azure-load-balancer-tcp-idle-timeout validation for svc

miyadav · miyadav · commit 76b7f98df6f9 · 2025-01-23T14:15:58.000+05:30
diff --git a/pkg/cloud/azure/assets/validating-admission-service-annotation-policy-binding.yaml b/pkg/cloud/azure/assets/validating-admission-service-annotation-policy-binding.yaml
@@ -0,0 +1,7 @@
+apiVersion: admissionregistration.k8s.io/v1beta1
+kind: ValidatingAdmissionPolicyBinding
+metadata:
+  name: azure-load-balancer-tcp-idle-timeout-validation-annotation-binding
+spec:
+  policyName: azure-load-balancer-tcp-idle-timeout-annotation-validation-policy
+  validationActions: ["Deny"]
diff --git a/pkg/cloud/azure/assets/validating-admission-service-annotation-policy.yaml b/pkg/cloud/azure/assets/validating-admission-service-annotation-policy.yaml
@@ -0,0 +1,20 @@
+apiVersion: admissionregistration.k8s.io/v1beta1
+kind: ValidatingAdmissionPolicy
+metadata:
+  name: azure-load-balancer-tcp-idle-timeout-annotation-validation-policy
+spec:
+  matchConstraints:
+    resourceRules:
+      - apiGroups: [""]
+        apiVersions: ["v1"]
+        operations: ["CREATE", "UPDATE"]
+        resources: ["services"]
+  validations:
+    - expression: |
+        (!has(object.metadata.annotations) || 
+        !('service.beta.kubernetes.io/azure-load-balancer-tcp-idle-timeout' in object.metadata.annotations) ||
+        (object.metadata.annotations['service.beta.kubernetes.io/azure-load-balancer-tcp-idle-timeout'].matches('^[0-9]+$') &&
+        int(object.metadata.annotations['service.beta.kubernetes.io/azure-load-balancer-tcp-idle-timeout']) >= 4 &&
+        int(object.metadata.annotations['service.beta.kubernetes.io/azure-load-balancer-tcp-idle-timeout']) <= 100))
+      message: "The annotation 'service.beta.kubernetes.io/azure-load-balancer-tcp-idle-timeout', if specified, must have a value between 4 and 100."
+     
diff --git a/pkg/cloud/azure/azure.go b/pkg/cloud/azure/azure.go
@@ -34,6 +34,8 @@ var (
 		{ReferenceObject: &rbacv1.ClusterRoleBinding{}, EmbedFsPath: "assets/azure-cloud-controller-manager-clusterrolebinding.yaml"},
 		{ReferenceObject: &admissionregistrationv1.ValidatingAdmissionPolicy{}, EmbedFsPath: "assets/validating-admission-policy.yaml"},
 		{ReferenceObject: &admissionregistrationv1.ValidatingAdmissionPolicyBinding{}, EmbedFsPath: "assets/validating-admission-policy-binding.yaml"},
+		{ReferenceObject: &admissionregistrationv1.ValidatingAdmissionPolicyBinding{}, EmbedFsPath: "assets/validating-admission-service-annotation-policy-binding.yaml"},
+		{ReferenceObject: &admissionregistrationv1.ValidatingAdmissionPolicy{}, EmbedFsPath: "assets/validating-admission-service-annotation-policy.yaml"},
 	}
 )
 
diff --git a/pkg/cloud/azure/azure_test.go b/pkg/cloud/azure/azure_test.go
@@ -90,7 +90,7 @@ func TestResourcesRenderingSmoke(t *testing.T) {
 			}
 
 			resources := assets.GetRenderedResources()
-			assert.Len(t, resources, 6)
+			assert.Len(t, resources, 8)
 		})
 	}
 }
diff --git a/pkg/cloud/cloud_test.go b/pkg/cloud/cloud_test.go
@@ -153,20 +153,22 @@ func TestGetResources(t *testing.T) {
 	}, {
 		name:                  "Azure resources returned as expected",
 		testPlatform:          platformsMap[string(configv1.AzurePlatformType)],
-		expectedResourceCount: 7,
+		expectedResourceCount: 9,
 		expectedResourcesKindName: []string{
 			"Deployment/azure-cloud-controller-manager",
 			"DaemonSet/azure-cloud-node-manager",
 			"ClusterRole/azure-cloud-controller-manager",
 			"ClusterRoleBinding/cloud-controller-manager:azure-cloud-controller-manager",
 			"ValidatingAdmissionPolicy/openshift-cloud-controller-manager-cloud-provider-azure-node-admission",
 			"ValidatingAdmissionPolicyBinding/openshift-cloud-controller-manager-cloud-provider-azure-node-admission",
+			"ValidatingAdmissionPolicyBinding/azure-load-balancer-tcp-idle-timeout-validation-annotation-binding",
+			"ValidatingAdmissionPolicy/azure-load-balancer-tcp-idle-timeout-annotation-validation-policy",
 			"PodDisruptionBudget/azure-cloud-controller-manager",
 		},
 	}, {
 		name:                  "Azure resources returned as expected with single node cluster",
 		testPlatform:          platformsMap[string(configv1.AzurePlatformType)],
-		expectedResourceCount: 6,
+		expectedResourceCount: 8,
 		singleReplica:         true,
 		expectedResourcesKindName: []string{
 			"Deployment/azure-cloud-controller-manager",
@@ -175,6 +177,8 @@ func TestGetResources(t *testing.T) {
 			"ClusterRoleBinding/cloud-controller-manager:azure-cloud-controller-manager",
 			"ValidatingAdmissionPolicy/openshift-cloud-controller-manager-cloud-provider-azure-node-admission",
 			"ValidatingAdmissionPolicyBinding/openshift-cloud-controller-manager-cloud-provider-azure-node-admission",
+			"ValidatingAdmissionPolicyBinding/azure-load-balancer-tcp-idle-timeout-validation-annotation-binding",
+			"ValidatingAdmissionPolicy/azure-load-balancer-tcp-idle-timeout-annotation-validation-policy",
 		},
 	}, {
 		name:                  "Azure Stack resources returned as expected",

Original file line number	Diff line number	Diff line change
`@@ -34,6 +34,8 @@ var (`
`34`	`34`	`{ReferenceObject: &rbacv1.ClusterRoleBinding{}, EmbedFsPath: "assets/azure-cloud-controller-manager-clusterrolebinding.yaml"},`
`35`	`35`	`{ReferenceObject: &admissionregistrationv1.ValidatingAdmissionPolicy{}, EmbedFsPath: "assets/validating-admission-policy.yaml"},`
`36`	`36`	`{ReferenceObject: &admissionregistrationv1.ValidatingAdmissionPolicyBinding{}, EmbedFsPath: "assets/validating-admission-policy-binding.yaml"},`
	`37`	`+ {ReferenceObject: &admissionregistrationv1.ValidatingAdmissionPolicyBinding{}, EmbedFsPath: "assets/validating-admission-service-annotation-policy-binding.yaml"},`
	`38`	`+ {ReferenceObject: &admissionregistrationv1.ValidatingAdmissionPolicy{}, EmbedFsPath: "assets/validating-admission-service-annotation-policy.yaml"},`
`37`	`39`	`}`
`38`	`40`	`)`
`39`	`41`
Original file line number	Diff line number	Diff line change
`@@ -90,7 +90,7 @@ func TestResourcesRenderingSmoke(t *testing.T) {`
`90`	`90`	`}`
`91`	`91`
`92`	`92`	`resources := assets.GetRenderedResources()`
`93`		`- assert.Len(t, resources, 6)`
	`93`	`+ assert.Len(t, resources, 8)`
`94`	`94`	`})`
`95`	`95`	`}`
`96`	`96`	`}`