feat: Webhook for Role/RoleBinding #425

Merged
merged 7 commits into from
Jul 14, 2023

Conversation

Arvindthiru (Contributor) commented Jul 11, 2023

Description of your changes

Fixes #

I have:

  • Run make reviewable to ensure this PR is ready for review.

How has this code been tested

Special notes for your reviewer

@Arvindthiru Arvindthiru marked this pull request as ready for review July 11, 2023 02:50
Review threads (outdated, resolved) on:
pkg/webhook/webhook.go
pkg/webhook/validation/uservalidation.go (two threads)
return slices.Contains(whiteListedUsers, userInfo.Username) || slices.Contains(userInfo.Groups, mastersGroup)
}

// IsUserAuthenticatedServiceAccount returns true if user is a valid/authenticated service account.
Contributor: I have a hunch that this should always be allowed for any resources

return true
// ValidateUserForFleetCRD checks to see if user is not allowed to modify fleet CRDs.
func ValidateUserForFleetCRD(group string, namespacedName types.NamespacedName, whiteListedUsers []string, userInfo authenticationv1.UserInfo) admission.Response {
if !checkCRDGroup(group) && isMasterGroupUserOrWhiteListedUser(whiteListedUsers, userInfo) {
Contributor: Hi Arvind! Should this be an OR term?

Contributor Author: I've updated the condition to only allow master group users and whitelisted users to modify fleet CRDs. We allow any user to modify other CRDs created by the user.

@michaelawyu (Contributor) left a comment: Other than the comment things LGTM.

return admission.Denied(fmt.Sprintf("failed to validate user: %s in groups: %v to modify fleet CRD: %s", req.UserInfo.Username, req.UserInfo.Groups, crd.Name))
}
return admission.Allowed(fmt.Sprintf("user: %s in groups: %v is allowed to modify CRD: %s", req.UserInfo.Username, req.UserInfo.Groups, crd.Name))
return validation.ValidateUserForFleetCRD(group, types.NamespacedName{Name: crd.Name, Namespace: crd.Namespace}, v.whiteListedUsers, req.UserInfo)
Contributor: CRD has no namespace

// ValidateUserForResource checks to see if user is allowed to modify argued fleet resource.
func ValidateUserForResource(resKind string, namespacedName types.NamespacedName, whiteListedUsers []string, userInfo authenticationv1.UserInfo) admission.Response {
if isMasterGroupUserOrWhiteListedUser(whiteListedUsers, userInfo) || isUserAuthenticatedServiceAccount(userInfo) {
Contributor: looks like resKind is not used in the validation?
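The three review threads above (the CRD gate the author reworked from an AND to an OR, the cluster-scoped CRD that has no namespace, and the resource gate that never uses resKind) are about one decision function in a validating admission webhook. The following is an added, stand-alone Go example of that decision logic, not the fleet project's code from this PR: it uses a minimal UserInfo stand-in instead of k8s.io/api/authentication/v1.UserInfo, a Decision struct instead of controller-runtime's admission.Response, and an assumed list of fleet CRD groups in place of the project's checkCRDGroup helper, which the page does not show. The identities in main are constructed, not captured from a cluster.

```go
package main

import (
	"fmt"
	"strings"
)

// UserInfo is a minimal stand-in for k8s.io/api/authentication/v1.UserInfo
// (assumption for this example: only Username and Groups are consulted).
type UserInfo struct {
	Username string
	Groups   []string
}

// Decision stands in for controller-runtime's admission.Response; only the
// allow/deny outcome and its message matter here.
type Decision struct {
	Allowed bool
	Message string
}

const (
	mastersGroup         = "system:masters"
	serviceAccountsGroup = "system:serviceaccounts"
	authenticatedGroup   = "system:authenticated"
	serviceAccountPrefix = "system:serviceaccount:"
)

// fleetCRDGroups is an assumed list of the API groups whose CRDs the webhook
// protects; the project's real checkCRDGroup helper is not on the page.
var fleetCRDGroups = []string{"fleet.azure.com", "placement.kubernetes-fleet.io"}

func contains(list []string, s string) bool {
	for _, v := range list {
		if v == s {
			return true
		}
	}
	return false
}

func isFleetCRDGroup(group string) bool { return contains(fleetCRDGroups, group) }

func isMasterGroupUserOrWhiteListedUser(whiteListedUsers []string, u UserInfo) bool {
	return contains(whiteListedUsers, u.Username) || contains(u.Groups, mastersGroup)
}

// isUserAuthenticatedServiceAccount relies on the identity the API server
// attaches to a service account token it has verified: a
// "system:serviceaccount:<namespace>:<name>" username plus membership in
// system:serviceaccounts and system:authenticated. The username prefix alone
// is not treated as proof, so the groups are checked as well.
func isUserAuthenticatedServiceAccount(u UserInfo) bool {
	return strings.HasPrefix(u.Username, serviceAccountPrefix) &&
		contains(u.Groups, serviceAccountsGroup) &&
		contains(u.Groups, authenticatedGroup)
}

// crdGateAsFirstSubmitted reproduces the AND form the reviewer questioned:
// it can never allow a fleet-group CRD (its first term is false for one) and
// it denies ordinary users on CRDs the webhook was never meant to guard.
func crdGateAsFirstSubmitted(group string, whiteListedUsers []string, u UserInfo) bool {
	return !isFleetCRDGroup(group) && isMasterGroupUserOrWhiteListedUser(whiteListedUsers, u)
}

// ValidateUserForFleetCRD is the OR form: a CRD outside the fleet groups is
// always allowed, a fleet-group CRD only for masters and whitelisted users.
// CRDs are cluster-scoped, so only the name is taken, not a NamespacedName.
func ValidateUserForFleetCRD(group, crdName string, whiteListedUsers []string, u UserInfo) Decision {
	if !isFleetCRDGroup(group) || isMasterGroupUserOrWhiteListedUser(whiteListedUsers, u) {
		return Decision{true, fmt.Sprintf("user: %s in groups: %v is allowed to modify CRD: %s", u.Username, u.Groups, crdName)}
	}
	return Decision{false, fmt.Sprintf("failed to validate user: %s in groups: %v to modify fleet CRD: %s", u.Username, u.Groups, crdName)}
}

// ValidateUserForResource guards a namespaced fleet resource such as a Role or
// RoleBinding. resKind goes into the message so a denial records what was
// touched, which is the gap the "resKind is not used" comment points at.
func ValidateUserForResource(resKind, namespace, name string, whiteListedUsers []string, u UserInfo) Decision {
	if isMasterGroupUserOrWhiteListedUser(whiteListedUsers, u) || isUserAuthenticatedServiceAccount(u) {
		return Decision{true, fmt.Sprintf("user: %s in groups: %v is allowed to modify %s: %s/%s", u.Username, u.Groups, resKind, namespace, name)}
	}
	return Decision{false, fmt.Sprintf("failed to validate user: %s in groups: %v to modify %s: %s/%s", u.Username, u.Groups, resKind, namespace, name)}
}

func main() {
	// Constructed identities for the example; not captured from a cluster.
	admin := UserInfo{Username: "admin", Groups: []string{"system:masters", "system:authenticated"}}
	dev := UserInfo{Username: "dev", Groups: []string{"system:authenticated"}}
	sa := UserInfo{Username: "system:serviceaccount:fleet-system:hub-agent",
		Groups: []string{"system:serviceaccounts", "system:serviceaccounts:fleet-system", "system:authenticated"}}
	for _, d := range []Decision{
		ValidateUserForFleetCRD("fleet.azure.com", "memberclusters.fleet.azure.com", nil, dev),
		ValidateUserForFleetCRD("fleet.azure.com", "memberclusters.fleet.azure.com", nil, admin),
		ValidateUserForFleetCRD("example.com", "widgets.example.com", nil, dev),
		ValidateUserForResource("Role", "fleet-system", "agent-role", nil, sa),
		ValidateUserForResource("RoleBinding", "fleet-system", "agent-binding", []string{"dev"}, dev),
	} {
		fmt.Printf("allowed=%t %s\n", d.Allowed, d.Message)
	}
}
```

Two points worth keeping in mind when reading the gates: the UserInfo a webhook sees is the identity the API server has already authenticated, so the webhook trusts it rather than re-verifying anything, and a username allowlist only works if it holds the exact canonical name the authenticator produces (for a service account that is the full system:serviceaccount:namespace:name form). The AND form is not an exposure, it fails closed, but it locks cluster admins out of the fleet CRDs and ordinary users out of CRDs the webhook was not meant to guard, which is why the reviewer asked for the OR.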

@Arvindthiru Arvindthiru merged commit 36b3987 into Azure:main Jul 14, 2023
10 checks passed