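// Source listing: k8s.io/kubernetes@v1.29.3/pkg/registry/admissionregistration/validatingadmissionpolicybinding/strategy_test.go

/*
Copyright 2022 The Kubernetes Authors.

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

package validatingadmissionpolicybinding

import (
	"testing"

	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
	genericapirequest "k8s.io/apiserver/pkg/endpoints/request"

	"k8s.io/kubernetes/pkg/apis/admissionregistration"
)

// TestPolicyBindingStrategy checks the REST strategy for
// ValidatingAdmissionPolicyBinding: the resource is cluster scoped, an update
// may not create the object, every fixture from validPolicyBindings passes
// create validation, and replacing a fixture with a binding that has an empty
// name and an empty spec is rejected by update validation.
//
// NOTE(review): NewStrategy is called with three nil arguments, so whatever
// those collaborators do is not exercised here. If they include the authorizer
// used for paramRef permission checks, this test covers structural validation
// only; confirm against NewStrategy and keep a separate test for that path.
func TestPolicyBindingStrategy(t *testing.T) {
	strategy := NewStrategy(nil, nil, nil)
	ctx := genericapirequest.NewDefaultContext()

	if strategy.NamespaceScoped() {
		t.Error("PolicyBinding strategy must be cluster scoped")
	}
	if strategy.AllowCreateOnUpdate() {
		t.Errorf("PolicyBinding should not allow create on update")
	}

	for _, configuration := range validPolicyBindings() {
		// One subtest per fixture, so a failure names the binding that caused
		// it. The subtests run sequentially; the closure is called before the
		// loop variable advances.
		t.Run(configuration.Name, func(t *testing.T) {
			strategy.PrepareForCreate(ctx, configuration)
			if errs := strategy.Validate(ctx, configuration); len(errs) != 0 {
				t.Errorf("Unexpected error validating %v", errs)
			}

			// The replacement object carries no name and no spec. The check is
			// coarse: any validation error satisfies it, so it does not pin
			// which field was rejected.
			invalidConfiguration := &admissionregistration.ValidatingAdmissionPolicyBinding{
				ObjectMeta: metav1.ObjectMeta{Name: ""},
			}
			strategy.PrepareForUpdate(ctx, invalidConfiguration, configuration)
			if errs := strategy.ValidateUpdate(ctx, invalidConfiguration, configuration); len(errs) == 0 {
				t.Errorf("Expected a validation error")
			}
		})
	}
}

// validPolicyBindings returns the bindings the strategy test expects to pass
// create validation. The four entries differ only in how ParamRef locates the
// parameter object: by Name or by label Selector, each with and without a
// Namespace.
//
// Every entry sets ParameterNotFoundAction to DenyAction and ValidationActions
// to Deny; no other values of those fields are exercised by these fixtures.
//
// NOTE(review): the "-clusterwide" suffix appears on the two entries that set
// ParamRef.Namespace. The names are only labels here; confirm they say what
// was intended.
func validPolicyBindings() []*admissionregistration.ValidatingAdmissionPolicyBinding {
	denyAction := admissionregistration.DenyAction
	return []*admissionregistration.ValidatingAdmissionPolicyBinding{
		// ParamRef by name, no namespace.
		{
			ObjectMeta: metav1.ObjectMeta{
				Name: "foo",
			},
			Spec: admissionregistration.ValidatingAdmissionPolicyBindingSpec{
				PolicyName: "replicalimit-policy.example.com",
				ParamRef: &admissionregistration.ParamRef{
					Name:                    "replica-limit-test.example.com",
					ParameterNotFoundAction: &denyAction,
				},
				ValidationActions: []admissionregistration.ValidationAction{admissionregistration.Deny},
			},
		},
		// ParamRef by name, namespace "default".
		{
			ObjectMeta: metav1.ObjectMeta{
				Name: "foo-clusterwide",
			},
			Spec: admissionregistration.ValidatingAdmissionPolicyBindingSpec{
				PolicyName: "replicalimit-policy.example.com",
				ParamRef: &admissionregistration.ParamRef{
					Name:                    "replica-limit-test.example.com",
					Namespace:               "default",
					ParameterNotFoundAction: &denyAction,
				},
				ValidationActions: []admissionregistration.ValidationAction{admissionregistration.Deny},
			},
		},
		// ParamRef by label selector, no namespace.
		{
			ObjectMeta: metav1.ObjectMeta{
				Name: "foo-selector",
			},
			Spec: admissionregistration.ValidatingAdmissionPolicyBindingSpec{
				PolicyName: "replicalimit-policy.example.com",
				ParamRef: &admissionregistration.ParamRef{
					Selector: &metav1.LabelSelector{
						MatchLabels: map[string]string{
							"label": "value",
						},
					},
					ParameterNotFoundAction: &denyAction,
				},
				ValidationActions: []admissionregistration.ValidationAction{admissionregistration.Deny},
			},
		},
		// ParamRef by label selector, namespace "mynamespace".
		{
			ObjectMeta: metav1.ObjectMeta{
				Name: "foo-selector-clusterwide",
			},
			Spec: admissionregistration.ValidatingAdmissionPolicyBindingSpec{
				PolicyName: "replicalimit-policy.example.com",
				ParamRef: &admissionregistration.ParamRef{
					Namespace: "mynamespace",
					Selector: &metav1.LabelSelector{
						MatchLabels: map[string]string{
							"label": "value",
						},
					},
					ParameterNotFoundAction: &denyAction,
				},
				ValidationActions: []admissionregistration.ValidationAction{admissionregistration.Deny},
			},
		},
	}
}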