Merge pull request #130931 from nojnhuh/dra-vap-e2e

Remove unused VAP for DRA admin access e2e test
2025-07-23 03:41:45 +00:00 · 2025-03-20 01:36:51 -07:00 · 2025-03-20 01:36:51 -07:00 · 6b8e5a9457
commit 6b8e5a9457
parent 10bdb0a155 7d74a504ca
1 changed files with 0 additions and 71 deletions
--- a/test/e2e/dra/test-driver/deploy/example/admin-access-policy.yaml
+++ b/test/e2e/dra/test-driver/deploy/example/admin-access-policy.yaml
@ -1,71 +0,0 @@
 # This example shows how to use a validating admission policy (VAP)
 # to control who may use "admin access", a privileged mode which
 # grants access to devices which are currently in use, potentially
 # by some other user.
 #
 # The policy applies in any namespace which does not have the
 # "admin-access.dra.example.com" label. Other ways of making that decision are
 # also possible.
 #
 # Cluster administrators need to adapt at least the names and replace
 # "dra.example.com".
 apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingAdmissionPolicy
 metadata:
  name: resourceclaim-policy.dra.example.com
 spec:
  failurePolicy: Fail
  matchConstraints:
    resourceRules:
    - apiGroups:   ["resource.k8s.io"]
      apiVersions: ["v1alpha3", "v1beta1"]
      operations:  ["CREATE", "UPDATE"]
      resources:   ["resourceclaims"]
  validations:
    - expression: '! object.spec.devices.requests.exists(e, has(e.adminAccess) && e.adminAccess)'
      reason: Forbidden
      messageExpression: '"admin access to devices not enabled in namespace " + namespaceObject.metadata.name'
 ---
 apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingAdmissionPolicyBinding
 metadata:
  name: resourceclaim-binding.dra.example.com
 spec:
  policyName:  resourceclaim-policy.dra.example.com
  validationActions: [Deny]
  matchResources:
    namespaceSelector:
      matchExpressions:
      - key: admin-access.dra.example.com
        operator: DoesNotExist
 ---
 apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingAdmissionPolicy
 metadata:
  name: resourceclaimtemplate-policy.dra.example.com
 spec:
  failurePolicy: Fail
  matchConstraints:
    resourceRules:
    - apiGroups:   ["resource.k8s.io"]
      apiVersions: ["v1alpha3", "v1beta1"]
      operations:  ["CREATE", "UPDATE"]
      resources:   ["resourceclaimtemplates"]
  validations:
    - expression: '! object.spec.spec.devices.requests.exists(e, has(e.adminAccess) && e.adminAccess)'
      reason: Forbidden
      messageExpression: '"admin access to devices not enabled in namespace " + namespaceObject.metadata.name'
 ---
 apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingAdmissionPolicyBinding
 metadata:
  name: resourceclaimtemplate-binding.dra.example.com
 spec:
  policyName:  resourceclaimtemplate-policy.dra.example.com
  validationActions: [Deny]
  matchResources:
    namespaceSelector:
      matchExpressions:
      - key: admin-access.dra.example.com
        operator: DoesNotExist