adapted condition in webhook

Signed-off-by: odubajDT <[email protected]>

Author: odubajDT

webhooks/common.go

@@ -104,6 +104,11 @@ func shouldUseSidecar(annotations map[string]string) bool {
 	return ok
 }
 
+func shouldUseInProcess(annotations map[string]string) bool {
+	_, ok := annotations[fmt.Sprintf("%s/%s", common.OpenFeatureAnnotationPrefix, common.InProcessConfigurationAnnotation)]
+	return ok
+}
+
 func (m *PodMutator) getFeatureFlagSource(ctx context.Context, namespace string, name string) (*api.FeatureFlagSource, error) {
 	fcConfig := &api.FeatureFlagSource{}
 	if err := m.Client.Get(ctx, client.ObjectKey{Name: name, Namespace: namespace}, fcConfig); err != nil {

webhooks/pod_webhook.go

@@ -84,10 +84,12 @@ func (m *PodMutator) Handle(ctx context.Context, req admission.Request) admissio
 				return admission.Errored(code, err)
 			}
 		}
-	} else { // use in-process evaluation
+	} else if shouldUseInProcess(annotations) { // use in-process evaluation
 		if code, err := m.handleInProcessConfiguration(ctx, req, annotations, pod); err != nil {
 			return admission.Errored(code, err)
 		}
+	} else {
+		return admission.Denied("cannot mutate pods without 'featureflagsource' or 'inprocessconfiguration' annotation")
 	}
 
 	marshaledPod, err := json.Marshal(pod)

webhooks/pod_webhook_test.go

@@ -275,6 +275,21 @@ func TestPodMutator_Handle(t *testing.T) {
 	goodInProcessAnnotatedPod, err := json.Marshal(inProcessPod)
 	require.Nil(t, err)
 
+	missingAnnotationPod := corev1.Pod{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "myNotAnnotatedPod",
+			Namespace: mutatePodNamespace,
+			Annotations: map[string]string{
+				fmt.Sprintf("%s/%s", common.OpenFeatureAnnotationPrefix, common.EnabledAnnotation): "true",
+			},
+			OwnerReferences: []metav1.OwnerReference{{UID: "123"}},
+		},
+		Spec: corev1.PodSpec{ServiceAccountName: defaultPodServiceAccountName},
+	}
+
+	missingPod, err := json.Marshal(missingAnnotationPod)
+	require.Nil(t, err)
+
 	tests := []struct {
 		name     string
 		mutator  *PodMutator
@@ -523,6 +538,47 @@ func TestPodMutator_Handle(t *testing.T) {
 			},
 			allow: true,
 		},
+		{
+			name: "ofo enabled but annotation missing",
+			mutator: &PodMutator{
+				Client: NewClient(true,
+					&inProcessPod,
+					&corev1.ServiceAccount{
+						ObjectMeta: metav1.ObjectMeta{
+							Name:      defaultPodServiceAccountName,
+							Namespace: mutatePodNamespace,
+						},
+					},
+					&rbac.ClusterRoleBinding{
+						ObjectMeta: metav1.ObjectMeta{Name: common.ClusterRoleBindingName},
+						Subjects:   nil,
+						RoleRef:    rbac.RoleRef{},
+					},
+				),
+				decoder: decoder,
+				Log:     testr.New(t),
+			},
+			req: admission.Request{
+				AdmissionRequest: admissionv1.AdmissionRequest{
+					UID: "123",
+					Object: runtime.RawExtension{
+						Raw:    missingPod,
+						Object: &missingAnnotationPod,
+					},
+				},
+			},
+			setup: func(mockInjector *flagdinjectorfake.MockFlagdContainerInjector) {
+				mockInjector.EXPECT().
+					InjectFlagd(
+						gomock.Any(),
+						gomock.Any(),
+						gomock.Any(),
+						gomock.Any(),
+					).Return(nil).Times(0)
+			},
+			wantCode: http.StatusForbidden,
+			allow:    false,
+		},
 		{
 			name: "wrong request",
 			mutator: &PodMutator{