Allow osd-admin user with cluster-admins group for e2e tests

dustman9000 · dustman9000 · commit 59ae773e2034 · 2025-10-01T10:46:01.000-07:00
Add exemption for the osd-admin user when it has the cluster-admins group
to support OpenShift CI e2e tests. This is a targeted exemption that requires
both the specific username AND group membership.

Security rationale:
- In production OSD clusters, customers cannot arbitrarily assign users to
  the cluster-admins group as it's managed by the OAuth infrastructure
- The exemption only applies when BOTH conditions are met: username is
  osd-admin AND user is in cluster-admins group
- This is more restrictive than the previous blanket cluster-admins group
  exemption that was removed in SREP-1565

This fixes CI test failures in openshift/origin endpoint admission tests
where the osd-admin user needs to create privileged namespaces like
kube-system for testing purposes.
diff --git a/pkg/webhooks/namespace/namespace.go b/pkg/webhooks/namespace/namespace.go
@@ -371,6 +371,15 @@ func amIAdmin(request admissionctl.Request) bool {
 		}
 	}
 
+	// Allow osd-admin user only when it's in the cluster-admins group
+	// This is specifically for OpenShift CI e2e tests
+	// Note: This is a security trade-off - we're allowing this specific combination
+	// for e2e test compatibility. In production OSD clusters, customers cannot
+	// create users with the cluster-admins group as it's managed by OAuth.
+	if request.UserInfo.Username == "osd-admin" && slices.Contains(request.UserInfo.Groups, "cluster-admins") {
+		return true
+	}
+
 	return false
 }
 
diff --git a/pkg/webhooks/namespace/namespace_test.go b/pkg/webhooks/namespace/namespace_test.go
@@ -1162,3 +1162,37 @@ func TestGetURI(t *testing.T) {
 		t.Fatalf("Hook URI does not begin with a /")
 	}
 }
+
+// TestE2EAdminUser tests the e2e test user exemption
+func TestE2EAdminUser(t *testing.T) {
+	tests := []namespaceTestSuites{
+		{
+			// osd-admin with cluster-admins group should be allowed (for CI e2e tests)
+			testID:          "e2e-osd-admin-with-cluster-admins",
+			targetNamespace: "kube-system",
+			username:        "osd-admin",
+			userGroups:      []string{"cluster-admins", "system:authenticated:oauth", "system:authenticated"},
+			operation:       admissionv1.Create,
+			shouldBeAllowed: true,
+		},
+		{
+			// osd-admin without cluster-admins group should be denied
+			testID:          "osd-admin-without-cluster-admins",
+			targetNamespace: "kube-system",
+			username:        "osd-admin",
+			userGroups:      []string{"system:authenticated:oauth", "system:authenticated"},
+			operation:       admissionv1.Create,
+			shouldBeAllowed: false,
+		},
+		{
+			// Different user with cluster-admins should still be denied (cluster-admins exemption was removed)
+			testID:          "other-user-with-cluster-admins",
+			targetNamespace: "kube-system",
+			username:        "some-other-user",
+			userGroups:      []string{"cluster-admins", "system:authenticated:oauth", "system:authenticated"},
+			operation:       admissionv1.Create,
+			shouldBeAllowed: false,
+		},
+	}
+	runNamespaceTests(t, tests)
+}

Original file line number	Diff line number	Diff line change
`@@ -371,6 +371,15 @@ func amIAdmin(request admissionctl.Request) bool {`
`371`	`371`	`}`
`372`	`372`	`}`
`373`	`373`
	`374`	`+ // Allow osd-admin user only when it's in the cluster-admins group`
	`375`	`+ // This is specifically for OpenShift CI e2e tests`
	`376`	`+ // Note: This is a security trade-off - we're allowing this specific combination`
	`377`	`+ // for e2e test compatibility. In production OSD clusters, customers cannot`
	`378`	`+ // create users with the cluster-admins group as it's managed by OAuth.`
	`379`	`+ if request.UserInfo.Username == "osd-admin" && slices.Contains(request.UserInfo.Groups, "cluster-admins") {`
	`380`	`+ return true`
	`381`	`+ }`
	`382`	`+`
`374`	`383`	`return false`
`375`	`384`	`}`
`376`	`385`