Use label selector for workload identities validation

gardener · Jan 15, 2025 · 2bb34af · 2bb34af
1 parent b616ceb
commit 2bb34af
Show file tree

Hide file tree

Showing 3 changed files with 1 addition and 27 deletions.
diff --git a/pkg/admission/cmd/options.go b/pkg/admission/cmd/options.go
@@ -16,7 +16,6 @@ func GardenWebhookSwitchOptions() *webhookcmd.SwitchOptions {
 	return webhookcmd.NewSwitchOptions(
 		webhookcmd.Switch(validator.Name, validator.New),
 		webhookcmd.Switch(validator.SecretsValidatorName, validator.NewSecretsWebhook),
-		webhookcmd.Switch(validator.WorkloadIdentitiesValidatorName, validator.NewWorkloadIdentitiesWebhook),
 		webhookcmd.Switch(mutator.Name, mutator.New),
 	)
 }
diff --git a/pkg/admission/validator/webhook.go b/pkg/admission/validator/webhook.go
@@ -44,6 +44,7 @@ func New(mgr manager.Manager) (*extensionswebhook.Webhook, error) {
 			NewSecretBindingValidator(mgr):          {{Obj: &core.SecretBinding{}}},
 			NewCredentialsBindingValidator(mgr):     {{Obj: &security.CredentialsBinding{}}},
 			NewSeedValidator(mgr):                   {{Obj: &core.Seed{}}},
+			NewWorkloadIdentityValidator(serializer.NewCodecFactory(mgr.GetScheme(), serializer.EnableStrict).UniversalDecoder()): {{Obj: &securityv1alpha1.WorkloadIdentity{}}},
 		},
 		Target: extensionswebhook.TargetSeed,
 		ObjectSelector: &metav1.LabelSelector{
@@ -69,22 +70,3 @@ func NewSecretsWebhook(mgr manager.Manager) (*extensionswebhook.Webhook, error)
 		},
 	})
 }
-
-// NewWorkloadIdentitiesWebhook creates a new validation webhook for WorkloadIdentities.
-func NewWorkloadIdentitiesWebhook(mgr manager.Manager) (*extensionswebhook.Webhook, error) {
-	logger.Info("Setting up webhook", "name", WorkloadIdentitiesValidatorName)
-
-	return extensionswebhook.New(mgr, extensionswebhook.Args{
-		Provider: gcp.Type,
-		Name:     WorkloadIdentitiesValidatorName,
-		Path:     "/webhooks/validate/workloadidentities",
-		Validators: map[extensionswebhook.Validator][]extensionswebhook.Type{
-			NewWorkloadIdentityValidator(serializer.NewCodecFactory(mgr.GetScheme(), serializer.EnableStrict).UniversalDecoder()): {{Obj: &securityv1alpha1.WorkloadIdentity{}}},
-		},
-		Target: extensionswebhook.TargetSeed,
-		// TODO(dimityrmirchev): Uncomment this line and use the object selector once Gardener implements https://github.com/gardener/gardener/pull/10786
-		// ObjectSelector: &metav1.LabelSelector{
-		// 	MatchLabels: map[string]string{"provider.extensions.gardener.cloud/gcp": "true"},
-		// },
-	})
-}
diff --git a/pkg/admission/validator/workloadidentity.go b/pkg/admission/validator/workloadidentity.go
@@ -17,7 +17,6 @@ import (
 
 	"github.com/gardener/gardener-extension-provider-gcp/pkg/admission"
 	gcpvalidation "github.com/gardener/gardener-extension-provider-gcp/pkg/apis/gcp/validation"
-	"github.com/gardener/gardener-extension-provider-gcp/pkg/gcp"
 )
 
 type workloadIdentity struct {
@@ -38,12 +37,6 @@ func (wi *workloadIdentity) Validate(_ context.Context, newObj, oldObj client.Ob
 		return fmt.Errorf("wrong object type %T", newObj)
 	}
 
-	// TODO(dimityrmirchev): remove once Gardener implements https://github.com/gardener/gardener/pull/10786
-	// and resources are selected with object selector
-	if workloadIdentity.Spec.TargetSystem.Type != gcp.Type {
-		return nil
-	}
-
 	if workloadIdentity.Spec.TargetSystem.ProviderConfig == nil {
 		return errors.New("the new target system is missing configuration")
 	}