feat: add webhook configuration for cluster resource placement eviction (#70)

Author: britaniar

pkg/controllers/clusterresourceplacementeviction/controller_intergration_test.go

@@ -481,6 +481,55 @@ var _ = Describe("Test ClusterResourcePlacementEviction Controller", func() {
 			checkEvictionCompleteMetric(customRegistry, "true", "true")
 		})
 	})
+
+	It("Invalid Eviction Blocked - PickFixed CRP, invalid eviction denied - No PDB specified", func() {
+		crpName := fmt.Sprintf(crpNameTemplate, GinkgoParallelProcess())
+
+		// Create the CRP.
+		By("Create ClusterResourcePlacement", func() {
+			crp := placementv1beta1.ClusterResourcePlacement{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: crpName,
+				},
+				Spec: placementv1beta1.ClusterResourcePlacementSpec{
+					Policy: &placementv1beta1.PlacementPolicy{
+						PlacementType: placementv1beta1.PickFixedPlacementType,
+						ClusterNames:  []string{"test-cluster-1"},
+					},
+					ResourceSelectors: []placementv1beta1.ClusterResourceSelector{
+						{
+							Group:   "",
+							Kind:    "Namespace",
+							Version: "v1",
+							Name:    "test-ns",
+						},
+					},
+				},
+			}
+			Expect(k8sClient.Create(ctx, &crp)).Should(Succeed())
+			// ensure CRP exists.
+			Eventually(func() error {
+				return k8sClient.Get(ctx, types.NamespacedName{Name: crp.Name}, &crp)
+			}, eventuallyDuration, eventuallyInterval).Should(Succeed())
+		})
+
+		By("Create ClusterResourcePlacementEviction", func() {
+			eviction := buildTestEviction(evictionName, crpName, "test-cluster")
+			Expect(k8sClient.Create(ctx, eviction)).Should(Succeed())
+		})
+
+		By("Check eviction status", func() {
+			evictionStatusUpdatedActual := testutilseviction.StatusUpdatedActual(
+				ctx, k8sClient, evictionName,
+				&testutilseviction.IsValidEviction{IsValid: false, Msg: condition.EvictionInvalidPickFixedCRPMessage},
+				nil)
+			Eventually(evictionStatusUpdatedActual, eventuallyDuration, eventuallyInterval).Should(Succeed())
+		})
+
+		By("Ensure eviction complete metric was emitted", func() {
+			checkEvictionCompleteMetric(customRegistry, "false", "true")
+		})
+	})
 })
 
 func buildTestPickNCRP(crpName string, clusterCount int32) placementv1beta1.ClusterResourcePlacement {

pkg/webhook/add_handler.go

@@ -3,6 +3,7 @@ package webhook
 import (
 	"github.com/kubefleet-dev/kubefleet/pkg/webhook/clusterresourceoverride"
 	"github.com/kubefleet-dev/kubefleet/pkg/webhook/clusterresourceplacement"
+	"github.com/kubefleet-dev/kubefleet/pkg/webhook/clusterresourceplacementeviction"
 	"github.com/kubefleet-dev/kubefleet/pkg/webhook/fleetresourcehandler"
 	"github.com/kubefleet-dev/kubefleet/pkg/webhook/membercluster"
 	"github.com/kubefleet-dev/kubefleet/pkg/webhook/pod"
@@ -21,4 +22,5 @@ func init() {
 	AddToManagerFuncs = append(AddToManagerFuncs, membercluster.Add)
 	AddToManagerFuncs = append(AddToManagerFuncs, clusterresourceoverride.Add)
 	AddToManagerFuncs = append(AddToManagerFuncs, resourceoverride.Add)
+	AddToManagerFuncs = append(AddToManagerFuncs, clusterresourceplacementeviction.Add)
 }

pkg/webhook/clusterresourceplacementeviction/clusterresourceplacementeviction_validating_webhook.go

@@ -53,7 +53,7 @@ func Add(mgr manager.Manager) error {
 	return nil
 }
 
-// Handle clusterResourcePlacementEvictionValidator checks to see if resource override is valid.
+// Handle clusterResourcePlacementEvictionValidator checks to see if the eviction is valid.
 func (v *clusterResourcePlacementEvictionValidator) Handle(ctx context.Context, req admission.Request) admission.Response {
 	var crpe fleetv1beta1.ClusterResourcePlacementEviction
 	klog.V(2).InfoS("Validating webhook handling cluster resource placement eviction", "operation", req.Operation, "clusterResourcePlacementEviction", req.Name)

pkg/webhook/webhook.go

@@ -59,6 +59,7 @@ import (
 	"github.com/kubefleet-dev/kubefleet/cmd/hubagent/options"
 	"github.com/kubefleet-dev/kubefleet/pkg/webhook/clusterresourceoverride"
 	"github.com/kubefleet-dev/kubefleet/pkg/webhook/clusterresourceplacement"
+	"github.com/kubefleet-dev/kubefleet/pkg/webhook/clusterresourceplacementeviction"
 	"github.com/kubefleet-dev/kubefleet/pkg/webhook/fleetresourcehandler"
 	"github.com/kubefleet-dev/kubefleet/pkg/webhook/membercluster"
 	"github.com/kubefleet-dev/kubefleet/pkg/webhook/pod"
@@ -113,6 +114,7 @@ const (
 	podResourceName                      = "pods"
 	clusterResourceOverrideName          = "clusterresourceoverrides"
 	resourceOverrideName                 = "resourceoverrides"
+	evictionName                         = "clusterresourceplacementevictions"
 )
 
 var (
@@ -362,6 +364,22 @@ func (w *Config) buildFleetValidatingWebhooks() []admv1.ValidatingWebhook {
 			},
 			TimeoutSeconds: longWebhookTimeout,
 		},
+		{
+			Name:                    "fleet.clusterresourceplacementeviction.validating",
+			ClientConfig:            w.createClientConfig(clusterresourceplacementeviction.ValidationPath),
+			FailurePolicy:           &failFailurePolicy,
+			SideEffects:             &sideEffortsNone,
+			AdmissionReviewVersions: admissionReviewVersions,
+			Rules: []admv1.RuleWithOperations{
+				{
+					Operations: []admv1.OperationType{
+						admv1.Create,
+					},
+					Rule: createRule([]string{placementv1beta1.GroupVersion.Group}, []string{placementv1beta1.GroupVersion.Version}, []string{evictionName}, &clusterScope),
+				},
+			},
+			TimeoutSeconds: longWebhookTimeout,
+		},
 	}
 
 	return webHooks

pkg/webhook/webhook_test.go

@@ -25,7 +25,7 @@ func TestBuildFleetValidatingWebhooks(t *testing.T) {
 				serviceURL:           "test-url",
 				clientConnectionType: &url,
 			},
-			wantLength: 7,
+			wantLength: 8,
 		},
 	}
 

test/e2e/placement_eviction_test.go

@@ -31,74 +31,6 @@ import (
 	testutilseviction "github.com/kubefleet-dev/kubefleet/test/utils/eviction"
 )
 
-var _ = Describe("ClusterResourcePlacement eviction of bound binding - PickFixed CRP, invalid eviction denied - No PDB specified", Ordered, func() {
-	crpName := fmt.Sprintf(crpNameTemplate, GinkgoParallelProcess())
-	crpEvictionName := fmt.Sprintf(crpEvictionNameTemplate, GinkgoParallelProcess())
-
-	BeforeAll(func() {
-		By("creating work resources")
-		createWorkResources()
-
-		// Create the CRP.
-		crp := &placementv1beta1.ClusterResourcePlacement{
-			ObjectMeta: metav1.ObjectMeta{
-				Name: crpName,
-				// Add a custom finalizer; this would allow us to better observe
-				// the behavior of the controllers.
-				Finalizers: []string{customDeletionBlockerFinalizer},
-			},
-			Spec: placementv1beta1.ClusterResourcePlacementSpec{
-				Policy: &placementv1beta1.PlacementPolicy{
-					PlacementType: placementv1beta1.PickFixedPlacementType,
-					ClusterNames:  allMemberClusterNames,
-				},
-				ResourceSelectors: workResourceSelector(),
-			},
-		}
-		Expect(hubClient.Create(ctx, crp)).To(Succeed(), "Failed to create CRP %s", crpName)
-	})
-
-	AfterAll(func() {
-		ensureCRPEvictionDeleted(crpEvictionName)
-		ensureCRPAndRelatedResourcesDeleted(crpName, allMemberClusters)
-	})
-
-	It("should update cluster resource placement status as expected", func() {
-		crpStatusUpdatedActual := crpStatusUpdatedActual(workResourceIdentifiers(), allMemberClusterNames, nil, "0")
-		Eventually(crpStatusUpdatedActual, eventuallyDuration, eventuallyInterval).Should(Succeed(), "Failed to update cluster resource placement status as expected")
-	})
-
-	It("should place resources on the all available member clusters", checkIfPlacedWorkResourcesOnAllMemberClusters)
-
-	It("create cluster resource placement eviction targeting member cluster 1", func() {
-		crpe := &placementv1beta1.ClusterResourcePlacementEviction{
-			ObjectMeta: metav1.ObjectMeta{
-				Name: crpEvictionName,
-			},
-			Spec: placementv1beta1.PlacementEvictionSpec{
-				PlacementName: crpName,
-				ClusterName:   memberCluster1EastProdName,
-			},
-		}
-		Expect(hubClient.Create(ctx, crpe)).To(Succeed(), "Failed to create CRP eviction %s", crpe.Name)
-	})
-
-	It("should update cluster resource placement eviction status as expected", func() {
-		crpEvictionStatusUpdatedActual := testutilseviction.StatusUpdatedActual(
-			ctx, hubClient, crpEvictionName,
-			&testutilseviction.IsValidEviction{IsValid: false, Msg: condition.EvictionInvalidPickFixedCRPMessage},
-			nil)
-		Eventually(crpEvictionStatusUpdatedActual, eventuallyDuration, eventuallyInterval).Should(Succeed(), "Failed to update cluster resource placement eviction status as expected")
-	})
-
-	It("should ensure cluster resource placement status is unchanged", func() {
-		crpStatusUpdatedActual := crpStatusUpdatedActual(workResourceIdentifiers(), allMemberClusterNames, nil, "0")
-		Eventually(crpStatusUpdatedActual, eventuallyDuration, eventuallyInterval).Should(Succeed(), "Failed to update cluster resource placement status as expected")
-	})
-
-	It("should still place resources on the all available member clusters", checkIfPlacedWorkResourcesOnAllMemberClusters)
-})
-
 var _ = Describe("ClusterResourcePlacement eviction of bound binding, taint cluster before eviction - No PDB specified", Ordered, Serial, func() {
 	crpName := fmt.Sprintf(crpNameTemplate, GinkgoParallelProcess())
 	crpEvictionName := fmt.Sprintf(crpEvictionNameTemplate, GinkgoParallelProcess())

test/e2e/webhook_test.go

@@ -1291,3 +1291,95 @@ var _ = Describe("webhook tests for ResourceOverride UPDATE operations", Ordered
 		}, testutils.PollTimeout, testutils.PollInterval).Should(Succeed())
 	})
 })
+
+var _ = Describe("webhook tests for ClusterResourcePlacementEviction CREATE operations", Ordered, func() {
+	crpName := fmt.Sprintf(crpNameTemplate, GinkgoParallelProcess())
+	crpeName := fmt.Sprintf(crpEvictionNameTemplate, GinkgoParallelProcess())
+
+	AfterEach(func() {
+		By("deleting CRP")
+		cleanupCRP(crpName)
+	})
+
+	It("should deny create on CRPE with missing placement name", func() {
+		// Create the CRPE.
+		crpe := &placementv1beta1.ClusterResourcePlacementEviction{
+			ObjectMeta: metav1.ObjectMeta{
+				Name: crpeName,
+			},
+			Spec: placementv1beta1.PlacementEvictionSpec{
+				PlacementName: crpName,
+			},
+		}
+		By(fmt.Sprintf("expecting denial of CREATE eviction %s", crpeName))
+		err := hubClient.Create(ctx, crpe)
+		var statusErr *k8sErrors.StatusError
+		Expect(errors.As(err, &statusErr)).To(BeTrue(), fmt.Sprintf("Create CRPE call produced error %s. Error type wanted is %s.", reflect.TypeOf(err), reflect.TypeOf(&k8sErrors.StatusError{})))
+		Expect(statusErr.Status().Message).Should(ContainSubstring(fmt.Sprintf("ClusterResourcePlacement.placement.kubernetes-fleet.io \"%s\" not found", crpName)))
+	})
+
+	It("should deny create on CRPE with deleting crp", func() {
+		// Create the CRP with deletion timestamp.
+		crp := &placementv1beta1.ClusterResourcePlacement{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:       crpName,
+				Finalizers: []string{"example.com/finalizer"},
+			},
+			Spec: placementv1beta1.ClusterResourcePlacementSpec{
+				ResourceSelectors: workResourceSelector(),
+				Policy: &placementv1beta1.PlacementPolicy{
+					PlacementType: placementv1beta1.PickAllPlacementType,
+				},
+			},
+		}
+		Expect(hubClient.Create(ctx, crp)).Should(Succeed(), "Failed to create CRP %s", crpName)
+		// Delete the CRP to add deletion timestamp for check
+		Expect(hubClient.Delete(ctx, crp)).Should(Succeed(), "Failed to delete CRP %s", crpName)
+
+		// Create the CRPE.
+		crpe := &placementv1beta1.ClusterResourcePlacementEviction{
+			ObjectMeta: metav1.ObjectMeta{
+				Name: crpeName,
+			},
+			Spec: placementv1beta1.PlacementEvictionSpec{
+				PlacementName: crpName,
+			},
+		}
+		By(fmt.Sprintf("expecting denial of CREATE eviction %s", crpeName))
+		err := hubClient.Create(ctx, crpe)
+		var statusErr *k8sErrors.StatusError
+		Expect(errors.As(err, &statusErr)).To(BeTrue(), fmt.Sprintf("Create CRPE call produced error %s. Error type wanted is %s.", reflect.TypeOf(err), reflect.TypeOf(&k8sErrors.StatusError{})))
+		Expect(statusErr.Status().Message).Should(MatchRegexp(fmt.Sprintf("cluster resource placement %s is being deleted", crpName)))
+	})
+
+	It("should deny create on CRPE with PickFixed crp", func() {
+		crp := &placementv1beta1.ClusterResourcePlacement{
+			ObjectMeta: metav1.ObjectMeta{
+				Name: crpName,
+			},
+			Spec: placementv1beta1.ClusterResourcePlacementSpec{
+				ResourceSelectors: workResourceSelector(),
+				Policy: &placementv1beta1.PlacementPolicy{
+					PlacementType: placementv1beta1.PickFixedPlacementType,
+					ClusterNames:  []string{"cluster1", "cluster2"},
+				},
+			},
+		}
+		Expect(hubClient.Create(ctx, crp)).Should(Succeed(), "Failed to create CRP %s", crpName)
+
+		// Create the CRPE.
+		crpe := &placementv1beta1.ClusterResourcePlacementEviction{
+			ObjectMeta: metav1.ObjectMeta{
+				Name: crpeName,
+			},
+			Spec: placementv1beta1.PlacementEvictionSpec{
+				PlacementName: crpName,
+			},
+		}
+		By(fmt.Sprintf("expecting denial of CREATE eviction %s", crpName))
+		err := hubClient.Create(ctx, crpe)
+		var statusErr *k8sErrors.StatusError
+		Expect(errors.As(err, &statusErr)).To(BeTrue(), fmt.Sprintf("Create CRPE call produced error %s. Error type wanted is %s.", reflect.TypeOf(err), reflect.TypeOf(&k8sErrors.StatusError{})))
+		Expect(statusErr.Status().Message).Should(MatchRegexp("cluster resource placement policy type PickFixed is not supported"))
+	})
+})