image: transform api groups to legacy resources in admission

mfojtik · mfojtik · commit 9a9032f94d44 · 2017-03-17T12:28:28.000+01:00
diff --git a/pkg/api/latest/latest.go b/pkg/api/latest/latest.go
@@ -55,6 +55,16 @@ func OriginLegacyKind(gvk unversioned.GroupVersionKind) bool {
 	return OriginKind(gvk) && gvk.Group == ""
 }
 
+// IsOriginAPIGroup returns true if the provided group name belongs to Origin API.
+func IsOriginAPIGroup(groupName string) bool {
+	for _, v := range Versions {
+		if v.Group == groupName {
+			return true
+		}
+	}
+	return false
+}
+
 // IsKindInAnyOriginGroup returns true if OpenShift owns the kind described in any apiVersion.
 // TODO: this may not work once we divide builds/deployments/images into their own API groups
 func IsKindInAnyOriginGroup(kind string) bool {
diff --git a/pkg/image/admission/imagepolicy/rules/accept.go b/pkg/image/admission/imagepolicy/rules/accept.go
@@ -5,6 +5,7 @@ import (
 
 	"k8s.io/kubernetes/pkg/api/unversioned"
 
+	"github.com/openshift/origin/pkg/api/latest"
 	"github.com/openshift/origin/pkg/image/admission/imagepolicy/api"
 )
 
@@ -18,14 +19,14 @@ type Accepter interface {
 type mappedAccepter map[unversioned.GroupResource]Accepter
 
 func (a mappedAccepter) Covers(gr unversioned.GroupResource) bool {
-	_, ok := a[gr]
+	_, ok := a[transformToLegacy(gr)]
 	return ok
 }
 
 // Accepts returns true if no Accepter is registered for the group resource in attributes,
 // or if the registered Accepter also returns true.
 func (a mappedAccepter) Accepts(attr *ImagePolicyAttributes) bool {
-	accepter, ok := a[attr.Resource]
+	accepter, ok := a[transformToLegacy(attr.Resource)]
 	if !ok {
 		return true
 	}
@@ -51,13 +52,13 @@ func NewExecutionRulesAccepter(rules []api.ImageExecutionPolicyRule, integratedR
 		}
 		rule.ImageCondition.MatchImageLabelSelectors = selectors
 		for gr := range over {
-			a, ok := mapped[gr]
+			a, ok := mapped[transformToLegacy(gr)]
 			if !ok {
 				a = &executionAccepter{
-					covers: gr,
+					covers: transformToLegacy(gr),
 					integratedRegistryMatcher: integratedRegistryMatcher,
 				}
-				mapped[gr] = a
+				mapped[transformToLegacy(gr)] = a
 			}
 			byResource := a.(*executionAccepter)
 			byResource.rules = append(byResource.rules, rule)
@@ -83,11 +84,20 @@ func NewExecutionRulesAccepter(rules []api.ImageExecutionPolicyRule, integratedR
 }
 
 func (r *executionAccepter) Covers(gr unversioned.GroupResource) bool {
-	return r.covers == gr
+	return transformToLegacy(r.covers) == transformToLegacy(gr)
+}
+
+// transformToLegacy transforms the given resource to legacy resource if the API group is
+// set and the group is one of the Origin API groups.
+func transformToLegacy(resource unversioned.GroupResource) unversioned.GroupResource {
+	if len(resource.Group) > 0 && latest.IsOriginAPIGroup(resource.Group) {
+		return unversioned.GroupResource{Resource: resource.Resource, Group: ""}
+	}
+	return resource
 }
 
 func (r *executionAccepter) Accepts(attrs *ImagePolicyAttributes) bool {
-	if attrs.Resource != r.covers {
+	if !r.Covers(attrs.Resource) {
 		return true
 	}
 
diff --git a/pkg/image/admission/imagepolicy/rules/accept_test.go b/pkg/image/admission/imagepolicy/rules/accept_test.go
@@ -262,6 +262,9 @@ func TestAccept(t *testing.T) {
 				{ImageCondition: api.ImageCondition{OnResources: []unversioned.GroupResource{podResource, {Resource: "services"}}}},
 				{ImageCondition: api.ImageCondition{OnResources: []unversioned.GroupResource{{Resource: "services", Group: "extra"}}}},
 				{ImageCondition: api.ImageCondition{OnResources: []unversioned.GroupResource{{Resource: "nodes", Group: "extra"}}}},
+				{ImageCondition: api.ImageCondition{OnResources: []unversioned.GroupResource{{Resource: "deploymentconfigs", Group: ""}}}},
+				{ImageCondition: api.ImageCondition{OnResources: []unversioned.GroupResource{{Resource: "deployments", Group: "extensions"}}}},
+				{ImageCondition: api.ImageCondition{OnResources: []unversioned.GroupResource{{Resource: "users", Group: "user.openshift.io"}}}},
 			},
 			matcher: nameSet{},
 			covers: map[unversioned.GroupResource]bool{
@@ -270,6 +273,16 @@ func TestAccept(t *testing.T) {
 				unversioned.GroupResource{Group: "extra", Resource: "services"}: true,
 				unversioned.GroupResource{Group: "extra", Resource: "nodes"}:    true,
 				unversioned.GroupResource{Resource: "nodes"}:                    false,
+
+				// Make sure the legacy and grouped resources are treated as same
+				unversioned.GroupResource{Group: "", Resource: "deploymentconfigs"}:                  true,
+				unversioned.GroupResource{Group: "apps.openshift.io", Resource: "deploymentconfigs"}: true,
+				unversioned.GroupResource{Group: "user.openshift.io", Resource: "users"}:             true,
+				unversioned.GroupResource{Group: "", Resource: "users"}:                              true,
+
+				// Deployments are Kubernetes, not Origin API group
+				unversioned.GroupResource{Group: "extensions", Resource: "deployments"}: true,
+				unversioned.GroupResource{Group: "", Resource: "deployments"}:           false,
 			},
 		},
 	}
