Respect allow/deny lists even when namespaces aren't enabled
Fixes #296
adilyse committed Jul 20, 2020
1 parent 9bbf6df commit 7dc0d15
Showing 2 changed files with 173 additions and 21 deletions.
16 changes: 7 additions & 9 deletions connect-inject/handler.go
Expand Up @@ -382,16 +382,14 @@ func (h *Handler) shouldInject(pod *corev1.Pod, namespace string) (bool, error)
}

// Namespace logic
if h.EnableNamespaces {
// If in deny list, don't inject
if h.DenyK8sNamespacesSet.Contains(namespace) {
return false, nil
}
// If in deny list, don't inject
if h.DenyK8sNamespacesSet.Contains(namespace) {
return false, nil
}

// If not in allow list or allow list is not *, don't inject
if !h.AllowK8sNamespacesSet.Contains("*") && !h.AllowK8sNamespacesSet.Contains(namespace) {
return false, nil
}
// If not in allow list or allow list is not *, don't inject
if !h.AllowK8sNamespacesSet.Contains("*") && !h.AllowK8sNamespacesSet.Contains(namespace) {
return false, nil
}

// If we already injected then don't inject again
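Review bot: With the `EnableNamespaces` guard removed, both `Contains` calls now run on every admission request, so a `Handler` whose `AllowK8sNamespacesSet` or `DenyK8sNamespacesSet` is left nil will panic inside `shouldInject` (the test file had to add both sets to every bare `Handler{Log: ...}` literal for exactly this reason, assuming the fields are the `mapset.Set` interface as those literals suggest). A panic in the webhook is worse than a deny: the request errors out and the webhook's failurePolicy, not this code, then decides whether the pod is admitted without injection. Consider making the nil case a deliberate deny, `if h.DenyK8sNamespacesSet != nil && h.DenyK8sNamespacesSet.Contains(namespace) {` and `if h.AllowK8sNamespacesSet == nil || (!h.AllowK8sNamespacesSet.Contains("*") && !h.AllowK8sNamespacesSet.Contains(namespace)) {`, and documenting on the two fields that the lists apply regardless of `EnableNamespaces` and that an empty allow list rejects every namespace. The comment above the allow check reads as "or" while the condition is "and"; `// If the allow list contains neither * nor this namespace, don't inject` matches the code. shouldInject begins before and ends after this hunk.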
178 changes: 166 additions & 12 deletions connect-inject/handler_test.go
Expand Up @@ -34,7 +34,11 @@ func TestHandlerHandle(t *testing.T) {
}{
{
"kube-system namespace",
Handler{Log: hclog.Default().Named("handler")},
Handler{
Log: hclog.Default().Named("handler"),
AllowK8sNamespacesSet: mapset.NewSetWith("*"),
DenyK8sNamespacesSet: mapset.NewSet(),
},
v1beta1.AdmissionRequest{
Namespace: metav1.NamespaceSystem,
Object: encodeRaw(t, &corev1.Pod{
Expand All @@ -47,7 +51,11 @@ func TestHandlerHandle(t *testing.T) {

{
"already injected",
Handler{Log: hclog.Default().Named("handler")},
Handler{
Log: hclog.Default().Named("handler"),
AllowK8sNamespacesSet: mapset.NewSetWith("*"),
DenyK8sNamespacesSet: mapset.NewSet(),
},
v1beta1.AdmissionRequest{
Object: encodeRaw(t, &corev1.Pod{
ObjectMeta: metav1.ObjectMeta{
Expand All @@ -65,7 +73,11 @@ func TestHandlerHandle(t *testing.T) {

{
"empty pod basic",
Handler{Log: hclog.Default().Named("handler")},
Handler{
Log: hclog.Default().Named("handler"),
AllowK8sNamespacesSet: mapset.NewSetWith("*"),
DenyK8sNamespacesSet: mapset.NewSet(),
},
v1beta1.AdmissionRequest{
Object: encodeRaw(t, &corev1.Pod{
Spec: basicSpec,
Expand Down Expand Up @@ -102,7 +114,11 @@ func TestHandlerHandle(t *testing.T) {

{
"pod with upstreams specified",
Handler{Log: hclog.Default().Named("handler")},
Handler{
Log: hclog.Default().Named("handler"),
AllowK8sNamespacesSet: mapset.NewSetWith("*"),
DenyK8sNamespacesSet: mapset.NewSet(),
},
v1beta1.AdmissionRequest{
Object: encodeRaw(t, &corev1.Pod{
ObjectMeta: metav1.ObjectMeta{
Expand Down Expand Up @@ -161,7 +177,11 @@ func TestHandlerHandle(t *testing.T) {

{
"empty pod with injection disabled",
Handler{Log: hclog.Default().Named("handler")},
Handler{
Log: hclog.Default().Named("handler"),
AllowK8sNamespacesSet: mapset.NewSetWith("*"),
DenyK8sNamespacesSet: mapset.NewSet(),
},
v1beta1.AdmissionRequest{
Object: encodeRaw(t, &corev1.Pod{
ObjectMeta: metav1.ObjectMeta{
Expand All @@ -179,7 +199,11 @@ func TestHandlerHandle(t *testing.T) {

{
"empty pod with injection truthy",
Handler{Log: hclog.Default().Named("handler")},
Handler{
Log: hclog.Default().Named("handler"),
AllowK8sNamespacesSet: mapset.NewSetWith("*"),
DenyK8sNamespacesSet: mapset.NewSet(),
},
v1beta1.AdmissionRequest{
Object: encodeRaw(t, &corev1.Pod{
ObjectMeta: metav1.ObjectMeta{
Expand Down Expand Up @@ -222,7 +246,13 @@ func TestHandlerHandle(t *testing.T) {

{
"empty pod basic, no default protocol",
Handler{WriteServiceDefaults: true, DefaultProtocol: "", Log: hclog.Default().Named("handler")},
Handler{
WriteServiceDefaults: true,
DefaultProtocol: "",
Log: hclog.Default().Named("handler"),
AllowK8sNamespacesSet: mapset.NewSetWith("*"),
DenyK8sNamespacesSet: mapset.NewSet(),
},
v1beta1.AdmissionRequest{
Object: encodeRaw(t, &corev1.Pod{
Spec: basicSpec,
Expand Down Expand Up @@ -260,7 +290,12 @@ func TestHandlerHandle(t *testing.T) {

{
"empty pod basic, protocol in annotation",
Handler{WriteServiceDefaults: true, Log: hclog.Default().Named("handler")},
Handler{
WriteServiceDefaults: true,
Log: hclog.Default().Named("handler"),
AllowK8sNamespacesSet: mapset.NewSetWith("*"),
DenyK8sNamespacesSet: mapset.NewSet(),
},
v1beta1.AdmissionRequest{
Object: encodeRaw(t, &corev1.Pod{
Spec: basicSpec,
Expand Down Expand Up @@ -299,7 +334,13 @@ func TestHandlerHandle(t *testing.T) {

{
"empty pod basic, default protocol specified",
Handler{WriteServiceDefaults: true, DefaultProtocol: "http", Log: hclog.Default().Named("handler")},
Handler{
WriteServiceDefaults: true,
DefaultProtocol: "http",
Log: hclog.Default().Named("handler"),
AllowK8sNamespacesSet: mapset.NewSetWith("*"),
DenyK8sNamespacesSet: mapset.NewSet(),
},
v1beta1.AdmissionRequest{
Object: encodeRaw(t, &corev1.Pod{
Spec: basicSpec,
Expand Down Expand Up @@ -369,7 +410,11 @@ func TestHandlerHandle_badContentType(t *testing.T) {
require.NoError(t, err)
req.Header.Set("Content-Type", "text/plain")

h := Handler{Log: hclog.Default().Named("handler")}
h := Handler{
Log: hclog.Default().Named("handler"),
AllowK8sNamespacesSet: mapset.NewSetWith("*"),
DenyK8sNamespacesSet: mapset.NewSet(),
}
rec := httptest.NewRecorder()
h.Handle(rec, req)
require.Equal(t, http.StatusBadRequest, rec.Code)
Expand All @@ -382,7 +427,11 @@ func TestHandlerHandle_noBody(t *testing.T) {
require.NoError(t, err)
req.Header.Set("Content-Type", "application/json")

h := Handler{Log: hclog.Default().Named("handler")}
h := Handler{
Log: hclog.Default().Named("handler"),
AllowK8sNamespacesSet: mapset.NewSetWith("*"),
DenyK8sNamespacesSet: mapset.NewSet(),
}
rec := httptest.NewRecorder()
h.Handle(rec, req)
require.Equal(t, http.StatusBadRequest, rec.Code)
Expand Down Expand Up @@ -789,7 +838,7 @@ func TestShouldInject(t *testing.T) {
false,
},
{
"namespaces disabled",
"namespaces disabled, empty allow/deny lists",
&corev1.Pod{
ObjectMeta: metav1.ObjectMeta{
Annotations: map[string]string{
Expand All @@ -801,8 +850,113 @@ func TestShouldInject(t *testing.T) {
false,
mapset.NewSet(),
mapset.NewSet(),
false,
},
{
"namespaces disabled, allow *",
&corev1.Pod{
ObjectMeta: metav1.ObjectMeta{
Annotations: map[string]string{
annotationService: "testing",
},
},
},
"default",
false,
mapset.NewSetWith("*"),
mapset.NewSet(),
true,
},
{
"namespaces disabled, allow default",
&corev1.Pod{
ObjectMeta: metav1.ObjectMeta{
Annotations: map[string]string{
annotationService: "testing",
},
},
},
"default",
false,
mapset.NewSetWith("default"),
mapset.NewSet(),
true,
},
{
"namespaces disabled, allow * and default",
&corev1.Pod{
ObjectMeta: metav1.ObjectMeta{
Annotations: map[string]string{
annotationService: "testing",
},
},
},
"default",
false,
mapset.NewSetWith("*", "default"),
mapset.NewSet(),
true,
},
{
"namespaces disabled, allow only ns1 and ns2",
&corev1.Pod{
ObjectMeta: metav1.ObjectMeta{
Annotations: map[string]string{
annotationService: "testing",
},
},
},
"default",
false,
mapset.NewSetWith("ns1", "ns2"),
mapset.NewSet(),
false,
},
{
"namespaces disabled, deny default ns",
&corev1.Pod{
ObjectMeta: metav1.ObjectMeta{
Annotations: map[string]string{
annotationService: "testing",
},
},
},
"default",
false,
mapset.NewSet(),
mapset.NewSetWith("default"),
false,
},
{
"namespaces disabled, allow *, deny default ns",
&corev1.Pod{
ObjectMeta: metav1.ObjectMeta{
Annotations: map[string]string{
annotationService: "testing",
},
},
},
"default",
false,
mapset.NewSetWith("*"),
mapset.NewSetWith("default"),
false,
},
{
"namespaces disabled, default ns in both allow and deny lists",
&corev1.Pod{
ObjectMeta: metav1.ObjectMeta{
Annotations: map[string]string{
annotationService: "testing",
},
},
},
"default",
false,
mapset.NewSetWith("default"),
mapset.NewSetWith("default"),
false,
},
{
"namespaces enabled, empty allow/deny lists",
&corev1.Pod{
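Review bot: None of the new `TestShouldInject` cases exercises a `Handler` whose allow/deny sets are left unset, which after this commit is the configuration most likely to misbehave, since the namespace checks now run even with namespaces disabled and every `Handler{Log: ...}` literal in `TestHandlerHandle` had to gain both sets to keep passing. A case such as `"namespaces disabled, nil allow/deny lists"` with `nil, nil` in the two set columns would pin whether the intended outcome is a deny or something else. The same three-field `Handler{...}` literal is now repeated in eleven places in this file; a small helper such as `func newTestHandler() Handler` returning the `Log`, `AllowK8sNamespacesSet: mapset.NewSetWith("*")` and `DenyK8sNamespacesSet: mapset.NewSet()` defaults would keep the per-case overrides (`WriteServiceDefaults`, `DefaultProtocol`) readable. The table entry at the end of this hunk continues outside it.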
