add webhook for serviceaccount deletion

Author: bmeng

build/selectorsyncset.yaml

@@ -505,6 +505,36 @@ objects:
           scope: Cluster
         sideEffects: None
         timeoutSeconds: 2
+    - apiVersion: admissionregistration.k8s.io/v1
+      kind: ValidatingWebhookConfiguration
+      metadata:
+        annotations:
+          service.beta.openshift.io/inject-cabundle: "true"
+        creationTimestamp: null
+        name: sre-serviceaccount-validation
+      webhooks:
+      - admissionReviewVersions:
+        - v1
+        clientConfig:
+          service:
+            name: validation-webhook
+            namespace: openshift-validation-webhook
+            path: /serviceaccount-validation
+        failurePolicy: Ignore
+        matchPolicy: Equivalent
+        name: serviceaccount-validation.managed.openshift.io
+        rules:
+        - apiGroups:
+          - ""
+          apiVersions:
+          - v1
+          operations:
+          - DELETE
+          resources:
+          - serviceaccounts
+          scope: Namespaced
+        sideEffects: None
+        timeoutSeconds: 2
     - apiVersion: admissionregistration.k8s.io/v1
       kind: ValidatingWebhookConfiguration
       metadata:

config/package/resources.yaml.gotmpl

@@ -377,6 +377,36 @@ webhooks:
 ---
 apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
+metadata:
+  annotations:
+    package-operator.run/phase: webhooks
+    service.beta.openshift.io/inject-cabundle: "false"
+  creationTimestamp: null
+  name: sre-serviceaccount-validation
+webhooks:
+- admissionReviewVersions:
+  - v1
+  clientConfig:
+    caBundle: '{{.config.serviceca | b64enc }}'
+    url: https://validation-webhook.{{.package.metadata.namespace}}.svc.cluster.local/serviceaccount-validation
+  failurePolicy: Ignore
+  matchPolicy: Equivalent
+  name: serviceaccount-validation.managed.openshift.io
+  rules:
+  - apiGroups:
+    - ""
+    apiVersions:
+    - v1
+    operations:
+    - DELETE
+    resources:
+    - serviceaccounts
+    scope: Namespaced
+  sideEffects: None
+  timeoutSeconds: 2
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
 metadata:
   annotations:
     package-operator.run/phase: webhooks

docs/webhooks-short.json

@@ -29,7 +29,7 @@
   },
   {
     "webhookName": "regular-user-validation",
-    "documentString": "Managed OpenShift customers may not manage any objects in the following APIgroups [machine.openshift.io admissionregistration.k8s.io addons.managed.openshift.io ocmagent.managed.openshift.io upgrade.managed.openshift.io machineconfiguration.openshift.io network.openshift.io managed.openshift.io splunkforwarder.managed.openshift.io autoscaling.openshift.io config.openshift.io operator.openshift.io cloudcredential.openshift.io cloudingress.managed.openshift.io], nor may Managed OpenShift customers alter the APIServer, KubeAPIServer, OpenShiftAPIServer, ClusterVersion, Proxy or SubjectPermission objects."
+    "documentString": "Managed OpenShift customers may not manage any objects in the following APIgroups [cloudcredential.openshift.io machine.openshift.io admissionregistration.k8s.io operator.openshift.io splunkforwarder.managed.openshift.io upgrade.managed.openshift.io machineconfiguration.openshift.io managed.openshift.io ocmagent.managed.openshift.io network.openshift.io config.openshift.io addons.managed.openshift.io cloudingress.managed.openshift.io autoscaling.openshift.io], nor may Managed OpenShift customers alter the APIServer, KubeAPIServer, OpenShiftAPIServer, ClusterVersion, Proxy or SubjectPermission objects."
   },
   {
     "webhookName": "regular-user-validation-osd",
@@ -39,6 +39,10 @@
     "webhookName": "scc-validation",
     "documentString": "Managed OpenShift Customers may not modify the following default SCCs: [anyuid hostaccess hostmount-anyuid hostnetwork hostnetwork-v2 node-exporter nonroot nonroot-v2 privileged restricted restricted-v2]"
   },
+  {
+    "webhookName": "serviceaccount-validation",
+    "documentString": "Managed OpenShift Customers may not delete the service accounts under the managed namespaces。"
+  },
   {
     "webhookName": "techpreviewnoupgrade-validation",
     "documentString": "Managed OpenShift Customers may not use TechPreviewNoUpgrade FeatureGate that could prevent any future ability to do a y-stream upgrade to their clusters."

docs/webhooks.json

@@ -318,7 +318,7 @@
         "scope": "*"
       }
     ],
-    "documentString": "Managed OpenShift customers may not manage any objects in the following APIgroups [addons.managed.openshift.io cloudingress.managed.openshift.io upgrade.managed.openshift.io autoscaling.openshift.io config.openshift.io operator.openshift.io machine.openshift.io managed.openshift.io ocmagent.managed.openshift.io machineconfiguration.openshift.io network.openshift.io cloudcredential.openshift.io admissionregistration.k8s.io splunkforwarder.managed.openshift.io], nor may Managed OpenShift customers alter the APIServer, KubeAPIServer, OpenShiftAPIServer, ClusterVersion, Proxy or SubjectPermission objects."
+    "documentString": "Managed OpenShift customers may not manage any objects in the following APIgroups [addons.managed.openshift.io ocmagent.managed.openshift.io operator.openshift.io network.openshift.io admissionregistration.k8s.io cloudingress.managed.openshift.io splunkforwarder.managed.openshift.io upgrade.managed.openshift.io config.openshift.io cloudcredential.openshift.io machine.openshift.io managed.openshift.io autoscaling.openshift.io machineconfiguration.openshift.io], nor may Managed OpenShift customers alter the APIServer, KubeAPIServer, OpenShiftAPIServer, ClusterVersion, Proxy or SubjectPermission objects."
   },
   {
     "webhookName": "regular-user-validation-osd",
@@ -364,6 +364,27 @@
     ],
     "documentString": "Managed OpenShift Customers may not modify the following default SCCs: [anyuid hostaccess hostmount-anyuid hostnetwork hostnetwork-v2 node-exporter nonroot nonroot-v2 privileged restricted restricted-v2]"
   },
+  {
+    "webhookName": "serviceaccount-validation",
+    "rules": [
+      {
+        "operations": [
+          "DELETE"
+        ],
+        "apiGroups": [
+          ""
+        ],
+        "apiVersions": [
+          "v1"
+        ],
+        "resources": [
+          "serviceaccounts"
+        ],
+        "scope": "Namespaced"
+      }
+    ],
+    "documentString": "Managed OpenShift Customers may not delete the service accounts under the managed namespaces。"
+  },
   {
     "webhookName": "techpreviewnoupgrade-validation",
     "rules": [

pkg/testutils/testutils.go

@@ -6,14 +6,15 @@ import (
 	"net/http"
 	"net/http/httptest"
 
-	responsehelper "github.com/openshift/managed-cluster-validating-webhooks/pkg/helpers"
-	"github.com/openshift/managed-cluster-validating-webhooks/pkg/webhooks/utils"
 	admissionv1 "k8s.io/api/admission/v1"
 	authenticationv1 "k8s.io/api/authentication/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/types"
 	admissionctl "sigs.k8s.io/controller-runtime/pkg/webhook/admission"
+
+	responsehelper "github.com/openshift/managed-cluster-validating-webhooks/pkg/helpers"
+	"github.com/openshift/managed-cluster-validating-webhooks/pkg/webhooks/utils"
 )
 
 // Webhook interface
@@ -54,7 +55,7 @@ func CanCanNot(b bool) string {
 func CreateFakeRequestJSON(uid string,
 	gvk metav1.GroupVersionKind, gvr metav1.GroupVersionResource,
 	operation admissionv1.Operation,
-	username string, userGroups []string,
+	username string, userGroups []string, namespace string,
 	obj, oldObject *runtime.RawExtension) ([]byte, error) {
 
 	req := admissionv1.AdmissionReview{
@@ -64,6 +65,7 @@ func CreateFakeRequestJSON(uid string,
 			RequestKind: &gvk,
 			Resource:    gvr,
 			Operation:   operation,
+			Namespace:   namespace,
 			UserInfo: authenticationv1.UserInfo{
 				Username: username,
 				Groups:   userGroups,
@@ -96,9 +98,9 @@ func CreateFakeRequestJSON(uid string,
 func CreateHTTPRequest(uri, uid string,
 	gvk metav1.GroupVersionKind, gvr metav1.GroupVersionResource,
 	operation admissionv1.Operation,
-	username string, userGroups []string,
+	username string, userGroups []string, namespace string,
 	obj, oldObject *runtime.RawExtension) (*http.Request, error) {
-	req, err := CreateFakeRequestJSON(uid, gvk, gvr, operation, username, userGroups, obj, oldObject)
+	req, err := CreateFakeRequestJSON(uid, gvk, gvr, operation, username, userGroups, namespace, obj, oldObject)
 	if err != nil {
 		return nil, err
 	}

pkg/webhooks/add_serviceaccount.go

@@ -0,0 +1,9 @@
+package webhooks
+
+import (
+	"github.com/openshift/managed-cluster-validating-webhooks/pkg/webhooks/serviceaccount"
+)
+
+func init() {
+	Register(serviceaccount.WebhookName, func() Webhook { return serviceaccount.NewWebhook() })
+}

pkg/webhooks/clusterlogging/clusterlogging_test.go

@@ -4,11 +4,12 @@ import (
 	"fmt"
 	"testing"
 
-	"github.com/openshift/managed-cluster-validating-webhooks/pkg/testutils"
-	"github.com/openshift/managed-cluster-validating-webhooks/pkg/webhooks/clusterlogging"
 	admissionv1 "k8s.io/api/admission/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
+
+	"github.com/openshift/managed-cluster-validating-webhooks/pkg/testutils"
+	"github.com/openshift/managed-cluster-validating-webhooks/pkg/webhooks/clusterlogging"
 )
 
 type clusterloggingTestSuite struct {
@@ -128,7 +129,7 @@ func runTests(t *testing.T, tests []clusterloggingTestSuite) {
 		hook := clusterlogging.NewWebhook()
 		httprequest, err := testutils.CreateHTTPRequest(hook.GetURI(),
 			test.testID,
-			metav1.GroupVersionKind{}, metav1.GroupVersionResource{}, test.operation, test.username, test.userGroups, obj, test.oldObject)
+			metav1.GroupVersionKind{}, metav1.GroupVersionResource{}, test.operation, test.username, test.userGroups, "", obj, test.oldObject)
 		if err != nil {
 			t.Fatalf("Expected no error, got %s", err.Error())
 		}

pkg/webhooks/clusterrolebinding/clusterrolebinding_test.go

@@ -5,11 +5,12 @@ import (
 	"fmt"
 	"testing"
 
-	"github.com/openshift/managed-cluster-validating-webhooks/pkg/testutils"
 	admissionv1 "k8s.io/api/admission/v1"
 	rbacv1 "k8s.io/api/rbac/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
+	"github.com/openshift/managed-cluster-validating-webhooks/pkg/testutils"
+
 	"k8s.io/apimachinery/pkg/runtime"
 )
 
@@ -74,7 +75,7 @@ func runClusterRoleBindingTests(t *testing.T, tests []ClusterRoleBindingTestSuit
 
 		hook := NewWebhook()
 		httprequest, err := testutils.CreateHTTPRequest(hook.GetURI(),
-			test.testID, gvk, gvr, test.operation, test.username, test.userGroups, &obj, &oldObj)
+			test.testID, gvk, gvr, test.operation, test.username, test.userGroups, "", &obj, &oldObj)
 		if err != nil {
 			t.Fatalf("Expected no error, got %s", err.Error())
 		}

pkg/webhooks/hiveownership/hiveownership_test.go

@@ -67,7 +67,7 @@ func runTests(t *testing.T, tests []hiveOwnershipTestSuites) {
 		hook := NewWebhook()
 		httprequest, err := testutils.CreateHTTPRequest(hook.GetURI(),
 			test.testID,
-			gvk, gvr, test.operation, test.username, test.userGroups, obj, test.oldObject)
+			gvk, gvr, test.operation, test.username, test.userGroups, "", obj, test.oldObject)
 		if err != nil {
 			t.Fatalf("Expected no error, got %s", err.Error())
 		}

pkg/webhooks/imagecontentpolicies/imagecontentpolicies_test.go

@@ -7,11 +7,12 @@ import (
 
 	configv1 "github.com/openshift/api/config/v1"
 	operatorv1alpha1 "github.com/openshift/api/operator/v1alpha1"
-	"github.com/openshift/managed-cluster-validating-webhooks/pkg/testutils"
 	admissionv1 "k8s.io/api/admission/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
+
+	"github.com/openshift/managed-cluster-validating-webhooks/pkg/testutils"
 )
 
 func Test_authorizeImageDigestMirrorSet(t *testing.T) {
@@ -476,7 +477,7 @@ func TestImageContentPolicy(t *testing.T) {
 	for _, test := range tests {
 		t.Run(test.name, func(t *testing.T) {
 			hook := NewWebhook()
-			req, err := testutils.CreateHTTPRequest(hook.GetURI(), test.name, test.gvk, test.gvr, test.op, "", []string{}, test.obj, test.oldObj)
+			req, err := testutils.CreateHTTPRequest(hook.GetURI(), test.name, test.gvk, test.gvr, test.op, "", []string{}, "", test.obj, test.oldObj)
 			if err != nil {
 				t.Errorf("failed to create test HTTP request: %v", err)
 			}