Do not allow pods in one namespace to create certificates for hostnames from another namespace. (#54)
* Do not allow pods in one namespace to create certificates for hostnames from another namespace. * Make cluster domain configurable, clean up shouldMutate() logic, and make namespace restrictions configurable with restrictCertificatesToNamespace. * Return certificate hostname validation errors in the admission webhook response. * Appease the gometalinter.pull/57/head^2
parent
d85a083ce2
commit
351c01cf7e
@ -0,0 +1,75 @@
|
|||||||
|
package main
|
||||||
|
|
||||||
|
import (
|
||||||
|
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||||
|
"testing"
|
||||||
|
)
|
||||||
|
|
||||||
|
func TestGetClusterDomain(t *testing.T) {
|
||||||
|
c := Config{}
|
||||||
|
if c.GetClusterDomain() != "cluster.local" {
|
||||||
|
t.Errorf("cluster domain should default to cluster.local, not: %s", c.GetClusterDomain())
|
||||||
|
}
|
||||||
|
|
||||||
|
c.ClusterDomain = "mydomain.com"
|
||||||
|
if c.GetClusterDomain() != "mydomain.com" {
|
||||||
|
t.Errorf("cluster domain should default to cluster.local, not: %s", c.GetClusterDomain())
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
func TestShouldMutate(t *testing.T) {
|
||||||
|
testCases := []struct {
|
||||||
|
description string
|
||||||
|
subject string
|
||||||
|
namespace string
|
||||||
|
expected bool
|
||||||
|
}{
|
||||||
|
{"full cluster domain", "test.default.svc.cluster.local", "default", true},
|
||||||
|
{"full cluster domain wrong ns", "test.default.svc.cluster.local", "kube-system", false},
|
||||||
|
{"left dots get stripped", ".test.default.svc.cluster.local", "default", true},
|
||||||
|
{"left dots get stripped wrong ns", ".test.default.svc.cluster.local", "kube-system", false},
|
||||||
|
{"right dots get stripped", "test.default.svc.cluster.local.", "default", true},
|
||||||
|
{"right dots get stripped wrong ns", "test.default.svc.cluster.local.", "kube-system", false},
|
||||||
|
{"dots get stripped", ".test.default.svc.cluster.local.", "default", true},
|
||||||
|
{"dots get stripped wrong ns", ".test.default.svc.cluster.local.", "kube-system", false},
|
||||||
|
{"partial cluster domain", "test.default.svc.cluster", "default", true},
|
||||||
|
{"partial cluster domain wrong ns is still allowed because not valid hostname", "test.default.svc.cluster", "kube-system", true},
|
||||||
|
{"service domain", "test.default.svc", "default", true},
|
||||||
|
{"service domain wrong ns", "test.default.svc", "kube-system", false},
|
||||||
|
{"two part domain", "test.default", "default", true},
|
||||||
|
{"two part domain different ns", "test.default", "kube-system", true},
|
||||||
|
{"one hostname", "test", "default", true},
|
||||||
|
{"no subject specified", "", "default", false},
|
||||||
|
{"three part not cluster", "test.default.com", "kube-system", true},
|
||||||
|
{"four part not cluster", "test.default.svc.com", "kube-system", true},
|
||||||
|
{"five part not cluster", "test.default.svc.cluster.com", "kube-system", true},
|
||||||
|
{"six part not cluster", "test.default.svc.cluster.local.com", "kube-system", true},
|
||||||
|
}
|
||||||
|
|
||||||
|
for _, testCase := range testCases {
|
||||||
|
t.Run(testCase.description, func(t *testing.T) {
|
||||||
|
mutationAllowed, validationErr := shouldMutate(&metav1.ObjectMeta{
|
||||||
|
Annotations: map[string]string{
|
||||||
|
admissionWebhookAnnotationKey: testCase.subject,
|
||||||
|
},
|
||||||
|
}, testCase.namespace, "cluster.local", true)
|
||||||
|
if mutationAllowed != testCase.expected {
|
||||||
|
t.Errorf("shouldMutate did not return %t for %s", testCase.expected, testCase.description)
|
||||||
|
}
|
||||||
|
if testCase.subject != "" && mutationAllowed == false && validationErr == nil {
|
||||||
|
t.Errorf("shouldMutate should return validation error for invalid hostname")
|
||||||
|
}
|
||||||
|
})
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
func TestShouldMutateNotRestrictToNamespace(t *testing.T) {
|
||||||
|
mutationAllowed, _ := shouldMutate(&metav1.ObjectMeta{
|
||||||
|
Annotations: map[string]string{
|
||||||
|
admissionWebhookAnnotationKey: "test.default.svc.cluster.local",
|
||||||
|
},
|
||||||
|
}, "kube-system", "cluster.local", false)
|
||||||
|
if mutationAllowed == false {
|
||||||
|
t.Errorf("shouldMutate should return true even with a wrong namespace if restrictToNamespace is false.")
|
||||||
|
}
|
||||||
|
}
|
Loading…
Reference in New Issue