Skip to content

Commit

Permalink
Do not validate ingresses with unknown ingress class in admission web…
Browse files Browse the repository at this point in the history
…hook endpoint. (#8221)
  • Loading branch information
ElvinEfendi authored Feb 6, 2022
1 parent d769cea commit 04035cc
Show file tree
Hide file tree
Showing 4 changed files with 42 additions and 0 deletions.
6 changes: 6 additions & 0 deletions internal/ingress/controller/controller.go
Original file line number Diff line number Diff line change
Expand Up @@ -233,6 +233,12 @@ func (n *NGINXController) CheckIngress(ing *networking.Ingress) error {
return nil
}

// Do not attempt to validate an ingress that's not meant to be controlled by the current instance of the controller.
if ingressClass, err := n.store.GetIngressClass(ing, n.cfg.IngressClassConfiguration); ingressClass == "" {
klog.Warningf("ignoring ingress %v in %v based on annotation %v: %v", ing.Name, ing.ObjectMeta.Namespace, ingressClass, err)
return nil
}

if n.cfg.Namespace != "" && ing.ObjectMeta.Namespace != n.cfg.Namespace {
klog.Warningf("ignoring ingress %v in namespace %v different from the namespace watched %s", ing.Name, ing.ObjectMeta.Namespace, n.cfg.Namespace)
return nil
Expand Down
4 changes: 4 additions & 0 deletions internal/ingress/controller/controller_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -63,6 +63,10 @@ type fakeIngressStore struct {
configuration ngx_config.Configuration
}

func (fakeIngressStore) GetIngressClass(ing *networking.Ingress, icConfig *ingressclass.IngressClassConfiguration) (string, error) {
return "nginx", nil
}

func (fis fakeIngressStore) GetBackendConfiguration() ngx_config.Configuration {
return fis.configuration
}
Expand Down
3 changes: 3 additions & 0 deletions internal/ingress/controller/store/store.go
Original file line number Diff line number Diff line change
Expand Up @@ -98,6 +98,9 @@ type Storer interface {

// Run initiates the synchronization of the controllers
Run(stopCh chan struct{})

// GetIngressClass validates given ingress against ingress class configuration and returns the ingress class.
GetIngressClass(ing *networkingv1.Ingress, icConfig *ingressclass.IngressClassConfiguration) (string, error)
}

// EventType type of event associated with an informer
Expand Down
29 changes: 29 additions & 0 deletions test/e2e/admission/admission.go
Original file line number Diff line number Diff line change
Expand Up @@ -191,6 +191,12 @@ var _ = framework.IngressNginxDescribe("[Serial] admission controller", func() {
assert.NotNil(ginkgo.GinkgoT(), err, "creating an ingress with invalid configuration should return an error")
}
})

ginkgo.It("should not return an error for an invalid Ingress when it has unknown class", func() {
out, err := createIngress(f.Namespace, invalidV1IngressWithOtherClass)
assert.Equal(ginkgo.GinkgoT(), "ingress.networking.k8s.io/extensions-invalid-other created\n", out)
assert.Nil(ginkgo.GinkgoT(), err, "creating an invalid ingress with unknown class using kubectl")
})
})

func uninstallChart(f *framework.Framework) error {
Expand Down Expand Up @@ -270,6 +276,29 @@ spec:
port:
number: 80
---
`
invalidV1IngressWithOtherClass = `
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: extensions-invalid-other
annotations:
nginx.ingress.kubernetes.io/configuration-snippet: |
invalid directive
spec:
ingressClassName: nginx-other
rules:
- host: extensions-invalid
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: echo
port:
number: 80
---
`
)

Expand Down

0 comments on commit 04035cc

Please sign in to comment.