Merge pull request #129207 from Jefftree/remove-vap-alpha

Remove v1alpha1 admissionregistration APIs (ValidatingAdmissionPolicies & ValidatingAdmissionPolicyBindings)
2025-08-05 02:09:56 +00:00 · 2024-12-17 18:52:59 +01:00 · 2024-12-17 18:52:59 +01:00 · cc03c6058b
commit cc03c6058b
parent 58aafb61d4 3cd1c8dd2d
4 changed files with 46 additions and 82 deletions
--- a/pkg/registry/admissionregistration/rest/storage_apiserver.go
+++ b/pkg/registry/admissionregistration/rest/storage_apiserver.go
@ -130,26 +130,6 @@ func (p RESTStorageProvider) v1alpha1Storage(apiResourceConfigSource serverstora
 		return storage, err
 	}

-	// validatingadmissionpolicies
-	if resource := "validatingadmissionpolicies"; apiResourceConfigSource.ResourceEnabled(admissionregistrationv1alpha1.SchemeGroupVersion.WithResource(resource)) {
-		policyStorage, policyStatusStorage, err := validatingadmissionpolicystorage.NewREST(restOptionsGetter, p.Authorizer, r)
-		if err != nil {
-			return storage, err
-		}
-		policyGetter = policyStorage
-		storage[resource] = policyStorage
-		storage[resource+"/status"] = policyStatusStorage
-	}
-
-	// validatingadmissionpolicybindings
-	if resource := "validatingadmissionpolicybindings"; apiResourceConfigSource.ResourceEnabled(admissionregistrationv1alpha1.SchemeGroupVersion.WithResource(resource)) {
-		policyBindingStorage, err := policybindingstorage.NewREST(restOptionsGetter, p.Authorizer, &policybindingstorage.DefaultPolicyGetter{Getter: policyGetter}, r)
-		if err != nil {
-			return storage, err
-		}
-		storage[resource] = policyBindingStorage
-	}
-
 	// mutatingadmissionpolicies
 	if resource := "mutatingadmissionpolicies"; apiResourceConfigSource.ResourceEnabled(admissionregistrationv1alpha1.SchemeGroupVersion.WithResource(resource)) {
 		policyStorage, err := mutatingadmissionpolicystorage.NewREST(restOptionsGetter, p.Authorizer, r)
--- a/test/integration/apiserver/cel/admission_policy_test.go
+++ b/test/integration/apiserver/cel/admission_policy_test.go
@ -31,7 +31,7 @@ import (
 	apiextensionsclientset "k8s.io/apiextensions-apiserver/pkg/client/clientset/clientset"
 	apiservertesting "k8s.io/kubernetes/cmd/kube-apiserver/app/testing"
 	"k8s.io/kubernetes/pkg/apis/admissionregistration"
-	admissionregistrationv1alpha1apis "k8s.io/kubernetes/pkg/apis/admissionregistration/v1alpha1"
+	admissionregistrationv1apis "k8s.io/kubernetes/pkg/apis/admissionregistration/v1"
 	admissionregistrationv1beta1apis "k8s.io/kubernetes/pkg/apis/admissionregistration/v1beta1"
 	"k8s.io/kubernetes/test/integration/etcd"
 	"k8s.io/kubernetes/test/integration/framework"
@ -43,7 +43,6 @@ import (
 	clientset "k8s.io/client-go/kubernetes"

 	admissionregistrationv1 "k8s.io/api/admissionregistration/v1"
-	admissionregistrationv1alpha1 "k8s.io/api/admissionregistration/v1alpha1"
 	admissionregistrationv1beta1 "k8s.io/api/admissionregistration/v1beta1"
 )

@ -282,22 +281,22 @@ func createV1beta1ValidatingPolicyAndBinding(client clientset.Interface, convert
 	return nil
 }

-func createV1alpha1ValidatingPolicyAndBinding(client clientset.Interface, convertedRules []admissionregistrationv1alpha1.NamedRuleWithOperations) error {
-	exact := admissionregistrationv1alpha1.Exact
-	equivalent := admissionregistrationv1alpha1.Equivalent
-	denyAction := admissionregistrationv1alpha1.DenyAction
+func createV1ValidatingPolicyAndBinding(client clientset.Interface, convertedRules []admissionregistrationv1.NamedRuleWithOperations) error {
+	exact := admissionregistrationv1.Exact
+	equivalent := admissionregistrationv1.Equivalent
+	denyAction := admissionregistrationv1.DenyAction

-	var outSpec admissionregistrationv1alpha1.ValidatingAdmissionPolicy
-	if err := admissionregistrationv1alpha1apis.Convert_admissionregistration_ValidatingAdmissionPolicy_To_v1alpha1_ValidatingAdmissionPolicy(&testSpec, &outSpec, nil); err != nil {
+	var outSpec admissionregistrationv1.ValidatingAdmissionPolicy
+	if err := admissionregistrationv1apis.Convert_admissionregistration_ValidatingAdmissionPolicy_To_v1_ValidatingAdmissionPolicy(&testSpec, &outSpec, nil); err != nil {
 		return err
 	}

 	exactPolicyTemplate := outSpec.DeepCopy()
 	convertedPolicyTemplate := outSpec.DeepCopy()

-	exactPolicyTemplate.SetName("test-policy-v1alpha1")
-	exactPolicyTemplate.Spec.MatchConstraints = &admissionregistrationv1alpha1.MatchResources{
-		ResourceRules: []admissionregistrationv1alpha1.NamedRuleWithOperations{
+	exactPolicyTemplate.SetName("test-policy-v1")
+	exactPolicyTemplate.Spec.MatchConstraints = &admissionregistrationv1.MatchResources{
+		ResourceRules: []admissionregistrationv1.NamedRuleWithOperations{
 			{
 				RuleWithOperations: admissionregistrationv1.RuleWithOperations{
 					Operations: []admissionregistrationv1.OperationType{admissionregistrationv1.OperationAll},
@ -308,18 +307,18 @@ func createV1alpha1ValidatingPolicyAndBinding(client clientset.Interface, conver
 		MatchPolicy: &exact,
 	}

-	convertedPolicyTemplate.SetName("test-policy-v1alpha1-convert")
-	convertedPolicyTemplate.Spec.MatchConstraints = &admissionregistrationv1alpha1.MatchResources{
+	convertedPolicyTemplate.SetName("test-policy-v1-convert")
+	convertedPolicyTemplate.Spec.MatchConstraints = &admissionregistrationv1.MatchResources{
 		ResourceRules: convertedRules,
 		MatchPolicy:   &equivalent,
 	}

-	exactPolicy, err := client.AdmissionregistrationV1alpha1().ValidatingAdmissionPolicies().Create(context.TODO(), exactPolicyTemplate, metav1.CreateOptions{})
+	exactPolicy, err := client.AdmissionregistrationV1().ValidatingAdmissionPolicies().Create(context.TODO(), exactPolicyTemplate, metav1.CreateOptions{})
 	if err != nil {
 		return err
 	}

-	convertPolicy, err := client.AdmissionregistrationV1alpha1().ValidatingAdmissionPolicies().Create(context.TODO(), convertedPolicyTemplate, metav1.CreateOptions{})
+	convertPolicy, err := client.AdmissionregistrationV1().ValidatingAdmissionPolicies().Create(context.TODO(), convertedPolicyTemplate, metav1.CreateOptions{})
 	if err != nil {
 		return err
 	}
@ -327,14 +326,14 @@ func createV1alpha1ValidatingPolicyAndBinding(client clientset.Interface, conver
 	// Create a param that holds the options for this
 	configuration, err := client.CoreV1().ConfigMaps("default").Create(context.TODO(), &corev1.ConfigMap{
 		ObjectMeta: metav1.ObjectMeta{
-			Name:      "test-policy-v1alpha1-param",
+			Name:      "test-policy-v1-param",
 			Namespace: "default",
 			Annotations: map[string]string{
 				"skipMatch": "yes",
 			},
 		},
 		Data: map[string]string{
-			"version": "v1alpha1",
+			"version": "v1",
 			"phase":   validation,
 			"convert": "false",
 		},
@ -345,14 +344,14 @@ func createV1alpha1ValidatingPolicyAndBinding(client clientset.Interface, conver

 	configurationConvert, err := client.CoreV1().ConfigMaps("default").Create(context.TODO(), &corev1.ConfigMap{
 		ObjectMeta: metav1.ObjectMeta{
-			Name:      "test-policy-v1alpha1-convert-param",
+			Name:      "test-policy-v1-convert-param",
 			Namespace: "default",
 			Annotations: map[string]string{
 				"skipMatch": "yes",
 			},
 		},
 		Data: map[string]string{
-			"version": "v1alpha1",
+			"version": "v1",
 			"phase":   validation,
 			"convert": "true",
 		},
@ -361,14 +360,14 @@ func createV1alpha1ValidatingPolicyAndBinding(client clientset.Interface, conver
 		return err
 	}

-	_, err = client.AdmissionregistrationV1alpha1().ValidatingAdmissionPolicyBindings().Create(context.TODO(), &admissionregistrationv1alpha1.ValidatingAdmissionPolicyBinding{
+	_, err = client.AdmissionregistrationV1().ValidatingAdmissionPolicyBindings().Create(context.TODO(), &admissionregistrationv1.ValidatingAdmissionPolicyBinding{
 		ObjectMeta: metav1.ObjectMeta{
-			Name: "test-policy-v1alpha1-binding",
+			Name: "test-policy-v1-binding",
 		},
-		Spec: admissionregistrationv1alpha1.ValidatingAdmissionPolicyBindingSpec{
+		Spec: admissionregistrationv1.ValidatingAdmissionPolicyBindingSpec{
 			PolicyName:        exactPolicy.GetName(),
-			ValidationActions: []admissionregistrationv1alpha1.ValidationAction{admissionregistrationv1alpha1.Warn},
-			ParamRef: &admissionregistrationv1alpha1.ParamRef{
+			ValidationActions: []admissionregistrationv1.ValidationAction{admissionregistrationv1.Warn},
+			ParamRef: &admissionregistrationv1.ParamRef{
 				Name:                    configuration.GetName(),
 				Namespace:               configuration.GetNamespace(),
 				ParameterNotFoundAction: &denyAction,
@ -378,14 +377,14 @@ func createV1alpha1ValidatingPolicyAndBinding(client clientset.Interface, conver
 	if err != nil {
 		return err
 	}
-	_, err = client.AdmissionregistrationV1alpha1().ValidatingAdmissionPolicyBindings().Create(context.TODO(), &admissionregistrationv1alpha1.ValidatingAdmissionPolicyBinding{
+	_, err = client.AdmissionregistrationV1().ValidatingAdmissionPolicyBindings().Create(context.TODO(), &admissionregistrationv1.ValidatingAdmissionPolicyBinding{
 		ObjectMeta: metav1.ObjectMeta{
-			Name: "test-policy-v1alpha1-convert-binding",
+			Name: "test-policy-v1-convert-binding",
 		},
-		Spec: admissionregistrationv1alpha1.ValidatingAdmissionPolicyBindingSpec{
+		Spec: admissionregistrationv1.ValidatingAdmissionPolicyBindingSpec{
 			PolicyName:        convertPolicy.GetName(),
-			ValidationActions: []admissionregistrationv1alpha1.ValidationAction{admissionregistrationv1alpha1.Warn},
-			ParamRef: &admissionregistrationv1alpha1.ParamRef{
+			ValidationActions: []admissionregistrationv1.ValidationAction{admissionregistrationv1.Warn},
+			ParamRef: &admissionregistrationv1.ParamRef{
 				Name:                    configurationConvert.GetName(),
 				Namespace:               configurationConvert.GetNamespace(),
 				ParameterNotFoundAction: &denyAction,
@ -405,10 +404,6 @@ func createV1alpha1ValidatingPolicyAndBinding(client clientset.Interface, conver
 // This test tries to mirror very closely the same test for webhook admission
 // test/integration/apiserver/admissionwebhook/admission_test.go testWebhookAdmission
 func TestPolicyAdmission(t *testing.T) {
-	// KUBE_APISERVER_SERVE_REMOVED_APIS_FOR_ONE_RELEASE allows for APIs pending removal to not block tests
-	// TODO: Remove this line once admissionregistration v1alpha1 types to be removed in 1.32 are fully removed
-	t.Setenv("KUBE_APISERVER_SERVE_REMOVED_APIS_FOR_ONE_RELEASE", "true")
-
 	holder := &policyExpectationHolder{
 		holder: holder{
 			t:                 t,
@ -505,7 +500,7 @@ func TestPolicyAdmission(t *testing.T) {
 	convertedResources := map[string]schema.GroupVersionResource{}
 	// build the webhook rules enumerating the specific group/version/resources we want
 	convertedV1beta1Rules := []admissionregistrationv1beta1.NamedRuleWithOperations{}
-	convertedV1alpha1Rules := []admissionregistrationv1alpha1.NamedRuleWithOperations{}
+	convertedV1Rules := []admissionregistrationv1.NamedRuleWithOperations{}
 	for _, gvr := range gvrsToTest {
 		metaGVR := metav1.GroupVersionResource{Group: gvr.Group, Version: gvr.Version, Resource: gvr.Resource}

@ -522,10 +517,10 @@ func TestPolicyAdmission(t *testing.T) {
 					Rule:       admissionregistrationv1beta1.Rule{APIGroups: []string{gvr.Group}, APIVersions: []string{gvr.Version}, Resources: []string{gvr.Resource}},
 				},
 			})
-			convertedV1alpha1Rules = append(convertedV1alpha1Rules, admissionregistrationv1alpha1.NamedRuleWithOperations{
+			convertedV1Rules = append(convertedV1Rules, admissionregistrationv1.NamedRuleWithOperations{
 				RuleWithOperations: admissionregistrationv1.RuleWithOperations{
-					Operations: []admissionregistrationv1alpha1.OperationType{admissionregistrationv1alpha1.OperationAll},
-					Rule:       admissionregistrationv1alpha1.Rule{APIGroups: []string{gvr.Group}, APIVersions: []string{gvr.Version}, Resources: []string{gvr.Resource}},
+					Operations: []admissionregistrationv1.OperationType{admissionregistrationv1.OperationAll},
+					Rule:       admissionregistrationv1.Rule{APIGroups: []string{gvr.Group}, APIVersions: []string{gvr.Version}, Resources: []string{gvr.Resource}},
 				},
 			})
 		}
@ -535,11 +530,10 @@ func TestPolicyAdmission(t *testing.T) {
 		holder.gvrToConvertedGVK[metaGVR] = schema.GroupVersionKind{Group: resourcesByGVR[convertedGVR].Group, Version: resourcesByGVR[convertedGVR].Version, Kind: resourcesByGVR[convertedGVR].Kind}
 	}

-	if err := createV1alpha1ValidatingPolicyAndBinding(client, convertedV1alpha1Rules); err != nil {
+	if err := createV1beta1ValidatingPolicyAndBinding(client, convertedV1beta1Rules); err != nil {
 		t.Fatal(err)
 	}
-
-	if err := createV1beta1ValidatingPolicyAndBinding(client, convertedV1beta1Rules); err != nil {
+	if err := createV1ValidatingPolicyAndBinding(client, convertedV1Rules); err != nil {
 		t.Fatal(err)
 	}

@ -610,7 +604,7 @@ func (p *policyExpectationHolder) expect(gvr schema.GroupVersionResource, gvk, o
 	p.recorded = map[webhookOptions]*admissionRequest{}
 	for _, phase := range []string{validation} {
 		for _, converted := range []bool{true, false} {
-			for _, version := range []string{"v1alpha1", "v1beta1"} {
+			for _, version := range []string{"v1beta1", "v1"} {
 				p.recorded[webhookOptions{version: version, phase: phase, converted: converted}] = nil
 			}
 		}
--- a/test/integration/apiserver/cel/admission_test_util.go
+++ b/test/integration/apiserver/cel/admission_test_util.go
@ -137,17 +137,17 @@ var (
 		// gvr("admissionregistration.k8s.io", "v1beta1", "validatingwebhookconfigurations"):     true,
 		// gvr("admissionregistration.k8s.io", "v1", "mutatingwebhookconfigurations"):            true,
 		// gvr("admissionregistration.k8s.io", "v1", "validatingwebhookconfigurations"):          true,
-		gvr("admissionregistration.k8s.io", "v1alpha1", "validatingadmissionpolicies"):        true,
-		gvr("admissionregistration.k8s.io", "v1alpha1", "validatingadmissionpolicies/status"): true,
-		gvr("admissionregistration.k8s.io", "v1alpha1", "validatingadmissionpolicybindings"):  true,
-		gvr("admissionregistration.k8s.io", "v1beta1", "validatingadmissionpolicies"):         true,
-		gvr("admissionregistration.k8s.io", "v1beta1", "validatingadmissionpolicies/status"):  true,
-		gvr("admissionregistration.k8s.io", "v1beta1", "validatingadmissionpolicybindings"):   true,
-		gvr("admissionregistration.k8s.io", "v1", "validatingadmissionpolicies"):              true,
-		gvr("admissionregistration.k8s.io", "v1", "validatingadmissionpolicies/status"):       true,
-		gvr("admissionregistration.k8s.io", "v1", "validatingadmissionpolicybindings"):        true,
-		gvr("admissionregistration.k8s.io", "v1alpha1", "mutatingadmissionpolicies"):          true,
-		gvr("admissionregistration.k8s.io", "v1alpha1", "mutatingadmissionpolicybindings"):    true,
+		// gvr("admissionregistration.k8s.io", "v1alpha1", "validatingadmissionpolicies"):        true,
+		// gvr("admissionregistration.k8s.io", "v1alpha1", "validatingadmissionpolicies/status"): true,
+		// gvr("admissionregistration.k8s.io", "v1alpha1", "validatingadmissionpolicybindings"):  true,
+		gvr("admissionregistration.k8s.io", "v1beta1", "validatingadmissionpolicies"):        true,
+		gvr("admissionregistration.k8s.io", "v1beta1", "validatingadmissionpolicies/status"): true,
+		gvr("admissionregistration.k8s.io", "v1beta1", "validatingadmissionpolicybindings"):  true,
+		gvr("admissionregistration.k8s.io", "v1", "validatingadmissionpolicies"):             true,
+		gvr("admissionregistration.k8s.io", "v1", "validatingadmissionpolicies/status"):      true,
+		gvr("admissionregistration.k8s.io", "v1", "validatingadmissionpolicybindings"):       true,
+		gvr("admissionregistration.k8s.io", "v1alpha1", "mutatingadmissionpolicies"):         true,
+		gvr("admissionregistration.k8s.io", "v1alpha1", "mutatingadmissionpolicybindings"):   true,
 		// transient resource exemption
 		gvr("authentication.k8s.io", "v1", "selfsubjectreviews"):       true,
 		gvr("authentication.k8s.io", "v1beta1", "selfsubjectreviews"):  true,
--- a/test/integration/etcd/data.go
+++ b/test/integration/etcd/data.go
@ -352,16 +352,6 @@ func GetEtcdStorageDataForNamespace(namespace string) map[schema.GroupVersionRes
 		// --

 		// k8s.io/kubernetes/pkg/apis/admissionregistration/v1alpha1
-		gvr("admissionregistration.k8s.io", "v1alpha1", "validatingadmissionpolicies"): {
-			Stub:             `{"metadata":{"name":"vap1a1","creationTimestamp":null},"spec":{"paramKind":{"apiVersion":"test.example.com/v1","kind":"Example"},"matchConstraints":{"resourceRules": [{"resourceNames": ["fakeName"], "apiGroups":["apps"],"apiVersions":["v1"],"operations":["CREATE", "UPDATE"], "resources":["deployments"]}]},"validations":[{"expression":"object.spec.replicas <= params.maxReplicas","message":"Too many replicas"}]}}`,
-			ExpectedEtcdPath: "/registry/validatingadmissionpolicies/vap1a1",
-			ExpectedGVK:      gvkP("admissionregistration.k8s.io", "v1", "ValidatingAdmissionPolicy"),
-		},
-		gvr("admissionregistration.k8s.io", "v1alpha1", "validatingadmissionpolicybindings"): {
-			Stub:             `{"metadata":{"name":"pb1a1","creationTimestamp":null},"spec":{"policyName":"replicalimit-policy.example.com","paramRef":{"name":"replica-limit-test.example.com"},"validationActions":["Deny"]}}`,
-			ExpectedEtcdPath: "/registry/validatingadmissionpolicybindings/pb1a1",
-			ExpectedGVK:      gvkP("admissionregistration.k8s.io", "v1", "ValidatingAdmissionPolicyBinding"),
-		},
 		gvr("admissionregistration.k8s.io", "v1alpha1", "mutatingadmissionpolicies"): {
 			Stub:             `{"metadata":{"name":"map1","creationTimestamp":null},"spec":{"paramKind":{"apiVersion":"test.example.com/v1","kind":"Example"},"matchConstraints":{"resourceRules": [{"resourceNames": ["fakeName"], "apiGroups":["apps"],"apiVersions":["v1"],"operations":["CREATE", "UPDATE"], "resources":["deployments"]}]},"reinvocationPolicy": "IfNeeded","mutations":[{"applyConfiguration": {"expression":"Object{metadata: Object.metadata{labels: {'example':'true'}}}"}, "patchType":"ApplyConfiguration"}]}}`,
 			ExpectedEtcdPath: "/registry/mutatingadmissionpolicies/map1",