From b9b17245b9f5071bab7f1af1e37f1b7f38b87efd Mon Sep 17 00:00:00 2001
From: Elvin Efendi
Date: Fri, 4 Feb 2022 07:57:31 -0500
Subject: [PATCH] Do not validate ingresses with unknown ingress class in admission webhook endpoint.
---
 internal/ingress/controller/controller.go | 6 ++++
 .../ingress/controller/controller_test.go | 4 +++
 internal/ingress/controller/store/store.go | 3 ++
 test/e2e/admission/admission.go | 29 +++++++++++++++++++
 4 files changed, 42 insertions(+)
diff --git a/internal/ingress/controller/controller.go b/internal/ingress/controller/controller.go
index 48a91b67b8..9afe009531 100644
--- a/internal/ingress/controller/controller.go
+++ b/internal/ingress/controller/controller.go
@@ -233,6 +233,12 @@ func (n *NGINXController) CheckIngress(ing *networking.Ingress) error {
 return nil
 }
+ // Do not attempt to validate an ingress that's not meant to be controlled by the current instance of the controller.
+ if ingressClass, err := n.store.GetIngressClass(ing, n.cfg.IngressClassConfiguration); ingressClass == "" {
+ klog.Warningf("ignoring ingress %v in %v based on annotation %v: %v", ing.Name, ing.ObjectMeta.Namespace, ingressClass, err)
+ return nil
+ }
+
 if n.cfg.Namespace != "" && ing.ObjectMeta.Namespace != n.cfg.Namespace {
 klog.Warningf("ignoring ingress %v in namespace %v different from the namespace watched %s", ing.Name, ing.ObjectMeta.Namespace, n.cfg.Namespace)
 return nil
diff --git a/internal/ingress/controller/controller_test.go b/internal/ingress/controller/controller_test.go
index b67929b972..5e3eb91134 100644
--- a/internal/ingress/controller/controller_test.go
+++ b/internal/ingress/controller/controller_test.go
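Review bot: The guard added to CheckIngress skips validation whenever `ingressClass == ""` and only logs `err`, so an error returned by GetIngressClass is handled exactly like "belongs to another controller" and the webhook admits the object unvalidated. GetIngressClass's implementation is not part of this diff, so it should be confirmed whether it can fail for an ingress this instance would later sync; if it can, that case needs to be told apart from a plain class mismatch instead of returning nil. Inside this branch `ingressClass` is always empty, so the third `%v` prints nothing, and "based on annotation" is misleading for a class set through `spec.ingressClassName`; `klog.Warningf("skipping validation of ingress %v/%v, not handled by this controller: %v", ing.ObjectMeta.Namespace, ing.Name, err)` says what is actually known. CheckIngress starts above the hunk and continues below it.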
@@ -63,6 +63,10 @@ type fakeIngressStore struct {
 configuration ngx_config.Configuration
 }
+func (fakeIngressStore) GetIngressClass(ing *networking.Ingress, icConfig *ingressclass.IngressClassConfiguration) (string, error) {
+ return "nginx", nil
+}
+
 func (fis fakeIngressStore) GetBackendConfiguration() ngx_config.Configuration {
 return fis.configuration
 }
diff --git a/internal/ingress/controller/store/store.go b/internal/ingress/controller/store/store.go
index 7e9b897358..2b15dc74d2 100644
--- a/internal/ingress/controller/store/store.go
+++ b/internal/ingress/controller/store/store.go
@@ -98,6 +98,9 @@ type Storer interface {
 // Run initiates the synchronization of the controllers
 Run(stopCh chan struct{})
+
+ // GetIngressClass validates given ingress against ingress class configuration and returns the ingress class.
+ GetIngressClass(ing *networkingv1.Ingress, icConfig *ingressclass.IngressClassConfiguration) (string, error)
 }
 // EventType type of event associated with an informer
diff --git a/test/e2e/admission/admission.go b/test/e2e/admission/admission.go
index 2099e54d4a..c4c1ef76da 100644
--- a/test/e2e/admission/admission.go
+++ b/test/e2e/admission/admission.go
@@ -191,6 +191,12 @@ var _ = framework.IngressNginxDescribe("[Serial] admission controller", func() {
 assert.NotNil(ginkgo.GinkgoT(), err, "creating an ingress with invalid configuration should return an error")
 }
 })
+
+ ginkgo.It("should not return an error for an invalid Ingress when it has unknown class", func() {
+ out, err := createIngress(f.Namespace, invalidV1IngressWithOtherClass)
+ assert.Equal(ginkgo.GinkgoT(), "ingress.networking.k8s.io/extensions-invalid-other created\n", out)
+ assert.Nil(ginkgo.GinkgoT(), err, "creating an invalid ingress with unknown class using kubectl")
+ })
 })
 func uninstallChart(f *framework.Framework) error {
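Review bot: The fake's GetIngressClass always returns `"nginx", nil`, so no unit test can reach the early return this commit adds to CheckIngress, neither for an empty class nor for an error. Returning fields instead, e.g. `return fis.ingressClass, fis.ingressClassErr` with a named receiver, would let a test cover both cases; existing tests would then have to set a non-empty class to keep exercising validation. The fakeIngressStore struct is declared above the hunk, so the fields would be added there.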
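Review bot: The doc comment on GetIngressClass does not say what is returned for an ingress this instance does not handle, which is the case CheckIngress now branches on with `ingressClass == ""`. If the contract is an empty string together with a non-nil error, state it, e.g. `// It returns "" and an error when the ingress is not handled by this controller instance.`; the implementation is not in this diff, so the wording should be checked against it. The Storer interface starts above the hunk.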
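Review bot: This test asserts only that kubectl creates the object, so it pins the webhook's new pass-through but not that the `configuration-snippet` of a foreign-class ingress stays out of this controller's rendered nginx configuration. Since admission validation is now bypassed for such objects, an additional assertion that the generated configuration does not contain `invalid directive` would guard the assumption the bypass rests on. Comparing stdout with the exact string also ties the test to kubectl's output format; `assert.Contains(ginkgo.GinkgoT(), out, "extensions-invalid-other")` together with the `err` check would be less brittle. The enclosing Describe closure starts above the hunk.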
@@ -270,6 +276,29 @@ spec:
 port:
 number: 80
 ---
+`
+ invalidV1IngressWithOtherClass = `
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: extensions-invalid-other
+ annotations:
+ nginx.ingress.kubernetes.io/configuration-snippet: |
+ invalid directive
+spec:
+ ingressClassName: nginx-other
+ rules:
+ - host: extensions-invalid
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: echo
+ port:
+ number: 80
+---
 `
 )