Add CEL to limit adding the of overrides on AuthPolicies attached to …

…HTTPRoutes
Kuadrant · Apr 15, 2024 · c67790f · c67790f
1 parent 1fd5374
commit c67790f
Show file tree

Hide file tree

Showing 3 changed files with 16 additions and 0 deletions.
diff --git a/api/v1beta2/authpolicy_types.go b/api/v1beta2/authpolicy_types.go
@@ -156,6 +156,7 @@ type CallbackSpec struct {
 // +kubebuilder:validation:XValidation:rule="!(has(self.defaults) && (has(self.routeSelectors) || has(self.patterns) || has(self.when) || has(self.rules)))",message="Implicit and explicit defaults are mutually exclusive"
 // +kubebuilder:validation:XValidation:rule="!(has(self.overrides) && (has(self.routeSelectors) || has(self.patterns) || has(self.when) || has(self.rules)))",message="Implicit defaults and explicit overrides are mutually exclusive"
 // +kubebuilder:validation:XValidation:rule="!(has(self.overrides) && has(self.defaults))",message="Explicit overrides and explicit defaults are mutually exclusive"
+// +kubebuilder:validation:XValidation:rule="!(has(self.overrides) && self.targetRef.kind == 'HTTPRoute')",message="Overrides are not allowed for policies targeting a HTTPRoute resource"
 type AuthPolicySpec struct {
 	// TargetRef identifies an API object to apply policy to.
 	// +kubebuilder:validation:XValidation:rule="self.group == 'gateway.networking.k8s.io'",message="Invalid targetRef.group. The only supported value is 'gateway.networking.k8s.io'"

diff --git a/config/crd/bases/kuadrant.io_authpolicies.yaml b/config/crd/bases/kuadrant.io_authpolicies.yaml
@@ -13075,6 +13075,9 @@ spec:
                 || has(self.when) || has(self.rules)))'
             - message: Explicit overrides and explicit defaults are mutually exclusive
               rule: '!(has(self.overrides) && has(self.defaults))'
+            - message: Overrides are not allowed for policies targeting a HTTPRoute
+                resource
+              rule: '!(has(self.overrides) && self.targetRef.kind == ''HTTPRoute'')'
           status:
             properties:
               conditions:

diff --git a/controllers/authpolicy_controller_test.go b/controllers/authpolicy_controller_test.go
@@ -1474,6 +1474,18 @@ var _ = Describe("AuthPolicy controller", func() {
 			Eventually(isAuthPolicyEnforced(gatewayPolicy), 30*time.Second, 5*time.Second).Should(BeFalse())
 			Eventually(isAuthPolicyEnforced(routePolicy), 30*time.Second, 5*time.Second).Should(BeTrue())
 		})
+
+		It("Blocks creation of AuthPolicies with overrides targeting HTTPRoutes", func() {
+			routePolicy := policyFactory(func(policy *api.AuthPolicy) {
+				policy.Spec.Overrides = &api.AuthPolicyCommonSpec{}
+				policy.Spec.Defaults = nil
+				policy.Spec.Overrides.AuthScheme = testBasicAuthScheme()
+			})
+			err := k8sClient.Create(context.Background(), routePolicy)
+			logf.Log.V(1).Info("Creating AuthPolicy", "key", client.ObjectKeyFromObject(routePolicy).String(), "error", err)
+			Expect(err).To(HaveOccurred())
+			Expect(err.Error()).To(ContainSubstring("Overrides are not allowed for policies targeting a HTTPRoute resource"))
+		})
 	})
 })