From bb9f76595a491dc15ab53d4df7a38d091a6fe3c0 Mon Sep 17 00:00:00 2001
From: liuwei
Date: Thu, 17 Dec 2020 13:42:13 +0800
Subject: [PATCH] check resource name for cluster accept

Signed-off-by: liuwei
---
 pkg/webhook/cluster/validating_webhook.go | 7 ++++---
 test/e2e/webhook_test.go | 25 +++++++++++++++++++++++
 2 files changed, 29 insertions(+), 3 deletions(-)

diff --git a/pkg/webhook/cluster/validating_webhook.go b/pkg/webhook/cluster/validating_webhook.go
index 4e5ff7047..936c5d93a 100644
--- a/pkg/webhook/cluster/validating_webhook.go
+++ b/pkg/webhook/cluster/validating_webhook.go
@@ -91,7 +91,7 @@ func (a *ManagedClusterValidatingAdmissionHook) validateCreateRequest(request *a
 if managedCluster.Spec.HubAcceptsClient {
 // the HubAcceptsClient field is changed, we need to check the request user whether
 // has been allowed to change the HubAcceptsClient field with SubjectAccessReview api
-if status := a.allowUpdateAcceptField(request.UserInfo); !status.Allowed {
+if status := a.allowUpdateAcceptField(managedCluster.Name, request.UserInfo); !status.Allowed {
 return status
 }
 }
@@ -133,7 +133,7 @@ func (a *ManagedClusterValidatingAdmissionHook) validateUpdateRequest(request *a
 if newManagedCluster.Spec.HubAcceptsClient != oldManagedCluster.Spec.HubAcceptsClient {
 // the HubAcceptsClient field is changed, we need to check the request user whether
 // has been allowed to update the HubAcceptsClient field with SubjectAccessReview api
-if status := a.allowUpdateAcceptField(request.UserInfo); !status.Allowed {
+if status := a.allowUpdateAcceptField(newManagedCluster.Name, request.UserInfo); !status.Allowed {
 return status
 }
 }
@@ -176,7 +176,7 @@ func (a *ManagedClusterValidatingAdmissionHook) validateManagedClusterObj(reques
 
 // allowUpdateHubAcceptsClientField using SubjectAccessReview API to check whether a request user has been authorized to update
 // HubAcceptsClient field
-func (a *ManagedClusterValidatingAdmissionHook) allowUpdateAcceptField(userInfo authenticationv1.UserInfo) *admissionv1beta1.AdmissionResponse {
+func (a *ManagedClusterValidatingAdmissionHook) allowUpdateAcceptField(clusterName string, userInfo authenticationv1.UserInfo) *admissionv1beta1.AdmissionResponse {
 status := &admissionv1beta1.AdmissionResponse{}
 
 extra := make(map[string]authorizationv1.ExtraValue)
@@ -195,6 +195,7 @@ func (a *ManagedClusterValidatingAdmissionHook) allowUpdateAcceptField(userInfo
 Resource: "managedclusters",
 Verb: "update",
 Subresource: "accept",
+Name: clusterName,
 },
 },
 }
diff --git a/test/e2e/webhook_test.go b/test/e2e/webhook_test.go
index 506001aa9..0c469c362 100644
--- a/test/e2e/webhook_test.go
+++ b/test/e2e/webhook_test.go
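Review bot: The doc comment left above the rewritten signature still says `allowUpdateHubAcceptsClientField`, but the function is `allowUpdateAcceptField`, and the new `clusterName` parameter — which now drives the `Name` of the SubjectAccessReview in the next hunk — is not described; Go doc comments must start with the function's own name or tooling will not pick them up. Replace the two comment lines with `// allowUpdateAcceptField uses the SubjectAccessReview API to check whether the request user is authorized to update the HubAcceptsClient field (the managedclusters/accept subresource) of the managed cluster named clusterName.` It is also worth a sentence there that an empty clusterName turns the SAR into an all-names check, which RBAC roles scoped with resourceNames will fail but unrestricted roles will still pass — presumably acceptable, but it should be stated since callers now control this. The body of allowUpdateAcceptField continues outside the hunk.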
@@ -126,6 +126,31 @@ var _ = ginkgo.Describe("Admission webhook", func() {
 )))
 })
 
+ginkgo.It("Should accept the request when creating an accepted managed cluster by authorized user", func() {
+sa := fmt.Sprintf("webhook-sa-%s", rand.String(6))
+clusterName := fmt.Sprintf("webhook-spoke-%s", rand.String(6))
+
+ginkgo.By(fmt.Sprintf("create an managed cluster %q with authorized service account %q", clusterName, sa))
+authorizedClient, err := buildClusterClient(saNamespace, sa, []rbacv1.PolicyRule{
+{
+APIGroups: []string{"cluster.open-cluster-management.io"},
+Resources: []string{"managedclusters"},
+Verbs: []string{"create", "get", "update"},
+},
+{
+APIGroups: []string{"register.open-cluster-management.io"},
+Resources: []string{"managedclusters/accept"},
+ResourceNames: []string{clusterName},
+Verbs: []string{"update"},
+},
+}, nil)
+gomega.Expect(err).ToNot(gomega.HaveOccurred())
+
+managedCluster := newManagedCluster(clusterName, true, validURL)
+_, err = authorizedClient.ClusterV1().ManagedClusters().Create(context.TODO(), managedCluster, metav1.CreateOptions{})
+gomega.Expect(err).ToNot(gomega.HaveOccurred())
+})
+
 ginkgo.It("Should accept the request when creating a managed cluster with clusterset specified by authorized user", func() {
 clusterSetName := fmt.Sprintf("webhook-spoke-%s", rand.String(6))
 ginkgo.By(fmt.Sprintf("create a managed cluster set %q", clusterSetName))
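Review bot: The new test only proves that a role whose `ResourceNames` matches the cluster is accepted; nothing shows the name is actually enforced, which is the whole point of this commit, so a regression that drops `Name` from the SubjectAccessReview would still pass. Add a sibling case that grants `managedclusters/accept` for a different cluster name only and asserts the Create is rejected — `errors.IsForbidden(err)` from apimachinery if it is already imported here, otherwise at least `gomega.Expect(err).To(gomega.HaveOccurred())`. Two smaller things in the same hunk: the `ginkgo.By` text should read `create a managed cluster`, and the created ManagedCluster is not deleted in this block, so unless an AfterEach I cannot see cleans it up it leaks into later cases.

```go
	ginkgo.It("Should reject the request when creating an accepted managed cluster with accept permission on another cluster", func() {
		sa := fmt.Sprintf("webhook-sa-%s", rand.String(6))
		clusterName := fmt.Sprintf("webhook-spoke-%s", rand.String(6))
		otherClusterName := fmt.Sprintf("webhook-spoke-%s", rand.String(6))

		unauthorizedClient, err := buildClusterClient(saNamespace, sa, []rbacv1.PolicyRule{
			// … unchanged: managedclusters create/get/update rule …
			{
				APIGroups:     []string{"register.open-cluster-management.io"},
				Resources:     []string{"managedclusters/accept"},
				ResourceNames: []string{otherClusterName}, // accept granted for a different cluster only
				Verbs:         []string{"update"},
			},
		}, nil)
		gomega.Expect(err).ToNot(gomega.HaveOccurred())

		managedCluster := newManagedCluster(clusterName, true, validURL)
		_, err = unauthorizedClient.ClusterV1().ManagedClusters().Create(context.TODO(), managedCluster, metav1.CreateOptions{})
		gomega.Expect(err).To(gomega.HaveOccurred()) // webhook must deny: the SAR is now scoped to clusterName
	})
```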