From 65460b14d2b9ea20aaf2c6fece191af53ae57249 Mon Sep 17 00:00:00 2001
From: Joe Betz
Date: Tue, 8 Nov 2022 13:49:50 -0500
Subject: [PATCH] Fix params to be null instead of an empty map if paramRef is null
---
 .../pkg/admission/plugin/cel/validator.go | 2 +-
 .../admission/plugin/cel/validator_test.go | 35 +++++++++++++++++++
 2 files changed, 36 insertions(+), 1 deletion(-)
diff --git a/staging/src/k8s.io/apiserver/pkg/admission/plugin/cel/validator.go b/staging/src/k8s.io/apiserver/pkg/admission/plugin/cel/validator.go
index 3284f01de2b..81690dc9a84 100644
--- a/staging/src/k8s.io/apiserver/pkg/admission/plugin/cel/validator.go
+++ b/staging/src/k8s.io/apiserver/pkg/admission/plugin/cel/validator.go
@@ -146,7 +146,7 @@ func convertObjectToUnstructured(obj interface{}) (*unstructured.Unstructured, e
 }
 
 func objectToResolveVal(r runtime.Object) (interface{}, error) {
- if r == nil {
+ if r == nil || reflect.ValueOf(r).IsNil() {
 return nil, nil
 }
 v, err := convertObjectToUnstructured(r)
diff --git a/staging/src/k8s.io/apiserver/pkg/admission/plugin/cel/validator_test.go b/staging/src/k8s.io/apiserver/pkg/admission/plugin/cel/validator_test.go
index 4d669173526..713600cefcb 100644
--- a/staging/src/k8s.io/apiserver/pkg/admission/plugin/cel/validator_test.go
+++ b/staging/src/k8s.io/apiserver/pkg/admission/plugin/cel/validator_test.go
@@ -263,6 +263,8 @@ func TestValidate(t *testing.T) {
 },
 }
 
+ var nilUnstructured *unstructured.Unstructured
+
 cases := []struct {
 name string
 policy *v1alpha1.ValidatingAdmissionPolicy
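Review bot: In objectToResolveVal, the new `reflect.ValueOf(r).IsNil()` call panics when the dynamic type of `r` is not a nilable kind (for example a struct value that implements runtime.Object with value receivers), so the guard can turn a wrong-params result into a panic in the admission path. Checking the kind first keeps it safe: `if r == nil { return nil, nil }` followed by `if v := reflect.ValueOf(r); v.Kind() == reflect.Ptr && v.IsNil() { return nil, nil }`. A one-line comment such as `// r may be a non-nil interface holding a nil pointer when paramRef is unset` would also explain why the plain nil check is not enough. The function body continues past the end of the hunk, and the hunk does not show whether reflect is already imported in validator.go.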
@@ -502,6 +504,39 @@ func TestValidate(t *testing.T) {
 generatedDecision(admit, "", ""),
 },
 },
+ {
+ name: "test deny paramKind without paramRef",
+ policy: getValidPolicy([]v1alpha1.Validation{
+ {
+ Expression: "params != null",
+ Reason: forbiddenReason,
+ Message: "params as required",
+ },
+ }, hasParamKind, nil),
+ attributes: newValidAttribute(nil, true),
+ // Simulate a interface holding a nil pointer, since this is how param is passed to Validate
+ // if paramRef is unset on a binding
+ params: runtime.Object(nilUnstructured),
+ policyDecisions: []policyDecision{
+ generatedDecision(deny, "params as required", metav1.StatusReasonForbidden),
+ },
+ },
+ {
+ name: "test allow paramKind without paramRef",
+ policy: getValidPolicy([]v1alpha1.Validation{
+ {
+ Expression: "params == null",
+ Reason: forbiddenReason,
+ },
+ }, hasParamKind, nil),
+ attributes: newValidAttribute(nil, true),
+ // Simulate a interface holding a nil pointer, since this is how param is passed to Validate
+ // if paramRef is unset on a binding
+ params: runtime.Object(nilUnstructured),
+ policyDecisions: []policyDecision{
+ generatedDecision(admit, "", ""),
+ },
+ },
 }
 
 for _, tc := range cases {
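Review bot: Both new cases reach the typed-nil path only through Validate and only with `*unstructured.Unstructured`, so a regression in objectToResolveVal for another runtime.Object implementation would not be caught here. A small direct test of the helper, e.g. `got, err := objectToResolveVal(runtime.Object(nilUnstructured))` asserting `got == nil && err == nil`, would pin the behaviour that the `params == null` / `params != null` policy decisions depend on. The duplicated comment would also read better as `// Simulate an interface holding a nil pointer, since this is how params is passed to Validate`. TestValidate starts and ends outside this hunk.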