From a000af25ff3bcc79fe7d8da299225ad252c9894a Mon Sep 17 00:00:00 2001
From: Jordan Liggitt <liggitt@google.com>
Date: Thu, 2 Nov 2023 13:54:39 -0400
Subject: [PATCH] Require match condition version only if matchConditions are
 specified

---
 .../apiserver/pkg/apis/apiserver/validation/validation.go     | 4 +++-
 .../pkg/apis/apiserver/validation/validation_test.go          | 1 +
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/staging/src/k8s.io/apiserver/pkg/apis/apiserver/validation/validation.go b/staging/src/k8s.io/apiserver/pkg/apis/apiserver/validation/validation.go
index 7b22a200f96..843324085cf 100644
--- a/staging/src/k8s.io/apiserver/pkg/apis/apiserver/validation/validation.go
+++ b/staging/src/k8s.io/apiserver/pkg/apis/apiserver/validation/validation.go
@@ -512,7 +512,9 @@ func ValidateWebhookConfiguration(fldPath *field.Path, c *api.WebhookConfigurati
 
 	switch c.MatchConditionSubjectAccessReviewVersion {
 	case "":
-		allErrs = append(allErrs, field.Required(fldPath.Child("matchConditionSubjectAccessReviewVersion"), ""))
+		if len(c.MatchConditions) > 0 {
+			allErrs = append(allErrs, field.Required(fldPath.Child("matchConditionSubjectAccessReviewVersion"), "required if match conditions are specified"))
+		}
 	case "v1":
 		_ = &v1.SubjectAccessReview{}
 	default:
diff --git a/staging/src/k8s.io/apiserver/pkg/apis/apiserver/validation/validation_test.go b/staging/src/k8s.io/apiserver/pkg/apis/apiserver/validation/validation_test.go
index ca688a0bee5..4be785d6a2d 100644
--- a/staging/src/k8s.io/apiserver/pkg/apis/apiserver/validation/validation_test.go
+++ b/staging/src/k8s.io/apiserver/pkg/apis/apiserver/validation/validation_test.go
@@ -1438,6 +1438,7 @@ func TestValidateAuthorizationConfiguration(t *testing.T) {
 							ConnectionInfo: api.WebhookConnectionInfo{
 								Type: "InClusterConfig",
 							},
+							MatchConditions: []api.WebhookMatchCondition{{Expression: "true"}},
 						},
 					},
 				},