Tests for AccessEntry validations

joshfrench · joshfrench · commit 464f490f46b6 · 2025-09-02T15:59:56.000-04:00
diff --git a/config/crd/bases/controlplane.cluster.x-k8s.io_awsmanagedcontrolplanes.yaml b/config/crd/bases/controlplane.cluster.x-k8s.io_awsmanagedcontrolplanes.yaml
@@ -2270,6 +2270,7 @@ spec:
                                       Only valid when Type is namespace
                                     items:
                                       type: string
+                                    minItems: 1
                                     type: array
                                   type:
                                     default: cluster
@@ -2290,6 +2291,7 @@ spec:
                             - accessScope
                             - policyARN
                             type: object
+                          maxItems: 20
                           type: array
                         kubernetesGroups:
                           description: |-
diff --git a/controlplane/eks/api/v1beta2/awsmanagedcontrolplane_types.go b/controlplane/eks/api/v1beta2/awsmanagedcontrolplane_types.go
@@ -276,6 +276,7 @@ type AccessEntry struct {
 	// AccessPolicies specifies the policies to associate with this access entry
 	// Cannot be specified if Type is EC2_LINUX or EC2_WINDOWS
 	// +optional
+	// +kubebuilder:validation:MaxItems=20
 	AccessPolicies []AccessPolicyReference `json:"accessPolicies,omitempty"`
 }
 
@@ -300,6 +301,7 @@ type AccessScope struct {
 	// Namespaces are the namespaces for the access scope
 	// Only valid when Type is namespace
 	// +optional
+	// +kubebuilder:validation:MinItems=1
 	Namespaces []string `json:"namespaces,omitempty"`
 }
 
diff --git a/controlplane/eks/api/v1beta2/awsmanagedcontrolplane_webhook.go b/controlplane/eks/api/v1beta2/awsmanagedcontrolplane_webhook.go
@@ -98,6 +98,7 @@ func (*awsManagedControlPlaneWebhook) ValidateCreate(_ context.Context, obj runt
 	// TODO: Add ipv6 validation things in these validations.
 	allErrs = append(allErrs, r.validateEKSVersion(nil)...)
 	allErrs = append(allErrs, r.Spec.Bastion.Validate()...)
+	allErrs = append(allErrs, r.validateAccessConfig(nil)...)
 	allErrs = append(allErrs, r.validateIAMAuthConfig()...)
 	allErrs = append(allErrs, r.validateSecondaryCIDR()...)
 	allErrs = append(allErrs, r.validateEKSAddons()...)
@@ -324,14 +325,14 @@ func (r *AWSManagedControlPlane) validateAccessConfig(old *AWSManagedControlPlan
 	var allErrs field.ErrorList
 
 	// If accessConfig is already set, do not allow removal of it.
-	if old.Spec.AccessConfig != nil && r.Spec.AccessConfig == nil {
+	if old != nil && old.Spec.AccessConfig != nil && r.Spec.AccessConfig == nil {
 		allErrs = append(allErrs,
 			field.Invalid(field.NewPath("spec", "accessConfig"), r.Spec.AccessConfig, "removing AccessConfig is not allowed after it has been enabled"),
 		)
 	}
 
 	// AuthenticationMode is ratcheting - do not allow downgrades
-	if old.Spec.AccessConfig != nil && r.Spec.AccessConfig != nil &&
+	if old != nil && old.Spec.AccessConfig != nil && r.Spec.AccessConfig != nil &&
 		old.Spec.AccessConfig.AuthenticationMode != r.Spec.AccessConfig.AuthenticationMode &&
 		((old.Spec.AccessConfig.AuthenticationMode == EKSAuthenticationModeAPIAndConfigMap && r.Spec.AccessConfig.AuthenticationMode == EKSAuthenticationModeConfigMap) ||
 			old.Spec.AccessConfig.AuthenticationMode == EKSAuthenticationModeAPI) {
@@ -389,7 +390,7 @@ func (r *AWSManagedControlPlane) validateAccessConfig(old *AWSManagedControlPlan
 						field.Invalid(
 							field.NewPath("spec", "accessConfig", "accessEntries").Index(i).Child("accessPolicies").Index(j).Child("accessScope", "namespaces"),
 							policy.AccessScope.Namespaces,
-							"at least one value must be specified when accessScope type is namespace",
+							"at least one value must be provided when accessScope type is namespace",
 						),
 					)
 				}
diff --git a/controlplane/eks/api/v1beta2/awsmanagedcontrolplane_webhook_test.go b/controlplane/eks/api/v1beta2/awsmanagedcontrolplane_webhook_test.go
@@ -526,6 +526,166 @@ func TestWebhookCreateIPv6Details(t *testing.T) {
 	}
 }
 
+func TestWebhookValidateAccessEntries(t *testing.T) {
+	tests := []struct {
+		name         string
+		accessConfig *AccessConfig
+		expectError  bool
+		errorSubstr  string
+	}{
+		{
+			name: "valid access entries with API auth mode",
+			accessConfig: &AccessConfig{
+				AuthenticationMode: EKSAuthenticationModeAPI,
+				AccessEntries: []AccessEntry{
+					{
+						PrincipalARN:     "arn:aws:iam::123456789012:role/EKSAdmin",
+						Type:             "STANDARD",
+						KubernetesGroups: []string{"system:masters"},
+					},
+				},
+			},
+			expectError: false,
+		},
+		{
+			name: "valid access entries with API_AND_CONFIG_MAP auth mode",
+			accessConfig: &AccessConfig{
+				AuthenticationMode: EKSAuthenticationModeAPIAndConfigMap,
+				AccessEntries: []AccessEntry{
+					{
+						PrincipalARN:     "arn:aws:iam::123456789012:role/EKSAdmin",
+						Type:             "STANDARD",
+						KubernetesGroups: []string{"system:masters"},
+					},
+				},
+			},
+			expectError: false,
+		},
+		{
+			name: "invalid access entries with CONFIG_MAP auth mode",
+			accessConfig: &AccessConfig{
+				AuthenticationMode: EKSAuthenticationModeConfigMap,
+				AccessEntries: []AccessEntry{
+					{
+						PrincipalARN:     "arn:aws:iam::123456789012:role/EKSAdmin",
+						Type:             "STANDARD",
+						KubernetesGroups: []string{"system:masters"},
+					},
+				},
+			},
+			expectError: true,
+			errorSubstr: "accessEntries can only be used when authenticationMode is set to API or API_AND_CONFIG_MAP",
+		},
+		{
+			name: "invalid EC2_LINUX access entry with kubernetes groups",
+			accessConfig: &AccessConfig{
+				AuthenticationMode: EKSAuthenticationModeAPI,
+				AccessEntries: []AccessEntry{
+					{
+						PrincipalARN:     "arn:aws:iam::123456789012:role/EKSAdmin",
+						Type:             "EC2_LINUX",
+						KubernetesGroups: []string{"system:masters"},
+					},
+				},
+			},
+			expectError: true,
+			errorSubstr: "kubernetesGroups cannot be specified when type is EC2_LINUX or EC2_WINDOWS",
+		},
+		{
+			name: "invalid EC2_WINDOWS access entry with access policies",
+			accessConfig: &AccessConfig{
+				AuthenticationMode: EKSAuthenticationModeAPI,
+				AccessEntries: []AccessEntry{
+					{
+						PrincipalARN: "arn:aws:iam::123456789012:role/EKSAdmin",
+						Type:         "EC2_WINDOWS",
+						AccessPolicies: []AccessPolicyReference{
+							{
+								PolicyARN: "arn:aws:eks::aws:cluster-access-policy/AmazonEKSViewPolicy",
+								AccessScope: AccessScope{
+									Type: "cluster",
+								},
+							},
+						},
+					},
+				},
+			},
+			expectError: true,
+			errorSubstr: "accessPolicies cannot be specified when type is EC2_LINUX or EC2_WINDOWS",
+		},
+		{
+			name: "invalid access policy with namespace type and no namespaces",
+			accessConfig: &AccessConfig{
+				AuthenticationMode: EKSAuthenticationModeAPI,
+				AccessEntries: []AccessEntry{
+					{
+						PrincipalARN: "arn:aws:iam::123456789012:role/EKSAdmin",
+						Type:         "STANDARD",
+						AccessPolicies: []AccessPolicyReference{
+							{
+								PolicyARN: "arn:aws:eks::aws:cluster-access-policy/AmazonEKSViewPolicy",
+								AccessScope: AccessScope{
+									Type: "namespace",
+								},
+							},
+						},
+					},
+				},
+			},
+			expectError: true,
+			errorSubstr: "at least one value must be provided when accessScope type is namespace",
+		},
+		{
+			name: "valid access policy with namespace type and namespaces",
+			accessConfig: &AccessConfig{
+				AuthenticationMode: EKSAuthenticationModeAPI,
+				AccessEntries: []AccessEntry{
+					{
+						PrincipalARN: "arn:aws:iam::123456789012:role/EKSAdmin",
+						Type:         "STANDARD",
+						AccessPolicies: []AccessPolicyReference{
+							{
+								PolicyARN: "arn:aws:eks::aws:cluster-access-policy/AmazonEKSViewPolicy",
+								AccessScope: AccessScope{
+									Type:       "namespace",
+									Namespaces: []string{"default", "kube-system"},
+								},
+							},
+						},
+					},
+				},
+			},
+			expectError: false,
+		},
+	}
+
+	for _, tc := range tests {
+		t.Run(tc.name, func(t *testing.T) {
+			g := NewWithT(t)
+
+			mcp := &AWSManagedControlPlane{
+				Spec: AWSManagedControlPlaneSpec{
+					EKSClusterName: "default_cluster1",
+					AccessConfig:   tc.accessConfig,
+				},
+			}
+
+			warn, err := (&awsManagedControlPlaneWebhook{}).ValidateCreate(context.Background(), mcp)
+
+			if tc.expectError {
+				g.Expect(err).ToNot(BeNil())
+				if tc.errorSubstr != "" {
+					g.Expect(err.Error()).To(ContainSubstring(tc.errorSubstr))
+				}
+			} else {
+				g.Expect(err).To(BeNil())
+			}
+			// Nothing emits warnings yet
+			g.Expect(warn).To(BeEmpty())
+		})
+	}
+}
+
 func TestWebhookUpdate(t *testing.T) {
 	tests := []struct {
 		name           string

Original file line number	Diff line number	Diff line change
`@@ -276,6 +276,7 @@ type AccessEntry struct {`
`276`	`276`	`// AccessPolicies specifies the policies to associate with this access entry`
`277`	`277`	`// Cannot be specified if Type is EC2_LINUX or EC2_WINDOWS`
`278`	`278`	`// +optional`
	`279`	`+ // +kubebuilder:validation:MaxItems=20`
`279`	`280`	AccessPolicies []AccessPolicyReference `json:"accessPolicies,omitempty"`
`280`	`281`	`}`
`281`	`282`
`@@ -300,6 +301,7 @@ type AccessScope struct {`
`300`	`301`	`// Namespaces are the namespaces for the access scope`
`301`	`302`	`// Only valid when Type is namespace`
`302`	`303`	`// +optional`
	`304`	`+ // +kubebuilder:validation:MinItems=1`
`303`	`305`	Namespaces []string `json:"namespaces,omitempty"`
`304`	`306`	`}`
`305`	`307`