Merge pull request openshift#233 from Tafhim/OSD-16469-whitelist-all-sa-for-ic-webhook

OSD-16469 - Add all Service Accounts on the IC webhook whitelist

Author: openshift-merge-robot

pkg/webhooks/ingresscontroller/ingresscontroller.go

@@ -19,7 +19,7 @@ import (
 const (
 	WebhookName   string = "ingresscontroller-validation"
 	docString     string = `Managed OpenShift Customer may create IngressControllers without necessary taints. This can cause those workloads to be provisioned on infra or master nodes.`
-	allowedGroups string = `^system:serviceaccounts:(kube.*|openshift.*|default|redhat.*|osde2e-[a-z0-9]{5})`
+	allowedGroups string = `^system:serviceaccounts:*`
 )
 
 var (

pkg/webhooks/ingresscontroller/ingresscontroller_test.go

@@ -321,6 +321,44 @@ func TestIngressControllerExceptions(t *testing.T) {
 			},
 			shouldBeAllowed: true,
 		},
+		{
+			testID:     "exception-test-create-hive",
+			name:       "shiny-newingress",
+			namespace:  "openshift-ingress-operator",
+			username:   "anywho",
+			userGroups: []string{"system:serviceaccounts:hive"},
+			operation:  admissionv1.Create,
+			nodeSelector: corev1.NodeSelector{
+				NodeSelectorTerms: []corev1.NodeSelectorTerm{},
+			},
+			tolerations: []corev1.Toleration{
+				{
+					Key:      "node-role.kubernetes.io/infra",
+					Operator: "Exists",
+					Effect:   "NoSchedule",
+				},
+			},
+			shouldBeAllowed: true,
+		},
+		{
+			testID:     "exception-test-update-hive",
+			name:       "shiny-newingress",
+			namespace:  "openshift-ingress-operator",
+			username:   "anywho",
+			userGroups: []string{"system:serviceaccounts:hive"},
+			operation:  admissionv1.Update,
+			nodeSelector: corev1.NodeSelector{
+				NodeSelectorTerms: []corev1.NodeSelectorTerm{},
+			},
+			tolerations: []corev1.Toleration{
+				{
+					Key:      "node-role.kubernetes.io/infra",
+					Operator: "Exists",
+					Effect:   "NoSchedule",
+				},
+			},
+			shouldBeAllowed: true,
+		},
 	}
 	runIngressControllerTests(t, tests)
 }