resolve comments

Author: jwtty

pkg/webhook/pod/pod_validating_webhook.go

@@ -65,7 +65,7 @@ func (v *podValidator) Handle(_ context.Context, req admission.Request) admissio
 			return admission.Errored(http.StatusBadRequest, err)
 		}
 		if !utils.IsReservedNamespace(pod.Namespace) && !utils.HasReconcileLabel(pod.Labels) {
-			klog.V(2).InfoS(deniedPodResource, "user", req.UserInfo.Username, "groups", req.UserInfo.Groups, "operation", req.Operation, "GVK", req.RequestKind, "subResource", req.SubResource, "namespacedName", namespacedName)
+			klog.V(2).InfoS(deniedPodResource, "user", req.UserInfo.Username, "groups", req.UserInfo.Groups, "operation", req.Operation, "GVK", req.RequestKind, "subResource", req.SubResource, "namespacedName", namespacedName, "hasReconcileLabel", utils.HasReconcileLabel(pod.Labels))
 			return admission.Denied(fmt.Sprintf(podDeniedFormat, pod.Namespace, pod.Name))
 		}
 	}

pkg/webhook/replicaset/replicaset_validating_webhook.go

@@ -64,7 +64,7 @@ func (v *replicaSetValidator) Handle(_ context.Context, req admission.Request) a
 			return admission.Errored(http.StatusBadRequest, err)
 		}
 		if !utils.IsReservedNamespace(rs.Namespace) && !utils.HasReconcileLabel(rs.Labels) {
-			klog.V(2).InfoS(deniedReplicaSetResource, "user", req.UserInfo.Username, "groups", req.UserInfo.Groups, "operation", req.Operation, "GVK", req.RequestKind, "subResource", req.SubResource, "namespacedName", namespacedName)
+			klog.V(2).InfoS(deniedReplicaSetResource, "user", req.UserInfo.Username, "groups", req.UserInfo.Groups, "operation", req.Operation, "GVK", req.RequestKind, "subResource", req.SubResource, "namespacedName", namespacedName, "hasReconcileLabel", utils.HasReconcileLabel(rs.Labels))
 			return admission.Denied(fmt.Sprintf(replicaSetDeniedFormat, rs.Namespace, rs.Name))
 		}
 	}

test/e2e/fleet_guard_rail_test.go

@@ -35,6 +35,7 @@ import (
 	"k8s.io/apimachinery/pkg/util/intstr"
 	utilrand "k8s.io/apimachinery/pkg/util/rand"
 	"k8s.io/utils/ptr"
+	"sigs.k8s.io/controller-runtime/pkg/client"
 
 	clusterv1beta1 "go.goms.io/fleet/apis/cluster/v1beta1"
 	placementv1beta1 "go.goms.io/fleet/apis/placement/v1beta1"
@@ -1477,12 +1478,14 @@ var _ = Describe("fleet deployment webhook tests for validating and mutating dep
 			Expect(notMasterUser.Create(ctx, deploy)).Should(Succeed())
 
 			// Verify the reconcile label was NOT injected.
-			var d appsv1.Deployment
-			Expect(hubClient.Get(ctx, types.NamespacedName{Name: deploy.Name, Namespace: deploy.Namespace}, &d)).Should(Succeed())
-			Expect(d.Labels).ShouldNot(HaveKey(utils.ReconcileLabelKey),
-				"deployment metadata should NOT have reconcile label for regular user")
-			Expect(d.Spec.Template.Labels).ShouldNot(HaveKey(utils.ReconcileLabelKey),
-				"pod template should NOT have reconcile label for regular user")
+			Eventually(func(g Gomega) {
+				var d appsv1.Deployment
+				g.Expect(hubClient.Get(ctx, types.NamespacedName{Name: deploy.Name, Namespace: deploy.Namespace}, &d)).Should(Succeed())
+				g.Expect(d.Labels).ShouldNot(HaveKey(utils.ReconcileLabelKey),
+					"deployment metadata should NOT have reconcile label for regular user")
+				g.Expect(d.Spec.Template.Labels).ShouldNot(HaveKey(utils.ReconcileLabelKey),
+					"pod template should NOT have reconcile label for regular user")
+			}, eventuallyDuration, eventuallyInterval).Should(Succeed())
 		})
 	})
 
@@ -1495,12 +1498,112 @@ var _ = Describe("fleet deployment webhook tests for validating and mutating dep
 			Expect(sysMastersClient.Create(ctx, deploy)).Should(Succeed())
 
 			// Verify the reconcile label was NOT injected for reserved namespace.
-			var d appsv1.Deployment
-			Expect(hubClient.Get(ctx, types.NamespacedName{Name: deploy.Name, Namespace: deploy.Namespace}, &d)).Should(Succeed())
-			Expect(d.Labels).ShouldNot(HaveKey(utils.ReconcileLabelKey),
-				"deployment in kube-system should NOT have reconcile label auto-injected")
-			Expect(d.Spec.Template.Labels).ShouldNot(HaveKey(utils.ReconcileLabelKey),
-				"pod template in kube-system should NOT have reconcile label auto-injected")
+			Eventually(func(g Gomega) {
+				var d appsv1.Deployment
+				g.Expect(hubClient.Get(ctx, types.NamespacedName{Name: deploy.Name, Namespace: deploy.Namespace}, &d)).Should(Succeed())
+				g.Expect(d.Labels).ShouldNot(HaveKey(utils.ReconcileLabelKey),
+					"deployment in kube-system should NOT have reconcile label auto-injected")
+				g.Expect(d.Spec.Template.Labels).ShouldNot(HaveKey(utils.ReconcileLabelKey),
+					"pod template in kube-system should NOT have reconcile label auto-injected")
+			}, eventuallyDuration, eventuallyInterval).Should(Succeed())
+		})
+	})
+
+	Context("end-to-end deployment lifecycle with webhook enforcement", func() {
+		It("should block RS and Pod creation when non-aksService user creates a deployment", func() {
+			deployName := "test-deploy-e2e-noaks"
+			deploy := newDeployment(deployName, testNS, nil, nil)
+			DeferCleanup(func() {
+				_ = hubClient.Delete(ctx, deploy)
+			})
+
+			By("creating deployment as non-aksService user")
+			Expect(notMasterUser.Create(ctx, deploy)).Should(Succeed())
+
+			By("waiting for deployment to appear in the cache")
+			Eventually(func(g Gomega) {
+				var d appsv1.Deployment
+				g.Expect(hubClient.Get(ctx, types.NamespacedName{Name: deployName, Namespace: testNS}, &d)).Should(Succeed())
+			}, eventuallyDuration, eventuallyInterval).Should(Succeed())
+
+			By("verifying deployment exists but has no available replicas because RS creation is blocked")
+			Consistently(func(g Gomega) {
+				var d appsv1.Deployment
+				g.Expect(hubClient.Get(ctx, types.NamespacedName{Name: deployName, Namespace: testNS}, &d)).Should(Succeed())
+				g.Expect(d.Status.AvailableReplicas).Should(Equal(int32(0)),
+					"deployment should have 0 available replicas because RS/Pod creation is blocked by validating webhooks")
+				g.Expect(d.Status.ReadyReplicas).Should(Equal(int32(0)),
+					"deployment should have 0 ready replicas")
+
+				// Verify no ReplicaSets exist for this deployment.
+				var rsList appsv1.ReplicaSetList
+				g.Expect(hubClient.List(ctx, &rsList, client.InNamespace(testNS), client.MatchingLabels{"app": deployName})).Should(Succeed())
+				g.Expect(rsList.Items).Should(BeEmpty(),
+					"no ReplicaSets should exist because the RS validating webhook blocks creation without the reconcile label")
+
+				// Verify no Pods exist for this deployment.
+				var podList corev1.PodList
+				g.Expect(hubClient.List(ctx, &podList, client.InNamespace(testNS), client.MatchingLabels{"app": deployName})).Should(Succeed())
+				g.Expect(podList.Items).Should(BeEmpty(),
+					"no Pods should exist because the Pod validating webhook blocks creation without the reconcile label")
+			}, consistentlyDuration, consistentlyInterval).Should(Succeed())
+		})
+
+		It("should allow RS and Pod creation when aksService user creates a deployment", func() {
+			deployName := "test-deploy-e2e-aks"
+			deploy := newDeployment(deployName, testNS, nil, nil)
+			DeferCleanup(func() {
+				_ = hubClient.Delete(ctx, deploy)
+			})
+
+			By("creating deployment as aksService user (mutating webhook injects reconcile label)")
+			Expect(sysMastersClient.Create(ctx, deploy)).Should(Succeed())
+
+			By("verifying the mutating webhook injected the reconcile label")
+			Eventually(func(g Gomega) {
+				var d appsv1.Deployment
+				g.Expect(hubClient.Get(ctx, types.NamespacedName{Name: deployName, Namespace: testNS}, &d)).Should(Succeed())
+				g.Expect(d.Labels).Should(HaveKeyWithValue(utils.ReconcileLabelKey, utils.ReconcileLabelValue),
+					"deployment metadata should have reconcile label injected by mutating webhook")
+				g.Expect(d.Spec.Template.Labels).Should(HaveKeyWithValue(utils.ReconcileLabelKey, utils.ReconcileLabelValue),
+					"pod template should have reconcile label injected by mutating webhook")
+			}, eventuallyDuration, eventuallyInterval).Should(Succeed())
+
+			By("verifying ReplicaSet is created with the reconcile label")
+			Eventually(func(g Gomega) {
+				var rsList appsv1.ReplicaSetList
+				g.Expect(hubClient.List(ctx, &rsList, client.InNamespace(testNS), client.MatchingLabels{"app": deployName})).Should(Succeed())
+				g.Expect(rsList.Items).ShouldNot(BeEmpty(),
+					"at least one ReplicaSet should be created for the deployment")
+
+				rs := rsList.Items[0]
+				g.Expect(rs.Labels).Should(HaveKeyWithValue(utils.ReconcileLabelKey, utils.ReconcileLabelValue),
+					"ReplicaSet should inherit the reconcile label from the pod template")
+			}, workloadEventuallyDuration, eventuallyInterval).Should(Succeed())
+
+			By("verifying Pods are running with the reconcile label")
+			Eventually(func(g Gomega) {
+				var podList corev1.PodList
+				g.Expect(hubClient.List(ctx, &podList, client.InNamespace(testNS), client.MatchingLabels{"app": deployName})).Should(Succeed())
+				g.Expect(podList.Items).ShouldNot(BeEmpty(),
+					"at least one Pod should be created for the deployment")
+
+				pod := podList.Items[0]
+				g.Expect(pod.Labels).Should(HaveKeyWithValue(utils.ReconcileLabelKey, utils.ReconcileLabelValue),
+					"Pod should inherit the reconcile label from the pod template")
+				g.Expect(pod.Status.Phase).Should(Equal(corev1.PodRunning),
+					"Pod should be in Running phase")
+			}, workloadEventuallyDuration, eventuallyInterval).Should(Succeed())
+
+			By("verifying deployment reports available replicas")
+			Eventually(func(g Gomega) {
+				var d appsv1.Deployment
+				g.Expect(hubClient.Get(ctx, types.NamespacedName{Name: deployName, Namespace: testNS}, &d)).Should(Succeed())
+				g.Expect(d.Status.AvailableReplicas).Should(Equal(int32(1)),
+					"deployment should have 1 available replica")
+				g.Expect(d.Status.ReadyReplicas).Should(Equal(int32(1)),
+					"deployment should have 1 ready replica")
+			}, workloadEventuallyDuration, eventuallyInterval).Should(Succeed())
 		})
 	})
 })

test/e2e/setup.sh

@@ -148,11 +148,11 @@ helm install hub-agent ../../charts/hub-agent/ \
     --set crdInstaller.image.pullPolicy=Never \
     --set namespace=fleet-system \
     --set logVerbosity=5 \
-    --set replicaCount=3 \
-    --set useCertManager=true \
+    --set replicaCount=1 \
+    --set useCertManager=false \
     --set webhookCertSecretName=fleet-webhook-server-cert \
     --set enableWebhook=true \
-    --set enableWorkload=true \
+    --set enableWorkload=false \
     --set webhookClientConnectionType=service \
     --set forceDeleteWaitTime="1m0s" \
     --set clusterUnhealthyThreshold="3m0s" \