Verify with the API server if an empty map is equal to nil

If a policy specified an empty map but the object didn't return a value for the map, it was assumed that API server was just not returning an empty value. This is true in most cases, however, if the underlying Go type of the map is a pointer to a struct, an empty map may have a different meaning than nil. One example is the `emptyDir` key in the "configs.imageregistry.operator.openshift.io" resource. This commit changes the local comparison logic from considering empty maps being the same as a nil value. The controller then performs a dry run update request to see if the API server returns an empty map or omits the value entirely (i.e. seen as nil). The result of the object comparison is now cached to not continuously making dry run update requests on every policy evaluation. Relates: https://issues.redhat.com/browse/ACM-7810 Signed-off-by: mprahl <mprahl@users.noreply.github.com>
mprahl · Nov 3, 2023 · ffc115c · ffc115c
1 parent bc358da
commit ffc115c
Show file tree

Hide file tree

Showing 9 changed files with 444 additions and 67 deletions.
diff --git a/controllers/configurationpolicy_controller.go b/controllers/configurationpolicy_controller.go
diff --git a/controllers/configurationpolicy_controller_test.go b/controllers/configurationpolicy_controller_test.go
@@ -91,7 +91,7 @@ func TestCompareSpecs(t *testing.T) {
 		},
 	}
 
-	merged, err := compareSpecs(spec1, spec2, "mustonlyhave")
+	merged, err := compareSpecs(spec1, spec2, "mustonlyhave", true)
 	if err != nil {
 		t.Fatalf("compareSpecs: (%v)", err)
 	}
@@ -123,7 +123,7 @@ func TestCompareSpecs(t *testing.T) {
 		},
 	}
 
-	merged, err = compareSpecs(spec1, spec2, "musthave")
+	merged, err = compareSpecs(spec1, spec2, "musthave", true)
 	if err != nil {
 		t.Fatalf("compareSpecs: (%v)", err)
 	}
@@ -291,7 +291,7 @@ func TestMergeArraysMustHave(t *testing.T) {
 		t.Run(testName, func(t *testing.T) {
 			t.Parallel()
 
-			actualMergedList := mergeArrays(test.desiredList, test.currentList, "musthave")
+			actualMergedList := mergeArrays(test.desiredList, test.currentList, "musthave", true)
 			assert.Equal(t, fmt.Sprintf("%+v", test.expectedList), fmt.Sprintf("%+v", actualMergedList))
 			assert.True(t, checkListsMatch(test.expectedList, actualMergedList))
 		})
@@ -378,7 +378,7 @@ func TestMergeArraysMustOnlyHave(t *testing.T) {
 		t.Run(testName, func(t *testing.T) {
 			t.Parallel()
 
-			actualMergedList := mergeArrays(test.desiredList, test.currentList, "mustonlyhave")
+			actualMergedList := mergeArrays(test.desiredList, test.currentList, "mustonlyhave", true)
 			assert.Equal(t, fmt.Sprintf("%+v", test.expectedList), fmt.Sprintf("%+v", actualMergedList))
 			assert.True(t, checkListsMatch(test.expectedList, actualMergedList))
 		})
@@ -569,14 +569,14 @@ status:
 	existingObjOrderOne := unstructured.Unstructured{Object: orderOneObj}
 	existingObjOrderTwo := unstructured.Unstructured{Object: orderTwoObj}
 
-	errormsg, updateNeeded, _, _ := handleSingleKey("status", desiredObj, &existingObjOrderOne, "musthave")
+	errormsg, updateNeeded, _, _ := handleSingleKey("status", desiredObj, &existingObjOrderOne, "musthave", true)
 	if len(errormsg) != 0 {
 		t.Error("Got unexpected error message", errormsg)
 	}
 
 	assert.False(t, updateNeeded)
 
-	errormsg, updateNeeded, _, _ = handleSingleKey("status", desiredObj, &existingObjOrderTwo, "musthave")
+	errormsg, updateNeeded, _, _ = handleSingleKey("status", desiredObj, &existingObjOrderTwo, "musthave", true)
 	if len(errormsg) != 0 {
 		t.Error("Got unexpected error message", errormsg)
 	}
@@ -1332,7 +1332,7 @@ func TestShouldHandleSingleKeyFalse(t *testing.T) {
 		unstruct.Object = test.input
 		unstructObj.Object = test.fromAPI
 		key := test.expectResult.key
-		_, update, _, skip = handleSingleKey(key, unstruct, &unstructObj, "musthave")
+		_, update, _, skip = handleSingleKey(key, unstruct, &unstructObj, "musthave", true)
 		assert.Equal(t, update, test.expectResult.expect)
 		assert.False(t, skip)
 	}

diff --git a/controllers/configurationpolicy_utils.go b/controllers/configurationpolicy_utils.go
@@ -106,11 +106,11 @@ func updateRelatedObjectsStatus(
 
 // equalObjWithSort is a wrapper function that calls the correct function to check equality depending on what
 // type the objects to compare are
-func equalObjWithSort(mergedObj interface{}, oldObj interface{}) (areEqual bool) {
+func equalObjWithSort(mergedObj interface{}, oldObj interface{}, zeroValueEqualsNil bool) (areEqual bool) {
 	switch mergedObj := mergedObj.(type) {
 	case map[string]interface{}:
 		if oldObjMap, ok := oldObj.(map[string]interface{}); ok {
-			return checkFieldsWithSort(mergedObj, oldObjMap)
+			return checkFieldsWithSort(mergedObj, oldObjMap, zeroValueEqualsNil)
 		}
 		// this includes the case where oldObj is nil
 		return false
@@ -125,20 +125,22 @@ func equalObjWithSort(mergedObj interface{}, oldObj interface{}) (areEqual bool)
 
 		return false
 	default: // when mergedObj's type is string, int, bool, or nil
-		if oldObj == nil && mergedObj != nil {
-			// compare the zero value of mergedObj's type to mergedObj
-			ref := reflect.ValueOf(mergedObj)
-			zero := reflect.Zero(ref.Type()).Interface()
+		if zeroValueEqualsNil {
+			if oldObj == nil && mergedObj != nil {
+				// compare the zero value of mergedObj's type to mergedObj
+				ref := reflect.ValueOf(mergedObj)
+				zero := reflect.Zero(ref.Type()).Interface()
 
-			return fmt.Sprint(zero) == fmt.Sprint(mergedObj)
-		}
+				return fmt.Sprint(zero) == fmt.Sprint(mergedObj)
+			}
 
-		if mergedObj == nil && oldObj != nil {
-			// compare the zero value of oldObj's type to oldObj
-			ref := reflect.ValueOf(oldObj)
-			zero := reflect.Zero(ref.Type()).Interface()
+			if mergedObj == nil && oldObj != nil {
+				// compare the zero value of oldObj's type to oldObj
+				ref := reflect.ValueOf(oldObj)
+				zero := reflect.Zero(ref.Type()).Interface()
 
-			return fmt.Sprint(zero) == fmt.Sprint(oldObj)
+				return fmt.Sprint(zero) == fmt.Sprint(oldObj)
+			}
 		}
 
 		return fmt.Sprint(mergedObj) == fmt.Sprint(oldObj)
@@ -147,7 +149,9 @@ func equalObjWithSort(mergedObj interface{}, oldObj interface{}) (areEqual bool)
 
 // checkFieldsWithSort is a check for maps that uses an arbitrary sort to ensure it is
 // comparing the right values
-func checkFieldsWithSort(mergedObj map[string]interface{}, oldObj map[string]interface{}) (matches bool) {
+func checkFieldsWithSort(
+	mergedObj map[string]interface{}, oldObj map[string]interface{}, zeroValueEqualsNil bool,
+) (matches bool) {
 	// needed to compare lists, since merge messes up the order
 	if len(mergedObj) < len(oldObj) {
 		return false
@@ -159,14 +163,14 @@ func checkFieldsWithSort(mergedObj map[string]interface{}, oldObj map[string]int
 			// if field is a map, recurse to check for a match
 			oVal, ok := oldObj[i].(map[string]interface{})
 			if !ok {
-				if len(mVal) == 0 {
+				if zeroValueEqualsNil && len(mVal) == 0 {
 					break
 				}
 
 				return false
 			}
 
-			if !checkFieldsWithSort(mVal, oVal) {
+			if !checkFieldsWithSort(mVal, oVal, zeroValueEqualsNil) {
 				return false
 			}
 		case []interface{}:
@@ -280,7 +284,7 @@ func checkListsMatch(oldVal []interface{}, mergedVal []interface{}) (m bool) {
 		case map[string]interface{}:
 			// if list contains maps, recurse on those maps to check for a match
 			if mVal, ok := mVal[idx].(map[string]interface{}); ok {
-				if !checkFieldsWithSort(mVal, oNestedVal) {
+				if !checkFieldsWithSort(mVal, oNestedVal, true) {
 					return false
 				}
 

diff --git a/controllers/configurationpolicy_utils_test.go b/controllers/configurationpolicy_utils_test.go
@@ -116,7 +116,30 @@ func TestCheckFieldsWithSort(t *testing.T) {
 		"resources":       []interface{}{},
 	}
 
-	assert.True(t, checkFieldsWithSort(mergedObj, oldObj))
+	assert.True(t, checkFieldsWithSort(mergedObj, oldObj, false))
+}
+
+func TestCheckFieldsWithSortEmptyMap(t *testing.T) {
+	oldObj := map[string]interface{}{
+		"spec": map[string]interface{}{
+			"storage": map[string]interface{}{
+				"s3": map[string]interface{}{
+					"bucket": "some-bucket",
+				},
+			},
+		},
+	}
+	mergedObj := map[string]interface{}{
+		"spec": map[string]interface{}{
+			"storage": map[string]interface{}{
+				"emptyDir": map[string]interface{}{},
+			},
+		},
+	}
+
+	assert.False(t, checkFieldsWithSort(mergedObj, oldObj, false))
+
+	assert.True(t, checkFieldsWithSort(mergedObj, oldObj, true))
 }
 
 func TestEqualObjWithSort(t *testing.T) {
@@ -133,8 +156,8 @@ func TestEqualObjWithSort(t *testing.T) {
 		"resources":       []interface{}{},
 	}
 
-	assert.True(t, equalObjWithSort(mergedObj, oldObj))
-	assert.False(t, equalObjWithSort(mergedObj, nil))
+	assert.True(t, equalObjWithSort(mergedObj, oldObj, true))
+	assert.False(t, equalObjWithSort(mergedObj, nil, true))
 
 	oldObj = map[string]interface{}{
 		"nonResourceURLs": []string{"/version", "/healthz"},
@@ -147,5 +170,30 @@ func TestEqualObjWithSort(t *testing.T) {
 		"resources":       []interface{}{},
 	}
 
-	assert.False(t, equalObjWithSort(mergedObj, oldObj))
+	assert.False(t, equalObjWithSort(mergedObj, oldObj, true))
+}
+
+func TestEqualObjWithSortString(t *testing.T) {
+	t.Parallel()
+
+	assert.True(t, equalObjWithSort("", nil, true))
+	assert.False(t, equalObjWithSort("", nil, false))
+	assert.True(t, equalObjWithSort(nil, "", true))
+	assert.False(t, equalObjWithSort(nil, "", false))
+}
+
+func TestEqualObjWithSortEmptyMap(t *testing.T) {
+	t.Parallel()
+
+	oldObj := map[string]interface{}{
+		"cities": map[string]interface{}{},
+	}
+	mergedObj := map[string]interface{}{
+		"cities": map[string]interface{}{
+			"raleigh": map[string]interface{}{},
+		},
+	}
+
+	assert.True(t, equalObjWithSort(mergedObj, oldObj, true))
+	assert.False(t, equalObjWithSort(mergedObj, oldObj, false))
 }
diff --git a/main.go b/main.go
@@ -19,6 +19,7 @@ import (
 	operatorv1alpha1 "github.com/operator-framework/api/pkg/operators/v1alpha1"
 	"github.com/spf13/pflag"
 	"github.com/stolostron/go-log-utils/zaputil"
+	"golang.org/x/mod/semver"
 	appsv1 "k8s.io/api/apps/v1"
 	corev1 "k8s.io/api/core/v1"
 	extensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
@@ -27,6 +28,7 @@ import (
 	"k8s.io/apimachinery/pkg/fields"
 	k8sruntime "k8s.io/apimachinery/pkg/runtime"
 	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
+	"k8s.io/client-go/discovery"
 	"k8s.io/client-go/dynamic"
 	"k8s.io/client-go/kubernetes"
 	clientgoscheme "k8s.io/client-go/kubernetes/scheme"
@@ -329,9 +331,28 @@ func main() {
 		os.Exit(1)
 	}
 
+	discoveryClient := discovery.NewDiscoveryClientForConfigOrDie(targetK8sConfig)
+
+	serverVersion, err := discoveryClient.ServerVersion()
+	if err != nil {
+		log.Error(err, "unable to detect the managed cluster's Kubernetes version")
+		os.Exit(1)
+	}
+
+	dryRunSupported := semver.Compare(serverVersion.GitVersion, "v1.18.0") >= 0
+	if dryRunSupported {
+		log.Info("The managed cluster supports dry run API requests")
+	} else {
+		log.Info(
+			"The managed cluster does not support dry run API requests. Will assume that empty values are equal to " +
+				"not being set.",
+		)
+	}
+
 	reconciler := controllers.ConfigurationPolicyReconciler{
 		Client:                 mgr.GetClient(),
 		DecryptionConcurrency:  opts.decryptionConcurrency,
+		DryRunSupported:        dryRunSupported,
 		EvaluationConcurrency:  opts.evaluationConcurrency,
 		Scheme:                 mgr.GetScheme(),
 		Recorder:               mgr.GetEventRecorderFor(controllers.ControllerName),

diff --git a/test/e2e/case36_empty_map_test.go b/test/e2e/case36_empty_map_test.go
@@ -0,0 +1,70 @@
+// Copyright Contributors to the Open Cluster Management project
+
+package e2e
+
+import (
+	. "github.com/onsi/ginkgo/v2"
+	. "github.com/onsi/gomega"
+
+	"open-cluster-management.io/config-policy-controller/test/utils"
+)
+
+var _ = Describe("Test resource creation when there are empty labels in configurationPolicy", Ordered, func() {
+	const (
+		case36AddEmptyMap     = "../resources/case36_empty_map/policy-should-add-empty-map.yaml"
+		case36AddEmptyMapName = "case36-check-selinux-options"
+		case36NoEmptyMap      = "../resources/case36_empty_map/policy-should-not-add-empty-map.yaml"
+		case36NoEmptyMapName  = "case36-check-node-selector"
+		case36Deployment      = "../resources/case36_empty_map/deployment.yaml"
+		case36DeploymentName  = "case36-deployment"
+	)
+
+	BeforeEach(func() {
+		By("creating the deployment " + case36DeploymentName)
+		utils.Kubectl("apply", "-f", case36Deployment)
+	})
+
+	AfterEach(func() {
+		By("deleting the deployment " + case36DeploymentName)
+		utils.Kubectl("delete", "-f", case36Deployment, "--ignore-not-found")
+		deleteConfigPolicies([]string{case36AddEmptyMapName, case36NoEmptyMapName})
+	})
+
+	It("verifies the policy "+case36AddEmptyMapName+"is NonCompliant", func() {
+		By("creating the policy " + case36AddEmptyMapName)
+		utils.Kubectl("apply", "-f", case36AddEmptyMap, "-n", testNamespace)
+
+		By("checking if the policy " + case36AddEmptyMapName + " is NonCompliant")
+		Eventually(func() interface{} {
+			managedPlc := utils.GetWithTimeout(
+				clientManagedDynamic,
+				gvrConfigPolicy,
+				case36AddEmptyMapName,
+				testNamespace,
+				true,
+				defaultTimeoutSeconds,
+			)
+
+			return utils.GetComplianceState(managedPlc)
+		}, defaultTimeoutSeconds, 1).Should(Equal("NonCompliant"))
+	})
+
+	It("verifies the policy "+case36NoEmptyMapName+"is Compliant", func() {
+		By("creating the policy " + case36NoEmptyMapName)
+		utils.Kubectl("apply", "-f", case36NoEmptyMap, "-n", testNamespace)
+
+		By("checking if the policy " + case36NoEmptyMapName + " is Compliant")
+		Eventually(func() interface{} {
+			managedPlc := utils.GetWithTimeout(
+				clientManagedDynamic,
+				gvrConfigPolicy,
+				case36NoEmptyMapName,
+				testNamespace,
+				true,
+				defaultTimeoutSeconds,
+			)
+
+			return utils.GetComplianceState(managedPlc)
+		}, defaultTimeoutSeconds, 1).Should(Equal("Compliant"))
+	})
+})
diff --git a/test/resources/case36_empty_map/deployment.yaml b/test/resources/case36_empty_map/deployment.yaml
@@ -0,0 +1,22 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: case36-deployment
+  namespace: default
+  labels:
+    test: case36-deployment
+spec:
+  replicas: 0
+  selector:
+    matchLabels:
+      test: case36-deployment
+  template:
+    metadata:
+      labels:
+        test: case36-deployment
+    spec:
+      securityContext: {}
+      containers:
+        - image: nginx:1.7.9
+          imagePullPolicy: Never
+          name: nginx
diff --git a/test/resources/case36_empty_map/policy-should-add-empty-map.yaml b/test/resources/case36_empty_map/policy-should-add-empty-map.yaml
@@ -0,0 +1,21 @@
+apiVersion: policy.open-cluster-management.io/v1
+kind: ConfigurationPolicy
+metadata:
+  name: case36-check-selinux-options
+spec:
+  remediationAction: inform
+  object-templates:
+    - complianceType: musthave
+      objectDefinition:
+        apiVersion: apps/v1
+        kind: Deployment
+        metadata:
+          name: case36-deployment
+          namespace: default
+        spec:
+          template:
+            spec:
+              # securityContext defaults to `{}` and seLinuxOptions has omitempty on the API server but is a pointer,
+              # so setting this to an empty object will cause the empty object to be returned by the API.
+              securityContext:
+                seLinuxOptions: {}