Skip to content

Commit 2fcbf6b

Browse files
author
Per Goncalves da Silva
committed
Add webhook rule checker
Signed-off-by: Per Goncalves da Silva <[email protected]>
1 parent 27b05e7 commit 2fcbf6b

File tree

2 files changed

+408
-0
lines changed

2 files changed

+408
-0
lines changed

internal/operator-controller/rukpak/render/registryv1/validators/validator.go

Lines changed: 47 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -264,3 +264,50 @@ func CheckWebhookNameIsDNS1123SubDomain(rv1 *bundle.RegistryV1) []error {
264264
}
265265
return errs
266266
}
267+
268+
// unsupportedWebhookRuleAPIGroups contain the API groups that are unsupported for webhook configuration rules in OLMv1
269+
var unsupportedWebhookRuleAPIGroups = []string{
270+
"olm.operatorframework.io",
271+
"*",
272+
}
273+
274+
// unsupportedAdmissionRegistrationResources contain the resources that are unsupported for webhook configuration rules
275+
// for the admissionregistration.k8s.io api group
276+
var unsupportedAdmissionRegistrationResources = []string{
277+
"*",
278+
"mutatingwebhookconfiguration",
279+
"mutatingwebhookconfigurations",
280+
"validatingwebhookconfiguration",
281+
"validatingwebhookconfigurations",
282+
}
283+
284+
// CheckWebhookRules ensures webhook rules do not reference unsupported API groups or resources in line with OLMv0 behavior
285+
// See https://github.com/operator-framework/operator-lifecycle-manager/blob/ccf0c4c91f1e7673e87f3a18947f9a1f88d48438/pkg/controller/install/webhook.go#L19
286+
// for more details
287+
func CheckWebhookRules(rv1 *bundle.RegistryV1) []error {
288+
var errs []error
289+
for _, wh := range rv1.CSV.Spec.WebhookDefinitions {
290+
// Rules are not used for conversion webhooks
291+
if wh.Type == v1alpha1.ConversionWebhook {
292+
continue
293+
}
294+
webhookName := wh.GenerateName
295+
for _, rule := range wh.Rules {
296+
for _, apiGroup := range rule.APIGroups {
297+
if slices.Contains(unsupportedWebhookRuleAPIGroups, apiGroup) {
298+
errs = append(errs, fmt.Errorf("webhook %q contains unsupported rule: unsupported API group %q", webhookName, apiGroup))
299+
}
300+
if apiGroup == "admissionregistration.k8s.io" {
301+
for _, resource := range rule.Resources {
302+
if slices.Contains(unsupportedAdmissionRegistrationResources, strings.ToLower(resource)) {
303+
errs = append(errs, fmt.Errorf("webhook %q contains unsupported rule: unsupported resource %q for API group %q", webhookName, resource, apiGroup))
304+
}
305+
}
306+
}
307+
}
308+
}
309+
}
310+
return slices.SortedFunc(slices.Values(errs), func(err1 error, err2 error) int {
311+
return cmp.Compare(err1.Error(), err2.Error())
312+
})
313+
}

0 commit comments

Comments
 (0)