Merge branch 'openkruise:master' into update-vertical

Author: abhi0324

.github/workflows/ci.yaml

@@ -127,7 +127,7 @@ jobs:
           make test
           git status
       - name: Publish Unit Test Coverage
-        uses: codecov/codecov-action@0565863a31f2c772f9f0395002a31e3f06189574 # v5.4.0
+        uses: codecov/codecov-action@18283e04ce6e62d37312384ff67231eb8fd56d24 # v5.4.3
         env:
           CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
         with:

CONTRIBUTING.md

@@ -89,7 +89,7 @@ We encourage contributors to follow the [PR template](./.github/PULL_REQUEST_TEM
 As a contributor, if you want to make any contribution to the Kruise project, we should reach an agreement on the version of tools used in the development environment.
 Here are some dependencies with specific versions:
 
-- Golang : v1.18+
+- Golang : v1.22+
 - Kubernetes: v1.16+
 
 ### Developing guide

SECURITY_CONTACTS.md

@@ -1,6 +1,6 @@
 Defined below are the security persons of contact for this project. If you have questions regarding the triaging and handling of incoming problems, they may be contacted.
 
-The following security contacts have agreed to abide by the Embargo Policy $LINK and will be removed and replaced if found to be in violation of that agreement.
+The following security contacts have agreed to abide by the [Embargo Policy](embargo-policy.md) and will be removed and replaced if found to be in violation of that agreement.
 
 DO NOT REPORT SECURITY VULNERABILITIES DIRECTLY TO THESE NAMES, USE THE INSTRUCTIONS AT [SECURITY.md](SECURITY.md)
 

pkg/control/sidecarcontrol/fuzz_util_test.go

@@ -0,0 +1,63 @@
+package sidecarcontrol
+
+import (
+	"encoding/json"
+	"testing"
+
+	fuzz "github.com/AdaLogics/go-fuzz-headers"
+	appsv1alpha1 "github.com/openkruise/kruise/apis/apps/v1alpha1"
+	fuzzutils "github.com/openkruise/kruise/test/fuzz"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+func FuzzPatchPodMetadata(f *testing.F) {
+	f.Fuzz(func(t *testing.T, data []byte) {
+		cf := fuzz.NewConsumer(data)
+		metadata := &metav1.ObjectMeta{}
+		if err := cf.GenerateStruct(metadata); err != nil {
+			return
+		}
+
+		jsonPatch, err := cf.GetBool()
+		if err != nil {
+			return
+		}
+
+		patch, err := fuzzutils.GeneratePatchPodMetadata(cf, jsonPatch)
+		if err != nil || patch == nil {
+			return
+		}
+
+		// Make sure there is a probability that the same key exists.
+		if exist, err := cf.GetBool(); exist && err == nil {
+			for key := range patch.Annotations {
+				if jsonPatch {
+					m := make(map[string]string)
+					if err := cf.FuzzMap(&m); err != nil {
+						return
+					}
+					bytes, _ := json.Marshal(m)
+					metadata.GetAnnotations()[key] = string(bytes)
+				} else {
+					val, err := cf.GetString()
+					if err != nil {
+						return
+					}
+					metadata.GetAnnotations()[key] = val
+				}
+			}
+		}
+
+		_, err = PatchPodMetadata(metadata, []appsv1alpha1.SidecarSetPatchPodMetadata{*patch})
+		// Because function can capture panic error, so here to deal with the errors due to panic,
+		// Meanwhile, the error of the failed Patch merge in JSON format needs to be ignored.
+		if err != nil {
+			if !jsonPatch && patch.PatchPolicy == appsv1alpha1.SidecarSetMergePatchJsonPatchPolicy {
+				t.Logf("Ignore patch merge in JSON format failed: %s", err)
+				return
+			}
+			// The panic error will be printed.
+			t.Errorf("Panic: %s", err)
+		}
+	})
+}

pkg/controller/uniteddeployment/fuzz_uniteddeployment_controller_test.go

@@ -47,7 +47,7 @@ func FuzzParseSubsetReplicas(f *testing.F) {
 		}
 		udReplicas := int32(udReplicasInt)
 
-		subsetReplicas, err := fuzzutils.GenerateSubsetReplicas(cf)
+		subsetReplicas, err := fuzzutils.GenerateIntOrString(cf)
 		if err != nil {
 			return
 		}

pkg/webhook/pod/mutating/fuzz_sidecarset_test.go

@@ -0,0 +1,106 @@
+package mutating
+
+import (
+	"context"
+	"testing"
+
+	fuzz "github.com/AdaLogics/go-fuzz-headers"
+	appsv1alpha1 "github.com/openkruise/kruise/apis/apps/v1alpha1"
+	"github.com/openkruise/kruise/pkg/util/fieldindex"
+	fuzzutils "github.com/openkruise/kruise/test/fuzz"
+	admissionv1 "k8s.io/api/admission/v1"
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	clientgoscheme "k8s.io/client-go/kubernetes/scheme"
+	"sigs.k8s.io/controller-runtime/pkg/client/fake"
+	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
+)
+
+var (
+	fakeScheme = runtime.NewScheme()
+
+	defaultPod = &corev1.Pod{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "test-pod",
+			Namespace: "default",
+			Labels:    map[string]string{"app": "fuzz-test"},
+		},
+		Spec: corev1.PodSpec{
+			InitContainers: []corev1.Container{
+				{
+					Name:  "init-0",
+					Image: "busybox:1.0.0",
+				},
+			},
+			Containers: []corev1.Container{
+				{
+					Name:  "nginx",
+					Image: "nginx:1.15.1",
+				},
+			},
+		},
+	}
+
+	req = admission.Request{
+		AdmissionRequest: admissionv1.AdmissionRequest{
+			Operation:   admissionv1.Create,
+			Object:      runtime.RawExtension{},
+			OldObject:   runtime.RawExtension{},
+			Resource:    metav1.GroupVersionResource{Group: corev1.SchemeGroupVersion.Group, Version: corev1.SchemeGroupVersion.Version, Resource: "pods"},
+			SubResource: "",
+		},
+	}
+)
+
+func init() {
+	_ = clientgoscheme.AddToScheme(fakeScheme)
+	_ = appsv1alpha1.AddToScheme(fakeScheme)
+	_ = appsv1alpha1.AddToScheme(clientgoscheme.Scheme)
+}
+
+func FuzzSidecarSetMutatingPod(f *testing.F) {
+	f.Fuzz(func(t *testing.T, data []byte) {
+		cf := fuzz.NewConsumer(data)
+
+		sidecarSet := &appsv1alpha1.SidecarSet{}
+		if err := cf.GenerateStruct(sidecarSet); err != nil {
+			return
+		}
+
+		if err := fuzzutils.GenerateSidecarSetSpec(cf, sidecarSet,
+			fuzzutils.GenerateSidecarSetUpdateStrategy,
+			fuzzutils.GenerateSidecarSetInjectionStrategy,
+			fuzzutils.GenerateSidecarSetInitContainer,
+			fuzzutils.GenerateSidecarSetContainer,
+			fuzzutils.GenerateSidecarSetPatchPodMetadata); err != nil {
+			return
+		}
+		matched, err := cf.GetBool()
+		if err != nil {
+			return
+		}
+		if matched {
+			// Make sure can select to defaultPod
+			sidecarSet.Spec.Selector.MatchLabels = defaultPod.GetLabels()
+			sidecarSet.Spec.Selector.MatchExpressions = nil
+			sidecarSet.Spec.Namespace = defaultPod.GetNamespace()
+			sidecarSet.Spec.NamespaceSelector = nil
+			sidecarSet.Spec.InjectionStrategy.Revision = nil
+		}
+
+		if sidecarSet.GetDeletionTimestamp() != nil && len(sidecarSet.GetFinalizers()) == 0 {
+			sidecarSet.SetDeletionTimestamp(nil)
+		}
+
+		c := fake.NewClientBuilder().WithObjects(sidecarSet).WithIndex(
+			&appsv1alpha1.SidecarSet{}, fieldindex.IndexNameForSidecarSetNamespace, fieldindex.IndexSidecarSet,
+		).WithScheme(fakeScheme).Build()
+
+		handler := &PodCreateHandler{
+			Decoder: admission.NewDecoder(fakeScheme),
+			Client:  c,
+		}
+		_, _ = handler.sidecarsetMutatingPod(context.Background(), req, defaultPod)
+	})
+}

pkg/webhook/sidecarset/validating/fuzz_sidecarset_validation_test.go

@@ -0,0 +1,135 @@
+/*
+Copyright 2025 The Kruise Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+	http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package validating
+
+import (
+	"encoding/json"
+	"testing"
+
+	fuzz "github.com/AdaLogics/go-fuzz-headers"
+	appsv1alpha1 "github.com/openkruise/kruise/apis/apps/v1alpha1"
+	"github.com/openkruise/kruise/pkg/control/sidecarcontrol"
+	"github.com/openkruise/kruise/pkg/util"
+	"github.com/openkruise/kruise/pkg/util/configuration"
+	webhookutil "github.com/openkruise/kruise/pkg/webhook/util"
+	fuzzutils "github.com/openkruise/kruise/test/fuzz"
+	apps "k8s.io/api/apps/v1"
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/util/validation/field"
+	clientgoscheme "k8s.io/client-go/kubernetes/scheme"
+	"sigs.k8s.io/controller-runtime/pkg/client/fake"
+	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
+)
+
+var (
+	fakeScheme = runtime.NewScheme()
+)
+
+func init() {
+	_ = clientgoscheme.AddToScheme(fakeScheme)
+	_ = appsv1alpha1.AddToScheme(fakeScheme)
+	_ = appsv1alpha1.AddToScheme(clientgoscheme.Scheme)
+}
+
+func FuzzValidateSidecarSetSpec(f *testing.F) {
+	f.Fuzz(func(t *testing.T, data []byte) {
+		cf := fuzz.NewConsumer(data)
+
+		ss := &appsv1alpha1.SidecarSet{}
+		if err := cf.GenerateStruct(ss); err != nil {
+			return
+		}
+
+		if err := fuzzutils.GenerateSidecarSetSpec(cf, ss,
+			fuzzutils.GenerateSidecarSetSelector,
+			fuzzutils.GenerateSidecarSetNamespace,
+			fuzzutils.GenerateSidecarSetNamespaceSelector,
+			fuzzutils.GenerateSidecarSetInitContainer,
+			fuzzutils.GenerateSidecarSetContainer,
+			fuzzutils.GenerateSidecarSetUpdateStrategy,
+			fuzzutils.GenerateSidecarSetInjectionStrategy,
+			fuzzutils.GenerateSidecarSetPatchPodMetadata); err != nil {
+			return
+		}
+
+		h, err := newFakeSidecarSetCreateUpdateHandler(cf, ss)
+		if err != nil {
+			return
+		}
+
+		_ = h.validateSidecarSetSpec(ss, field.NewPath("spec"))
+	})
+}
+
+func newFakeSidecarSetCreateUpdateHandler(cf *fuzz.ConsumeFuzzer, ss *appsv1alpha1.SidecarSet) (*SidecarSetCreateUpdateHandler, error) {
+	name, hash := "", ""
+	if ss.Spec.InjectionStrategy.Revision != nil && ss.Spec.InjectionStrategy.Revision.RevisionName != nil {
+		name = *ss.Spec.InjectionStrategy.Revision.RevisionName
+	}
+
+	if ss.Spec.InjectionStrategy.Revision != nil && ss.Spec.InjectionStrategy.Revision.CustomVersion != nil {
+		hash = *ss.Spec.InjectionStrategy.Revision.CustomVersion
+	}
+
+	object := &apps.ControllerRevision{
+		ObjectMeta: metav1.ObjectMeta{
+			Namespace: webhookutil.GetNamespace(),
+			Name:      name,
+		},
+	}
+
+	objectList := &apps.ControllerRevisionList{
+		Items: []apps.ControllerRevision{
+			{
+				ObjectMeta: metav1.ObjectMeta{
+					Namespace: webhookutil.GetNamespace(),
+					Name:      "default",
+					Labels: map[string]string{
+						sidecarcontrol.SidecarSetKindName:         ss.GetName(),
+						appsv1alpha1.SidecarSetCustomVersionLabel: hash,
+					},
+				},
+			},
+		},
+	}
+
+	whiteList := &configuration.SidecarSetPatchMetadataWhiteList{}
+	if err := fuzzutils.GenerateSidecarSetWhiteListRule(cf, whiteList); err != nil {
+		return nil, err
+	}
+	whiteListJson, err := json.Marshal(whiteList)
+	if err != nil {
+		return nil, err
+	}
+
+	config := &corev1.ConfigMap{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      configuration.KruiseConfigurationName,
+			Namespace: util.GetKruiseNamespace(),
+		},
+		Data: map[string]string{
+			configuration.SidecarSetPatchPodMetadataWhiteListKey: string(whiteListJson),
+		},
+	}
+
+	return &SidecarSetCreateUpdateHandler{
+		Client:  fake.NewClientBuilder().WithScheme(fakeScheme).WithObjects(object, config).WithLists(objectList).Build(),
+		Decoder: admission.NewDecoder(fakeScheme),
+	}, err
+}

pkg/webhook/workloadspread/validating/fuzz_workloadspread_validation_test.go

@@ -17,9 +17,14 @@ limitations under the License.
 package validating
 
 import (
+	"encoding/json"
 	"testing"
 
 	fuzz "github.com/AdaLogics/go-fuzz-headers"
+	appsv1alpha1 "github.com/openkruise/kruise/apis/apps/v1alpha1"
+	"github.com/openkruise/kruise/pkg/util"
+	"github.com/openkruise/kruise/pkg/util/configuration"
+	fuzzutils "github.com/openkruise/kruise/test/fuzz"
 	appsv1 "k8s.io/api/apps/v1"
 	batchv1 "k8s.io/api/batch/v1"
 	corev1 "k8s.io/api/core/v1"
@@ -28,9 +33,6 @@ import (
 	"k8s.io/apimachinery/pkg/util/validation/field"
 	clientgoscheme "k8s.io/client-go/kubernetes/scheme"
 	"sigs.k8s.io/controller-runtime/pkg/client/fake"
-
-	appsv1alpha1 "github.com/openkruise/kruise/apis/apps/v1alpha1"
-	fuzzutils "github.com/openkruise/kruise/test/fuzz"
 )
 
 var (
@@ -64,15 +66,13 @@ func FuzzValidateWorkloadSpreadSpec(f *testing.F) {
 			return
 		}
 
-		whiteList, err := cf.GetString()
-		if err != nil {
+		whiteList := &configuration.WSCustomWorkloadWhiteList{}
+		if err := fuzzutils.GenerateWorkloadSpreadWhiteList(cf, whiteList); err != nil {
 			return
 		}
-		if validWhiteList, err := cf.GetBool(); err == nil && validWhiteList {
-			whiteList = "{\"workloads\":[{\"Group\":\"test\",\"Kind\":\"TFJob\"}]}"
-			if matched, err := cf.GetBool(); err == nil && matched {
-				whiteList = "{\"workloads\":[{\"Group\":\"training.kubedl.io\",\"Kind\":\"TFJob\"}]}"
-			}
+		whiteListJson, err := json.Marshal(whiteList)
+		if err != nil {
+			return
 		}
 
 		fakeClient := fake.NewClientBuilder().
@@ -82,8 +82,8 @@ func FuzzValidateWorkloadSpreadSpec(f *testing.F) {
 				&appsv1.StatefulSet{ObjectMeta: metav1.ObjectMeta{Name: "valid-target", Namespace: "default"}},
 				&batchv1.Job{ObjectMeta: metav1.ObjectMeta{Name: "valid-target", Namespace: "default"}},
 				&appsv1.ReplicaSet{ObjectMeta: metav1.ObjectMeta{Name: "valid-target", Namespace: "default"}},
-				&corev1.ConfigMap{ObjectMeta: metav1.ObjectMeta{Name: "kruise-configuration", Namespace: "kruise-system"},
-					Data: map[string]string{"WorkloadSpread_Watch_Custom_Workload_WhiteList": whiteList}},
+				&corev1.ConfigMap{ObjectMeta: metav1.ObjectMeta{Name: configuration.KruiseConfigurationName, Namespace: util.GetKruiseNamespace()},
+					Data: map[string]string{configuration.WSWatchCustomWorkloadWhiteList: string(whiteListJson)}},
 			).Build()
 
 		h := &WorkloadSpreadCreateUpdateHandler{Client: fakeClient}