Improve webhook to support all resource types and better pluralization

Co-authored-by: nomeguy <85475922+nomeguy@users.noreply.github.com>

Author: Copilot

config/webhook/mutating_webhook_configuration.yaml

@@ -5,13 +5,13 @@ metadata:
   annotations:
     cert-manager.io/inject-ca-from: policywall-system/policywall-webhook-cert
 webhooks:
-- name: mpod.policy.casbin.org
+- name: mutate.policy.casbin.org
   admissionReviewVersions: ["v1", "v1beta1"]
   clientConfig:
     service:
       name: policywall-webhook-service
       namespace: policywall-system
-      path: /mutate-v1-pod
+      path: /mutate
   failurePolicy: Fail
   matchPolicy: Equivalent
   namespaceSelector:
@@ -22,10 +22,10 @@ webhooks:
   objectSelector: {}
   reinvocationPolicy: Never
   rules:
-  - apiGroups: [""]
-    apiVersions: ["v1"]
+  - apiGroups: ["*"]
+    apiVersions: ["*"]
     operations: ["CREATE", "UPDATE"]
-    resources: ["pods"]
+    resources: ["*"]
     scope: "*"
   sideEffects: None
   timeoutSeconds: 10

config/webhook/validating_webhook_configuration.yaml

@@ -5,13 +5,13 @@ metadata:
   annotations:
     cert-manager.io/inject-ca-from: policywall-system/policywall-webhook-cert
 webhooks:
-- name: vpod.policy.casbin.org
+- name: validate.policy.casbin.org
   admissionReviewVersions: ["v1", "v1beta1"]
   clientConfig:
     service:
       name: policywall-webhook-service
       namespace: policywall-system
-      path: /validate-v1-pod
+      path: /validate
   failurePolicy: Fail
   matchPolicy: Equivalent
   namespaceSelector:
@@ -21,10 +21,10 @@ webhooks:
       values: ["true"]
   objectSelector: {}
   rules:
-  - apiGroups: [""]
-    apiVersions: ["v1"]
+  - apiGroups: ["*"]
+    apiVersions: ["*"]
     operations: ["CREATE", "UPDATE"]
-    resources: ["pods"]
+    resources: ["*"]
     scope: "*"
   sideEffects: None
   timeoutSeconds: 10

main.go

@@ -85,12 +85,12 @@ func main() {
 	validatingWebhook := webhookpkg.NewValidatingWebhook(mgr.GetClient(), enforcer)
 
 	// Register mutating webhook
-	mgr.GetWebhookServer().Register("/mutate-v1-pod", &webhook.Admission{
+	mgr.GetWebhookServer().Register("/mutate", &webhook.Admission{
 		Handler: mutatingWebhook,
 	})
 
 	// Register validating webhook
-	mgr.GetWebhookServer().Register("/validate-v1-pod", &webhook.Admission{
+	mgr.GetWebhookServer().Register("/validate", &webhook.Admission{
 		Handler: validatingWebhook,
 	})
 

pkg/webhook/enforcer.go

@@ -130,9 +130,12 @@ func (pe *PolicyEnforcer) Enforce(ctx context.Context, obj runtime.Object, usern
 		Validations: []ValidationResult{},
 	}
 
-	// Get resource type
+	// Get resource type from GVK
 	gvk := obj.GetObjectKind().GroupVersionKind()
-	resourceType := strings.ToLower(gvk.Kind) + "s"
+	resourceType := gvk.Kind
+
+	// Normalize resource type to lowercase for comparison
+	resourceTypeLower := strings.ToLower(resourceType)
 
 	// Load all policies
 	var policyList policyv1alpha1.PolicyList
@@ -150,7 +153,7 @@ func (pe *PolicyEnforcer) Enforce(ctx context.Context, obj runtime.Object, usern
 	// Process each policy
 	for _, policy := range policyList.Items {
 		// Check if policy applies to this resource
-		if !pe.policyAppliesTo(&policy, resourceType, u) {
+		if !pe.policyAppliesTo(&policy, resourceTypeLower, u) {
 			continue
 		}
 
@@ -196,10 +199,19 @@ func (pe *PolicyEnforcer) policyAppliesTo(policy *policyv1alpha1.Policy, resourc
 	namespace := obj.GetNamespace()
 
 	for _, rs := range policy.Spec.Resources {
-		// Check if resource type matches
+		// Check if resource type matches (support both singular and plural forms)
 		resourceMatches := false
 		for _, res := range rs.Resources {
-			if strings.ToLower(res) == strings.ToLower(resourceType) || res == "*" {
+			resLower := strings.ToLower(res)
+			// Match if:
+			// 1. Exact match (case insensitive)
+			// 2. Wildcard match
+			// 3. Singular matches plural (e.g., "pod" matches "pod" or "pods")
+			// 4. Plural matches singular (e.g., "pods" matches "pod")
+			if resLower == resourceType ||
+				res == "*" ||
+				resLower == resourceType+"s" ||
+				resLower+"s" == resourceType {
 				resourceMatches = true
 				break
 			}
@@ -329,9 +341,11 @@ func GenerateSidecarInjectionPatch(containerName, image string) []PatchOperation
 		Image: image,
 	}
 
+	// Marshal container to JSON (error ignored as Container is a known type that always marshals successfully)
 	containerJSON, _ := json.Marshal(sidecarContainer)
 	var containerMap map[string]interface{}
-	json.Unmarshal(containerJSON, &containerMap)
+	// Unmarshal to map (error ignored as valid JSON from Marshal above)
+	_ = json.Unmarshal(containerJSON, &containerMap)
 
 	return []PatchOperation{
 		{

pkg/webhook/mutating_webhook.go

@@ -5,7 +5,7 @@ import (
 	"encoding/json"
 	"net/http"
 
-	corev1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/log"
 	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
@@ -14,7 +14,6 @@ import (
 // MutatingWebhook handles mutating admission requests
 type MutatingWebhook struct {
 	client   client.Client
-	decoder  admission.Decoder
 	enforcer *PolicyEnforcer
 }
 
@@ -37,10 +36,9 @@ func (m *MutatingWebhook) Handle(ctx context.Context, req admission.Request) adm
 		"username", req.UserInfo.Username,
 	)
 
-	// Decode the object
-	obj := &corev1.Pod{}
-	err := m.decoder.Decode(req, obj)
-	if err != nil {
+	// Decode the object as unstructured to support any resource type
+	obj := &unstructured.Unstructured{}
+	if err := json.Unmarshal(req.Object.Raw, obj); err != nil {
 		logger.Error(err, "failed to decode object")
 		return admission.Errored(http.StatusBadRequest, err)
 	}
@@ -70,9 +68,3 @@ func (m *MutatingWebhook) Handle(ctx context.Context, req admission.Request) adm
 	// Return a patched response
 	return admission.PatchResponseFromRaw(req.Object.Raw, patchBytes)
 }
-
-// InjectDecoder injects the decoder
-func (m *MutatingWebhook) InjectDecoder(d admission.Decoder) error {
-	m.decoder = d
-	return nil
-}

pkg/webhook/validating_webhook.go

@@ -2,9 +2,10 @@ package webhook
 
 import (
 	"context"
+	"encoding/json"
 	"net/http"
 
-	corev1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/log"
 	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
@@ -13,7 +14,6 @@ import (
 // ValidatingWebhook handles validating admission requests
 type ValidatingWebhook struct {
 	client   client.Client
-	decoder  admission.Decoder
 	enforcer *PolicyEnforcer
 }
 
@@ -36,10 +36,9 @@ func (v *ValidatingWebhook) Handle(ctx context.Context, req admission.Request) a
 		"username", req.UserInfo.Username,
 	)
 
-	// Decode the object
-	obj := &corev1.Pod{}
-	err := v.decoder.Decode(req, obj)
-	if err != nil {
+	// Decode the object as unstructured to support any resource type
+	obj := &unstructured.Unstructured{}
+	if err := json.Unmarshal(req.Object.Raw, obj); err != nil {
 		logger.Error(err, "failed to decode object")
 		return admission.Errored(http.StatusBadRequest, err)
 	}
@@ -68,9 +67,3 @@ func (v *ValidatingWebhook) Handle(ctx context.Context, req admission.Request) a
 	logger.Info("validation passed")
 	return admission.Allowed("validation passed")
 }
-
-// InjectDecoder injects the decoder
-func (v *ValidatingWebhook) InjectDecoder(d admission.Decoder) error {
-	v.decoder = d
-	return nil
-}