Merge pull request #126 from rahulii/feature-block-changes

k8s-ci-robot · web-flow · commit 73b2d3dfac1f · 2022-01-26T14:00:50.000-08:00
Protect all labels and annotations on propagated objects
diff --git a/internal/objects/validator.go b/internal/objects/validator.go
@@ -281,6 +281,12 @@ func (v *Validator) handleInherited(ctx context.Context, op k8sadm.Operation, ne
 				"Cannot modify object propagated from namespace \""+oldSource+"\"")
 		}
 
+		// Check for all the labels and annotations (including HNC and non HNC)
+		if !reflect.DeepEqual(oldInst.GetLabels(), inst.GetLabels()) || !reflect.DeepEqual(oldInst.GetAnnotations(), inst.GetAnnotations()) {
+			return webhooks.Deny(metav1.StatusReasonForbidden,
+				"Cannot modify object propagated from namespace \""+oldSource+"\"")
+		}
+
 		return webhooks.Allow("no illegal updates to propagated object")
 	}
 
diff --git a/internal/objects/validator_test.go b/internal/objects/validator_test.go
@@ -210,6 +210,60 @@ func TestUserChanges(t *testing.T) {
 				},
 			},
 		},
+	}, {
+		name: "Deny changes to HNC annotations in propagated objects",
+		fail: true,
+		oldInst: &unstructured.Unstructured{
+			Object: map[string]interface{}{
+				"apiVersion": "v1",
+				"kind":       "Pod",
+				"metadata": map[string]interface{}{
+					"labels": map[string]interface{}{
+						api.LabelInheritedFrom: "foo",
+					},
+				},
+			},
+		},
+		inst: &unstructured.Unstructured{
+			Object: map[string]interface{}{
+				"apiVersion": "v1",
+				"kind":       "Pod",
+				"metadata": map[string]interface{}{
+					"labels": map[string]interface{}{
+						api.LabelInheritedFrom: "foo",
+					},
+					"annotations": map[string]interface{}{
+						api.AnnotationPropagatePrefix + "/select": "abc",
+					},
+				},
+			},
+		},
+	}, {
+		name: "Deny changes to HNC labels in propagated objects",
+		fail: true,
+		oldInst: &unstructured.Unstructured{
+			Object: map[string]interface{}{
+				"apiVersion": "v1",
+				"kind":       "Pod",
+				"metadata": map[string]interface{}{
+					"labels": map[string]interface{}{
+						api.LabelInheritedFrom: "foo",
+					},
+				},
+			},
+		},
+		inst: &unstructured.Unstructured{
+			Object: map[string]interface{}{
+				"apiVersion": "v1",
+				"kind":       "Pod",
+				"metadata": map[string]interface{}{
+					"labels": map[string]interface{}{
+						api.LabelInheritedFrom: "foo",
+						api.MetaGroup + "/foo": "foo",
+					},
+				},
+			},
+		},
 	}, {
 		name: "Deny spec changes to propagated objects",
 		fail: true,

Original file line number	Diff line number	Diff line change
`@@ -281,6 +281,12 @@ func (v *Validator) handleInherited(ctx context.Context, op k8sadm.Operation, ne`
`281`	`281`	`"Cannot modify object propagated from namespace \""+oldSource+"\"")`
`282`	`282`	`}`
`283`	`283`
	`284`	`+ // Check for all the labels and annotations (including HNC and non HNC)`
	`285`	`+ if !reflect.DeepEqual(oldInst.GetLabels(), inst.GetLabels()) \|\| !reflect.DeepEqual(oldInst.GetAnnotations(), inst.GetAnnotations()) {`
	`286`	`+ return webhooks.Deny(metav1.StatusReasonForbidden,`
	`287`	`+ "Cannot modify object propagated from namespace \""+oldSource+"\"")`
	`288`	`+ }`
	`289`	`+`
`284`	`290`	`return webhooks.Allow("no illegal updates to propagated object")`
`285`	`291`	`}`
`286`	`292`