AdmissionRegistration API changes: MatchPolicy

2025-09-03 02:07:38 +00:00 · 2019-05-20 15:06:45 -04:00
parent fc495f457f
commit b6fa0f5b0f
5 changed files with 67 additions and 0 deletions
--- a/pkg/apis/admissionregistration/fuzzer/fuzzer.go
+++ b/pkg/apis/admissionregistration/fuzzer/fuzzer.go
@@ -37,6 +37,8 @@ var Funcs = func(codecs runtimeserializer.CodecFactory) []interface{} {
 			c.FuzzNoCustom(obj) // fuzz self without calling this function again
 			p := admissionregistration.FailurePolicyType("Fail")
 			obj.FailurePolicy = &p
+			m := admissionregistration.MatchPolicyType("Exact")
+			obj.MatchPolicy = &m
 			s := admissionregistration.SideEffectClassUnknown
 			obj.SideEffects = &s
 			if obj.TimeoutSeconds == nil {
--- a/pkg/apis/admissionregistration/types.go
+++ b/pkg/apis/admissionregistration/types.go
@@ -86,6 +86,16 @@ const (
 	Fail FailurePolicyType = "Fail"
 )

+// MatchPolicyType specifies the type of match policy
+type MatchPolicyType string
+
+const (
+	// Exact means requests should only be sent to the webhook if they exactly match a given rule
+	Exact MatchPolicyType = "Exact"
+	// Equivalent means requests should be sent to the webhook if they modify a resource listed in rules via another API group or version.
+	Equivalent MatchPolicyType = "Equivalent"
+)
+
 // SideEffectClass denotes the type of side effects resulting from calling the webhook
 type SideEffectClass string

@@ -177,6 +187,22 @@ type Webhook struct {
 	// +optional
 	FailurePolicy *FailurePolicyType

+	// matchPolicy defines how the "rules" list is used to match incoming requests.
+	// Allowed values are "Exact" or "Equivalent".
+	//
+	// - Exact: match a request only if it exactly matches a specified rule.
+	// For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,
+	// but "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`,
+	// a request to apps/v1beta1 or extensions/v1beta1 would not be sent to the webhook.
+	//
+	// - Equivalent: match a request if modifies a resource listed in rules, even via another API group or version.
+	// For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,
+	// and "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`,
+	// a request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the webhook.
+	//
+	// +optional
+	MatchPolicy *MatchPolicyType
+
 	// NamespaceSelector decides whether to run the webhook on an object based
 	// on whether the namespace for that object matches the selector. If the
 	// object itself is a namespace, the matching is performed on
--- a/pkg/apis/admissionregistration/v1beta1/defaults.go
+++ b/pkg/apis/admissionregistration/v1beta1/defaults.go
@@ -32,6 +32,10 @@ func SetDefaults_Webhook(obj *admissionregistrationv1beta1.Webhook) {
 		policy := admissionregistrationv1beta1.Ignore
 		obj.FailurePolicy = &policy
 	}
+	if obj.MatchPolicy == nil {
+		policy := admissionregistrationv1beta1.Exact
+		obj.MatchPolicy = &policy
+	}
 	if obj.NamespaceSelector == nil {
 		selector := metav1.LabelSelector{}
 		obj.NamespaceSelector = &selector
--- a/pkg/apis/admissionregistration/validation/validation.go
+++ b/pkg/apis/admissionregistration/validation/validation.go
@@ -231,6 +231,9 @@ func validateWebhook(hook *admissionregistration.Webhook, fldPath *field.Path) f
 	if hook.FailurePolicy != nil && !supportedFailurePolicies.Has(string(*hook.FailurePolicy)) {
 		allErrors = append(allErrors, field.NotSupported(fldPath.Child("failurePolicy"), *hook.FailurePolicy, supportedFailurePolicies.List()))
 	}
+	if hook.MatchPolicy != nil && !supportedMatchPolicies.Has(string(*hook.MatchPolicy)) {
+		allErrors = append(allErrors, field.NotSupported(fldPath.Child("matchPolicy"), *hook.MatchPolicy, supportedMatchPolicies.List()))
+	}
 	if hook.SideEffects != nil && !supportedSideEffectClasses.Has(string(*hook.SideEffects)) {
 		allErrors = append(allErrors, field.NotSupported(fldPath.Child("sideEffects"), *hook.SideEffects, supportedSideEffectClasses.List()))
 	}
@@ -259,6 +262,11 @@ var supportedFailurePolicies = sets.NewString(
 	string(admissionregistration.Fail),
 )

+var supportedMatchPolicies = sets.NewString(
+	string(admissionregistration.Exact),
+	string(admissionregistration.Equivalent),
+)
+
 var supportedSideEffectClasses = sets.NewString(
 	string(admissionregistration.SideEffectClassUnknown),
 	string(admissionregistration.SideEffectClassNone),
--- a/staging/src/k8s.io/api/admissionregistration/v1beta1/types.go
+++ b/staging/src/k8s.io/api/admissionregistration/v1beta1/types.go
@@ -84,6 +84,16 @@ const (
 	Fail FailurePolicyType = "Fail"
 )

+// MatchPolicyType specifies the type of match policy
+type MatchPolicyType string
+
+const (
+	// Exact means requests should only be sent to the webhook if they exactly match a given rule
+	Exact MatchPolicyType = "Exact"
+	// Equivalent means requests should be sent to the webhook if they modify a resource listed in rules via another API group or version.
+	Equivalent MatchPolicyType = "Equivalent"
+)
+
 type SideEffectClass string

 const (
@@ -186,6 +196,23 @@ type Webhook struct {
 	// +optional
 	FailurePolicy *FailurePolicyType `json:"failurePolicy,omitempty" protobuf:"bytes,4,opt,name=failurePolicy,casttype=FailurePolicyType"`

+	// matchPolicy defines how the "rules" list is used to match incoming requests.
+	// Allowed values are "Exact" or "Equivalent".
+	//
+	// - Exact: match a request only if it exactly matches a specified rule.
+	// For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,
+	// but "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`,
+	// a request to apps/v1beta1 or extensions/v1beta1 would not be sent to the webhook.
+	//
+	// - Equivalent: match a request if modifies a resource listed in rules, even via another API group or version.
+	// For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,
+	// and "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`,
+	// a request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the webhook.
+	//
+	// Defaults to "Exact"
+	// +optional
+	MatchPolicy *MatchPolicyType `json:"matchPolicy,omitempty" protobuf:"bytes,9,opt,name=matchPolicy,casttype=MatchPolicyType"`
+
 	// NamespaceSelector decides whether to run the webhook on an object based
 	// on whether the namespace for that object matches the selector. If the
 	// object itself is a namespace, the matching is performed on