(t *testing.T)
| 420 | } |
| 421 | |
| 422 | func TestExcludedNamespaces(t *testing.T) { |
| 423 | cfg := &v1alpha1.Config{ |
| 424 | Spec: v1alpha1.ConfigSpec{ |
| 425 | Match: []v1alpha1.MatchEntry{ |
| 426 | { |
| 427 | ExcludedNamespaces: []wildcard.Wildcard{"kube-*"}, |
| 428 | Processes: []string{"*"}, |
| 429 | }, |
| 430 | }, |
| 431 | Validation: v1alpha1.Validation{ |
| 432 | Traces: []v1alpha1.Trace{}, |
| 433 | }, |
| 434 | }, |
| 435 | } |
| 436 | ctx := context.Background() |
| 437 | opa, err := makeOpaClient() |
| 438 | if err != nil { |
| 439 | t.Fatalf("Could not initialize OPA: %s", err) |
| 440 | } |
| 441 | if _, err := opa.AddTemplate(ctx, validRegoTemplate()); err != nil { |
| 442 | t.Fatalf("could not add template: %s", err) |
| 443 | } |
| 444 | if _, err := opa.AddConstraint(ctx, validRegoTemplateConstraint()); err != nil { |
| 445 | t.Fatalf("could not add constraint: %s", err) |
| 446 | } |
| 447 | pe := process.New() |
| 448 | pe.Add(cfg.Spec.Match) |
| 449 | expSystem := expansion.NewSystem(mutation.NewSystem(mutation.SystemOpts{})) |
| 450 | handler := validationHandler{ |
| 451 | opa: opa, |
| 452 | expansionSystem: expSystem, |
| 453 | webhookHandler: webhookHandler{ |
| 454 | injectedConfig: cfg, |
| 455 | client: &nsGetter{}, |
| 456 | reader: &nsGetter{}, |
| 457 | processExcluder: pe, |
| 458 | }, |
| 459 | log: log, |
| 460 | } |
| 461 | tc := []struct { |
| 462 | Name string |
| 463 | Namespace string |
| 464 | Operation admissionv1.Operation |
| 465 | Raw []byte |
| 466 | OldRaw []byte |
| 467 | AllowedExpected bool |
| 468 | }{ |
| 469 | { |
| 470 | Name: "ExcludedNamespace invalid create", |
| 471 | Namespace: "notkube-test", |
| 472 | Operation: admissionv1.Create, |
| 473 | Raw: []byte(`{"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "acbd","namespace": ""}}`), |
| 474 | AllowedExpected: false, |
| 475 | }, |
| 476 | { |
| 477 | Name: "ExcludedNamespace valid create", |
| 478 | Namespace: "kube-test", |
| 479 | Operation: admissionv1.Create, |