Merge pull request #116397 from jiahuif-forks/feature/validating-admission-policy/message-expression

MessageExpression for ValidatingAdmissionPolicy

api/openapi-spec/swagger.json

@@ -675,6 +675,10 @@
           "description": "Message represents the message displayed when validation fails. The message is required if the Expression contains line breaks. The message must not contain line breaks. If unset, the message is \"failed rule: {Rule}\". e.g. \"must be a URL with the host matching spec.host\" If the Expression contains line breaks. Message is required. The message must not contain line breaks. If unset, the message is \"failed Expression: {Expression}\".",
           "type": "string"
         },
+        "messageExpression": {
+          "description": "messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails. Since messageExpression is used as a failure message, it must evaluate to a string. If both message and messageExpression are present on a validation, then messageExpression will be used if validation fails. If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced as if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged. messageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'. Example: \"object.x must be less than max (\"+string(params.max)+\")\"",
+          "type": "string"
+        },
         "reason": {
           "description": "Reason represents a machine-readable description of why this validation failed. If this is the first validation in the list to fail, this reason, as well as the corresponding HTTP response code, are used in the HTTP response to the client. The currently supported reasons are: \"Unauthorized\", \"Forbidden\", \"Invalid\", \"RequestEntityTooLarge\". If not set, StatusReasonInvalid is used in the response to the client.",
           "type": "string"

api/openapi-spec/v3/apis__admissionregistration.k8s.io__v1alpha1_openapi.json

@@ -421,6 +421,10 @@
             "description": "Message represents the message displayed when validation fails. The message is required if the Expression contains line breaks. The message must not contain line breaks. If unset, the message is \"failed rule: {Rule}\". e.g. \"must be a URL with the host matching spec.host\" If the Expression contains line breaks. Message is required. The message must not contain line breaks. If unset, the message is \"failed Expression: {Expression}\".",
             "type": "string"
           },
+          "messageExpression": {
+            "description": "messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails. Since messageExpression is used as a failure message, it must evaluate to a string. If both message and messageExpression are present on a validation, then messageExpression will be used if validation fails. If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced as if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged. messageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'. Example: \"object.x must be less than max (\"+string(params.max)+\")\"",
+            "type": "string"
+          },
           "reason": {
             "description": "Reason represents a machine-readable description of why this validation failed. If this is the first validation in the list to fail, this reason, as well as the corresponding HTTP response code, are used in the HTTP response to the client. The currently supported reasons are: \"Unauthorized\", \"Forbidden\", \"Invalid\", \"RequestEntityTooLarge\". If not set, StatusReasonInvalid is used in the response to the client.",
             "type": "string"

pkg/apis/admissionregistration/types.go

@@ -256,6 +256,18 @@ type Validation struct {
 	// If not set, StatusReasonInvalid is used in the response to the client.
 	// +optional
 	Reason *metav1.StatusReason
+	// messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails.
+	// Since messageExpression is used as a failure message, it must evaluate to a string.
+	// If both message and messageExpression are present on a validation, then messageExpression will be used if validation fails.
+	// If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced
+	// as if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string
+	// that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and
+	// the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged.
+	// messageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'.
+	// Example:
+	// "object.x must be less than max ("+string(params.max)+")"
+	// +optional
+	MessageExpression string
 }
 
 // AuditAnnotation describes how to produce an audit annotation for an API request.

pkg/apis/admissionregistration/v1alpha1/zz_generated.conversion.go

@@ -548,6 +548,7 @@ func autoConvert_v1alpha1_Validation_To_admissionregistration_Validation(in *v1a
 	out.Expression = in.Expression
 	out.Message = in.Message
 	out.Reason = (*v1.StatusReason)(unsafe.Pointer(in.Reason))
+	out.MessageExpression = in.MessageExpression
 	return nil
 }
 
@@ -560,6 +561,7 @@ func autoConvert_admissionregistration_Validation_To_v1alpha1_Validation(in *adm
 	out.Expression = in.Expression
 	out.Message = in.Message
 	out.Reason = (*v1.StatusReason)(unsafe.Pointer(in.Reason))
+	out.MessageExpression = in.MessageExpression
 	return nil
 }
 

pkg/apis/admissionregistration/validation/validation.go

@@ -782,26 +782,24 @@ func validateValidation(v *admissionregistration.Validation, paramKind *admissio
 	var allErrors field.ErrorList
 	trimmedExpression := strings.TrimSpace(v.Expression)
 	trimmedMsg := strings.TrimSpace(v.Message)
+	trimmedMessageExpression := strings.TrimSpace(v.MessageExpression)
 	if len(trimmedExpression) == 0 {
 		allErrors = append(allErrors, field.Required(fldPath.Child("expression"), "expression is not specified"))
 	} else {
-		result := plugincel.CompileCELExpression(&validatingadmissionpolicy.ValidationCondition{
+		allErrors = append(allErrors, validateCELExpression(v.Expression, plugincel.OptionalVariableDeclarations{
-			Expression: trimmedExpression,
+			HasParams:     paramKind != nil,
-			Message:    v.Message,
+			HasAuthorizer: true,
-			Reason:     v.Reason,
+		}, fldPath.Child("expression"))...)
-		}, plugincel.OptionalVariableDeclarations{HasParams: paramKind != nil, HasAuthorizer: true}, celconfig.PerCallLimit)
-		if result.Error != nil {
-			switch result.Error.Type {
-			case cel.ErrorTypeRequired:
-				allErrors = append(allErrors, field.Required(fldPath.Child("expression"), result.Error.Detail))
-			case cel.ErrorTypeInvalid:
-				allErrors = append(allErrors, field.Invalid(fldPath.Child("expression"), v.Expression, result.Error.Detail))
-			case cel.ErrorTypeInternal:
-				allErrors = append(allErrors, field.InternalError(fldPath.Child("expression"), result.Error))
-			default:
-				allErrors = append(allErrors, field.InternalError(fldPath.Child("expression"), fmt.Errorf("unsupported error type: %w", result.Error)))
-			}
 	}
+	if len(v.MessageExpression) > 0 && len(trimmedMessageExpression) == 0 {
+		allErrors = append(allErrors, field.Invalid(fldPath.Child("messageExpression"), v.MessageExpression, "must be non-empty if specified"))
+	} else if len(trimmedMessageExpression) != 0 {
+		// use v.MessageExpression instead of trimmedMessageExpression so that
+		// the compiler output shows the correct column.
+		allErrors = append(allErrors, validateCELExpression(v.MessageExpression, plugincel.OptionalVariableDeclarations{
+			HasParams:     paramKind != nil,
+			HasAuthorizer: false,
+		}, fldPath.Child("messageExpression"))...)
 	}
 	if len(v.Message) > 0 && len(trimmedMsg) == 0 {
 		allErrors = append(allErrors, field.Invalid(fldPath.Child("message"), v.Message, "message must be non-empty if specified"))
@@ -816,6 +814,26 @@ func validateValidation(v *admissionregistration.Validation, paramKind *admissio
 	return allErrors
 }
 
+func validateCELExpression(expression string, variables plugincel.OptionalVariableDeclarations, fldPath *field.Path) field.ErrorList {
+	var allErrors field.ErrorList
+	result := plugincel.CompileCELExpression(&validatingadmissionpolicy.ValidationCondition{
+		Expression: expression,
+	}, variables, celconfig.PerCallLimit)
+	if result.Error != nil {
+		switch result.Error.Type {
+		case cel.ErrorTypeRequired:
+			allErrors = append(allErrors, field.Required(fldPath, result.Error.Detail))
+		case cel.ErrorTypeInvalid:
+			allErrors = append(allErrors, field.Invalid(fldPath, expression, result.Error.Detail))
+		case cel.ErrorTypeInternal:
+			allErrors = append(allErrors, field.InternalError(fldPath, result.Error))
+		default:
+			allErrors = append(allErrors, field.InternalError(fldPath, fmt.Errorf("unsupported error type: %w", result.Error)))
+		}
+	}
+	return allErrors
+}
+
 func validateAuditAnnotation(meta metav1.ObjectMeta, v *admissionregistration.AuditAnnotation, paramKind *admissionregistration.ParamKind, fldPath *field.Path) field.ErrorList {
 	var allErrors field.ErrorList
 	if len(meta.GetName()) != 0 {

pkg/apis/admissionregistration/validation/validation_test.go

@@ -2564,7 +2564,38 @@ func TestValidateValidatingAdmissionPolicy(t *testing.T) {
 					},
 				},
 			},
-			expectedError: `spec.validations[0].expression: Invalid value: "object.x in [1, 2, ": compilation failed: ERROR: <input>:1:19: Syntax error: missing ']' at '<EOF>`,
+			expectedError: `spec.validations[0].expression: Invalid value: "object.x in [1, 2, ": compilation failed: ERROR: <input>:1:20: Syntax error: missing ']' at '<EOF>`,
+		},
+		{
+			name: "invalid messageExpression",
+			config: &admissionregistration.ValidatingAdmissionPolicy{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "config",
+				},
+				Spec: admissionregistration.ValidatingAdmissionPolicySpec{
+					Validations: []admissionregistration.Validation{
+						{
+							Expression:        "true",
+							MessageExpression: "object.x in [1, 2, ",
+						},
+					},
+					MatchConstraints: &admissionregistration.MatchResources{
+						ResourceRules: []admissionregistration.NamedRuleWithOperations{
+							{
+								RuleWithOperations: admissionregistration.RuleWithOperations{
+									Operations: []admissionregistration.OperationType{"CREATE"},
+									Rule: admissionregistration.Rule{
+										APIGroups:   []string{"a"},
+										APIVersions: []string{"a"},
+										Resources:   []string{"*/*"},
+									},
+								},
+							},
+						},
+					},
+				},
+			},
+			expectedError: `spec.validations[0].messageExpression: Invalid value: "object.x in [1, 2, ": compilation failed: ERROR: <input>:1:20: Syntax error: missing ']' at '<EOF>`,
 		},
 		{
 			name: "invalid auditAnnotations key due to key name",

pkg/generated/openapi/zz_generated.openapi.go

@@ -2498,6 +2498,13 @@ func schema_k8sio_api_admissionregistration_v1alpha1_Validation(ref common.Refer
 							Format:      "",
 						},
 					},
+					"messageExpression": {
+						SchemaProps: spec.SchemaProps{
+							Description: "messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails. Since messageExpression is used as a failure message, it must evaluate to a string. If both message and messageExpression are present on a validation, then messageExpression will be used if validation fails. If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced as if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged. messageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'. Example: \"object.x must be less than max (\"+string(params.max)+\")\"",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
 				},
 				Required: []string{"expression"},
 			},

staging/src/k8s.io/api/admissionregistration/v1alpha1/generated.pb.go

@@ -401,80 +401,81 @@ func init() {
 }
 
 var fileDescriptor_c3be8d256e3ae3cf = []byte{
-	// 1159 bytes of a gzipped FileDescriptorProto
+	// 1177 bytes of a gzipped FileDescriptorProto
 	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xbc, 0x57, 0x4d, 0x6f, 0x1b, 0x45,
-	0x18, 0xce, 0xd6, 0x6e, 0x1b, 0x8f, 0x9b, 0xc4, 0x1e, 0x5a, 0xd5, 0x44, 0xd4, 0x8e, 0xac, 0x0a,
+	0x18, 0xce, 0xd6, 0x6e, 0x1b, 0x8f, 0x9b, 0xc4, 0x1e, 0x52, 0xd5, 0x8d, 0xa8, 0x1d, 0x59, 0x15,
-	0x25, 0x07, 0x76, 0x49, 0x5a, 0x28, 0x70, 0x41, 0x5e, 0x5a, 0x44, 0x95, 0xa4, 0x89, 0x26, 0x28,
+	0x4a, 0x0e, 0xec, 0x92, 0xb4, 0x50, 0xe0, 0x82, 0xbc, 0xb4, 0x40, 0x95, 0xb8, 0x89, 0x26, 0x28,
 	0x91, 0x10, 0x95, 0x98, 0xac, 0x27, 0xf6, 0xd4, 0xde, 0x0f, 0x76, 0x66, 0xa3, 0x44, 0x1c, 0xa8,
-	0xc4, 0x89, 0x1b, 0x07, 0x7e, 0x0b, 0x47, 0xce, 0x39, 0xf6, 0x18, 0x2e, 0x16, 0x59, 0x2e, 0xf0,
+	0xc4, 0x89, 0x1b, 0x07, 0x7e, 0x0f, 0xe7, 0x1c, 0x7b, 0x0c, 0x17, 0x8b, 0x98, 0x0b, 0xfc, 0x01,
-	0x07, 0x40, 0xca, 0x09, 0xcd, 0xec, 0xac, 0xf7, 0xc3, 0x36, 0x71, 0x4a, 0xd4, 0x9b, 0xf7, 0xfd,
+	0x90, 0x72, 0x01, 0xcd, 0xec, 0xac, 0xf7, 0xc3, 0x36, 0x71, 0x4a, 0xd4, 0x9b, 0xf7, 0xfd, 0x78,
-	0x78, 0x9e, 0x79, 0xde, 0x79, 0xdf, 0x99, 0x31, 0x40, 0xbd, 0x8f, 0x98, 0x4e, 0x5d, 0xa3, 0x17,
+	0x9e, 0x79, 0xde, 0x79, 0xdf, 0x99, 0x31, 0x40, 0xdd, 0x0f, 0x99, 0x4e, 0x5d, 0xa3, 0x1b, 0xec,
-	0xec, 0x13, 0xdf, 0x21, 0x9c, 0x30, 0xe3, 0x90, 0x38, 0x6d, 0xd7, 0x37, 0x94, 0x03, 0x7b, 0xd4,
+	0x13, 0xdf, 0x21, 0x9c, 0x30, 0xe3, 0x90, 0x38, 0x2d, 0xd7, 0x37, 0x94, 0x03, 0x7b, 0xd4, 0xc0,
-	0xc0, 0x6d, 0x9b, 0x32, 0x46, 0x5d, 0xc7, 0x27, 0x1d, 0xca, 0xb8, 0x8f, 0x39, 0x75, 0x1d, 0xe3,
+	0x2d, 0x9b, 0x32, 0x46, 0x5d, 0xc7, 0x27, 0x6d, 0xca, 0xb8, 0x8f, 0x39, 0x75, 0x1d, 0xe3, 0x70,
-	0x70, 0x15, 0xf7, 0xbd, 0x2e, 0x5e, 0x35, 0x3a, 0xc4, 0x21, 0x3e, 0xe6, 0xa4, 0xad, 0x7b, 0xbe,
+	0x0d, 0xf7, 0xbc, 0x0e, 0x5e, 0x33, 0xda, 0xc4, 0x21, 0x3e, 0xe6, 0xa4, 0xa5, 0x7b, 0xbe, 0xcb,
-	0xcb, 0x5d, 0xb8, 0x12, 0xa5, 0xea, 0xd8, 0xa3, 0xfa, 0xd8, 0x54, 0x3d, 0x4e, 0x5d, 0x7c, 0xaf,
+	0x5d, 0xb8, 0x1a, 0xa6, 0xea, 0xd8, 0xa3, 0xfa, 0xd8, 0x54, 0x3d, 0x4a, 0x5d, 0x7a, 0xb7, 0x4d,
-	0x43, 0x79, 0x37, 0xd8, 0xd7, 0x2d, 0xd7, 0x36, 0x3a, 0x6e, 0xc7, 0x35, 0x24, 0xc2, 0x7e, 0x70,
+	0x79, 0x27, 0xd8, 0xd7, 0x2d, 0xd7, 0x36, 0xda, 0x6e, 0xdb, 0x35, 0x24, 0xc2, 0x7e, 0x70, 0x20,
-	0x20, 0xbf, 0xe4, 0x87, 0xfc, 0x15, 0x21, 0x2f, 0x3e, 0x98, 0x62, 0x51, 0xf9, 0xe5, 0x2c, 0x3e,
+	0xbf, 0xe4, 0x87, 0xfc, 0x15, 0x22, 0x2f, 0x3d, 0x98, 0x62, 0x51, 0xd9, 0xe5, 0x2c, 0x3d, 0x8c,
-	0x4c, 0x92, 0x6c, 0x6c, 0x75, 0xa9, 0x43, 0xfc, 0x63, 0xc3, 0xeb, 0x75, 0x84, 0x81, 0x19, 0x36,
+	0x93, 0x6c, 0x6c, 0x75, 0xa8, 0x43, 0xfc, 0x63, 0xc3, 0xeb, 0xb6, 0x85, 0x81, 0x19, 0x36, 0xe1,
-	0xe1, 0x78, 0x5c, 0x96, 0x31, 0x29, 0xcb, 0x0f, 0x1c, 0x4e, 0x6d, 0x32, 0x92, 0xf0, 0xe1, 0x45,
+	0x78, 0x5c, 0x96, 0x31, 0x29, 0xcb, 0x0f, 0x1c, 0x4e, 0x6d, 0x32, 0x92, 0xf0, 0xc1, 0x45, 0x09,
-	0x09, 0xcc, 0xea, 0x12, 0x1b, 0xe7, 0xf3, 0x9a, 0x0c, 0x2c, 0xb4, 0x82, 0x36, 0xe5, 0x2d, 0xc7,
+	0xcc, 0xea, 0x10, 0x1b, 0x67, 0xf3, 0xea, 0x0c, 0x2c, 0x34, 0x82, 0x16, 0xe5, 0x0d, 0xc7, 0x71,
-	0x71, 0xb9, 0x14, 0x01, 0xef, 0x81, 0x42, 0x8f, 0x1c, 0xd7, 0xb4, 0x25, 0x6d, 0xb9, 0x64, 0x96,
+	0xb9, 0x14, 0x01, 0xef, 0x81, 0x5c, 0x97, 0x1c, 0x57, 0xb4, 0x65, 0x6d, 0xa5, 0x60, 0x16, 0x4f,
-	0x4f, 0x06, 0x8d, 0x99, 0x70, 0xd0, 0x28, 0xac, 0x93, 0x63, 0x24, 0xec, 0xb0, 0x05, 0x16, 0x0e,
+	0xfa, 0xb5, 0x99, 0x41, 0xbf, 0x96, 0xdb, 0x20, 0xc7, 0x48, 0xd8, 0x61, 0x03, 0x2c, 0x1c, 0xe2,
-	0x71, 0x3f, 0x20, 0x4f, 0x8e, 0x3c, 0x9f, 0xc8, 0x12, 0xd4, 0xae, 0xc9, 0xd0, 0xbb, 0x2a, 0x74,
+	0x5e, 0x40, 0x9e, 0x1c, 0x79, 0x3e, 0x91, 0x25, 0xa8, 0x5c, 0x93, 0xa1, 0x77, 0x54, 0xe8, 0xc2,
-	0x61, 0x37, 0xeb, 0x46, 0xf9, 0xf8, 0xe6, 0x6f, 0x45, 0x30, 0xbf, 0x89, 0xb9, 0xd5, 0x45, 0x84,
+	0x6e, 0xda, 0x8d, 0xb2, 0xf1, 0xf5, 0x5f, 0xf3, 0x60, 0xbe, 0x89, 0xb9, 0xd5, 0x41, 0x84, 0xb9,
-	0xb9, 0x81, 0x6f, 0x11, 0x06, 0x8f, 0x40, 0xd5, 0xc1, 0x36, 0x61, 0x1e, 0xb6, 0xc8, 0x0e, 0xe9,
+	0x81, 0x6f, 0x11, 0x06, 0x8f, 0x40, 0xd9, 0xc1, 0x36, 0x61, 0x1e, 0xb6, 0xc8, 0x0e, 0xe9, 0x11,
-	0x13, 0x8b, 0xbb, 0xbe, 0x5c, 0x42, 0x79, 0xed, 0x81, 0x9e, 0xec, 0xe8, 0x50, 0x9b, 0xee, 0xf5,
+	0x8b, 0xbb, 0xbe, 0x5c, 0x42, 0x71, 0xfd, 0x81, 0x1e, 0xef, 0xe8, 0x50, 0x9b, 0xee, 0x75, 0xdb,
-	0x3a, 0xc2, 0xc0, 0x74, 0x51, 0x42, 0xfd, 0x70, 0x55, 0xdf, 0xc0, 0xfb, 0xa4, 0x1f, 0xa7, 0x9a,
+	0xc2, 0xc0, 0x74, 0x51, 0x42, 0xfd, 0x70, 0x4d, 0xdf, 0xc4, 0xfb, 0xa4, 0x17, 0xa5, 0x9a, 0xb7,
-	0x77, 0xc2, 0x41, 0xa3, 0xfa, 0x2c, 0x8f, 0x88, 0x46, 0x49, 0xa0, 0x0b, 0xe6, 0xdd, 0xfd, 0x17,
+	0x07, 0xfd, 0x5a, 0xf9, 0x59, 0x16, 0x11, 0x8d, 0x92, 0x40, 0x17, 0xcc, 0xbb, 0xfb, 0x2f, 0x88,
-	0xc4, 0xe2, 0x43, 0xda, 0x6b, 0xaf, 0x4f, 0x0b, 0xc3, 0x41, 0x63, 0x7e, 0x2b, 0x03, 0x87, 0x72,
+	0xc5, 0x87, 0xb4, 0xd7, 0x5e, 0x9f, 0x16, 0x0e, 0xfa, 0xb5, 0xf9, 0xad, 0x14, 0x1c, 0xca, 0xc0,
-	0xf0, 0xf0, 0x7b, 0x30, 0xe7, 0x2b, 0xdd, 0x28, 0xe8, 0x13, 0x56, 0x2b, 0x2c, 0x15, 0x96, 0xcb,
+	0xc3, 0xef, 0xc1, 0x9c, 0xaf, 0x74, 0xa3, 0xa0, 0x47, 0x58, 0x25, 0xb7, 0x9c, 0x5b, 0x29, 0xae,
-	0x6b, 0xa6, 0x3e, 0x75, 0xe3, 0xea, 0x42, 0x58, 0x5b, 0x24, 0xef, 0x51, 0xde, 0xdd, 0xf2, 0x48,
+	0x9b, 0xfa, 0xd4, 0x8d, 0xab, 0x0b, 0x61, 0x2d, 0x91, 0xbc, 0x47, 0x79, 0x67, 0xcb, 0x23, 0xa1,
-	0xe4, 0x67, 0xe6, 0x1d, 0xb5, 0x05, 0x73, 0x28, 0x4d, 0x80, 0xb2, 0x7c, 0xf0, 0x67, 0x0d, 0xdc,
+	0x9f, 0x99, 0xb7, 0xd5, 0x16, 0xcc, 0xa1, 0x24, 0x01, 0x4a, 0xf3, 0xc1, 0x9f, 0x35, 0xb0, 0x48,
-	0x26, 0x47, 0x56, 0x3f, 0x68, 0x93, 0x4c, 0x5c, 0xad, 0x78, 0x65, 0x0b, 0x79, 0x47, 0x2d, 0xe4,
+	0x8e, 0xac, 0x5e, 0xd0, 0x22, 0xa9, 0xb8, 0x4a, 0xfe, 0xca, 0x16, 0xf2, 0xb6, 0x5a, 0xc8, 0xe2,
-	0xf6, 0x93, 0x31, 0x3c, 0x68, 0x2c, 0x3b, 0x7c, 0x0c, 0xca, 0xb6, 0x68, 0x8a, 0x6d, 0xb7, 0x4f,
+	0x93, 0x31, 0x3c, 0x68, 0x2c, 0x3b, 0x7c, 0x0c, 0x8a, 0xb6, 0x68, 0x8a, 0x6d, 0xb7, 0x47, 0xad,
-	0xad, 0xe3, 0xda, 0x4d, 0xd9, 0x54, 0xcd, 0x70, 0xd0, 0x28, 0x6f, 0x26, 0xe6, 0xf3, 0x41, 0x63,
+	0xe3, 0xca, 0x4d, 0xd9, 0x54, 0xf5, 0x41, 0xbf, 0x56, 0x6c, 0xc6, 0xe6, 0xf3, 0x7e, 0x6d, 0x21,
-	0x21, 0xf5, 0xf9, 0xe5, 0xb1, 0x47, 0x50, 0x3a, 0xad, 0x79, 0xaa, 0x81, 0xbb, 0x13, 0x56, 0x05,
+	0xf1, 0xf9, 0xe5, 0xb1, 0x47, 0x50, 0x32, 0xad, 0x7e, 0xaa, 0x81, 0x3b, 0x13, 0x56, 0x05, 0x1f,
-	0x1f, 0x25, 0x95, 0x97, 0xad, 0x51, 0xd3, 0x96, 0x0a, 0xcb, 0x25, 0xb3, 0x9a, 0xae, 0x98, 0x74,
+	0xc5, 0x95, 0x97, 0xad, 0x51, 0xd1, 0x96, 0x73, 0x2b, 0x05, 0xb3, 0x9c, 0xac, 0x98, 0x74, 0xa0,
-	0xa0, 0x6c, 0x1c, 0xfc, 0x41, 0x03, 0xd0, 0x1f, 0xc1, 0x53, 0x8d, 0xf2, 0x68, 0x9a, 0x7a, 0xe9,
+	0x74, 0x1c, 0xfc, 0x41, 0x03, 0xd0, 0x1f, 0xc1, 0x53, 0x8d, 0xf2, 0x68, 0x9a, 0x7a, 0xe9, 0x63,
-	0x63, 0x8a, 0xb4, 0xa8, 0x8a, 0x04, 0x47, 0x7d, 0x68, 0x0c, 0x5d, 0x13, 0x83, 0xd2, 0x36, 0xf6,
+	0x8a, 0xb4, 0xa4, 0x8a, 0x04, 0x47, 0x7d, 0x68, 0x0c, 0x5d, 0x1d, 0x83, 0xc2, 0x36, 0xf6, 0xb1,
-	0xb1, 0xbd, 0x4e, 0x9d, 0x36, 0x5c, 0x03, 0x00, 0x7b, 0x74, 0x97, 0xf8, 0x72, 0x02, 0xa3, 0x61,
+	0xbd, 0x41, 0x9d, 0x16, 0x5c, 0x07, 0x00, 0x7b, 0x74, 0x97, 0xf8, 0x72, 0x02, 0xc3, 0x61, 0x85,
-	0x85, 0x0a, 0x10, 0xb4, 0xb6, 0x9f, 0x2a, 0x0f, 0x4a, 0x45, 0xc1, 0x25, 0x50, 0xec, 0x51, 0xa7,
+	0x0a, 0x10, 0x34, 0xb6, 0x9f, 0x2a, 0x0f, 0x4a, 0x44, 0xc1, 0x65, 0x90, 0xef, 0x52, 0xa7, 0xa5,
-	0xad, 0xe6, 0xf5, 0x96, 0x8a, 0x2e, 0x0a, 0x3c, 0x24, 0x3d, 0xcd, 0xe7, 0x60, 0x56, 0x52, 0x20,
+	0xe6, 0xf5, 0x96, 0x8a, 0xce, 0x0b, 0x3c, 0x24, 0x3d, 0xf5, 0xe7, 0x60, 0x56, 0x52, 0x20, 0x72,
-	0x72, 0x20, 0xa2, 0xc5, 0xb4, 0x28, 0xec, 0x61, 0xb4, 0xa8, 0x08, 0x92, 0x1e, 0x68, 0x80, 0xd2,
+	0x20, 0xa2, 0xc5, 0xb4, 0x28, 0xec, 0x61, 0xb4, 0xa8, 0x08, 0x92, 0x1e, 0x68, 0x80, 0xc2, 0x70,
-	0x70, 0x9e, 0x14, 0x68, 0x55, 0x85, 0x95, 0x86, 0xb3, 0x87, 0x92, 0x98, 0xe6, 0x5f, 0x1a, 0x78,
+	0x9e, 0x14, 0x68, 0x59, 0x85, 0x15, 0x86, 0xb3, 0x87, 0xe2, 0x98, 0xfa, 0x9f, 0x1a, 0xb8, 0xbb,
-	0x7b, 0x17, 0xf7, 0x69, 0x1b, 0x73, 0xea, 0x74, 0x5a, 0x71, 0xad, 0xa2, 0xad, 0x83, 0xdf, 0x80,
+	0x8b, 0x7b, 0xb4, 0x85, 0x39, 0x75, 0xda, 0x8d, 0xa8, 0x56, 0xe1, 0xd6, 0xc1, 0x6f, 0xc0, 0xac,
-	0x59, 0x31, 0x55, 0x6d, 0xcc, 0xb1, 0x1a, 0xfd, 0xf7, 0xa7, 0x9b, 0xc1, 0x68, 0xe0, 0x36, 0x09,
+	0x98, 0xaa, 0x16, 0xe6, 0x58, 0x8d, 0xfe, 0x7b, 0xd3, 0xcd, 0x60, 0x38, 0x70, 0x4d, 0xc2, 0x71,
-	0xc7, 0x49, 0x09, 0x12, 0x1b, 0x1a, 0xa2, 0xc2, 0x17, 0xa0, 0xc8, 0x3c, 0x62, 0xa9, 0x8d, 0xfb,
+	0x5c, 0x82, 0xd8, 0x86, 0x86, 0xa8, 0xf0, 0x05, 0xc8, 0x33, 0x8f, 0x58, 0x6a, 0xe3, 0xbe, 0xb8,
-	0xe2, 0x12, 0x8d, 0x3e, 0x71, 0xd5, 0x3b, 0x1e, 0xb1, 0x92, 0xe2, 0x88, 0x2f, 0x24, 0x39, 0x9a,
+	0x44, 0xa3, 0x4f, 0x5c, 0xf5, 0x8e, 0x47, 0xac, 0xb8, 0x38, 0xe2, 0x0b, 0x49, 0x8e, 0xfa, 0xdf,
-	0xff, 0x68, 0x60, 0x69, 0x62, 0x96, 0x49, 0x9d, 0x36, 0x75, 0x3a, 0x6f, 0x40, 0xf2, 0xb7, 0x19,
+	0x1a, 0x58, 0x9e, 0x98, 0x65, 0x52, 0xa7, 0x45, 0x9d, 0xf6, 0x1b, 0x90, 0xfc, 0x6d, 0x4a, 0xf2,
-	0xc9, 0x5b, 0x57, 0x21, 0x59, 0x2d, 0x7e, 0xa2, 0xf2, 0xbf, 0x35, 0x70, 0xff, 0xa2, 0xe4, 0x0d,
+	0xd6, 0x55, 0x48, 0x56, 0x8b, 0x9f, 0xa8, 0xfc, 0x2f, 0x0d, 0xdc, 0xbf, 0x28, 0x79, 0x93, 0x32,
-	0xca, 0x38, 0xfc, 0x7a, 0x44, 0xbd, 0x3e, 0xe5, 0xa1, 0x4b, 0x59, 0xa4, 0xbd, 0xa2, 0xe8, 0x67,
+	0x0e, 0xbf, 0x1e, 0x51, 0xaf, 0x4f, 0x79, 0xe8, 0x52, 0x16, 0x6a, 0x2f, 0x29, 0xfa, 0xd9, 0xc8,
-	0x63, 0x4b, 0x4a, 0xb9, 0x07, 0xae, 0x53, 0x4e, 0x6c, 0x31, 0xa6, 0xe2, 0x58, 0x5b, 0xbf, 0x42,
+	0x92, 0x50, 0xee, 0x81, 0xeb, 0x94, 0x13, 0x5b, 0x8c, 0xa9, 0x38, 0xd6, 0x36, 0xae, 0x50, 0xba,
-	0xe9, 0xe6, 0x9c, 0xe2, 0xbd, 0xfe, 0x54, 0x30, 0xa0, 0x88, 0xa8, 0xf9, 0x63, 0xe1, 0x62, 0xe1,
+	0x39, 0xa7, 0x78, 0xaf, 0x3f, 0x15, 0x0c, 0x28, 0x24, 0xaa, 0xff, 0x98, 0xbb, 0x58, 0xb8, 0xa8,
-	0xa2, 0x4e, 0x62, 0x78, 0x3d, 0x69, 0x7c, 0x96, 0x0c, 0xd8, 0x70, 0x1b, 0xb7, 0x87, 0x1e, 0x94,
+	0x93, 0x18, 0x5e, 0x4f, 0x1a, 0x9f, 0xc5, 0x03, 0x36, 0xdc, 0xc6, 0xed, 0xa1, 0x07, 0x25, 0xa2,
-	0x8a, 0x82, 0xcf, 0xc1, 0xac, 0xa7, 0x46, 0x73, 0xcc, 0x0d, 0x75, 0x91, 0xa2, 0x78, 0xaa, 0xcd,
+	0xe0, 0x73, 0x30, 0xeb, 0xa9, 0xd1, 0x1c, 0x73, 0x43, 0x5d, 0xa4, 0x28, 0x9a, 0x6a, 0xf3, 0x96,
-	0x5b, 0xa2, 0x5a, 0xf1, 0x17, 0x1a, 0x42, 0xc2, 0x00, 0xcc, 0xdb, 0x99, 0x2b, 0xb9, 0x56, 0x90,
+	0xa8, 0x56, 0xf4, 0x85, 0x86, 0x90, 0x30, 0x00, 0xf3, 0x76, 0xea, 0x4a, 0xae, 0xe4, 0x24, 0xc9,
-	0x24, 0x1f, 0x5f, 0x82, 0x24, 0x7b, 0xa7, 0x47, 0x97, 0x61, 0xd6, 0x86, 0x72, 0x24, 0x70, 0x0f,
+	0x47, 0x97, 0x20, 0x49, 0xdf, 0xe9, 0xe1, 0x65, 0x98, 0xb6, 0xa1, 0x0c, 0x09, 0xdc, 0x03, 0xe5,
-	0x54, 0x0f, 0x55, 0xc5, 0x5c, 0xa7, 0x65, 0x45, 0xe7, 0x6a, 0x51, 0x1e, 0xcb, 0x2b, 0xe2, 0x0a,
+	0x43, 0x55, 0x31, 0xd7, 0x69, 0x58, 0xe1, 0xb9, 0x9a, 0x97, 0xc7, 0xf2, 0xaa, 0xb8, 0xc2, 0x77,
-	0xdf, 0xcd, 0x3b, 0xcf, 0x07, 0x8d, 0x4a, 0xde, 0x88, 0x46, 0x31, 0x9a, 0x7f, 0x6a, 0xe0, 0xde,
+	0xb3, 0xce, 0xf3, 0x7e, 0xad, 0x94, 0x35, 0xa2, 0x51, 0x8c, 0xfa, 0x1f, 0x1a, 0xb8, 0x37, 0x71,
-	0xc4, 0xbd, 0x78, 0x03, 0xdd, 0x47, 0xb3, 0xdd, 0xf7, 0xf8, 0x4a, 0xba, 0x6f, 0x7c, 0xdb, 0xfd,
+	0x2f, 0xde, 0x40, 0xf7, 0xd1, 0x74, 0xf7, 0x3d, 0xbe, 0x92, 0xee, 0x1b, 0xdf, 0x76, 0xbf, 0xe4,
-	0x5a, 0xfc, 0x0f, 0xa9, 0xb2, 0xdf, 0x30, 0x28, 0x79, 0xf1, 0xcd, 0xa1, 0xb4, 0x3e, 0xbc, 0x6c,
+	0xff, 0x43, 0xaa, 0xec, 0x37, 0x0c, 0x0a, 0x5e, 0x74, 0x73, 0x28, 0xad, 0x0f, 0x2f, 0xdb, 0x3c,
-	0xf3, 0x88, 0x5c, 0x73, 0x4e, 0x1c, 0xed, 0xc3, 0x4f, 0x94, 0xa0, 0xc2, 0xef, 0x40, 0x45, 0x6e,
+	0x22, 0xd7, 0x9c, 0x13, 0x47, 0xfb, 0xf0, 0x13, 0xc5, 0xa8, 0xf0, 0x3b, 0x50, 0x92, 0x5b, 0xfb,
-	0xed, 0x67, 0xae, 0x23, 0x00, 0xa8, 0xc3, 0xe3, 0xfb, 0xf1, 0x7f, 0x74, 0xd0, 0xed, 0x70, 0xd0,
+	0xa9, 0xeb, 0x08, 0x00, 0xea, 0xf0, 0xe8, 0x7e, 0xfc, 0x1f, 0x1d, 0xb4, 0x38, 0xe8, 0xd7, 0x4a,
-	0xa8, 0x6c, 0xe6, 0x60, 0xd1, 0x08, 0x11, 0xec, 0x83, 0x72, 0xd2, 0x01, 0xf1, 0x83, 0xea, 0x83,
+	0xcd, 0x0c, 0x2c, 0x1a, 0x21, 0x82, 0x3d, 0x50, 0x8c, 0x3b, 0x20, 0x7a, 0x50, 0xbd, 0xff, 0x1a,
-	0xd7, 0x28, 0xb9, 0xeb, 0x98, 0x6f, 0xa9, 0x1a, 0x97, 0x13, 0x1b, 0x43, 0x69, 0x78, 0xb8, 0x01,
+	0x25, 0x77, 0x1d, 0xf3, 0x2d, 0x55, 0xe3, 0x62, 0x6c, 0x63, 0x28, 0x09, 0x0f, 0x37, 0xc1, 0xdc,
-	0xe6, 0x0e, 0x30, 0xed, 0x07, 0x3e, 0x51, 0x4f, 0x95, 0xa2, 0x1c, 0xe0, 0x77, 0xc5, 0x33, 0xe2,
+	0x01, 0xa6, 0xbd, 0xc0, 0x27, 0xea, 0xa9, 0x92, 0x97, 0x03, 0xfc, 0x8e, 0x78, 0x46, 0x7c, 0x96,
-	0xf3, 0xb4, 0xe3, 0x7c, 0xd0, 0xa8, 0x66, 0x0c, 0xf2, 0xb9, 0x92, 0x4d, 0x86, 0x2f, 0x35, 0x50,
+	0x74, 0x9c, 0xf7, 0x6b, 0xe5, 0x94, 0x41, 0x3e, 0x57, 0xd2, 0xc9, 0xf0, 0xa5, 0x06, 0x4a, 0x38,
-	0xc1, 0xd9, 0x27, 0x38, 0xab, 0x5d, 0x97, 0x0a, 0x3e, 0xb9, 0x84, 0x82, 0xdc, 0x2b, 0xde, 0xac,
+	0xfd, 0x04, 0x67, 0x95, 0xeb, 0x52, 0xc1, 0xc7, 0x97, 0x50, 0x90, 0x79, 0xc5, 0x9b, 0x15, 0x25,
-	0x29, 0x19, 0x95, 0x9c, 0x83, 0xa1, 0x11, 0xb6, 0xe6, 0x2f, 0x1a, 0x00, 0x89, 0x5a, 0x78, 0x1f,
+	0xa3, 0x94, 0x71, 0x30, 0x34, 0xc2, 0x56, 0xff, 0x47, 0x03, 0x20, 0x56, 0x0b, 0xef, 0x03, 0x90,
-	0x80, 0xd4, 0xe3, 0x3e, 0x3a, 0x9d, 0x8a, 0x02, 0x0e, 0xa5, 0xec, 0x70, 0x05, 0xdc, 0xb4, 0x09,
+	0x78, 0xdc, 0x87, 0xa7, 0x53, 0x5e, 0xc0, 0xa1, 0x84, 0x1d, 0xae, 0x82, 0x9b, 0x36, 0x61, 0x0c,
-	0x63, 0xb8, 0x13, 0x5f, 0xfd, 0x0b, 0x8a, 0xf1, 0xe6, 0x66, 0x64, 0x46, 0xb1, 0x1f, 0xee, 0x81,
+	0xb7, 0xa3, 0xab, 0x7f, 0x41, 0x31, 0xde, 0x6c, 0x86, 0x66, 0x14, 0xf9, 0xe1, 0x1e, 0xb8, 0xe1,
-	0x1b, 0x3e, 0xc1, 0xcc, 0x75, 0xe4, 0x99, 0x52, 0x32, 0x3f, 0x0d, 0x07, 0x8d, 0x1b, 0x48, 0x5a,
+	0x13, 0xcc, 0x5c, 0x47, 0x9e, 0x29, 0x05, 0xf3, 0x93, 0x41, 0xbf, 0x76, 0x03, 0x49, 0xcb, 0x79,
-	0xce, 0x07, 0x8d, 0xd5, 0x69, 0xfe, 0x21, 0xe9, 0x3b, 0x1c, 0xf3, 0x80, 0x45, 0x49, 0x48, 0xc1,
+	0xbf, 0xb6, 0x36, 0xcd, 0x3f, 0x24, 0x7d, 0x87, 0x63, 0x1e, 0xb0, 0x30, 0x09, 0x29, 0x38, 0xf8,
-	0x99, 0x5b, 0x27, 0x67, 0xf5, 0x99, 0x57, 0x67, 0xf5, 0x99, 0xd3, 0xb3, 0xfa, 0xcc, 0xcb, 0xb0,
+	0x39, 0x28, 0x2b, 0x8e, 0xc4, 0x82, 0xc3, 0xdd, 0xb8, 0xab, 0x56, 0x53, 0x6e, 0x66, 0x03, 0xd0,
-	0xae, 0x9d, 0x84, 0x75, 0xed, 0x55, 0x58, 0xd7, 0x4e, 0xc3, 0xba, 0xf6, 0x7b, 0x58, 0xd7, 0x7e,
+	0x68, 0x8e, 0xb9, 0x75, 0x72, 0x56, 0x9d, 0x79, 0x75, 0x56, 0x9d, 0x39, 0x3d, 0xab, 0xce, 0xbc,
-	0xfa, 0xa3, 0x3e, 0xf3, 0xd5, 0xca, 0xd4, 0x7f, 0x26, 0xff, 0x0d, 0x00, 0x00, 0xff, 0xff, 0x05,
+	0x1c, 0x54, 0xb5, 0x93, 0x41, 0x55, 0x7b, 0x35, 0xa8, 0x6a, 0xa7, 0x83, 0xaa, 0xf6, 0xdb, 0xa0,
-	0xb2, 0x6f, 0x65, 0x91, 0x0e, 0x00, 0x00,
+	0xaa, 0xfd, 0xf4, 0x7b, 0x75, 0xe6, 0xab, 0xd5, 0xa9, 0xff, 0x95, 0xfe, 0x1b, 0x00, 0x00, 0xff,
+	0xff, 0x47, 0xed, 0x82, 0x0e, 0xda, 0x0e, 0x00, 0x00,
 }
 
 func (m *AuditAnnotation) Marshal() (dAtA []byte, err error) {
@@ -1043,6 +1044,11 @@ func (m *Validation) MarshalToSizedBuffer(dAtA []byte) (int, error) {
 	_ = i
 	var l int
 	_ = l
+	i -= len(m.MessageExpression)
+	copy(dAtA[i:], m.MessageExpression)
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.MessageExpression)))
+	i--
+	dAtA[i] = 0x22
 	if m.Reason != nil {
 		i -= len(*m.Reason)
 		copy(dAtA[i:], *m.Reason)
@@ -1295,6 +1301,8 @@ func (m *Validation) Size() (n int) {
 		l = len(*m.Reason)
 		n += 1 + l + sovGenerated(uint64(l))
 	}
+	l = len(m.MessageExpression)
+	n += 1 + l + sovGenerated(uint64(l))
 	return n
 }
 
@@ -1471,6 +1479,7 @@ func (this *Validation) String() string {
 		`Expression:` + fmt.Sprintf("%v", this.Expression) + `,`,
 		`Message:` + fmt.Sprintf("%v", this.Message) + `,`,
 		`Reason:` + valueToStringGenerated(this.Reason) + `,`,
+		`MessageExpression:` + fmt.Sprintf("%v", this.MessageExpression) + `,`,
 		`}`,
 	}, "")
 	return s
@@ -3164,6 +3173,38 @@ func (m *Validation) Unmarshal(dAtA []byte) error {
 			s := k8s_io_apimachinery_pkg_apis_meta_v1.StatusReason(dAtA[iNdEx:postIndex])
 			m.Reason = &s
 			iNdEx = postIndex
+		case 4:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field MessageExpression", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= uint64(b&0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.MessageExpression = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
 		default:
 			iNdEx = preIndex
 			skippy, err := skipGenerated(dAtA[iNdEx:])

staging/src/k8s.io/api/admissionregistration/v1alpha1/generated.proto

@@ -413,5 +413,18 @@ message Validation {
   // If not set, StatusReasonInvalid is used in the response to the client.
   // +optional
   optional string reason = 3;
+
+  // messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails.
+  // Since messageExpression is used as a failure message, it must evaluate to a string.
+  // If both message and messageExpression are present on a validation, then messageExpression will be used if validation fails.
+  // If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced
+  // as if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string
+  // that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and
+  // the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged.
+  // messageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'.
+  // Example:
+  // "object.x must be less than max ("+string(params.max)+")"
+  // +optional
+  optional string messageExpression = 4;
 }
 

staging/src/k8s.io/api/admissionregistration/v1alpha1/types.go

@@ -209,6 +209,18 @@ type Validation struct {
 	// If not set, StatusReasonInvalid is used in the response to the client.
 	// +optional
 	Reason *metav1.StatusReason `json:"reason,omitempty" protobuf:"bytes,3,opt,name=reason"`
+	// messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails.
+	// Since messageExpression is used as a failure message, it must evaluate to a string.
+	// If both message and messageExpression are present on a validation, then messageExpression will be used if validation fails.
+	// If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced
+	// as if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string
+	// that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and
+	// the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged.
+	// messageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'.
+	// Example:
+	// "object.x must be less than max ("+string(params.max)+")"
+	// +optional
+	MessageExpression string `json:"messageExpression,omitempty" protobuf:"bytes,4,opt,name=messageExpression"`
 }
 
 // AuditAnnotation describes how to produce an audit annotation for an API request.

staging/src/k8s.io/api/admissionregistration/v1alpha1/types_swagger_doc_generated.go

@@ -149,6 +149,7 @@ var map_Validation = map[string]string{
 	"expression":        "Expression represents the expression which will be evaluated by CEL. ref: https://github.com/google/cel-spec CEL expressions have access to the contents of the API request/response, organized into CEL variables as well as some other useful variables:\n\n- 'object' - The object from the incoming request. The value is null for DELETE requests. - 'oldObject' - The existing object. The value is null for CREATE requests. - 'request' - Attributes of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)). - 'params' - Parameter resource referred to by the policy binding being evaluated. Only populated if the policy has a ParamKind. - 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.\n  See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n  request resource.\n\nThe `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` are always accessible from the root of the object. No other metadata properties are accessible.\n\nOnly property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are accessible. Accessible property names are escaped according to the following rules when accessed in the expression: - '__' escapes to '__underscores__' - '.' escapes to '__dot__' - '-' escapes to '__dash__' - '/' escapes to '__slash__' - Property names that exactly match a CEL RESERVED keyword escape to '__{keyword}__'. The keywords are:\n\t  \"true\", \"false\", \"null\", \"in\", \"as\", \"break\", \"const\", \"continue\", \"else\", \"for\", \"function\", \"if\",\n\t  \"import\", \"let\", \"loop\", \"package\", \"namespace\", \"return\".\nExamples:\n  - Expression accessing a property named \"namespace\": {\"Expression\": \"object.__namespace__ > 0\"}\n  - Expression accessing a property named \"x-prop\": {\"Expression\": \"object.x__dash__prop > 0\"}\n  - Expression accessing a property named \"redact__d\": {\"Expression\": \"object.redact__underscores__d > 0\"}\n\nEquality on arrays with list type of 'set' or 'map' ignores element order, i.e. [1, 2] == [2, 1]. Concatenation on arrays with x-kubernetes-list-type use the semantics of the list type:\n  - 'set': `X + Y` performs a union where the array positions of all elements in `X` are preserved and\n    non-intersecting elements in `Y` are appended, retaining their partial order.\n  - 'map': `X + Y` performs a merge where the array positions of all keys in `X` are preserved but the values\n    are overwritten by values in `Y` when the key sets of `X` and `Y` intersect. Elements in `Y` with\n    non-intersecting keys are appended, retaining their partial order.\nRequired.",
 	"message":           "Message represents the message displayed when validation fails. The message is required if the Expression contains line breaks. The message must not contain line breaks. If unset, the message is \"failed rule: {Rule}\". e.g. \"must be a URL with the host matching spec.host\" If the Expression contains line breaks. Message is required. The message must not contain line breaks. If unset, the message is \"failed Expression: {Expression}\".",
 	"reason":            "Reason represents a machine-readable description of why this validation failed. If this is the first validation in the list to fail, this reason, as well as the corresponding HTTP response code, are used in the HTTP response to the client. The currently supported reasons are: \"Unauthorized\", \"Forbidden\", \"Invalid\", \"RequestEntityTooLarge\". If not set, StatusReasonInvalid is used in the response to the client.",
+	"messageExpression": "messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails. Since messageExpression is used as a failure message, it must evaluate to a string. If both message and messageExpression are present on a validation, then messageExpression will be used if validation fails. If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced as if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged. messageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'. Example: \"object.x must be less than max (\"+string(params.max)+\")\"",
 }
 
 func (Validation) SwaggerDoc() map[string]string {

staging/src/k8s.io/api/testdata/HEAD/admissionregistration.k8s.io.v1alpha1.ValidatingAdmissionPolicy.json

@@ -123,7 +123,8 @@
       {
         "expression": "expressionValue",
         "message": "messageValue",
-        "reason": "reasonValue"
+        "reason": "reasonValue",
+        "messageExpression": "messageExpressionValue"
       }
     ],
     "failurePolicy": "failurePolicyValue",

staging/src/k8s.io/api/testdata/HEAD/admissionregistration.k8s.io.v1alpha1.ValidatingAdmissionPolicy.yaml

@@ -85,4 +85,5 @@ spec:
   validations:
   - expression: expressionValue
     message: messageValue
+    messageExpression: messageExpressionValue
     reason: reasonValue

staging/src/k8s.io/apiserver/pkg/admission/plugin/cel/filter.go

@@ -18,7 +18,6 @@ package cel
 
 import (
 	"context"
-	"errors"
 	"fmt"
 	"math"
 	"reflect"
@@ -32,6 +31,7 @@ import (
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apiserver/pkg/admission"
+	"k8s.io/apiserver/pkg/cel"
 	"k8s.io/apiserver/pkg/cel/library"
 )
 
@@ -78,6 +78,9 @@ func (a *evaluationActivation) Parent() interpreter.Activation {
 func (c *filterCompiler) Compile(expressionAccessors []ExpressionAccessor, options OptionalVariableDeclarations, perCallLimit uint64) Filter {
 	compilationResults := make([]CompilationResult, len(expressionAccessors))
 	for i, expressionAccessor := range expressionAccessors {
+		if expressionAccessor == nil {
+			continue
+		}
 		compilationResults[i] = CompileCELExpression(expressionAccessor, options, perCallLimit)
 	}
 	return NewFilter(compilationResults)
@@ -119,24 +122,24 @@ func objectToResolveVal(r runtime.Object) (interface{}, error) {
 // ForInput evaluates the compiled CEL expressions converting them into CELEvaluations
 // errors per evaluation are returned on the Evaluation object
 // runtimeCELCostBudget was added for testing purpose only. Callers should always use const RuntimeCELCostBudget from k8s.io/apiserver/pkg/apis/cel/config.go as input.
-func (f *filter) ForInput(ctx context.Context, versionedAttr *admission.VersionedAttributes, request *admissionv1.AdmissionRequest, inputs OptionalVariableBindings, runtimeCELCostBudget int64) ([]EvaluationResult, error) {
+func (f *filter) ForInput(ctx context.Context, versionedAttr *admission.VersionedAttributes, request *admissionv1.AdmissionRequest, inputs OptionalVariableBindings, runtimeCELCostBudget int64) ([]EvaluationResult, int64, error) {
 	// TODO: replace unstructured with ref.Val for CEL variables when native type support is available
 	evaluations := make([]EvaluationResult, len(f.compilationResults))
 	var err error
 
 	oldObjectVal, err := objectToResolveVal(versionedAttr.VersionedOldObject)
 	if err != nil {
-		return nil, err
+		return nil, -1, err
 	}
 	objectVal, err := objectToResolveVal(versionedAttr.VersionedObject)
 	if err != nil {
-		return nil, err
+		return nil, -1, err
 	}
 	var paramsVal, authorizerVal, requestResourceAuthorizerVal any
 	if inputs.VersionedParams != nil {
 		paramsVal, err = objectToResolveVal(inputs.VersionedParams)
 		if err != nil {
-			return nil, err
+			return nil, -1, err
 		}
 	}
 
@@ -147,7 +150,7 @@ func (f *filter) ForInput(ctx context.Context, versionedAttr *admission.Versione
 
 	requestVal, err := convertObjectToUnstructured(request)
 	if err != nil {
-		return nil, err
+		return nil, -1, err
 	}
 	va := &evaluationActivation{
 		object:                    objectVal,
@@ -161,13 +164,22 @@ func (f *filter) ForInput(ctx context.Context, versionedAttr *admission.Versione
 	remainingBudget := runtimeCELCostBudget
 	for i, compilationResult := range f.compilationResults {
 		var evaluation = &evaluations[i]
+		if compilationResult.ExpressionAccessor == nil { // in case of placeholder
+			continue
+		}
 		evaluation.ExpressionAccessor = compilationResult.ExpressionAccessor
 		if compilationResult.Error != nil {
-			evaluation.Error = errors.New(fmt.Sprintf("compilation error: %v", compilationResult.Error))
+			evaluation.Error = &cel.Error{
+				Type:   cel.ErrorTypeInvalid,
+				Detail: fmt.Sprintf("compilation error: %v", compilationResult.Error),
+			}
 			continue
 		}
 		if compilationResult.Program == nil {
-			evaluation.Error = errors.New("unexpected internal error compiling expression")
+			evaluation.Error = &cel.Error{
+				Type:   cel.ErrorTypeInternal,
+				Detail: fmt.Sprintf("unexpected internal error compiling expression"),
+			}
 			continue
 		}
 		t1 := time.Now()
@@ -175,26 +187,38 @@ func (f *filter) ForInput(ctx context.Context, versionedAttr *admission.Versione
 		elapsed := time.Since(t1)
 		evaluation.Elapsed = elapsed
 		if evalDetails == nil {
-			return nil, errors.New(fmt.Sprintf("runtime cost could not be calculated for expression: %v, no further expression will be run", compilationResult.ExpressionAccessor.GetExpression()))
+			return nil, -1, &cel.Error{
+				Type:   cel.ErrorTypeInternal,
+				Detail: fmt.Sprintf("runtime cost could not be calculated for expression: %v, no further expression will be run", compilationResult.ExpressionAccessor.GetExpression()),
+			}
 		} else {
 			rtCost := evalDetails.ActualCost()
 			if rtCost == nil {
-				return nil, errors.New(fmt.Sprintf("runtime cost could not be calculated for expression: %v, no further expression will be run", compilationResult.ExpressionAccessor.GetExpression()))
+				return nil, -1, &cel.Error{
+					Type:   cel.ErrorTypeInvalid,
+					Detail: fmt.Sprintf("runtime cost could not be calculated for expression: %v, no further expression will be run", compilationResult.ExpressionAccessor.GetExpression()),
+				}
 			} else {
 				if *rtCost > math.MaxInt64 || int64(*rtCost) > remainingBudget {
-					return nil, errors.New(fmt.Sprintf("validation failed due to running out of cost budget, no further validation rules will be run"))
+					return nil, -1, &cel.Error{
+						Type:   cel.ErrorTypeInvalid,
+						Detail: fmt.Sprintf("validation failed due to running out of cost budget, no further validation rules will be run"),
+					}
 				}
 				remainingBudget -= int64(*rtCost)
 			}
 		}
 		if err != nil {
-			evaluation.Error = errors.New(fmt.Sprintf("expression '%v' resulted in error: %v", compilationResult.ExpressionAccessor.GetExpression(), err))
+			evaluation.Error = &cel.Error{
+				Type:   cel.ErrorTypeInvalid,
+				Detail: fmt.Sprintf("expression '%v' resulted in error: %v", compilationResult.ExpressionAccessor.GetExpression(), err),
+			}
 		} else {
 			evaluation.EvalResult = evalResult
 		}
 	}
 
-	return evaluations, nil
+	return evaluations, remainingBudget, nil
 }
 
 // TODO: to reuse https://github.com/kubernetes/kubernetes/blob/master/staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook/request/admissionreview.go#L154

staging/src/k8s.io/apiserver/pkg/admission/plugin/cel/filter_test.go

@@ -38,6 +38,7 @@ import (
 	"k8s.io/apiserver/pkg/authentication/user"
 	"k8s.io/apiserver/pkg/authorization/authorizer"
 	apiservercel "k8s.io/apiserver/pkg/cel"
+	"k8s.io/utils/pointer"
 )
 
 type condition struct {
@@ -661,7 +662,7 @@ func TestFilter(t *testing.T) {
 
 			optionalVars := OptionalVariableBindings{VersionedParams: tc.params, Authorizer: tc.authorizer}
 			ctx := context.TODO()
-			evalResults, err := f.ForInput(ctx, versionedAttr, CreateAdmissionRequest(versionedAttr.Attributes), optionalVars, celconfig.RuntimeCELCostBudget)
+			evalResults, _, err := f.ForInput(ctx, versionedAttr, CreateAdmissionRequest(versionedAttr.Attributes), optionalVars, celconfig.RuntimeCELCostBudget)
 			if err != nil {
 				t.Fatalf("unexpected error: %v", err)
 			}
@@ -697,6 +698,7 @@ func TestRuntimeCELCostBudget(t *testing.T) {
 		authorizer               authorizer.Authorizer
 		testRuntimeCELCostBudget int64
 		exceedBudget             bool
+		expectRemainingBudget    *int64
 	}{
 		{
 			name: "expression exceed RuntimeCELCostBudget at fist expression",
@@ -743,6 +745,45 @@ func TestRuntimeCELCostBudget(t *testing.T) {
 			hasParamKind:             true,
 			params:                   configMapParams,
 			exceedBudget:             false,
+			testRuntimeCELCostBudget: 10,
+			expectRemainingBudget:    pointer.Int64(4), // 10 - 6
+		},
+		{
+			name: "test RuntimeCELCostBudge exactly covers",
+			validations: []ExpressionAccessor{
+				&condition{
+					Expression: "oldObject != null",
+				},
+				&condition{
+					Expression: "object.subsets.size() > 2",
+				},
+			},
+			attributes:               newValidAttribute(nil, false),
+			hasParamKind:             true,
+			params:                   configMapParams,
+			exceedBudget:             false,
+			testRuntimeCELCostBudget: 6,
+			expectRemainingBudget:    pointer.Int64(0),
+		},
+		{
+			name: "test RuntimeCELCostBudge exactly covers then constant",
+			validations: []ExpressionAccessor{
+				&condition{
+					Expression: "oldObject != null",
+				},
+				&condition{
+					Expression: "object.subsets.size() > 2",
+				},
+				&condition{
+					Expression: "true", // zero cost
+				},
+			},
+			attributes:               newValidAttribute(nil, false),
+			hasParamKind:             true,
+			params:                   configMapParams,
+			exceedBudget:             false,
+			testRuntimeCELCostBudget: 6,
+			expectRemainingBudget:    pointer.Int64(0),
 		},
 	}
 
@@ -767,19 +808,25 @@ func TestRuntimeCELCostBudget(t *testing.T) {
 			}
 			optionalVars := OptionalVariableBindings{VersionedParams: tc.params, Authorizer: tc.authorizer}
 			ctx := context.TODO()
-			evalResults, err := f.ForInput(ctx, versionedAttr, CreateAdmissionRequest(versionedAttr.Attributes), optionalVars, tc.testRuntimeCELCostBudget)
+			evalResults, remaining, err := f.ForInput(ctx, versionedAttr, CreateAdmissionRequest(versionedAttr.Attributes), optionalVars, tc.testRuntimeCELCostBudget)
 			if tc.exceedBudget && err == nil {
 				t.Errorf("Expected RuntimeCELCostBudge to be exceeded but got nil")
 			}
 			if tc.exceedBudget && !strings.Contains(err.Error(), "validation failed due to running out of cost budget, no further validation rules will be run") {
 				t.Errorf("Expected RuntimeCELCostBudge exceeded error but got: %v", err)
 			}
+			if err != nil && remaining != -1 {
+				t.Errorf("expected -1 remaining when error, but got %d", remaining)
+			}
 			if err != nil && !tc.exceedBudget {
 				t.Fatalf("unexpected error: %v", err)
 			}
 			if tc.exceedBudget && len(evalResults) != 0 {
 				t.Fatalf("unexpected result returned: %v", evalResults)
 			}
+			if tc.expectRemainingBudget != nil && *tc.expectRemainingBudget != remaining {
+				t.Errorf("wrong remaining budget, expect %d, but got %d", *tc.expectRemainingBudget, remaining)
+			}
 		})
 	}
 }

staging/src/k8s.io/apiserver/pkg/admission/plugin/cel/interface.go

@@ -92,9 +92,10 @@ type OptionalVariableBindings struct {
 // by the underlying CEL code (which is indicated by the match criteria of a policy definition).
 // versionedParams may be nil.
 type Filter interface {
-	// ForInput converts compiled CEL-typed values into evaluated CEL-typed values
+	// ForInput converts compiled CEL-typed values into evaluated CEL-typed value.
 	// runtimeCELCostBudget was added for testing purpose only. Callers should always use const RuntimeCELCostBudget from k8s.io/apiserver/pkg/apis/cel/config.go as input.
-	ForInput(ctx context.Context, versionedAttr *admission.VersionedAttributes, request *v1.AdmissionRequest, optionalVars OptionalVariableBindings, runtimeCELCostBudget int64) ([]EvaluationResult, error)
+	// If cost budget is calculated, the filter should return the remaining budget.
+	ForInput(ctx context.Context, versionedAttr *admission.VersionedAttributes, request *v1.AdmissionRequest, optionalVars OptionalVariableBindings, runtimeCELCostBudget int64) ([]EvaluationResult, int64, error)
 
 	// CompilationErrors returns a list of errors from the compilation of the evaluator
 	CompilationErrors() []error

staging/src/k8s.io/apiserver/pkg/admission/plugin/validatingadmissionpolicy/admission_test.go

@@ -212,7 +212,7 @@ func (f *fakeCompiler) Compile(
 	options cel.OptionalVariableDeclarations,
 	perCallLimit uint64,
 ) cel.Filter {
-	if len(expressions) > 0 {
+	if len(expressions) > 0 && expressions[0] != nil {
 		key := expressions[0].GetExpression()
 		if fun, ok := f.CompileFuncs[key]; ok {
 			return fun(expressions, options)
@@ -252,8 +252,8 @@ type fakeFilter struct {
 	keyId string
 }
 
-func (f *fakeFilter) ForInput(ctx context.Context, versionedAttr *admission.VersionedAttributes, request *admissionv1.AdmissionRequest, inputs cel.OptionalVariableBindings, runtimeCELCostBudget int64) ([]cel.EvaluationResult, error) {
+func (f *fakeFilter) ForInput(ctx context.Context, versionedAttr *admission.VersionedAttributes, request *admissionv1.AdmissionRequest, inputs cel.OptionalVariableBindings, runtimeCELCostBudget int64) ([]cel.EvaluationResult, int64, error) {
-	return []cel.EvaluationResult{}, nil
+	return []cel.EvaluationResult{}, 0, nil
 }
 
 func (f *fakeFilter) CompilationErrors() []error {
@@ -263,7 +263,7 @@ func (f *fakeFilter) CompilationErrors() []error {
 var _ Validator = &fakeValidator{}
 
 type fakeValidator struct {
-	validationFilter, auditAnnotationFilter *fakeFilter
+	validationFilter, auditAnnotationFilter, messageFilter *fakeFilter
 	ValidateFunc                                           func(ctx context.Context, versionedAttr *admission.VersionedAttributes, versionedParams runtime.Object, runtimeCELCostBudget int64) ValidateResult
 }
 
@@ -418,10 +418,11 @@ func setupTestCommon(t *testing.T, compiler cel.FilterCompiler, matcher Matcher,
 	// Override compiler used by controller for tests
 	controller = handler.evaluator.(*celAdmissionController)
 	controller.policyController.filterCompiler = compiler
-	controller.policyController.newValidator = func(validationFilter, auditAnnotationFilter cel.Filter, fail *admissionRegistrationv1.FailurePolicyType, authorizer authorizer.Authorizer) Validator {
+	controller.policyController.newValidator = func(validationFilter, auditAnnotationFilter, messageFilter cel.Filter, fail *admissionRegistrationv1.FailurePolicyType, authorizer authorizer.Authorizer) Validator {
 		f := validationFilter.(*fakeFilter)
 		v := validatorMap[f.keyId]
 		v.validationFilter = f
+		v.messageFilter = f
 		v.auditAnnotationFilter = auditAnnotationFilter.(*fakeFilter)
 		return v
 	}

staging/src/k8s.io/apiserver/pkg/admission/plugin/validatingadmissionpolicy/controller_reconcile.go

@@ -92,7 +92,7 @@ type policyController struct {
 	authz authorizer.Authorizer
 }
 
-type newValidator func(validationFilter cel.Filter, auditAnnotationFilter cel.Filter, failurePolicy *v1.FailurePolicyType, authorizer authorizer.Authorizer) Validator
+type newValidator func(validationFilter cel.Filter, auditAnnotationFilter cel.Filter, messageFilter cel.Filter, failurePolicy *v1.FailurePolicyType, authorizer authorizer.Authorizer) Validator
 
 func newPolicyController(
 	restMapper meta.RESTMapper,
@@ -459,9 +459,11 @@ func (c *policyController) latestPolicyData() []policyData {
 					hasParam = true
 				}
 				optionalVars := cel.OptionalVariableDeclarations{HasParams: hasParam, HasAuthorizer: true}
+				expressionOptionalVars := cel.OptionalVariableDeclarations{HasParams: hasParam, HasAuthorizer: false}
 				bindingInfo.validator = c.newValidator(
 					c.filterCompiler.Compile(convertv1alpha1Validations(definitionInfo.lastReconciledValue.Spec.Validations), optionalVars, celconfig.PerCallLimit),
 					c.filterCompiler.Compile(convertv1alpha1AuditAnnotations(definitionInfo.lastReconciledValue.Spec.AuditAnnotations), optionalVars, celconfig.PerCallLimit),
+					c.filterCompiler.Compile(convertV1Alpha1MessageExpressions(definitionInfo.lastReconciledValue.Spec.Validations), expressionOptionalVars, celconfig.PerCallLimit),
 					convertv1alpha1FailurePolicyTypeTov1FailurePolicyType(definitionInfo.lastReconciledValue.Spec.FailurePolicy),
 					c.authz,
 				)
@@ -514,6 +516,19 @@ func convertv1alpha1Validations(inputValidations []v1alpha1.Validation) []cel.Ex
 	return celExpressionAccessor
 }
 
+func convertV1Alpha1MessageExpressions(inputValidations []v1alpha1.Validation) []cel.ExpressionAccessor {
+	celExpressionAccessor := make([]cel.ExpressionAccessor, len(inputValidations))
+	for i, validation := range inputValidations {
+		if validation.MessageExpression != "" {
+			condition := MessageExpressionCondition{
+				MessageExpression: validation.MessageExpression,
+			}
+			celExpressionAccessor[i] = &condition
+		}
+	}
+	return celExpressionAccessor
+}
+
 func convertv1alpha1AuditAnnotations(inputValidations []v1alpha1.AuditAnnotation) []cel.ExpressionAccessor {
 	celExpressionAccessor := make([]cel.ExpressionAccessor, len(inputValidations))
 	for i, validation := range inputValidations {

staging/src/k8s.io/apiserver/pkg/admission/plugin/validatingadmissionpolicy/message.go

@@ -0,0 +1,36 @@
+/*
+Copyright 2023 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package validatingadmissionpolicy
+
+import (
+	celgo "github.com/google/cel-go/cel"
+	"k8s.io/apiserver/pkg/admission/plugin/cel"
+)
+
+var _ cel.ExpressionAccessor = (*MessageExpressionCondition)(nil)
+
+type MessageExpressionCondition struct {
+	MessageExpression string
+}
+
+func (m *MessageExpressionCondition) GetExpression() string {
+	return m.MessageExpression
+}
+
+func (m *MessageExpressionCondition) ReturnTypes() []*celgo.Type {
+	return []*celgo.Type{celgo.StringType}
+}

staging/src/k8s.io/apiserver/pkg/admission/plugin/validatingadmissionpolicy/validator.go

@@ -30,21 +30,25 @@ import (
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apiserver/pkg/admission"
 	"k8s.io/apiserver/pkg/admission/plugin/cel"
+	celconfig "k8s.io/apiserver/pkg/apis/cel"
 	"k8s.io/apiserver/pkg/authorization/authorizer"
+	apiservercel "k8s.io/apiserver/pkg/cel"
 )
 
 // validator implements the Validator interface
 type validator struct {
 	validationFilter      cel.Filter
 	auditAnnotationFilter cel.Filter
+	messageFilter         cel.Filter
 	failPolicy            *v1.FailurePolicyType
 	authorizer            authorizer.Authorizer
 }
 
-func NewValidator(validationFilter, auditAnnotationFilter cel.Filter, failPolicy *v1.FailurePolicyType, authorizer authorizer.Authorizer) Validator {
+func NewValidator(validationFilter, auditAnnotationFilter, messageFilter cel.Filter, failPolicy *v1.FailurePolicyType, authorizer authorizer.Authorizer) Validator {
 	return &validator{
 		validationFilter:      validationFilter,
 		auditAnnotationFilter: auditAnnotationFilter,
+		messageFilter:         messageFilter,
 		failPolicy:            failPolicy,
 		authorizer:            authorizer,
 	}
@@ -75,7 +79,9 @@ func (v *validator) Validate(ctx context.Context, versionedAttr *admission.Versi
 	}
 
 	optionalVars := cel.OptionalVariableBindings{VersionedParams: versionedParams, Authorizer: v.authorizer}
-	evalResults, err := v.validationFilter.ForInput(ctx, versionedAttr, cel.CreateAdmissionRequest(versionedAttr.Attributes), optionalVars, runtimeCELCostBudget)
+	expressionOptionalVars := cel.OptionalVariableBindings{VersionedParams: versionedParams}
+	admissionRequest := cel.CreateAdmissionRequest(versionedAttr.Attributes)
+	evalResults, remainingBudget, err := v.validationFilter.ForInput(ctx, versionedAttr, admissionRequest, optionalVars, runtimeCELCostBudget)
 	if err != nil {
 		return ValidateResult{
 			Decisions: []PolicyDecision{
@@ -88,7 +94,7 @@ func (v *validator) Validate(ctx context.Context, versionedAttr *admission.Versi
 		}
 	}
 	decisions := make([]PolicyDecision, len(evalResults))
-
+	messageResults, _, err := v.messageFilter.ForInput(ctx, versionedAttr, admissionRequest, expressionOptionalVars, remainingBudget)
 	for i, evalResult := range evalResults {
 		var decision = &decisions[i]
 		// TODO: move this to generics
@@ -101,10 +107,23 @@ func (v *validator) Validate(ctx context.Context, versionedAttr *admission.Versi
 			continue
 		}
 
+		var messageResult *cel.EvaluationResult
+		var messageError *apiservercel.Error
+		if len(messageResults) > i {
+			messageResult = &messageResults[i]
+		}
+		messageError, _ = err.(*apiservercel.Error)
 		if evalResult.Error != nil {
 			decision.Action = policyDecisionActionForError(f)
 			decision.Evaluation = EvalError
 			decision.Message = evalResult.Error.Error()
+		} else if messageError != nil &&
+			(messageError.Type == apiservercel.ErrorTypeInternal ||
+				(messageError.Type == apiservercel.ErrorTypeInvalid &&
+					strings.HasPrefix(messageError.Detail, "validation failed due to running out of cost budget"))) {
+			decision.Action = policyDecisionActionForError(f)
+			decision.Evaluation = EvalError
+			decision.Message = fmt.Sprintf("failed messageExpression: %s", err)
 		} else if evalResult.EvalResult != celtypes.True {
 			decision.Action = ActionDeny
 			if validation.Reason == nil {
@@ -112,11 +131,39 @@ func (v *validator) Validate(ctx context.Context, versionedAttr *admission.Versi
 			} else {
 				decision.Reason = *validation.Reason
 			}
-			if len(validation.Message) > 0 {
+			// decide the failure message
-				decision.Message = strings.TrimSpace(validation.Message)
+			var message string
-			} else {
+			// attempt to set message with messageExpression result
-				decision.Message = fmt.Sprintf("failed expression: %v", strings.TrimSpace(validation.Expression))
+			if messageResult != nil && messageResult.Error == nil && messageResult.EvalResult != nil {
+				// also fallback if the eval result is non-string (including null) or
+				// whitespaces.
+				if message, ok = messageResult.EvalResult.Value().(string); ok {
+					message = strings.TrimSpace(message)
+					// deny excessively long message from EvalResult
+					if len(message) > celconfig.MaxEvaluatedMessageExpressionSizeBytes {
+						klog.V(2).InfoS("excessively long message denied", "message", message)
+						message = ""
 					}
+					// deny message that contains newlines
+					if strings.ContainsAny(message, "\n") {
+						klog.V(2).InfoS("multi-line message denied", "message", message)
+						message = ""
+					}
+				}
+			}
+			if messageResult != nil && messageResult.Error != nil {
+				// log any error with messageExpression
+				klog.V(2).ErrorS(messageResult.Error, "error while evaluating messageExpression")
+			}
+			// fallback to set message to the custom message
+			if message == "" && len(validation.Message) > 0 {
+				message = strings.TrimSpace(validation.Message)
+			}
+			// fallback to use the expression to compose a message
+			if message == "" {
+				message = fmt.Sprintf("failed expression: %v", strings.TrimSpace(validation.Expression))
+			}
+			decision.Message = message
 		} else {
 			decision.Action = ActionAdmit
 			decision.Evaluation = EvalAdmit
@@ -124,7 +171,7 @@ func (v *validator) Validate(ctx context.Context, versionedAttr *admission.Versi
 	}
 
 	options := cel.OptionalVariableBindings{VersionedParams: versionedParams}
-	auditAnnotationEvalResults, err := v.auditAnnotationFilter.ForInput(ctx, versionedAttr, cel.CreateAdmissionRequest(versionedAttr.Attributes), options, runtimeCELCostBudget)
+	auditAnnotationEvalResults, _, err := v.auditAnnotationFilter.ForInput(ctx, versionedAttr, cel.CreateAdmissionRequest(versionedAttr.Attributes), options, runtimeCELCostBudget)
 	if err != nil {
 		return ValidateResult{
 			Decisions: []PolicyDecision{
@@ -139,6 +186,9 @@ func (v *validator) Validate(ctx context.Context, versionedAttr *admission.Versi
 
 	auditAnnotationResults := make([]PolicyAuditAnnotation, len(auditAnnotationEvalResults))
 	for i, evalResult := range auditAnnotationEvalResults {
+		if evalResult.ExpressionAccessor == nil {
+			continue
+		}
 		var auditAnnotationResult = &auditAnnotationResults[i]
 		// TODO: move this to generics
 		validation, ok := evalResult.ExpressionAccessor.(*AuditAnnotationCondition)

staging/src/k8s.io/apiserver/pkg/admission/plugin/validatingadmissionpolicy/validator_test.go

@@ -34,6 +34,7 @@ import (
 	"k8s.io/apiserver/pkg/admission"
 	"k8s.io/apiserver/pkg/admission/plugin/cel"
 	celconfig "k8s.io/apiserver/pkg/apis/cel"
+	apiservercel "k8s.io/apiserver/pkg/cel"
 )
 
 var _ cel.Filter = &fakeCelFilter{}
@@ -43,11 +44,17 @@ type fakeCelFilter struct {
 	throwError  bool
 }
 
-func (f *fakeCelFilter) ForInput(context.Context, *admission.VersionedAttributes, *admissionv1.AdmissionRequest, cel.OptionalVariableBindings, int64) ([]cel.EvaluationResult, error) {
+func (f *fakeCelFilter) ForInput(_ context.Context, _ *admission.VersionedAttributes, _ *admissionv1.AdmissionRequest, _ cel.OptionalVariableBindings, costBudget int64) ([]cel.EvaluationResult, int64, error) {
-	if f.throwError {
+	if costBudget <= 0 { // this filter will cost 1, so cost = 0 means fail.
-		return nil, errors.New("test error")
+		return nil, -1, &apiservercel.Error{
+			Type:   apiservercel.ErrorTypeInvalid,
+			Detail: fmt.Sprintf("validation failed due to running out of cost budget, no further validation rules will be run"),
 		}
-	return f.evaluations, nil
+	}
+	if f.throwError {
+		return nil, -1, errors.New("test error")
+	}
+	return f.evaluations, costBudget - 1, nil
 }
 
 func (f *fakeCelFilter) CompilationErrors() []error {
@@ -68,10 +75,12 @@ func TestValidate(t *testing.T) {
 		name               string
 		failPolicy         *v1.FailurePolicyType
 		evaluations        []cel.EvaluationResult
+		messageEvaluations []cel.EvaluationResult
 		auditEvaluations   []cel.EvaluationResult
 		policyDecision     []PolicyDecision
 		auditAnnotations   []PolicyAuditAnnotation
 		throwError         bool
+		costBudget         int64 // leave zero to use default
 	}{
 		{
 			name: "test pass",
@@ -572,6 +581,244 @@ func TestValidate(t *testing.T) {
 			},
 			failPolicy: &ignore,
 		},
+		{
+			name: "messageExpression successful, empty message",
+			evaluations: []cel.EvaluationResult{
+				{
+					EvalResult: celtypes.False,
+					ExpressionAccessor: &ValidationCondition{
+						Reason:     &forbiddenReason,
+						Expression: "this.expression == unit.test",
+					},
+				},
+			},
+			messageEvaluations: []cel.EvaluationResult{
+				{
+					EvalResult: celtypes.String("evaluated message"),
+				},
+			},
+			policyDecision: []PolicyDecision{
+				{
+					Action:  ActionDeny,
+					Message: "evaluated message",
+					Reason:  forbiddenReason,
+				},
+			},
+		},
+		{
+			name: "messageExpression for multiple validations",
+			evaluations: []cel.EvaluationResult{
+				{
+					EvalResult: celtypes.False,
+					ExpressionAccessor: &ValidationCondition{
+						Reason:     &forbiddenReason,
+						Expression: "this.expression == unit.test",
+						Message:    "I am not overwritten",
+					},
+				},
+				{
+					EvalResult: celtypes.False,
+					ExpressionAccessor: &ValidationCondition{
+						Reason:     &forbiddenReason,
+						Expression: "this.expression == unit.test",
+						Message:    "I am overwritten",
+					},
+				},
+			},
+			messageEvaluations: []cel.EvaluationResult{
+				{},
+				{
+					EvalResult: celtypes.String("evaluated message"),
+				},
+			},
+			policyDecision: []PolicyDecision{
+				{
+					Action:  ActionDeny,
+					Message: "I am not overwritten",
+					Reason:  forbiddenReason,
+				},
+				{
+					Action:  ActionDeny,
+					Message: "evaluated message",
+					Reason:  forbiddenReason,
+				},
+			},
+		},
+		{
+			name: "messageExpression successful, overwritten message",
+			evaluations: []cel.EvaluationResult{
+				{
+					EvalResult: celtypes.False,
+					ExpressionAccessor: &ValidationCondition{
+						Reason:     &forbiddenReason,
+						Expression: "this.expression == unit.test",
+						Message:    "I am overwritten",
+					},
+				},
+			},
+			messageEvaluations: []cel.EvaluationResult{
+				{
+					EvalResult: celtypes.String("evaluated message"),
+				},
+			},
+			policyDecision: []PolicyDecision{
+				{
+					Action:  ActionDeny,
+					Message: "evaluated message",
+					Reason:  forbiddenReason,
+				},
+			},
+		},
+		{
+			name: "messageExpression user failure",
+			evaluations: []cel.EvaluationResult{
+				{
+					EvalResult: celtypes.False,
+					ExpressionAccessor: &ValidationCondition{
+						Reason:     &forbiddenReason,
+						Expression: "this.expression == unit.test",
+						Message:    "test1",
+					},
+				},
+			},
+			messageEvaluations: []cel.EvaluationResult{
+				{
+					Error: &apiservercel.Error{Type: apiservercel.ErrorTypeInvalid},
+				},
+			},
+			policyDecision: []PolicyDecision{
+				{
+					Action:  ActionDeny,
+					Message: "test1", // original message used
+					Reason:  forbiddenReason,
+				},
+			},
+		},
+		{
+			name: "messageExpression eval to empty",
+			evaluations: []cel.EvaluationResult{
+				{
+					EvalResult: celtypes.False,
+					ExpressionAccessor: &ValidationCondition{
+						Reason:     &forbiddenReason,
+						Expression: "this.expression == unit.test",
+						Message:    "test1",
+					},
+				},
+			},
+			messageEvaluations: []cel.EvaluationResult{
+				{
+					EvalResult: celtypes.String(" "),
+				},
+			},
+			policyDecision: []PolicyDecision{
+				{
+					Action:  ActionDeny,
+					Message: "test1",
+					Reason:  forbiddenReason,
+				},
+			},
+		},
+		{
+			name: "messageExpression eval to multi-line",
+			evaluations: []cel.EvaluationResult{
+				{
+					EvalResult: celtypes.False,
+					ExpressionAccessor: &ValidationCondition{
+						Reason:     &forbiddenReason,
+						Expression: "this.expression == unit.test",
+						Message:    "test1",
+					},
+				},
+			},
+			messageEvaluations: []cel.EvaluationResult{
+				{
+					EvalResult: celtypes.String("hello\nthere"),
+				},
+			},
+			policyDecision: []PolicyDecision{
+				{
+					Action:  ActionDeny,
+					Message: "test1",
+					Reason:  forbiddenReason,
+				},
+			},
+		},
+		{
+			name: "messageExpression eval result too long",
+			evaluations: []cel.EvaluationResult{
+				{
+					EvalResult: celtypes.False,
+					ExpressionAccessor: &ValidationCondition{
+						Reason:     &forbiddenReason,
+						Expression: "this.expression == unit.test",
+						Message:    "test1",
+					},
+				},
+			},
+			messageEvaluations: []cel.EvaluationResult{
+				{
+					EvalResult: celtypes.String(strings.Repeat("x", 5*1024+1)),
+				},
+			},
+			policyDecision: []PolicyDecision{
+				{
+					Action:  ActionDeny,
+					Message: "test1",
+					Reason:  forbiddenReason,
+				},
+			},
+		},
+		{
+			name: "messageExpression eval to null",
+			evaluations: []cel.EvaluationResult{
+				{
+					EvalResult: celtypes.False,
+					ExpressionAccessor: &ValidationCondition{
+						Reason:     &forbiddenReason,
+						Expression: "this.expression == unit.test",
+						Message:    "test1",
+					},
+				},
+			},
+			messageEvaluations: []cel.EvaluationResult{
+				{
+					EvalResult: celtypes.NullValue,
+				},
+			},
+			policyDecision: []PolicyDecision{
+				{
+					Action:  ActionDeny,
+					Message: "test1",
+					Reason:  forbiddenReason,
+				},
+			},
+		},
+		{
+			name: "messageExpression out of budget after successful eval of expression",
+			evaluations: []cel.EvaluationResult{
+				{
+					EvalResult: celtypes.False,
+					ExpressionAccessor: &ValidationCondition{
+						Reason:     &forbiddenReason,
+						Expression: "this.expression == unit.test",
+						Message:    "test1",
+					},
+				},
+			},
+			messageEvaluations: []cel.EvaluationResult{
+				{
+					EvalResult: celtypes.StringType, // does not matter
+				},
+			},
+			policyDecision: []PolicyDecision{
+				{
+					Action:  ActionDeny,
+					Message: "running out of cost budget",
+				},
+			},
+			costBudget: 1, // shared between expression and messageExpression, needs 1 + 1 = 2 in total
+		},
 	}
 	for _, tc := range cases {
 		t.Run(tc.name, func(t *testing.T) {
@@ -581,13 +828,21 @@ func TestValidate(t *testing.T) {
 					evaluations: tc.evaluations,
 					throwError:  tc.throwError,
 				},
+				messageFilter: &fakeCelFilter{
+					evaluations: tc.messageEvaluations,
+					throwError:  tc.throwError,
+				},
 				auditAnnotationFilter: &fakeCelFilter{
 					evaluations: tc.auditEvaluations,
 					throwError:  tc.throwError,
 				},
 			}
 			ctx := context.TODO()
-			validateResult := v.Validate(ctx, fakeVersionedAttr, nil, celconfig.RuntimeCELCostBudget)
+			var budget int64 = celconfig.RuntimeCELCostBudget
+			if tc.costBudget != 0 {
+				budget = tc.costBudget
+			}
+			validateResult := v.Validate(ctx, fakeVersionedAttr, nil, budget)
 
 			require.Equal(t, len(validateResult.Decisions), len(tc.policyDecision))
 
@@ -630,6 +885,7 @@ func TestContextCanceled(t *testing.T) {
 	v := validator{
 		failPolicy:       &fail,
 		validationFilter: f,
+		messageFilter:    f,
 		auditAnnotationFilter: &fakeCelFilter{
 			evaluations: nil,
 			throwError:  false,

staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1alpha1/validation.go

@@ -28,6 +28,7 @@ type ValidationApplyConfiguration struct {
 	Expression        *string          `json:"expression,omitempty"`
 	Message           *string          `json:"message,omitempty"`
 	Reason            *v1.StatusReason `json:"reason,omitempty"`
+	MessageExpression *string          `json:"messageExpression,omitempty"`
 }
 
 // ValidationApplyConfiguration constructs an declarative configuration of the Validation type for use with
@@ -59,3 +60,11 @@ func (b *ValidationApplyConfiguration) WithReason(value v1.StatusReason) *Valida
 	b.Reason = &value
 	return b
 }
+
+// WithMessageExpression sets the MessageExpression field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the MessageExpression field is set to the value of the last call.
+func (b *ValidationApplyConfiguration) WithMessageExpression(value string) *ValidationApplyConfiguration {
+	b.MessageExpression = &value
+	return b
+}

staging/src/k8s.io/client-go/applyconfigurations/internal/internal.go

@@ -404,6 +404,9 @@ var schemaYAML = typed.YAMLObject(`types:
     - name: message
       type:
         scalar: string
+    - name: messageExpression
+      type:
+        scalar: string
     - name: reason
       type:
         scalar: string