feat: add validator functions for eviction to use in webhook (#61)

britaniar · web-flow · commit 6c0dde2e51d8 · 2025-05-19T22:08:30.000-07:00
diff --git a/pkg/utils/common.go b/pkg/utils/common.go
@@ -171,6 +171,12 @@ var (
 		Kind:    placementv1beta1.ClusterResourcePlacementKind,
 	}
 
+	ClusterResourcePlacementEvictionMetaGVK = metav1.GroupVersionKind{
+		Group:   placementv1beta1.GroupVersion.Group,
+		Version: placementv1beta1.GroupVersion.Version,
+		Kind:    placementv1beta1.ClusterResourcePlacementEvictionKind,
+	}
+
 	ConfigMapGVK = schema.GroupVersionKind{
 		Group:   corev1.GroupName,
 		Version: corev1.SchemeGroupVersion.Version,
diff --git a/pkg/utils/validator/clusterresourceplacementeviction.go b/pkg/utils/validator/clusterresourceplacementeviction.go
@@ -0,0 +1,45 @@
+/*
+Copyright 2025 The KubeFleet Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Package validator provides utils to validate ClusterResourcePlacementEviction resources.
+package validator
+
+import (
+	"fmt"
+
+	"k8s.io/apimachinery/pkg/util/errors"
+
+	fleetv1beta1 "github.com/kubefleet-dev/kubefleet/apis/placement/v1beta1"
+)
+
+// ValidateClusterResourcePlacementForEviction validates cluster resource placement fields for eviction and returns error.
+func ValidateClusterResourcePlacementForEviction(crp fleetv1beta1.ClusterResourcePlacement) error {
+	allErr := make([]error, 0)
+
+	// Check Cluster Resource Placement is not deleting
+	if crp.DeletionTimestamp != nil {
+		allErr = append(allErr, fmt.Errorf("cluster resource placement %s is being deleted", crp.Name))
+		return errors.NewAggregate(allErr)
+	}
+	// Check Cluster Resource Placement Policy
+	if crp.Spec.Policy != nil {
+		if crp.Spec.Policy.PlacementType == fleetv1beta1.PickFixedPlacementType {
+			allErr = append(allErr, fmt.Errorf("cluster resource placement policy type %s is not supported", crp.Spec.Policy.PlacementType))
+		}
+	}
+
+	return errors.NewAggregate(allErr)
+}
diff --git a/pkg/webhook/clusterresourceplacementeviction/clusterresourceplacementeviction_validating_webhook.go b/pkg/webhook/clusterresourceplacementeviction/clusterresourceplacementeviction_validating_webhook.go
@@ -0,0 +1,82 @@
+/*
+Copyright 2025 The KubeFleet Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Package clusterresourceplacementeviction provides a validating webhook for the clusterresourceplacementeviction custom resource in the KubeFleet API group.
+package clusterresourceplacementeviction
+
+import (
+	"context"
+	"fmt"
+	"net/http"
+
+	k8serrors "k8s.io/apimachinery/pkg/api/errors"
+	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/klog/v2"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/controller-runtime/pkg/manager"
+	"sigs.k8s.io/controller-runtime/pkg/webhook"
+	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
+
+	fleetv1beta1 "github.com/kubefleet-dev/kubefleet/apis/placement/v1beta1"
+	"github.com/kubefleet-dev/kubefleet/pkg/utils"
+	"github.com/kubefleet-dev/kubefleet/pkg/utils/condition"
+	"github.com/kubefleet-dev/kubefleet/pkg/utils/validator"
+)
+
+var (
+	// ValidationPath is the webhook service path which admission requests are routed to for validating clusterresourceplacementeviction resources.
+	ValidationPath = fmt.Sprintf(utils.ValidationPathFmt, fleetv1beta1.GroupVersion.Group, fleetv1beta1.GroupVersion.Version, "clusterresourceplacementeviction")
+)
+
+type clusterResourcePlacementEvictionValidator struct {
+	client  client.Client
+	decoder webhook.AdmissionDecoder
+}
+
+// Add registers the webhook for K8s bulit-in object types.
+func Add(mgr manager.Manager) error {
+	hookServer := mgr.GetWebhookServer()
+	hookServer.Register(ValidationPath, &webhook.Admission{Handler: &clusterResourcePlacementEvictionValidator{mgr.GetClient(), admission.NewDecoder(mgr.GetScheme())}})
+	return nil
+}
+
+// Handle clusterResourcePlacementEvictionValidator checks to see if resource override is valid.
+func (v *clusterResourcePlacementEvictionValidator) Handle(ctx context.Context, req admission.Request) admission.Response {
+	var crpe fleetv1beta1.ClusterResourcePlacementEviction
+	klog.V(2).InfoS("Validating webhook handling cluster resource placement eviction", "operation", req.Operation, "clusterResourcePlacementEviction", req.Name)
+	if err := v.decoder.Decode(req, &crpe); err != nil {
+		klog.ErrorS(err, "Failed to decode cluster resource placement eviction object for validating fields", "userName", req.UserInfo.Username, "groups", req.UserInfo.Groups, "clusterResourcePlacementEviction", req.Name)
+		return admission.Errored(http.StatusBadRequest, err)
+	}
+
+	// Get the ClusterResourcePlacement object
+	var crp fleetv1beta1.ClusterResourcePlacement
+	if err := v.client.Get(ctx, types.NamespacedName{Name: crpe.Spec.PlacementName}, &crp); err != nil {
+		if k8serrors.IsNotFound(err) {
+			klog.V(2).InfoS(condition.EvictionInvalidMissingCRPMessage, "clusterResourcePlacementEviction", crpe.Name, "clusterResourcePlacement", crpe.Spec.PlacementName)
+			return admission.Denied(err.Error())
+		}
+		return admission.Errored(http.StatusBadRequest, fmt.Errorf("failed to get clusterResourcePlacement %s for clusterResourcePlacementEviction %s: %w", crpe.Spec.PlacementName, crpe.Name, err))
+	}
+
+	if err := validator.ValidateClusterResourcePlacementForEviction(crp); err != nil {
+		klog.V(2).ErrorS(err, "ClusterResourcePlacement has invalid fields, request is denied", "operation", req.Operation, "clusterResourcePlacementEviction", crpe.Name)
+		return admission.Denied(err.Error())
+	}
+
+	klog.V(2).InfoS("ClusterResourcePlacementEviction has valid fields", "clusterResourcePlacementEviction", crpe.Name)
+	return admission.Allowed("clusterResourcePlacementEviction has valid fields")
+}
diff --git a/pkg/webhook/clusterresourceplacementeviction/clusterresourceplacementeviction_validating_webhook_test.go b/pkg/webhook/clusterresourceplacementeviction/clusterresourceplacementeviction_validating_webhook_test.go
@@ -0,0 +1,234 @@
+/*
+Copyright 2025 The KubeFleet Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package clusterresourceplacementeviction
+
+import (
+	"context"
+	"encoding/json"
+	"testing"
+	"time"
+
+	"github.com/google/go-cmp/cmp"
+	"github.com/stretchr/testify/assert"
+	admissionv1 "k8s.io/api/admission/v1"
+	authenticationv1 "k8s.io/api/authentication/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/controller-runtime/pkg/client/fake"
+	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
+
+	placementv1beta1 "github.com/kubefleet-dev/kubefleet/apis/placement/v1beta1"
+	"github.com/kubefleet-dev/kubefleet/pkg/utils"
+)
+
+func TestHandle(t *testing.T) {
+	validCRPEObject := &placementv1beta1.ClusterResourcePlacementEviction{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: "test-crpe",
+		},
+		Spec: placementv1beta1.PlacementEvictionSpec{
+			PlacementName: "test-crp",
+		},
+	}
+	invalidCRPEObjectInvalidPlacementName := &placementv1beta1.ClusterResourcePlacementEviction{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: "test-crpe",
+		},
+		Spec: placementv1beta1.PlacementEvictionSpec{
+			PlacementName: "does-not-exist",
+		},
+	}
+	invalidCRPEObjectCRPDeleting := &placementv1beta1.ClusterResourcePlacementEviction{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: "test-crpe",
+		},
+		Spec: placementv1beta1.PlacementEvictionSpec{
+			PlacementName: "crp-deleting",
+		},
+	}
+	invalidCRPEObjectInvalidPlacementType := &placementv1beta1.ClusterResourcePlacementEviction{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: "test-crpe",
+		},
+		Spec: placementv1beta1.PlacementEvictionSpec{
+			PlacementName: "crp-pickfixed",
+		},
+	}
+
+	validCRPEObjectBytes, err := json.Marshal(validCRPEObject)
+	assert.Nil(t, err)
+	invalidCRPEObjectInvalidPlacementNameBytes, err := json.Marshal(invalidCRPEObjectInvalidPlacementName)
+	assert.Nil(t, err)
+	invalidCRPEObjectCRPDeletingBytes, err := json.Marshal(invalidCRPEObjectCRPDeleting)
+	assert.Nil(t, err)
+	invalidCRPEObjectInvalidPlacementTypeBytes, err := json.Marshal(invalidCRPEObjectInvalidPlacementType)
+	assert.Nil(t, err)
+
+	validCRP := &placementv1beta1.ClusterResourcePlacement{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: "test-crp",
+		},
+		Spec: placementv1beta1.ClusterResourcePlacementSpec{
+			ResourceSelectors: []placementv1beta1.ClusterResourceSelector{},
+			Policy: &placementv1beta1.PlacementPolicy{
+				PlacementType: placementv1beta1.PickAllPlacementType,
+			},
+		},
+	}
+	invalidCRPDeleting := &placementv1beta1.ClusterResourcePlacement{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: "crp-deleting",
+			DeletionTimestamp: &metav1.Time{
+				Time: time.Now().Add(10 * time.Minute),
+			},
+			Finalizers: []string{placementv1beta1.ClusterResourcePlacementCleanupFinalizer},
+		},
+		Spec: placementv1beta1.ClusterResourcePlacementSpec{
+			ResourceSelectors: []placementv1beta1.ClusterResourceSelector{},
+			Policy: &placementv1beta1.PlacementPolicy{
+				PlacementType: placementv1beta1.PickAllPlacementType,
+			},
+		},
+	}
+	invalidCRPPickFixed := &placementv1beta1.ClusterResourcePlacement{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: "crp-pickfixed",
+		},
+		Spec: placementv1beta1.ClusterResourcePlacementSpec{
+			ResourceSelectors: []placementv1beta1.ClusterResourceSelector{},
+			Policy: &placementv1beta1.PlacementPolicy{
+				PlacementType: placementv1beta1.PickFixedPlacementType,
+				ClusterNames:  []string{"cluster1", "cluster2"},
+			},
+		},
+	}
+
+	objects := []client.Object{validCRP, invalidCRPDeleting, invalidCRPPickFixed}
+	scheme := runtime.NewScheme()
+	err = placementv1beta1.AddToScheme(scheme)
+	assert.Nil(t, err)
+	decoder := admission.NewDecoder(scheme)
+	assert.Nil(t, err)
+	fakeClient := fake.NewClientBuilder().
+		WithScheme(scheme).
+		WithObjects(objects...).
+		Build()
+
+	testCases := map[string]struct {
+		req               admission.Request
+		resourceValidator clusterResourcePlacementEvictionValidator
+		wantResponse      admission.Response
+	}{
+		"allow CRPE create": {
+			req: admission.Request{
+				AdmissionRequest: admissionv1.AdmissionRequest{
+					Name: "test-crpe",
+					Object: runtime.RawExtension{
+						Raw:    validCRPEObjectBytes,
+						Object: validCRPEObject,
+					},
+					UserInfo: authenticationv1.UserInfo{
+						Username: "test-user",
+						Groups:   []string{"system:masters"},
+					},
+					RequestKind: &utils.ClusterResourcePlacementEvictionMetaGVK,
+					Operation:   admissionv1.Create,
+				},
+			},
+			resourceValidator: clusterResourcePlacementEvictionValidator{
+				decoder: decoder,
+				client:  fakeClient,
+			},
+			wantResponse: admission.Allowed("clusterResourcePlacementEviction has valid fields"),
+		},
+		"deny CRPE create - invalid CRPE object": {
+			req: admission.Request{
+				AdmissionRequest: admissionv1.AdmissionRequest{
+					Name: "test-crpe",
+					Object: runtime.RawExtension{
+						Raw:    invalidCRPEObjectInvalidPlacementNameBytes,
+						Object: invalidCRPEObjectInvalidPlacementName,
+					},
+					UserInfo: authenticationv1.UserInfo{
+						Username: "test-user",
+						Groups:   []string{"system:masters"},
+					},
+					RequestKind: &utils.ClusterResourcePlacementMetaGVK,
+					Operation:   admissionv1.Create,
+				},
+			},
+			resourceValidator: clusterResourcePlacementEvictionValidator{
+				decoder: decoder,
+				client:  fakeClient,
+			},
+			wantResponse: admission.Denied("clusterresourceplacements.placement.kubernetes-fleet.io \"does-not-exist\" not found"),
+		},
+		"deny CRPE create - CRP is deleting": {
+			req: admission.Request{
+				AdmissionRequest: admissionv1.AdmissionRequest{
+					Name: "test-crpe",
+					Object: runtime.RawExtension{
+						Raw:    invalidCRPEObjectCRPDeletingBytes,
+						Object: invalidCRPEObjectCRPDeleting,
+					},
+					UserInfo: authenticationv1.UserInfo{
+						Username: "test-user",
+						Groups:   []string{"system:masters"},
+					},
+					RequestKind: &utils.ClusterResourcePlacementEvictionMetaGVK,
+					Operation:   admissionv1.Create,
+				},
+			},
+			resourceValidator: clusterResourcePlacementEvictionValidator{
+				decoder: decoder,
+				client:  fakeClient,
+			},
+			wantResponse: admission.Denied("cluster resource placement crp-deleting is being deleted"),
+		},
+		"deny CRPE create - CRP with PickFixed placement type": {
+			req: admission.Request{
+				AdmissionRequest: admissionv1.AdmissionRequest{
+					Name: "test-crpe",
+					Object: runtime.RawExtension{
+						Raw:    invalidCRPEObjectInvalidPlacementTypeBytes,
+						Object: invalidCRPEObjectInvalidPlacementType,
+					},
+					UserInfo: authenticationv1.UserInfo{
+						Username: "test-user",
+						Groups:   []string{"system:masters"},
+					},
+					RequestKind: &utils.ClusterResourcePlacementEvictionMetaGVK,
+					Operation:   admissionv1.Create,
+				},
+			},
+			resourceValidator: clusterResourcePlacementEvictionValidator{
+				decoder: decoder,
+				client:  fakeClient,
+			},
+			wantResponse: admission.Denied("cluster resource placement policy type PickFixed is not supported"),
+		},
+	}
+	for testName, testCase := range testCases {
+		t.Run(testName, func(t *testing.T) {
+			gotResult := testCase.resourceValidator.Handle(context.Background(), testCase.req)
+			if diff := cmp.Diff(testCase.wantResponse, gotResult); diff != "" {
+				t.Errorf("ClusterResourcePlacementEvictionValidator Handle() mismatch (-want +got):\n%s", diff)
+			}
+		})
+	}
+}
