Webhook validation for networks .Spec.NetworkNamespace field

zeeke · zeeke · commit 7225640f21ec · 2025-07-30T11:39:42.000+02:00
Signed-off-by: Andrea Panattoni &lt;apanatto@redhat.com&gt;
diff --git a/bindata/manifests/operator-webhook/003-webhook.yaml b/bindata/manifests/operator-webhook/003-webhook.yaml
@@ -69,3 +69,15 @@ webhooks:
         apiGroups: [ "sriovnetwork.openshift.io" ]
         apiVersions: [ "v1" ]
         resources: [ "sriovnetworkpoolconfigs" ]
+      - operations: [ "CREATE", "UPDATE", ]
+        apiGroups: [ "sriovnetwork.openshift.io" ]
+        apiVersions: [ "v1" ]
+        resources: [ "sriovnetworks" ]
+      - operations: [ "CREATE", "UPDATE", ]
+        apiGroups: [ "sriovnetwork.openshift.io" ]
+        apiVersions: [ "v1" ]
+        resources: [ "sriovibnetworks" ]
+      - operations: [ "CREATE", "UPDATE", ]
+        apiGroups: [ "sriovnetwork.openshift.io" ]
+        apiVersions: [ "v1" ]
+        resources: [ "ovsnetworks" ]
diff --git a/pkg/webhook/validate_networks.go b/pkg/webhook/validate_networks.go
@@ -0,0 +1,43 @@
+package webhook
+
+import (
+	"fmt"
+
+	v1 "k8s.io/api/admission/v1"
+
+	sriovnetworkv1 "github.com/k8snetworkplumbingwg/sriov-network-operator/api/v1"
+	"github.com/k8snetworkplumbingwg/sriov-network-operator/controllers"
+	"github.com/k8snetworkplumbingwg/sriov-network-operator/pkg/vars"
+)
+
+func validateSriovNetwork(cr *sriovnetworkv1.SriovNetwork, operation v1.Operation) (bool, []string, error) {
+	err := validateNetworkNamespace(cr)
+	if err != nil {
+		return false, nil, err
+	}
+	return true, nil, nil
+}
+
+func validateSriovIBNetwork(cr *sriovnetworkv1.SriovIBNetwork, operation v1.Operation) (bool, []string, error) {
+	err := validateNetworkNamespace(cr)
+	if err != nil {
+		return false, nil, err
+	}
+	return true, nil, nil
+}
+
+func validateOVSNetwork(cr *sriovnetworkv1.OVSNetwork, operation v1.Operation) (bool, []string, error) {
+	err := validateNetworkNamespace(cr)
+	if err != nil {
+		return false, nil, err
+	}
+	return true, nil, nil
+}
+
+func validateNetworkNamespace(cr controllers.NetworkCRInstance) error {
+	if cr.GetNamespace() != vars.Namespace && cr.NetworkNamespace() != "" {
+		return fmt.Errorf(".Spec.NetworkNamespace field can't be specified if the resource is not in the %s namespace", vars.Namespace)
+	}
+
+	return nil
+}
diff --git a/pkg/webhook/validate_networks_test.go b/pkg/webhook/validate_networks_test.go
@@ -0,0 +1,95 @@
+package webhook
+
+import (
+	"testing"
+
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+	. "github.com/k8snetworkplumbingwg/sriov-network-operator/api/v1"
+	"github.com/k8snetworkplumbingwg/sriov-network-operator/controllers"
+	"github.com/k8snetworkplumbingwg/sriov-network-operator/pkg/vars"
+)
+
+func TestValidate_NetworkNamespace(t *testing.T) {
+	defer func(previous string) { vars.Namespace = previous }(vars.Namespace)
+	vars.Namespace = "operator-namespace"
+
+	testCases := []struct {
+		name       string
+		network    controllers.NetworkCRInstance
+		shouldFail bool
+	}{
+		{
+			name:       "SriovNetwork in operator namespace with empty NetworkNamespace",
+			network:    &SriovNetwork{ObjectMeta: metav1.ObjectMeta{Namespace: "operator-namespace"}, Spec: SriovNetworkSpec{NetworkNamespace: ""}},
+			shouldFail: false,
+		},
+		{
+			name:       "SriovNetwork in operator namespace with custom NetworkNamespace",
+			network:    &SriovNetwork{ObjectMeta: metav1.ObjectMeta{Namespace: "operator-namespace"}, Spec: SriovNetworkSpec{NetworkNamespace: "xxx"}},
+			shouldFail: false,
+		},
+		{
+			name:       "SriovNetwork in custom namespace with empty NetworkNamespace",
+			network:    &SriovNetwork{ObjectMeta: metav1.ObjectMeta{Namespace: "xxx"}, Spec: SriovNetworkSpec{NetworkNamespace: ""}},
+			shouldFail: false,
+		},
+		{
+			name:       "SriovIBNetwork in operator namespace with empty NetworkNamespace",
+			network:    &SriovIBNetwork{ObjectMeta: metav1.ObjectMeta{Namespace: "operator-namespace"}, Spec: SriovIBNetworkSpec{NetworkNamespace: ""}},
+			shouldFail: false,
+		},
+		{
+			name:       "SriovIBNetwork in operator namespace with custom NetworkNamespace",
+			network:    &SriovIBNetwork{ObjectMeta: metav1.ObjectMeta{Namespace: "operator-namespace"}, Spec: SriovIBNetworkSpec{NetworkNamespace: "xxx"}},
+			shouldFail: false,
+		},
+		{
+			name:       "SriovIBNetwork in custom namespace with empty NetworkNamespace",
+			network:    &SriovIBNetwork{ObjectMeta: metav1.ObjectMeta{Namespace: "xxx"}, Spec: SriovIBNetworkSpec{NetworkNamespace: ""}},
+			shouldFail: false,
+		},
+		{
+			name:       "OVSNetwork in operator namespace with empty NetworkNamespace",
+			network:    &OVSNetwork{ObjectMeta: metav1.ObjectMeta{Namespace: "operator-namespace"}, Spec: OVSNetworkSpec{NetworkNamespace: ""}},
+			shouldFail: false,
+		},
+		{
+			name:       "OVSNetwork in operator namespace with custom NetworkNamespace",
+			network:    &OVSNetwork{ObjectMeta: metav1.ObjectMeta{Namespace: "operator-namespace"}, Spec: OVSNetworkSpec{NetworkNamespace: "xxx"}},
+			shouldFail: false,
+		},
+		{
+			name:       "OVSNetwork in custom namespace with empty NetworkNamespace",
+			network:    &OVSNetwork{ObjectMeta: metav1.ObjectMeta{Namespace: "xxx"}, Spec: OVSNetworkSpec{NetworkNamespace: ""}},
+			shouldFail: false,
+		},
+		{
+			name:       "SriovNetwork in custom namespace with custom NetworkNamespace",
+			network:    &SriovNetwork{ObjectMeta: metav1.ObjectMeta{Namespace: "xxx"}, Spec: SriovNetworkSpec{NetworkNamespace: "yyy"}},
+			shouldFail: true,
+		},
+		{
+			name:       "SriovIBNetwork in custom namespace with custom NetworkNamespace",
+			network:    &SriovIBNetwork{ObjectMeta: metav1.ObjectMeta{Namespace: "xxx"}, Spec: SriovIBNetworkSpec{NetworkNamespace: "yyy"}},
+			shouldFail: true,
+		},
+		{
+			name:       "OVSNetwork in custom namespace with custom NetworkNamespace",
+			network:    &OVSNetwork{ObjectMeta: metav1.ObjectMeta{Namespace: "xxx"}, Spec: OVSNetworkSpec{NetworkNamespace: "yyy"}},
+			shouldFail: true,
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			err := validateNetworkNamespace(tc.network)
+			if tc.shouldFail && err == nil {
+				t.Error("expected error but got none")
+			}
+			if !tc.shouldFail && err != nil {
+				t.Errorf("expected no error but got: %v", err)
+			}
+		})
+	}
+}
diff --git a/pkg/webhook/webhook.go b/pkg/webhook/webhook.go
@@ -97,6 +97,49 @@ func ValidateCustomResource(ar v1.AdmissionReview) *v1.AdmissionResponse {
 				Reason: metav1.StatusReason(err.Error()),
 			}
 		}
+
+	case "SriovNetwork":
+		network := sriovnetworkv1.SriovNetwork{}
+
+		err = json.Unmarshal(raw, &network)
+		if err != nil {
+			log.Log.Error(err, "failed to unmarshal object")
+			return toV1AdmissionResponse(err)
+		}
+
+		if reviewResponse.Allowed, reviewResponse.Warnings, err = validateSriovNetwork(&network, ar.Request.Operation); err != nil {
+			reviewResponse.Result = &metav1.Status{
+				Reason: metav1.StatusReason(err.Error()),
+			}
+		}
+	case "SriovIBNetwork":
+		network := sriovnetworkv1.SriovIBNetwork{}
+
+		err = json.Unmarshal(raw, &network)
+		if err != nil {
+			log.Log.Error(err, "failed to unmarshal object")
+			return toV1AdmissionResponse(err)
+		}
+
+		if reviewResponse.Allowed, reviewResponse.Warnings, err = validateSriovIBNetwork(&network, ar.Request.Operation); err != nil {
+			reviewResponse.Result = &metav1.Status{
+				Reason: metav1.StatusReason(err.Error()),
+			}
+		}
+	case "OVSNetwork":
+		network := sriovnetworkv1.OVSNetwork{}
+
+		err = json.Unmarshal(raw, &network)
+		if err != nil {
+			log.Log.Error(err, "failed to unmarshal object")
+			return toV1AdmissionResponse(err)
+		}
+
+		if reviewResponse.Allowed, reviewResponse.Warnings, err = validateOVSNetwork(&network, ar.Request.Operation); err != nil {
+			reviewResponse.Result = &metav1.Status{
+				Reason: metav1.StatusReason(err.Error()),
+			}
+		}
 	}
 
 	return &reviewResponse
