pepr 0.39.1 → 0.40.0

package/package.json

@@ -15,7 +15,7 @@
     "!src/**/*.test.ts",
     "!dist/**/*.test.d.ts*"
   ],
-  "version": "0.39.1",
+  "version": "0.40.0",
   "main": "dist/lib.js",
   "types": "dist/lib.d.ts",
   "scripts": {
@@ -46,7 +46,7 @@
     "follow-redirects": "1.15.9",
     "http-status-codes": "^2.3.0",
     "json-pointer": "^0.6.2",
-    "kubernetes-fluent-client": "3.3.1",
+    "kubernetes-fluent-client": "3.3.3",
     "pino": "9.5.0",
     "pino-pretty": "13.0.0",
     "prom-client": "15.1.3",
@@ -54,8 +54,8 @@
     "sigstore": "3.0.0"
   },
   "devDependencies": {
-    "@commitlint/cli": "19.5.0",
-    "@commitlint/config-conventional": "19.5.0",
+    "@commitlint/cli": "19.6.0",
+    "@commitlint/config-conventional": "19.6.0",
     "@fast-check/jest": "^2.0.1",
     "@jest/globals": "29.7.0",
     "@types/eslint": "9.6.1",

package/src/fixtures/data/admission-create-clusterrole.json

@@ -0,0 +1,52 @@
+{
+  "uid": "2ac28f03-c045-4af6-86f1-aa0007571863",
+  "kind": {
+    "group": "rbac.authorization.k8s.io",
+    "version": "v1",
+    "kind": "ClusterRole"
+  },
+  "resource": {
+    "group": "rbac.authorization.k8s.io",
+    "version": "v1",
+    "resource": "clusterroles"
+  },
+  "requestKind": {
+    "group": "rbac.authorization.k8s.io",
+    "version": "v1",
+    "kind": "ClusterRole"
+  },
+  "requestResource": {
+    "group": "rbac.authorization.k8s.io",
+    "version": "v1",
+    "resource": "clusterroles"
+  },
+  "name": "pod-creator",
+  "operation": "CREATE",
+  "userInfo": {
+    "username": "system:admin",
+    "groups": ["system:masters", "system:authenticated"]
+  },
+  "object": {
+    "kind": "ClusterRole",
+    "apiVersion": "rbac.authorization.k8s.io/v1",
+    "metadata": {
+      "name": "pod-creator",
+      "creationTimestamp": null
+    },
+    "rules": [
+      {
+        "verbs": ["create", "update", "patch"],
+        "apiGroups": [""],
+        "resources": ["pods"]
+      }
+    ]
+  },
+  "oldObject": null,
+  "dryRun": false,
+  "options": {
+    "kind": "CreateOptions",
+    "apiVersion": "meta.k8s.io/v1",
+    "fieldManager": "kubectl-create",
+    "fieldValidation": "Strict"
+  }
+}

package/src/fixtures/data/admission-create-deployment.json

@@ -0,0 +1,93 @@
+{
+  "uid": "501f5447-a028-4a3f-b4ac-fc56f3f78ffc",
+  "kind": {
+    "group": "apps",
+    "version": "v1",
+    "kind": "Deployment"
+  },
+  "resource": {
+    "group": "apps",
+    "version": "v1",
+    "resource": "deployments"
+  },
+  "requestKind": {
+    "group": "apps",
+    "version": "v1",
+    "kind": "Deployment"
+  },
+  "requestResource": {
+    "group": "apps",
+    "version": "v1",
+    "resource": "deployments"
+  },
+  "name": "lower",
+  "namespace": "pepr-demo",
+  "operation": "CREATE",
+  "userInfo": {
+    "username": "system:admin",
+    "groups": ["system:masters", "system:authenticated"]
+  },
+  "object": {
+    "kind": "Deployment",
+    "apiVersion": "apps/v1",
+    "metadata": {
+      "name": "lower",
+      "namespace": "pepr-demo",
+      "creationTimestamp": null,
+      "labels": {
+        "app": "lower"
+      }
+    },
+    "spec": {
+      "replicas": 3,
+      "selector": {
+        "matchLabels": {
+          "app": "lower"
+        }
+      },
+      "template": {
+        "metadata": {
+          "creationTimestamp": null,
+          "labels": {
+            "app": "lower"
+          }
+        },
+        "spec": {
+          "containers": [
+            {
+              "name": "nginx",
+              "image": "nginx",
+              "resources": {},
+              "terminationMessagePath": "/dev/termination-log",
+              "terminationMessagePolicy": "File",
+              "imagePullPolicy": "Always"
+            }
+          ],
+          "restartPolicy": "Always",
+          "terminationGracePeriodSeconds": 30,
+          "dnsPolicy": "ClusterFirst",
+          "securityContext": {},
+          "schedulerName": "default-scheduler"
+        }
+      },
+      "strategy": {
+        "type": "RollingUpdate",
+        "rollingUpdate": {
+          "maxUnavailable": "25%",
+          "maxSurge": "25%"
+        }
+      },
+      "revisionHistoryLimit": 10,
+      "progressDeadlineSeconds": 600
+    },
+    "status": {}
+  },
+  "oldObject": null,
+  "dryRun": false,
+  "options": {
+    "kind": "CreateOptions",
+    "apiVersion": "meta.k8s.io/v1",
+    "fieldManager": "kubectl-create",
+    "fieldValidation": "Strict"
+  }
+}

package/src/fixtures/loader.ts

@@ -1,15 +1,25 @@
 import { kind } from "kubernetes-fluent-client";
 
 import { AdmissionRequest } from "../lib/types";
-import createPod from "./data/create-pod.json";
-import deletePod from "./data/delete-pod.json";
+import admissionRequestCreatePod from "./data/admission-create-pod.json";
+import admissionRequestDeletePod from "./data/admission-delete-pod.json";
+import admissionRequestCreateClusterRole from "./data/admission-create-clusterrole.json";
+import admissionRequestCreateDeployment from "./data/admission-create-deployment.json";
 
-export function CreatePod() {
-  return cloneObject<kind.Pod>(createPod);
+export function AdmissionRequestCreateDeployment() {
+  return cloneObject<kind.Deployment>(admissionRequestCreateDeployment);
 }
 
-export function DeletePod() {
-  return cloneObject<kind.Pod>(deletePod);
+export function AdmissionRequestCreatePod() {
+  return cloneObject<kind.Pod>(admissionRequestCreatePod);
+}
+
+export function AdmissionRequestDeletePod() {
+  return cloneObject<kind.Pod>(admissionRequestDeletePod);
+}
+
+export function AdmissionRequestCreateClusterRole() {
+  return cloneObject<kind.ClusterRole>(admissionRequestCreateClusterRole);
 }
 
 function cloneObject<T>(obj: unknown): AdmissionRequest<T> {

package/src/lib/assets/rbac.ts

@@ -22,7 +22,6 @@ export function clusterRole(
 ): kind.ClusterRole {
   // Create the RBAC map from capabilities
   const rbacMap = createRBACMap(capabilities);
-
   // Generate scoped rules from rbacMap
   const scopedRules = Object.keys(rbacMap).map(key => {
     let group: string;

package/src/lib/filter/adjudicators.ts

@@ -216,6 +216,15 @@ export const uncarryableNamespace = allPass([
   pipe((namespaceSelector, kubernetesObject) => namespaceSelector.includes(carriedNamespace(kubernetesObject)), not),
 ]);
 
+export const missingCarriableNamespace = allPass([
+  pipe(nthArg(0), length, gt(__, 0)),
+  pipe((namespaceSelector: string[], kubernetesObject: KubernetesObject): boolean =>
+    kubernetesObject.kind === "Namespace"
+      ? !namespaceSelector.includes(kubernetesObject.metadata!.name!)
+      : !carriesNamespace(kubernetesObject),
+  ),
+]);
+
 export const carriesIgnoredNamespace = allPass([
   pipe(nthArg(0), length, gt(__, 0)),
   pipe(nthArg(1), carriesNamespace),

package/src/lib/filter/filter.ts

@@ -35,6 +35,7 @@ import {
   mismatchedGroup,
   mismatchedVersion,
   mismatchedKind,
+  missingCarriableNamespace,
   unbindableNamespaces,
   uncarryableNamespace,
 } from "./adjudicators";
@@ -53,7 +54,7 @@ export function shouldSkipRequest(
   ignoredNamespaces?: string[],
 ): string {
   const prefix = "Ignoring Admission Callback:";
-  const obj = req.operation === Operation.DELETE ? req.oldObject : req.object;
+  const obj = (req.operation === Operation.DELETE ? req.oldObject : req.object)!;
 
   // prettier-ignore
   return (
@@ -139,6 +140,12 @@ export function shouldSkipRequest(
         `but ignored namespaces include '${JSON.stringify(ignoredNamespaces)}'.`
       ) :
 
+    missingCarriableNamespace(capabilityNamespaces, obj) ? 
+      (
+        `${prefix} Object does not carry a namespace ` +
+        `but namespaces allowed by Capability are '${JSON.stringify(capabilityNamespaces)}'.`
+      ) :
+
     ""
   );
 }

package/src/lib/helpers.ts

@@ -26,6 +26,7 @@ import {
   mismatchedNameRegex,
   mismatchedNamespace,
   mismatchedNamespaceRegex,
+  missingCarriableNamespace,
   unbindableNamespaces,
   uncarryableNamespace,
 } from "./filter/adjudicators";
@@ -139,6 +140,12 @@ export function filterNoMatchReason(
         `but ignored namespaces include '${JSON.stringify(ignoredNamespaces)}'.`
       ) :
 
+    missingCarriableNamespace(capabilityNamespaces, obj) ? 
+      (
+        `${prefix} Object does not carry a namespace ` +
+        `but namespaces allowed by Capability are '${JSON.stringify(capabilityNamespaces)}'.`
+      ) :
+
     ""
   );
 }

package/src/lib/watch-processor.ts

@@ -50,7 +50,6 @@ export function getOrCreateQueue(obj: KubernetesObject) {
 
 // Watch configuration
 const watchCfg: WatchCfg = {
-  useLegacyWatch: process.env.PEPR_USE_LEGACY_WATCH === "true",
   resyncFailureMax: process.env.PEPR_RESYNC_FAILURE_MAX ? parseInt(process.env.PEPR_RESYNC_FAILURE_MAX, 10) : 5,
   resyncDelaySec: process.env.PEPR_RESYNC_DELAY_SECONDS ? parseInt(process.env.PEPR_RESYNC_DELAY_SECONDS, 10) : 5,
   lastSeenLimitSeconds: process.env.PEPR_LAST_SEEN_LIMIT_SECONDS