Always validate Namespace and ProjectRequest for the organization label (#97)

The ProjectRequest validation in Kyverno does not work for unknown reasons.
This fixes users without default organizations allowed to create projects.

Author: bastjan

main.go

@@ -229,10 +229,9 @@ func main() {
 			Client:  mgr.GetClient(),
 			Decoder: admission.NewDecoder(mgr.GetScheme()),
 
-			Skipper: skipper.NewMultiSkipper(
-				skipper.StaticSkipper{ShouldSkip: disableUsageProfiles},
-				psk,
-			),
+			Skipper: psk,
+
+			SkipValidateQuota: disableUsageProfiles,
 
 			OrganizationLabel:                 conf.OrganizationLabel,
 			UserDefaultOrganizationAnnotation: conf.UserDefaultOrganizationAnnotation,

webhooks/namespace_quota_validator.go

@@ -25,7 +25,9 @@ import (
 // +kubebuilder:rbac:groups="",resources=configmaps,verbs=get;list;watch
 // +kubebuilder:rbac:groups=user.openshift.io,resources=users,verbs=get;list;watch
 
-// NamespaceQuotaValidator checks namespaces for allowed node selectors.
+// NamespaceQuotaValidator checks if a user is allowed to create a namespace.
+// The user or the namespace must have a label with the organization name.
+// The organization name is used to count the number of namespaces for the organization.
 type NamespaceQuotaValidator struct {
 	Decoder *admission.Decoder
 
@@ -34,6 +36,10 @@ type NamespaceQuotaValidator struct {
 
 	Skipper skipper.Skipper
 
+	// SkipValidateQuota allows skipping the quota validation.
+	// If the validation is skipped only the organization label is checked.
+	SkipValidateQuota bool
+
 	OrganizationLabel                 string
 	UserDefaultOrganizationAnnotation string
 
@@ -89,6 +95,11 @@ func (v *NamespaceQuotaValidator) Handle(ctx context.Context, req admission.Requ
 		l.Info("got default organization from user", "user", req.UserInfo.Username, "organization", organizationName)
 	}
 
+	if v.SkipValidateQuota {
+		l.V(1).Info("allowed: skipped quota validation")
+		return admission.Allowed("skipped quota validation")
+	}
+
 	if v.SelectedProfile == "" {
 		return admission.Denied("No ZoneUsageProfile selected")
 	}

webhooks/namespace_quota_validator_test.go

@@ -23,10 +23,11 @@ func TestNamespaceQuotaValidator_Handle(t *testing.T) {
 	const nsLimit = 2
 
 	tests := map[string]struct {
-		initObjects  []client.Object
-		object       client.Object
-		allowed      bool
-		matchMessage string
+		initObjects         []client.Object
+		object              client.Object
+		allowed             bool
+		skipQuotaValidation bool
+		matchMessage        string
 	}{
 		"Allow Namespace": {
 			initObjects: []client.Object{
@@ -158,6 +159,42 @@ func TestNamespaceQuotaValidator_Handle(t *testing.T) {
 			},
 			allowed: false,
 		},
+
+		"SkipQuotaValidation Allow Namespace TooMany": {
+			initObjects: []client.Object{newNamespace("a", map[string]string{orgLabel: "testorg"}, nil), newNamespace("b", map[string]string{orgLabel: "testorg"}, nil)},
+			object: &corev1.Namespace{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "test",
+					Labels: map[string]string{
+						orgLabel: "testorg",
+					},
+				},
+			},
+			skipQuotaValidation: true,
+			allowed:             true,
+		},
+		"SkipQuotaValidation Allow ProjectRequest TooMany": {
+			initObjects: []client.Object{newNamespace("a", map[string]string{orgLabel: "testorg"}, nil), newNamespace("b", map[string]string{orgLabel: "testorg"}, nil)},
+			object: &projectv1.ProjectRequest{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "test",
+					Labels: map[string]string{
+						orgLabel: "testorg",
+					},
+				},
+			},
+			skipQuotaValidation: true,
+			allowed:             true,
+		},
+		"SkipQuotaValidation Deny NoOrganizationLabelAndNoUser": {
+			object: &corev1.Namespace{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "test",
+				},
+			},
+			skipQuotaValidation: true,
+			allowed:             false,
+		},
 	}
 
 	for name, test := range tests {
@@ -168,6 +205,8 @@ func TestNamespaceQuotaValidator_Handle(t *testing.T) {
 				Client:  c,
 				Skipper: skipper.StaticSkipper{ShouldSkip: false},
 
+				SkipValidateQuota: test.skipQuotaValidation,
+
 				OrganizationLabel:                 orgLabel,
 				UserDefaultOrganizationAnnotation: userDefaultOrgAnnotation,