Set Default FailurePolicy for admission webhooks (#570)

* Set Default FailurePolicy for admission webhooks
flant · Dec 21, 2023 · d62bdee · d62bdee
1 parent 8d7ed98
commit d62bdee
Show file tree

Hide file tree

Showing 5 changed files with 85 additions and 32 deletions.
diff --git a/pkg/app/webhook.go b/pkg/app/webhook.go
@@ -17,8 +17,9 @@ var ValidatingWebhookSettings = &admission.WebhookSettings{
 		ListenAddr:     "0.0.0.0",
 		ListenPort:     "9680",
 	},
-	CAPath:            "/validating-certs/ca.crt",
-	ConfigurationName: "shell-operator-hooks",
+	CAPath:               "/validating-certs/ca.crt",
+	ConfigurationName:    "shell-operator-hooks",
+	DefaultFailurePolicy: "Fail",
 }
 
 var ConversionWebhookSettings = &conversion.WebhookSettings{
@@ -58,6 +59,10 @@ func DefineValidatingWebhookFlags(cmd *kingpin.CmdClause) {
 	cmd.Flag("validating-webhook-client-ca", "A path to a server certificate for ValidatingWebhookConfiguration. Can be set with $VALIDATING_WEBHOOK_CLIENT_CA.").
 		Envar("VALIDATING_WEBHOOK_CLIENT_CA").
 		StringsVar(&ValidatingWebhookSettings.ClientCAPaths)
+	cmd.Flag("validating-failure-policy", "Defines default FailurePolicy for ValidatingWebhookConfiguration.").
+		Default("Fail").
+		Envar("VALIDATING_FAILURE_POLICY").
+		EnumVar(&ValidatingWebhookSettings.DefaultFailurePolicy, "Fail", "Ignore")
 }
 
 // DefineConversionWebhookFlags defines flags for ConversionWebhook server.

diff --git a/pkg/shell-operator/bootstrap.go b/pkg/shell-operator/bootstrap.go
@@ -5,6 +5,7 @@ import (
 	"fmt"
 
 	log "github.com/sirupsen/logrus"
+	v1 "k8s.io/api/admissionregistration/v1"
 
 	"github.com/flant/shell-operator/pkg/app"
 	"github.com/flant/shell-operator/pkg/config"
@@ -173,6 +174,7 @@ func (op *ShellOperator) setupHookManagers(hooksDir string, tempDir string) {
 	op.AdmissionWebhookManager = admission.NewWebhookManager(op.KubeClient)
 	op.AdmissionWebhookManager.Settings = app.ValidatingWebhookSettings
 	op.AdmissionWebhookManager.Namespace = app.Namespace
+	op.AdmissionWebhookManager.DefaultFailurePolicy = v1.FailurePolicyType(app.ValidatingWebhookSettings.DefaultFailurePolicy)
 
 	// Initialize conversion webhooks manager.
 	op.ConversionWebhookManager = conversion.NewWebhookManager()

diff --git a/pkg/webhook/admission/manager.go b/pkg/webhook/admission/manager.go
@@ -4,6 +4,7 @@ import (
 	"os"
 
 	log "github.com/sirupsen/logrus"
+	v1 "k8s.io/api/admissionregistration/v1"
 
 	klient "github.com/flant/kube-client/client"
 	"github.com/flant/shell-operator/pkg/webhook/server"
@@ -26,6 +27,7 @@ type WebhookManager struct {
 	Namespace string
 
 	DefaultConfigurationId string
+	DefaultFailurePolicy   v1.FailurePolicyType
 
 	Server              *server.WebhookServer
 	ValidatingResources map[string]*ValidatingWebhookResource
@@ -94,6 +96,9 @@ func (m *WebhookManager) AddValidatingWebhook(config *ValidatingWebhookConfig) {
 		)
 		m.ValidatingResources[confId] = r
 	}
+	if config.FailurePolicy == nil {
+		config.FailurePolicy = &m.DefaultFailurePolicy
+	}
 	r.Set(config)
 }
 

diff --git a/pkg/webhook/admission/manager_test.go b/pkg/webhook/admission/manager_test.go
@@ -3,6 +3,7 @@ package admission
 import (
 	"testing"
 
+	"github.com/stretchr/testify/assert"
 	v1 "k8s.io/api/admissionregistration/v1"
 )
 
@@ -16,43 +17,82 @@ func Test_Manager_AddWebhook(t *testing.T) {
 	vs.ServerCertPath = "testdata/demo-certs/server.crt"
 	vs.CAPath = "testdata/demo-certs/ca.pem"
 	m.Settings = vs
+	m.DefaultFailurePolicy = v1.Ignore
 
 	err := m.Init()
 	if err != nil {
 		t.Fatalf("WebhookManager should init: %v", err)
 	}
 
-	fail := v1.Fail
-	none := v1.SideEffectClassNone
-	timeoutSeconds := int32(10)
-
-	cfg := &ValidatingWebhookConfig{
-		ValidatingWebhook: &v1.ValidatingWebhook{
-			Name: "test-validating",
-			Rules: []v1.RuleWithOperations{
-				{
-					Operations: []v1.OperationType{v1.OperationAll},
-					Rule: v1.Rule{
-						APIGroups:   []string{"apps"},
-						APIVersions: []string{"v1"},
-						Resources:   []string{"deployments"},
+	t.Run("Webhook with set FailurePolicy", func(t *testing.T) {
+		fail := v1.Fail
+		none := v1.SideEffectClassNone
+		timeoutSeconds := int32(10)
+
+		cfg := &ValidatingWebhookConfig{
+			ValidatingWebhook: &v1.ValidatingWebhook{
+				Name: "test-validating",
+				Rules: []v1.RuleWithOperations{
+					{
+						Operations: []v1.OperationType{v1.OperationAll},
+						Rule: v1.Rule{
+							APIGroups:   []string{"apps"},
+							APIVersions: []string{"v1"},
+							Resources:   []string{"deployments"},
+						},
 					},
 				},
+				FailurePolicy:  &fail,
+				SideEffects:    &none,
+				TimeoutSeconds: &timeoutSeconds,
 			},
-			FailurePolicy:  &fail,
-			SideEffects:    &none,
-			TimeoutSeconds: &timeoutSeconds,
-		},
-	}
-	m.AddValidatingWebhook(cfg)
+		}
+		m.AddValidatingWebhook(cfg)
 
-	if len(m.ValidatingResources) != 1 {
-		t.Fatalf("WebhookManager should have resources: got length %d", len(m.ValidatingResources))
-	}
+		if len(m.ValidatingResources) != 1 {
+			t.Fatalf("WebhookManager should have resources: got length %d", len(m.ValidatingResources))
+		}
 
-	for k, v := range m.ValidatingResources {
-		if len(v.hooks) != 1 {
-			t.Fatalf("Resource '%s' should have Webhooks: got length %d", k, len(m.ValidatingResources))
+		for k, v := range m.ValidatingResources {
+			if len(v.hooks) != 1 {
+				t.Fatalf("Resource '%s' should have Webhooks: got length %d", k, len(m.ValidatingResources))
+			}
+			assert.Equal(t, v1.Fail, *v.hooks[""].FailurePolicy)
 		}
-	}
+	})
+
+	t.Run("Webhook with default FailurePolicy", func(t *testing.T) {
+		none := v1.SideEffectClassNone
+		timeoutSeconds := int32(10)
+
+		cfg := &ValidatingWebhookConfig{
+			ValidatingWebhook: &v1.ValidatingWebhook{
+				Name: "test-validating",
+				Rules: []v1.RuleWithOperations{
+					{
+						Operations: []v1.OperationType{v1.OperationAll},
+						Rule: v1.Rule{
+							APIGroups:   []string{"apps"},
+							APIVersions: []string{"v1"},
+							Resources:   []string{"deployments"},
+						},
+					},
+				},
+				SideEffects:    &none,
+				TimeoutSeconds: &timeoutSeconds,
+			},
+		}
+		m.AddValidatingWebhook(cfg)
+
+		if len(m.ValidatingResources) != 1 {
+			t.Fatalf("WebhookManager should have resources: got length %d", len(m.ValidatingResources))
+		}
+
+		for k, v := range m.ValidatingResources {
+			if len(v.hooks) != 1 {
+				t.Fatalf("Resource '%s' should have Webhooks: got length %d", k, len(m.ValidatingResources))
+			}
+			assert.Equal(t, v1.Ignore, *v.hooks[""].FailurePolicy)
+		}
+	})
 }
diff --git a/pkg/webhook/admission/settings.go b/pkg/webhook/admission/settings.go
@@ -4,7 +4,8 @@ import "github.com/flant/shell-operator/pkg/webhook/server"
 
 type WebhookSettings struct {
 	server.Settings
-	CAPath            string
-	CABundle          []byte
-	ConfigurationName string
+	CAPath               string
+	CABundle             []byte
+	ConfigurationName    string
+	DefaultFailurePolicy string
 }