Handle MutatingAdmissionPolicyBinding

Author: naoki9911

README.md

@@ -114,6 +114,7 @@ vapTestSuites:
     expect: <allow|deny|skip|error>
 mapTestSuites:
 - policy: <name> # MutatingAdmissionPolicy's name
+  binding: <name> # Optional: MutatingAdmissionPolicyBinding's name
   tests:
   - object:
       group: <group> # Optional

internal/tester/loader.go

@@ -37,18 +37,20 @@ import (
 )
 
 type ResourceLoader struct {
-	Vaps      map[string]*v1.ValidatingAdmissionPolicy
-	Maps      map[string]*v1alpha1.MutatingAdmissionPolicy
-	Resources map[NameWithGVK]*unstructured.Unstructured
-	validator validator.Validator
+	Vaps        map[string]*v1.ValidatingAdmissionPolicy
+	Maps        map[string]*v1alpha1.MutatingAdmissionPolicy
+	MapBindings map[string]*v1alpha1.MutatingAdmissionPolicyBinding
+	Resources   map[NameWithGVK]*unstructured.Unstructured
+	validator   validator.Validator
 }
 
 func NewResourceLoader(validator validator.Validator) *ResourceLoader {
 	return &ResourceLoader{
-		Vaps:      map[string]*v1.ValidatingAdmissionPolicy{},
-		Maps:      map[string]*v1alpha1.MutatingAdmissionPolicy{},
-		Resources: map[NameWithGVK]*unstructured.Unstructured{},
-		validator: validator,
+		Vaps:        map[string]*v1.ValidatingAdmissionPolicy{},
+		Maps:        map[string]*v1alpha1.MutatingAdmissionPolicy{},
+		MapBindings: map[string]*v1alpha1.MutatingAdmissionPolicyBinding{},
+		Resources:   map[NameWithGVK]*unstructured.Unstructured{},
+		validator:   validator,
 	}
 }
 
@@ -111,6 +113,13 @@ func (r *ResourceLoader) LoadPolicies(paths []string) {
 				// Ensure nil labelSelectors to be matching everything
 				defaultingMAPPolicy(m)
 				r.Maps[m.Name] = m
+			case "MutatingAdmissionPolicyBinding":
+				if gvk.Version != "v1alpha1" {
+					slog.Warn("only v1alpha1 MutatingAdmissionPolicyBinding is supported", "version", gvk.Version)
+					continue
+				}
+				mb := obj.(*v1alpha1.MutatingAdmissionPolicyBinding)
+				r.MapBindings[mb.Name] = mb
 			default:
 				slog.Warn("unexpected manifest", "kind", gvk.Kind)
 			}

internal/tester/manifest.go

@@ -109,8 +109,9 @@ func (tc VAPTestCase) SummaryLine(pass bool, policy string, result string) strin
 }
 
 type TestsForSingleMapPolicy struct {
-	Policy string        `yaml:"policy"`
-	Tests  []MAPTestCase `yaml:"tests"`
+	Policy  string        `yaml:"policy"`
+	Binding string        `yaml:"binding,omitempty"`
+	Tests   []MAPTestCase `yaml:"tests"`
 }
 
 type MAPTestCase struct {

internal/tester/result.go

@@ -154,6 +154,26 @@ func (r *policyNotFoundResult) String(verbose bool) string {
 	return fmt.Sprintf("FAIL: %s ==> POLICY NOT FOUND", r.Policy)
 }
 
+type bindingNotFoundResult struct {
+	Binding string
+}
+
+var _ testResult = &bindingNotFoundResult{}
+
+func newBindingNotFoundResult(binding string) *bindingNotFoundResult {
+	return &bindingNotFoundResult{
+		Binding: binding,
+	}
+}
+
+func (r *bindingNotFoundResult) Pass() bool {
+	return false
+}
+
+func (r *bindingNotFoundResult) String(verbose bool) string {
+	return fmt.Sprintf("FAIL: %s ==> BINDING NOT FOUND", r.Binding)
+}
+
 type setupErrorResult struct {
 	Policy   string
 	TestCase TestCase

internal/tester/testdata/map-with-params.test/kaptest.yaml

@@ -10,6 +10,7 @@ mapTestSuites:
       name: small
       namespace: foo
     param:
+      namespace: hoge
       name: config1
     expect: mutate
     expectObject:
@@ -21,5 +22,21 @@ mapTestSuites:
       name: ok
       namespace: foo
     param:
+      namespace: hoge
       name: config1
     expect: skip
+- policy: deployment-replicas
+  binding: deployment-replicas-binding
+  tests:
+  - object:
+      kind: Deployment
+      name: small
+      namespace: foo
+    param:
+      namespace: foo
+      name: config1
+    expect: mutate
+    expectObject:
+      kind: Deployment
+      name: ok-large
+      namespace: foo

internal/tester/testdata/map-with-params.test/resources.yaml

@@ -21,6 +21,27 @@ spec:
 ---
 apiVersion: apps/v1
 kind: Deployment
+metadata:
+  name: ok-large
+  namespace: foo
+  labels:
+    app: ok-deployment
+spec:
+  replicas: 10
+  selector:
+    matchLabels:
+      app: ok-deployment
+  template:
+    metadata:
+      labels:
+        app: ok-deployment
+    spec:
+      containers:
+      - name: nginx
+        image: nginx
+---
+apiVersion: apps/v1
+kind: Deployment
 metadata:
   name: small
   namespace: foo
@@ -47,3 +68,11 @@ metadata:
   namespace: hoge
 data:
   maxReplicas: "5"
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: config1
+  namespace: foo
+data:
+  maxReplicas: "10"

internal/tester/testdata/map-with-params.yaml

@@ -32,3 +32,13 @@ spec:
             replicas: variables.maxReplicas
           }
         }
+---
+apiVersion: admissionregistration.k8s.io/v1alpha1
+kind: MutatingAdmissionPolicyBinding
+metadata:
+  name: deployment-replicas-binding
+spec:
+  policyName: deployment-replicas
+  paramRef:
+    name: config1
+    namespace: foo

internal/tester/tester.go

@@ -200,7 +200,18 @@ func runEach(cfg TesterCmdConfig, manifestPath string) testResultSummary {
 			continue
 		}
 
-		mutator, err := kaptest.NewMutator(policy)
+		var mutator *kaptest.Mutator
+		var err error
+		if tt.Binding != "" {
+			binding, ok := loader.MapBindings[tt.Binding]
+			if !ok {
+				results = append(results, newBindingNotFoundResult(tt.Binding))
+				continue
+			}
+			mutator, err = kaptest.NewMutatorWithBinding(policy, binding)
+		} else {
+			mutator, err = kaptest.NewMutator(policy)
+		}
 		if err != nil {
 			panic(err)
 		}

mutation.go

@@ -54,6 +54,7 @@ type MutatorInterface interface {
 
 type Mutator struct {
 	policy    *v1alpha1.MutatingAdmissionPolicy
+	binding   *v1alpha1.MutatingAdmissionPolicyBinding
 	evaluator mutating.PolicyEvaluator
 }
 
@@ -107,6 +108,15 @@ func NewMutator(policy *v1alpha1.MutatingAdmissionPolicy) (*Mutator, error) {
 	}, nil
 }
 
+func NewMutatorWithBinding(policy *v1alpha1.MutatingAdmissionPolicy, binding *v1alpha1.MutatingAdmissionPolicyBinding) (*Mutator, error) {
+	m, err := NewMutator(policy)
+	if err != nil {
+		return nil, err
+	}
+	m.binding = binding
+	return m, nil
+}
+
 type mutatorContext struct {
 	tcm             patch.TypeConverterManager
 	auth            authorizer.Authorizer
@@ -280,21 +290,25 @@ func (m *Mutator) dispatchImpl(p MutationParams, dispatcherFactory func(mCtx *mu
 		return nil, fmt.Errorf("failed to initialize mutatorContext: %w", err)
 	}
 
-	binding := &v1alpha1.MutatingAdmissionPolicyBinding{
-		Spec: v1alpha1.MutatingAdmissionPolicyBindingSpec{
-			ParamRef: &v1alpha1.ParamRef{},
-			MatchResources: &v1alpha1.MatchResources{
-				MatchPolicy:       ptr.To(v1alpha1.Equivalent),
-				ObjectSelector:    &metav1.LabelSelector{},
-				NamespaceSelector: &metav1.LabelSelector{},
+	bindingGenerated := false
+	if m.binding == nil {
+		m.binding = &v1alpha1.MutatingAdmissionPolicyBinding{
+			Spec: v1alpha1.MutatingAdmissionPolicyBindingSpec{
+				ParamRef: &v1alpha1.ParamRef{},
+				MatchResources: &v1alpha1.MatchResources{
+					MatchPolicy:       ptr.To(v1alpha1.Equivalent),
+					ObjectSelector:    &metav1.LabelSelector{},
+					NamespaceSelector: &metav1.LabelSelector{},
+				},
 			},
-		},
+		}
+		bindingGenerated = true
 	}
 
 	hook := mutating.PolicyHook{
 		Policy:    m.policy,
 		Evaluator: m.evaluator,
-		Bindings:  []*mutating.PolicyBinding{binding},
+		Bindings:  []*mutating.PolicyBinding{m.binding},
 	}
 
 	if m.policy.Spec.ParamKind != nil {
@@ -322,8 +336,10 @@ func (m *Mutator) dispatchImpl(p MutationParams, dispatcherFactory func(mCtx *mu
 		if err != nil {
 			return nil, fmt.Errorf("failed to access paramObj: %w", err)
 		}
-		binding.Spec.ParamRef.Name = metaAcc.GetName()
-		binding.Spec.ParamRef.Namespace = metaAcc.GetNamespace()
+		if bindingGenerated {
+			m.binding.Spec.ParamRef.Name = metaAcc.GetName()
+			m.binding.Spec.ParamRef.Namespace = metaAcc.GetNamespace()
+		}
 	}
 
 	// Start informers