From 400f52d4919d7fb6e7f54e24b20199fc2a9214dc Mon Sep 17 00:00:00 2001
From: Nikhil Sharma <nikhilsharma230303@gmail.com>
Date: Tue, 21 Jun 2022 11:36:14 +0530
Subject: [PATCH] added ratcheting validation for embedded resource and
 x-kubernetes-list-type validation

Signed-off-by: Paco Xu <paco.xu@daocloud.io>
---
 .../pkg/registry/customresource/status_strategy.go          | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/staging/src/k8s.io/apiextensions-apiserver/pkg/registry/customresource/status_strategy.go b/staging/src/k8s.io/apiextensions-apiserver/pkg/registry/customresource/status_strategy.go
index 074c4b73c96..042d972122c 100644
--- a/staging/src/k8s.io/apiextensions-apiserver/pkg/registry/customresource/status_strategy.go
+++ b/staging/src/k8s.io/apiextensions-apiserver/pkg/registry/customresource/status_strategy.go
@@ -22,6 +22,7 @@ import (
 	"sigs.k8s.io/structured-merge-diff/v4/fieldpath"
 
 	"k8s.io/apiextensions-apiserver/pkg/apiserver/schema/cel"
+	structurallisttype "k8s.io/apiextensions-apiserver/pkg/apiserver/schema/listtype"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/util/validation/field"
@@ -97,6 +98,11 @@ func (a statusStrategy) ValidateUpdate(ctx context.Context, obj, old runtime.Obj
 
 	v := obj.GetObjectKind().GroupVersionKind().Version
 
+	// ratcheting validation of x-kubernetes-list-type value map and set
+	if oldErrs := structurallisttype.ValidateListSetsAndMaps(nil, a.structuralSchemas[v], uOld.Object); len(oldErrs) == 0 {
+		errs = append(errs, structurallisttype.ValidateListSetsAndMaps(nil, a.structuralSchemas[v], uNew.Object)...)
+	}
+
 	// validate x-kubernetes-validations rules
 	if celValidator, ok := a.customResourceStrategy.celValidators[v]; ok {
 		if has, err := hasBlockingErr(errs); has {