Custom match criteria (#116350)

* Add custom match conditions for CEL admission This PR is based off of, and dependent on the following PR: https://github.com/kubernetes/kubernetes/pull/116261 Signed-off-by: Max Smythe <smythe@google.com> * run `make update` Signed-off-by: Max Smythe <smythe@google.com> * Fix unit tests Signed-off-by: Max Smythe <smythe@google.com> * Fix unit tests Signed-off-by: Max Smythe <smythe@google.com> * Update compatibility test data Signed-off-by: Max Smythe <smythe@google.com> * Revert "Update compatibility test data" This reverts commit 312ba7f9e74e0ec4a7ac1f07bf575479c608af28. * Allow params during validation; make match conditions optional Signed-off-by: Max Smythe <smythe@google.com> * Add conditional ignoring of matcher CEL expression validation on update Signed-off-by: Max Smythe <smythe@google.com> * Run codegen Signed-off-by: Max Smythe <smythe@google.com> * Add more validation tests Signed-off-by: Max Smythe <smythe@google.com> * Short-circuit CEL matcher when no matchers specified Signed-off-by: Max Smythe <smythe@google.com> * Run codegen Signed-off-by: Max Smythe <smythe@google.com> * Address review comments Signed-off-by: Max Smythe <smythe@google.com> --------- Signed-off-by: Max Smythe <smythe@google.com> Kubernetes-commit: e5fd204c33e90a7e8f5a0ee70242f1296a5ec7af
2025-07-31 06:41:52 +00:00 · 2023-03-15 17:23:15 -07:00 · 2023-03-15 17:23:15 -07:00 · 4666344cbc
commit 4666344cbc
parent 38589731da
6 changed files with 87 additions and 4 deletions
--- a/applyconfigurations/admissionregistration/v1alpha1/matchcondition.go
+++ b/applyconfigurations/admissionregistration/v1alpha1/matchcondition.go
@ -0,0 +1,48 @@
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by applyconfiguration-gen. DO NOT EDIT.
+
+package v1alpha1
+
+// MatchConditionApplyConfiguration represents an declarative configuration of the MatchCondition type for use
+// with apply.
+type MatchConditionApplyConfiguration struct {
+	Name       *string `json:"name,omitempty"`
+	Expression *string `json:"expression,omitempty"`
+}
+
+// MatchConditionApplyConfiguration constructs an declarative configuration of the MatchCondition type for use with
+// apply.
+func MatchCondition() *MatchConditionApplyConfiguration {
+	return &MatchConditionApplyConfiguration{}
+}
+
+// WithName sets the Name field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Name field is set to the value of the last call.
+func (b *MatchConditionApplyConfiguration) WithName(value string) *MatchConditionApplyConfiguration {
+	b.Name = &value
+	return b
+}
+
+// WithExpression sets the Expression field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Expression field is set to the value of the last call.
+func (b *MatchConditionApplyConfiguration) WithExpression(value string) *MatchConditionApplyConfiguration {
+	b.Expression = &value
+	return b
+}
--- a/applyconfigurations/admissionregistration/v1alpha1/validatingadmissionpolicyspec.go
+++ b/applyconfigurations/admissionregistration/v1alpha1/validatingadmissionpolicyspec.go
@ -30,6 +30,7 @@ type ValidatingAdmissionPolicySpecApplyConfiguration struct {
 	Validations      []ValidationApplyConfiguration                   `json:"validations,omitempty"`
 	FailurePolicy    *admissionregistrationv1alpha1.FailurePolicyType `json:"failurePolicy,omitempty"`
 	AuditAnnotations []AuditAnnotationApplyConfiguration              `json:"auditAnnotations,omitempty"`
+	MatchConditions  []MatchConditionApplyConfiguration               `json:"matchConditions,omitempty"`
 }

 // ValidatingAdmissionPolicySpecApplyConfiguration constructs an declarative configuration of the ValidatingAdmissionPolicySpec type for use with
@ -87,3 +88,16 @@ func (b *ValidatingAdmissionPolicySpecApplyConfiguration) WithAuditAnnotations(v
 	}
 	return b
 }
+
+// WithMatchConditions adds the given value to the MatchConditions field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, values provided by each call will be appended to the MatchConditions field.
+func (b *ValidatingAdmissionPolicySpecApplyConfiguration) WithMatchConditions(values ...*MatchConditionApplyConfiguration) *ValidatingAdmissionPolicySpecApplyConfiguration {
+	for i := range values {
+		if values[i] == nil {
+			panic("nil value passed to WithMatchConditions")
+		}
+		b.MatchConditions = append(b.MatchConditions, *values[i])
+	}
+	return b
+}
--- a/applyconfigurations/internal/internal.go
+++ b/applyconfigurations/internal/internal.go
@ -274,6 +274,17 @@ var schemaYAML = typed.YAMLObject(`types:
      type:
        scalar: string
      default: ""
+- name: io.k8s.api.admissionregistration.v1alpha1.MatchCondition
+  map:
+    fields:
+    - name: expression
+      type:
+        scalar: string
+      default: ""
+    - name: name
+      type:
+        scalar: string
+      default: ""
 - name: io.k8s.api.admissionregistration.v1alpha1.MatchResources
  map:
    fields:
@ -433,6 +444,14 @@ var schemaYAML = typed.YAMLObject(`types:
    - name: failurePolicy
      type:
        scalar: string
+    - name: matchConditions
+      type:
+        list:
+          elementType:
+            namedType: io.k8s.api.admissionregistration.v1alpha1.MatchCondition
+          elementRelationship: associative
+          keys:
+          - name
    - name: matchConstraints
      type:
        namedType: io.k8s.api.admissionregistration.v1alpha1.MatchResources
--- a/applyconfigurations/utils.go
+++ b/applyconfigurations/utils.go
@ -145,6 +145,8 @@ func ForKind(kind schema.GroupVersionKind) interface{} {
 		return &admissionregistrationv1alpha1.AuditAnnotationApplyConfiguration{}
 	case v1alpha1.SchemeGroupVersion.WithKind("ExpressionWarning"):
 		return &admissionregistrationv1alpha1.ExpressionWarningApplyConfiguration{}
+	case v1alpha1.SchemeGroupVersion.WithKind("MatchCondition"):
+		return &admissionregistrationv1alpha1.MatchConditionApplyConfiguration{}
 	case v1alpha1.SchemeGroupVersion.WithKind("MatchResources"):
 		return &admissionregistrationv1alpha1.MatchResourcesApplyConfiguration{}
 	case v1alpha1.SchemeGroupVersion.WithKind("NamedRuleWithOperations"):
--- a/go.mod
+++ b/go.mod
@ -24,7 +24,7 @@ require (
 	golang.org/x/term v0.6.0
 	golang.org/x/time v0.0.0-20220210224613-90d013bbcef8
 	google.golang.org/protobuf v1.28.1
-	k8s.io/api v0.0.0-20230315032826-0b4c449988b1
+	k8s.io/api v0.0.0-20230316002315-c80582ebe125
 	k8s.io/apimachinery v0.0.0-20230315054728-8d1258da8f38
 	k8s.io/klog/v2 v2.90.1
 	k8s.io/kube-openapi v0.0.0-20230308215209-15aac26d736a
@ -59,6 +59,6 @@ require (
 )

 replace (
-	k8s.io/api => k8s.io/api v0.0.0-20230315032826-0b4c449988b1
+	k8s.io/api => k8s.io/api v0.0.0-20230316002315-c80582ebe125
 	k8s.io/apimachinery => k8s.io/apimachinery v0.0.0-20230315054728-8d1258da8f38
 )
--- a/go.sum
+++ b/go.sum
@ -477,8 +477,8 @@ honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWh
 honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg=
 honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
 honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
-k8s.io/api v0.0.0-20230315032826-0b4c449988b1 h1:wlCdY1kqV0RkfnfRr4mEZ3fGJ1VvLelr5Q2vCnCICIo=
-k8s.io/api v0.0.0-20230315032826-0b4c449988b1/go.mod h1:aZ6MBt4NMLXSxkSKFkoDaP4hTutnZIvH5dCSpOis9g4=
+k8s.io/api v0.0.0-20230316002315-c80582ebe125 h1:sNLUUpJNxIYmttU1YQIm4nhSD2jK3wOkSQVsqhlFh2A=
+k8s.io/api v0.0.0-20230316002315-c80582ebe125/go.mod h1:aZ6MBt4NMLXSxkSKFkoDaP4hTutnZIvH5dCSpOis9g4=
 k8s.io/apimachinery v0.0.0-20230315054728-8d1258da8f38 h1:n1qDRCTPAXwyXYg7eSpWDO9FdW79lwAQ9dAr1vETpn4=
 k8s.io/apimachinery v0.0.0-20230315054728-8d1258da8f38/go.mod h1:5ikh59fK3AJ287GUvpUsryoMFtH9zj/ARfWCo3AyXTM=
 k8s.io/klog/v2 v2.90.1 h1:m4bYOKall2MmOiRaR1J+We67Do7vm9KiQVlT96lnHUw=