Merge pull request #131 from boranx/OSD-3296/exclude-managed-resources

openshift-merge-robot · web-flow · commit 5c54b7c6f639 · 2021-02-09T08:24:29.000-05:00
feat: add hiveownership webhook
diff --git a/build/selectorsyncset.yaml b/build/selectorsyncset.yaml
@@ -121,6 +121,40 @@ objects:
           scope: Cluster
         sideEffects: None
         timeoutSeconds: 2
+    - apiVersion: admissionregistration.k8s.io/v1
+      kind: ValidatingWebhookConfiguration
+      metadata:
+        annotations:
+          service.beta.openshift.io/inject-cabundle: "true"
+        creationTimestamp: null
+        name: sre-hiveownership-validation
+      webhooks:
+      - admissionReviewVersions:
+        - v1beta1
+        clientConfig:
+          service:
+            name: validation-webhook
+            namespace: openshift-validation-webhook
+            path: /hiveownership-validation
+        failurePolicy: Ignore
+        matchPolicy: Equivalent
+        name: hiveownership-validation.managed.openshift.io
+        objectSelector:
+          matchLabels:
+            hive.openshift.io/managed: "true"
+        rules:
+        - apiGroups:
+          - quota.openshift.io
+          apiVersions:
+          - '*'
+          operations:
+          - UPDATE
+          - DELETE
+          resources:
+          - ClusterResourceQuota
+          scope: Cluster
+        sideEffects: None
+        timeoutSeconds: 2
     - apiVersion: admissionregistration.k8s.io/v1
       kind: ValidatingWebhookConfiguration
       metadata:
diff --git a/pkg/webhooks/add_hiveownership.go b/pkg/webhooks/add_hiveownership.go
@@ -0,0 +1,9 @@
+package webhooks
+
+import (
+	"github.com/openshift/managed-cluster-validating-webhooks/pkg/webhooks/hiveownership"
+)
+
+func init() {
+	Register(hiveownership.WebhookName, func() Webhook { return hiveownership.NewWebhook() })
+}
diff --git a/pkg/webhooks/hiveownership/hiveownership.go b/pkg/webhooks/hiveownership/hiveownership.go
@@ -0,0 +1,134 @@
+package hiveownership
+
+import (
+	"sync"
+
+	"github.com/openshift/managed-cluster-validating-webhooks/pkg/webhooks/utils"
+	admissionregv1 "k8s.io/api/admissionregistration/v1"
+	"k8s.io/api/apps/v1beta1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	logf "sigs.k8s.io/controller-runtime/pkg/runtime/log"
+	admissionctl "sigs.k8s.io/controller-runtime/pkg/webhook/admission"
+)
+
+// const
+const (
+	WebhookName string = "hiveownership-validation"
+	docString   string = `Managed OpenShift customers may not edit certain managed resources. A managed resource has a "hive.openshift.io/managed": "true" label.`
+)
+
+// HiveOwnershipWebhook denies requests
+// if it made by a customer to manage hive-labeled resources
+type HiveOwnershipWebhook struct {
+	mu sync.Mutex
+	s  runtime.Scheme
+}
+
+var (
+	privilegedUsers = []string{"kube:admin", "system:admin", "system:serviceaccount:kube-system:generic-garbage-collector"}
+	adminGroups     = []string{"osd-sre-admins", "osd-sre-cluster-admins"}
+
+	log = logf.Log.WithName(WebhookName)
+
+	scope = admissionregv1.ClusterScope
+	rules = []admissionregv1.RuleWithOperations{
+		{
+			Operations: []admissionregv1.OperationType{"UPDATE", "DELETE"},
+			Rule: admissionregv1.Rule{
+				APIGroups:   []string{"quota.openshift.io"},
+				APIVersions: []string{"*"},
+				Resources:   []string{"ClusterResourceQuota"},
+				Scope:       &scope,
+			},
+		},
+	}
+)
+
+// TimeoutSeconds implements Webhook interface
+func (s *HiveOwnershipWebhook) TimeoutSeconds() int32 { return 2 }
+
+// MatchPolicy implements Webhook interface
+func (s *HiveOwnershipWebhook) MatchPolicy() admissionregv1.MatchPolicyType {
+	return admissionregv1.Equivalent
+}
+
+// Name implements Webhook interface
+func (s *HiveOwnershipWebhook) Name() string { return WebhookName }
+
+// FailurePolicy implements Webhook interface
+func (s *HiveOwnershipWebhook) FailurePolicy() admissionregv1.FailurePolicyType {
+	return admissionregv1.Ignore
+}
+
+// Rules implements Webhook interface
+func (s *HiveOwnershipWebhook) Rules() []admissionregv1.RuleWithOperations { return rules }
+
+// GetURI implements Webhook interface
+func (s *HiveOwnershipWebhook) GetURI() string { return "/" + WebhookName }
+
+// SideEffects implements Webhook interface
+func (s *HiveOwnershipWebhook) SideEffects() admissionregv1.SideEffectClass {
+	return admissionregv1.SideEffectClassNone
+}
+
+// Validate is the incoming request even valid?
+func (s *HiveOwnershipWebhook) Validate(req admissionctl.Request) bool {
+	valid := true
+	valid = valid && (req.UserInfo.Username != "")
+
+	return valid
+}
+
+// Doc documents the hook
+func (s *HiveOwnershipWebhook) Doc() string {
+	return docString
+}
+
+// ObjectSelector intercepts based on having the label
+// .metadata.labels["hive.openshift.io/managed"] == "true"
+func (s *HiveOwnershipWebhook) ObjectSelector() *metav1.LabelSelector {
+	return &metav1.LabelSelector{
+		MatchLabels: map[string]string{
+			"hive.openshift.io/managed": "true",
+		},
+	}
+}
+
+func (s *HiveOwnershipWebhook) authorized(request admissionctl.Request) admissionctl.Response {
+	var ret admissionctl.Response
+
+	// Admin users
+	if utils.SliceContains(request.AdmissionRequest.UserInfo.Username, privilegedUsers) {
+		ret = admissionctl.Allowed("Admin users may edit managed resources")
+		ret.UID = request.AdmissionRequest.UID
+		return ret
+	}
+	// Users in admin groups
+	for _, group := range request.AdmissionRequest.UserInfo.Groups {
+		if utils.SliceContains(group, adminGroups) {
+			ret = admissionctl.Allowed("Members of admin group may edit managed resources")
+			ret.UID = request.AdmissionRequest.UID
+			return ret
+		}
+	}
+
+	ret = admissionctl.Denied("Prevented from accessing Red Hat managed resources. This is in an effort to prevent harmful actions that may cause unintended consequences or affect the stability of the cluster. If you have any questions about this, please reach out to Red Hat support at https://access.redhat.com/support")
+	ret.UID = request.AdmissionRequest.UID
+	return ret
+}
+
+// Authorized implements Webhook interface
+func (s *HiveOwnershipWebhook) Authorized(request admissionctl.Request) admissionctl.Response {
+	return s.authorized(request)
+}
+
+// NewWebhook creates a new webhook
+func NewWebhook() *HiveOwnershipWebhook {
+	scheme := runtime.NewScheme()
+	v1beta1.AddToScheme(scheme)
+
+	return &HiveOwnershipWebhook{
+		s: *scheme,
+	}
+}
diff --git a/pkg/webhooks/hiveownership/hiveownership_test.go b/pkg/webhooks/hiveownership/hiveownership_test.go
@@ -0,0 +1,162 @@
+package hiveownership
+
+import (
+	"encoding/json"
+	"fmt"
+	"reflect"
+	"testing"
+
+	"github.com/openshift/managed-cluster-validating-webhooks/pkg/testutils"
+
+	"k8s.io/api/admission/v1beta1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+)
+
+type hiveOwnershipTestSuites struct {
+	testName        string
+	testID          string
+	username        string
+	userGroups      []string
+	oldObject       *runtime.RawExtension
+	operation       v1beta1.Operation
+	labels          map[string]string
+	shouldBeAllowed bool
+}
+
+const testObjectRaw string = `{
+	"metadata": {
+	  "name": "%s",
+	  "uid": "%s",
+	  "creationTimestamp": "2020-05-10T07:51:00Z",
+	  "labels": %s
+	},
+	"users": null
+  }`
+
+// labelsMapToString is a helper to turn a map into a JSON fragment to be
+// inserted into the testNamespaceRaw const. See createRawJSONString.
+func labelsMapToString(labels map[string]string) string {
+	ret, _ := json.Marshal(labels)
+	return string(ret)
+}
+
+func createRawJSONString(name, uid string, labels map[string]string) string {
+	return fmt.Sprintf(testObjectRaw, name, uid, labelsMapToString(labels))
+}
+func createOldObject(name, uid string, labels map[string]string) *runtime.RawExtension {
+	return &runtime.RawExtension{
+		Raw: []byte(createRawJSONString(name, uid, labels)),
+	}
+}
+
+func runTests(t *testing.T, tests []hiveOwnershipTestSuites) {
+	gvk := metav1.GroupVersionKind{
+		Group:   "quota.openshift.io",
+		Version: "v1",
+		Kind:    "ClusterResourceQuota",
+	}
+	gvr := metav1.GroupVersionResource{
+		Group:    "quota.openshift.io",
+		Version:  "v1",
+		Resource: "clusterresourcequotas",
+	}
+
+	for _, test := range tests {
+		obj := createOldObject(test.testName, test.testID, test.labels)
+		hook := NewWebhook()
+		httprequest, err := testutils.CreateHTTPRequest(hook.GetURI(),
+			test.testID,
+			gvk, gvr, test.operation, test.username, test.userGroups, obj, test.oldObject)
+		if err != nil {
+			t.Fatalf("Expected no error, got %s", err.Error())
+		}
+
+		response, err := testutils.SendHTTPRequest(httprequest, hook)
+		if err != nil {
+			t.Fatalf("Expected no error, got %s", err.Error())
+		}
+		if response.UID == "" {
+			t.Fatalf("No tracking UID associated with the response: %+v", response)
+		}
+
+		if response.Allowed != test.shouldBeAllowed {
+			t.Fatalf("Mismatch: %s (groups=%s) %s %s. Test's expectation is that the user %s",
+				test.username, test.userGroups,
+				testutils.CanCanNot(response.Allowed), string(test.operation),
+				testutils.CanCanNot(test.shouldBeAllowed))
+		}
+	}
+}
+
+func TestThing(t *testing.T) {
+	tests := []hiveOwnershipTestSuites{
+		{
+			testID:          "kube-admin-test",
+			username:        "kube:admin",
+			userGroups:      []string{"kube:system", "system:authenticated", "system:authenticated:oauth"},
+			operation:       v1beta1.Create,
+			shouldBeAllowed: true,
+		},
+		{
+			testID:          "sre-test",
+			username:        "sre-foo@redhat.com",
+			userGroups:      []string{adminGroups[0], "system:authenticated", "system:authenticated:oauth"},
+			operation:       v1beta1.Update,
+			shouldBeAllowed: true,
+		},
+		{
+			// dedicated-admin users. This should be blocked as making changes as CU on clusterresourcequota which are managed are prohibited.
+			testID:          "dedicated-admin-test",
+			username:        "bob@foo.com",
+			userGroups:      []string{"dedicated-admins", "system:authenticated", "system:authenticated:oauth"},
+			operation:       v1beta1.Update,
+			labels:          map[string]string{"hive.openshift.io/managed": "true"},
+			shouldBeAllowed: false,
+		},
+		{
+			// no special privileges, only an authenticated user. This should be blocked as making changes on clusterresourcequota which are managed are prohibited.
+			testID:          "unpriv-update-test",
+			username:        "unpriv-user",
+			userGroups:      []string{"system:authenticated", "system:authenticated:oauth"},
+			operation:       v1beta1.Update,
+			labels:          map[string]string{"hive.openshift.io/managed": "true"},
+			shouldBeAllowed: false,
+		},
+	}
+	runTests(t, tests)
+}
+
+func TestBadRequests(t *testing.T) {
+	t.Skip()
+}
+
+func TestName(t *testing.T) {
+	if NewWebhook().Name() == "" {
+		t.Fatalf("Empty hook name")
+	}
+}
+
+func TestRules(t *testing.T) {
+	if len(NewWebhook().Rules()) == 0 {
+		t.Log("No rules for this webhook?")
+	}
+}
+
+func TestGetURI(t *testing.T) {
+	if NewWebhook().GetURI()[0] != '/' {
+		t.Fatalf("Hook URI does not begin with a /")
+	}
+}
+
+func TestObjectSelector(t *testing.T) {
+	obj := &metav1.LabelSelector{
+		MatchLabels: map[string]string{
+			"hive.openshift.io/managed": "true",
+		},
+	}
+
+	if !reflect.DeepEqual(NewWebhook().ObjectSelector(), obj) {
+		t.Fatalf("hive managed resources label name is not correct.")
+	}
+}
