Validate ServiceAccount for ClusterSet member list changes

[luolanzone]

Since ClusterSet's member list is maintained by MemberClusterAnnounce
controller, mc-controller should deny ClusterSet member list updates by users
manually.

Signed-off-by: Lan Luo luola@vmware.com

[luolanzone]

/test-multicluster-e2e

[codecov]

Codecov Report

Merging #4090 (967ee6a) into main (454df5d) will increase coverage by 0.86%.
The diff coverage is 52.94%.

@@            Coverage Diff             @@
##             main    #4090      +/-   ##
==========================================
+ Coverage   64.25%   65.12%   +0.86%     
==========================================
  Files         294      310      +16     
  Lines       44805    45555     +750     
==========================================
+ Hits        28789    29666     +877     
+ Misses      13687    13512     -175     
- Partials     2329     2377      +48     

Flag	Coverage Δ
e2e-tests	58.34% <0.00%> (?)
integration-tests	35.47% <ø> (?)
kind-e2e-tests	43.57% <ø> (-6.72%)	⬇️
unit-tests	44.26% <52.94%> (-0.07%)	⬇️

Impacted Files	Coverage Δ
...luster-controller/memberclusterannounce_webhook.go	63.33% <0.00%> (+8.33%)	⬆️
.../cmd/multicluster-controller/clusterset_webhook.go	60.41% <56.25%> (+1.04%)	⬆️
pkg/agent/proxy/endpointslicecache.go	0.00% <0.00%> (-83.60%)	⬇️
pkg/agent/secondarynetwork/cnipodcache/cache.go	0.00% <0.00%> (-77.56%)	⬇️
pkg/controller/egress/store/egressgroup.go	1.72% <0.00%> (-54.32%)	⬇️
...g/agent/controller/serviceexternalip/controller.go	35.83% <0.00%> (-45.74%)	⬇️
pkg/agent/secondarynetwork/podwatch/controller.go	0.00% <0.00%> (-39.02%)	⬇️
.../agent/flowexporter/connections/conntrack_linux.go	58.87% <0.00%> (-26.62%)	⬇️
pkg/ovs/ovsctl/ovsctl_others.go	53.84% <0.00%> (-25.65%)	⬇️
...nt/apiserver/handlers/serviceexternalip/handler.go	29.62% <0.00%> (-22.23%)	⬇️
... and 109 more

[jianjuns]

Nits.

[jianjuns]

Do you think more efficient to check ServiceAccount name matches or not, before checking member list changes? Not sure.

[luolanzone]

I think other users may still update other parts of ClusterSet, eg: add a label or an annotation etc.

[jianjuns]

I meant if checking ServiceAccount name is faster than checking member list, maybe we should check SA name first, also assuming more updates should be by MC controller.

[luolanzone]

You mean we allow user to create/delete ClusterSet, but for update, we assume it will only be done by MC controller?

[jianjuns]

No, I meant if the current code is more efficient or not:

		ui := req.UserInfo
		_, saName, err := serviceaccount.SplitUsername(ui.Username)
		if err != nil {
			klog.ErrorS(err, "Error getting ServiceAccount name", "ClusterSet", req.Namespace+"/"+req.Name)
			return admission.Errored(http.StatusBadRequest, err)
		}
		if saName != mcControllerSAName && isMemberListChanged(oldClusterSet.Spec.Members, clusterSet.Spec.Members) {
			return admission.Errored(http.StatusPreconditionFailed, fmt.Errorf("member list can only be updated by Antrea Multi-cluster Controller"))
		}

assuming most updates are by controller.

[luolanzone]

Refined to check service account first.

[luolanzone]

/test-multicluster-e2e

[jianjuns]

No, I meant if the current code is more efficient or not:

		ui := req.UserInfo
		_, saName, err := serviceaccount.SplitUsername(ui.Username)
		if err != nil {
			klog.ErrorS(err, "Error getting ServiceAccount name", "ClusterSet", req.Namespace+"/"+req.Name)
			return admission.Errored(http.StatusBadRequest, err)
		}
		if saName != mcControllerSAName && isMemberListChanged(oldClusterSet.Spec.Members, clusterSet.Spec.Members) {
			return admission.Errored(http.StatusPreconditionFailed, fmt.Errorf("member list can only be updated by Antrea Multi-cluster Controller"))
		}

assuming most updates are by controller.

[jianjuns]

This block is useless and can be removed.

[luolanzone]

You are right, removed it.

[jianjuns]

/test-multicluster-e2e
/test-integration

[jianjuns]

/skip-all