Revert "OSD-16469 - Add all Service Accounts on the IC webhook whitelist"

Tafhim · Tafhim · commit 364e6533f8a4 · 2023-07-07T18:16:55.000+10:00
This reverts commit 2ba2b11.
diff --git a/pkg/webhooks/ingresscontroller/ingresscontroller.go b/pkg/webhooks/ingresscontroller/ingresscontroller.go
@@ -19,7 +19,7 @@ import (
 const (
 	WebhookName   string = "ingresscontroller-validation"
 	docString     string = `Managed OpenShift Customer may create IngressControllers without necessary taints. This can cause those workloads to be provisioned on infra or master nodes.`
-	allowedGroups string = `^system:serviceaccounts:*`
+	allowedGroups string = `^system:serviceaccounts:(kube.*|openshift.*|default|redhat.*|osde2e-[a-z0-9]{5})`
 )
 
 var (
diff --git a/pkg/webhooks/ingresscontroller/ingresscontroller_test.go b/pkg/webhooks/ingresscontroller/ingresscontroller_test.go
@@ -321,44 +321,6 @@ func TestIngressControllerExceptions(t *testing.T) {
 			},
 			shouldBeAllowed: true,
 		},
-		{
-			testID:     "exception-test-create-hive",
-			name:       "shiny-newingress",
-			namespace:  "openshift-ingress-operator",
-			username:   "anywho",
-			userGroups: []string{"system:serviceaccounts:hive"},
-			operation:  admissionv1.Create,
-			nodeSelector: corev1.NodeSelector{
-				NodeSelectorTerms: []corev1.NodeSelectorTerm{},
-			},
-			tolerations: []corev1.Toleration{
-				{
-					Key:      "node-role.kubernetes.io/infra",
-					Operator: "Exists",
-					Effect:   "NoSchedule",
-				},
-			},
-			shouldBeAllowed: true,
-		},
-		{
-			testID:     "exception-test-update-hive",
-			name:       "shiny-newingress",
-			namespace:  "openshift-ingress-operator",
-			username:   "anywho",
-			userGroups: []string{"system:serviceaccounts:hive"},
-			operation:  admissionv1.Update,
-			nodeSelector: corev1.NodeSelector{
-				NodeSelectorTerms: []corev1.NodeSelectorTerm{},
-			},
-			tolerations: []corev1.Toleration{
-				{
-					Key:      "node-role.kubernetes.io/infra",
-					Operator: "Exists",
-					Effect:   "NoSchedule",
-				},
-			},
-			shouldBeAllowed: true,
-		},
 	}
 	runIngressControllerTests(t, tests)
 }

Original file line number	Diff line number	Diff line change
`@@ -19,7 +19,7 @@ import (`
`19`	`19`	`const (`
`20`	`20`	`WebhookName string = "ingresscontroller-validation"`
`21`	`21`	docString string = `Managed OpenShift Customer may create IngressControllers without necessary taints. This can cause those workloads to be provisioned on infra or master nodes.`
`22`		- allowedGroups string = `^system:serviceaccounts:*`
	`22`	+ allowedGroups string = `^system:serviceaccounts:(kube.\|openshift.\|default\|redhat.*\|osde2e-[a-z0-9]{5})`
`23`	`23`	`)`
`24`	`24`
`25`	`25`	`var (`