From d32eb1bd18dbdf7a4e57bf224f42eb8573400d36 Mon Sep 17 00:00:00 2001
From: Niklas Roeske
Date: Thu, 19 Dec 2024 13:08:04 +0100
Subject: [PATCH] #221 Validate security in doguSecurityContextManager

---
 controllers/doguSecurityContextManager.go | 20 +++++++++++++++++--
 .../doguSecurityContextManager_test.go | 3 ++-
 2 files changed, 20 insertions(+), 3 deletions(-)

diff --git a/controllers/doguSecurityContextManager.go b/controllers/doguSecurityContextManager.go
index e2e7b057..e717edb8 100644
--- a/controllers/doguSecurityContextManager.go
+++ b/controllers/doguSecurityContextManager.go
@@ -6,6 +6,8 @@ import (
 k8sv2 "github.com/cloudogu/k8s-dogu-operator/v3/api/v2"
 "github.com/cloudogu/k8s-dogu-operator/v3/controllers/resource"
 "github.com/cloudogu/k8s-dogu-operator/v3/controllers/util"
+ corev1 "k8s.io/api/core/v1"
+ "k8s.io/client-go/tools/record"
 "sigs.k8s.io/controller-runtime/pkg/log"
 )
 
@@ -19,24 +21,38 @@ const (
 
 type doguSecurityContextManager struct {
 resourceDoguFetcher resourceDoguFetcher
 resourceUpserter resource.ResourceUpserter
+ securityValidator securityValidator
+ recorder eventRecorder
 }
 
-func NewDoguSecurityContextManager(mgrSet *util.ManagerSet) *doguSecurityContextManager {
+func NewDoguSecurityContextManager(mgrSet *util.ManagerSet, eventRecorder record.EventRecorder) *doguSecurityContextManager {
 return &doguSecurityContextManager{
 resourceDoguFetcher: mgrSet.ResourceDoguFetcher,
 resourceUpserter: mgrSet.ResourceUpserter,
+ securityValidator: mgrSet.SecurityValidator,
+ recorder: eventRecorder,
 }
 }
 
 func (d doguSecurityContextManager) UpdateDeploymentWithSecurityContext(ctx context.Context, doguResource *k8sv2.Dogu) error {
 logger := log.FromContext(ctx)
+ logger.Info("Fetching dogu...")
+ d.recorder.Event(doguResource, corev1.EventTypeNormal, SecurityContextChangeEventReason, "Fetching dogu...")
 dogu, _, err := d.resourceDoguFetcher.FetchWithResource(ctx, doguResource)
 if err != nil {
 return fmt.Errorf("failed to fetch dogu %s: %w", doguResource.Spec.Name, err)
 }
 
- logger.Info("Upserting deployment... ")
+ logger.Info("Validating dogu security...")
+ d.recorder.Event(doguResource, corev1.EventTypeNormal, SecurityContextChangeEventReason, "Validating dogu security...")
+ err = d.securityValidator.ValidateSecurity(dogu, doguResource)
+ if err != nil {
+ return err
+ }
+
+ logger.Info("Upserting deployment...")
+ d.recorder.Event(doguResource, corev1.EventTypeNormal, SecurityContextChangeEventReason, "Upserting deployment...")
 _, err = d.resourceUpserter.UpsertDoguDeployment(ctx, doguResource, dogu, nil)
 if err != nil {
 return fmt.Errorf("failed to upsert deployment with security context: %w", err)
diff --git a/controllers/doguSecurityContextManager_test.go b/controllers/doguSecurityContextManager_test.go
index 36bd0a44..467cd843 100644
--- a/controllers/doguSecurityContextManager_test.go
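Review bot: The new validation branch in UpdateDeploymentWithSecurityContext returns the validator's error bare, while the fetch and upsert errors on either side of it are wrapped with the dogu name and `%w`, and, unlike the three Normal progress events this hunk records, a failed security validation is never surfaced as an event on the Dogu resource, so the one outcome an operator most needs to see is the only one not recorded. Suggest replacing `return err` with `d.recorder.Event(doguResource, corev1.EventTypeWarning, SecurityContextChangeEventReason, fmt.Sprintf("Security validation failed: %s", err))` followed by `return fmt.Errorf("security validation failed for dogu %s: %w", doguResource.Spec.Name, err)`. Whether the project's eventRecorder interface also exposes Eventf cannot be seen from the hunk, so Event with a formatted message is the safe form. The function body continues past the end of the hunk.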
+++ b/controllers/doguSecurityContextManager_test.go
@@ -17,9 +17,10 @@ func TestNewDoguSecurityContextManager(t *testing.T) {
 t.Run("success", func(t *testing.T) {
 // given
 mgrSet := &util.ManagerSet{}
+ mockEventRecorder := &mockEventRecorder{}
 
 // when
- doguSecurityContextManager := NewDoguSecurityContextManager(mgrSet)
+ doguSecurityContextManager := NewDoguSecurityContextManager(mgrSet, mockEventRecorder)
 
 // then
 require.NotNil(t, doguSecurityContextManager)
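Review bot: Only the constructor test is adapted here, so the new security-validation path in UpdateDeploymentWithSecurityContext, where ValidateSecurity returns an error and the deployment upsert must be skipped, gets no coverage in this patch as far as the hunk shows; the rest of the test file is not visible, so such a case may already exist elsewhere. A case that wires a securityValidator mock returning an error and asserts both that the error propagates and that UpsertDoguDeployment is never invoked would pin the behaviour that makes this change a security control rather than a log line. TestNewDoguSecurityContextManager starts before and ends after the hunk.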