update

Signed-off-by: Bryce Palmer <[email protected]>

openshift-kube-apiserver/admission/authorization/restrictusers/restrictusers.go

@@ -22,53 +22,14 @@ import (
 	userclient "github.com/openshift/client-go/user/clientset/versioned"
 	userinformer "github.com/openshift/client-go/user/informers/externalversions"
 	"github.com/openshift/library-go/pkg/apiserver/admission/admissionrestconfig"
-	"github.com/openshift/library-go/pkg/config/helpers"
-	restrictusersv1alpha1 "k8s.io/kubernetes/openshift-kube-apiserver/admission/authorization/apis/restrictusers/v1alpha1"
 	"k8s.io/kubernetes/openshift-kube-apiserver/admission/authorization/restrictusers/usercache"
 )
 
-const RestrictSubjectBindingsPluginName = "authorization.openshift.io/RestrictSubjectBindings"
-
 func Register(plugins *admission.Plugins) {
-	plugins.Register(RestrictSubjectBindingsPluginName, pluginForConfig)
-}
-
-func pluginForConfig(config io.Reader) (admission.Interface, error) {
-	cfg, err := readConfig(config)
-	if err != nil {
-		return nil, err
-	}
-
-	if cfg != nil && cfg.OpenShiftOAuthDesiredState == restrictusersv1alpha1.OpenShiftOAuthStateNotDesired {
-		klog.Infof("Admission plugin %q configured to expect the OpenShift oauth-apiserver as not being available. This is effectively the same as disabling the plugin, so it will be disabled.", RestrictSubjectBindingsPluginName)
-		return nil, nil
-	}
-
-	return NewRestrictUsersAdmission()
-}
-
-func readConfig(reader io.Reader) (*restrictusersv1alpha1.RestrictSubjectBindingsAdmissionConfig, error) {
-	obj, err := helpers.ReadYAMLToInternal(reader, restrictusersv1alpha1.Install)
-	if err != nil {
-		return nil, err
-	}
-	if obj == nil {
-		return nil, nil
-	}
-	config, ok := obj.(*restrictusersv1alpha1.RestrictSubjectBindingsAdmissionConfig)
-	if !ok {
-		return nil, fmt.Errorf("unexpected config object: %#v", obj)
-	}
-
-	// validate config
-	switch config.OpenShiftOAuthDesiredState {
-	case restrictusersv1alpha1.OpenShiftOAuthStateDesired, restrictusersv1alpha1.OpenShiftOAuthStateNotDesired:
-		// valid, do nothing
-	default:
-		return nil, fmt.Errorf("config is invalid, openshiftOAuthDesiredState must be one of Desired,NotDesired but was %s", config.OpenShiftOAuthDesiredState)
-	}
-
-	return config, nil
+	plugins.Register("authorization.openshift.io/RestrictSubjectBindings",
+		func(config io.Reader) (admission.Interface, error) {
+			return NewRestrictUsersAdmission()
+		})
 }
 
 type GroupCache interface {
@@ -97,7 +58,12 @@ var (
 
 // NewRestrictUsersAdmission configures an admission plugin that enforces
 // restrictions on adding role bindings in a project.
-func NewRestrictUsersAdmission() (admission.Interface, error)
+func NewRestrictUsersAdmission() (admission.Interface, error) {
+	return &restrictUsersAdmission{
+		Handler: admission.NewHandler(admission.Create, admission.Update),
+	}, nil
+}
+
 func (q *restrictUsersAdmission) SetExternalKubeClientSet(c kubernetes.Interface) {
 	q.kubeClient = c
 }

openshift-kube-apiserver/admission/authorization/restrictusers/restrictusers_test.go

@@ -3,12 +3,10 @@ package restrictusers
 import (
 	"context"
 	"fmt"
-	"io"
 	"strings"
 	"testing"
 
 	corev1 "k8s.io/api/core/v1"
-	"k8s.io/apimachinery/pkg/api/equality"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/runtime/schema"
@@ -404,74 +402,3 @@ func TestAdmission(t *testing.T) {
 		}
 	}
 }
-
-func TestPluginForConfig(t *testing.T) {
-	testcases := []struct {
-		name           string
-		config         string
-		expectedErr    string
-		expectedPlugin admission.Interface
-	}{
-		{
-			name: "no config, no err, expect plugin",
-			expectedPlugin: func() admission.Interface {
-				plugin, _ := NewRestrictUsersAdmission()
-				return plugin
-			}(),
-		},
-		{
-			name: "config sets openshiftOAuthDesiredState to NotDesired, no err, nil plugin",
-			config: `apiVersion: authorization.openshift.io/v1alpha1
-kind: RestrictSubjectBindingsAdmissionConfig
-openshiftOAuthDesiredState: NotDesired
-            `,
-			expectedPlugin: nil,
-		},
-		{
-			name: "config sets openshiftOAuthDesiredState to Desired, no err, expect plugin",
-			config: `apiVersion: authorization.openshift.io/v1alpha1
-kind: RestrictSubjectBindingsAdmissionConfig
-openshiftOAuthDesiredState: Desired
-            `,
-			expectedPlugin: func() admission.Interface {
-				plugin, _ := NewRestrictUsersAdmission()
-				return plugin
-			}(),
-		},
-		{
-			name: "config sets openshiftOAuthDesiredState to invalid value, err, nil plugin",
-			config: `apiVersion: authorization.openshift.io/v1alpha1
-kind: RestrictSubjectBindingsAdmissionConfig
-openshiftOAuthDesiredState: FooBar
-            `,
-			expectedPlugin: nil,
-			expectedErr:    "config is invalid, openshiftOAuthDesiredState must be one of Desired,NotDesired",
-		},
-	}
-
-	for _, tc := range testcases {
-		t.Run(tc.name, func(t *testing.T) {
-			var reader io.Reader
-			if len(tc.config) > 0 {
-				reader = strings.NewReader(tc.config)
-			}
-
-			plugin, err := pluginForConfig(reader)
-			switch {
-			case len(tc.expectedErr) == 0 && err == nil:
-			case len(tc.expectedErr) == 0 && err != nil:
-				t.Errorf("%s: unexpected error: %v", tc.name, err)
-			case len(tc.expectedErr) != 0 && err == nil:
-				t.Errorf("%s: missing error: %v", tc.name, tc.expectedErr)
-			case len(tc.expectedErr) != 0 && err != nil &&
-				!strings.Contains(err.Error(), tc.expectedErr):
-				t.Errorf("%s: missing error: expected %v, got %v",
-					tc.name, tc.expectedErr, err)
-			}
-
-			if !equality.Semantic.DeepEqual(tc.expectedPlugin, plugin) {
-				t.Errorf("plugin does not match. expected %v, got %v", tc.expectedPlugin, plugin)
-			}
-		})
-	}
-}