ValidatingAdmissionPolicy controller for Type Checking (#117377)

* [API REVIEW] ValidatingAdmissionPolicyStatucController config. worker count. * ValidatingAdmissionPolicyStatus controller. * remove CEL typechecking from API server. * fix initializer tests. * remove type checking integration tests from API server integration tests. * validatingadmissionpolicy-status options. * grant access to VAP controller. * add defaulting unit test. * generated: ./hack/update-codegen.sh * add OWNERS for VAP status controller. * type checking test case.
2026-01-05 07:27:21 +00:00 · 2023-07-13 13:41:50 -07:00
parent a9e40bd7c6
commit 049614f884
42 changed files with 2242 additions and 1392 deletions
--- a/cmd/kube-controller-manager/app/controllermanager.go
+++ b/cmd/kube-controller-manager/app/controllermanager.go
@@ -484,6 +484,9 @@ func NewControllerInitializers(loopMode ControllerLoopMode) map[string]InitFunc
 	if utilfeature.DefaultFeatureGate.Enabled(kubefeatures.LegacyServiceAccountTokenCleanUp) {
 		register(names.LegacyServiceAccountTokenCleanerController, startLegacySATokenCleaner)
 	}
+	if utilfeature.DefaultFeatureGate.Enabled(genericfeatures.ValidatingAdmissionPolicy) {
+		register("validatingadmissionpolicy-status-controller", startValidatingAdmissionPolicyStatusController)
+	}

 	return controllers
 }
--- a/cmd/kube-controller-manager/app/options/options.go
+++ b/cmd/kube-controller-manager/app/options/options.go
@@ -62,31 +62,32 @@ type KubeControllerManagerOptions struct {
 	KubeCloudShared   *cpoptions.KubeCloudSharedOptions
 	ServiceController *cpoptions.ServiceControllerOptions

-	AttachDetachController           *AttachDetachControllerOptions
-	CSRSigningController             *CSRSigningControllerOptions
-	DaemonSetController              *DaemonSetControllerOptions
-	DeploymentController             *DeploymentControllerOptions
-	StatefulSetController            *StatefulSetControllerOptions
-	DeprecatedFlags                  *DeprecatedControllerOptions
-	EndpointController               *EndpointControllerOptions
-	EndpointSliceController          *EndpointSliceControllerOptions
-	EndpointSliceMirroringController *EndpointSliceMirroringControllerOptions
-	EphemeralVolumeController        *EphemeralVolumeControllerOptions
-	GarbageCollectorController       *GarbageCollectorControllerOptions
-	HPAController                    *HPAControllerOptions
-	JobController                    *JobControllerOptions
-	CronJobController                *CronJobControllerOptions
-	LegacySATokenCleaner             *LegacySATokenCleanerOptions
-	NamespaceController              *NamespaceControllerOptions
-	NodeIPAMController               *NodeIPAMControllerOptions
-	NodeLifecycleController          *NodeLifecycleControllerOptions
-	PersistentVolumeBinderController *PersistentVolumeBinderControllerOptions
-	PodGCController                  *PodGCControllerOptions
-	ReplicaSetController             *ReplicaSetControllerOptions
-	ReplicationController            *ReplicationControllerOptions
-	ResourceQuotaController          *ResourceQuotaControllerOptions
-	SAController                     *SAControllerOptions
-	TTLAfterFinishedController       *TTLAfterFinishedControllerOptions
+	AttachDetachController                    *AttachDetachControllerOptions
+	CSRSigningController                      *CSRSigningControllerOptions
+	DaemonSetController                       *DaemonSetControllerOptions
+	DeploymentController                      *DeploymentControllerOptions
+	StatefulSetController                     *StatefulSetControllerOptions
+	DeprecatedFlags                           *DeprecatedControllerOptions
+	EndpointController                        *EndpointControllerOptions
+	EndpointSliceController                   *EndpointSliceControllerOptions
+	EndpointSliceMirroringController          *EndpointSliceMirroringControllerOptions
+	EphemeralVolumeController                 *EphemeralVolumeControllerOptions
+	GarbageCollectorController                *GarbageCollectorControllerOptions
+	HPAController                             *HPAControllerOptions
+	JobController                             *JobControllerOptions
+	CronJobController                         *CronJobControllerOptions
+	LegacySATokenCleaner                      *LegacySATokenCleanerOptions
+	NamespaceController                       *NamespaceControllerOptions
+	NodeIPAMController                        *NodeIPAMControllerOptions
+	NodeLifecycleController                   *NodeLifecycleControllerOptions
+	PersistentVolumeBinderController          *PersistentVolumeBinderControllerOptions
+	PodGCController                           *PodGCControllerOptions
+	ReplicaSetController                      *ReplicaSetControllerOptions
+	ReplicationController                     *ReplicationControllerOptions
+	ResourceQuotaController                   *ResourceQuotaControllerOptions
+	SAController                              *SAControllerOptions
+	TTLAfterFinishedController                *TTLAfterFinishedControllerOptions
+	ValidatingAdmissionPolicyStatusController *ValidatingAdmissionPolicyStatusControllerOptions

 	SecureServing  *apiserveroptions.SecureServingOptionsWithLoopback
 	Authentication *apiserveroptions.DelegatingAuthenticationOptions
@@ -186,6 +187,9 @@ func NewKubeControllerManagerOptions() (*KubeControllerManagerOptions, error) {
 		TTLAfterFinishedController: &TTLAfterFinishedControllerOptions{
 			&componentConfig.TTLAfterFinishedController,
 		},
+		ValidatingAdmissionPolicyStatusController: &ValidatingAdmissionPolicyStatusControllerOptions{
+			&componentConfig.ValidatingAdmissionPolicyStatusController,
+		},
 		SecureServing:  apiserveroptions.NewSecureServingOptions().WithLoopback(),
 		Authentication: apiserveroptions.NewDelegatingAuthenticationOptions(),
 		Authorization:  apiserveroptions.NewDelegatingAuthorizationOptions(),
@@ -261,6 +265,7 @@ func (s *KubeControllerManagerOptions) Flags(allControllers []string, disabledBy
 	s.ResourceQuotaController.AddFlags(fss.FlagSet(names.ResourceQuotaController))
 	s.SAController.AddFlags(fss.FlagSet(names.ServiceAccountController))
 	s.TTLAfterFinishedController.AddFlags(fss.FlagSet(names.TTLAfterFinishedController))
+	s.ValidatingAdmissionPolicyStatusController.AddFlags(fss.FlagSet(names.ValidatingAdmissionPolicyStatusController))

 	s.Metrics.AddFlags(fss.FlagSet("metrics"))
 	logsapi.AddFlags(s.Logs, fss.FlagSet("logs"))
@@ -359,6 +364,9 @@ func (s *KubeControllerManagerOptions) ApplyTo(c *kubecontrollerconfig.Config, a
 	if err := s.TTLAfterFinishedController.ApplyTo(&c.ComponentConfig.TTLAfterFinishedController); err != nil {
 		return err
 	}
+	if err := s.ValidatingAdmissionPolicyStatusController.ApplyTo(&c.ComponentConfig.ValidatingAdmissionPolicyStatusController); err != nil {
+		return err
+	}
 	if err := s.SecureServing.ApplyTo(&c.SecureServing, &c.LoopbackClientConfig); err != nil {
 		return err
 	}
--- a/cmd/kube-controller-manager/app/options/options_test.go
+++ b/cmd/kube-controller-manager/app/options/options_test.go
@@ -63,6 +63,7 @@ import (
 	serviceaccountconfig "k8s.io/kubernetes/pkg/controller/serviceaccount/config"
 	statefulsetconfig "k8s.io/kubernetes/pkg/controller/statefulset/config"
 	ttlafterfinishedconfig "k8s.io/kubernetes/pkg/controller/ttlafterfinished/config"
+	validatingadmissionpolicystatusconfig "k8s.io/kubernetes/pkg/controller/validatingadmissionpolicystatus/config"
 	attachdetachconfig "k8s.io/kubernetes/pkg/controller/volume/attachdetach/config"
 	ephemeralvolumeconfig "k8s.io/kubernetes/pkg/controller/volume/ephemeral/config"
 	persistentvolumeconfig "k8s.io/kubernetes/pkg/controller/volume/persistentvolume/config"
@@ -101,6 +102,7 @@ var args = []string{
 	"--concurrent-service-syncs=2",
 	"--concurrent-serviceaccount-token-syncs=10",
 	"--concurrent_rc_syncs=10",
+	"--concurrent-validating-admission-policy-status-syncs=9",
 	"--configure-cloud-routes=false",
 	"--contention-profiling=true",
 	"--controller-start-interval=2m",
@@ -409,6 +411,11 @@ func TestAddFlags(t *testing.T) {
 				ConcurrentTTLSyncs: 8,
 			},
 		},
+		ValidatingAdmissionPolicyStatusController: &ValidatingAdmissionPolicyStatusControllerOptions{
+			&validatingadmissionpolicystatusconfig.ValidatingAdmissionPolicyStatusControllerConfiguration{
+				ConcurrentPolicySyncs: 9,
+			},
+		},
 		SecureServing: (&apiserveroptions.SecureServingOptions{
 			BindPort:    10001,
 			BindAddress: netutils.ParseIPSloppy("192.168.4.21"),
@@ -640,6 +647,9 @@ func TestApplyTo(t *testing.T) {
 			TTLAfterFinishedController: ttlafterfinishedconfig.TTLAfterFinishedControllerConfiguration{
 				ConcurrentTTLSyncs: 8,
 			},
+			ValidatingAdmissionPolicyStatusController: validatingadmissionpolicystatusconfig.ValidatingAdmissionPolicyStatusControllerConfiguration{
+				ConcurrentPolicySyncs: 9,
+			},
 		},
 	}

--- a/cmd/kube-controller-manager/app/options/validatingadmissionpolicycontroller.go
+++ b/cmd/kube-controller-manager/app/options/validatingadmissionpolicycontroller.go
@@ -0,0 +1,63 @@
+/*
+Copyright 2023 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package options
+
+import (
+	"fmt"
+
+	"github.com/spf13/pflag"
+
+	validatingadmissionpolicystatusconfig "k8s.io/kubernetes/pkg/controller/validatingadmissionpolicystatus/config"
+)
+
+// ValidatingAdmissionPolicyStatusControllerOptions holds the ValidatingAdmissionPolicyStatusController options.
+type ValidatingAdmissionPolicyStatusControllerOptions struct {
+	*validatingadmissionpolicystatusconfig.ValidatingAdmissionPolicyStatusControllerConfiguration
+}
+
+// AddFlags adds flags related to ValidatingAdmissionPolicyStatusController for controller manager to the specified FlagSet.
+func (o *ValidatingAdmissionPolicyStatusControllerOptions) AddFlags(fs *pflag.FlagSet) {
+	if o == nil {
+		return
+	}
+
+	fs.Int32Var(&o.ConcurrentPolicySyncs, "concurrent-validating-admission-policy-status-syncs", o.ConcurrentPolicySyncs, "The number of ValidatingAdmissionPolicyStatusController workers that are allowed to sync concurrently.")
+}
+
+// ApplyTo fills up ValidatingAdmissionPolicyStatusController config with options.
+func (o *ValidatingAdmissionPolicyStatusControllerOptions) ApplyTo(cfg *validatingadmissionpolicystatusconfig.ValidatingAdmissionPolicyStatusControllerConfiguration) error {
+	if o == nil {
+		return nil
+	}
+
+	cfg.ConcurrentPolicySyncs = o.ConcurrentPolicySyncs
+
+	return nil
+}
+
+// Validate checks validation of ValidatingAdmissionPolicyStatusControllerOptions.
+func (o *ValidatingAdmissionPolicyStatusControllerOptions) Validate() []error {
+	if o == nil {
+		return nil
+	}
+	var errs []error
+	if o.ConcurrentPolicySyncs <= 0 {
+		// omits controller or flag names because the CLI already includes these in the message.
+		errs = append(errs, fmt.Errorf("must be positive, got %d", o.ConcurrentPolicySyncs))
+	}
+	return errs
+}
--- a/cmd/kube-controller-manager/app/validatingadmissionpolicystatus.go
+++ b/cmd/kube-controller-manager/app/validatingadmissionpolicystatus.go
@@ -0,0 +1,51 @@
+/*
+Copyright 2023 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package app
+
+import (
+	"context"
+
+	admissionregistrationv1alpha1 "k8s.io/api/admissionregistration/v1alpha1"
+	pluginvalidatingadmissionpolicy "k8s.io/apiserver/pkg/admission/plugin/validatingadmissionpolicy"
+	"k8s.io/apiserver/pkg/cel/openapi/resolver"
+	"k8s.io/client-go/kubernetes/scheme"
+	"k8s.io/controller-manager/controller"
+	"k8s.io/kubernetes/pkg/controller/validatingadmissionpolicystatus"
+	"k8s.io/kubernetes/pkg/generated/openapi"
+)
+
+var validatingAdmissionPolicyResource = admissionregistrationv1alpha1.SchemeGroupVersion.WithResource("validatingadmissionpolicies")
+
+func startValidatingAdmissionPolicyStatusController(ctx context.Context, controllerContext ControllerContext) (controller.Interface, bool, error) {
+	// intended check against served resource but not feature gate.
+	// KCM won't start the controller without the feature gate set.
+	if !controllerContext.AvailableResources[validatingAdmissionPolicyResource] {
+		return nil, false, nil
+	}
+	typeChecker := &pluginvalidatingadmissionpolicy.TypeChecker{
+		SchemaResolver: resolver.NewDefinitionsSchemaResolver(scheme.Scheme, openapi.GetOpenAPIDefinitions),
+		RestMapper:     controllerContext.RESTMapper,
+	}
+	c, err := validatingadmissionpolicystatus.NewController(
+		controllerContext.InformerFactory.Admissionregistration().V1alpha1().ValidatingAdmissionPolicies(),
+		controllerContext.ClientBuilder.ClientOrDie("validatingadmissionpolicy-status-controller").AdmissionregistrationV1alpha1().ValidatingAdmissionPolicies(),
+		typeChecker,
+	)
+
+	go c.Run(ctx, int(controllerContext.ComponentConfig.ValidatingAdmissionPolicyStatusController.ConcurrentPolicySyncs))
+	return nil, true, err
+}
--- a/cmd/kube-controller-manager/names/controller_names.go
+++ b/cmd/kube-controller-manager/names/controller_names.go
@@ -86,6 +86,7 @@ const (
 	StorageVersionGarbageCollectorController     = "storageversion-garbage-collector-controller"
 	ResourceClaimController                      = "resourceclaim-controller"
 	LegacyServiceAccountTokenCleanerController   = "legacy-serviceaccount-token-cleaner-controller"
+	ValidatingAdmissionPolicyStatusController    = "validatingadmissionpolicy-status-controller"
 )

 // KCMControllerAliases returns a mapping of aliases to canonical controller names