AdmissionRegistration API changes: MatchPolicy
@@ -37,6 +37,8 @@ var Funcs = func(codecs runtimeserializer.CodecFactory) []interface{} {
|
|||||||
c.FuzzNoCustom(obj) // fuzz self without calling this function again
|
c.FuzzNoCustom(obj) // fuzz self without calling this function again
|
||||||
p := admissionregistration.FailurePolicyType("Fail")
|
p := admissionregistration.FailurePolicyType("Fail")
|
||||||
obj.FailurePolicy = &p
|
obj.FailurePolicy = &p
|
||||||
|
m := admissionregistration.MatchPolicyType("Exact")
|
||||||
|
obj.MatchPolicy = &m
|
||||||
s := admissionregistration.SideEffectClassUnknown
|
s := admissionregistration.SideEffectClassUnknown
|
||||||
obj.SideEffects = &s
|
obj.SideEffects = &s
|
||||||
if obj.TimeoutSeconds == nil {
|
if obj.TimeoutSeconds == nil {
|
||||||
|
@@ -86,6 +86,16 @@ const (
|
|||||||
Fail FailurePolicyType = "Fail"
|
Fail FailurePolicyType = "Fail"
|
||||||
)
|
)
|
||||||
|
|
||||||
|
// MatchPolicyType specifies the type of match policy
|
||||||
|
type MatchPolicyType string
|
||||||
|
|
||||||
|
const (
|
||||||
|
// Exact means requests should only be sent to the webhook if they exactly match a given rule
|
||||||
|
Exact MatchPolicyType = "Exact"
|
||||||
|
// Equivalent means requests should be sent to the webhook if they modify a resource listed in rules via another API group or version.
|
||||||
|
Equivalent MatchPolicyType = "Equivalent"
|
||||||
|
)
|
||||||
|
|
||||||
// SideEffectClass denotes the type of side effects resulting from calling the webhook
|
// SideEffectClass denotes the type of side effects resulting from calling the webhook
|
||||||
type SideEffectClass string
|
type SideEffectClass string
|
||||||
|
|
||||||
@@ -177,6 +187,22 @@ type Webhook struct {
|
|||||||
// +optional
|
// +optional
|
||||||
FailurePolicy *FailurePolicyType
|
FailurePolicy *FailurePolicyType
|
||||||
|
|
||||||
|
// matchPolicy defines how the "rules" list is used to match incoming requests.
|
||||||
|
// Allowed values are "Exact" or "Equivalent".
|
||||||
|
//
|
||||||
|
// - Exact: match a request only if it exactly matches a specified rule.
|
||||||
|
// For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,
|
||||||
|
// but "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`,
|
||||||
|
// a request to apps/v1beta1 or extensions/v1beta1 would not be sent to the webhook.
|
||||||
|
//
|
||||||
|
// - Equivalent: match a request if modifies a resource listed in rules, even via another API group or version.
|
||||||
|
// For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,
|
||||||
|
// and "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`,
|
||||||
|
// a request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the webhook.
|
||||||
|
//
|
||||||
|
// +optional
|
||||||
|
MatchPolicy *MatchPolicyType
|
||||||
|
|
||||||
// NamespaceSelector decides whether to run the webhook on an object based
|
// NamespaceSelector decides whether to run the webhook on an object based
|
||||||
// on whether the namespace for that object matches the selector. If the
|
// on whether the namespace for that object matches the selector. If the
|
||||||
// object itself is a namespace, the matching is performed on
|
// object itself is a namespace, the matching is performed on
|
||||||
|
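Review bot: The added matchPolicy comment on the Webhook struct has a grammar slip in the Equivalent bullet, `match a request if modifies a resource`, which should read `match a request if it modifies a resource listed in rules, even via another API group or version.`; the same sentence appears in the versioned Webhook struct in the last hunk on this page. This internal copy also omits the `Defaults to "Exact"` line that the versioned comment carries; if that is deliberate because defaulting happens only on the versioned type, a short remark saying so would stop readers assuming there is no default. Because the Exact example is the case where a request is not sent to the webhook at all, I would state that consequence directly, e.g. `// With Exact, a request made through a group/version not listed in "rules" is not sent to this webhook.` The struct begins and ends outside the hunk.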
@@ -32,6 +32,10 @@ func SetDefaults_Webhook(obj *admissionregistrationv1beta1.Webhook) {
|
|||||||
policy := admissionregistrationv1beta1.Ignore
|
policy := admissionregistrationv1beta1.Ignore
|
||||||
obj.FailurePolicy = &policy
|
obj.FailurePolicy = &policy
|
||||||
}
|
}
|
||||||
|
if obj.MatchPolicy == nil {
|
||||||
|
policy := admissionregistrationv1beta1.Exact
|
||||||
|
obj.MatchPolicy = &policy
|
||||||
|
}
|
||||||
if obj.NamespaceSelector == nil {
|
if obj.NamespaceSelector == nil {
|
||||||
selector := metav1.LabelSelector{}
|
selector := metav1.LabelSelector{}
|
||||||
obj.NamespaceSelector = &selector
|
obj.NamespaceSelector = &selector
|
||||||
|
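Review bot: Defaulting `MatchPolicy` to `Exact` in SetDefaults_Webhook means a webhook whose rules name a single group/version is not called when the same resource is written through another served group/version, which is the case the field's own doc comment describes as "would not be sent to the webhook". For a webhook used to enforce policy that is a gap operators need to know about, and nothing at the default explains why `Exact` was chosen (presumably to keep rule matching as it was before the field existed). I would put a why-comment on the new branch, e.g. `// Exact keeps the existing rule matching: requests via a group/version not listed in rules are not sent to the webhook.` The function body continues outside the hunk.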
@@ -231,6 +231,9 @@ func validateWebhook(hook *admissionregistration.Webhook, fldPath *field.Path) f
|
|||||||
if hook.FailurePolicy != nil && !supportedFailurePolicies.Has(string(*hook.FailurePolicy)) {
|
if hook.FailurePolicy != nil && !supportedFailurePolicies.Has(string(*hook.FailurePolicy)) {
|
||||||
allErrors = append(allErrors, field.NotSupported(fldPath.Child("failurePolicy"), *hook.FailurePolicy, supportedFailurePolicies.List()))
|
allErrors = append(allErrors, field.NotSupported(fldPath.Child("failurePolicy"), *hook.FailurePolicy, supportedFailurePolicies.List()))
|
||||||
}
|
}
|
||||||
|
if hook.MatchPolicy != nil && !supportedMatchPolicies.Has(string(*hook.MatchPolicy)) {
|
||||||
|
allErrors = append(allErrors, field.NotSupported(fldPath.Child("matchPolicy"), *hook.MatchPolicy, supportedMatchPolicies.List()))
|
||||||
|
}
|
||||||
if hook.SideEffects != nil && !supportedSideEffectClasses.Has(string(*hook.SideEffects)) {
|
if hook.SideEffects != nil && !supportedSideEffectClasses.Has(string(*hook.SideEffects)) {
|
||||||
allErrors = append(allErrors, field.NotSupported(fldPath.Child("sideEffects"), *hook.SideEffects, supportedSideEffectClasses.List()))
|
allErrors = append(allErrors, field.NotSupported(fldPath.Child("sideEffects"), *hook.SideEffects, supportedSideEffectClasses.List()))
|
||||||
}
|
}
|
||||||
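Review bot: The new check in validateWebhook accepts a nil `hook.MatchPolicy`, so validation alone does not guarantee the field is set; on this page only the v1beta1 defaulting fills it in. Code that later reads `MatchPolicy` from the internal type should treat nil as `Exact` rather than dereference it, and a comment here such as `// nil is allowed; v1beta1 defaulting sets it to Exact` would make that contract visible. No validation test for an unsupported value is visible in these hunks; a case with a constructed value such as `"invalid"` expecting `field.NotSupported` on `matchPolicy` would pin this branch. validateWebhook starts and ends outside the hunk.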
@@ -259,6 +262,11 @@ var supportedFailurePolicies = sets.NewString(
|
|||||||
string(admissionregistration.Fail),
|
string(admissionregistration.Fail),
|
||||||
)
|
)
|
||||||
|
|
||||||
|
var supportedMatchPolicies = sets.NewString(
|
||||||
|
string(admissionregistration.Exact),
|
||||||
|
string(admissionregistration.Equivalent),
|
||||||
|
)
|
||||||
|
|
||||||
var supportedSideEffectClasses = sets.NewString(
|
var supportedSideEffectClasses = sets.NewString(
|
||||||
string(admissionregistration.SideEffectClassUnknown),
|
string(admissionregistration.SideEffectClassUnknown),
|
||||||
string(admissionregistration.SideEffectClassNone),
|
string(admissionregistration.SideEffectClassNone),
|
||||||
|
@@ -84,6 +84,16 @@ const (
|
|||||||
Fail FailurePolicyType = "Fail"
|
Fail FailurePolicyType = "Fail"
|
||||||
)
|
)
|
||||||
|
|
||||||
|
// MatchPolicyType specifies the type of match policy
|
||||||
|
type MatchPolicyType string
|
||||||
|
|
||||||
|
const (
|
||||||
|
// Exact means requests should only be sent to the webhook if they exactly match a given rule
|
||||||
|
Exact MatchPolicyType = "Exact"
|
||||||
|
// Equivalent means requests should be sent to the webhook if they modify a resource listed in rules via another API group or version.
|
||||||
|
Equivalent MatchPolicyType = "Equivalent"
|
||||||
|
)
|
||||||
|
|
||||||
type SideEffectClass string
|
type SideEffectClass string
|
||||||
|
|
||||||
const (
|
const (
|
||||||
@@ -186,6 +196,23 @@ type Webhook struct {
|
|||||||
// +optional
|
// +optional
|
||||||
FailurePolicy *FailurePolicyType `json:"failurePolicy,omitempty" protobuf:"bytes,4,opt,name=failurePolicy,casttype=FailurePolicyType"`
|
FailurePolicy *FailurePolicyType `json:"failurePolicy,omitempty" protobuf:"bytes,4,opt,name=failurePolicy,casttype=FailurePolicyType"`
|
||||||
|
|
||||||
|
// matchPolicy defines how the "rules" list is used to match incoming requests.
|
||||||
|
// Allowed values are "Exact" or "Equivalent".
|
||||||
|
//
|
||||||
|
// - Exact: match a request only if it exactly matches a specified rule.
|
||||||
|
// For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,
|
||||||
|
// but "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`,
|
||||||
|
// a request to apps/v1beta1 or extensions/v1beta1 would not be sent to the webhook.
|
||||||
|
//
|
||||||
|
// - Equivalent: match a request if modifies a resource listed in rules, even via another API group or version.
|
||||||
|
// For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,
|
||||||
|
// and "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`,
|
||||||
|
// a request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the webhook.
|
||||||
|
//
|
||||||
|
// Defaults to "Exact"
|
||||||
|
// +optional
|
||||||
|
MatchPolicy *MatchPolicyType `json:"matchPolicy,omitempty" protobuf:"bytes,9,opt,name=matchPolicy,casttype=MatchPolicyType"`
|
||||||
|
|
||||||
// NamespaceSelector decides whether to run the webhook on an object based
|
// NamespaceSelector decides whether to run the webhook on an object based
|
||||||
// on whether the namespace for that object matches the selector. If the
|
// on whether the namespace for that object matches the selector. If the
|
||||||
// object itself is a namespace, the matching is performed on
|
// object itself is a namespace, the matching is performed on
|
||||||
|