Allow webhook implementations to optionally disallow unknown fields. (#338)

Related: https://github.com/knative/serving/issues/3309
2019-03-25 17:52:49 -07:00 · 2019-03-25 17:52:49 -07:00 · 04154dda9a
parent fe25685384
commit 04154dda9a
2 changed files with 36 additions and 2 deletions
--- a/webhook/webhook.go
+++ b/webhook/webhook.go
@ -120,6 +120,8 @@ type AdmissionController struct {
 	Options  ControllerOptions
 	Handlers map[schema.GroupVersionKind]GenericCRD
 	Logger   *zap.SugaredLogger
+
+	DisallowUnknownFields bool
 }

 // GenericCRD is the interface definition that allows us to perform the generic
@ -527,6 +529,9 @@ func (ac *AdmissionController) mutate(ctx context.Context, req *admissionv1beta1
 	if len(newBytes) != 0 {
 		newObj = handler.DeepCopyObject().(GenericCRD)
 		newDecoder := json.NewDecoder(bytes.NewBuffer(newBytes))
+		if ac.DisallowUnknownFields {
+			newDecoder.DisallowUnknownFields()
+		}
 		if err := newDecoder.Decode(&newObj); err != nil {
 			return nil, fmt.Errorf("cannot decode incoming new object: %v", err)
 		}
@ -534,6 +539,9 @@ func (ac *AdmissionController) mutate(ctx context.Context, req *admissionv1beta1
 	if len(oldBytes) != 0 {
 		oldObj = handler.DeepCopyObject().(GenericCRD)
 		oldDecoder := json.NewDecoder(bytes.NewBuffer(oldBytes))
+		if ac.DisallowUnknownFields {
+			oldDecoder.DisallowUnknownFields()
+		}
 		if err := oldDecoder.Decode(&oldObj); err != nil {
 			return nil, fmt.Errorf("cannot decode incoming old object: %v", err)
 		}
--- a/webhook/webhook_test.go
+++ b/webhook/webhook_test.go
@ -135,6 +135,31 @@ func TestUnknownVersionFails(t *testing.T) {
 	expectFailsWith(t, ac.admit(TestContextWithLogger(t), req), "unhandled kind")
 }

+func TestUnknownFieldFails(t *testing.T) {
+	_, ac := newNonRunningTestAdmissionController(t, newDefaultOptions())
+	req := &admissionv1beta1.AdmissionRequest{
+		Operation: admissionv1beta1.Create,
+		Kind: metav1.GroupVersionKind{
+			Group:   "pkg.knative.dev",
+			Version: "v1alpha1",
+			Kind:    "Resource",
+		},
+	}
+
+	marshaled, err := json.Marshal(map[string]interface{}{
+		"spec": map[string]interface{}{
+			"foo": "bar",
+		},
+	})
+	if err != nil {
+		panic("failed to marshal resource")
+	}
+	req.Object.Raw = marshaled
+
+	expectFailsWith(t, ac.admit(TestContextWithLogger(t), req),
+		`mutation failed: cannot decode incoming new object: json: unknown field "foo"`)
+}
+
 func TestValidCreateResourceSucceeds(t *testing.T) {
 	r := createResource("a name")
 	for _, v := range []string{"v1alpha1", "v1beta1"} {
@ -701,6 +726,7 @@ func NewAdmissionController(client kubernetes.Interface, options ControllerOptio
 	return &AdmissionController{
 		Client:                client,
 		Options:               options,
+		DisallowUnknownFields: true,
 		// Use different versions and domains, for coverage.
 		Handlers: map[schema.GroupVersionKind]GenericCRD{
 			{