diff --git a/cmd/kube-controller-manager/app/validatingadmissionpolicystatus.go b/cmd/kube-controller-manager/app/validatingadmissionpolicystatus.go index 2c143ef623f..ce6e58f693b 100644 --- a/cmd/kube-controller-manager/app/validatingadmissionpolicystatus.go +++ b/cmd/kube-controller-manager/app/validatingadmissionpolicystatus.go @@ -22,7 +22,6 @@ import ( apiextensionsscheme "k8s.io/apiextensions-apiserver/pkg/client/clientset/clientset/scheme" pluginvalidatingadmissionpolicy "k8s.io/apiserver/pkg/admission/plugin/policy/validating" "k8s.io/apiserver/pkg/cel/openapi/resolver" - genericfeatures "k8s.io/apiserver/pkg/features" k8sscheme "k8s.io/client-go/kubernetes/scheme" "k8s.io/component-base/featuregate" "k8s.io/controller-manager/controller" @@ -33,11 +32,9 @@ import ( func newValidatingAdmissionPolicyStatusControllerDescriptor() *ControllerDescriptor { return &ControllerDescriptor{ - name: names.ValidatingAdmissionPolicyStatusController, - initFunc: startValidatingAdmissionPolicyStatusController, - requiredFeatureGates: []featuregate.Feature{ - genericfeatures.ValidatingAdmissionPolicy, - }, + name: names.ValidatingAdmissionPolicyStatusController, + initFunc: startValidatingAdmissionPolicyStatusController, + requiredFeatureGates: []featuregate.Feature{}, } } diff --git a/pkg/features/kube_features.go b/pkg/features/kube_features.go index 261760d6aae..1542b9ff605 100644 --- a/pkg/features/kube_features.go +++ b/pkg/features/kube_features.go @@ -1281,8 +1281,6 @@ var defaultKubernetesFeatureGates = map[featuregate.Feature]featuregate.FeatureS genericfeatures.UnauthenticatedHTTP2DOSMitigation: {Default: true, PreRelease: featuregate.Beta}, - genericfeatures.ValidatingAdmissionPolicy: {Default: true, PreRelease: featuregate.GA, LockToDefault: true}, // remove in 1.32 - genericfeatures.WatchBookmark: {Default: true, PreRelease: featuregate.GA, LockToDefault: true}, genericfeatures.WatchCacheInitializationPostStartHook: {Default: false, PreRelease: featuregate.Beta}, diff --git a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/controller_policy.go b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/controller_policy.go index ea28632ccf6..11a50c0109d 100644 --- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/controller_policy.go +++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/controller_policy.go @@ -446,18 +446,17 @@ func buildControllerRoles() ([]rbacv1.ClusterRole, []rbacv1.ClusterRoleBinding) eventsRule(), }, }) - if utilfeature.DefaultFeatureGate.Enabled(genericfeatures.ValidatingAdmissionPolicy) { - addControllerRole(&controllerRoles, &controllerRoleBindings, rbacv1.ClusterRole{ - ObjectMeta: metav1.ObjectMeta{Name: saRolePrefix + "validatingadmissionpolicy-status-controller"}, - Rules: []rbacv1.PolicyRule{ - rbacv1helpers.NewRule("get", "list", "watch").Groups(admissionRegistrationGroup). - Resources("validatingadmissionpolicies").RuleOrDie(), - rbacv1helpers.NewRule("get", "patch", "update").Groups(admissionRegistrationGroup). - Resources("validatingadmissionpolicies/status").RuleOrDie(), - eventsRule(), - }, - }) - } + addControllerRole(&controllerRoles, &controllerRoleBindings, rbacv1.ClusterRole{ + ObjectMeta: metav1.ObjectMeta{Name: saRolePrefix + "validatingadmissionpolicy-status-controller"}, + Rules: []rbacv1.PolicyRule{ + rbacv1helpers.NewRule("get", "list", "watch").Groups(admissionRegistrationGroup). + Resources("validatingadmissionpolicies").RuleOrDie(), + rbacv1helpers.NewRule("get", "patch", "update").Groups(admissionRegistrationGroup). + Resources("validatingadmissionpolicies/status").RuleOrDie(), + eventsRule(), + }, + }) + if utilfeature.DefaultFeatureGate.Enabled(genericfeatures.StorageVersionAPI) && utilfeature.DefaultFeatureGate.Enabled(genericfeatures.APIServerIdentity) { addControllerRole(&controllerRoles, &controllerRoleBindings, rbacv1.ClusterRole{ diff --git a/staging/src/k8s.io/apiserver/pkg/admission/plugin/policy/generic/policy_test_context.go b/staging/src/k8s.io/apiserver/pkg/admission/plugin/policy/generic/policy_test_context.go index 69b19fb2aa6..964f2d904fd 100644 --- a/staging/src/k8s.io/apiserver/pkg/admission/plugin/policy/generic/policy_test_context.go +++ b/staging/src/k8s.io/apiserver/pkg/admission/plugin/policy/generic/policy_test_context.go @@ -45,7 +45,6 @@ import ( "k8s.io/apiserver/pkg/admission" "k8s.io/apiserver/pkg/admission/initializer" "k8s.io/apiserver/pkg/authorization/authorizer" - "k8s.io/apiserver/pkg/features" ) // PolicyTestContext is everything you need to unit test a policy plugin @@ -196,18 +195,6 @@ func NewPolicyTestContext[P, B runtime.Object, E Evaluator]( plugin.SetEnabled(true) featureGate := featuregate.NewFeatureGate() - err = featureGate.Add(map[featuregate.Feature]featuregate.FeatureSpec{ - //!TODO: move this to validating specific tests - features.ValidatingAdmissionPolicy: { - Default: true, PreRelease: featuregate.Beta}}) - if err != nil { - return nil, nil, err - } - err = featureGate.SetFromMap(map[string]bool{string(features.ValidatingAdmissionPolicy): true}) - if err != nil { - return nil, nil, err - } - testContext, testCancel := context.WithCancel(context.Background()) genericInitializer := initializer.New( nativeClient, diff --git a/staging/src/k8s.io/apiserver/pkg/admission/plugin/policy/validating/plugin.go b/staging/src/k8s.io/apiserver/pkg/admission/plugin/policy/validating/plugin.go index 06f4a8c7145..390227d8172 100644 --- a/staging/src/k8s.io/apiserver/pkg/admission/plugin/policy/validating/plugin.go +++ b/staging/src/k8s.io/apiserver/pkg/admission/plugin/policy/validating/plugin.go @@ -127,7 +127,7 @@ func (a *Plugin) Validate(ctx context.Context, attr admission.Attributes, o admi } func (a *Plugin) InspectFeatureGates(featureGates featuregate.FeatureGate) { - a.Plugin.SetEnabled(featureGates.Enabled(features.ValidatingAdmissionPolicy)) + a.Plugin.SetEnabled(true) } func compilePolicy(policy *Policy) Validator { diff --git a/staging/src/k8s.io/apiserver/pkg/features/kube_features.go b/staging/src/k8s.io/apiserver/pkg/features/kube_features.go index ce5b0967ee5..1fd3b8e0003 100644 --- a/staging/src/k8s.io/apiserver/pkg/features/kube_features.go +++ b/staging/src/k8s.io/apiserver/pkg/features/kube_features.go @@ -106,16 +106,6 @@ const ( // Enables concurrent watch object decoding to avoid starving watch cache when conversion webhook is installed. ConcurrentWatchObjectDecode featuregate.Feature = "ConcurrentWatchObjectDecode" - // owner: @cici37 @jpbetz - // kep: http://kep.k8s.io/3488 - // alpha: v1.26 - // beta: v1.28 - // stable: v1.30 - // - // Note: the feature gate can be removed in 1.32 - // Enables expression validation in Admission Control - ValidatingAdmissionPolicy featuregate.Feature = "ValidatingAdmissionPolicy" - // owner: @jefftree // kep: https://kep.k8s.io/4355 // alpha: v1.31 @@ -355,8 +345,6 @@ var defaultKubernetesFeatureGates = map[featuregate.Feature]featuregate.FeatureS ConcurrentWatchObjectDecode: {Default: false, PreRelease: featuregate.Beta}, - ValidatingAdmissionPolicy: {Default: true, PreRelease: featuregate.GA, LockToDefault: true}, // remove in 1.32 - CoordinatedLeaderElection: {Default: false, PreRelease: featuregate.Alpha}, EfficientWatchResumption: {Default: true, PreRelease: featuregate.GA, LockToDefault: true}, diff --git a/test/integration/apiserver/cel/admission_policy_test.go b/test/integration/apiserver/cel/admission_policy_test.go index 8c0570593c0..bca8a9db300 100644 --- a/test/integration/apiserver/cel/admission_policy_test.go +++ b/test/integration/apiserver/cel/admission_policy_test.go @@ -29,10 +29,6 @@ import ( "k8s.io/api/admission/v1beta1" corev1 "k8s.io/api/core/v1" apiextensionsclientset "k8s.io/apiextensions-apiserver/pkg/client/clientset/clientset" - genericfeatures "k8s.io/apiserver/pkg/features" - utilfeature "k8s.io/apiserver/pkg/util/feature" - featuregatetesting "k8s.io/component-base/featuregate/testing" - apiservertesting "k8s.io/kubernetes/cmd/kube-apiserver/app/testing" "k8s.io/kubernetes/pkg/apis/admissionregistration" admissionregistrationv1alpha1apis "k8s.io/kubernetes/pkg/apis/admissionregistration/v1alpha1" @@ -409,8 +405,6 @@ func createV1alpha1ValidatingPolicyAndBinding(client clientset.Interface, conver // This test tries to mirror very closely the same test for webhook admission // test/integration/apiserver/admissionwebhook/admission_test.go testWebhookAdmission func TestPolicyAdmission(t *testing.T) { - featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, genericfeatures.ValidatingAdmissionPolicy, true) - holder := &policyExpectationHolder{ holder: holder{ t: t, diff --git a/test/integration/apiserver/cel/validatingadmissionpolicy_test.go b/test/integration/apiserver/cel/validatingadmissionpolicy_test.go index 2dd810dd9da..95ea25ea6d0 100644 --- a/test/integration/apiserver/cel/validatingadmissionpolicy_test.go +++ b/test/integration/apiserver/cel/validatingadmissionpolicy_test.go @@ -76,7 +76,6 @@ const policyRefreshInterval = 10 * time.Millisecond func Test_ValidateNamespace_NoParams_Success(t *testing.T) { resetPolicyRefreshInterval := generic.SetPolicyRefreshIntervalForTests(policyRefreshInterval) defer resetPolicyRefreshInterval() - featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, genericfeatures.ValidatingAdmissionPolicy, true) server, err := apiservertesting.StartTestServer(t, nil, []string{ "--enable-admission-plugins", "ValidatingAdmissionPolicy", }, framework.SharedEtcd()) @@ -191,7 +190,6 @@ func Test_ValidateNamespace_NoParams_Success(t *testing.T) { func Test_ValidateNamespace_NoParams_Failures(t *testing.T) { resetPolicyRefreshInterval := generic.SetPolicyRefreshIntervalForTests(policyRefreshInterval) defer resetPolicyRefreshInterval() - featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, genericfeatures.ValidatingAdmissionPolicy, true) server, err := apiservertesting.StartTestServer(t, nil, []string{ "--enable-admission-plugins", "ValidatingAdmissionPolicy", }, framework.SharedEtcd()) @@ -437,8 +435,6 @@ func Test_ValidateAnnotationsAndWarnings(t *testing.T) { }, } - featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, genericfeatures.ValidatingAdmissionPolicy, true) - // prepare audit policy file policyFile, err := os.CreateTemp("", "audit-policy.yaml") if err != nil { @@ -524,7 +520,6 @@ func Test_ValidateAnnotationsAndWarnings(t *testing.T) { func Test_ValidateNamespace_WithConfigMapParams(t *testing.T) { resetPolicyRefreshInterval := generic.SetPolicyRefreshIntervalForTests(policyRefreshInterval) defer resetPolicyRefreshInterval() - featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, genericfeatures.ValidatingAdmissionPolicy, true) server, err := apiservertesting.StartTestServer(t, nil, []string{ "--enable-admission-plugins", "ValidatingAdmissionPolicy", }, framework.SharedEtcd()) @@ -597,7 +592,6 @@ func Test_ValidateNamespace_WithConfigMapParams(t *testing.T) { } func TestMultiplePolicyBindings(t *testing.T) { - featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, genericfeatures.ValidatingAdmissionPolicy, true) server, err := apiservertesting.StartTestServer(t, nil, nil, framework.SharedEtcd()) if err != nil { t.Fatal(err) @@ -724,7 +718,6 @@ func TestMultiplePolicyBindings(t *testing.T) { // Test_PolicyExemption tests that ValidatingAdmissionPolicy and ValidatingAdmissionPolicyBinding resources // are exempt from policy rules. func Test_PolicyExemption(t *testing.T) { - featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, genericfeatures.ValidatingAdmissionPolicy, true) server, err := apiservertesting.StartTestServer(t, nil, []string{ "--enable-admission-plugins", "ValidatingAdmissionPolicy", }, framework.SharedEtcd()) @@ -811,7 +804,6 @@ func Test_PolicyExemption(t *testing.T) { // the new ParamKind to be allowed. For example, when Paramkind is v1/ConfigMap, only namespaces prefixed with "configmap" // is allowed and when ParamKind is updated to v1/Secret, only namespaces prefixed with "secret" is allowed, etc. func Test_ValidatingAdmissionPolicy_UpdateParamKind(t *testing.T) { - featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, genericfeatures.ValidatingAdmissionPolicy, true) server, err := apiservertesting.StartTestServer(t, nil, []string{ "--enable-admission-plugins", "ValidatingAdmissionPolicy", }, framework.SharedEtcd()) @@ -952,7 +944,6 @@ func Test_ValidatingAdmissionPolicy_UpdateParamKind(t *testing.T) { // only the ParamRef in the binding is updated. This test creates a policy where namespaces must have a prefix that matches // the ParamRef set in the policy binding. The paramRef in the binding is then updated to a different object. func Test_ValidatingAdmissionPolicy_UpdateParamRef(t *testing.T) { - featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, genericfeatures.ValidatingAdmissionPolicy, true) server, err := apiservertesting.StartTestServer(t, nil, []string{ "--enable-admission-plugins", "ValidatingAdmissionPolicy", }, framework.SharedEtcd()) @@ -1100,7 +1091,6 @@ func Test_ValidatingAdmissionPolicy_UpdateParamRef(t *testing.T) { // Test_ValidatingAdmissionPolicy_UpdateParamResource validates behavior of a policy after updates to the param resource. func Test_ValidatingAdmissionPolicy_UpdateParamResource(t *testing.T) { - featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, genericfeatures.ValidatingAdmissionPolicy, true) server, err := apiservertesting.StartTestServer(t, nil, []string{ "--enable-admission-plugins", "ValidatingAdmissionPolicy", }, framework.SharedEtcd()) @@ -1233,7 +1223,6 @@ func Test_ValidatingAdmissionPolicy_UpdateParamResource(t *testing.T) { } func Test_ValidatingAdmissionPolicy_MatchByObjectSelector(t *testing.T) { - featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, genericfeatures.ValidatingAdmissionPolicy, true) server, err := apiservertesting.StartTestServer(t, nil, []string{ "--enable-admission-plugins", "ValidatingAdmissionPolicy", }, framework.SharedEtcd()) @@ -1301,7 +1290,6 @@ func Test_ValidatingAdmissionPolicy_MatchByObjectSelector(t *testing.T) { } func Test_ValidatingAdmissionPolicy_MatchByNamespaceSelector(t *testing.T) { - featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, genericfeatures.ValidatingAdmissionPolicy, true) server, err := apiservertesting.StartTestServer(t, nil, []string{ "--enable-admission-plugins", "ValidatingAdmissionPolicy", }, framework.SharedEtcd()) @@ -1393,7 +1381,6 @@ func Test_ValidatingAdmissionPolicy_MatchByNamespaceSelector(t *testing.T) { } func Test_ValidatingAdmissionPolicy_MatchByResourceNames(t *testing.T) { - featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, genericfeatures.ValidatingAdmissionPolicy, true) server, err := apiservertesting.StartTestServer(t, nil, []string{ "--enable-admission-plugins", "ValidatingAdmissionPolicy", }, framework.SharedEtcd()) @@ -1452,7 +1439,6 @@ func Test_ValidatingAdmissionPolicy_MatchByResourceNames(t *testing.T) { } func Test_ValidatingAdmissionPolicy_MatchWithExcludeResources(t *testing.T) { - featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, genericfeatures.ValidatingAdmissionPolicy, true) server, err := apiservertesting.StartTestServer(t, nil, []string{ "--enable-admission-plugins", "ValidatingAdmissionPolicy", }, framework.SharedEtcd()) @@ -1524,7 +1510,6 @@ func Test_ValidatingAdmissionPolicy_MatchWithExcludeResources(t *testing.T) { } func Test_ValidatingAdmissionPolicy_MatchWithMatchPolicyEquivalent(t *testing.T) { - featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, genericfeatures.ValidatingAdmissionPolicy, true) server, err := apiservertesting.StartTestServer(t, nil, []string{ "--enable-admission-plugins", "ValidatingAdmissionPolicy", }, framework.SharedEtcd()) @@ -1616,7 +1601,6 @@ func Test_ValidatingAdmissionPolicy_MatchWithMatchPolicyEquivalent(t *testing.T) } func Test_ValidatingAdmissionPolicy_MatchWithMatchPolicyExact(t *testing.T) { - featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, genericfeatures.ValidatingAdmissionPolicy, true) server, err := apiservertesting.StartTestServer(t, nil, []string{ "--enable-admission-plugins", "ValidatingAdmissionPolicy", }, framework.SharedEtcd()) @@ -1711,7 +1695,6 @@ func Test_ValidatingAdmissionPolicy_MatchWithMatchPolicyExact(t *testing.T) { } func Test_ValidatingAdmissionPolicy_MatchExcludedResource(t *testing.T) { - featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, genericfeatures.ValidatingAdmissionPolicy, true) server, err := apiservertesting.StartTestServer(t, nil, []string{ "--enable-admission-plugins", "ValidatingAdmissionPolicy", }, framework.SharedEtcd()) @@ -1778,7 +1761,6 @@ func Test_ValidatingAdmissionPolicy_MatchExcludedResource(t *testing.T) { // Test_ValidatingAdmissionPolicy_PolicyDeletedThenRecreated validates that deleting a ValidatingAdmissionPolicy // removes the policy from the apiserver admission chain and recreating it re-enables it. func Test_ValidatingAdmissionPolicy_PolicyDeletedThenRecreated(t *testing.T) { - featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, genericfeatures.ValidatingAdmissionPolicy, true) server, err := apiservertesting.StartTestServer(t, nil, []string{ "--enable-admission-plugins", "ValidatingAdmissionPolicy", }, framework.SharedEtcd()) @@ -1896,7 +1878,6 @@ func Test_ValidatingAdmissionPolicy_PolicyDeletedThenRecreated(t *testing.T) { // Test_ValidatingAdmissionPolicy_BindingDeletedThenRecreated validates that deleting a ValidatingAdmissionPolicyBinding // removes the policy from the apiserver admission chain and recreating it re-enables it. func Test_ValidatingAdmissionPolicy_BindingDeletedThenRecreated(t *testing.T) { - featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, genericfeatures.ValidatingAdmissionPolicy, true) server, err := apiservertesting.StartTestServer(t, nil, []string{ "--enable-admission-plugins", "ValidatingAdmissionPolicy", }, framework.SharedEtcd()) @@ -2015,7 +1996,6 @@ func Test_ValidatingAdmissionPolicy_BindingDeletedThenRecreated(t *testing.T) { // Test_ValidatingAdmissionPolicy_ParamResourceDeletedThenRecreated validates that deleting a param resource referenced // by a binding renders the policy as invalid. Recreating the param resource re-enables the policy. func Test_ValidatingAdmissionPolicy_ParamResourceDeletedThenRecreated(t *testing.T) { - featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, genericfeatures.ValidatingAdmissionPolicy, true) server, err := apiservertesting.StartTestServer(t, nil, []string{ "--enable-admission-plugins", "ValidatingAdmissionPolicy", }, framework.SharedEtcd()) @@ -2352,7 +2332,6 @@ func generateValidationsWithAuthzCheck(num int, exp string) []admissionregistrat func TestCRDParams(t *testing.T) { resetPolicyRefreshInterval := generic.SetPolicyRefreshIntervalForTests(policyRefreshInterval) defer resetPolicyRefreshInterval() - featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, genericfeatures.ValidatingAdmissionPolicy, true) server, err := apiservertesting.StartTestServer(t, nil, []string{ "--enable-admission-plugins", "ValidatingAdmissionPolicy", }, framework.SharedEtcd()) @@ -2459,7 +2438,6 @@ func TestCRDParams(t *testing.T) { } func TestBindingRemoval(t *testing.T) { - featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, genericfeatures.ValidatingAdmissionPolicy, true) server, err := apiservertesting.StartTestServer(t, nil, []string{ "--enable-admission-plugins", "ValidatingAdmissionPolicy", }, framework.SharedEtcd()) @@ -2555,7 +2533,6 @@ func TestBindingRemoval(t *testing.T) { func Test_ValidateSecondaryAuthorization(t *testing.T) { resetPolicyRefreshInterval := generic.SetPolicyRefreshIntervalForTests(policyRefreshInterval) defer resetPolicyRefreshInterval() - featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, genericfeatures.ValidatingAdmissionPolicy, true) server, err := apiservertesting.StartTestServer(t, nil, []string{ "--enable-admission-plugins", "ValidatingAdmissionPolicy", "--authorization-mode=RBAC", @@ -2687,7 +2664,6 @@ func Test_ValidateSecondaryAuthorization(t *testing.T) { } func TestCRDsOnStartup(t *testing.T) { - featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, genericfeatures.ValidatingAdmissionPolicy, true) testContext, testCancel := context.WithCancel(context.Background()) defer testCancel() @@ -2837,7 +2813,6 @@ func TestAuthorizationDecisionCaching(t *testing.T) { defer resetPolicyRefreshInterval() ctx, cancel := context.WithCancel(context.TODO()) defer cancel() - featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, genericfeatures.ValidatingAdmissionPolicy, true) var nChecks int webhook := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { var review authorizationv1.SubjectAccessReview