From 71463feb3046fc97390eca97e782f3694e64afdb Mon Sep 17 00:00:00 2001 From: Davanum Srinivas Date: Tue, 6 May 2025 09:23:46 -0400 Subject: [PATCH] Adding test case for the webhook behavior change Authored-by: Jordan Liggitt Signed-off-by: Davanum Srinivas Kubernetes-commit: 3be3051fb77be1a1ad250c04a68efe8c6bf61940 --- .../plugin/webhook/testing/testcase.go | 35 +++++++++++++++++++ .../plugin/webhook/testing/webhook_server.go | 10 ++++++ 2 files changed, 45 insertions(+) diff --git a/pkg/admission/plugin/webhook/testing/testcase.go b/pkg/admission/plugin/webhook/testing/testcase.go index fd5cd9674..da597a3f3 100644 --- a/pkg/admission/plugin/webhook/testing/testcase.go +++ b/pkg/admission/plugin/webhook/testing/testcase.go @@ -38,6 +38,7 @@ import ( "k8s.io/client-go/informers" "k8s.io/client-go/kubernetes" fakeclientset "k8s.io/client-go/kubernetes/fake" + "k8s.io/utils/ptr" ) var matchEverythingRules = []registrationv1.RuleWithOperations{{ 
@@ -897,6 +898,40 @@ func NewMutatingTestCases(url *url.URL, configurationName string) []MutatingTest
 "mutation.webhook.admission.k8s.io/round_0_index_0": mutationAnnotationValue(configurationName, "invalidMutation", false),
 },
 },
+ {
+ Name: "match & invalid patch",
+ Webhooks: []registrationv1.MutatingWebhook{{
+ Name: "invalidPatch",
+ ClientConfig: ccfgSVC("invalidPatch"),
+ Rules: matchEverythingRules,
+ NamespaceSelector: &metav1.LabelSelector{},
+ ObjectSelector: &metav1.LabelSelector{},
+ AdmissionReviewVersions: []string{"v1beta1"},
+ }},
+ ExpectStatusCode: http.StatusInternalServerError,
+ ErrorContains: "unexpected end of JSON input",
+ ExpectAnnotations: map[string]string{
+ "mutation.webhook.admission.k8s.io/round_0_index_0": mutationAnnotationValue(configurationName, "invalidPatch", false),
+ },
+ },
+ {
+ Name: "match & invalid patch fail open",
+ Webhooks: []registrationv1.MutatingWebhook{{
+ Name: "invalidPatch",
+ ClientConfig: ccfgSVC("invalidPatch"),
+ Rules: matchEverythingRules,
+ NamespaceSelector: &metav1.LabelSelector{},
+ ObjectSelector: &metav1.LabelSelector{},
+ AdmissionReviewVersions: []string{"v1beta1"},
+ FailurePolicy: ptr.To(registrationv1.Ignore),
+ }},
+ ExpectAllow: true,
+ ExpectStatusCode: http.StatusOK,
+ ExpectAnnotations: map[string]string{
+ "failed-open.mutation.webhook.admission.k8s.io/round_0_index_0": "invalidPatch",
+ "mutation.webhook.admission.k8s.io/round_0_index_0": mutationAnnotationValue(configurationName, "invalidPatch", false),
+ },
+ },
 {
 Name: "match & remove label dry run unsupported",
 Webhooks: []registrationv1.MutatingWebhook{{
diff --git a/pkg/admission/plugin/webhook/testing/webhook_server.go b/pkg/admission/plugin/webhook/testing/webhook_server.go
index ecc5dfeed..88c29d605 100644
--- a/pkg/admission/plugin/webhook/testing/webhook_server.go
+++ b/pkg/admission/plugin/webhook/testing/webhook_server.go
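Review bot: The "match & invalid patch fail open" case pins a security-relevant outcome without a comment saying so: with `FailurePolicy: ptr.To(registrationv1.Ignore)`, a webhook that answers `Allowed: true` with an unparseable patch ends in `ExpectAllow: true` and a 200, and only the `failed-open.mutation.webhook.admission.k8s.io/...` annotation records that the mutation was skipped. A comment above the case would make that explicit for operators who rely on mutating webhooks for security defaults, e.g. `// A malformed patch appears to be treated as a webhook call failure, so FailurePolicy decides: Ignore admits the object without the mutation.` The case also does not visibly assert that the admitted object is left unmodified; the fields of MutatingTest are defined outside this hunk, so whether one exists for that cannot be confirmed here. In the fail-closed case, `ErrorContains: "unexpected end of JSON input"` ties the test to the JSON decoder's wording and would also match a truncated AdmissionReview body, so it does not by itself prove that the patch was the part that failed to parse.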
@@ -137,6 +137,16 @@ func webhookHandler(w http.ResponseWriter, r *http.Request) {
 Patch: []byte(`[{"op": "add", "path": "/metadata/labels/added", "value": "test"}]`),
 },
 })
+ case "/invalidPatch":
+ w.Header().Set("Content-Type", "application/json")
+ pt := v1beta1.PatchTypeJSONPatch
+ json.NewEncoder(w).Encode(&v1beta1.AdmissionReview{
+ Response: &v1beta1.AdmissionResponse{
+ Allowed: true,
+ PatchType: &pt,
+ Patch: []byte(`[{`),
+ },
+ })
 case "/invalidMutation":
 w.Header().Set("Content-Type", "application/json")
 pt := v1beta1.PatchTypeJSONPatch
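Review bot: The new `/invalidPatch` branch has no comment saying that the patch `[{` is deliberately truncated JSON, which is what distinguishes it from the `/invalidMutation` branch that follows; a line such as `// Patch is intentionally malformed JSON so that decoding the patch itself fails.` would make the intent clear. The return value of `json.NewEncoder(w).Encode(...)` is dropped in this branch, so if encoding ever failed the client would receive a short body and the `"unexpected end of JSON input"` expectation in testcase.go could pass for the wrong reason. webhookHandler's switch starts and ends outside this hunk, so whether the sibling branches handle that error is not visible here.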