Home Explore Help
Sign In
tzeneto
/
custom-kube-scheduler
Watch 1
Star 0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Tree: 7e8b047bed
Branches Tags
custom-kube-...
/
kubernetes
/
test
/
integration
/
apiserver
/
admissionwebhook
/
broken_webhook_test.go

broken_webhook_test.go 6.0 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185 
  1. /*
    2. 

  2. Copyright 2018 The Kubernetes Authors.
    3. 

  3. 

  4. Licensed under the Apache License, Version 2.0 (the "License");
    5. 

  5. you may not use this file except in compliance with the License.
    6. 

  6. You may obtain a copy of the License at
    7. 

  7. 

  8.     http://www.apache.org/licenses/LICENSE-2.0
    9. 

  9. 

  10. Unless required by applicable law or agreed to in writing, software
    11. 

  11. distributed under the License is distributed on an "AS IS" BASIS,
    12. 

  12. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    13. 

  13. See the License for the specific language governing permissions and
    14. 

  14. limitations under the License.
    15. 

  15. */
    16. 

  16. 

  17. package admissionwebhook
    18. 

  18. 

  19. import (
    20. 

  20. 	"context"
    21. 

  21. 	"fmt"
    22. 

  22. 	"testing"
    23. 

  23. 	"time"
    24. 

  24. 

  25. 	admissionregistrationv1beta1 "k8s.io/api/admissionregistration/v1beta1"
    26. 

  26. 	appsv1 "k8s.io/api/apps/v1"
    27. 

  27. 	corev1 "k8s.io/api/core/v1"
    28. 

  28. 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
    29. 

  29. 	"k8s.io/client-go/kubernetes"
    30. 

  30. 	kubeapiservertesting "k8s.io/kubernetes/cmd/kube-apiserver/app/testing"
    31. 

  31. 	"k8s.io/kubernetes/test/integration/framework"
    32. 

  32. )
    33. 

  33. 

  34. var (
    35. 

  35. 	brokenWebhookName    = "integration-broken-webhook-test-webhook-config"
    36. 

  36. 	deploymentNamePrefix = "integration-broken-webhook-test-deployment"
    37. 

  37. )
    38. 

  38. 

  39. func TestBrokenWebhook(t *testing.T) {
    40. 

  40. 	var tearDownFn kubeapiservertesting.TearDownFunc
    41. 

  41. 	defer func() {
    42. 

  42. 		if tearDownFn != nil {
    43. 

  43. 			tearDownFn()
    44. 

  44. 		}
    45. 

  45. 	}()
    46. 

  46. 

  47. 	etcdConfig := framework.SharedEtcd()
    48. 

  48. 	server := kubeapiservertesting.StartTestServerOrDie(t, nil, nil, etcdConfig)
    49. 

  49. 	tearDownFn = server.TearDownFn
    50. 

  50. 

  51. 	client, err := kubernetes.NewForConfig(server.ClientConfig)
    52. 

  52. 	if err != nil {
    53. 

  53. 		t.Fatalf("unexpected error: %v", err)
    54. 

  54. 	}
    55. 

  55. 

  56. 	t.Logf("Creating Deployment to ensure apiserver is functional")
    57. 

  57. 	_, err = client.AppsV1().Deployments("default").Create(context.TODO(), exampleDeployment(generateDeploymentName(0)), metav1.CreateOptions{})
    58. 

  58. 	if err != nil {
    59. 

  59. 		t.Fatalf("Failed to create deployment: %v", err)
    60. 

  60. 	}
    61. 

  61. 

  62. 	t.Logf("Creating Broken Webhook that will block all operations on all objects")
    63. 

  63. 	_, err = client.AdmissionregistrationV1beta1().ValidatingWebhookConfigurations().Create(context.TODO(), brokenWebhookConfig(brokenWebhookName), metav1.CreateOptions{})
    64. 

  64. 	if err != nil {
    65. 

  65. 		t.Fatalf("Failed to register broken webhook: %v", err)
    66. 

  66. 	}
    67. 

  67. 

  68. 	// There is no guarantee on how long it takes the apiserver to honor the configuration and there is
    69. 

  69. 	// no API to determine if the configuration is being honored, so we will just wait 10s, which is long enough
    70. 

  70. 	// in most cases.
    71. 

  71. 	time.Sleep(10 * time.Second)
    72. 

  72. 

  73. 	// test whether the webhook blocks requests
    74. 

  74. 	t.Logf("Attempt to create Deployment which should fail due to the webhook")
    75. 

  75. 	_, err = client.AppsV1().Deployments("default").Create(context.TODO(), exampleDeployment(generateDeploymentName(1)), metav1.CreateOptions{})
    76. 

  76. 	if err == nil {
    77. 

  77. 		t.Fatalf("Expected the broken webhook to cause creating a deployment to fail, but it succeeded.")
    78. 

  78. 	}
    79. 

  79. 

  80. 	t.Logf("Restarting apiserver")
    81. 

  81. 	tearDownFn = nil
    82. 

  82. 	server.TearDownFn()
    83. 

  83. 	server = kubeapiservertesting.StartTestServerOrDie(t, nil, nil, etcdConfig)
    84. 

  84. 	tearDownFn = server.TearDownFn
    85. 

  85. 

  86. 	client, err = kubernetes.NewForConfig(server.ClientConfig)
    87. 

  87. 	if err != nil {
    88. 

  88. 		t.Fatalf("unexpected error: %v", err)
    89. 

  89. 	}
    90. 

  90. 

  91. 	// test whether the webhook still blocks requests after restarting
    92. 

  92. 	t.Logf("Attempt again to create Deployment which should fail due to the webhook")
    93. 

  93. 	_, err = client.AppsV1().Deployments("default").Create(context.TODO(), exampleDeployment(generateDeploymentName(2)), metav1.CreateOptions{})
    94. 

  94. 	if err == nil {
    95. 

  95. 		t.Fatalf("Expected the broken webhook to cause creating a deployment to fail, but it succeeded.")
    96. 

  96. 	}
    97. 

  97. 

  98. 	t.Logf("Deleting the broken webhook to fix the cluster")
    99. 

  99. 	err = client.AdmissionregistrationV1beta1().ValidatingWebhookConfigurations().Delete(context.TODO(), brokenWebhookName, nil)
    100. 

  100. 	if err != nil {
    101. 

  101. 		t.Fatalf("Failed to delete broken webhook: %v", err)
    102. 

  102. 	}
    103. 

  103. 

  104. 	// The webhook deletion is honored in 10s.
    105. 

  105. 	time.Sleep(10 * time.Second)
    106. 

  106. 

  107. 	// test if the deleted webhook no longer blocks requests
    108. 

  108. 	t.Logf("Creating Deployment to ensure webhook is deleted")
    109. 

  109. 	_, err = client.AppsV1().Deployments("default").Create(context.TODO(), exampleDeployment(generateDeploymentName(3)), metav1.CreateOptions{})
    110. 

  110. 	if err != nil {
    111. 

  111. 		t.Fatalf("Failed to create deployment: %v", err)
    112. 

  112. 	}
    113. 

  113. }
    114. 

  114. 

  115. func generateDeploymentName(suffix int) string {
    116. 

  116. 	return fmt.Sprintf("%v-%v", deploymentNamePrefix, suffix)
    117. 

  117. }
    118. 

  118. 

  119. func exampleDeployment(name string) *appsv1.Deployment {
    120. 

  120. 	var replicas int32 = 1
    121. 

  121. 	return &appsv1.Deployment{
    122. 

  122. 		TypeMeta: metav1.TypeMeta{
    123. 

  123. 			Kind:       "Deployment",
    124. 

  124. 			APIVersion: "apps/v1",
    125. 

  125. 		},
    126. 

  126. 		ObjectMeta: metav1.ObjectMeta{
    127. 

  127. 			Namespace: "default",
    128. 

  128. 			Name:      name,
    129. 

  129. 		},
    130. 

  130. 		Spec: appsv1.DeploymentSpec{
    131. 

  131. 			Replicas: &replicas,
    132. 

  132. 			Selector: &metav1.LabelSelector{
    133. 

  133. 				MatchLabels: map[string]string{"foo": "bar"},
    134. 

  134. 			},
    135. 

  135. 			Template: corev1.PodTemplateSpec{
    136. 

  136. 				ObjectMeta: metav1.ObjectMeta{
    137. 

  137. 					Labels: map[string]string{"foo": "bar"},
    138. 

  138. 				},
    139. 

  139. 				Spec: corev1.PodSpec{
    140. 

  140. 					Containers: []corev1.Container{
    141. 

  141. 						{
    142. 

  142. 							Name:  "foo",
    143. 

  143. 							Image: "foo",
    144. 

  144. 						},
    145. 

  145. 					},
    146. 

  146. 				},
    147. 

  147. 			},
    148. 

  148. 		},
    149. 

  149. 	}
    150. 

  150. }
    151. 

  151. 

  152. func brokenWebhookConfig(name string) *admissionregistrationv1beta1.ValidatingWebhookConfiguration {
    153. 

  153. 	var path string
    154. 

  154. 	failurePolicy := admissionregistrationv1beta1.Fail
    155. 

  155. 	return &admissionregistrationv1beta1.ValidatingWebhookConfiguration{
    156. 

  156. 		ObjectMeta: metav1.ObjectMeta{
    157. 

  157. 			Name: name,
    158. 

  158. 		},
    159. 

  159. 		Webhooks: []admissionregistrationv1beta1.ValidatingWebhook{
    160. 

  160. 			{
    161. 

  161. 				Name: "broken-webhook.k8s.io",
    162. 

  162. 				Rules: []admissionregistrationv1beta1.RuleWithOperations{{
    163. 

  163. 					Operations: []admissionregistrationv1beta1.OperationType{admissionregistrationv1beta1.OperationAll},
    164. 

  164. 					Rule: admissionregistrationv1beta1.Rule{
    165. 

  165. 						APIGroups:   []string{"*"},
    166. 

  166. 						APIVersions: []string{"*"},
    167. 

  167. 						Resources:   []string{"*/*"},
    168. 

  168. 					},
    169. 

  169. 				}},
    170. 

  170. 				// This client config references a non existent service
    171. 

  171. 				// so it should always fail.
    172. 

  172. 				ClientConfig: admissionregistrationv1beta1.WebhookClientConfig{
    173. 

  173. 					Service: &admissionregistrationv1beta1.ServiceReference{
    174. 

  174. 						Namespace: "default",
    175. 

  175. 						Name:      "invalid-webhook-service",
    176. 

  176. 						Path:      &path,
    177. 

  177. 					},
    178. 

  178. 					CABundle: nil,
    179. 

  179. 				},
    180. 

  180. 				FailurePolicy: &failurePolicy,
    181. 

  181. 			},
    182. 

  182. 		},
    183. 

  183. 	}
    184. 

  184. }
    185. 

  185.