/admissionpolicygroup_controller_test.go +++ b/internal/controller/admissionpolicygroup_controller_test.go @@ -52,10 +52,16 @@ var _ = Describe("AdmissionPolicyGroup controller", Label("real-cluster"), func( BeforeAll(func() { policyServerName = newName("policy-server") - createPolicyServerAndWaitForItsService(ctx, newPolicyServerFactory().withName(policyServerName).build()) + createPolicyServerAndWaitForItsService(ctx, policiesv1.NewPolicyServerFactory(). + WithName(policyServerName). + Build()) policyName = newName("validating-policy") - policy = newAdmissionPolicyGroupFactory().withName(policyName).withNamespace(policyNamespace).withPolicyServer(policyServerName).build() + policy = policiesv1.NewAdmissionPolicyGroupFactory(). + WithName(policyName). + WithNamespace(policyNamespace). + WithPolicyServer(policyServerName). + Build() Expect(k8sClient.Create(ctx, policy)).To(Succeed()) }) @@ -172,7 +178,11 @@ var _ = Describe("AdmissionPolicyGroup controller", Label("real-cluster"), func( It("should set policy status to unscheduled when creating an AdmissionPolicyGroup without a PolicyServer assigned", func() { policyName := newName("unscheduled-policy") Expect( - k8sClient.Create(ctx, newAdmissionPolicyGroupFactory().withName(policyName).withNamespace(policyNamespace).withPolicyServer("").build()), + k8sClient.Create(ctx, policiesv1.NewAdmissionPolicyGroupFactory(). + WithName(policyName). + WithNamespace(policyNamespace). + WithPolicyServer(""). + Build()), ).To(haveSucceededOrAlreadyExisted()) Eventually(func() (*policiesv1.AdmissionPolicyGroup, error) { @@ -188,7 +198,11 @@ var _ = Describe("AdmissionPolicyGroup controller", Label("real-cluster"), func( BeforeAll(func() { Expect( - k8sClient.Create(ctx, newAdmissionPolicyGroupFactory().withName(policyName).withNamespace(policyNamespace).withPolicyServer(policyServerName).build()), + k8sClient.Create(ctx, policiesv1.NewAdmissionPolicyGroupFactory(). + WithName(policyName). + WithNamespace(policyNamespace). + WithPolicyServer(policyServerName). + Build()), ).To(haveSucceededOrAlreadyExisted()) }) @@ -203,7 +217,9 @@ var _ = Describe("AdmissionPolicyGroup controller", Label("real-cluster"), func( It("should set the policy status to active when the PolicyServer is created", func() { By("creating the PolicyServer") Expect( - k8sClient.Create(ctx, newPolicyServerFactory().withName(policyServerName).build()), + k8sClient.Create(ctx, policiesv1.NewPolicyServerFactory(). + WithName(policyServerName). + Build()), ).To(haveSucceededOrAlreadyExisted()) By("changing the policy status to pending") diff --git a/internal/controller/clusteradmissionpolicy_controller_test.go b/internal/controller/clusteradmissionpolicy_controller_test.go index a11672fc..7263ca2d 100644 --- a/internal/controller/clusteradmissionpolicy_controller_test.go +++ b/internal/controller/clusteradmissionpolicy_controller_test.go @@ -40,10 +40,16 @@ var _ = Describe("ClusterAdmissionPolicy controller", Label("real-cluster"), fun BeforeAll(func() { policyServerName = newName("policy-server") - createPolicyServerAndWaitForItsService(ctx, newPolicyServerFactory().withName(policyServerName).build()) + createPolicyServerAndWaitForItsService(ctx, policiesv1.NewPolicyServerFactory(). + WithName(policyServerName). + Build()) policyName = newName("validating-policy") - policy = newClusterAdmissionPolicyFactory().withName(policyName).withPolicyServer(policyServerName).withMutating(false).build() + policy = policiesv1.NewClusterAdmissionPolicyFactory(). + WithName(policyName). + WithPolicyServer(policyServerName). + WithMutating(false). + Build() Expect(k8sClient.Create(ctx, policy)).To(Succeed()) }) @@ -148,10 +154,16 @@ var _ = Describe("ClusterAdmissionPolicy controller", Label("real-cluster"), fun BeforeAll(func() { policyServerName = newName("policy-server") - createPolicyServerAndWaitForItsService(ctx, newPolicyServerFactory().withName(policyServerName).build()) + createPolicyServerAndWaitForItsService(ctx, policiesv1.NewPolicyServerFactory(). + WithName(policyServerName). + Build()) policyName = newName("mutating-policy") - policy = newClusterAdmissionPolicyFactory().withName(policyName).withPolicyServer(policyServerName).withMutating(true).build() + policy = policiesv1.NewClusterAdmissionPolicyFactory(). + WithName(policyName). + WithPolicyServer(policyServerName). + WithMutating(true). + Build() Expect(k8sClient.Create(ctx, policy)).To(Succeed()) }) @@ -251,7 +263,9 @@ var _ = Describe("ClusterAdmissionPolicy controller", Label("real-cluster"), fun It("should set policy status to unscheduled when creating an ClusterAdmissionPolicy without a PolicyServer assigned", func() { policyName := newName("unscheduled-policy") Expect( - k8sClient.Create(ctx, newClusterAdmissionPolicyFactory().withName(policyName).withPolicyServer("").withMutating(false).build()), + k8sClient.Create(ctx, policiesv1.NewClusterAdmissionPolicyFactory(). + WithName(policyName). + Build()), ).To(haveSucceededOrAlreadyExisted()) Eventually(func() (*policiesv1.ClusterAdmissionPolicy, error) { @@ -267,13 +281,19 @@ var _ = Describe("ClusterAdmissionPolicy controller", Label("real-cluster"), fun BeforeAll(func() { Expect( - k8sClient.Create(ctx, newClusterAdmissionPolicyFactory().withName(policyName).withPolicyServer(policyServerName).withMutating(false).build()), + k8sClient.Create(ctx, policiesv1.NewClusterAdmissionPolicyFactory(). + WithName(policyName). + WithPolicyServer(policyServerName). + Build()), ).To(haveSucceededOrAlreadyExisted()) }) It("should set the policy status to scheduled", func() { Expect( - k8sClient.Create(ctx, newClusterAdmissionPolicyFactory().withName(policyName).withPolicyServer(policyServerName).withMutating(false).build()), + k8sClient.Create(ctx, policiesv1.NewClusterAdmissionPolicyFactory(). + WithName(policyName). + WithPolicyServer(policyServerName). + Build()), ).To(haveSucceededOrAlreadyExisted()) Eventually(func() (*policiesv1.ClusterAdmissionPolicy, error) { @@ -286,7 +306,9 @@ var _ = Describe("ClusterAdmissionPolicy controller", Label("real-cluster"), fun It("should set the policy status to active when the PolicyServer is created", func() { By("creating the PolicyServer") Expect( - k8sClient.Create(ctx, newPolicyServerFactory().withName(policyServerName).build()), + k8sClient.Create(ctx, policiesv1.NewPolicyServerFactory(). + WithName(policyServerName). + Build()), ).To(haveSucceededOrAlreadyExisted()) By("changing the policy status to pending") diff --git a/internal/controller/clusteradmissionpolicygroup_controller_test.go b/internal/controller/clusteradmissionpolicygroup_controller_test.go index b621fcbc..b14d01e0 100644 --- a/internal/controller/clusteradmissionpolicygroup_controller_test.go +++ b/internal/controller/clusteradmissionpolicygroup_controller_test.go @@ -40,10 +40,15 @@ var _ = Describe("ClusterAdmissionPolicyGroup controller", Label("real-cluster") BeforeAll(func() { policyServerName = newName("policy-server") - createPolicyServerAndWaitForItsService(ctx, newPolicyServerFactory().withName(policyServerName).build()) + createPolicyServerAndWaitForItsService(ctx, policiesv1.NewPolicyServerFactory(). + WithName(policyServerName). + Build()) policyName = newName("validating-policy") - policy = newClusterAdmissionPolicyGroupFactory().withName(policyName).withPolicyServer(policyServerName).build() + policy = policiesv1.NewClusterAdmissionPolicyGroupFactory(). + WithName(policyName). + WithPolicyServer(policyServerName). + Build() Expect(k8sClient.Create(ctx, policy)).To(Succeed()) }) @@ -144,7 +149,10 @@ var _ = Describe("ClusterAdmissionPolicyGroup controller", Label("real-cluster") It("should set policy status to unscheduled when creating an ClusterAdmissionPolicyGroup without a PolicyServer assigned", func() { policyName := newName("unscheduled-policy") Expect( - k8sClient.Create(ctx, newClusterAdmissionPolicyGroupFactory().withName(policyName).withPolicyServer("").build()), + k8sClient.Create(ctx, policiesv1.NewClusterAdmissionPolicyGroupFactory(). + WithName(policyName). + WithPolicyServer(""). + Build()), ).To(haveSucceededOrAlreadyExisted()) Eventually(func() (*policiesv1.ClusterAdmissionPolicyGroup, error) { @@ -160,13 +168,19 @@ var _ = Describe("ClusterAdmissionPolicyGroup controller", Label("real-cluster") BeforeAll(func() { Expect( - k8sClient.Create(ctx, newClusterAdmissionPolicyGroupFactory().withName(policyName).withPolicyServer(policyServerName).build()), + k8sClient.Create(ctx, policiesv1.NewClusterAdmissionPolicyGroupFactory(). + WithName(policyName). + WithPolicyServer(policyServerName). + Build()), ).To(haveSucceededOrAlreadyExisted()) }) It("should set the policy status to scheduled", func() { Expect( - k8sClient.Create(ctx, newClusterAdmissionPolicyGroupFactory().withName(policyName).withPolicyServer(policyServerName).build()), + k8sClient.Create(ctx, policiesv1.NewClusterAdmissionPolicyGroupFactory(). + WithName(policyName). + WithPolicyServer(policyServerName). + Build()), ).To(haveSucceededOrAlreadyExisted()) Eventually(func() (*policiesv1.ClusterAdmissionPolicyGroup, error) { @@ -179,7 +193,9 @@ var _ = Describe("ClusterAdmissionPolicyGroup controller", Label("real-cluster") It("should set the policy status to active when the PolicyServer is created", func() { By("creating the PolicyServer") Expect( - k8sClient.Create(ctx, newPolicyServerFactory().withName(policyServerName).build()), + k8sClient.Create(ctx, policiesv1.NewPolicyServerFactory(). + WithName(policyServerName). + Build()), ).To(haveSucceededOrAlreadyExisted()) By("changing the policy status to pending") diff --git a/internal/controller/factories_test.go b/internal/controller/factories_test.go deleted file mode 100644 index fd1d21e1..00000000 --- a/internal/controller/factories_test.go +++ /dev/null @@ -1,318 +0,0 @@ -package controller - -import ( - "os" - - admissionregistrationv1 "k8s.io/api/admissionregistration/v1" - metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - - policiesv1 "github.com/kubewarden/kubewarden-controller/api/policies/v1" - "github.com/kubewarden/kubewarden-controller/internal/constants" -) - -type admissionPolicyFactory struct { - name string - namespace string - policyServer string - mutating bool - rules []admissionregistrationv1.RuleWithOperations - module string -} - -func newAdmissionPolicyFactory() *admissionPolicyFactory { - return &admissionPolicyFactory{ - name: newName("validating-policy"), - namespace: "", - policyServer: "", - mutating: false, - rules: []admissionregistrationv1.RuleWithOperations{}, - module: "registry://ghcr.io/kubewarden/tests/pod-privileged:v0.2.5", - } -} - -func (fac *admissionPolicyFactory) withName(name string) *admissionPolicyFactory { - fac.name = name - return fac -} - -func (fac *admissionPolicyFactory) withNamespace(namespace string) *admissionPolicyFactory { - fac.namespace = namespace - return fac -} - -func (fac *admissionPolicyFactory) withPolicyServer(policyServer string) *admissionPolicyFactory { - fac.policyServer = policyServer - return fac -} - -func (fac *admissionPolicyFactory) withMutating(mutating bool) *admissionPolicyFactory { - fac.mutating = mutating - return fac -} - -func (fac *admissionPolicyFactory) build() *policiesv1.AdmissionPolicy { - policy := policiesv1.AdmissionPolicy{ - ObjectMeta: metav1.ObjectMeta{ - Name: fac.name, - Namespace: fac.namespace, - Finalizers: []string{ - // On a real cluster the Kubewarden finalizer is added by our mutating - // webhook. This is not running now, hence we have to manually add the finalizer - constants.KubewardenFinalizer, - // By adding this finalizer automatically, we ensure that when - // testing removal of finalizers on deleted objects, that they will - // exist at all times - integrationTestsFinalizer, - }, - }, - Spec: policiesv1.AdmissionPolicySpec{ - PolicySpec: policiesv1.PolicySpec{ - PolicyServer: fac.policyServer, - Module: fac.module, - Rules: fac.rules, - Mutating: fac.mutating, - MatchConditions: []admissionregistrationv1.MatchCondition{ - { - Name: "noop", - Expression: "true", - }, - }, - }, - }, - } - return &policy -} - -type clusterAdmissionPolicyFactory struct { - name string - policyServer string - mutating bool - rules []admissionregistrationv1.RuleWithOperations - module string -} - -func newClusterAdmissionPolicyFactory() *clusterAdmissionPolicyFactory { - return &clusterAdmissionPolicyFactory{ - name: newName("validating-cluster-policy"), - policyServer: "", - mutating: false, - rules: []admissionregistrationv1.RuleWithOperations{}, - module: "registry://ghcr.io/kubewarden/tests/pod-privileged:v0.2.5", - } -} - -func (fac *clusterAdmissionPolicyFactory) withName(name string) *clusterAdmissionPolicyFactory { - fac.name = name - return fac -} - -func (fac *clusterAdmissionPolicyFactory) withPolicyServer(policyServer string) *clusterAdmissionPolicyFactory { - fac.policyServer = policyServer - return fac -} - -func (fac *clusterAdmissionPolicyFactory) withMutating(mutating bool) *clusterAdmissionPolicyFactory { - fac.mutating = mutating - return fac -} - -func (fac *clusterAdmissionPolicyFactory) build() *policiesv1.ClusterAdmissionPolicy { - clusterAdmissionPolicy := policiesv1.ClusterAdmissionPolicy{ - ObjectMeta: metav1.ObjectMeta{ - Name: fac.name, - Finalizers: []string{ - // On a real cluster the Kubewarden finalizer is added by our mutating - // webhook. This is not running now, hence we have to manually add the finalizer - constants.KubewardenFinalizer, - // By adding this finalizer automatically, we ensure that when - // testing removal of finalizers on deleted objects, that they will - // exist at all times - integrationTestsFinalizer, - }}, - Spec: policiesv1.ClusterAdmissionPolicySpec{ - PolicySpec: policiesv1.PolicySpec{ - PolicyServer: fac.policyServer, - Module: fac.module, - Rules: fac.rules, - Mutating: fac.mutating, - MatchConditions: []admissionregistrationv1.MatchCondition{ - {Name: "noop", Expression: "true"}, - }, - }, - }, - } - return &clusterAdmissionPolicy -} - -type policyServerBuilder struct { - name string -} - -func newPolicyServerFactory() *policyServerBuilder { - return &policyServerBuilder{ - name: newName("policy-server"), - } -} - -func (fac *policyServerBuilder) withName(name string) *policyServerBuilder { - fac.name = name - return fac -} - -func (fac *policyServerBuilder) build() *policiesv1.PolicyServer { - policyServer := policiesv1.PolicyServer{ - ObjectMeta: metav1.ObjectMeta{ - Name: fac.name, - Finalizers: []string{ - // On a real cluster the Kubewarden finalizer is added by our mutating - // webhook. This is not running now, hence we have to manually add the finalizer - constants.KubewardenFinalizer, - // By adding this finalizer automatically, we ensure that when - // testing removal of finalizers on deleted objects, that they will - // exist at all times - integrationTestsFinalizer, - }, - }, - Spec: policiesv1.PolicyServerSpec{ - Image: policyServerRepository() + ":" + policyServerVersion(), - Replicas: 1, - }, - } - return &policyServer -} - -type admissionPolicyGroupFactory struct { - name string - namespace string - policyServer string -} - -func newAdmissionPolicyGroupFactory() *admissionPolicyGroupFactory { - return &admissionPolicyGroupFactory{ - name: newName("validating-policygroup"), - namespace: "", - policyServer: "", - } -} - -func (fac *admissionPolicyGroupFactory) withName(name string) *admissionPolicyGroupFactory { - fac.name = name - return fac -} - -func (fac *admissionPolicyGroupFactory) withNamespace(namespace string) *admissionPolicyGroupFactory { - fac.namespace = namespace - return fac -} - -func (fac *admissionPolicyGroupFactory) withPolicyServer(policyServer string) *admissionPolicyGroupFactory { - fac.policyServer = policyServer - return fac -} - -func (fac *admissionPolicyGroupFactory) build() *policiesv1.AdmissionPolicyGroup { - admissionPolicy := policiesv1.AdmissionPolicyGroup{ - ObjectMeta: metav1.ObjectMeta{ - Name: fac.name, - Namespace: fac.namespace, - Finalizers: []string{ - // On a real cluster the Kubewarden finalizer is added by our mutating - // webhook. This is not running now, hence we have to manually add the finalizer - constants.KubewardenFinalizer, - // By adding this finalizer automatically, we ensure that when - // testing removal of finalizers on deleted objects, that they will - // exist at all times - integrationTestsFinalizer, - }, - }, - Spec: policiesv1.AdmissionPolicyGroupSpec{ - PolicyGroupSpec: policiesv1.PolicyGroupSpec{ - PolicyServer: fac.policyServer, - Policies: policiesv1.PolicyGroupMembers{ - "pod-privileged": { - Module: "registry://ghcr.io/kubewarden/tests/pod-privileged:v0.2.5", - }, - }, - Rules: []admissionregistrationv1.RuleWithOperations{}, - MatchConditions: []admissionregistrationv1.MatchCondition{ - {Name: "noop", Expression: "true"}, - }, - }, - }, - } - return &admissionPolicy -} - -type clusterAdmissionPolicyGroupFactory struct { - name string - policyServer string -} - -func newClusterAdmissionPolicyGroupFactory() *clusterAdmissionPolicyGroupFactory { - return &clusterAdmissionPolicyGroupFactory{ - name: newName("validating-policygroup"), - policyServer: "", - } -} - -func (fac *clusterAdmissionPolicyGroupFactory) withName(name string) *clusterAdmissionPolicyGroupFactory { - fac.name = name - return fac -} - -func (fac *clusterAdmissionPolicyGroupFactory) withPolicyServer(policyServer string) *clusterAdmissionPolicyGroupFactory { - fac.policyServer = policyServer - return fac -} - -func (fac *clusterAdmissionPolicyGroupFactory) build() *policiesv1.ClusterAdmissionPolicyGroup { - clusterAdmissionPolicy := policiesv1.ClusterAdmissionPolicyGroup{ - ObjectMeta: metav1.ObjectMeta{ - Name: fac.name, - Finalizers: []string{ - // On a real cluster the Kubewarden finalizer is added by our mutating - // webhook. This is not running now, hence we have to manually add the finalizer - constants.KubewardenFinalizer, - // By adding this finalizer automatically, we ensure that when - // testing removal of finalizers on deleted objects, that they will - // exist at all times - integrationTestsFinalizer, - }, - }, - Spec: policiesv1.ClusterAdmissionPolicyGroupSpec{ - PolicyGroupSpec: policiesv1.PolicyGroupSpec{ - Rules: []admissionregistrationv1.RuleWithOperations{}, - PolicyServer: fac.policyServer, - MatchConditions: []admissionregistrationv1.MatchCondition{ - {Name: "noop", Expression: "true"}, - }, - Policies: policiesv1.PolicyGroupMembers{ - "pod-privileged": { - Module: "registry://ghcr.io/kubewarden/tests/pod-privileged:v0.2.5", - }, - "user-group-psp": { - Module: "registry://ghcr.io/kubewarden/tests/user-group-psp:v0.4.9", - }, - }, - }, - }, - } - return &clusterAdmissionPolicy -} - -func policyServerRepository() string { - repository, ok := os.LookupEnv("POLICY_SERVER_REPOSITORY") - if !ok { - return defaultKubewardenRepository - } - return repository -} - -func policyServerVersion() string { - version, ok := os.LookupEnv("POLICY_SERVER_VERSION") - if !ok { - return "latest" - } - - return version -} diff --git a/internal/controller/policyserver_controller_test.go b/internal/controller/policyserver_controller_test.go index 5bb69b4f..3f7eb966 100644 --- a/internal/controller/policyserver_controller_test.go +++ b/internal/controller/policyserver_controller_test.go @@ -48,7 +48,7 @@ var _ = Describe("PolicyServer controller", func() { When("creating a PolicyServer", func() { It("should use the policy server tolerations configuration in the policy server deployment", func() { tolerationSeconds := int64(10) - policyServer := newPolicyServerFactory().withName(policyServerName).build() + policyServer := policiesv1.NewPolicyServerFactory().WithName(policyServerName).Build() policyServer.Spec.Tolerations = []corev1.Toleration{{ Key: "key1", Operator: corev1.TolerationOpEqual, @@ -89,7 +89,7 @@ var _ = Describe("PolicyServer controller", func() { }) It("should use the policy server affinity configuration in the policy server deployment", func() { - policyServer := newPolicyServerFactory().withName(policyServerName).build() + policyServer := policiesv1.NewPolicyServerFactory().WithName(policyServerName).Build() policyServer.Spec.Affinity = corev1.Affinity{ NodeAffinity: &corev1.NodeAffinity{ RequiredDuringSchedulingIgnoredDuringExecution: &corev1.NodeSelector{ @@ -128,7 +128,7 @@ var _ = Describe("PolicyServer controller", func() { }) It("should create policy server deployment with some default configuration", func() { - policyServer := newPolicyServerFactory().withName(policyServerName).build() + policyServer := policiesv1.NewPolicyServerFactory().WithName(policyServerName).Build() createPolicyServerAndWaitForItsService(ctx, policyServer) deployment, err := getTestPolicyServerDeployment(ctx, policyServerName) @@ -178,7 +178,7 @@ var _ = Describe("PolicyServer controller", func() { }) It("should create the policy server deployment and use the user defined security contexts", func() { - policyServer := newPolicyServerFactory().withName(policyServerName).build() + policyServer := policiesv1.NewPolicyServerFactory().WithName(policyServerName).Build() runAsUser := int64(1000) privileged := true runAsNonRoot := false @@ -229,7 +229,7 @@ var _ = Describe("PolicyServer controller", func() { }) It("should create the policy server configmap empty if no policies are assigned ", func() { - policyServer := newPolicyServerFactory().withName(policyServerName).build() + policyServer := policiesv1.NewPolicyServerFactory().WithName(policyServerName).Build() createPolicyServerAndWaitForItsService(ctx, policyServer) configmap, err := getTestPolicyServerConfigMap(ctx, policyServerName) @@ -244,47 +244,57 @@ var _ = Describe("PolicyServer controller", func() { }) It("should create the policy server configmap with the assigned policies", func() { - policyServer := newPolicyServerFactory().withName(policyServerName).build() + policyServer := policiesv1.NewPolicyServerFactory().WithName(policyServerName).Build() createPolicyServerAndWaitForItsService(ctx, policyServer) - admissionPolicy := newAdmissionPolicyFactory().withName(newName("admission-policy")).withNamespace("default").withPolicyServer(policyServerName).build() + admissionPolicy := policiesv1.NewAdmissionPolicyFactory(). + WithPolicyServer(policyServerName). + Build() Expect(k8sClient.Create(ctx, admissionPolicy)).To(Succeed()) - clusterAdmissionPolicy := newClusterAdmissionPolicyFactory().withName(newName("cluster-admission")).withPolicyServer(policyServerName).withMutating(false).build() - clusterAdmissionPolicy.Spec.ContextAwareResources = []policiesv1.ContextAwareResource{ - { - APIVersion: "v1", - Kind: "Pod", - }, - { - APIVersion: "v1", - Kind: "Deployment", - }, - } + clusterAdmissionPolicy := policiesv1.NewClusterAdmissionPolicyFactory(). + WithPolicyServer(policyServerName). + WithContextAwareResources([]policiesv1.ContextAwareResource{ + { + APIVersion: "v1", + Kind: "Pod", + }, + { + APIVersion: "v1", + Kind: "Deployment", + }, + }). + Build() Expect(k8sClient.Create(ctx, clusterAdmissionPolicy)).To(Succeed()) - admissionPolicyGroup := newAdmissionPolicyGroupFactory().withName(newName("admissing-policy-group")).withNamespace("default").withPolicyServer(policyServerName).build() + admissionPolicyGroup := policiesv1.NewAdmissionPolicyGroupFactory(). + WithPolicyServer(policyServerName). + Build() Expect(k8sClient.Create(ctx, admissionPolicyGroup)).To(Succeed()) - clusterPolicyGroup := newClusterAdmissionPolicyGroupFactory().withName(newName("cluster-admission-policy-group")).withPolicyServer(policyServerName).build() - podPrivilegedPolicy := clusterPolicyGroup.Spec.Policies["pod-privileged"] - podPrivilegedPolicy.ContextAwareResources = []policiesv1.ContextAwareResource{ - { - APIVersion: "v1", - Kind: "Pod", - }, - } - clusterPolicyGroup.Spec.Policies["pod-privileged"] = podPrivilegedPolicy - - userGroupPolicy := clusterPolicyGroup.Spec.Policies["user-group-psp"] - userGroupPolicy.ContextAwareResources = []policiesv1.ContextAwareResource{ - { - APIVersion: "v1", - Kind: "Deployment", - }, - } - clusterPolicyGroup.Spec.Policies["user-group-psp"] = userGroupPolicy - + clusterPolicyGroup := policiesv1.NewClusterAdmissionPolicyGroupFactory(). + WithPolicyServer(policyServerName). + WithMembers(policiesv1.PolicyGroupMembers{ + "pod_privileged": { + Module: "registry://ghcr.io/kubewarden/tests/pod-privileged:v0.2.5", + ContextAwareResources: []policiesv1.ContextAwareResource{ + { + APIVersion: "v1", + Kind: "Pod", + }, + }, + }, + "user_group_psp": { + Module: "registry://ghcr.io/kubewarden/tests/user-group-psp:v0.4.9", + ContextAwareResources: []policiesv1.ContextAwareResource{ + { + APIVersion: "v1", + Kind: "Deployment", + }, + }, + }, + }). + Build() Expect(k8sClient.Create(ctx, clusterPolicyGroup)).To(Succeed()) policiesMap := policyConfigEntryMap{} @@ -393,8 +403,8 @@ var _ = Describe("PolicyServer controller", func() { "Name": Equal(admissionPolicyGroup.GetName()), }), "policies": MatchKeys(IgnoreExtras, Keys{ - "pod-privileged": MatchKeys(IgnoreExtras, Keys{ - "module": Equal(admissionPolicyGroup.GetPolicyGroupMembers()["pod-privileged"].Module), + "pod_privileged": MatchKeys(IgnoreExtras, Keys{ + "module": Equal(admissionPolicyGroup.GetPolicyGroupMembers()["pod_privileged"].Module), }), }), "policyMode": Equal(string(admissionPolicyGroup.GetPolicyMode())), @@ -407,16 +417,16 @@ var _ = Describe("PolicyServer controller", func() { "Name": Equal(clusterPolicyGroup.GetName()), }), "policies": MatchKeys(IgnoreExtras, Keys{ - "pod-privileged": MatchAllKeys(Keys{ - "module": Equal(clusterPolicyGroup.GetPolicyGroupMembers()["pod-privileged"].Module), + "pod_privileged": MatchAllKeys(Keys{ + "module": Equal(clusterPolicyGroup.GetPolicyGroupMembers()["pod_privileged"].Module), "settings": Ignore(), "contextAwareResources": And(ContainElement(MatchAllKeys(Keys{ "apiVersion": Equal("v1"), "kind": Equal("Pod"), })), HaveLen(1)), }), - "user-group-psp": MatchAllKeys(Keys{ - "module": Equal(clusterPolicyGroup.GetPolicyGroupMembers()["user-group-psp"].Module), + "user_group_psp": MatchAllKeys(Keys{ + "module": Equal(clusterPolicyGroup.GetPolicyGroupMembers()["user_group_psp"].Module), "settings": Ignore(), "contextAwareResources": And(ContainElement(MatchAllKeys(Keys{ "apiVersion": Equal("v1"), @@ -441,7 +451,7 @@ var _ = Describe("PolicyServer controller", func() { }) It("should create the policy server configmap with the sources authorities", func() { - policyServer := newPolicyServerFactory().withName(policyServerName).build() + policyServer := policiesv1.NewPolicyServerFactory().WithName(policyServerName).Build() policyServer.Spec.InsecureSources = []string{"localhost:5000"} policyServer.Spec.SourceAuthorities = map[string][]string{ "myprivateregistry:5000": {"cert1", "cert2"}, @@ -481,7 +491,7 @@ var _ = Describe("PolicyServer controller", func() { }) It("should create PodDisruptionBudget when policy server has MinAvailable configuration set", func() { - policyServer := newPolicyServerFactory().withName(policyServerName).build() + policyServer := policiesv1.NewPolicyServerFactory().WithName(policyServerName).Build() minAvailable := intstr.FromInt(2) policyServer.Spec.MinAvailable = &minAvailable createPolicyServerAndWaitForItsService(ctx, policyServer) @@ -493,7 +503,7 @@ var _ = Describe("PolicyServer controller", func() { }) It("should create PodDisruptionBudget when policy server has MaxUnavailable configuration set", func() { - policyServer := newPolicyServerFactory().withName(policyServerName).build() + policyServer := policiesv1.NewPolicyServerFactory().WithName(policyServerName).Build() maxUnavailable := intstr.FromInt(2) policyServer.Spec.MaxUnavailable = &maxUnavailable createPolicyServerAndWaitForItsService(ctx, policyServer) @@ -505,7 +515,7 @@ var _ = Describe("PolicyServer controller", func() { }) It("should not create PodDisruptionBudget when policy server has no PDB configuration", func() { - policyServer := newPolicyServerFactory().withName(policyServerName).build() + policyServer := policiesv1.NewPolicyServerFactory().WithName(policyServerName).Build() createPolicyServerAndWaitForItsService(ctx, policyServer) Consistently(func() error { @@ -515,7 +525,7 @@ var _ = Describe("PolicyServer controller", func() { }) It("should create the PolicyServer deployment with the limits and the requests", func() { - policyServer := newPolicyServerFactory().withName(policyServerName).build() + policyServer := policiesv1.NewPolicyServerFactory().WithName(policyServerName).Build() policyServer.Spec.Limits = corev1.ResourceList{ "cpu": resource.MustParse("100m"), "memory": resource.MustParse("1Gi"), @@ -534,7 +544,7 @@ var _ = Describe("PolicyServer controller", func() { }) It("should create deployment with owner reference", func() { - policyServer := newPolicyServerFactory().withName(policyServerName).build() + policyServer := policiesv1.NewPolicyServerFactory().WithName(policyServerName).Build() createPolicyServerAndWaitForItsService(ctx, policyServer) Eventually(func() error { @@ -561,7 +571,7 @@ var _ = Describe("PolicyServer controller", func() { }) It("should create configmap with owner reference", func() { - policyServer := newPolicyServerFactory().withName(policyServerName).build() + policyServer := policiesv1.NewPolicyServerFactory().WithName(policyServerName).Build() createPolicyServerAndWaitForItsService(ctx, policyServer) Eventually(func() error { @@ -587,7 +597,7 @@ var _ = Describe("PolicyServer controller", func() { }) It("should create service with owner reference", func() { - policyServer := newPolicyServerFactory().withName(policyServerName).build() + policyServer := policiesv1.NewPolicyServerFactory().WithName(policyServerName).Build() createPolicyServerAndWaitForItsService(ctx, policyServer) Eventually(func() error { @@ -613,7 +623,7 @@ var _ = Describe("PolicyServer controller", func() { }) It("should create the policy server secrets", func() { - policyServer := newPolicyServerFactory().withName(policyServerName).build() + policyServer := policiesv1.NewPolicyServerFactory().WithName(policyServerName).Build() createPolicyServerAndWaitForItsService(ctx, policyServer) Eventually(func() error { @@ -645,7 +655,7 @@ var _ = Describe("PolicyServer controller", func() { }) It("should set the configMap version as a deployment annotation", func() { - policyServer := newPolicyServerFactory().withName(policyServerName).build() + policyServer := policiesv1.NewPolicyServerFactory().WithName(policyServerName).Build() createPolicyServerAndWaitForItsService(ctx, policyServer) configmap, err := getTestPolicyServerConfigMap(ctx, policyServerName) @@ -667,7 +677,7 @@ var _ = Describe("PolicyServer controller", func() { }) It("should update the configMap version after adding a policy", func() { - policyServer := newPolicyServerFactory().withName(policyServerName).build() + policyServer := policiesv1.NewPolicyServerFactory().WithName(policyServerName).Build() createPolicyServerAndWaitForItsService(ctx, policyServer) initalConfigMap, err := getTestPolicyServerConfigMap(ctx, policyServerName) @@ -688,7 +698,10 @@ var _ = Describe("PolicyServer controller", func() { }, timeout, pollInterval).Should(Succeed()) policyName := newName("validating-policy") - policy := newClusterAdmissionPolicyFactory().withName(policyName).withPolicyServer(policyServerName).withMutating(false).build() + policy := policiesv1.NewClusterAdmissionPolicyFactory(). + WithName(policyName). + WithPolicyServer(policyServerName). + Build() Expect(k8sClient.Create(ctx, policy)).To(Succeed()) Eventually(func() error { @@ -718,7 +731,7 @@ var _ = Describe("PolicyServer controller", func() { var policyServer *policiesv1.PolicyServer BeforeEach(func() { - policyServer = newPolicyServerFactory().withName(policyServerName).build() + policyServer = policiesv1.NewPolicyServerFactory().WithName(policyServerName).Build() createPolicyServerAndWaitForItsService(ctx, policyServer) }) @@ -998,13 +1011,13 @@ var _ = Describe("PolicyServer controller", func() { When("deleting a PolicyServer", func() { BeforeEach(func() { - createPolicyServerAndWaitForItsService(ctx, newPolicyServerFactory().withName(policyServerName).build()) + createPolicyServerAndWaitForItsService(ctx, policiesv1.NewPolicyServerFactory().WithName(policyServerName).Build()) }) Context("with no assigned policies", func() { It("should get its finalizer removed", func() { Expect( - k8sClient.Delete(ctx, newPolicyServerFactory().withName(policyServerName).build()), + k8sClient.Delete(ctx, policiesv1.NewPolicyServerFactory().WithName(policyServerName).Build()), ).To(Succeed()) Eventually(func() (*policiesv1.PolicyServer, error) { @@ -1036,7 +1049,7 @@ var _ = Describe("PolicyServer controller", func() { }, timeout, pollInterval).Should(Succeed()) Expect( - k8sClient.Delete(ctx, newPolicyServerFactory().withName(policyServerName).build()), + k8sClient.Delete(ctx, policiesv1.NewPolicyServerFactory().WithName(policyServerName).Build()), ).To(Succeed()) Eventually(func() (*policiesv1.PolicyServer, error) { @@ -1053,7 +1066,10 @@ var _ = Describe("PolicyServer controller", func() { BeforeEach(func() { policyName = newName("policy") Expect( - k8sClient.Create(ctx, newClusterAdmissionPolicyFactory().withName(policyName).withPolicyServer(policyServerName).withMutating(false).build()), + k8sClient.Create(ctx, policiesv1.NewClusterAdmissionPolicyFactory(). + WithName(policyName). + WithPolicyServer(policyServerName). + Build()), ).To(Succeed()) Eventually(func() error { _, err := getTestClusterAdmissionPolicy(ctx, policyName) @@ -1068,7 +1084,7 @@ var _ = Describe("PolicyServer controller", func() { It("should delete assigned policies", func() { Expect( - k8sClient.Delete(ctx, newPolicyServerFactory().withName(policyServerName).build()), + k8sClient.Delete(ctx, policiesv1.NewPolicyServerFactory().WithName(policyServerName).Build()), ).To(Succeed()) Eventually(func() (*policiesv1.ClusterAdmissionPolicy, error) { @@ -1099,7 +1115,7 @@ var _ = Describe("PolicyServer controller", func() { }, timeout, pollInterval).Should(Succeed()) Expect( - k8sClient.Delete(ctx, newPolicyServerFactory().withName(policyServerName).build()), + k8sClient.Delete(ctx, policiesv1.NewPolicyServerFactory().WithName(policyServerName).Build()), ).To(Succeed()) Eventually(func() (*policiesv1.ClusterAdmissionPolicy, error) { @@ -1114,7 +1130,7 @@ var _ = Describe("PolicyServer controller", func() { It("should not delete its managed resources until all the scheduled policies are gone", func() { Expect( - k8sClient.Delete(ctx, newPolicyServerFactory().withName(policyServerName).build()), + k8sClient.Delete(ctx, policiesv1.NewPolicyServerFactory().WithName(policyServerName).Build()), ).To(Succeed()) Eventually(func() (*policiesv1.ClusterAdmissionPolicy, error) { @@ -1142,7 +1158,7 @@ var _ = Describe("PolicyServer controller", func() { }).Should(Succeed()) Expect( - k8sClient.Delete(ctx, newPolicyServerFactory().withName(policyServerName).build()), + k8sClient.Delete(ctx, policiesv1.NewPolicyServerFactory().WithName(policyServerName).Build()), ).To(Succeed()) // wait for the reconciliation loop of the ClusterAdmissionPolicy to remove the resource