in pkg/admission/plugin/webhook/testing/testcase.go [309:692]
func NewNonMutatingTestCases(url *url.URL) []ValidatingTest {
policyFail := registrationv1.Fail
policyIgnore := registrationv1.Ignore
ccfgURL := urlConfigGenerator{url}.ccfgURL
return []ValidatingTest{
{
Name: "no match",
Webhooks: []registrationv1.ValidatingWebhook{{
Name: "nomatch",
ClientConfig: ccfgSVC("disallow"),
Rules: []registrationv1.RuleWithOperations{{
Operations: []registrationv1.OperationType{registrationv1.Create},
}},
NamespaceSelector: &metav1.LabelSelector{},
ObjectSelector: &metav1.LabelSelector{},
AdmissionReviewVersions: []string{"v1beta1"},
}},
ExpectAllow: true,
},
{
Name: "match & allow",
Webhooks: []registrationv1.ValidatingWebhook{{
Name: "allow.example.com",
ClientConfig: ccfgSVC("allow"),
Rules: matchEverythingRules,
NamespaceSelector: &metav1.LabelSelector{},
ObjectSelector: &metav1.LabelSelector{},
AdmissionReviewVersions: []string{"v1beta1"},
}},
ExpectAllow: true,
ExpectAnnotations: map[string]string{"allow.example.com/key1": "value1"},
},
{
Name: "match & disallow",
Webhooks: []registrationv1.ValidatingWebhook{{
Name: "disallow",
ClientConfig: ccfgSVC("disallow"),
Rules: matchEverythingRules,
NamespaceSelector: &metav1.LabelSelector{},
ObjectSelector: &metav1.LabelSelector{},
AdmissionReviewVersions: []string{"v1beta1"},
}},
ExpectStatusCode: http.StatusForbidden,
ErrorContains: "without explanation",
},
{
Name: "match & disallow ii",
Webhooks: []registrationv1.ValidatingWebhook{{
Name: "disallowReason",
ClientConfig: ccfgSVC("disallowReason"),
Rules: matchEverythingRules,
NamespaceSelector: &metav1.LabelSelector{},
ObjectSelector: &metav1.LabelSelector{},
AdmissionReviewVersions: []string{"v1beta1"},
}},
ExpectStatusCode: http.StatusForbidden,
ErrorContains: "you shall not pass",
},
{
Name: "match & disallow & but allowed because namespaceSelector exempt the ns",
Webhooks: []registrationv1.ValidatingWebhook{{
Name: "disallow",
ClientConfig: ccfgSVC("disallow"),
Rules: newMatchEverythingRules(),
NamespaceSelector: &metav1.LabelSelector{
MatchExpressions: []metav1.LabelSelectorRequirement{{
Key: "runlevel",
Values: []string{"1"},
Operator: metav1.LabelSelectorOpIn,
}},
},
ObjectSelector: &metav1.LabelSelector{},
AdmissionReviewVersions: []string{"v1beta1"},
}},
ExpectAllow: true,
},
{
Name: "match & disallow & but allowed because namespaceSelector exempt the ns ii",
Webhooks: []registrationv1.ValidatingWebhook{{
Name: "disallow",
ClientConfig: ccfgSVC("disallow"),
Rules: newMatchEverythingRules(),
NamespaceSelector: &metav1.LabelSelector{
MatchExpressions: []metav1.LabelSelectorRequirement{{
Key: "runlevel",
Values: []string{"0"},
Operator: metav1.LabelSelectorOpNotIn,
}},
},
ObjectSelector: &metav1.LabelSelector{},
AdmissionReviewVersions: []string{"v1beta1"},
}},
ExpectAllow: true,
},
{
Name: "match & fail (but allow because fail open)",
Webhooks: []registrationv1.ValidatingWebhook{{
Name: "internalErr A",
ClientConfig: ccfgSVC("internalErr"),
Rules: matchEverythingRules,
NamespaceSelector: &metav1.LabelSelector{},
ObjectSelector: &metav1.LabelSelector{},
FailurePolicy: &policyIgnore,
AdmissionReviewVersions: []string{"v1beta1"},
}, {
Name: "internalErr B",
ClientConfig: ccfgSVC("internalErr"),
Rules: matchEverythingRules,
NamespaceSelector: &metav1.LabelSelector{},
ObjectSelector: &metav1.LabelSelector{},
FailurePolicy: &policyIgnore,
AdmissionReviewVersions: []string{"v1beta1"},
}, {
Name: "internalErr C",
ClientConfig: ccfgSVC("internalErr"),
Rules: matchEverythingRules,
NamespaceSelector: &metav1.LabelSelector{},
ObjectSelector: &metav1.LabelSelector{},
FailurePolicy: &policyIgnore,
AdmissionReviewVersions: []string{"v1beta1"},
}},
SkipBenchmark: true,
ExpectAllow: true,
ExpectAnnotations: map[string]string{
"failed-open.validating.webhook.admission.k8s.io/round_0_index_0": "internalErr A",
"failed-open.validating.webhook.admission.k8s.io/round_0_index_1": "internalErr B",
"failed-open.validating.webhook.admission.k8s.io/round_0_index_2": "internalErr C",
},
},
{
Name: "match & fail (but disallow because fail close on nil FailurePolicy)",
Webhooks: []registrationv1.ValidatingWebhook{{
Name: "internalErr A",
ClientConfig: ccfgSVC("internalErr"),
NamespaceSelector: &metav1.LabelSelector{},
ObjectSelector: &metav1.LabelSelector{},
Rules: matchEverythingRules,
AdmissionReviewVersions: []string{"v1beta1"},
}, {
Name: "internalErr B",
ClientConfig: ccfgSVC("internalErr"),
NamespaceSelector: &metav1.LabelSelector{},
ObjectSelector: &metav1.LabelSelector{},
Rules: matchEverythingRules,
AdmissionReviewVersions: []string{"v1beta1"},
}, {
Name: "internalErr C",
ClientConfig: ccfgSVC("internalErr"),
NamespaceSelector: &metav1.LabelSelector{},
ObjectSelector: &metav1.LabelSelector{},
Rules: matchEverythingRules,
AdmissionReviewVersions: []string{"v1beta1"},
}},
ExpectStatusCode: http.StatusInternalServerError,
ExpectAllow: false,
},
{
Name: "match & fail (but fail because fail closed)",
Webhooks: []registrationv1.ValidatingWebhook{{
Name: "internalErr A",
ClientConfig: ccfgSVC("internalErr"),
Rules: matchEverythingRules,
NamespaceSelector: &metav1.LabelSelector{},
ObjectSelector: &metav1.LabelSelector{},
FailurePolicy: &policyFail,
AdmissionReviewVersions: []string{"v1beta1"},
}, {
Name: "internalErr B",
ClientConfig: ccfgSVC("internalErr"),
Rules: matchEverythingRules,
NamespaceSelector: &metav1.LabelSelector{},
ObjectSelector: &metav1.LabelSelector{},
FailurePolicy: &policyFail,
AdmissionReviewVersions: []string{"v1beta1"},
}, {
Name: "internalErr C",
ClientConfig: ccfgSVC("internalErr"),
Rules: matchEverythingRules,
NamespaceSelector: &metav1.LabelSelector{},
ObjectSelector: &metav1.LabelSelector{},
FailurePolicy: &policyFail,
AdmissionReviewVersions: []string{"v1beta1"},
}},
ExpectStatusCode: http.StatusInternalServerError,
ExpectAllow: false,
},
{
Name: "match & allow (url)",
Webhooks: []registrationv1.ValidatingWebhook{{
Name: "allow.example.com",
ClientConfig: ccfgURL("allow"),
Rules: matchEverythingRules,
NamespaceSelector: &metav1.LabelSelector{},
ObjectSelector: &metav1.LabelSelector{},
AdmissionReviewVersions: []string{"v1beta1"},
}},
ExpectAllow: true,
ExpectAnnotations: map[string]string{"allow.example.com/key1": "value1"},
},
{
Name: "match & disallow (url)",
Webhooks: []registrationv1.ValidatingWebhook{{
Name: "disallow",
ClientConfig: ccfgURL("disallow"),
Rules: matchEverythingRules,
NamespaceSelector: &metav1.LabelSelector{},
ObjectSelector: &metav1.LabelSelector{},
AdmissionReviewVersions: []string{"v1beta1"},
}},
ExpectStatusCode: http.StatusForbidden,
ErrorContains: "without explanation",
}, {
Name: "absent response and fail open",
Webhooks: []registrationv1.ValidatingWebhook{{
Name: "nilResponse",
ClientConfig: ccfgURL("nilResponse"),
FailurePolicy: &policyIgnore,
Rules: matchEverythingRules,
NamespaceSelector: &metav1.LabelSelector{},
ObjectSelector: &metav1.LabelSelector{},
AdmissionReviewVersions: []string{"v1beta1"},
}},
SkipBenchmark: true,
ExpectAllow: true,
ExpectAnnotations: map[string]string{"failed-open.validating.webhook.admission.k8s.io/round_0_index_0": "nilResponse"},
},
{
Name: "absent response and fail closed",
Webhooks: []registrationv1.ValidatingWebhook{{
Name: "nilResponse",
ClientConfig: ccfgURL("nilResponse"),
FailurePolicy: &policyFail,
Rules: matchEverythingRules,
NamespaceSelector: &metav1.LabelSelector{},
ObjectSelector: &metav1.LabelSelector{},
AdmissionReviewVersions: []string{"v1beta1"},
}},
ExpectStatusCode: http.StatusInternalServerError,
ErrorContains: "webhook response was absent",
},
{
Name: "no match dry run",
Webhooks: []registrationv1.ValidatingWebhook{{
Name: "nomatch",
ClientConfig: ccfgSVC("allow"),
Rules: []registrationv1.RuleWithOperations{{
Operations: []registrationv1.OperationType{registrationv1.Create},
}},
NamespaceSelector: &metav1.LabelSelector{},
ObjectSelector: &metav1.LabelSelector{},
SideEffects: &sideEffectsSome,
AdmissionReviewVersions: []string{"v1beta1"},
}},
IsDryRun: true,
ExpectAllow: true,
},
{
Name: "match dry run side effects Unknown",
Webhooks: []registrationv1.ValidatingWebhook{{
Name: "allow",
ClientConfig: ccfgSVC("allow"),
Rules: matchEverythingRules,
NamespaceSelector: &metav1.LabelSelector{},
ObjectSelector: &metav1.LabelSelector{},
SideEffects: &sideEffectsUnknown,
AdmissionReviewVersions: []string{"v1beta1"},
}},
IsDryRun: true,
ExpectStatusCode: http.StatusBadRequest,
ErrorContains: "does not support dry run",
},
{
Name: "match dry run side effects None",
Webhooks: []registrationv1.ValidatingWebhook{{
Name: "allow",
ClientConfig: ccfgSVC("allow"),
Rules: matchEverythingRules,
NamespaceSelector: &metav1.LabelSelector{},
ObjectSelector: &metav1.LabelSelector{},
SideEffects: &sideEffectsNone,
AdmissionReviewVersions: []string{"v1beta1"},
}},
IsDryRun: true,
ExpectAllow: true,
ExpectAnnotations: map[string]string{"allow/key1": "value1"},
},
{
Name: "match dry run side effects Some",
Webhooks: []registrationv1.ValidatingWebhook{{
Name: "allow",
ClientConfig: ccfgSVC("allow"),
Rules: matchEverythingRules,
NamespaceSelector: &metav1.LabelSelector{},
ObjectSelector: &metav1.LabelSelector{},
SideEffects: &sideEffectsSome,
AdmissionReviewVersions: []string{"v1beta1"},
}},
IsDryRun: true,
ExpectStatusCode: http.StatusBadRequest,
ErrorContains: "does not support dry run",
},
{
Name: "match dry run side effects NoneOnDryRun",
Webhooks: []registrationv1.ValidatingWebhook{{
Name: "allow",
ClientConfig: ccfgSVC("allow"),
Rules: matchEverythingRules,
NamespaceSelector: &metav1.LabelSelector{},
ObjectSelector: &metav1.LabelSelector{},
SideEffects: &sideEffectsNoneOnDryRun,
AdmissionReviewVersions: []string{"v1beta1"},
}},
IsDryRun: true,
ExpectAllow: true,
ExpectAnnotations: map[string]string{"allow/key1": "value1"},
},
{
Name: "illegal annotation format",
Webhooks: []registrationv1.ValidatingWebhook{{
Name: "invalidAnnotation",
ClientConfig: ccfgURL("invalidAnnotation"),
Rules: matchEverythingRules,
NamespaceSelector: &metav1.LabelSelector{},
ObjectSelector: &metav1.LabelSelector{},
AdmissionReviewVersions: []string{"v1beta1"},
}},
ExpectAllow: true,
},
{
Name: "skip webhook whose objectSelector does not match",
Webhooks: []registrationv1.ValidatingWebhook{{
Name: "allow.example.com",
ClientConfig: ccfgSVC("allow"),
Rules: matchEverythingRules,
NamespaceSelector: &metav1.LabelSelector{},
ObjectSelector: &metav1.LabelSelector{},
AdmissionReviewVersions: []string{"v1beta1"},
}, {
Name: "shouldNotBeCalled",
ClientConfig: ccfgSVC("shouldNotBeCalled"),
NamespaceSelector: &metav1.LabelSelector{},
ObjectSelector: &metav1.LabelSelector{
MatchLabels: map[string]string{
"label": "nonexistent",
},
},
Rules: matchEverythingRules,
AdmissionReviewVersions: []string{"v1beta1"},
}},
ExpectAllow: true,
ExpectAnnotations: map[string]string{"allow.example.com/key1": "value1"},
},
{
Name: "skip webhook whose objectSelector does not match CRD's labels",
Webhooks: []registrationv1.ValidatingWebhook{{
Name: "allow.example.com",
ClientConfig: ccfgSVC("allow"),
Rules: matchEverythingRules,
NamespaceSelector: &metav1.LabelSelector{},
ObjectSelector: &metav1.LabelSelector{},
AdmissionReviewVersions: []string{"v1beta1"},
}, {
Name: "shouldNotBeCalled",
ClientConfig: ccfgSVC("shouldNotBeCalled"),
NamespaceSelector: &metav1.LabelSelector{},
ObjectSelector: &metav1.LabelSelector{
MatchLabels: map[string]string{
"label": "nonexistent",
},
},
Rules: matchEverythingRules,
AdmissionReviewVersions: []string{"v1beta1"},
}},
IsCRD: true,
ExpectAllow: true,
ExpectAnnotations: map[string]string{"allow.example.com/key1": "value1"},
},
// No need to test everything with the url case, since only the
// connection is different.
}
}