kubevirt / hyperconverged-cluster-operator / 20108931282
76%

DEFAULT BRANCH: main
Ran
Jobs 1
Files 112
Run time 1min
Badge
Embed ▾
README BADGES
x

If you need to use a raster PNG badge, change the '.svg' to '.png' in the link

Markdown

Textile

RDoc

HTML

Rst
coverage: 76.573% (-0.2%) from 76.787%
20108931282

push

github

web-flow 
CNV-61721: Add ValidatingAdmissionPolicy to validate the HyperConverged namespace (#3912)

* Add the new admission policy controller

The current implementation of preventing the creation of the
HyperConverged CR in non-allowed namespace, is not working in Openshift,
where becasue of a race condition, the webhook's namespace selector is
removed by OLM.

This commit adds a new controller, to create and reconcile a
ValidatingAdmissionPolicy and the related
ValidatingAdmissionPolicyBinding, to perform the same validation.

The reason we're doing it in a new controller, is because we need the
ValidatingAdmissionPolicy to be set, even if the HyperConverged CR is
not deployed, while our main controller only reconciles resources if
the HyperConverged CR is deployed.

Signed-off-by: Nahshon Unna Tsameret <nahsh.ut@gmail.com>

* Register the admission policy controller on boot

Signed-off-by: Nahshon Unna Tsameret <nahsh.ut@gmail.com>

* Remove the current validation

Remove the existing validation of the HyperConverged CR namespace from
the validation webhook, as it is now done by the policy, created by the
admission policy controller.

Signed-off-by: Nahshon Unna Tsameret <nahsh.ut@gmail.com>

* Don't remove the namespace selector from the validation wh

OLM adds a namespace selection on the validation webhook CR, causing the
namespace validation to be not relevant.

The webhook setup logic removes this selector, but actually this is
reconciled by OLM, and eventually, user can still create the
HyperConverged CR in any namespace.

The issue is now handled by a ValidationgAdmissionPolicy, and so we
don't need this logic anymore, and so this commit removes it.

Signed-off-by: Nahshon Unna Tsameret <nahsh.ut@gmail.com>

---------

Signed-off-by: Nahshon Unna Tsameret <nahsh.ut@gmail.com>

115 of 189 new or added lines in 4 files covered. (60.85%)

5 existing lines in 1 file now uncovered.

8201 of 10710 relevant lines covered (76.57%)

1.81 hits per line

New Missed Lines in Diff

Lines Coverage File
5
3.0
 -0.01% pkg/components/components.go
6
90.0
 controllers/admissionpolicy/resources.go
63
48.78
 controllers/admissionpolicy/admission_policy_controller.go

Uncovered Existing Lines

Lines Coverage File
5
90.63
 -1.23% pkg/webhooks/validator/validator.go
Jobs
ID Job ID Ran Files Coverage
1 Unit - 20108931282.1 112
76.57
 GitHub Action Run
Source Files on build 20108931282