Add admission policy to deny changing an AWS LB type on an existing service

JoelSpeed · JoelSpeed · commit a21723cb736d · 2024-09-03T10:21:47.000+01:00
diff --git a/pkg/cloud/aws/assets/validating-admission-policy-binding.yaml b/pkg/cloud/aws/assets/validating-admission-policy-binding.yaml
@@ -0,0 +1,7 @@
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicyBinding
+metadata:
+  name: openshift-cloud-controller-manager-cloud-provider-aws
+spec:
+  policyName: openshift-cloud-controller-manager-cloud-provider-aws
+  validationActions: ["Deny"]
diff --git a/pkg/cloud/aws/assets/validating-admission-policy.yaml b/pkg/cloud/aws/assets/validating-admission-policy.yaml
@@ -0,0 +1,20 @@
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicy
+metadata:
+  name: openshift-cloud-controller-manager-cloud-provider-aws
+spec:
+  failurePolicy: Fail
+  matchConstraints:
+    resourceRules:
+    - apiGroups:   [""]
+      apiVersions: ["v1"]
+      operations:  ["UPDATE"]
+      resources:   ["services"]
+  validations:
+    - expression: |
+        (has(object.metadata.annotations) && 'service.beta.kubernetes.io/aws-load-balancer-type' in object.metadata.annotations) ==
+          (has(oldObject.metadata.annotations) && 'service.beta.kubernetes.io/aws-load-balancer-type' in oldObject.metadata.annotations) &&
+          (has(object.metadata.annotations) && 'service.beta.kubernetes.io/aws-load-balancer-type' in object.metadata.annotations ?
+          object.metadata.annotations['service.beta.kubernetes.io/aws-load-balancer-type'] == oldObject.metadata.annotations['service.beta.kubernetes.io/aws-load-balancer-type'] : true)
+      message: "The annotation 'service.beta.kubernetes.io/aws-load-balancer-type' may not be added, removed, or have its value changed. Changing the type of an existing load balancer is not supported."
+      reason: Invalid
diff --git a/pkg/cloud/aws/aws.go b/pkg/cloud/aws/aws.go
@@ -5,6 +5,7 @@ import (
 	"fmt"
 
 	"github.com/asaskevich/govalidator"
+	admissionregistrationv1 "k8s.io/api/admissionregistration/v1"
 	appsv1 "k8s.io/api/apps/v1"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 
@@ -20,6 +21,8 @@ var (
 
 	templates = []common.TemplateSource{
 		{ReferenceObject: &appsv1.Deployment{}, EmbedFsPath: "assets/deployment.yaml"},
+		{ReferenceObject: &admissionregistrationv1.ValidatingAdmissionPolicy{}, EmbedFsPath: "assets/validating-admission-policy.yaml"},
+		{ReferenceObject: &admissionregistrationv1.ValidatingAdmissionPolicyBinding{}, EmbedFsPath: "assets/validating-admission-policy-binding.yaml"},
 	}
 )
 
diff --git a/pkg/cloud/aws/aws_test.go b/pkg/cloud/aws/aws_test.go
@@ -43,7 +43,7 @@ func TestResourcesRenderingSmoke(t *testing.T) {
 			}
 
 			resources := assets.GetRenderedResources()
-			assert.Len(t, resources, 1)
+			assert.Len(t, resources, 3)
 		})
 	}
 }
diff --git a/pkg/cloud/cloud_test.go b/pkg/cloud/cloud_test.go
@@ -99,17 +99,23 @@ func TestGetResources(t *testing.T) {
 	}{{
 		name:                  "AWS resources returned as expected",
 		testPlatform:          platformsMap[string(configv1.AWSPlatformType)],
-		expectedResourceCount: 2,
+		expectedResourceCount: 4,
 		expectedResourcesKindName: []string{
 			"Deployment/aws-cloud-controller-manager",
+			"ValidatingAdmissionPolicy/openshift-cloud-controller-manager-cloud-provider-aws",
+			"ValidatingAdmissionPolicyBinding/openshift-cloud-controller-manager-cloud-provider-aws",
 			"PodDisruptionBudget/aws-cloud-controller-manager",
 		},
 	}, {
-		name:                      "AWS resources returned as expected with single node cluster",
-		testPlatform:              platformsMap[string(configv1.AWSPlatformType)],
-		expectedResourceCount:     1,
-		singleReplica:             true,
-		expectedResourcesKindName: []string{"Deployment/aws-cloud-controller-manager"},
+		name:                  "AWS resources returned as expected with single node cluster",
+		testPlatform:          platformsMap[string(configv1.AWSPlatformType)],
+		expectedResourceCount: 3,
+		singleReplica:         true,
+		expectedResourcesKindName: []string{
+			"Deployment/aws-cloud-controller-manager",
+			"ValidatingAdmissionPolicy/openshift-cloud-controller-manager-cloud-provider-aws",
+			"ValidatingAdmissionPolicyBinding/openshift-cloud-controller-manager-cloud-provider-aws",
+		},
 	}, {
 		name:                  "OpenStack resources returned as expected",
 		testPlatform:          platformsMap[string(configv1.OpenStackPlatformType)],

Original file line number	Diff line number	Diff line change
`@@ -5,6 +5,7 @@ import (`
`5`	`5`	`"fmt"`
`6`	`6`
`7`	`7`	`"github.com/asaskevich/govalidator"`
	`8`	`+ admissionregistrationv1 "k8s.io/api/admissionregistration/v1"`
`8`	`9`	`appsv1 "k8s.io/api/apps/v1"`
`9`	`10`	`"sigs.k8s.io/controller-runtime/pkg/client"`
`10`	`11`
`@@ -20,6 +21,8 @@ var (`
`20`	`21`
`21`	`22`	`templates = []common.TemplateSource{`
`22`	`23`	`{ReferenceObject: &appsv1.Deployment{}, EmbedFsPath: "assets/deployment.yaml"},`
	`24`	`+ {ReferenceObject: &admissionregistrationv1.ValidatingAdmissionPolicy{}, EmbedFsPath: "assets/validating-admission-policy.yaml"},`
	`25`	`+ {ReferenceObject: &admissionregistrationv1.ValidatingAdmissionPolicyBinding{}, EmbedFsPath: "assets/validating-admission-policy-binding.yaml"},`
`23`	`26`	`}`
`24`	`27`	`)`
`25`	`28`
Original file line number	Diff line number	Diff line change
`@@ -43,7 +43,7 @@ func TestResourcesRenderingSmoke(t *testing.T) {`
`43`	`43`	`}`
`44`	`44`
`45`	`45`	`resources := assets.GetRenderedResources()`
`46`		`- assert.Len(t, resources, 1)`
	`46`	`+ assert.Len(t, resources, 3)`
`47`	`47`	`})`
`48`	`48`	`}`
`49`	`49`	`}`