Add VM validation webhook (#607)

* Add VM validation webhook * Fix tests * Remove user check * Update tests * Fix lint error * Add comments to explain what the webhooks do * Update pkg/webhook/validatingwebhook/validate_vm_request.go Co-authored-by: Francisc Munteanu <[email protected]> * Consolidate test to use HandleValidate * Fix lint error * Fix mutate webhook apiVersions * Fix test --------- Co-authored-by: Francisc Munteanu <[email protected]>
codeready-toolchain · Nov 26, 2024 · 3ec7d15 · 3ec7d15
1 parent 6e75b2a
commit 3ec7d15
Show file tree

Hide file tree

Showing 7 changed files with 340 additions and 6 deletions.
diff --git a/cmd/webhook/main.go b/cmd/webhook/main.go
@@ -107,13 +107,17 @@ func main() {
 	sspRequestValidator := &validatingwebhook.SSPRequestValidator{
 		Client: cl,
 	}
+	vmRequestValidator := &validatingwebhook.VMRequestValidator{
+		Client: cl,
+	}
 	mux := http.NewServeMux()
 
 	mux.HandleFunc("/mutate-users-pods", mutatingwebhook.HandleMutateUserPods)
 	mux.HandleFunc("/mutate-virtual-machines", mutatingwebhook.HandleMutateVirtualMachines)
 	mux.HandleFunc("/validate-users-rolebindings", rolebindingValidator.HandleValidate)
 	mux.HandleFunc("/validate-spacebindingrequests", spacebindingrequestValidator.HandleValidate)
 	mux.HandleFunc("/validate-ssprequests", sspRequestValidator.HandleValidate) // SSP is a CNV specific resource
+	mux.HandleFunc("/validate-vmrequests", vmRequestValidator.HandleValidate)
 
 	webhookServer := &http.Server{ //nolint:gosec //TODO: configure ReadHeaderTimeout (gosec G112)
 		Addr:    ":8443",

diff --git a/deploy/webhook/member-operator-webhook.yaml b/deploy/webhook/member-operator-webhook.yaml
@@ -180,7 +180,7 @@ objects:
     rules:
     - operations: ["CREATE"]
       apiGroups: ["kubevirt.io"]
-      apiVersions: ["v1"]
+      apiVersions: ["*"]
       resources: ["virtualmachines"]
       scope: "Namespaced"
     sideEffects: None
@@ -251,6 +251,9 @@ objects:
       namespaceSelector:
         matchLabels:
           toolchain.dev.openshift.com/provider: codeready-toolchain
+    # The users.virtualmachines.ssp.webhook.sandbox webhook validates SSP CRs,
+    # Specifically it blocks the creation/update of SSP resources by sandbox users because it should only be managed by the Virtualization operator
+    # The webhook code is available at member-operator/pkg/webhook/validatingwebhook/validate_ssp_request.go
     - name: users.virtualmachines.ssp.webhook.sandbox
       admissionReviewVersions:
         - v1
@@ -275,6 +278,33 @@ objects:
       namespaceSelector:
         matchLabels:
           toolchain.dev.openshift.com/provider: codeready-toolchain
+    # The users.virtualmachines.validating.webhook.sandbox webhook validates VirtualMachine CRs,
+    # Specifically it blocks the creation/update of VirtualMachine resources that have '.spec.RunStrategy' set because it interferes with the Idler.
+    # The webhook code is available at member-operator/pkg/webhook/validatingwebhook/validate_vm_request.go
+    - name: users.virtualmachines.validating.webhook.sandbox
+      admissionReviewVersions:
+        - v1
+      clientConfig:
+        caBundle: ${CA_BUNDLE}
+        service:
+          name: member-operator-webhook
+          namespace: ${NAMESPACE}
+          path: "/validate-vmrequests"
+          port: 443
+      matchPolicy: Equivalent
+      rules:
+        - operations: ["CREATE", "UPDATE"]
+          apiGroups: ["kubevirt.io"]
+          apiVersions: ["*"]
+          resources: ["virtualmachines"]
+          scope: "Namespaced"
+      sideEffects: None
+      timeoutSeconds: 5
+      reinvocationPolicy: Never
+      failurePolicy: Fail
+      namespaceSelector:
+        matchLabels:
+          toolchain.dev.openshift.com/provider: codeready-toolchain
 parameters:
 - name: NAMESPACE
   value: 'toolchain-member-operator'

diff --git a/pkg/webhook/deploy/deployment_test.go b/pkg/webhook/deploy/deployment_test.go
@@ -223,11 +223,11 @@ func deployment(namespace, sa string, image string) string {
 }
 
 func mutatingWebhookConfig(namespace, caBundle string) string {
-	return fmt.Sprintf(`{"apiVersion":"admissionregistration.k8s.io/v1","kind":"MutatingWebhookConfiguration","metadata":{"name":"member-operator-webhook-%[2]s","labels":{"app":"member-operator-webhook","toolchain.dev.openshift.com/provider":"codeready-toolchain"}},"webhooks":[{"name":"users.pods.webhook.sandbox","admissionReviewVersions":["v1"],"clientConfig":{"caBundle":"%[1]s","service":{"name":"member-operator-webhook","namespace":"%[2]s","path":"/mutate-users-pods","port":443}},"matchPolicy":"Equivalent","rules":[{"operations":["CREATE"],"apiGroups":[""],"apiVersions":["v1"],"resources":["pods"],"scope":"Namespaced"}],"sideEffects":"None","timeoutSeconds":5,"reinvocationPolicy":"Never","failurePolicy":"Ignore","namespaceSelector":{"matchLabels":{"toolchain.dev.openshift.com/provider":"codeready-toolchain"}}},{"name":"users.virtualmachines.webhook.sandbox","admissionReviewVersions":["v1"],"clientConfig":{"caBundle":"%[1]s","service":{"name":"member-operator-webhook","namespace":"%[2]s","path":"/mutate-virtual-machines","port":443}},"matchPolicy":"Equivalent","rules":[{"operations":["CREATE"],"apiGroups":["kubevirt.io"],"apiVersions":["v1"],"resources":["virtualmachines"],"scope":"Namespaced"}],"sideEffects":"None","timeoutSeconds":5,"reinvocationPolicy":"Never","failurePolicy":"Fail","namespaceSelector":{"matchLabels":{"toolchain.dev.openshift.com/provider":"codeready-toolchain"}}}]}`, caBundle, namespace)
+	return fmt.Sprintf(`{"apiVersion":"admissionregistration.k8s.io/v1","kind":"MutatingWebhookConfiguration","metadata":{"name":"member-operator-webhook-%[2]s","labels":{"app":"member-operator-webhook","toolchain.dev.openshift.com/provider":"codeready-toolchain"}},"webhooks":[{"name":"users.pods.webhook.sandbox","admissionReviewVersions":["v1"],"clientConfig":{"caBundle":"%[1]s","service":{"name":"member-operator-webhook","namespace":"%[2]s","path":"/mutate-users-pods","port":443}},"matchPolicy":"Equivalent","rules":[{"operations":["CREATE"],"apiGroups":[""],"apiVersions":["v1"],"resources":["pods"],"scope":"Namespaced"}],"sideEffects":"None","timeoutSeconds":5,"reinvocationPolicy":"Never","failurePolicy":"Ignore","namespaceSelector":{"matchLabels":{"toolchain.dev.openshift.com/provider":"codeready-toolchain"}}},{"name":"users.virtualmachines.webhook.sandbox","admissionReviewVersions":["v1"],"clientConfig":{"caBundle":"%[1]s","service":{"name":"member-operator-webhook","namespace":"%[2]s","path":"/mutate-virtual-machines","port":443}},"matchPolicy":"Equivalent","rules":[{"operations":["CREATE"],"apiGroups":["kubevirt.io"],"apiVersions":["*"],"resources":["virtualmachines"],"scope":"Namespaced"}],"sideEffects":"None","timeoutSeconds":5,"reinvocationPolicy":"Never","failurePolicy":"Fail","namespaceSelector":{"matchLabels":{"toolchain.dev.openshift.com/provider":"codeready-toolchain"}}}]}`, caBundle, namespace)
 }
 
 func validatingWebhookConfig(namespace, caBundle string) string {
-	return fmt.Sprintf(`{"apiVersion": "admissionregistration.k8s.io/v1","kind": "ValidatingWebhookConfiguration","metadata": {"labels": {"app": "member-operator-webhook","toolchain.dev.openshift.com/provider": "codeready-toolchain"},"name": "member-operator-validating-webhook-%[2]s"},"webhooks": [{"admissionReviewVersions": ["v1"],"clientConfig": {"caBundle": "%[1]s","service": {"name": "member-operator-webhook","namespace": "%[2]s","path": "/validate-users-rolebindings","port": 443}},"failurePolicy": "Ignore","matchPolicy": "Equivalent","name": "users.rolebindings.webhook.sandbox","namespaceSelector": {"matchLabels": {"toolchain.dev.openshift.com/provider": "codeready-toolchain"}},"reinvocationPolicy": "Never","rules": [{"apiGroups": ["rbac.authorization.k8s.io","authorization.openshift.io"],"apiVersions": ["v1"],"operations": ["CREATE","UPDATE"],"resources": ["rolebindings"],"scope": "Namespaced"}],"sideEffects": "None","timeoutSeconds": 5},{"admissionReviewVersions": ["v1"],"clientConfig": {"caBundle": "%[1]s","service": {"name": "member-operator-webhook","namespace": "%[2]s","path": "/validate-spacebindingrequests","port": 443}},"failurePolicy": "Fail","matchPolicy": "Equivalent","name": "users.spacebindingrequests.webhook.sandbox","namespaceSelector": {"matchLabels": {"toolchain.dev.openshift.com/provider": "codeready-toolchain"}},"reinvocationPolicy": "Never","rules": [{"apiGroups": ["toolchain.dev.openshift.com"],"apiVersions": ["v1alpha1"],"operations": ["CREATE","UPDATE"],"resources": ["spacebindingrequests"],"scope": "Namespaced"}],"sideEffects": "None","timeoutSeconds": 5},{"admissionReviewVersions": ["v1"],"clientConfig": {"caBundle": "%[1]s","service": {"name": "member-operator-webhook","namespace": "%[2]s","path": "/validate-ssprequests","port": 443}},"failurePolicy": "Fail","matchPolicy": "Equivalent","name": "users.virtualmachines.ssp.webhook.sandbox","namespaceSelector": {"matchLabels": {"toolchain.dev.openshift.com/provider": "codeready-toolchain"}},"reinvocationPolicy": "Never","rules": [{"apiGroups": ["ssp.kubevirt.io"],"apiVersions": ["*"],"operations": ["CREATE","UPDATE"],"resources": ["ssps"],"scope": "Namespaced"}],"sideEffects": "None","timeoutSeconds": 5}]}`, caBundle, namespace)
+	return fmt.Sprintf(`{"apiVersion": "admissionregistration.k8s.io/v1","kind": "ValidatingWebhookConfiguration","metadata": {"labels": {"app": "member-operator-webhook","toolchain.dev.openshift.com/provider": "codeready-toolchain"},"name": "member-operator-validating-webhook-%[2]s"},"webhooks": [{"admissionReviewVersions": ["v1"],"clientConfig": {"caBundle": "%[1]s","service": {"name": "member-operator-webhook","namespace": "%[2]s","path": "/validate-users-rolebindings","port": 443}},"failurePolicy": "Ignore","matchPolicy": "Equivalent","name": "users.rolebindings.webhook.sandbox","namespaceSelector": {"matchLabels": {"toolchain.dev.openshift.com/provider": "codeready-toolchain"}},"reinvocationPolicy": "Never","rules": [{"apiGroups": ["rbac.authorization.k8s.io","authorization.openshift.io"],"apiVersions": ["v1"],"operations": ["CREATE","UPDATE"],"resources": ["rolebindings"],"scope": "Namespaced"}],"sideEffects": "None","timeoutSeconds": 5},{"admissionReviewVersions": ["v1"],"clientConfig": {"caBundle": "%[1]s","service": {"name": "member-operator-webhook","namespace": "%[2]s","path": "/validate-spacebindingrequests","port": 443}},"failurePolicy": "Fail","matchPolicy": "Equivalent","name": "users.spacebindingrequests.webhook.sandbox","namespaceSelector": {"matchLabels": {"toolchain.dev.openshift.com/provider": "codeready-toolchain"}},"reinvocationPolicy": "Never","rules": [{"apiGroups": ["toolchain.dev.openshift.com"],"apiVersions": ["v1alpha1"],"operations": ["CREATE","UPDATE"],"resources": ["spacebindingrequests"],"scope": "Namespaced"}],"sideEffects": "None","timeoutSeconds": 5},{"admissionReviewVersions": ["v1"],"clientConfig": {"caBundle": "%[1]s","service": {"name": "member-operator-webhook","namespace": "%[2]s","path": "/validate-ssprequests","port": 443}},"failurePolicy": "Fail","matchPolicy": "Equivalent","name": "users.virtualmachines.ssp.webhook.sandbox","namespaceSelector": {"matchLabels": {"toolchain.dev.openshift.com/provider": "codeready-toolchain"}},"reinvocationPolicy": "Never","rules": [{"apiGroups": ["ssp.kubevirt.io"],"apiVersions": ["*"],"operations": ["CREATE","UPDATE"],"resources": ["ssps"],"scope": "Namespaced"}],"sideEffects": "None","timeoutSeconds": 5},{"admissionReviewVersions": ["v1"],"clientConfig": {"caBundle": "%[1]s","service": {"name": "member-operator-webhook","namespace": "%[2]s","path": "/validate-vmrequests","port": 443}},"failurePolicy": "Fail","matchPolicy": "Equivalent","name": "users.virtualmachines.validating.webhook.sandbox","namespaceSelector": {"matchLabels": {"toolchain.dev.openshift.com/provider": "codeready-toolchain"}},"reinvocationPolicy": "Never","rules": [{"apiGroups": ["kubevirt.io"],"apiVersions": ["*"],"operations": ["CREATE","UPDATE"],"resources": ["virtualmachines"],"scope": "Namespaced"}],"sideEffects": "None","timeoutSeconds": 5}]}`, caBundle, namespace)
 }
 
 func serviceAccount(namespace string) string {

diff --git a/pkg/webhook/validatingwebhook/test/verify_utils.go b/pkg/webhook/validatingwebhook/test/verify_utils.go
@@ -12,9 +12,9 @@ import (
 func VerifyRequestBlocked(t *testing.T, response []byte, msg string, UID string) {
 	reviewResponse := toReviewResponse(t, response)
 	assert.False(t, reviewResponse.Allowed)
-	assert.NotEmpty(t, reviewResponse.Result)
-	assert.Contains(t, reviewResponse.Result.Message, msg)
 	assert.Equal(t, UID, string(reviewResponse.UID))
+	require.NotEmpty(t, reviewResponse.Result)
+	assert.Contains(t, reviewResponse.Result.Message, msg)
 }
 
 func VerifyRequestAllowed(t *testing.T, response []byte, UID string) {

diff --git a/pkg/webhook/validatingwebhook/validate_ssp_request_test.go b/pkg/webhook/validatingwebhook/validate_ssp_request_test.go
@@ -54,7 +54,7 @@ func TestValidateSSPAdmissionRequest(t *testing.T) {
 	t.Run("sandbox user trying to update a SSP resource is denied", func(t *testing.T) {
 		// given
 		v := newSSPRequestValidator(t, "johnsmith", true)
-		req := newCreateSSPAdmissionRequest(t, SSPAdmReviewTmplParams{"CREATE", "johnsmith"})
+		req := newCreateSSPAdmissionRequest(t, SSPAdmReviewTmplParams{"UPDATE", "johnsmith"})
 
 		// when
 		response := v.validate(context.TODO(), req)

diff --git a/pkg/webhook/validatingwebhook/validate_vm_request.go b/pkg/webhook/validatingwebhook/validate_vm_request.go
@@ -0,0 +1,76 @@
+package validatingwebhook
+
+import (
+	"html"
+	"io"
+	"net/http"
+
+	"github.com/pkg/errors"
+	admissionv1 "k8s.io/api/admission/v1"
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+	runtimeClient "sigs.k8s.io/controller-runtime/pkg/client"
+)
+
+type VMRequestValidator struct {
+	Client runtimeClient.Client
+}
+
+func (v VMRequestValidator) HandleValidate(w http.ResponseWriter, r *http.Request) {
+	var respBody []byte
+	body, err := io.ReadAll(r.Body)
+	defer func() {
+		if err := r.Body.Close(); err != nil {
+			log.Error(err, "unable to close the body")
+		}
+	}()
+	if err != nil {
+		log.Error(err, "unable to read the body of the request")
+		w.WriteHeader(http.StatusInternalServerError)
+		respBody = []byte("unable to read the body of the request")
+	} else {
+		// validate the request
+		respBody = v.validate(body)
+		w.WriteHeader(http.StatusOK)
+	}
+	if _, err := io.WriteString(w, string(respBody)); err != nil {
+		log.Error(err, "unable to write response")
+	}
+}
+
+func (v VMRequestValidator) validate(body []byte) []byte {
+	log.Info("incoming request", "body", string(body))
+	admReview := admissionv1.AdmissionReview{}
+	if _, _, err := deserializer.Decode(body, nil, &admReview); err != nil {
+		// sanitize the body
+		escapedBody := html.EscapeString(string(body))
+		log.Error(err, "unable to deserialize the admission review object", "body", escapedBody)
+		return denyAdmissionRequest(admReview, errors.Wrapf(err, "unable to deserialize the admission review object - body: %v", escapedBody))
+	}
+
+	unstructuredRequestObj := &unstructured.Unstructured{}
+	if err := unstructuredRequestObj.UnmarshalJSON(admReview.Request.Object.Raw); err != nil {
+		log.Error(err, "unable to check runStrategy in VirtualMachine", "VirtualMachine", unstructuredRequestObj)
+		return denyAdmissionRequest(admReview, errors.New("failed to validate VirtualMachine request"))
+	}
+
+	hasRunStrategy, err := hasRunningStrategy(unstructuredRequestObj)
+	if err != nil {
+		log.Error(err, "failed to unmarshal VirtualMachine json object", "AdmissionReview", admReview)
+		return denyAdmissionRequest(admReview, errors.New("failed to validate VirtualMachine request"))
+	}
+	if hasRunStrategy {
+		log.Info("sandbox user is trying to create a VM with RunStrategy configured", "AdmissionReview", admReview) // not allowed because it interferes with the Dev Sandbox Idler
+		return denyAdmissionRequest(admReview, errors.New("this is a Dev Sandbox enforced restriction. Configuring RunStrategy is not allowed"))
+	}
+	// the user is not creating a VM with the 'runStrategy' configured, allowing the request.
+	return allowAdmissionRequest(admReview)
+}
+
+func hasRunningStrategy(unstructuredObj *unstructured.Unstructured) (bool, error) {
+	_, runStrategyFound, err := unstructured.NestedString(unstructuredObj.Object, "spec", "runStrategy")
+	if err != nil {
+		return runStrategyFound, err
+	}
+
+	return runStrategyFound, nil
+}