From 59ae773e20346904684fa78c2e2e42de537d1cec Mon Sep 17 00:00:00 2001
From: Dustin Row
Date: Wed, 1 Oct 2025 10:46:01 -0700
Subject: [PATCH] Allow osd-admin user with cluster-admins group for e2e tests
Add exemption for the osd-admin user when it has the cluster-admins group to support OpenShift CI e2e tests. This is a targeted exemption that requires both the specific username AND group membership. Security rationale: - In production OSD clusters, customers cannot arbitrarily assign users to the cluster-admins group as it's managed by the OAuth infrastructure - The exemption only applies when BOTH conditions are met: username is osd-admin AND user is in cluster-admins group - This is more restrictive than the previous blanket cluster-admins group exemption that was removed in SREP-1565 This fixes CI test failures in openshift/origin endpoint admission tests where the osd-admin user needs to create privileged namespaces like kube-system for testing purposes.
---
 pkg/webhooks/namespace/namespace.go | 9 +++++++
 pkg/webhooks/namespace/namespace_test.go | 34 ++++++++++++++++++++++++
 2 files changed, 43 insertions(+)
diff --git a/pkg/webhooks/namespace/namespace.go b/pkg/webhooks/namespace/namespace.go
index 0dd0bc6e..c474e6be 100644
--- a/pkg/webhooks/namespace/namespace.go
+++ b/pkg/webhooks/namespace/namespace.go
@@ -371,6 +371,15 @@ func amIAdmin(request admissionctl.Request) bool {
 }
 }
+ // Allow osd-admin user only when it's in the cluster-admins group
+ // This is specifically for OpenShift CI e2e tests
+ // Note: This is a security trade-off - we're allowing this specific combination
+ // for e2e test compatibility. In production OSD clusters, customers cannot
+ // create users with the cluster-admins group as it's managed by OAuth.
+ if request.UserInfo.Username == "osd-admin" && slices.Contains(request.UserInfo.Groups, "cluster-admins") {
+ return true
+ }
+
 return false
 }
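Review bot: The added branch in amIAdmin grants the full admin bypass on two bare string literals, `"osd-admin"` and `"cluster-admins"`, and its comment states the security argument less precisely than the commit message does: the boundary is the group, which only the OAuth infrastructure assigns, while the username match merely narrows the blanket exemption removed in SREP-1565. I would put that in the code, e.g. `// Narrower replacement for the blanket cluster-admins exemption removed in SREP-1565: the group is the boundary (only OAuth infrastructure assigns it); the username check only narrows it further.` Hoisting the two literals into named package-level constants would also keep this check and the matching strings in the test file from drifting apart. The diff adds no import line and the diffstat shows only these nine lines for the file, so `slices` is presumably already imported here; worth confirming. amIAdmin begins before this hunk.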
diff --git a/pkg/webhooks/namespace/namespace_test.go b/pkg/webhooks/namespace/namespace_test.go
index 6ef3791a..58d4b736 100644
--- a/pkg/webhooks/namespace/namespace_test.go
+++ b/pkg/webhooks/namespace/namespace_test.go
@@ -1162,3 +1162,37 @@ func TestGetURI(t *testing.T) {
 t.Fatalf("Hook URI does not begin with a /")
 }
 }
+
+// TestE2EAdminUser tests the e2e test user exemption
+func TestE2EAdminUser(t *testing.T) {
+ tests := []namespaceTestSuites{
+ {
+ // osd-admin with cluster-admins group should be allowed (for CI e2e tests)
+ testID: "e2e-osd-admin-with-cluster-admins",
+ targetNamespace: "kube-system",
+ username: "osd-admin",
+ userGroups: []string{"cluster-admins", "system:authenticated:oauth", "system:authenticated"},
+ operation: admissionv1.Create,
+ shouldBeAllowed: true,
+ },
+ {
+ // osd-admin without cluster-admins group should be denied
+ testID: "osd-admin-without-cluster-admins",
+ targetNamespace: "kube-system",
+ username: "osd-admin",
+ userGroups: []string{"system:authenticated:oauth", "system:authenticated"},
+ operation: admissionv1.Create,
+ shouldBeAllowed: false,
+ },
+ {
+ // Different user with cluster-admins should still be denied (cluster-admins exemption was removed)
+ testID: "other-user-with-cluster-admins",
+ targetNamespace: "kube-system",
+ username: "some-other-user",
+ userGroups: []string{"cluster-admins", "system:authenticated:oauth", "system:authenticated"},
+ operation: admissionv1.Create,
+ shouldBeAllowed: false,
+ },
+ }
+ runNamespaceTests(t, tests)
+}
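Review bot: Every case in TestE2EAdminUser uses `operation: admissionv1.Create`, but the exemption it exercises lives in amIAdmin, which in the other hunk never consults the operation, so presumably it lifts the same gate for Update and Delete on kube-system as well. A fourth case with `operation: admissionv1.Delete` for osd-admin in cluster-admins, expected allowed, would pin that the exemption spans every verb instead of leaving it implied by the single Create case. The `namespaceTestSuites` fields and the `runNamespaceTests` helper are defined elsewhere in the file and are not visible here.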