From 9eb065ffd751377b01ce809d9879cf6b395b709a Mon Sep 17 00:00:00 2001
From: Chao Xu <xuchao@google.com>
Date: Thu, 6 Jul 2017 17:32:15 -0700
Subject: [PATCH] make externalAdmissionHookConfigurationManager distinguish
 API disabled error

Also added unit tests
---
 .../admission/configuration/BUILD             |  3 ++
 .../external_admission_hook_manager.go        |  7 ++++
 .../external_admission_hook_manager_test.go   | 40 +++++++++++++++++++
 .../configuration/initializer_manager_test.go | 16 ++++++++
 4 files changed, 66 insertions(+)
 create mode 100644 pkg/kubeapiserver/admission/configuration/external_admission_hook_manager_test.go

diff --git a/pkg/kubeapiserver/admission/configuration/BUILD b/pkg/kubeapiserver/admission/configuration/BUILD
index 7411488739..0449f19e27 100644
--- a/pkg/kubeapiserver/admission/configuration/BUILD
+++ b/pkg/kubeapiserver/admission/configuration/BUILD
@@ -12,14 +12,17 @@ go_test(
     name = "go_default_test",
     srcs = [
         "configuration_manager_test.go",
+        "external_admission_hook_manager_test.go",
         "initializer_manager_test.go",
     ],
     library = ":go_default_library",
     tags = ["automanaged"],
     deps = [
         "//vendor/k8s.io/api/admissionregistration/v1alpha1:go_default_library",
+        "//vendor/k8s.io/apimachinery/pkg/api/errors:go_default_library",
         "//vendor/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
         "//vendor/k8s.io/apimachinery/pkg/runtime:go_default_library",
+        "//vendor/k8s.io/apimachinery/pkg/runtime/schema:go_default_library",
         "//vendor/k8s.io/apimachinery/pkg/util/wait:go_default_library",
     ],
 )
diff --git a/pkg/kubeapiserver/admission/configuration/external_admission_hook_manager.go b/pkg/kubeapiserver/admission/configuration/external_admission_hook_manager.go
index 798ab825c6..024f5fae0b 100644
--- a/pkg/kubeapiserver/admission/configuration/external_admission_hook_manager.go
+++ b/pkg/kubeapiserver/admission/configuration/external_admission_hook_manager.go
@@ -20,7 +20,10 @@ import (
 	"fmt"
 	"reflect"
 
+	"github.com/golang/glog"
+
 	"k8s.io/api/admissionregistration/v1alpha1"
+	"k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 )
@@ -37,6 +40,10 @@ func NewExternalAdmissionHookConfigurationManager(c ExternalAdmissionHookConfigu
 	getFn := func() (runtime.Object, error) {
 		list, err := c.List(metav1.ListOptions{})
 		if err != nil {
+			if errors.IsNotFound(err) || errors.IsForbidden(err) {
+				glog.V(5).Infof("ExternalAdmissionHookConfiguration are disabled due to an error: %v", err)
+				return nil, ErrDisabled
+			}
 			return nil, err
 		}
 		return mergeExternalAdmissionHookConfigurations(list), nil
diff --git a/pkg/kubeapiserver/admission/configuration/external_admission_hook_manager_test.go b/pkg/kubeapiserver/admission/configuration/external_admission_hook_manager_test.go
new file mode 100644
index 0000000000..1b849b1d26
--- /dev/null
+++ b/pkg/kubeapiserver/admission/configuration/external_admission_hook_manager_test.go
@@ -0,0 +1,40 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package configuration
+
+import (
+	"testing"
+
+	"k8s.io/api/admissionregistration/v1alpha1"
+	"k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+type disabledWebhookConfigLister struct{}
+
+func (l *disabledWebhookConfigLister) List(options metav1.ListOptions) (*v1alpha1.ExternalAdmissionHookConfigurationList, error) {
+	return nil, errors.NewNotFound(schema.GroupResource{Group: "admissionregistration", Resource: "externalAdmissionHookConfigurations"}, "")
+}
+func TestWebhookConfigDisabled(t *testing.T) {
+	manager := NewExternalAdmissionHookConfigurationManager(&disabledWebhookConfigLister{})
+	manager.sync()
+	_, err := manager.ExternalAdmissionHooks()
+	if err.Error() != ErrDisabled.Error() {
+		t.Errorf("expected %v, got %v", ErrDisabled, err)
+	}
+}
diff --git a/pkg/kubeapiserver/admission/configuration/initializer_manager_test.go b/pkg/kubeapiserver/admission/configuration/initializer_manager_test.go
index 2f4e190f69..783e67a5b7 100644
--- a/pkg/kubeapiserver/admission/configuration/initializer_manager_test.go
+++ b/pkg/kubeapiserver/admission/configuration/initializer_manager_test.go
@@ -23,7 +23,9 @@ import (
 	"time"
 
 	"k8s.io/api/admissionregistration/v1alpha1"
+	"k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime/schema"
 )
 
 type mockLister struct {
@@ -164,3 +166,17 @@ func TestMergeInitializerConfigurations(t *testing.T) {
 		t.Errorf("expected: %#v, got: %#v", expected, got)
 	}
 }
+
+type disabledInitializerConfigLister struct{}
+
+func (l *disabledInitializerConfigLister) List(options metav1.ListOptions) (*v1alpha1.InitializerConfigurationList, error) {
+	return nil, errors.NewNotFound(schema.GroupResource{Group: "admissionregistration", Resource: "initializerConfigurations"}, "")
+}
+func TestInitializerConfigDisabled(t *testing.T) {
+	manager := NewInitializerConfigurationManager(&disabledInitializerConfigLister{})
+	manager.sync()
+	_, err := manager.Initializers()
+	if err.Error() != ErrDisabled.Error() {
+		t.Errorf("expected %v, got %v", ErrDisabled, err)
+	}
+}