Merge pull request #6944 from XiShanYongYe-Chang/add-validate-for-binding

add valition for binding resourcebinding.karmada.io/dependencies annotation

Author: karmada-bot

pkg/dependenciesdistributor/dependencies_distributor.go

@@ -78,13 +78,6 @@ const (
 	dependedByLabelKeyPrefix = "resourcebinding.karmada.io/depended-by-"
 )
 
-// well-know annotations
-const (
-	// dependenciesAnnotationKey is added to the independent binding,
-	// it describes the names of dependencies (json serialized).
-	dependenciesAnnotationKey = "resourcebinding.karmada.io/dependencies"
-)
-
 // LabelsKey is the object key which is a unique identifier under a cluster, across all resources.
 type LabelsKey struct {
 	keys.ClusterWideKey
@@ -211,7 +204,7 @@ func (d *DependenciesDistributor) reconcileResourceTemplate(key util.QueueKey) e
 // matchesWithBindingDependencies tells if the given object(resource template) is matched
 // with the dependencies of independent resourceBinding.
 func matchesWithBindingDependencies(resourceTemplateKey *LabelsKey, independentBinding *workv1alpha2.ResourceBinding) bool {
-	dependencies, exist := independentBinding.Annotations[dependenciesAnnotationKey]
+	dependencies, exist := independentBinding.Annotations[util.DependenciesAnnotationKey]
 	if !exist {
 		return false
 	}
@@ -439,10 +432,10 @@ func (d *DependenciesDistributor) recordDependencies(ctx context.Context, indepe
 	}
 
 	// dependencies are not updated, no need to update annotation.
-	if oldDependencies, exist := objectAnnotation[dependenciesAnnotationKey]; exist && oldDependencies == dependenciesStr {
+	if oldDependencies, exist := objectAnnotation[util.DependenciesAnnotationKey]; exist && oldDependencies == dependenciesStr {
 		return nil
 	}
-	objectAnnotation[dependenciesAnnotationKey] = dependenciesStr
+	objectAnnotation[util.DependenciesAnnotationKey] = dependenciesStr
 
 	return retry.RetryOnConflict(retry.DefaultRetry, func() (err error) {
 		independentBinding.SetAnnotations(objectAnnotation)

pkg/dependenciesdistributor/dependencies_distributor_test.go

@@ -329,7 +329,7 @@ func Test_reconcileResourceTemplate(t *testing.T) {
 								"app": "test",
 							},
 							Annotations: map[string]string{
-								dependenciesAnnotationKey: "[{\"apiVersion\":\"apps/v1\",\"kind\":\"Deployment\",\"namespace\":\"test\",\"name\":\"demo-app\"}]",
+								util.DependenciesAnnotationKey: "[{\"apiVersion\":\"apps/v1\",\"kind\":\"Deployment\",\"namespace\":\"test\",\"name\":\"demo-app\"}]",
 							},
 						},
 						Spec: workv1alpha2.ResourceBindingSpec{
@@ -394,7 +394,7 @@ func Test_dependentObjectReferenceMatches(t *testing.T) {
 				},
 				referenceBinding: &workv1alpha2.ResourceBinding{
 					ObjectMeta: metav1.ObjectMeta{Annotations: map[string]string{
-						dependenciesAnnotationKey: "[{\"apiVersion\":\"example-stgzr.karmada.io/v1alpha1\",\"kind\":\"Foot5zmh\",\"namespace\":\"karmadatest-vpvll\",\"name\":\"cr-fxzq6\"}]",
+						util.DependenciesAnnotationKey: "[{\"apiVersion\":\"example-stgzr.karmada.io/v1alpha1\",\"kind\":\"Foot5zmh\",\"namespace\":\"karmadatest-vpvll\",\"name\":\"cr-fxzq6\"}]",
 					}},
 				},
 			},
@@ -415,7 +415,7 @@ func Test_dependentObjectReferenceMatches(t *testing.T) {
 				},
 				referenceBinding: &workv1alpha2.ResourceBinding{
 					ObjectMeta: metav1.ObjectMeta{Annotations: map[string]string{
-						dependenciesAnnotationKey: "[{\"apiVersion\":\"v1\",\"kind\":\"ConfigMap\",\"namespace\":\"karmadatest-h46wh\",\"name\":\"configmap-8w426\"}]",
+						util.DependenciesAnnotationKey: "[{\"apiVersion\":\"v1\",\"kind\":\"ConfigMap\",\"namespace\":\"karmadatest-h46wh\",\"name\":\"configmap-8w426\"}]",
 					}},
 				},
 			},
@@ -437,7 +437,7 @@ func Test_dependentObjectReferenceMatches(t *testing.T) {
 				},
 				referenceBinding: &workv1alpha2.ResourceBinding{
 					ObjectMeta: metav1.ObjectMeta{Annotations: map[string]string{
-						dependenciesAnnotationKey: "[{\"apiVersion\":\"v1\",\"kind\":\"ConfigMap\",\"namespace\":\"test\",\"labelSelector\":{\"matchExpressions\":[{\"key\":\"app\",\"operator\":\"In\",\"values\":[\"test\"]}]}}]",
+						util.DependenciesAnnotationKey: "[{\"apiVersion\":\"v1\",\"kind\":\"ConfigMap\",\"namespace\":\"test\",\"labelSelector\":{\"matchExpressions\":[{\"key\":\"app\",\"operator\":\"In\",\"values\":[\"test\"]}]}}]",
 					}},
 				},
 			},
@@ -1324,7 +1324,7 @@ func Test_recordDependencies(t *testing.T) {
 					Namespace:       "test",
 					ResourceVersion: "1001",
 					Annotations: map[string]string{
-						dependenciesAnnotationKey: "[{\"apiVersion\":\"v1\",\"kind\":\"Pod\",\"namespace\":\"default\",\"name\":\"pod\"}]",
+						util.DependenciesAnnotationKey: "[{\"apiVersion\":\"v1\",\"kind\":\"Pod\",\"namespace\":\"default\",\"name\":\"pod\"}]",
 					},
 				},
 				Spec: workv1alpha2.ResourceBindingSpec{
@@ -1352,7 +1352,7 @@ func Test_recordDependencies(t *testing.T) {
 							Namespace:       "test",
 							ResourceVersion: "1000",
 							Annotations: map[string]string{
-								dependenciesAnnotationKey: "[{\"apiVersion\":\"v1\",\"kind\":\"Pod\",\"namespace\":\"default\",\"name\":\"pod\"}]",
+								util.DependenciesAnnotationKey: "[{\"apiVersion\":\"v1\",\"kind\":\"Pod\",\"namespace\":\"default\",\"name\":\"pod\"}]",
 							},
 						},
 						Spec: workv1alpha2.ResourceBindingSpec{
@@ -1375,7 +1375,7 @@ func Test_recordDependencies(t *testing.T) {
 						Namespace:       "test",
 						ResourceVersion: "1000",
 						Annotations: map[string]string{
-							dependenciesAnnotationKey: "[{\"apiVersion\":\"v1\",\"kind\":\"Pod\",\"namespace\":\"default\",\"name\":\"pod\"}]",
+							util.DependenciesAnnotationKey: "[{\"apiVersion\":\"v1\",\"kind\":\"Pod\",\"namespace\":\"default\",\"name\":\"pod\"}]",
 						},
 					},
 					Spec: workv1alpha2.ResourceBindingSpec{
@@ -1403,7 +1403,7 @@ func Test_recordDependencies(t *testing.T) {
 					Namespace:       "test",
 					ResourceVersion: "1000",
 					Annotations: map[string]string{
-						dependenciesAnnotationKey: "[{\"apiVersion\":\"v1\",\"kind\":\"Pod\",\"namespace\":\"default\",\"name\":\"pod\"}]",
+						util.DependenciesAnnotationKey: "[{\"apiVersion\":\"v1\",\"kind\":\"Pod\",\"namespace\":\"default\",\"name\":\"pod\"}]",
 					},
 				},
 				Spec: workv1alpha2.ResourceBindingSpec{
@@ -1431,7 +1431,7 @@ func Test_recordDependencies(t *testing.T) {
 							Namespace:       "test",
 							ResourceVersion: "1000",
 							Annotations: map[string]string{
-								dependenciesAnnotationKey: "[{\"apiVersion\":\"v1\",\"kind\":\"Pod\",\"namespace\":\"default\",\"name\":\"pod\"}]",
+								util.DependenciesAnnotationKey: "[{\"apiVersion\":\"v1\",\"kind\":\"Pod\",\"namespace\":\"default\",\"name\":\"pod\"}]",
 							},
 						},
 						Spec: workv1alpha2.ResourceBindingSpec{
@@ -1479,7 +1479,7 @@ func Test_recordDependencies(t *testing.T) {
 					Namespace:       "test",
 					ResourceVersion: "1001",
 					Annotations: map[string]string{
-						dependenciesAnnotationKey: "[{\"apiVersion\":\"v1\",\"kind\":\"Pod\",\"namespace\":\"default\",\"name\":\"pod\"}]",
+						util.DependenciesAnnotationKey: "[{\"apiVersion\":\"v1\",\"kind\":\"Pod\",\"namespace\":\"default\",\"name\":\"pod\"}]",
 					},
 				},
 				Spec: workv1alpha2.ResourceBindingSpec{

pkg/util/constants.go

@@ -105,6 +105,10 @@ const (
 
 	// EndpointSliceProvisionClusterAnnotation is added to work of the dispatch EndpointSlice in consumption clusters' namespace.
 	EndpointSliceProvisionClusterAnnotation = "endpointslice.karmada.io/provision-cluster"
+
+	// DependenciesAnnotationKey is added to the independent binding,
+	// it describes the names of dependencies (json serialized).
+	DependenciesAnnotationKey = "resourcebinding.karmada.io/dependencies"
 )
 
 // Define finalizers used by karmada system.

pkg/webhook/resourcebinding/validating.go

@@ -18,6 +18,7 @@ package resourcebinding
 
 import (
 	"context"
+	"encoding/json"
 	"errors"
 	"fmt"
 	"net/http"
@@ -32,6 +33,7 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
 
+	configv1alpha1 "github.com/karmada-io/karmada/pkg/apis/config/v1alpha1"
 	policyv1alpha1 "github.com/karmada-io/karmada/pkg/apis/policy/v1alpha1"
 	workv1alpha2 "github.com/karmada-io/karmada/pkg/apis/work/v1alpha2"
 	"github.com/karmada-io/karmada/pkg/features"
@@ -64,6 +66,11 @@ func (v *ValidatingAdmission) Handle(ctx context.Context, req admission.Request)
 	}
 	klog.V(2).Infof("Processing ResourceBinding(%s/%s) for request: %s (%s)", rb.Namespace, rb.Name, req.Operation, req.UID)
 
+	if err := v.validateBindingAnnotations(rb.Annotations, field.NewPath("metadata").Child("annotations")); err != nil {
+		klog.Errorf("Admission denied for ResourceBinding %s/%s: %v", rb.Namespace, rb.Name, err)
+		return admission.Denied(err.Error())
+	}
+
 	if err := v.validateFederatedResourceQuota(ctx, req, rb, oldRB); err != nil {
 		if apierrors.IsInternalError(err) {
 			klog.Errorf("Internal error while processing ResourceBinding %s/%s: %v", rb.Namespace, rb.Name, err)
@@ -83,6 +90,22 @@ func (v *ValidatingAdmission) Handle(ctx context.Context, req admission.Request)
 	return admission.Allowed("")
 }
 
+func (v *ValidatingAdmission) validateBindingAnnotations(annotations map[string]string, fldPath *field.Path) error {
+	var allErrs field.ErrorList
+
+	dependencies, exist := annotations[util.DependenciesAnnotationKey]
+	if !exist {
+		return nil
+	}
+	var dependenciesSlice []configv1alpha1.DependentObjectReference
+	err := json.Unmarshal([]byte(dependencies), &dependenciesSlice)
+	if err != nil {
+		allErrs = append(allErrs, field.Invalid(fldPath.Child(util.DependenciesAnnotationKey), dependencies, "annotation value must be a valid JSON"))
+	}
+
+	return allErrs.ToAggregate()
+}
+
 // validateFederatedResourceQuota checks the FederatedResourceQuota for the ResourceBinding.
 // It returns a list of errors if validation fails, or nil if it passes.
 func (v *ValidatingAdmission) validateFederatedResourceQuota(ctx context.Context, req admission.Request, rb, oldRB *workv1alpha2.ResourceBinding) error {

pkg/webhook/resourcebinding/validating_test.go

@@ -118,6 +118,17 @@ func WithResourceRef(ref workv1alpha2.ObjectReference) RBOption {
 	}
 }
 
+func WithAnnotations(annotations map[string]string) RBOption {
+	return func(rb *workv1alpha2.ResourceBinding) {
+		if rb.Annotations == nil {
+			rb.Annotations = make(map[string]string)
+		}
+		for k, v := range annotations {
+			rb.Annotations[k] = v
+		}
+	}
+}
+
 func makeTestRB(namespace, name string, opts ...RBOption) *workv1alpha2.ResourceBinding {
 	defaultResourceRef := workv1alpha2.ObjectReference{
 		APIVersion: "v1", Kind: "Pod", Name: "test-pod-" + name, Namespace: namespace,
@@ -424,6 +435,48 @@ func TestValidatingAdmission_Handle(t *testing.T) {
 			enableFederatedQuotaEnforcementFeatureGate: true,
 			wantResponse: admission.Errored(http.StatusBadRequest, errors.New("decode failed")),
 		},
+		{
+			name: "valid dependencies annotation should be allowed",
+			req: newAdmissionRequestBuilder(t, admissionv1.Create, "default", "rb-valid-deps", "valid-deps").
+				WithObject(makeTestRB("default", "rb-valid-deps",
+					WithAnnotations(map[string]string{
+						"resourcebinding.karmada.io/dependencies": `[{"apiVersion":"v1","kind":"ConfigMap","namespace":"default","name":"my-config"}]`,
+					}))).
+				Build(),
+			decoder: &fakeDecoder{decodeObj: makeTestRB("default", "rb-valid-deps",
+				WithAnnotations(map[string]string{
+					"resourcebinding.karmada.io/dependencies": `[{"apiVersion":"v1","kind":"ConfigMap","namespace":"default","name":"my-config"}]`,
+				}))},
+			clientObjects: nil,
+			enableFederatedQuotaEnforcementFeatureGate: false,
+			wantResponse: admission.Allowed(""),
+		},
+		{
+			name: "invalid dependencies annotation should be denied",
+			req: newAdmissionRequestBuilder(t, admissionv1.Create, "default", "rb-invalid-deps", "invalid-deps").
+				WithObject(makeTestRB("default", "rb-invalid-deps",
+					WithAnnotations(map[string]string{
+						"resourcebinding.karmada.io/dependencies": `invalid-json-string`,
+					}))).
+				Build(),
+			decoder: &fakeDecoder{decodeObj: makeTestRB("default", "rb-invalid-deps",
+				WithAnnotations(map[string]string{
+					"resourcebinding.karmada.io/dependencies": `invalid-json-string`,
+				}))},
+			clientObjects: nil,
+			enableFederatedQuotaEnforcementFeatureGate: false,
+			wantResponse: admission.Denied("metadata.annotations.resourcebinding.karmada.io/dependencies: Invalid value: \"invalid-json-string\": annotation value must be a valid JSON"),
+		},
+		{
+			name: "no dependencies annotation should be allowed",
+			req: newAdmissionRequestBuilder(t, admissionv1.Create, "default", "rb-no-deps", "no-deps").
+				WithObject(makeTestRB("default", "rb-no-deps")).
+				Build(),
+			decoder:       &fakeDecoder{decodeObj: makeTestRB("default", "rb-no-deps")},
+			clientObjects: nil,
+			enableFederatedQuotaEnforcementFeatureGate: false,
+			wantResponse: admission.Allowed(""),
+		},
 		{
 			name: "create operation not yet scheduled should be allowed",
 			req: newAdmissionRequestBuilder(t, admissionv1.Create, rbUnscheduledCreate.Namespace, rbUnscheduledCreate.Name, "create-unscheduled").