Merge pull request #104 from skeeey/rbac-accept

enhance cluster accept check

pkg/webhook/cluster/validating_webhook.go

@@ -91,7 +91,7 @@ func (a *ManagedClusterValidatingAdmissionHook) validateCreateRequest(request *a
 	if managedCluster.Spec.HubAcceptsClient {
 		// the HubAcceptsClient field is changed, we need to check the request user whether
 		// has been allowed to change the HubAcceptsClient field with SubjectAccessReview api
-		if status := a.allowUpdateAcceptField(request.UserInfo); !status.Allowed {
+		if status := a.allowUpdateAcceptField(managedCluster.Name, request.UserInfo); !status.Allowed {
 			return status
 		}
 	}
@@ -133,7 +133,7 @@ func (a *ManagedClusterValidatingAdmissionHook) validateUpdateRequest(request *a
 	if newManagedCluster.Spec.HubAcceptsClient != oldManagedCluster.Spec.HubAcceptsClient {
 		// the HubAcceptsClient field is changed, we need to check the request user whether
 		// has been allowed to update the HubAcceptsClient field with SubjectAccessReview api
-		if status := a.allowUpdateAcceptField(request.UserInfo); !status.Allowed {
+		if status := a.allowUpdateAcceptField(newManagedCluster.Name, request.UserInfo); !status.Allowed {
 			return status
 		}
 	}
@@ -176,7 +176,7 @@ func (a *ManagedClusterValidatingAdmissionHook) validateManagedClusterObj(reques
 
 // allowUpdateHubAcceptsClientField using SubjectAccessReview API to check whether a request user has been authorized to update
 // HubAcceptsClient field
-func (a *ManagedClusterValidatingAdmissionHook) allowUpdateAcceptField(userInfo authenticationv1.UserInfo) *admissionv1beta1.AdmissionResponse {
+func (a *ManagedClusterValidatingAdmissionHook) allowUpdateAcceptField(clusterName string, userInfo authenticationv1.UserInfo) *admissionv1beta1.AdmissionResponse {
 	status := &admissionv1beta1.AdmissionResponse{}
 
 	extra := make(map[string]authorizationv1.ExtraValue)
@@ -195,6 +195,7 @@ func (a *ManagedClusterValidatingAdmissionHook) allowUpdateAcceptField(userInfo
 				Resource:    "managedclusters",
 				Verb:        "update",
 				Subresource: "accept",
+				Name:        clusterName,
 			},
 		},
 	}

test/e2e/webhook_test.go

@@ -126,6 +126,31 @@ var _ = ginkgo.Describe("Admission webhook", func() {
 				)))
 			})
 
+			ginkgo.It("Should accept the request when creating an accepted managed cluster by authorized user", func() {
+				sa := fmt.Sprintf("webhook-sa-%s", rand.String(6))
+				clusterName := fmt.Sprintf("webhook-spoke-%s", rand.String(6))
+
+				ginkgo.By(fmt.Sprintf("create an managed cluster %q with authorized service account %q", clusterName, sa))
+				authorizedClient, err := buildClusterClient(saNamespace, sa, []rbacv1.PolicyRule{
+					{
+						APIGroups: []string{"cluster.open-cluster-management.io"},
+						Resources: []string{"managedclusters"},
+						Verbs:     []string{"create", "get", "update"},
+					},
+					{
+						APIGroups:     []string{"register.open-cluster-management.io"},
+						Resources:     []string{"managedclusters/accept"},
+						ResourceNames: []string{clusterName},
+						Verbs:         []string{"update"},
+					},
+				}, nil)
+				gomega.Expect(err).ToNot(gomega.HaveOccurred())
+
+				managedCluster := newManagedCluster(clusterName, true, validURL)
+				_, err = authorizedClient.ClusterV1().ManagedClusters().Create(context.TODO(), managedCluster, metav1.CreateOptions{})
+				gomega.Expect(err).ToNot(gomega.HaveOccurred())
+			})
+
 			ginkgo.It("Should accept the request when creating a managed cluster with clusterset specified by authorized user", func() {
 				clusterSetName := fmt.Sprintf("webhook-spoke-%s", rand.String(6))
 				ginkgo.By(fmt.Sprintf("create a managed cluster set %q", clusterSetName))