20021419104

Committed 08 Dec 2025 08:22AM UTC coverage: 76.505% (-0.2%) from 76.718%

Build # 20021419104

Build Type

Pull #3912

github

Committed by

web-flow

Commit Message

Merge 5909fb4a9 into cae67e758

Pull Request Pull Request #3912: CNV-61721: Add ValidatingAdmissionPolicy to validate the HyperConverged namespace

Run Details

115 of 189 new or added lines in 4 files covered. (60.85%)

5 existing lines in 1 file now uncovered.

8183 of 10696 relevant lines covered (76.51%)

1.81 hits per line

Source File
Press 'n' to go to next uncovered line, 'b' for previous

90.0

/controllers/admissionpolicy/resources.go

package admissionpolicy

import (
        "fmt"
        "sync"

        admissionv1 "k8s.io/api/admissionregistration/v1"
        metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
        "k8s.io/utils/ptr"
        "sigs.k8s.io/controller-runtime/pkg/predicate"

        hcov1beta1 "github.com/kubevirt/hyperconverged-cluster-operator/api/v1beta1"
        "github.com/kubevirt/hyperconverged-cluster-operator/pkg/ownresources"
        hcoutil "github.com/kubevirt/hyperconverged-cluster-operator/pkg/util"
)

const (
        policyName        = "hyperconverged-namespace-policy"
        policyBindingName = policyName + "-binding"
)

var (
        requiredPolicy  *admissionv1.ValidatingAdmissionPolicy
        requiredBinding *admissionv1.ValidatingAdmissionPolicyBinding

        policyOnce  = &sync.Once{}
        bindingOnce = &sync.Once{}

        policyPredicate = predicate.NewTypedPredicateFuncs[*admissionv1.ValidatingAdmissionPolicy](func(policy *admissionv1.ValidatingAdmissionPolicy) bool {
                return policy.Name == policyName && policy.DeletionTimestamp == nil
        })

        bindingPredicate = predicate.NewTypedPredicateFuncs[*admissionv1.ValidatingAdmissionPolicyBinding](func(binding *admissionv1.ValidatingAdmissionPolicyBinding) bool {
                return binding.Name == policyBindingName && binding.DeletionTimestamp == nil
        })
)

func getRequiredPolicy() *admissionv1.ValidatingAdmissionPolicy {
        policyOnce.Do(func() {
                namespace := hcoutil.GetOperatorNamespaceFromEnv()
                requiredPolicy = &admissionv1.ValidatingAdmissionPolicy{
                        ObjectMeta: metav1.ObjectMeta{
                                Name:            policyName,
                                Labels:          hcoutil.GetLabels(hcov1beta1.HyperConvergedName, hcoutil.AppComponentDeployment),
                                OwnerReferences: []metav1.OwnerReference{ownresources.GetDeploymentRef()},
                        },
                        Spec: admissionv1.ValidatingAdmissionPolicySpec{
                                FailurePolicy: ptr.To(admissionv1.Fail),
                                MatchConstraints: &admissionv1.MatchResources{
                                        MatchPolicy:       ptr.To(admissionv1.Equivalent),
                                        NamespaceSelector: &metav1.LabelSelector{},
                                        ObjectSelector:    &metav1.LabelSelector{},
                                        ResourceRules: []admissionv1.NamedRuleWithOperations{
                                                {
                                                        RuleWithOperations: admissionv1.RuleWithOperations{
                                                                Rule: admissionv1.Rule{
                                                                        APIGroups:   []string{hcov1beta1.APIVersionGroup},
                                                                        APIVersions: []string{hcov1beta1.APIVersionBeta},
                                                                        Resources:   []string{"hyperconvergeds"},
                                                                        Scope:       ptr.To(admissionv1.NamespacedScope),
                                                                },
                                                                Operations: []admissionv1.OperationType{admissionv1.Create},
                                                        },
                                                },
                                        },
                                },
                                Validations: []admissionv1.Validation{
                                        {
                                                Expression: fmt.Sprintf(`request.namespace == '%s'`, namespace),
                                                Message:    fmt.Sprintf(`HyperConverged CR can only be created in the '%s' namespace.`, namespace),
                                        },
                                },
                        },
                }
        })

        return requiredPolicy.DeepCopy()
}

func getRequiredBinding() *admissionv1.ValidatingAdmissionPolicyBinding {
        bindingOnce.Do(func() {
                requiredBinding = &admissionv1.ValidatingAdmissionPolicyBinding{
                        ObjectMeta: metav1.ObjectMeta{
                                Name:            policyBindingName,
                                Labels:          hcoutil.GetLabels(hcov1beta1.HyperConvergedName, hcoutil.AppComponentDeployment),
                                OwnerReferences: []metav1.OwnerReference{ownresources.GetDeploymentRef()},
                        },
                        Spec: admissionv1.ValidatingAdmissionPolicyBindingSpec{
                                PolicyName:        policyName,
                                ValidationActions: []admissionv1.ValidationAction{admissionv1.Deny},
                        },
                }
        })

        return requiredBinding.DeepCopy()
}

1	package admissionpolicy
2
3	import (
4	"fmt"
5	"sync"
6
7	admissionv1 "k8s.io/api/admissionregistration/v1"
8	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
9	"k8s.io/utils/ptr"
10	"sigs.k8s.io/controller-runtime/pkg/predicate"
11
12	hcov1beta1 "github.com/kubevirt/hyperconverged-cluster-operator/api/v1beta1"
13	"github.com/kubevirt/hyperconverged-cluster-operator/pkg/ownresources"
14	hcoutil "github.com/kubevirt/hyperconverged-cluster-operator/pkg/util"
15	)
16
17	const (
18	policyName = "hyperconverged-namespace-policy"
19	policyBindingName = policyName + "-binding"
20	)
21
22	var (
23	requiredPolicy *admissionv1.ValidatingAdmissionPolicy
24	requiredBinding *admissionv1.ValidatingAdmissionPolicyBinding
25
26	policyOnce = &sync.Once{}
27	bindingOnce = &sync.Once{}
28
NEW 29	policyPredicate = predicate.NewTypedPredicateFuncs[admissionv1.ValidatingAdmissionPolicy](func(policy admissionv1.ValidatingAdmissionPolicy) bool {	×
NEW 30	return policy.Name == policyName && policy.DeletionTimestamp == nil	×
NEW 31	})	×
32
NEW 33	bindingPredicate = predicate.NewTypedPredicateFuncs[admissionv1.ValidatingAdmissionPolicyBinding](func(binding admissionv1.ValidatingAdmissionPolicyBinding) bool {	×
NEW 34	return binding.Name == policyBindingName && binding.DeletionTimestamp == nil	×
NEW 35	})	×
36	)
37
38	func getRequiredPolicy() *admissionv1.ValidatingAdmissionPolicy {	1✔
39	policyOnce.Do(func() {	2✔
40	namespace := hcoutil.GetOperatorNamespaceFromEnv()	1✔
41	requiredPolicy = &admissionv1.ValidatingAdmissionPolicy{	1✔
42	ObjectMeta: metav1.ObjectMeta{	1✔
43	Name: policyName,	1✔
44	Labels: hcoutil.GetLabels(hcov1beta1.HyperConvergedName, hcoutil.AppComponentDeployment),	1✔
45	OwnerReferences: []metav1.OwnerReference{ownresources.GetDeploymentRef()},	1✔
46	},	1✔
47	Spec: admissionv1.ValidatingAdmissionPolicySpec{	1✔
48	FailurePolicy: ptr.To(admissionv1.Fail),	1✔
49	MatchConstraints: &admissionv1.MatchResources{	1✔
50	MatchPolicy: ptr.To(admissionv1.Equivalent),	1✔
51	NamespaceSelector: &metav1.LabelSelector{},	1✔
52	ObjectSelector: &metav1.LabelSelector{},	1✔
53	ResourceRules: []admissionv1.NamedRuleWithOperations{	1✔
54	{	1✔
55	RuleWithOperations: admissionv1.RuleWithOperations{	1✔
56	Rule: admissionv1.Rule{	1✔
57	APIGroups: []string{hcov1beta1.APIVersionGroup},	1✔
58	APIVersions: []string{hcov1beta1.APIVersionBeta},	1✔
59	Resources: []string{"hyperconvergeds"},	1✔
60	Scope: ptr.To(admissionv1.NamespacedScope),	1✔
61	},	1✔
62	Operations: []admissionv1.OperationType{admissionv1.Create},	1✔
63	},	1✔
64	},	1✔
65	},	1✔
66	},	1✔
67	Validations: []admissionv1.Validation{	1✔
68	{	1✔
69	Expression: fmt.Sprintf(`request.namespace == '%s'`, namespace),	1✔
70	Message: fmt.Sprintf(`HyperConverged CR can only be created in the '%s' namespace.`, namespace),	1✔
71	},	1✔
72	},	1✔
73	},	1✔
74	}	1✔
75	})	1✔
76
77	return requiredPolicy.DeepCopy()	1✔
78	}
79
80	func getRequiredBinding() *admissionv1.ValidatingAdmissionPolicyBinding {	1✔
81	bindingOnce.Do(func() {	2✔
82	requiredBinding = &admissionv1.ValidatingAdmissionPolicyBinding{	1✔
83	ObjectMeta: metav1.ObjectMeta{	1✔
84	Name: policyBindingName,	1✔
85	Labels: hcoutil.GetLabels(hcov1beta1.HyperConvergedName, hcoutil.AppComponentDeployment),	1✔
86	OwnerReferences: []metav1.OwnerReference{ownresources.GetDeploymentRef()},	1✔
87	},	1✔
88	Spec: admissionv1.ValidatingAdmissionPolicyBindingSpec{	1✔
89	PolicyName: policyName,	1✔
90	ValidationActions: []admissionv1.ValidationAction{admissionv1.Deny},	1✔
91	},	1✔
92	}	1✔
93	})	1✔
94
95	return requiredBinding.DeepCopy()	1✔
96	}

kubevirt / hyperconverged-cluster-operator / 20021419104

Source File Press 'n' to go to next uncovered line, 'b' for previous

Source File
Press 'n' to go to next uncovered line, 'b' for previous