From 9c3c3bfd9ef67916ea609ad578ff07c8d4de2712 Mon Sep 17 00:00:00 2001
From: Krzysztof Kwiatosz
Date: Mon, 12 Feb 2024 14:24:06 +0100
Subject: [PATCH] Warden admission control for labelled namespaces only as per webhook configuration (#192)
* Warden admission should act only in labelled namespaces as per webhook configuration
* give time to k8s in integration test
* give time to k8s in integration test
---
 .../warden-admission/templates/webhook.yaml | 11 ++++++++--
 internal/webhook/webhook.go | 21 +++++++++++++++----
 tests/helpers/test_context.go | 14 ++++++++-----
 3 files changed, 35 insertions(+), 11 deletions(-)
diff --git a/charts/warden/charts/warden-admission/templates/webhook.yaml b/charts/warden/charts/warden-admission/templates/webhook.yaml
index 5de3fc24..2d7c34ae 100644
--- a/charts/warden/charts/warden-admission/templates/webhook.yaml
+++ b/charts/warden/charts/warden-admission/templates/webhook.yaml
@@ -13,9 +13,12 @@ webhooks:
 failurePolicy: Ignore
 sideEffects: None
 matchPolicy: Exact
- timeoutSeconds: 15
+ timeoutSeconds: 1
 admissionReviewVersions: [ "v1beta1", "v1" ]
 name: validation.webhook.warden.kyma-project.io
+ namespaceSelector:
+ matchLabels:
+ namespaces.warden.kyma-project.io/validate: enabled
 ---
 apiVersion: admissionregistration.k8s.io/v1
 kind: MutatingWebhookConfiguration
@@ -31,6 +34,10 @@ webhooks:
 failurePolicy: Ignore
 sideEffects: None
 matchPolicy: Exact
- timeoutSeconds: 15
+ timeoutSeconds: 10
 admissionReviewVersions: [ "v1beta1", "v1" ]
 name: defaulting.webhook.warden.kyma-project.io
+ namespaceSelector:
+ matchLabels:
+ namespaces.warden.kyma-project.io/validate: enabled
+
diff --git a/internal/webhook/webhook.go b/internal/webhook/webhook.go
index 2b50fefa..ad774036 100644
--- a/internal/webhook/webhook.go
+++ b/internal/webhook/webhook.go
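Review bot: Lowering `timeoutSeconds` to 1 on the validating webhook while the context line `failurePolicy: Ignore` stays in place means any validation call that takes longer than a second is admitted without a verdict, so the first hunk narrows the window in which a rejection can actually be enforced; the same fail-open behaviour applies to the 10 s value in the second hunk. If 1 s is deliberate, a template comment next to it would record the trade-off, e.g. `# with failurePolicy Ignore a webhook timeout admits the pod; keep in sync with ValidationWebhookTimeout in internal/webhook/webhook.go`. The `namespaceSelector` label is spelled out literally here and again as `pkg.NamespaceValidationLabel`/`pkg.NamespaceValidationEnabled` in internal/webhook/webhook.go, so a comment cross-referencing the Go constants would help keep the two definitions from drifting. The second hunk also appends a trailing blank line at the end of the file.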
@@ -2,11 +2,13 @@ package webhook
 import (
 "context"
- "k8s.io/utils/ptr"
 "reflect"
+ "k8s.io/utils/ptr"
+ "github.com/kyma-project/warden/internal/admission"
+ "github.com/kyma-project/warden/pkg"
 "github.com/pkg/errors"
 admissionregistrationv1 "k8s.io/api/admissionregistration/v1"
 corev1 "k8s.io/api/core/v1"
@@ -25,7 +27,8 @@ const (
 DefaultingWebhookName = "defaulting.webhook.warden.kyma-project.io"
 ValidationWebhookName = "validation.webhook.warden.kyma-project.io"
- WebhookTimeout = 15
+ ValidationWebhookTimeout = 1
+ MutationWebhookTimeout = 10
 PodValidationPath = "/validation/pods"
 )
@@ -123,7 +126,12 @@ func getFunctionMutatingWebhookCfg(config WebhookConfig) admissionregistrationv1
 },
 },
 SideEffects: &sideEffects,
- TimeoutSeconds: ptr.To[int32](WebhookTimeout),
+ TimeoutSeconds: ptr.To[int32](MutationWebhookTimeout),
+ NamespaceSelector: &metav1.LabelSelector{
+ MatchLabels: map[string]string{
+ pkg.NamespaceValidationLabel: pkg.NamespaceValidationEnabled,
+ },
+ },
 }
 }
@@ -172,7 +180,12 @@ func createValidatingWebhookConfiguration(config WebhookConfig) *admissionregist
 },
 SideEffects: &sideEffects,
- TimeoutSeconds: ptr.To[int32](WebhookTimeout),
+ TimeoutSeconds: ptr.To[int32](ValidationWebhookTimeout),
+ NamespaceSelector: &metav1.LabelSelector{
+ MatchLabels: map[string]string{
+ pkg.NamespaceValidationLabel: pkg.NamespaceValidationEnabled,
+ },
+ },
 },
 },
 }
diff --git a/tests/helpers/test_context.go b/tests/helpers/test_context.go
index 4bc56a04..103a0cc4 100644
--- a/tests/helpers/test_context.go
+++ b/tests/helpers/test_context.go
@@ -3,14 +3,14 @@ package helpers
 import (
 "context"
 "fmt"
+ "testing"
+ "time"
+
 "github.com/pkg/errors"
 "github.com/stretchr/testify/require"
- "k8s.io/api/core/v1"
- corev1 "k8s.io/api/core/v1"
+ v1 "k8s.io/api/core/v1"
 ctrl "sigs.k8s.io/controller-runtime"
 ctrlclient "sigs.k8s.io/controller-runtime/pkg/client"
- "testing"
- "time"
 )
 type testContext struct {
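Review bot: The new exported constants `ValidationWebhookTimeout` and `MutationWebhookTimeout` in the `const` hunk have no doc comments, and nothing records why the validating call gets 1 s while the mutating call gets 10 s, or that a timeout under the chart's `failurePolicy: Ignore` admits the pod; suggest `// ValidationWebhookTimeout is the validating webhook's per-call timeout in seconds; a timeout fails open (the pod is admitted), so keep it aligned with the chart template.` and a matching comment for `MutationWebhookTimeout`. The `NamespaceSelector` literal added in `getFunctionMutatingWebhookCfg` and again in `createValidatingWebhookConfiguration` is identical in both hunks, so a small helper would keep the two webhooks from drifting apart and gives a single place to note that the same label is also hard-coded in charts/warden/charts/warden-admission/templates/webhook.yaml. Since the selector makes the namespace label the only thing deciding whether a pod is validated at all, the helper's comment should say so explicitly. Both enclosing functions start and end outside their hunks.
```go
// namespaceSelector restricts a webhook to namespaces that opted in via the
// validation label; pods in any other namespace bypass Warden entirely, and the
// same label is duplicated in the warden-admission chart's webhook.yaml.
func namespaceSelector() *metav1.LabelSelector {
	return &metav1.LabelSelector{
		MatchLabels: map[string]string{
			pkg.NamespaceValidationLabel: pkg.NamespaceValidationEnabled,
		},
	}
}

// … unchanged: getFunctionMutatingWebhookCfg body up to SideEffects …
		TimeoutSeconds:    ptr.To[int32](MutationWebhookTimeout),
		NamespaceSelector: namespaceSelector(),
```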
@@ -19,7 +19,7 @@ type testContext struct {
 validationEnabled bool
 namePrefix string
 namespaceName string
- namespace *corev1.Namespace
+ namespace *v1.Namespace
 }
 func NewTestContext(t *testing.T, namePrefix string) *testContext {
@@ -42,6 +42,10 @@ func (tc *testContext) Initialize() *testContext {
 tc.client, err = ctrlclient.New(ctrl.GetConfigOrDie(), ctrlclient.Options{})
 require.NoError(tc.test, err)
 tc.CreateNamespace()
+ if tc.validationEnabled {
+ //give some time for k8s to reconcile webhook selectors
+ time.Sleep(1 * time.Second)
+ }
 return tc
 }
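Review bot: The fixed `time.Sleep(1 * time.Second)` added to `Initialize` in the second hunk papers over an ordering race between creating the labelled namespace and the API server applying the webhook's namespace selector, and a constant delay is both wasted time on a fast cluster and a flaky test on a loaded one. The file already imports testify's `require`, so a `require.Eventually` poll on an observable condition would be more robust, although from this hunk alone I cannot tell what the test can observe once the selector is in effect. At minimum the comment should name the effect being waited for, e.g. `// wait for the API server to pick up the namespace label; until then the webhooks' namespaceSelector does not match this namespace`, and `//give` should be written `// give` per Go comment convention. The body of `Initialize` begins outside the hunk.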