OCPBUGS-48481 annotation validation policy

Adding new assets to payload

Unit tests updated

Author: miyadav

pkg/cloud/cloud_test.go

@@ -129,22 +129,26 @@ func TestGetResources(t *testing.T) {
 	}, {
 		name:                  "GCP resources returned as expected",
 		testPlatform:          platformsMap[string(configv1.GCPPlatformType)],
-		expectedResourceCount: 4,
+		expectedResourceCount: 6,
 		expectedResourcesKindName: []string{
 			"Deployment/gcp-cloud-controller-manager",
 			"PodDisruptionBudget/gcp-cloud-controller-manager",
 			"ClusterRole/gcp-cloud-controller-manager",
 			"ClusterRoleBinding/gcp-cloud-controller-manager:cloud-provider",
+			"ValidatingAdmissionPolicyBinding/network-tier-annotation-binding",
+			"ValidatingAdmissionPolicy/network-tier-annotation-validation-policy",
 		},
 	}, {
 		name:                  "GCP resources returned as expected with single node cluster",
 		testPlatform:          platformsMap[string(configv1.GCPPlatformType)],
-		expectedResourceCount: 3,
+		expectedResourceCount: 5,
 		singleReplica:         true,
 		expectedResourcesKindName: []string{
 			"Deployment/gcp-cloud-controller-manager",
 			"ClusterRole/gcp-cloud-controller-manager",
 			"ClusterRoleBinding/gcp-cloud-controller-manager:cloud-provider",
+			"ValidatingAdmissionPolicyBinding/network-tier-annotation-binding",
+			"ValidatingAdmissionPolicy/network-tier-annotation-validation-policy",
 		},
 	}, {
 		name:                  "Azure resources returned as expected",

pkg/cloud/gcp/assets/validating-admission-policy-binding.yaml

@@ -0,0 +1,7 @@
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicyBinding
+metadata:
+  name: network-tier-annotation-binding
+spec:
+  policyName: network-tier-annotation-validation-policy
+  validationActions: ["Deny"]

pkg/cloud/gcp/assets/validating-admission-policy.yaml

@@ -0,0 +1,17 @@
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicy
+metadata:
+  name: network-tier-annotation-validation-policy
+spec:
+  matchConstraints:
+    resourceRules:
+      - apiGroups: [""]
+        apiVersions: ["v1"]
+        operations: ["CREATE", "UPDATE"]
+        resources: ["services"]
+  validations:
+    - expression: "(!has(object.metadata.annotations) || !('cloud.google.com/network-tier' in object.metadata.annotations) ||
+                   (object.metadata.annotations['cloud.google.com/network-tier'] == 'Standard' || object.metadata.annotations['cloud.google.com/network-tier'] == 'Premium') ||
+                   (has(oldObject.metadata.annotations) && oldObject.metadata.annotations['cloud.google.com/network-tier'] == object.metadata.annotations['cloud.google.com/network-tier']))"
+      message: "The annotation 'cloud.google.com/network-tier', if specified, must be either 'Standard' or 'Premium'."
+

pkg/cloud/gcp/gcp.go

@@ -5,6 +5,7 @@ import (
 	"fmt"
 
 	"github.com/asaskevich/govalidator"
+	admissionregistrationv1 "k8s.io/api/admissionregistration/v1"
 	appsv1 "k8s.io/api/apps/v1"
 	rbacv1 "k8s.io/api/rbac/v1"
 	"sigs.k8s.io/controller-runtime/pkg/client"
@@ -22,6 +23,8 @@ var (
 		{ReferenceObject: &appsv1.Deployment{}, EmbedFsPath: "assets/cloud-controller-manager.yaml"},
 		{ReferenceObject: &rbacv1.ClusterRole{}, EmbedFsPath: "assets/gcp-cloud-controller-manager-clusterrole.yaml"},
 		{ReferenceObject: &rbacv1.ClusterRoleBinding{}, EmbedFsPath: "assets/gcp-cloud-controller-manager-clusterrolebinding.yaml"},
+		{ReferenceObject: &admissionregistrationv1.ValidatingAdmissionPolicyBinding{}, EmbedFsPath: "assets/validating-admission-policy-binding.yaml"},
+		{ReferenceObject: &admissionregistrationv1.ValidatingAdmissionPolicy{}, EmbedFsPath: "assets/validating-admission-policy.yaml"},
 	}
 )
 

pkg/cloud/gcp/gcp_test.go

@@ -55,7 +55,7 @@ func TestResourcesRenderingSmoke(t *testing.T) {
 			}
 
 			resources := assets.GetRenderedResources()
-			assert.Len(t, resources, 3)
+			assert.Len(t, resources, 5)
 		})
 	}
 }