✨ Add ValidatingAdmissionPolicy to enforce package uniqueness acros…

…s `ClusterExtension` (#774) * Add `ValidatingAdmissionPolicy` To enforce package uniqueness across `ClusterExtension` Signed-off-by: Mikalai Radchuk <mradchuk@redhat.com> * Kustomize `ValidatingAdmissionPolicyBinding` This is a workaround for kustomize issue where it does not prefix `ValidatingAdmissionPolicy`'s name in `ValidatingAdmissionPolicyBinding`'s field `spec.policyName`. This results in manifests which can still be applied to a cluster, but the policy will not be working due to broken policy binding. These APIs are now stable in 1.30 so one might expect that Kustomize will eventually support these by default. If this happens - we will be able to remove this change. Signed-off-by: Mikalai Radchuk <mradchuk@redhat.com> --------- Signed-off-by: Mikalai Radchuk <mradchuk@redhat.com>
operator-framework · Apr 24, 2024 · 189b42a · 189b42a
1 parent ebd95a8
commit 189b42a
Show file tree

Hide file tree

Showing 4 changed files with 52 additions and 0 deletions.
diff --git a/config/admission/admission.yaml b/config/admission/admission.yaml
@@ -0,0 +1,37 @@
+apiVersion: admissionregistration.k8s.io/v1beta1
+kind: ValidatingAdmissionPolicy
+metadata:
+  name: "clusterextensions-package-uniqueness"
+spec:
+  failurePolicy: Fail
+  paramKind:
+    apiVersion: olm.operatorframework.io/v1alpha1
+    kind: ClusterExtension
+  matchConstraints:
+    resourceRules:
+    - apiGroups:   ["olm.operatorframework.io"]
+      apiVersions: ["v1alpha1"]
+      operations:  ["CREATE", "UPDATE"]
+      resources:   ["clusterextensions"]
+  matchConditions:
+    # Only apply the policy when the request operation is CREATE
+    # or when the package is being changed
+    - name: 'only-create-or-package-change'
+      expression: request.operation == 'CREATE' || oldObject.spec.packageName != object.spec.packageName
+  validations:
+    - expression: object.spec.packageName != params.spec.packageName
+      messageExpression: "'Package \"' + string(object.spec.packageName) + '\" is already installed via ClusterExtension \"' +  string(params.metadata.name) + '\"'"
+      reason: Invalid
+
+---
+
+apiVersion: admissionregistration.k8s.io/v1beta1
+kind: ValidatingAdmissionPolicyBinding
+metadata:
+  name: "clusterextensions-package-uniqueness-binding"
+spec:
+  policyName: "clusterextensions-package-uniqueness"
+  validationActions: [Deny]
+  paramRef:
+    parameterNotFoundAction: Allow
+    selector: {}
diff --git a/config/admission/kustomization.yaml b/config/admission/kustomization.yaml
@@ -0,0 +1,5 @@
+configurations:
+- kustomizeconfig.yaml
+
+resources:
+- admission.yaml
diff --git a/config/admission/kustomizeconfig.yaml b/config/admission/kustomizeconfig.yaml
@@ -0,0 +1,9 @@
+# This file is for teaching kustomize how to substitute name in ValidatingAdmissionPolicyBinding
+# This might become obsolete depending on the outcome of https://github.com/kubernetes-sigs/kustomize/issues/5674
+nameReference:
+- kind: ValidatingAdmissionPolicy
+  group: admissionregistration.k8s.io
+  fieldSpecs:
+  - kind: ValidatingAdmissionPolicyBinding
+    group: admissionregistration.k8s.io
+    path: spec/policyName
diff --git a/config/default/kustomization.yaml b/config/default/kustomization.yaml
@@ -16,6 +16,7 @@ namePrefix: operator-controller-
 
 resources:
 - ../crd
+- ../admission
 - ../rbac
 - ../manager
 # [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in