github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-08-22 10:06:15 +00:00
Code Issues Projects Releases Wiki Activity

refactor: replace usage of v1alpha1 with v1beta1

Browse Source 
v1alpha -> v1beta

fill in DenyAction where there is no ParameterNotFoundAction
This commit is contained in:
Alexander Zielenski 2023-07-19 15:53:31 -07:00
parent b3b775baa5
commit ef8670c946
14 changed files with 600 additions and 597 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
cmd/kube-controller-manager/app/validatingadmissionpolicystatus.go
View File

@ -19,7 +19,7 @@ package app
import (
"context"
admissionregistrationv1alpha1 "k8s.io/api/admissionregistration/v1alpha1"
admissionregistrationv1beta1 "k8s.io/api/admissionregistration/v1beta1"
pluginvalidatingadmissionpolicy "k8s.io/apiserver/pkg/admission/plugin/validatingadmissionpolicy"
"k8s.io/apiserver/pkg/cel/openapi/resolver"
"k8s.io/client-go/kubernetes/scheme"
@ -28,7 +28,7 @@ import (
"k8s.io/kubernetes/pkg/generated/openapi"
)
var validatingAdmissionPolicyResource = admissionregistrationv1alpha1.SchemeGroupVersion.WithResource("validatingadmissionpolicies")
var validatingAdmissionPolicyResource = admissionregistrationv1beta1.SchemeGroupVersion.WithResource("validatingadmissionpolicies")
func startValidatingAdmissionPolicyStatusController(ctx context.Context, controllerContext ControllerContext) (controller.Interface, bool, error) {
// intended check against served resource but not feature gate.
@ -41,8 +41,8 @@ func startValidatingAdmissionPolicyStatusController(ctx context.Context, control
RestMapper: controllerContext.RESTMapper,
}
c, err := validatingadmissionpolicystatus.NewController(
controllerContext.InformerFactory.Admissionregistration().V1alpha1().ValidatingAdmissionPolicies(),
controllerContext.ClientBuilder.ClientOrDie("validatingadmissionpolicy-status-controller").AdmissionregistrationV1alpha1().ValidatingAdmissionPolicies(),
controllerContext.InformerFactory.Admissionregistration().V1beta1().ValidatingAdmissionPolicies(),
controllerContext.ClientBuilder.ClientOrDie("validatingadmissionpolicy-status-controller").AdmissionregistrationV1beta1().ValidatingAdmissionPolicies(),
typeChecker,
)

28
pkg/controller/validatingadmissionpolicystatus/controller.go
View File

@ -21,15 +21,15 @@ import (
"fmt"
"time"
"k8s.io/api/admissionregistration/v1alpha1"
"k8s.io/api/admissionregistration/v1beta1"
kerrors "k8s.io/apimachinery/pkg/api/errors"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
utilruntime "k8s.io/apimachinery/pkg/util/runtime"
"k8s.io/apimachinery/pkg/util/wait"
"k8s.io/apiserver/pkg/admission/plugin/validatingadmissionpolicy"
admissionregistrationv1alpha1apply "k8s.io/client-go/applyconfigurations/admissionregistration/v1alpha1"
informerv1alpha1 "k8s.io/client-go/informers/admissionregistration/v1alpha1"
admissionregistrationv1alpha1 "k8s.io/client-go/kubernetes/typed/admissionregistration/v1alpha1"
admissionregistrationv1beta1apply "k8s.io/client-go/applyconfigurations/admissionregistration/v1beta1"
informerv1beta1 "k8s.io/client-go/informers/admissionregistration/v1beta1"
admissionregistrationv1beta1 "k8s.io/client-go/kubernetes/typed/admissionregistration/v1beta1"
"k8s.io/client-go/tools/cache"
"k8s.io/client-go/util/workqueue"
)
@ -40,10 +40,10 @@ const ControllerName = "validatingadmissionpolicy-status"
// Controller is the ValidatingAdmissionPolicy Status controller that reconciles the Status field of each policy object.
// This controller runs type checks against referred types for each policy definition.
type Controller struct {
policyInformer informerv1alpha1.ValidatingAdmissionPolicyInformer
policyInformer informerv1beta1.ValidatingAdmissionPolicyInformer
policyQueue workqueue.RateLimitingInterface
policySynced cache.InformerSynced
policyClient admissionregistrationv1alpha1.ValidatingAdmissionPolicyInterface
policyClient admissionregistrationv1beta1.ValidatingAdmissionPolicyInterface
// typeChecker checks the policy's expressions for type errors.
// Type of params is defined in policy.Spec.ParamsKind
@ -66,7 +66,7 @@ func (c *Controller) Run(ctx context.Context, workers int) {
<-ctx.Done()
}
func NewController(policyInformer informerv1alpha1.ValidatingAdmissionPolicyInformer, policyClient admissionregistrationv1alpha1.ValidatingAdmissionPolicyInterface, typeChecker *validatingadmissionpolicy.TypeChecker) (*Controller, error) {
func NewController(policyInformer informerv1beta1.ValidatingAdmissionPolicyInformer, policyClient admissionregistrationv1beta1.ValidatingAdmissionPolicyInterface, typeChecker *validatingadmissionpolicy.TypeChecker) (*Controller, error) {
c := &Controller{
policyInformer: policyInformer,
policyQueue: workqueue.NewRateLimitingQueueWithConfig(workqueue.DefaultControllerRateLimiter(), workqueue.RateLimitingQueueConfig{Name: ControllerName}),
@ -89,7 +89,7 @@ func NewController(policyInformer informerv1alpha1.ValidatingAdmissionPolicyInfo
}
func (c *Controller) enqueuePolicy(policy any) {
if policy, ok := policy.(*v1alpha1.ValidatingAdmissionPolicy); ok {
if policy, ok := policy.(*v1beta1.ValidatingAdmissionPolicy); ok {
// policy objects are cluster-scoped, no point include its namespace.
key := policy.ObjectMeta.Name
if key == "" {
@ -138,7 +138,7 @@ func (c *Controller) processNextWorkItem(ctx context.Context) bool {
return true
}
func (c *Controller) reconcile(ctx context.Context, policy *v1alpha1.ValidatingAdmissionPolicy) error {
func (c *Controller) reconcile(ctx context.Context, policy *v1beta1.ValidatingAdmissionPolicy) error {
if policy == nil {
return nil
}
@ -146,16 +146,16 @@ func (c *Controller) reconcile(ctx context.Context, policy *v1alpha1.ValidatingA
return nil
}
warnings := c.typeChecker.Check(policy)
warningsConfig := make([]*admissionregistrationv1alpha1apply.ExpressionWarningApplyConfiguration, 0, len(warnings))
warningsConfig := make([]*admissionregistrationv1beta1apply.ExpressionWarningApplyConfiguration, 0, len(warnings))
for _, warning := range warnings {
warningsConfig = append(warningsConfig, admissionregistrationv1alpha1apply.ExpressionWarning().
warningsConfig = append(warningsConfig, admissionregistrationv1beta1apply.ExpressionWarning().
WithFieldRef(warning.FieldRef).
WithWarning(warning.Warning))
}
applyConfig := admissionregistrationv1alpha1apply.ValidatingAdmissionPolicy(policy.Name).
WithStatus(admissionregistrationv1alpha1apply.ValidatingAdmissionPolicyStatus().
applyConfig := admissionregistrationv1beta1apply.ValidatingAdmissionPolicy(policy.Name).
WithStatus(admissionregistrationv1beta1apply.ValidatingAdmissionPolicyStatus().
WithObservedGeneration(policy.Generation).
WithTypeChecking(admissionregistrationv1alpha1apply.TypeChecking().
WithTypeChecking(admissionregistrationv1beta1apply.TypeChecking().
WithExpressionWarnings(warningsConfig...)))
_, err := c.policyClient.ApplyStatus(ctx, applyConfig, metav1.ApplyOptions{FieldManager: ControllerName, Force: true})
return err

52
pkg/controller/validatingadmissionpolicystatus/controller_test.go
View File

@ -23,7 +23,7 @@ import (
"time"
admissionregistrationv1 "k8s.io/api/admissionregistration/v1"
admissionregistrationv1alpha1 "k8s.io/api/admissionregistration/v1alpha1"
admissionregistrationv1beta1 "k8s.io/api/admissionregistration/v1beta1"
"k8s.io/apimachinery/pkg/api/meta/testrestmapper"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/util/wait"
@ -38,13 +38,13 @@ import (
func TestTypeChecking(t *testing.T) {
for _, tc := range []struct {
name string
policy *admissionregistrationv1alpha1.ValidatingAdmissionPolicy
assertFieldRef func(warnings []admissionregistrationv1alpha1.ExpressionWarning, t *testing.T) // warning.fieldRef
assertWarnings func(warnings []admissionregistrationv1alpha1.ExpressionWarning, t *testing.T) // warning.warning
policy *admissionregistrationv1beta1.ValidatingAdmissionPolicy
assertFieldRef func(warnings []admissionregistrationv1beta1.ExpressionWarning, t *testing.T) // warning.fieldRef
assertWarnings func(warnings []admissionregistrationv1beta1.ExpressionWarning, t *testing.T) // warning.warning
}{
{
name: "deployment with correct expression",
policy: withGVRMatch([]string{"apps"}, []string{"v1"}, []string{"deployments"}, withValidations([]admissionregistrationv1alpha1.Validation{
policy: withGVRMatch([]string{"apps"}, []string{"v1"}, []string{"deployments"}, withValidations([]admissionregistrationv1beta1.Validation{
{
Expression: "object.spec.replicas > 1",
},
@ -54,7 +54,7 @@ func TestTypeChecking(t *testing.T) {
},
{
name: "deployment with type confusion",
policy: withGVRMatch([]string{"apps"}, []string{"v1"}, []string{"deployments"}, withValidations([]admissionregistrationv1alpha1.Validation{
policy: withGVRMatch([]string{"apps"}, []string{"v1"}, []string{"deployments"}, withValidations([]admissionregistrationv1beta1.Validation{
{
Expression: "object.spec.replicas < 100", // this one passes
},
@ -67,7 +67,7 @@ func TestTypeChecking(t *testing.T) {
},
{
name: "two expressions different type checking errors",
policy: withGVRMatch([]string{"apps"}, []string{"v1"}, []string{"deployments"}, withValidations([]admissionregistrationv1alpha1.Validation{
policy: withGVRMatch([]string{"apps"}, []string{"v1"}, []string{"deployments"}, withValidations([]admissionregistrationv1beta1.Validation{
{
Expression: "object.spec.nonExistingFirst > 1",
},
@ -83,7 +83,7 @@ func TestTypeChecking(t *testing.T) {
},
{
name: "one expression, two warnings",
policy: withGVRMatch([]string{"apps"}, []string{"v1"}, []string{"deployments"}, withValidations([]admissionregistrationv1alpha1.Validation{
policy: withGVRMatch([]string{"apps"}, []string{"v1"}, []string{"deployments"}, withValidations([]admissionregistrationv1beta1.Validation{
{
Expression: "object.spec.replicas < 100", // this one passes
},
@ -107,8 +107,8 @@ func TestTypeChecking(t *testing.T) {
RestMapper: testrestmapper.TestOnlyStaticRESTMapper(scheme.Scheme),
}
controller, err := NewController(
informerFactory.Admissionregistration().V1alpha1().ValidatingAdmissionPolicies(),
client.AdmissionregistrationV1alpha1().ValidatingAdmissionPolicies(),
informerFactory.Admissionregistration().V1beta1().ValidatingAdmissionPolicies(),
client.AdmissionregistrationV1beta1().ValidatingAdmissionPolicies(),
typeChecker,
)
if err != nil {
@ -120,7 +120,7 @@ func TestTypeChecking(t *testing.T) {
name := policy.Name
// wait until the typeChecking is set, which means the type checking
// is complete.
updated, err := client.AdmissionregistrationV1alpha1().ValidatingAdmissionPolicies().Get(ctx, name, metav1.GetOptions{})
updated, err := client.AdmissionregistrationV1beta1().ValidatingAdmissionPolicies().Get(ctx, name, metav1.GetOptions{})
if err != nil {
return false, err
}
@ -143,8 +143,8 @@ func TestTypeChecking(t *testing.T) {
}
func toBe(expected ...string) func(warnings []admissionregistrationv1alpha1.ExpressionWarning, t *testing.T) {
return func(warnings []admissionregistrationv1alpha1.ExpressionWarning, t *testing.T) {
func toBe(expected ...string) func(warnings []admissionregistrationv1beta1.ExpressionWarning, t *testing.T) {
return func(warnings []admissionregistrationv1beta1.ExpressionWarning, t *testing.T) {
if len(expected) != len(warnings) {
t.Fatalf("mismatched length, expect %d, got %d", len(expected), len(warnings))
}
@ -156,8 +156,8 @@ func toBe(expected ...string) func(warnings []admissionregistrationv1alpha1.Expr
}
}
func toHaveSubstring(substrings ...string) func(warnings []admissionregistrationv1alpha1.ExpressionWarning, t *testing.T) {
return func(warnings []admissionregistrationv1alpha1.ExpressionWarning, t *testing.T) {
func toHaveSubstring(substrings ...string) func(warnings []admissionregistrationv1beta1.ExpressionWarning, t *testing.T) {
return func(warnings []admissionregistrationv1beta1.ExpressionWarning, t *testing.T) {
if len(substrings) != len(warnings) {
t.Fatalf("mismatched length, expect %d, got %d", len(substrings), len(warnings))
}
@ -169,8 +169,8 @@ func toHaveSubstring(substrings ...string) func(warnings []admissionregistration
}
}
func toHaveMultipleSubstrings(substrings ...[]string) func(warnings []admissionregistrationv1alpha1.ExpressionWarning, t *testing.T) {
return func(warnings []admissionregistrationv1alpha1.ExpressionWarning, t *testing.T) {
func toHaveMultipleSubstrings(substrings ...[]string) func(warnings []admissionregistrationv1beta1.ExpressionWarning, t *testing.T) {
return func(warnings []admissionregistrationv1beta1.ExpressionWarning, t *testing.T) {
if len(substrings) != len(warnings) {
t.Fatalf("mismatched length, expect %d, got %d", len(substrings), len(warnings))
}
@ -184,19 +184,19 @@ func toHaveMultipleSubstrings(substrings ...[]string) func(warnings []admissionr
}
}
func toHaveLengthOf(n int) func(warnings []admissionregistrationv1alpha1.ExpressionWarning, t *testing.T) {
return func(warnings []admissionregistrationv1alpha1.ExpressionWarning, t *testing.T) {
func toHaveLengthOf(n int) func(warnings []admissionregistrationv1beta1.ExpressionWarning, t *testing.T) {
return func(warnings []admissionregistrationv1beta1.ExpressionWarning, t *testing.T) {
if n != len(warnings) {
t.Fatalf("mismatched length, expect %d, got %d", n, len(warnings))
}
}
}
func withGVRMatch(groups []string, versions []string, resources []string, policy *admissionregistrationv1alpha1.ValidatingAdmissionPolicy) *admissionregistrationv1alpha1.ValidatingAdmissionPolicy {
policy.Spec.MatchConstraints = &admissionregistrationv1alpha1.MatchResources{
ResourceRules: []admissionregistrationv1alpha1.NamedRuleWithOperations{
func withGVRMatch(groups []string, versions []string, resources []string, policy *admissionregistrationv1beta1.ValidatingAdmissionPolicy) *admissionregistrationv1beta1.ValidatingAdmissionPolicy {
policy.Spec.MatchConstraints = &admissionregistrationv1beta1.MatchResources{
ResourceRules: []admissionregistrationv1beta1.NamedRuleWithOperations{
{
RuleWithOperations: admissionregistrationv1alpha1.RuleWithOperations{
RuleWithOperations: admissionregistrationv1beta1.RuleWithOperations{
Operations: []admissionregistrationv1.OperationType{
"*",
},
@ -212,13 +212,13 @@ func withGVRMatch(groups []string, versions []string, resources []string, policy
return policy
}
func withValidations(validations []admissionregistrationv1alpha1.Validation, policy *admissionregistrationv1alpha1.ValidatingAdmissionPolicy) *admissionregistrationv1alpha1.ValidatingAdmissionPolicy {
func withValidations(validations []admissionregistrationv1beta1.Validation, policy *admissionregistrationv1beta1.ValidatingAdmissionPolicy) *admissionregistrationv1beta1.ValidatingAdmissionPolicy {
policy.Spec.Validations = validations
return policy
}
func makePolicy(name string) *admissionregistrationv1alpha1.ValidatingAdmissionPolicy {
return &admissionregistrationv1alpha1.ValidatingAdmissionPolicy{
func makePolicy(name string) *admissionregistrationv1beta1.ValidatingAdmissionPolicy {
return &admissionregistrationv1beta1.ValidatingAdmissionPolicy{
ObjectMeta: metav1.ObjectMeta{Name: name},
}
}

140
staging/src/k8s.io/apiserver/pkg/admission/plugin/validatingadmissionpolicy/admission_test.go
View File

@ -30,7 +30,7 @@ import (
admissionv1 "k8s.io/api/admission/v1"
admissionRegistrationv1 "k8s.io/api/admissionregistration/v1"
"k8s.io/api/admissionregistration/v1alpha1"
"k8s.io/api/admissionregistration/v1beta1"
v1 "k8s.io/api/core/v1"
k8serrors "k8s.io/apimachinery/pkg/api/errors"
"k8s.io/apimachinery/pkg/api/meta"
@ -78,7 +78,7 @@ var (
Kind: clusterScopedParamsGVK.Kind + "List",
}, &unstructured.UnstructuredList{})
if err := v1alpha1.AddToScheme(res); err != nil {
if err := v1beta1.AddToScheme(res); err != nil {
panic(err)
}
@ -117,25 +117,25 @@ var (
return res
}()
definitionGVK schema.GroupVersionKind = must3(scheme.ObjectKinds(&v1alpha1.ValidatingAdmissionPolicy{}))[0]
bindingGVK schema.GroupVersionKind = must3(scheme.ObjectKinds(&v1alpha1.ValidatingAdmissionPolicyBinding{}))[0]
definitionGVK schema.GroupVersionKind = must3(scheme.ObjectKinds(&v1beta1.ValidatingAdmissionPolicy{}))[0]
bindingGVK schema.GroupVersionKind = must3(scheme.ObjectKinds(&v1beta1.ValidatingAdmissionPolicyBinding{}))[0]
definitionsGVR schema.GroupVersionResource = must(fakeRestMapper.RESTMapping(definitionGVK.GroupKind(), definitionGVK.Version)).Resource
bindingsGVR schema.GroupVersionResource = must(fakeRestMapper.RESTMapping(bindingGVK.GroupKind(), bindingGVK.Version)).Resource
// Common objects
denyPolicy *v1alpha1.ValidatingAdmissionPolicy = &v1alpha1.ValidatingAdmissionPolicy{
denyPolicy *v1beta1.ValidatingAdmissionPolicy = &v1beta1.ValidatingAdmissionPolicy{
ObjectMeta: metav1.ObjectMeta{
Name: "denypolicy.example.com",
ResourceVersion: "1",
},
Spec: v1alpha1.ValidatingAdmissionPolicySpec{
ParamKind: &v1alpha1.ParamKind{
Spec: v1beta1.ValidatingAdmissionPolicySpec{
ParamKind: &v1beta1.ParamKind{
APIVersion: paramsGVK.GroupVersion().String(),
Kind: paramsGVK.Kind,
},
FailurePolicy: ptrTo(v1alpha1.Fail),
Validations: []v1alpha1.Validation{
FailurePolicy: ptrTo(v1beta1.Fail),
Validations: []v1beta1.Validation{
{
Expression: "messageId for deny policy",
},
@ -156,61 +156,61 @@ var (
},
}
denyBinding *v1alpha1.ValidatingAdmissionPolicyBinding = &v1alpha1.ValidatingAdmissionPolicyBinding{
denyBinding *v1beta1.ValidatingAdmissionPolicyBinding = &v1beta1.ValidatingAdmissionPolicyBinding{
ObjectMeta: metav1.ObjectMeta{
Name: "denybinding.example.com",
ResourceVersion: "1",
},
Spec: v1alpha1.ValidatingAdmissionPolicyBindingSpec{
Spec: v1beta1.ValidatingAdmissionPolicyBindingSpec{
PolicyName: denyPolicy.Name,
ParamRef: &v1alpha1.ParamRef{
ParamRef: &v1beta1.ParamRef{
Name: fakeParams.GetName(),
Namespace: fakeParams.GetNamespace(),
// fake object tracker does not populate defaults
ParameterNotFoundAction: ptrTo(v1alpha1.DenyAction),
ParameterNotFoundAction: v1beta1.DenyAction,
},
ValidationActions: []v1alpha1.ValidationAction{v1alpha1.Deny},
ValidationActions: []v1beta1.ValidationAction{v1beta1.Deny},
},
}
denyBindingWithNoParamRef *v1alpha1.ValidatingAdmissionPolicyBinding = &v1alpha1.ValidatingAdmissionPolicyBinding{
denyBindingWithNoParamRef *v1beta1.ValidatingAdmissionPolicyBinding = &v1beta1.ValidatingAdmissionPolicyBinding{
ObjectMeta: metav1.ObjectMeta{
Name: "denybinding.example.com",
ResourceVersion: "1",
},
Spec: v1alpha1.ValidatingAdmissionPolicyBindingSpec{
Spec: v1beta1.ValidatingAdmissionPolicyBindingSpec{
PolicyName: denyPolicy.Name,
ValidationActions: []v1alpha1.ValidationAction{v1alpha1.Deny},
ValidationActions: []v1beta1.ValidationAction{v1beta1.Deny},
},
}
denyBindingWithAudit = &v1alpha1.ValidatingAdmissionPolicyBinding{
denyBindingWithAudit = &v1beta1.ValidatingAdmissionPolicyBinding{
ObjectMeta: metav1.ObjectMeta{
Name: "denybinding.example.com",
ResourceVersion: "1",
},
Spec: v1alpha1.ValidatingAdmissionPolicyBindingSpec{
Spec: v1beta1.ValidatingAdmissionPolicyBindingSpec{
PolicyName: denyPolicy.Name,
ValidationActions: []v1alpha1.ValidationAction{v1alpha1.Audit},
ValidationActions: []v1beta1.ValidationAction{v1beta1.Audit},
},
}
denyBindingWithWarn = &v1alpha1.ValidatingAdmissionPolicyBinding{
denyBindingWithWarn = &v1beta1.ValidatingAdmissionPolicyBinding{
ObjectMeta: metav1.ObjectMeta{
Name: "denybinding.example.com",
ResourceVersion: "1",
},
Spec: v1alpha1.ValidatingAdmissionPolicyBindingSpec{
Spec: v1beta1.ValidatingAdmissionPolicyBindingSpec{
PolicyName: denyPolicy.Name,
ValidationActions: []v1alpha1.ValidationAction{v1alpha1.Warn},
ValidationActions: []v1beta1.ValidationAction{v1beta1.Warn},
},
}
denyBindingWithAll = &v1alpha1.ValidatingAdmissionPolicyBinding{
denyBindingWithAll = &v1beta1.ValidatingAdmissionPolicyBinding{
ObjectMeta: metav1.ObjectMeta{
Name: "denybinding.example.com",
ResourceVersion: "1",
},
Spec: v1alpha1.ValidatingAdmissionPolicyBindingSpec{
Spec: v1beta1.ValidatingAdmissionPolicyBindingSpec{
PolicyName: denyPolicy.Name,
ValidationActions: []v1alpha1.ValidationAction{v1alpha1.Deny, v1alpha1.Warn, v1alpha1.Audit},
ValidationActions: []v1beta1.ValidationAction{v1beta1.Deny, v1beta1.Warn, v1beta1.Audit},
},
}
)
@ -275,7 +275,7 @@ func (f *fakeCompiler) Compile(
return &fakeFilter{}
}
func (f *fakeCompiler) RegisterDefinition(definition *v1alpha1.ValidatingAdmissionPolicy, compileFunc func([]cel.ExpressionAccessor, cel.OptionalVariableDeclarations) cel.Filter) {
func (f *fakeCompiler) RegisterDefinition(definition *v1beta1.ValidatingAdmissionPolicy, compileFunc func([]cel.ExpressionAccessor, cel.OptionalVariableDeclarations) cel.Filter) {
//Key must be something that we can decipher from the inputs to Validate so using expression which will be passed to validate on the filter
key := definition.Spec.Validations[0].Expression
if compileFunc != nil {
@ -321,7 +321,7 @@ type fakeValidator struct {
ValidateFunc func(ctx context.Context, versionedAttr *admission.VersionedAttributes, versionedParams runtime.Object, namespace *v1.Namespace, runtimeCELCostBudget int64, authz authorizer.Authorizer) ValidateResult
}
func (f *fakeValidator) RegisterDefinition(definition *v1alpha1.ValidatingAdmissionPolicy, validateFunc func(ctx context.Context, versionedAttr *admission.VersionedAttributes, versionedParams runtime.Object, namespace *v1.Namespace, runtimeCELCostBudget int64, authz authorizer.Authorizer) ValidateResult) {
func (f *fakeValidator) RegisterDefinition(definition *v1beta1.ValidatingAdmissionPolicy, validateFunc func(ctx context.Context, versionedAttr *admission.VersionedAttributes, versionedParams runtime.Object, namespace *v1.Namespace, runtimeCELCostBudget int64, authz authorizer.Authorizer) ValidateResult) {
//Key must be something that we can decipher from the inputs to Validate so using message which will be on the validationCondition object of evalResult
var key string
if len(definition.Spec.Validations) > 0 {
@ -354,11 +354,11 @@ func (f *fakeMatcher) GetNamespace(name string) (*v1.Namespace, error) {
type fakeMatcher struct {
DefaultMatch bool
DefinitionMatchFuncs map[namespacedName]func(*v1alpha1.ValidatingAdmissionPolicy, admission.Attributes) bool
BindingMatchFuncs map[namespacedName]func(*v1alpha1.ValidatingAdmissionPolicyBinding, admission.Attributes) bool
DefinitionMatchFuncs map[namespacedName]func(*v1beta1.ValidatingAdmissionPolicy, admission.Attributes) bool
BindingMatchFuncs map[namespacedName]func(*v1beta1.ValidatingAdmissionPolicyBinding, admission.Attributes) bool
}
func (f *fakeMatcher) RegisterDefinition(definition *v1alpha1.ValidatingAdmissionPolicy, matchFunc func(*v1alpha1.ValidatingAdmissionPolicy, admission.Attributes) bool) {
func (f *fakeMatcher) RegisterDefinition(definition *v1beta1.ValidatingAdmissionPolicy, matchFunc func(*v1beta1.ValidatingAdmissionPolicy, admission.Attributes) bool) {
namespace, name := definition.Namespace, definition.Name
key := namespacedName{
name: name,
@ -367,13 +367,13 @@ func (f *fakeMatcher) RegisterDefinition(definition *v1alpha1.ValidatingAdmissio
if matchFunc != nil {
if f.DefinitionMatchFuncs == nil {
f.DefinitionMatchFuncs = make(map[namespacedName]func(*v1alpha1.ValidatingAdmissionPolicy, admission.Attributes) bool)
f.DefinitionMatchFuncs = make(map[namespacedName]func(*v1beta1.ValidatingAdmissionPolicy, admission.Attributes) bool)
}
f.DefinitionMatchFuncs[key] = matchFunc
}
}
func (f *fakeMatcher) RegisterBinding(binding *v1alpha1.ValidatingAdmissionPolicyBinding, matchFunc func(*v1alpha1.ValidatingAdmissionPolicyBinding, admission.Attributes) bool) {
func (f *fakeMatcher) RegisterBinding(binding *v1beta1.ValidatingAdmissionPolicyBinding, matchFunc func(*v1beta1.ValidatingAdmissionPolicyBinding, admission.Attributes) bool) {
namespace, name := binding.Namespace, binding.Name
key := namespacedName{
name: name,
@ -382,7 +382,7 @@ func (f *fakeMatcher) RegisterBinding(binding *v1alpha1.ValidatingAdmissionPolic
if matchFunc != nil {
if f.BindingMatchFuncs == nil {
f.BindingMatchFuncs = make(map[namespacedName]func(*v1alpha1.ValidatingAdmissionPolicyBinding, admission.Attributes) bool)
f.BindingMatchFuncs = make(map[namespacedName]func(*v1beta1.ValidatingAdmissionPolicyBinding, admission.Attributes) bool)
}
f.BindingMatchFuncs[key] = matchFunc
}
@ -390,7 +390,7 @@ func (f *fakeMatcher) RegisterBinding(binding *v1alpha1.ValidatingAdmissionPolic
// Matches says whether this policy definition matches the provided admission
// resource request
func (f *fakeMatcher) DefinitionMatches(a admission.Attributes, o admission.ObjectInterfaces, definition *v1alpha1.ValidatingAdmissionPolicy) (bool, schema.GroupVersionKind, error) {
func (f *fakeMatcher) DefinitionMatches(a admission.Attributes, o admission.ObjectInterfaces, definition *v1beta1.ValidatingAdmissionPolicy) (bool, schema.GroupVersionKind, error) {
namespace, name := definition.Namespace, definition.Name
key := namespacedName{
name: name,
@ -406,7 +406,7 @@ func (f *fakeMatcher) DefinitionMatches(a admission.Attributes, o admission.Obje
// Matches says whether this policy definition matches the provided admission
// resource request
func (f *fakeMatcher) BindingMatches(a admission.Attributes, o admission.ObjectInterfaces, binding *v1alpha1.ValidatingAdmissionPolicyBinding) (bool, error) {
func (f *fakeMatcher) BindingMatches(a admission.Attributes, o admission.ObjectInterfaces, binding *v1beta1.ValidatingAdmissionPolicyBinding) (bool, error) {
namespace, name := binding.Namespace, binding.Name
key := namespacedName{
name: name,
@ -516,7 +516,7 @@ func setupTestCommon(t *testing.T, compiler cel.FilterCompiler, matcher Matcher,
i := 0
dummyPolicy := &v1alpha1.ValidatingAdmissionPolicy{
dummyPolicy := &v1beta1.ValidatingAdmissionPolicy{
ObjectMeta: metav1.ObjectMeta{
Name: "dummypolicy.example.com",
Annotations: map[string]string{
@ -525,7 +525,7 @@ func setupTestCommon(t *testing.T, compiler cel.FilterCompiler, matcher Matcher,
},
}
dummyBinding := &v1alpha1.ValidatingAdmissionPolicyBinding{
dummyBinding := &v1beta1.ValidatingAdmissionPolicyBinding{
ObjectMeta: metav1.ObjectMeta{
Name: "dummybinding.example.com",
Annotations: map[string]string{
@ -581,7 +581,7 @@ func (c *celAdmissionController) getCurrentObject(obj runtime.Object) (runtime.O
defer c.policyController.mutex.RUnlock()
switch obj.(type) {
case *v1alpha1.ValidatingAdmissionPolicyBinding:
case *v1beta1.ValidatingAdmissionPolicyBinding:
nn := getNamespaceName(accessor.GetNamespace(), accessor.GetName())
info, ok := c.policyController.bindingInfos[nn]
if !ok {
@ -589,7 +589,7 @@ func (c *celAdmissionController) getCurrentObject(obj runtime.Object) (runtime.O
}
return info.lastReconciledValue, nil
case *v1alpha1.ValidatingAdmissionPolicy:
case *v1beta1.ValidatingAdmissionPolicy:
nn := getNamespaceName(accessor.GetNamespace(), accessor.GetName())
info, ok := c.policyController.definitionInfo[nn]
if !ok {
@ -601,7 +601,7 @@ func (c *celAdmissionController) getCurrentObject(obj runtime.Object) (runtime.O
// If test isn't trying to fetch a policy or binding, assume it is
// fetching a param
paramSourceGVK := obj.GetObjectKind().GroupVersionKind()
paramKind := v1alpha1.ParamKind{
paramKind := v1beta1.ParamKind{
APIVersion: paramSourceGVK.GroupVersion().String(),
Kind: paramSourceGVK.Kind,
}
@ -915,7 +915,7 @@ func TestDefinitionDoesntMatch(t *testing.T) {
}
})
matcher.RegisterDefinition(denyPolicy, func(vap *v1alpha1.ValidatingAdmissionPolicy, a admission.Attributes) bool {
matcher.RegisterDefinition(denyPolicy, func(vap *v1beta1.ValidatingAdmissionPolicy, a admission.Attributes) bool {
// Match names with even-numbered length
obj := a.GetObject()
@ -1030,19 +1030,19 @@ func TestReconfigureBinding(t *testing.T) {
}
})
denyBinding2 := &v1alpha1.ValidatingAdmissionPolicyBinding{
denyBinding2 := &v1beta1.ValidatingAdmissionPolicyBinding{
ObjectMeta: metav1.ObjectMeta{
Name: "denybinding.example.com",
ResourceVersion: "2",
},
Spec: v1alpha1.ValidatingAdmissionPolicyBindingSpec{
Spec: v1beta1.ValidatingAdmissionPolicyBindingSpec{
PolicyName: denyPolicy.Name,
ParamRef: &v1alpha1.ParamRef{
ParamRef: &v1beta1.ParamRef{
Name: fakeParams2.GetName(),
Namespace: fakeParams2.GetNamespace(),
ParameterNotFoundAction: ptrTo(v1alpha1.DenyAction),
ParameterNotFoundAction: v1beta1.DenyAction,
},
ValidationActions: []v1alpha1.ValidationAction{v1alpha1.Deny},
ValidationActions: []v1beta1.ValidationAction{v1beta1.Deny},
},
}
@ -1251,7 +1251,7 @@ func TestInvalidParamSourceGVK(t *testing.T) {
passedParams := make(chan *unstructured.Unstructured)
badPolicy := *denyPolicy
badPolicy.Spec.ParamKind = &v1alpha1.ParamKind{
badPolicy.Spec.ParamKind = &v1beta1.ParamKind{
APIVersion: paramsGVK.GroupVersion().String(),
Kind: "BadParamKind",
}
@ -1499,13 +1499,13 @@ func TestMultiplePoliciesSharedParamType(t *testing.T) {
// Use ConfigMap native-typed param
policy1 := *denyPolicy
policy1.Name = "denypolicy1.example.com"
policy1.Spec = v1alpha1.ValidatingAdmissionPolicySpec{
ParamKind: &v1alpha1.ParamKind{
policy1.Spec = v1beta1.ValidatingAdmissionPolicySpec{
ParamKind: &v1beta1.ParamKind{
APIVersion: paramsGVK.GroupVersion().String(),
Kind: paramsGVK.Kind,
},
FailurePolicy: ptrTo(v1alpha1.Fail),
Validations: []v1alpha1.Validation{
FailurePolicy: ptrTo(v1beta1.Fail),
Validations: []v1beta1.Validation{
{
Expression: "policy1",
},
@ -1514,13 +1514,13 @@ func TestMultiplePoliciesSharedParamType(t *testing.T) {
policy2 := *denyPolicy
policy2.Name = "denypolicy2.example.com"
policy2.Spec = v1alpha1.ValidatingAdmissionPolicySpec{
ParamKind: &v1alpha1.ParamKind{
policy2.Spec = v1beta1.ValidatingAdmissionPolicySpec{
ParamKind: &v1beta1.ParamKind{
APIVersion: paramsGVK.GroupVersion().String(),
Kind: paramsGVK.Kind,
},
FailurePolicy: ptrTo(v1alpha1.Fail),
Validations: []v1alpha1.Validation{
FailurePolicy: ptrTo(v1beta1.Fail),
Validations: []v1beta1.Validation{
{
Expression: "policy2",
},
@ -1665,7 +1665,7 @@ func TestNativeTypeParam(t *testing.T) {
// Use ConfigMap native-typed param
nativeTypeParamPolicy := *denyPolicy
nativeTypeParamPolicy.Spec.ParamKind = &v1alpha1.ParamKind{
nativeTypeParamPolicy.Spec.ParamKind = &v1beta1.ParamKind{
APIVersion: "v1",
Kind: "ConfigMap",
}
@ -1800,7 +1800,7 @@ func TestAuditValidationAction(t *testing.T) {
expected := []validationFailureValue{{
ExpressionIndex: 0,
Message: "I'm sorry Dave",
ValidationActions: []v1alpha1.ValidationAction{v1alpha1.Audit},
ValidationActions: []v1beta1.ValidationAction{v1beta1.Audit},
Binding: "denybinding.example.com",
Policy: noParamSourcePolicy.Name,
}}
@ -1931,7 +1931,7 @@ func TestAllValidationActions(t *testing.T) {
expected := []validationFailureValue{{
ExpressionIndex: 0,
Message: "I'm sorry Dave",
ValidationActions: []v1alpha1.ValidationAction{v1alpha1.Deny, v1alpha1.Warn, v1alpha1.Audit},
ValidationActions: []v1beta1.ValidationAction{v1beta1.Deny, v1beta1.Warn, v1beta1.Audit},
Binding: "denybinding.example.com",
Policy: noParamSourcePolicy.Name,
}}
@ -1957,13 +1957,13 @@ func TestNamespaceParamRefName(t *testing.T) {
// Use ConfigMap native-typed param
nativeTypeParamPolicy := *denyPolicy
nativeTypeParamPolicy.Spec.ParamKind = &v1alpha1.ParamKind{
nativeTypeParamPolicy.Spec.ParamKind = &v1beta1.ParamKind{
APIVersion: "v1",
Kind: "ConfigMap",
}
namespaceParamBinding := *denyBinding
namespaceParamBinding.Spec.ParamRef = &v1alpha1.ParamRef{
namespaceParamBinding.Spec.ParamRef = &v1beta1.ParamRef{
Name: "replicas-test.example.com",
}
@ -2194,7 +2194,7 @@ func testParamRefCase(t *testing.T, paramIsClusterScoped, nameIsSet, namespaceIs
// Create a cluster scoped and a namespace scoped CRD
policy := *denyPolicy
binding := *denyBinding
binding.Spec.ParamRef = &v1alpha1.ParamRef{}
binding.Spec.ParamRef = &v1beta1.ParamRef{}
paramRef := binding.Spec.ParamRef
shouldErrorOnClusterScopedRequests := !namespaceIsSet && !paramIsClusterScoped
@ -2208,12 +2208,12 @@ func testParamRefCase(t *testing.T, paramIsClusterScoped, nameIsSet, namespaceIs
otherNonmatchingLabels := labels.Set{"notaffiliated": "no"}
if paramIsClusterScoped {
policy.Spec.ParamKind = &v1alpha1.ParamKind{
policy.Spec.ParamKind = &v1beta1.ParamKind{
APIVersion: clusterScopedParamsGVK.GroupVersion().String(),
Kind: clusterScopedParamsGVK.Kind,
}
} else {
policy.Spec.ParamKind = &v1alpha1.ParamKind{
policy.Spec.ParamKind = &v1beta1.ParamKind{
APIVersion: paramsGVK.GroupVersion().String(),
Kind: paramsGVK.Kind,
}
@ -2232,9 +2232,9 @@ func testParamRefCase(t *testing.T, paramIsClusterScoped, nameIsSet, namespaceIs
}
if denyNotFound {
paramRef.ParameterNotFoundAction = ptrTo(v1alpha1.DenyAction)
paramRef.ParameterNotFoundAction = v1beta1.DenyAction
} else {
paramRef.ParameterNotFoundAction = ptrTo(v1alpha1.AllowAction)
paramRef.ParameterNotFoundAction = v1beta1.AllowAction
}
compiler := &fakeCompiler{}
@ -2486,13 +2486,13 @@ func TestNamespaceParamRefClusterScopedParamError(t *testing.T) {
// Use ValidatingAdmissionPolicy for param type since it is cluster-scoped
nativeTypeParamPolicy := *denyPolicy
nativeTypeParamPolicy.Spec.ParamKind = &v1alpha1.ParamKind{
APIVersion: "admissionregistration.k8s.io/v1alpha1",
nativeTypeParamPolicy.Spec.ParamKind = &v1beta1.ParamKind{
APIVersion: "admissionregistration.k8s.io/v1beta1",
Kind: "ValidatingAdmissionPolicy",
}
namespaceParamBinding := *denyBinding
namespaceParamBinding.Spec.ParamRef = &v1alpha1.ParamRef{
namespaceParamBinding.Spec.ParamRef = &v1beta1.ParamRef{
Name: "other-param-to-use-with-no-label.example.com",
Namespace: "mynamespace",
}
@ -2507,7 +2507,7 @@ func TestNamespaceParamRefClusterScopedParamError(t *testing.T) {
validator.RegisterDefinition(&nativeTypeParamPolicy, func(ctx context.Context, versionedAttr *admission.VersionedAttributes, versionedParams runtime.Object, namespace *v1.Namespace, runtimeCELCostBudget int64, authz authorizer.Authorizer) ValidateResult {
evaluations.Add(1)
if _, ok := versionedParams.(*v1alpha1.ValidatingAdmissionPolicy); ok {
if _, ok := versionedParams.(*v1beta1.ValidatingAdmissionPolicy); ok {
return ValidateResult{
Decisions: []PolicyDecision{
{

52
staging/src/k8s.io/apiserver/pkg/admission/plugin/validatingadmissionpolicy/controller.go
View File

@ -25,7 +25,7 @@ import (
"sync/atomic"
"time"
"k8s.io/api/admissionregistration/v1alpha1"
"k8s.io/api/admissionregistration/v1beta1"
v1 "k8s.io/api/core/v1"
k8serrors "k8s.io/apimachinery/pkg/api/errors"
"k8s.io/apimachinery/pkg/api/meta"
@ -81,8 +81,8 @@ type policyData struct {
// that determined the decision
type policyDecisionWithMetadata struct {
PolicyDecision
Definition *v1alpha1.ValidatingAdmissionPolicy
Binding *v1alpha1.ValidatingAdmissionPolicyBinding
Definition *v1beta1.ValidatingAdmissionPolicy
Binding *v1beta1.ValidatingAdmissionPolicyBinding
}
// namespaceName is used as a key in definitionInfo and bindingInfos
@ -98,7 +98,7 @@ type definitionInfo struct {
// Last value seen by this controller to be used in policy enforcement
// May not be nil
lastReconciledValue *v1alpha1.ValidatingAdmissionPolicy
lastReconciledValue *v1beta1.ValidatingAdmissionPolicy
}
type bindingInfo struct {
@ -107,7 +107,7 @@ type bindingInfo struct {
// Last value seen by this controller to be used in policy enforcement
// May not be nil
lastReconciledValue *v1alpha1.ValidatingAdmissionPolicyBinding
lastReconciledValue *v1beta1.ValidatingAdmissionPolicyBinding
}
type paramInfo struct {
@ -141,10 +141,10 @@ func NewAdmissionController(
informerFactory,
nil,
NewMatcher(matching.NewMatcher(informerFactory.Core().V1().Namespaces().Lister(), client)),
generic.NewInformer[*v1alpha1.ValidatingAdmissionPolicy](
informerFactory.Admissionregistration().V1alpha1().ValidatingAdmissionPolicies().Informer()),
generic.NewInformer[*v1alpha1.ValidatingAdmissionPolicyBinding](
informerFactory.Admissionregistration().V1alpha1().ValidatingAdmissionPolicyBindings().Informer()),
generic.NewInformer[*v1beta1.ValidatingAdmissionPolicy](
informerFactory.Admissionregistration().V1beta1().ValidatingAdmissionPolicies().Informer()),
generic.NewInformer[*v1beta1.ValidatingAdmissionPolicyBinding](
informerFactory.Admissionregistration().V1beta1().ValidatingAdmissionPolicyBindings().Informer()),
),
authz: authz,
}
@ -192,21 +192,21 @@ func (c *celAdmissionController) Validate(
var deniedDecisions []policyDecisionWithMetadata
addConfigError := func(err error, definition *v1alpha1.ValidatingAdmissionPolicy, binding *v1alpha1.ValidatingAdmissionPolicyBinding) {
addConfigError := func(err error, definition *v1beta1.ValidatingAdmissionPolicy, binding *v1beta1.ValidatingAdmissionPolicyBinding) {
// we always default the FailurePolicy if it is unset and validate it in API level
var policy v1alpha1.FailurePolicyType
var policy v1beta1.FailurePolicyType
if definition.Spec.FailurePolicy == nil {
policy = v1alpha1.Fail
policy = v1beta1.Fail
} else {
policy = *definition.Spec.FailurePolicy
}
// apply FailurePolicy specified in ValidatingAdmissionPolicy, the default would be Fail
switch policy {
case v1alpha1.Ignore:
case v1beta1.Ignore:
// TODO: add metrics for ignored error here
return
case v1alpha1.Fail:
case v1beta1.Fail:
var message string
if binding == nil {
message = fmt.Errorf("failed to configure policy: %w", err).Error()
@ -336,17 +336,17 @@ func (c *celAdmissionController) Validate(
case ActionDeny:
for _, action := range binding.Spec.ValidationActions {
switch action {
case v1alpha1.Deny:
case v1beta1.Deny:
deniedDecisions = append(deniedDecisions, policyDecisionWithMetadata{
Definition: definition,
Binding: binding,
PolicyDecision: decision,
})
celmetrics.Metrics.ObserveRejection(ctx, decision.Elapsed, definition.Name, binding.Name, "active")
case v1alpha1.Audit:
case v1beta1.Audit:
c.publishValidationFailureAnnotation(binding, i, decision, versionedAttr)
celmetrics.Metrics.ObserveAudit(ctx, decision.Elapsed, definition.Name, binding.Name, "active")
case v1alpha1.Warn:
case v1beta1.Warn:
warning.AddWarning(ctx, "", fmt.Sprintf("Validation failed for ValidatingAdmissionPolicy '%s' with binding '%s': %s", definition.Name, binding.Name, decision.Message))
celmetrics.Metrics.ObserveWarn(ctx, decision.Elapsed, definition.Name, binding.Name, "active")
}
@ -412,9 +412,9 @@ func (c *celAdmissionController) Validate(
// Returns objects to use to evaluate the policy
func (c *celAdmissionController) collectParams(
paramKind *v1alpha1.ParamKind,
paramKind *v1beta1.ParamKind,
info paramInfo,
paramRef *v1alpha1.ParamRef,
paramRef *v1beta1.ParamRef,
namespace string,
) ([]runtime.Object, error) {
// If definition has paramKind, paramRef is required in binding.
@ -520,14 +520,14 @@ func (c *celAdmissionController) collectParams(
}
// Apply fail action for params not found case
if len(params) == 0 && paramRef.ParameterNotFoundAction != nil && *paramRef.ParameterNotFoundAction == v1alpha1.DenyAction {
if len(params) == 0 && paramRef.ParameterNotFoundAction != nil && *paramRef.ParameterNotFoundAction == v1beta1.DenyAction {
return nil, errors.New("no params found for policy binding with `Deny` parameterNotFoundAction")
}
return params, nil
}
func (c *celAdmissionController) publishValidationFailureAnnotation(binding *v1alpha1.ValidatingAdmissionPolicyBinding, expressionIndex int, decision PolicyDecision, attributes admission.Attributes) {
func (c *celAdmissionController) publishValidationFailureAnnotation(binding *v1beta1.ValidatingAdmissionPolicyBinding, expressionIndex int, decision PolicyDecision, attributes admission.Attributes) {
key := "validation.policy.admission.k8s.io/validation_failure"
// Marshal to a list of failures since, in the future, we may need to support multiple failures
valueJson, err := utiljson.Marshal([]validationFailureValue{{
@ -561,11 +561,11 @@ func (c *celAdmissionController) refreshPolicies() {
// validationFailureValue defines the JSON format of a "validation.policy.admission.k8s.io/validation_failure" audit
// annotation value.
type validationFailureValue struct {
Message string `json:"message"`
Policy string `json:"policy"`
Binding string `json:"binding"`
ExpressionIndex int `json:"expressionIndex"`
ValidationActions []v1alpha1.ValidationAction `json:"validationActions"`
Message string `json:"message"`
Policy string `json:"policy"`
Binding string `json:"binding"`
ExpressionIndex int `json:"expressionIndex"`
ValidationActions []v1beta1.ValidationAction `json:"validationActions"`
}
type auditAnnotationCollector struct {

48
staging/src/k8s.io/apiserver/pkg/admission/plugin/validatingadmissionpolicy/controller_reconcile.go
View File

@ -23,7 +23,7 @@ import (
"time"
v1 "k8s.io/api/admissionregistration/v1"
"k8s.io/api/admissionregistration/v1alpha1"
"k8s.io/api/admissionregistration/v1beta1"
corev1 "k8s.io/api/core/v1"
apiequality "k8s.io/apimachinery/pkg/api/equality"
"k8s.io/apimachinery/pkg/api/meta"
@ -49,8 +49,8 @@ type policyController struct {
dynamicClient dynamic.Interface
informerFactory informers.SharedInformerFactory
restMapper meta.RESTMapper
policyDefinitionsController generic.Controller[*v1alpha1.ValidatingAdmissionPolicy]
policyBindingController generic.Controller[*v1alpha1.ValidatingAdmissionPolicyBinding]
policyDefinitionsController generic.Controller[*v1beta1.ValidatingAdmissionPolicy]
policyBindingController generic.Controller[*v1beta1.ValidatingAdmissionPolicyBinding]
// Provided to the policy's Compile function as an injected dependency to
// assist with compiling its expressions to CEL
@ -70,7 +70,7 @@ type policyController struct {
cachedPolicies []policyData
// controller and metadata
paramsCRDControllers map[v1alpha1.ParamKind]*paramInfo
paramsCRDControllers map[v1beta1.ParamKind]*paramInfo
// Index for each definition namespace/name, contains all binding
// namespace/names known to exist for that definition
@ -96,15 +96,15 @@ func newPolicyController(
informerFactory informers.SharedInformerFactory,
filterCompiler cel.FilterCompiler,
matcher Matcher,
policiesInformer generic.Informer[*v1alpha1.ValidatingAdmissionPolicy],
bindingsInformer generic.Informer[*v1alpha1.ValidatingAdmissionPolicyBinding],
policiesInformer generic.Informer[*v1beta1.ValidatingAdmissionPolicy],
bindingsInformer generic.Informer[*v1beta1.ValidatingAdmissionPolicyBinding],
) *policyController {
res := &policyController{}
*res = policyController{
filterCompiler: filterCompiler,
definitionInfo: make(map[namespacedName]*definitionInfo),
bindingInfos: make(map[namespacedName]*bindingInfo),
paramsCRDControllers: make(map[v1alpha1.ParamKind]*paramInfo),
paramsCRDControllers: make(map[v1beta1.ParamKind]*paramInfo),
definitionsToBindings: make(map[namespacedName]sets.Set[namespacedName]),
matcher: matcher,
newValidator: NewValidator,
@ -160,14 +160,14 @@ func (c *policyController) HasSynced() bool {
return c.policyDefinitionsController.HasSynced() && c.policyBindingController.HasSynced()
}
func (c *policyController) reconcilePolicyDefinition(namespace, name string, definition *v1alpha1.ValidatingAdmissionPolicy) error {
func (c *policyController) reconcilePolicyDefinition(namespace, name string, definition *v1beta1.ValidatingAdmissionPolicy) error {
c.mutex.Lock()
defer c.mutex.Unlock()
err := c.reconcilePolicyDefinitionSpec(namespace, name, definition)
return err
}
func (c *policyController) reconcilePolicyDefinitionSpec(namespace, name string, definition *v1alpha1.ValidatingAdmissionPolicy) error {
func (c *policyController) reconcilePolicyDefinitionSpec(namespace, name string, definition *v1beta1.ValidatingAdmissionPolicy) error {
c.cachedPolicies = nil // invalidate cachedPolicies
// Namespace for policydefinition is empty.
@ -186,7 +186,7 @@ func (c *policyController) reconcilePolicyDefinitionSpec(namespace, name string,
return nil
}
var paramSource *v1alpha1.ParamKind
var paramSource *v1beta1.ParamKind
if definition != nil {
paramSource = definition.Spec.ParamKind
}
@ -266,7 +266,7 @@ func (c *policyController) reconcilePolicyDefinitionSpec(namespace, name string,
// Ensures that there is an informer started for the given GVK to be used as a
// param
func (c *policyController) ensureParamInfo(paramSource *v1alpha1.ParamKind, mapping *meta.RESTMapping) *paramInfo {
func (c *policyController) ensureParamInfo(paramSource *v1beta1.ParamKind, mapping *meta.RESTMapping) *paramInfo {
if info, ok := c.paramsCRDControllers[*paramSource]; ok {
return info
}
@ -329,7 +329,7 @@ func (c *policyController) ensureParamInfo(paramSource *v1alpha1.ParamKind, mapp
}
func (c *policyController) reconcilePolicyBinding(namespace, name string, binding *v1alpha1.ValidatingAdmissionPolicyBinding) error {
func (c *policyController) reconcilePolicyBinding(namespace, name string, binding *v1beta1.ValidatingAdmissionPolicyBinding) error {
c.mutex.Lock()
defer c.mutex.Unlock()
@ -432,7 +432,7 @@ func (c *policyController) latestPolicyData() []policyData {
}
optionalVars := cel.OptionalVariableDeclarations{HasParams: hasParam, HasAuthorizer: true}
expressionOptionalVars := cel.OptionalVariableDeclarations{HasParams: hasParam, HasAuthorizer: false}
failurePolicy := convertv1alpha1FailurePolicyTypeTov1FailurePolicyType(definitionInfo.lastReconciledValue.Spec.FailurePolicy)
failurePolicy := convertv1beta1FailurePolicyTypeTov1FailurePolicyType(definitionInfo.lastReconciledValue.Spec.FailurePolicy)
var matcher matchconditions.Matcher = nil
matchConditions := definitionInfo.lastReconciledValue.Spec.MatchConditions
@ -441,7 +441,7 @@ func (c *policyController) latestPolicyData() []policyData {
compositedCompiler, err := cel.NewCompositedCompiler(environment.MustBaseEnvSet(environment.DefaultCompatibilityVersion()))
if err == nil {
filterCompiler = compositedCompiler
compositedCompiler.CompileAndStoreVariables(convertV1alpha1Variables(definitionInfo.lastReconciledValue.Spec.Variables), optionalVars, environment.StoredExpressions)
compositedCompiler.CompileAndStoreVariables(convertv1beta1Variables(definitionInfo.lastReconciledValue.Spec.Variables), optionalVars, environment.StoredExpressions)
} else {
utilruntime.HandleError(err)
}
@ -454,10 +454,10 @@ func (c *policyController) latestPolicyData() []policyData {
matcher = matchconditions.NewMatcher(filterCompiler.Compile(matchExpressionAccessors, optionalVars, environment.StoredExpressions), failurePolicy, "policy", "validate", definitionInfo.lastReconciledValue.Name)
}
bindingInfo.validator = c.newValidator(
filterCompiler.Compile(convertv1alpha1Validations(definitionInfo.lastReconciledValue.Spec.Validations), optionalVars, environment.StoredExpressions),
filterCompiler.Compile(convertv1beta1Validations(definitionInfo.lastReconciledValue.Spec.Validations), optionalVars, environment.StoredExpressions),
matcher,
filterCompiler.Compile(convertv1alpha1AuditAnnotations(definitionInfo.lastReconciledValue.Spec.AuditAnnotations), optionalVars, environment.StoredExpressions),
filterCompiler.Compile(convertV1Alpha1MessageExpressions(definitionInfo.lastReconciledValue.Spec.Validations), expressionOptionalVars, environment.StoredExpressions),
filterCompiler.Compile(convertv1beta1AuditAnnotations(definitionInfo.lastReconciledValue.Spec.AuditAnnotations), optionalVars, environment.StoredExpressions),
filterCompiler.Compile(convertv1beta1MessageExpressions(definitionInfo.lastReconciledValue.Spec.Validations), expressionOptionalVars, environment.StoredExpressions),
failurePolicy,
)
}
@ -482,21 +482,21 @@ func (c *policyController) latestPolicyData() []policyData {
return res
}
func convertv1alpha1FailurePolicyTypeTov1FailurePolicyType(policyType *v1alpha1.FailurePolicyType) *v1.FailurePolicyType {
func convertv1beta1FailurePolicyTypeTov1FailurePolicyType(policyType *v1beta1.FailurePolicyType) *v1.FailurePolicyType {
if policyType == nil {
return nil
}
var v1FailPolicy v1.FailurePolicyType
if *policyType == v1alpha1.Fail {
if *policyType == v1beta1.Fail {
v1FailPolicy = v1.Fail
} else if *policyType == v1alpha1.Ignore {
} else if *policyType == v1beta1.Ignore {
v1FailPolicy = v1.Ignore
}
return &v1FailPolicy
}
func convertv1alpha1Validations(inputValidations []v1alpha1.Validation) []cel.ExpressionAccessor {
func convertv1beta1Validations(inputValidations []v1beta1.Validation) []cel.ExpressionAccessor {
celExpressionAccessor := make([]cel.ExpressionAccessor, len(inputValidations))
for i, validation := range inputValidations {
validation := ValidationCondition{
@ -509,7 +509,7 @@ func convertv1alpha1Validations(inputValidations []v1alpha1.Validation) []cel.Ex
return celExpressionAccessor
}
func convertV1Alpha1MessageExpressions(inputValidations []v1alpha1.Validation) []cel.ExpressionAccessor {
func convertv1beta1MessageExpressions(inputValidations []v1beta1.Validation) []cel.ExpressionAccessor {
celExpressionAccessor := make([]cel.ExpressionAccessor, len(inputValidations))
for i, validation := range inputValidations {
if validation.MessageExpression != "" {
@ -522,7 +522,7 @@ func convertV1Alpha1MessageExpressions(inputValidations []v1alpha1.Validation) [
return celExpressionAccessor
}
func convertv1alpha1AuditAnnotations(inputValidations []v1alpha1.AuditAnnotation) []cel.ExpressionAccessor {
func convertv1beta1AuditAnnotations(inputValidations []v1beta1.AuditAnnotation) []cel.ExpressionAccessor {
celExpressionAccessor := make([]cel.ExpressionAccessor, len(inputValidations))
for i, validation := range inputValidations {
validation := AuditAnnotationCondition{
@ -534,7 +534,7 @@ func convertv1alpha1AuditAnnotations(inputValidations []v1alpha1.AuditAnnotation
return celExpressionAccessor
}
func convertV1alpha1Variables(variables []v1alpha1.Variable) []cel.NamedExpressionAccessor {
func convertv1beta1Variables(variables []v1beta1.Variable) []cel.NamedExpressionAccessor {
namedExpressions := make([]cel.NamedExpressionAccessor, len(variables))
for i, variable := range variables {
namedExpressions[i] = &Variable{Name: variable.Name, Expression: variable.Expression}

6
staging/src/k8s.io/apiserver/pkg/admission/plugin/validatingadmissionpolicy/interface.go
View File

@ -21,7 +21,7 @@ import (
celgo "github.com/google/cel-go/cel"
"k8s.io/api/admissionregistration/v1alpha1"
"k8s.io/api/admissionregistration/v1beta1"
corev1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/runtime"
@ -86,11 +86,11 @@ type Matcher interface {
// DefinitionMatches says whether this policy definition matches the provided admission
// resource request
DefinitionMatches(a admission.Attributes, o admission.ObjectInterfaces, definition *v1alpha1.ValidatingAdmissionPolicy) (bool, schema.GroupVersionKind, error)
DefinitionMatches(a admission.Attributes, o admission.ObjectInterfaces, definition *v1beta1.ValidatingAdmissionPolicy) (bool, schema.GroupVersionKind, error)
// BindingMatches says whether this policy definition matches the provided admission
// resource request
BindingMatches(a admission.Attributes, o admission.ObjectInterfaces, definition *v1alpha1.ValidatingAdmissionPolicyBinding) (bool, error)
BindingMatches(a admission.Attributes, o admission.ObjectInterfaces, definition *v1beta1.ValidatingAdmissionPolicyBinding) (bool, error)
// GetNamespace retrieves the Namespace resource by the given name. The name may be empty, in which case
// GetNamespace must return nil, nil

10
staging/src/k8s.io/apiserver/pkg/admission/plugin/validatingadmissionpolicy/matcher.go
View File

@ -17,7 +17,7 @@ limitations under the License.
package validatingadmissionpolicy
import (
"k8s.io/api/admissionregistration/v1alpha1"
"k8s.io/api/admissionregistration/v1beta1"
corev1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/labels"
@ -29,7 +29,7 @@ import (
var _ matching.MatchCriteria = &matchCriteria{}
type matchCriteria struct {
constraints *v1alpha1.MatchResources
constraints *v1beta1.MatchResources
}
// GetParsedNamespaceSelector returns the converted LabelSelector which implements labels.Selector
@ -43,7 +43,7 @@ func (m *matchCriteria) GetParsedObjectSelector() (labels.Selector, error) {
}
// GetMatchResources returns the matchConstraints
func (m *matchCriteria) GetMatchResources() v1alpha1.MatchResources {
func (m *matchCriteria) GetMatchResources() v1beta1.MatchResources {
return *m.constraints
}
@ -63,13 +63,13 @@ func (c *matcher) ValidateInitialization() error {
}
// DefinitionMatches returns whether this ValidatingAdmissionPolicy matches the provided admission resource request
func (c *matcher) DefinitionMatches(a admission.Attributes, o admission.ObjectInterfaces, definition *v1alpha1.ValidatingAdmissionPolicy) (bool, schema.GroupVersionKind, error) {
func (c *matcher) DefinitionMatches(a admission.Attributes, o admission.ObjectInterfaces, definition *v1beta1.ValidatingAdmissionPolicy) (bool, schema.GroupVersionKind, error) {
criteria := matchCriteria{constraints: definition.Spec.MatchConstraints}
return c.Matcher.Matches(a, o, &criteria)
}
// BindingMatches returns whether this ValidatingAdmissionPolicyBinding matches the provided admission resource request
func (c *matcher) BindingMatches(a admission.Attributes, o admission.ObjectInterfaces, binding *v1alpha1.ValidatingAdmissionPolicyBinding) (bool, error) {
func (c *matcher) BindingMatches(a admission.Attributes, o admission.ObjectInterfaces, binding *v1beta1.ValidatingAdmissionPolicyBinding) (bool, error) {
if binding.Spec.MatchResources == nil {
return true, nil
}

8
staging/src/k8s.io/apiserver/pkg/admission/plugin/validatingadmissionpolicy/matching/matching.go
View File

@ -20,7 +20,7 @@ import (
"fmt"
v1 "k8s.io/api/admissionregistration/v1"
"k8s.io/api/admissionregistration/v1alpha1"
"k8s.io/api/admissionregistration/v1beta1"
corev1 "k8s.io/api/core/v1"
"k8s.io/apimachinery/pkg/runtime/schema"
"k8s.io/apiserver/pkg/admission"
@ -36,7 +36,7 @@ type MatchCriteria interface {
namespace.NamespaceSelectorProvider
object.ObjectSelectorProvider
GetMatchResources() v1alpha1.MatchResources
GetMatchResources() v1beta1.MatchResources
}
// Matcher decides if a request matches against matchCriteria
@ -119,7 +119,7 @@ func (m *Matcher) Matches(attr admission.Attributes, o admission.ObjectInterface
return true, matchKind, nil
}
func matchesResourceRules(namedRules []v1alpha1.NamedRuleWithOperations, matchPolicy *v1alpha1.MatchPolicyType, attr admission.Attributes, o admission.ObjectInterfaces) (bool, schema.GroupVersionKind, error) {
func matchesResourceRules(namedRules []v1beta1.NamedRuleWithOperations, matchPolicy *v1beta1.MatchPolicyType, attr admission.Attributes, o admission.ObjectInterfaces) (bool, schema.GroupVersionKind, error) {
matchKind := attr.GetKind()
for _, namedRule := range namedRules {
rule := v1.RuleWithOperations(namedRule.RuleWithOperations)
@ -146,7 +146,7 @@ func matchesResourceRules(namedRules []v1alpha1.NamedRuleWithOperations, matchPo
// if match policy is undefined or exact, don't perform fuzzy matching
// note that defaulting to fuzzy matching is set by the API
if matchPolicy == nil || *matchPolicy == v1alpha1.Exact {
if matchPolicy == nil || *matchPolicy == v1beta1.Exact {
return false, schema.GroupVersionKind{}, nil
}

228
staging/src/k8s.io/apiserver/pkg/admission/plugin/validatingadmissionpolicy/matching/matching_test.go
View File

@ -22,7 +22,7 @@ import (
"testing"
v1 "k8s.io/api/admissionregistration/v1"
"k8s.io/api/admissionregistration/v1alpha1"
"k8s.io/api/admissionregistration/v1beta1"
corev1 "k8s.io/api/core/v1"
"k8s.io/apimachinery/pkg/api/errors"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@ -38,10 +38,10 @@ import (
var _ MatchCriteria = &fakeCriteria{}
type fakeCriteria struct {
matchResources v1alpha1.MatchResources
matchResources v1beta1.MatchResources
}
func (fc *fakeCriteria) GetMatchResources() v1alpha1.MatchResources {
func (fc *fakeCriteria) GetMatchResources() v1beta1.MatchResources {
return fc.matchResources
}
@ -65,8 +65,8 @@ func TestMatcher(t *testing.T) {
a := &Matcher{namespaceMatcher: &namespace.Matcher{}, objectMatcher: &object.Matcher{}}
allScopes := v1.AllScopes
exactMatch := v1alpha1.Exact
equivalentMatch := v1alpha1.Equivalent
exactMatch := v1beta1.Exact
equivalentMatch := v1beta1.Equivalent
mapper := runtime.NewEquivalentResourceRegistryWithIdentity(func(resource schema.GroupResource) string {
if resource.Resource == "deployments" {
@ -95,7 +95,7 @@ func TestMatcher(t *testing.T) {
testcases := []struct {
name string
criteria *v1alpha1.MatchResources
criteria *v1beta1.MatchResources
attrs admission.Attributes
expectMatches bool
@ -104,17 +104,17 @@ func TestMatcher(t *testing.T) {
}{
{
name: "no rules (just write)",
criteria: &v1alpha1.MatchResources{NamespaceSelector: &metav1.LabelSelector{}, ResourceRules: []v1alpha1.NamedRuleWithOperations{}},
criteria: &v1beta1.MatchResources{NamespaceSelector: &metav1.LabelSelector{}, ResourceRules: []v1beta1.NamedRuleWithOperations{}},
attrs: admission.NewAttributesRecord(nil, nil, gvk("apps", "v1", "Deployment"), "ns", "name", gvr("apps", "v1", "deployments"), "", admission.Create, &metav1.CreateOptions{}, false, nil),
expectMatches: false,
},
{
name: "wildcard rule, match as requested",
criteria: &v1alpha1.MatchResources{
criteria: &v1beta1.MatchResources{
NamespaceSelector: &metav1.LabelSelector{},
ObjectSelector: &metav1.LabelSelector{},
ResourceRules: []v1alpha1.NamedRuleWithOperations{{
RuleWithOperations: v1alpha1.RuleWithOperations{
ResourceRules: []v1beta1.NamedRuleWithOperations{{
RuleWithOperations: v1beta1.RuleWithOperations{
Operations: []v1.OperationType{"*"},
Rule: v1.Rule{APIGroups: []string{"*"}, APIVersions: []string{"*"}, Resources: []string{"*"}, Scope: &allScopes},
},
@ -125,21 +125,21 @@ func TestMatcher(t *testing.T) {
},
{
name: "specific rules, prefer exact match",
criteria: &v1alpha1.MatchResources{
criteria: &v1beta1.MatchResources{
NamespaceSelector: &metav1.LabelSelector{},
ObjectSelector: &metav1.LabelSelector{},
ResourceRules: []v1alpha1.NamedRuleWithOperations{{
RuleWithOperations: v1alpha1.RuleWithOperations{
ResourceRules: []v1beta1.NamedRuleWithOperations{{
RuleWithOperations: v1beta1.RuleWithOperations{
Operations: []v1.OperationType{"*"},
Rule: v1.Rule{APIGroups: []string{"extensions"}, APIVersions: []string{"v1beta1"}, Resources: []string{"deployments"}, Scope: &allScopes},
},
}, {
RuleWithOperations: v1alpha1.RuleWithOperations{
RuleWithOperations: v1beta1.RuleWithOperations{
Operations: []v1.OperationType{"*"},
Rule: v1.Rule{APIGroups: []string{"apps"}, APIVersions: []string{"v1beta1"}, Resources: []string{"deployments"}, Scope: &allScopes},
},
}, {
RuleWithOperations: v1alpha1.RuleWithOperations{
RuleWithOperations: v1beta1.RuleWithOperations{
Operations: []v1.OperationType{"*"},
Rule: v1.Rule{APIGroups: []string{"apps"}, APIVersions: []string{"v1"}, Resources: []string{"deployments"}, Scope: &allScopes},
},
@ -150,16 +150,16 @@ func TestMatcher(t *testing.T) {
},
{
name: "specific rules, match miss",
criteria: &v1alpha1.MatchResources{
criteria: &v1beta1.MatchResources{
NamespaceSelector: &metav1.LabelSelector{},
ObjectSelector: &metav1.LabelSelector{},
ResourceRules: []v1alpha1.NamedRuleWithOperations{{
RuleWithOperations: v1alpha1.RuleWithOperations{
ResourceRules: []v1beta1.NamedRuleWithOperations{{
RuleWithOperations: v1beta1.RuleWithOperations{
Operations: []v1.OperationType{"*"},
Rule: v1.Rule{APIGroups: []string{"extensions"}, APIVersions: []string{"v1beta1"}, Resources: []string{"deployments"}, Scope: &allScopes},
},
}, {
RuleWithOperations: v1alpha1.RuleWithOperations{
RuleWithOperations: v1beta1.RuleWithOperations{
Operations: []v1.OperationType{"*"},
Rule: v1.Rule{APIGroups: []string{"apps"}, APIVersions: []string{"v1beta1"}, Resources: []string{"deployments"}, Scope: &allScopes},
},
@ -169,17 +169,17 @@ func TestMatcher(t *testing.T) {
},
{
name: "specific rules, exact match miss",
criteria: &v1alpha1.MatchResources{
criteria: &v1beta1.MatchResources{
MatchPolicy: &exactMatch,
NamespaceSelector: &metav1.LabelSelector{},
ObjectSelector: &metav1.LabelSelector{},
ResourceRules: []v1alpha1.NamedRuleWithOperations{{
RuleWithOperations: v1alpha1.RuleWithOperations{
ResourceRules: []v1beta1.NamedRuleWithOperations{{
RuleWithOperations: v1beta1.RuleWithOperations{
Operations: []v1.OperationType{"*"},
Rule: v1.Rule{APIGroups: []string{"extensions"}, APIVersions: []string{"v1beta1"}, Resources: []string{"deployments"}, Scope: &allScopes},
},
}, {
RuleWithOperations: v1alpha1.RuleWithOperations{
RuleWithOperations: v1beta1.RuleWithOperations{
Operations: []v1.OperationType{"*"},
Rule: v1.Rule{APIGroups: []string{"apps"}, APIVersions: []string{"v1beta1"}, Resources: []string{"deployments"}, Scope: &allScopes},
},
@ -189,17 +189,17 @@ func TestMatcher(t *testing.T) {
},
{
name: "specific rules, equivalent match, prefer extensions",
criteria: &v1alpha1.MatchResources{
criteria: &v1beta1.MatchResources{
MatchPolicy: &equivalentMatch,
NamespaceSelector: &metav1.LabelSelector{},
ObjectSelector: &metav1.LabelSelector{},
ResourceRules: []v1alpha1.NamedRuleWithOperations{{
RuleWithOperations: v1alpha1.RuleWithOperations{
ResourceRules: []v1beta1.NamedRuleWithOperations{{
RuleWithOperations: v1beta1.RuleWithOperations{
Operations: []v1.OperationType{"*"},
Rule: v1.Rule{APIGroups: []string{"extensions"}, APIVersions: []string{"v1beta1"}, Resources: []string{"deployments"}, Scope: &allScopes},
},
}, {
RuleWithOperations: v1alpha1.RuleWithOperations{
RuleWithOperations: v1beta1.RuleWithOperations{
Operations: []v1.OperationType{"*"},
Rule: v1.Rule{APIGroups: []string{"apps"}, APIVersions: []string{"v1beta1"}, Resources: []string{"deployments"}, Scope: &allScopes},
},
@ -210,17 +210,17 @@ func TestMatcher(t *testing.T) {
},
{
name: "specific rules, equivalent match, prefer apps",
criteria: &v1alpha1.MatchResources{
criteria: &v1beta1.MatchResources{
MatchPolicy: &equivalentMatch,
NamespaceSelector: &metav1.LabelSelector{},
ObjectSelector: &metav1.LabelSelector{},
ResourceRules: []v1alpha1.NamedRuleWithOperations{{
RuleWithOperations: v1alpha1.RuleWithOperations{
ResourceRules: []v1beta1.NamedRuleWithOperations{{
RuleWithOperations: v1beta1.RuleWithOperations{
Operations: []v1.OperationType{"*"},
Rule: v1.Rule{APIGroups: []string{"apps"}, APIVersions: []string{"v1beta1"}, Resources: []string{"deployments"}, Scope: &allScopes},
},
}, {
RuleWithOperations: v1alpha1.RuleWithOperations{
RuleWithOperations: v1beta1.RuleWithOperations{
Operations: []v1.OperationType{"*"},
Rule: v1.Rule{APIGroups: []string{"extensions"}, APIVersions: []string{"v1beta1"}, Resources: []string{"deployments"}, Scope: &allScopes},
},
@ -232,21 +232,21 @@ func TestMatcher(t *testing.T) {
{
name: "specific rules, subresource prefer exact match",
criteria: &v1alpha1.MatchResources{
criteria: &v1beta1.MatchResources{
NamespaceSelector: &metav1.LabelSelector{},
ObjectSelector: &metav1.LabelSelector{},
ResourceRules: []v1alpha1.NamedRuleWithOperations{{
RuleWithOperations: v1alpha1.RuleWithOperations{
ResourceRules: []v1beta1.NamedRuleWithOperations{{
RuleWithOperations: v1beta1.RuleWithOperations{
Operations: []v1.OperationType{"*"},
Rule: v1.Rule{APIGroups: []string{"extensions"}, APIVersions: []string{"v1beta1"}, Resources: []string{"deployments", "deployments/scale"}, Scope: &allScopes},
},
}, {
RuleWithOperations: v1alpha1.RuleWithOperations{
RuleWithOperations: v1beta1.RuleWithOperations{
Operations: []v1.OperationType{"*"},
Rule: v1.Rule{APIGroups: []string{"apps"}, APIVersions: []string{"v1beta1"}, Resources: []string{"deployments", "deployments/scale"}, Scope: &allScopes},
},
}, {
RuleWithOperations: v1alpha1.RuleWithOperations{
RuleWithOperations: v1beta1.RuleWithOperations{
Operations: []v1.OperationType{"*"},
Rule: v1.Rule{APIGroups: []string{"apps"}, APIVersions: []string{"v1"}, Resources: []string{"deployments", "deployments/scale"}, Scope: &allScopes},
},
@ -257,16 +257,16 @@ func TestMatcher(t *testing.T) {
},
{
name: "specific rules, subresource match miss",
criteria: &v1alpha1.MatchResources{
criteria: &v1beta1.MatchResources{
NamespaceSelector: &metav1.LabelSelector{},
ObjectSelector: &metav1.LabelSelector{},
ResourceRules: []v1alpha1.NamedRuleWithOperations{{
RuleWithOperations: v1alpha1.RuleWithOperations{
ResourceRules: []v1beta1.NamedRuleWithOperations{{
RuleWithOperations: v1beta1.RuleWithOperations{
Operations: []v1.OperationType{"*"},
Rule: v1.Rule{APIGroups: []string{"extensions"}, APIVersions: []string{"v1beta1"}, Resources: []string{"deployments", "deployments/scale"}, Scope: &allScopes},
},
}, {
RuleWithOperations: v1alpha1.RuleWithOperations{
RuleWithOperations: v1beta1.RuleWithOperations{
Operations: []v1.OperationType{"*"},
Rule: v1.Rule{APIGroups: []string{"apps"}, APIVersions: []string{"v1beta1"}, Resources: []string{"deployments", "deployments/scale"}, Scope: &allScopes},
},
@ -276,17 +276,17 @@ func TestMatcher(t *testing.T) {
},
{
name: "specific rules, subresource exact match miss",
criteria: &v1alpha1.MatchResources{
criteria: &v1beta1.MatchResources{
MatchPolicy: &exactMatch,
NamespaceSelector: &metav1.LabelSelector{},
ObjectSelector: &metav1.LabelSelector{},
ResourceRules: []v1alpha1.NamedRuleWithOperations{{
RuleWithOperations: v1alpha1.RuleWithOperations{
ResourceRules: []v1beta1.NamedRuleWithOperations{{
RuleWithOperations: v1beta1.RuleWithOperations{
Operations: []v1.OperationType{"*"},
Rule: v1.Rule{APIGroups: []string{"extensions"}, APIVersions: []string{"v1beta1"}, Resources: []string{"deployments", "deployments/scale"}, Scope: &allScopes},
},
}, {
RuleWithOperations: v1alpha1.RuleWithOperations{
RuleWithOperations: v1beta1.RuleWithOperations{
Operations: []v1.OperationType{"*"},
Rule: v1.Rule{APIGroups: []string{"apps"}, APIVersions: []string{"v1beta1"}, Resources: []string{"deployments", "deployments/scale"}, Scope: &allScopes},
},
@ -296,17 +296,17 @@ func TestMatcher(t *testing.T) {
},
{
name: "specific rules, subresource equivalent match, prefer extensions",
criteria: &v1alpha1.MatchResources{
criteria: &v1beta1.MatchResources{
MatchPolicy: &equivalentMatch,
NamespaceSelector: &metav1.LabelSelector{},
ObjectSelector: &metav1.LabelSelector{},
ResourceRules: []v1alpha1.NamedRuleWithOperations{{
RuleWithOperations: v1alpha1.RuleWithOperations{
ResourceRules: []v1beta1.NamedRuleWithOperations{{
RuleWithOperations: v1beta1.RuleWithOperations{
Operations: []v1.OperationType{"*"},
Rule: v1.Rule{APIGroups: []string{"extensions"}, APIVersions: []string{"v1beta1"}, Resources: []string{"deployments", "deployments/scale"}, Scope: &allScopes},
},
}, {
RuleWithOperations: v1alpha1.RuleWithOperations{
RuleWithOperations: v1beta1.RuleWithOperations{
Operations: []v1.OperationType{"*"},
Rule: v1.Rule{APIGroups: []string{"apps"}, APIVersions: []string{"v1beta1"}, Resources: []string{"deployments", "deployments/scale"}, Scope: &allScopes},
},
@ -317,17 +317,17 @@ func TestMatcher(t *testing.T) {
},
{
name: "specific rules, subresource equivalent match, prefer apps",
criteria: &v1alpha1.MatchResources{
criteria: &v1beta1.MatchResources{
MatchPolicy: &equivalentMatch,
NamespaceSelector: &metav1.LabelSelector{},
ObjectSelector: &metav1.LabelSelector{},
ResourceRules: []v1alpha1.NamedRuleWithOperations{{
RuleWithOperations: v1alpha1.RuleWithOperations{
ResourceRules: []v1beta1.NamedRuleWithOperations{{
RuleWithOperations: v1beta1.RuleWithOperations{
Operations: []v1.OperationType{"*"},
Rule: v1.Rule{APIGroups: []string{"apps"}, APIVersions: []string{"v1beta1"}, Resources: []string{"deployments", "deployments/scale"}, Scope: &allScopes},
},
}, {
RuleWithOperations: v1alpha1.RuleWithOperations{
RuleWithOperations: v1beta1.RuleWithOperations{
Operations: []v1.OperationType{"*"},
Rule: v1.Rule{APIGroups: []string{"extensions"}, APIVersions: []string{"v1beta1"}, Resources: []string{"deployments", "deployments/scale"}, Scope: &allScopes},
},
@ -338,12 +338,12 @@ func TestMatcher(t *testing.T) {
},
{
name: "specific rules, prefer exact match and name match",
criteria: &v1alpha1.MatchResources{
criteria: &v1beta1.MatchResources{
NamespaceSelector: &metav1.LabelSelector{},
ObjectSelector: &metav1.LabelSelector{},
ResourceRules: []v1alpha1.NamedRuleWithOperations{{
ResourceRules: []v1beta1.NamedRuleWithOperations{{
ResourceNames: []string{"name"},
RuleWithOperations: v1alpha1.RuleWithOperations{
RuleWithOperations: v1beta1.RuleWithOperations{
Operations: []v1.OperationType{"*"},
Rule: v1.Rule{APIGroups: []string{"apps"}, APIVersions: []string{"v1"}, Resources: []string{"deployments"}, Scope: &allScopes},
},
@ -354,12 +354,12 @@ func TestMatcher(t *testing.T) {
},
{
name: "specific rules, prefer exact match and name match miss",
criteria: &v1alpha1.MatchResources{
criteria: &v1beta1.MatchResources{
NamespaceSelector: &metav1.LabelSelector{},
ObjectSelector: &metav1.LabelSelector{},
ResourceRules: []v1alpha1.NamedRuleWithOperations{{
ResourceRules: []v1beta1.NamedRuleWithOperations{{
ResourceNames: []string{"wrong-name"},
RuleWithOperations: v1alpha1.RuleWithOperations{
RuleWithOperations: v1beta1.RuleWithOperations{
Operations: []v1.OperationType{"*"},
Rule: v1.Rule{APIGroups: []string{"apps"}, APIVersions: []string{"v1"}, Resources: []string{"deployments"}, Scope: &allScopes},
},
@ -369,13 +369,13 @@ func TestMatcher(t *testing.T) {
},
{
name: "specific rules, subresource equivalent match, prefer extensions and name match",
criteria: &v1alpha1.MatchResources{
criteria: &v1beta1.MatchResources{
MatchPolicy: &equivalentMatch,
NamespaceSelector: &metav1.LabelSelector{},
ObjectSelector: &metav1.LabelSelector{},
ResourceRules: []v1alpha1.NamedRuleWithOperations{{
ResourceRules: []v1beta1.NamedRuleWithOperations{{
ResourceNames: []string{"name"},
RuleWithOperations: v1alpha1.RuleWithOperations{
RuleWithOperations: v1beta1.RuleWithOperations{
Operations: []v1.OperationType{"*"},
Rule: v1.Rule{APIGroups: []string{"apps"}, APIVersions: []string{"v1"}, Resources: []string{"deployments", "deployments/scale"}, Scope: &allScopes},
},
@ -386,13 +386,13 @@ func TestMatcher(t *testing.T) {
},
{
name: "specific rules, subresource equivalent match, prefer extensions and name match miss",
criteria: &v1alpha1.MatchResources{
criteria: &v1beta1.MatchResources{
MatchPolicy: &equivalentMatch,
NamespaceSelector: &metav1.LabelSelector{},
ObjectSelector: &metav1.LabelSelector{},
ResourceRules: []v1alpha1.NamedRuleWithOperations{{
ResourceRules: []v1beta1.NamedRuleWithOperations{{
ResourceNames: []string{"wrong-name"},
RuleWithOperations: v1alpha1.RuleWithOperations{
RuleWithOperations: v1beta1.RuleWithOperations{
Operations: []v1.OperationType{"*"},
Rule: v1.Rule{APIGroups: []string{"apps"}, APIVersions: []string{"v1"}, Resources: []string{"deployments", "deployments/scale"}, Scope: &allScopes},
},
@ -402,17 +402,17 @@ func TestMatcher(t *testing.T) {
},
{
name: "exclude resource match on miss",
criteria: &v1alpha1.MatchResources{
criteria: &v1beta1.MatchResources{
NamespaceSelector: &metav1.LabelSelector{},
ObjectSelector: &metav1.LabelSelector{},
ResourceRules: []v1alpha1.NamedRuleWithOperations{{
RuleWithOperations: v1alpha1.RuleWithOperations{
ResourceRules: []v1beta1.NamedRuleWithOperations{{
RuleWithOperations: v1beta1.RuleWithOperations{
Operations: []v1.OperationType{"*"},
Rule: v1.Rule{APIGroups: []string{"*"}, APIVersions: []string{"*"}, Resources: []string{"*"}, Scope: &allScopes},
},
}},
ExcludeResourceRules: []v1alpha1.NamedRuleWithOperations{{
RuleWithOperations: v1alpha1.RuleWithOperations{
ExcludeResourceRules: []v1beta1.NamedRuleWithOperations{{
RuleWithOperations: v1beta1.RuleWithOperations{
Operations: []v1.OperationType{"*"},
Rule: v1.Rule{APIGroups: []string{"extensions"}, APIVersions: []string{"v1beta1"}, Resources: []string{"deployments"}, Scope: &allScopes},
},
@ -424,17 +424,17 @@ func TestMatcher(t *testing.T) {
},
{
name: "exclude resource miss on match",
criteria: &v1alpha1.MatchResources{
criteria: &v1beta1.MatchResources{
NamespaceSelector: &metav1.LabelSelector{},
ObjectSelector: &metav1.LabelSelector{},
ResourceRules: []v1alpha1.NamedRuleWithOperations{{
RuleWithOperations: v1alpha1.RuleWithOperations{
ResourceRules: []v1beta1.NamedRuleWithOperations{{
RuleWithOperations: v1beta1.RuleWithOperations{
Operations: []v1.OperationType{"*"},
Rule: v1.Rule{APIGroups: []string{"*"}, APIVersions: []string{"*"}, Resources: []string{"*"}, Scope: &allScopes},
},
}},
ExcludeResourceRules: []v1alpha1.NamedRuleWithOperations{{
RuleWithOperations: v1alpha1.RuleWithOperations{
ExcludeResourceRules: []v1beta1.NamedRuleWithOperations{{
RuleWithOperations: v1beta1.RuleWithOperations{
Operations: []v1.OperationType{"*"},
Rule: v1.Rule{APIGroups: []string{"extensions"}, APIVersions: []string{"v1beta1"}, Resources: []string{"deployments"}, Scope: &allScopes},
},
@ -445,11 +445,11 @@ func TestMatcher(t *testing.T) {
},
{
name: "treat empty ResourceRules as match",
criteria: &v1alpha1.MatchResources{
criteria: &v1beta1.MatchResources{
NamespaceSelector: &metav1.LabelSelector{},
ObjectSelector: &metav1.LabelSelector{},
ExcludeResourceRules: []v1alpha1.NamedRuleWithOperations{{
RuleWithOperations: v1alpha1.RuleWithOperations{
ExcludeResourceRules: []v1beta1.NamedRuleWithOperations{{
RuleWithOperations: v1beta1.RuleWithOperations{
Operations: []v1.OperationType{"*"},
Rule: v1.Rule{APIGroups: []string{"extensions"}, APIVersions: []string{"v1beta1"}, Resources: []string{"deployments"}, Scope: &allScopes},
},
@ -460,23 +460,23 @@ func TestMatcher(t *testing.T) {
},
{
name: "treat non-empty ResourceRules as no match",
criteria: &v1alpha1.MatchResources{
criteria: &v1beta1.MatchResources{
NamespaceSelector: &metav1.LabelSelector{},
ObjectSelector: &metav1.LabelSelector{},
ResourceRules: []v1alpha1.NamedRuleWithOperations{{}},
ResourceRules: []v1beta1.NamedRuleWithOperations{{}},
},
attrs: admission.NewAttributesRecord(nil, nil, gvk("autoscaling", "v1", "Scale"), "ns", "name", gvr("apps", "v1", "deployments"), "", admission.Create, &metav1.CreateOptions{}, false, nil),
expectMatches: false,
},
{
name: "erroring namespace selector on otherwise non-matching rule doesn't error",
criteria: &v1alpha1.MatchResources{
criteria: &v1beta1.MatchResources{
NamespaceSelector: &metav1.LabelSelector{MatchExpressions: []metav1.LabelSelectorRequirement{{Key: "key ", Operator: "In", Values: []string{"bad value"}}}},
ObjectSelector: &metav1.LabelSelector{},
ResourceRules: []v1alpha1.NamedRuleWithOperations{{
RuleWithOperations: v1alpha1.RuleWithOperations{
Rule: v1alpha1.Rule{APIGroups: []string{"*"}, APIVersions: []string{"*"}, Resources: []string{"deployments"}},
Operations: []v1alpha1.OperationType{"*"},
ResourceRules: []v1beta1.NamedRuleWithOperations{{
RuleWithOperations: v1beta1.RuleWithOperations{
Rule: v1beta1.Rule{APIGroups: []string{"*"}, APIVersions: []string{"*"}, Resources: []string{"deployments"}},
Operations: []v1beta1.OperationType{"*"},
},
}},
},
@ -486,13 +486,13 @@ func TestMatcher(t *testing.T) {
},
{
name: "erroring namespace selector on otherwise matching rule errors",
criteria: &v1alpha1.MatchResources{
criteria: &v1beta1.MatchResources{
NamespaceSelector: &metav1.LabelSelector{MatchExpressions: []metav1.LabelSelectorRequirement{{Key: "key", Operator: "In", Values: []string{"bad value"}}}},
ObjectSelector: &metav1.LabelSelector{},
ResourceRules: []v1alpha1.NamedRuleWithOperations{{
RuleWithOperations: v1alpha1.RuleWithOperations{
Rule: v1alpha1.Rule{APIGroups: []string{"*"}, APIVersions: []string{"*"}, Resources: []string{"pods"}},
Operations: []v1alpha1.OperationType{"*"},
ResourceRules: []v1beta1.NamedRuleWithOperations{{
RuleWithOperations: v1beta1.RuleWithOperations{
Rule: v1beta1.Rule{APIGroups: []string{"*"}, APIVersions: []string{"*"}, Resources: []string{"pods"}},
Operations: []v1beta1.OperationType{"*"},
},
}},
},
@ -502,13 +502,13 @@ func TestMatcher(t *testing.T) {
},
{
name: "erroring object selector on otherwise non-matching rule doesn't error",
criteria: &v1alpha1.MatchResources{
criteria: &v1beta1.MatchResources{
NamespaceSelector: &metav1.LabelSelector{},
ObjectSelector: &metav1.LabelSelector{MatchExpressions: []metav1.LabelSelectorRequirement{{Key: "key", Operator: "In", Values: []string{"bad value"}}}},
ResourceRules: []v1alpha1.NamedRuleWithOperations{{
RuleWithOperations: v1alpha1.RuleWithOperations{
Rule: v1alpha1.Rule{APIGroups: []string{"*"}, APIVersions: []string{"*"}, Resources: []string{"deployments"}},
Operations: []v1alpha1.OperationType{"*"},
ResourceRules: []v1beta1.NamedRuleWithOperations{{
RuleWithOperations: v1beta1.RuleWithOperations{
Rule: v1beta1.Rule{APIGroups: []string{"*"}, APIVersions: []string{"*"}, Resources: []string{"deployments"}},
Operations: []v1beta1.OperationType{"*"},
},
}},
},
@ -518,13 +518,13 @@ func TestMatcher(t *testing.T) {
},
{
name: "erroring object selector on otherwise matching rule errors",
criteria: &v1alpha1.MatchResources{
criteria: &v1beta1.MatchResources{
NamespaceSelector: &metav1.LabelSelector{},
ObjectSelector: &metav1.LabelSelector{MatchExpressions: []metav1.LabelSelectorRequirement{{Key: "key", Operator: "In", Values: []string{"bad value"}}}},
ResourceRules: []v1alpha1.NamedRuleWithOperations{{
RuleWithOperations: v1alpha1.RuleWithOperations{
Rule: v1alpha1.Rule{APIGroups: []string{"*"}, APIVersions: []string{"*"}, Resources: []string{"pods"}},
Operations: []v1alpha1.OperationType{"*"},
ResourceRules: []v1beta1.NamedRuleWithOperations{{
RuleWithOperations: v1beta1.RuleWithOperations{
Rule: v1beta1.Rule{APIGroups: []string{"*"}, APIVersions: []string{"*"}, Resources: []string{"pods"}},
Operations: []v1beta1.OperationType{"*"},
},
}},
},
@ -579,7 +579,7 @@ func (f fakeNamespaceLister) Get(name string) (*corev1.Namespace, error) {
func BenchmarkMatcher(b *testing.B) {
allScopes := v1.AllScopes
equivalentMatch := v1alpha1.Equivalent
equivalentMatch := v1beta1.Equivalent
namespace1Labels := map[string]string{"ns": "ns1"}
namespace1 := corev1.Namespace{
@ -620,19 +620,19 @@ func BenchmarkMatcher(b *testing.B) {
nsSelector[fmt.Sprintf("key-%d", i)] = fmt.Sprintf("val-%d", i)
}
mr := v1alpha1.MatchResources{
mr := v1beta1.MatchResources{
MatchPolicy: &equivalentMatch,
NamespaceSelector: &metav1.LabelSelector{MatchLabels: nsSelector},
ObjectSelector: &metav1.LabelSelector{},
ResourceRules: []v1alpha1.NamedRuleWithOperations{
ResourceRules: []v1beta1.NamedRuleWithOperations{
{
RuleWithOperations: v1alpha1.RuleWithOperations{
RuleWithOperations: v1beta1.RuleWithOperations{
Operations: []v1.OperationType{"*"},
Rule: v1.Rule{APIGroups: []string{"apps"}, APIVersions: []string{"v1beta1"}, Resources: []string{"deployments", "deployments/scale"}, Scope: &allScopes},
},
},
{
RuleWithOperations: v1alpha1.RuleWithOperations{
RuleWithOperations: v1beta1.RuleWithOperations{
Operations: []v1.OperationType{"*"},
Rule: v1.Rule{APIGroups: []string{"extensions"}, APIVersions: []string{"v1beta1"}, Resources: []string{"deployments", "deployments/scale"}, Scope: &allScopes},
},
@ -652,7 +652,7 @@ func BenchmarkMatcher(b *testing.B) {
func BenchmarkShouldCallHookWithComplexRule(b *testing.B) {
allScopes := v1.AllScopes
equivalentMatch := v1alpha1.Equivalent
equivalentMatch := v1beta1.Equivalent
namespace1Labels := map[string]string{"ns": "ns1"}
namespace1 := corev1.Namespace{
@ -688,16 +688,16 @@ func BenchmarkShouldCallHookWithComplexRule(b *testing.B) {
mapper.RegisterKindFor(gvr("apps", "v1beta1", "statefulset"), "scale", gvk("apps", "v1beta1", "Scale"))
mapper.RegisterKindFor(gvr("apps", "v1alpha2", "statefulset"), "scale", gvk("apps", "v1beta2", "Scale"))
mr := v1alpha1.MatchResources{
mr := v1beta1.MatchResources{
MatchPolicy: &equivalentMatch,
NamespaceSelector: &metav1.LabelSelector{MatchLabels: map[string]string{"a": "b"}},
ObjectSelector: &metav1.LabelSelector{},
ResourceRules: []v1alpha1.NamedRuleWithOperations{},
ResourceRules: []v1beta1.NamedRuleWithOperations{},
}
for i := 0; i < 100; i++ {
rule := v1alpha1.NamedRuleWithOperations{
RuleWithOperations: v1alpha1.RuleWithOperations{
rule := v1beta1.NamedRuleWithOperations{
RuleWithOperations: v1beta1.RuleWithOperations{
Operations: []v1.OperationType{"*"},
Rule: v1.Rule{
APIGroups: []string{fmt.Sprintf("app-%d", i)},
@ -722,7 +722,7 @@ func BenchmarkShouldCallHookWithComplexRule(b *testing.B) {
func BenchmarkShouldCallHookWithComplexSelectorAndRule(b *testing.B) {
allScopes := v1.AllScopes
equivalentMatch := v1alpha1.Equivalent
equivalentMatch := v1beta1.Equivalent
namespace1Labels := map[string]string{"ns": "ns1"}
namespace1 := corev1.Namespace{
@ -763,16 +763,16 @@ func BenchmarkShouldCallHookWithComplexSelectorAndRule(b *testing.B) {
nsSelector[fmt.Sprintf("key-%d", i)] = fmt.Sprintf("val-%d", i)
}
mr := v1alpha1.MatchResources{
mr := v1beta1.MatchResources{
MatchPolicy: &equivalentMatch,
NamespaceSelector: &metav1.LabelSelector{MatchLabels: nsSelector},
ObjectSelector: &metav1.LabelSelector{},
ResourceRules: []v1alpha1.NamedRuleWithOperations{},
ResourceRules: []v1beta1.NamedRuleWithOperations{},
}
for i := 0; i < 100; i++ {
rule := v1alpha1.NamedRuleWithOperations{
RuleWithOperations: v1alpha1.RuleWithOperations{
rule := v1beta1.NamedRuleWithOperations{
RuleWithOperations: v1beta1.RuleWithOperations{
Operations: []v1.OperationType{"*"},
Rule: v1.Rule{
APIGroups: []string{fmt.Sprintf("app-%d", i)},

22
staging/src/k8s.io/apiserver/pkg/admission/plugin/validatingadmissionpolicy/typechecking.go
View File

@ -25,7 +25,7 @@ import (
"github.com/google/cel-go/cel"
"k8s.io/api/admissionregistration/v1alpha1"
"k8s.io/api/admissionregistration/v1beta1"
"k8s.io/apimachinery/pkg/api/meta"
"k8s.io/apimachinery/pkg/runtime/schema"
"k8s.io/apimachinery/pkg/util/sets"
@ -102,18 +102,18 @@ func (r *TypeCheckingResult) String() string {
// as []ExpressionWarning that is ready to be set in policy.Status
// The result is nil if type checking returns no warning.
// The policy object is NOT mutated. The caller should update Status accordingly
func (c *TypeChecker) Check(policy *v1alpha1.ValidatingAdmissionPolicy) []v1alpha1.ExpressionWarning {
func (c *TypeChecker) Check(policy *v1beta1.ValidatingAdmissionPolicy) []v1beta1.ExpressionWarning {
ctx := c.CreateContext(policy)
// warnings to return, note that the capacity is optimistically set to zero
var warnings []v1alpha1.ExpressionWarning // intentionally not setting capacity
var warnings []v1beta1.ExpressionWarning // intentionally not setting capacity
// check main validation expressions and their message expressions, located in spec.validations[*]
fieldRef := field.NewPath("spec", "validations")
for i, v := range policy.Spec.Validations {
results := c.CheckExpression(ctx, v.Expression)
if len(results) != 0 {
warnings = append(warnings, v1alpha1.ExpressionWarning{
warnings = append(warnings, v1beta1.ExpressionWarning{
FieldRef: fieldRef.Index(i).Child("expression").String(),
Warning: results.String(),
})
@ -124,7 +124,7 @@ func (c *TypeChecker) Check(policy *v1alpha1.ValidatingAdmissionPolicy) []v1alph
}
results = c.CheckExpression(ctx, v.MessageExpression)
if len(results) != 0 {
warnings = append(warnings, v1alpha1.ExpressionWarning{
warnings = append(warnings, v1beta1.ExpressionWarning{
FieldRef: fieldRef.Index(i).Child("messageExpression").String(),
Warning: results.String(),
})
@ -135,7 +135,7 @@ func (c *TypeChecker) Check(policy *v1alpha1.ValidatingAdmissionPolicy) []v1alph
}
// CreateContext resolves all types and their schemas from a policy definition and creates the context.
func (c *TypeChecker) CreateContext(policy *v1alpha1.ValidatingAdmissionPolicy) *TypeCheckingContext {
func (c *TypeChecker) CreateContext(policy *v1beta1.ValidatingAdmissionPolicy) *TypeCheckingContext {
ctx := new(TypeCheckingContext)
allGvks := c.typesToCheck(policy)
gvks := make([]schema.GroupVersionKind, 0, len(allGvks))
@ -203,7 +203,7 @@ func (c *TypeChecker) declType(gvk schema.GroupVersionKind) (*apiservercel.DeclT
return common.SchemaDeclType(&openapi.Schema{Schema: s}, true).MaybeAssignTypeName(generateUniqueTypeName(gvk.Kind)), nil
}
func (c *TypeChecker) paramsGVK(policy *v1alpha1.ValidatingAdmissionPolicy) schema.GroupVersionKind {
func (c *TypeChecker) paramsGVK(policy *v1beta1.ValidatingAdmissionPolicy) schema.GroupVersionKind {
if policy.Spec.ParamKind == nil {
return schema.GroupVersionKind{}
}
@ -233,7 +233,7 @@ func (c *TypeChecker) checkExpression(expression string, hasParams, hasAuthorize
// typesToCheck extracts a list of GVKs that needs type checking from the policy
// the result is sorted in the order of Group, Version, and Kind
func (c *TypeChecker) typesToCheck(p *v1alpha1.ValidatingAdmissionPolicy) []schema.GroupVersionKind {
func (c *TypeChecker) typesToCheck(p *v1beta1.ValidatingAdmissionPolicy) []schema.GroupVersionKind {
gvks := sets.New[schema.GroupVersionKind]()
if p.Spec.MatchConstraints == nil || len(p.Spec.MatchConstraints.ResourceRules) == 0 {
return nil
@ -294,7 +294,7 @@ func (c *TypeChecker) typesToCheck(p *v1alpha1.ValidatingAdmissionPolicy) []sche
return sortGVKList(gvks.UnsortedList())
}
func extractGroups(rule *v1alpha1.Rule) []string {
func extractGroups(rule *v1beta1.Rule) []string {
groups := make([]string, 0, len(rule.APIGroups))
for _, group := range rule.APIGroups {
// give up if wildcard
@ -306,7 +306,7 @@ func extractGroups(rule *v1alpha1.Rule) []string {
return groups
}
func extractVersions(rule *v1alpha1.Rule) []string {
func extractVersions(rule *v1beta1.Rule) []string {
versions := make([]string, 0, len(rule.APIVersions))
for _, version := range rule.APIVersions {
if strings.ContainsAny(version, "*") {
@ -317,7 +317,7 @@ func extractVersions(rule *v1alpha1.Rule) []string {
return versions
}
func extractResources(rule *v1alpha1.Rule) []string {
func extractResources(rule *v1beta1.Rule) []string {
resources := make([]string, 0, len(rule.Resources))
for _, resource := range rule.Resources {
// skip wildcard and subresources

126
staging/src/k8s.io/apiserver/pkg/admission/plugin/validatingadmissionpolicy/typechecking_test.go
View File

@ -22,7 +22,7 @@ import (
"strings"
"testing"
"k8s.io/api/admissionregistration/v1alpha1"
"k8s.io/api/admissionregistration/v1beta1"
appsv1 "k8s.io/api/apps/v1"
corev1 "k8s.io/api/core/v1"
"k8s.io/apimachinery/pkg/api/meta"
@ -34,21 +34,21 @@ import (
func TestExtractTypeNames(t *testing.T) {
for _, tc := range []struct {
name string
policy *v1alpha1.ValidatingAdmissionPolicy
policy *v1beta1.ValidatingAdmissionPolicy
expected []schema.GroupVersionKind // must be sorted
}{
{
name: "empty",
policy: &v1alpha1.ValidatingAdmissionPolicy{},
policy: &v1beta1.ValidatingAdmissionPolicy{},
expected: nil,
},
{
name: "specific",
policy: &v1alpha1.ValidatingAdmissionPolicy{Spec: v1alpha1.ValidatingAdmissionPolicySpec{
MatchConstraints: &v1alpha1.MatchResources{ResourceRules: []v1alpha1.NamedRuleWithOperations{
policy: &v1beta1.ValidatingAdmissionPolicy{Spec: v1beta1.ValidatingAdmissionPolicySpec{
MatchConstraints: &v1beta1.MatchResources{ResourceRules: []v1beta1.NamedRuleWithOperations{
{
RuleWithOperations: v1alpha1.RuleWithOperations{
Rule: v1alpha1.Rule{
RuleWithOperations: v1beta1.RuleWithOperations{
Rule: v1beta1.Rule{
APIGroups: []string{"apps"},
APIVersions: []string{"v1"},
Resources: []string{"deployments"},
@ -65,19 +65,19 @@ func TestExtractTypeNames(t *testing.T) {
},
{
name: "multiple",
policy: &v1alpha1.ValidatingAdmissionPolicy{Spec: v1alpha1.ValidatingAdmissionPolicySpec{
MatchConstraints: &v1alpha1.MatchResources{ResourceRules: []v1alpha1.NamedRuleWithOperations{
policy: &v1beta1.ValidatingAdmissionPolicy{Spec: v1beta1.ValidatingAdmissionPolicySpec{
MatchConstraints: &v1beta1.MatchResources{ResourceRules: []v1beta1.NamedRuleWithOperations{
{
RuleWithOperations: v1alpha1.RuleWithOperations{
Rule: v1alpha1.Rule{
RuleWithOperations: v1beta1.RuleWithOperations{
Rule: v1beta1.Rule{
APIGroups: []string{"apps"},
APIVersions: []string{"v1"},
Resources: []string{"deployments"},
},
},
}, {
RuleWithOperations: v1alpha1.RuleWithOperations{
Rule: v1alpha1.Rule{
RuleWithOperations: v1beta1.RuleWithOperations{
Rule: v1beta1.Rule{
APIGroups: []string{""},
APIVersions: []string{"v1"},
Resources: []string{"pods"},
@ -98,11 +98,11 @@ func TestExtractTypeNames(t *testing.T) {
},
{
name: "all resources",
policy: &v1alpha1.ValidatingAdmissionPolicy{Spec: v1alpha1.ValidatingAdmissionPolicySpec{
MatchConstraints: &v1alpha1.MatchResources{ResourceRules: []v1alpha1.NamedRuleWithOperations{
policy: &v1beta1.ValidatingAdmissionPolicy{Spec: v1beta1.ValidatingAdmissionPolicySpec{
MatchConstraints: &v1beta1.MatchResources{ResourceRules: []v1beta1.NamedRuleWithOperations{
{
RuleWithOperations: v1alpha1.RuleWithOperations{
Rule: v1alpha1.Rule{
RuleWithOperations: v1beta1.RuleWithOperations{
Rule: v1beta1.Rule{
APIGroups: []string{"apps"},
APIVersions: []string{"v1"},
Resources: []string{"*"},
@ -115,11 +115,11 @@ func TestExtractTypeNames(t *testing.T) {
},
{
name: "sub resources",
policy: &v1alpha1.ValidatingAdmissionPolicy{Spec: v1alpha1.ValidatingAdmissionPolicySpec{
MatchConstraints: &v1alpha1.MatchResources{ResourceRules: []v1alpha1.NamedRuleWithOperations{
policy: &v1beta1.ValidatingAdmissionPolicy{Spec: v1beta1.ValidatingAdmissionPolicySpec{
MatchConstraints: &v1beta1.MatchResources{ResourceRules: []v1beta1.NamedRuleWithOperations{
{
RuleWithOperations: v1alpha1.RuleWithOperations{
Rule: v1alpha1.Rule{
RuleWithOperations: v1beta1.RuleWithOperations{
Rule: v1beta1.Rule{
APIGroups: []string{"apps"},
APIVersions: []string{"v1"},
Resources: []string{"pods/*"},
@ -132,11 +132,11 @@ func TestExtractTypeNames(t *testing.T) {
},
{
name: "mixtures",
policy: &v1alpha1.ValidatingAdmissionPolicy{Spec: v1alpha1.ValidatingAdmissionPolicySpec{
MatchConstraints: &v1alpha1.MatchResources{ResourceRules: []v1alpha1.NamedRuleWithOperations{
policy: &v1beta1.ValidatingAdmissionPolicy{Spec: v1beta1.ValidatingAdmissionPolicySpec{
MatchConstraints: &v1beta1.MatchResources{ResourceRules: []v1beta1.NamedRuleWithOperations{
{
RuleWithOperations: v1alpha1.RuleWithOperations{
Rule: v1alpha1.Rule{
RuleWithOperations: v1beta1.RuleWithOperations{
Rule: v1beta1.Rule{
APIGroups: []string{"apps"},
APIVersions: []string{"v1"},
Resources: []string{"deployments"},
@ -144,8 +144,8 @@ func TestExtractTypeNames(t *testing.T) {
},
},
{
RuleWithOperations: v1alpha1.RuleWithOperations{
Rule: v1alpha1.Rule{
RuleWithOperations: v1beta1.RuleWithOperations{
Rule: v1beta1.Rule{
APIGroups: []string{"apps"},
APIVersions: []string{"*"},
Resources: []string{"deployments"},
@ -172,16 +172,16 @@ func TestExtractTypeNames(t *testing.T) {
}
func TestTypeCheck(t *testing.T) {
deploymentPolicy := &v1alpha1.ValidatingAdmissionPolicy{Spec: v1alpha1.ValidatingAdmissionPolicySpec{
Validations: []v1alpha1.Validation{
deploymentPolicy := &v1beta1.ValidatingAdmissionPolicy{Spec: v1beta1.ValidatingAdmissionPolicySpec{
Validations: []v1beta1.Validation{
{
Expression: "object.foo == 'bar'",
},
},
MatchConstraints: &v1alpha1.MatchResources{ResourceRules: []v1alpha1.NamedRuleWithOperations{
MatchConstraints: &v1beta1.MatchResources{ResourceRules: []v1beta1.NamedRuleWithOperations{
{
RuleWithOperations: v1alpha1.RuleWithOperations{
Rule: v1alpha1.Rule{
RuleWithOperations: v1beta1.RuleWithOperations{
Rule: v1beta1.Rule{
APIGroups: []string{"apps"},
APIVersions: []string{"v1"},
Resources: []string{"deployments"},
@ -194,8 +194,8 @@ func TestTypeCheck(t *testing.T) {
deploymentPolicyWithBadMessageExpression := deploymentPolicy.DeepCopy()
deploymentPolicyWithBadMessageExpression.Spec.Validations[0].MessageExpression = "object.foo + 114514" // confusion
multiExpressionPolicy := &v1alpha1.ValidatingAdmissionPolicy{Spec: v1alpha1.ValidatingAdmissionPolicySpec{
Validations: []v1alpha1.Validation{
multiExpressionPolicy := &v1beta1.ValidatingAdmissionPolicy{Spec: v1beta1.ValidatingAdmissionPolicySpec{
Validations: []v1beta1.Validation{
{
Expression: "object.foo == 'bar'",
},
@ -203,10 +203,10 @@ func TestTypeCheck(t *testing.T) {
Expression: "object.bar == 'foo'",
},
},
MatchConstraints: &v1alpha1.MatchResources{ResourceRules: []v1alpha1.NamedRuleWithOperations{
MatchConstraints: &v1beta1.MatchResources{ResourceRules: []v1beta1.NamedRuleWithOperations{
{
RuleWithOperations: v1alpha1.RuleWithOperations{
Rule: v1alpha1.Rule{
RuleWithOperations: v1beta1.RuleWithOperations{
Rule: v1beta1.Rule{
APIGroups: []string{"apps"},
APIVersions: []string{"v1"},
Resources: []string{"deployments"},
@ -215,20 +215,20 @@ func TestTypeCheck(t *testing.T) {
},
}},
}}
paramsRefPolicy := &v1alpha1.ValidatingAdmissionPolicy{Spec: v1alpha1.ValidatingAdmissionPolicySpec{
ParamKind: &v1alpha1.ParamKind{
paramsRefPolicy := &v1beta1.ValidatingAdmissionPolicy{Spec: v1beta1.ValidatingAdmissionPolicySpec{
ParamKind: &v1beta1.ParamKind{
APIVersion: "v1",
Kind: "DoesNotMatter",
},
Validations: []v1alpha1.Validation{
Validations: []v1beta1.Validation{
{
Expression: "object.foo == params.bar",
},
},
MatchConstraints: &v1alpha1.MatchResources{ResourceRules: []v1alpha1.NamedRuleWithOperations{
MatchConstraints: &v1beta1.MatchResources{ResourceRules: []v1beta1.NamedRuleWithOperations{
{
RuleWithOperations: v1alpha1.RuleWithOperations{
Rule: v1alpha1.Rule{
RuleWithOperations: v1beta1.RuleWithOperations{
Rule: v1beta1.Rule{
APIGroups: []string{"apps"},
APIVersions: []string{"v1"},
Resources: []string{"deployments"},
@ -237,16 +237,16 @@ func TestTypeCheck(t *testing.T) {
},
}},
}}
authorizerPolicy := &v1alpha1.ValidatingAdmissionPolicy{Spec: v1alpha1.ValidatingAdmissionPolicySpec{
Validations: []v1alpha1.Validation{
authorizerPolicy := &v1beta1.ValidatingAdmissionPolicy{Spec: v1beta1.ValidatingAdmissionPolicySpec{
Validations: []v1beta1.Validation{
{
Expression: "authorizer.group('').resource('endpoints').check('create').allowed()",
},
},
MatchConstraints: &v1alpha1.MatchResources{ResourceRules: []v1alpha1.NamedRuleWithOperations{
MatchConstraints: &v1beta1.MatchResources{ResourceRules: []v1beta1.NamedRuleWithOperations{
{
RuleWithOperations: v1alpha1.RuleWithOperations{
Rule: v1alpha1.Rule{
RuleWithOperations: v1beta1.RuleWithOperations{
Rule: v1beta1.Rule{
APIGroups: []string{"apps"},
APIVersions: []string{"v1"},
Resources: []string{"deployments"},
@ -255,16 +255,16 @@ func TestTypeCheck(t *testing.T) {
},
}},
}}
authorizerInvalidPolicy := &v1alpha1.ValidatingAdmissionPolicy{Spec: v1alpha1.ValidatingAdmissionPolicySpec{
Validations: []v1alpha1.Validation{
authorizerInvalidPolicy := &v1beta1.ValidatingAdmissionPolicy{Spec: v1beta1.ValidatingAdmissionPolicySpec{
Validations: []v1beta1.Validation{
{
Expression: "authorizer.allowed()",
},
},
MatchConstraints: &v1alpha1.MatchResources{ResourceRules: []v1alpha1.NamedRuleWithOperations{
MatchConstraints: &v1beta1.MatchResources{ResourceRules: []v1beta1.NamedRuleWithOperations{
{
RuleWithOperations: v1alpha1.RuleWithOperations{
Rule: v1alpha1.Rule{
RuleWithOperations: v1beta1.RuleWithOperations{
Rule: v1beta1.Rule{
APIGroups: []string{"apps"},
APIVersions: []string{"v1"},
Resources: []string{"deployments"},
@ -276,12 +276,12 @@ func TestTypeCheck(t *testing.T) {
for _, tc := range []struct {
name string
schemaToReturn *spec.Schema
policy *v1alpha1.ValidatingAdmissionPolicy
policy *v1beta1.ValidatingAdmissionPolicy
assertions []assertionFunc
}{
{
name: "empty",
policy: &v1alpha1.ValidatingAdmissionPolicy{},
policy: &v1beta1.ValidatingAdmissionPolicy{},
assertions: []assertionFunc{toBeEmpty},
},
{
@ -451,14 +451,14 @@ func (r *fakeSchemaResolver) ResolveSchema(gvk schema.GroupVersionKind) (*spec.S
return r.schemaToReturn, nil
}
func toBeEmpty(warnings []v1alpha1.ExpressionWarning, t *testing.T) {
func toBeEmpty(warnings []v1beta1.ExpressionWarning, t *testing.T) {
if len(warnings) != 0 {
t.Fatalf("expected empty but got %v", warnings)
}
}
func toContain(substring string) func(warnings []v1alpha1.ExpressionWarning, t *testing.T) {
return func(warnings []v1alpha1.ExpressionWarning, t *testing.T) {
func toContain(substring string) func(warnings []v1beta1.ExpressionWarning, t *testing.T) {
return func(warnings []v1beta1.ExpressionWarning, t *testing.T) {
if len(warnings) == 0 {
t.Errorf("expected containing %q but got empty", substring)
}
@ -470,8 +470,8 @@ func toContain(substring string) func(warnings []v1alpha1.ExpressionWarning, t *
}
}
func toHaveLengthOf(expected int) func(warnings []v1alpha1.ExpressionWarning, t *testing.T) {
return func(warnings []v1alpha1.ExpressionWarning, t *testing.T) {
func toHaveLengthOf(expected int) func(warnings []v1beta1.ExpressionWarning, t *testing.T) {
return func(warnings []v1beta1.ExpressionWarning, t *testing.T) {
got := len(warnings)
if expected != got {
t.Errorf("expect warnings to have length of %d, but got %d", expected, got)
@ -479,8 +479,8 @@ func toHaveLengthOf(expected int) func(warnings []v1alpha1.ExpressionWarning, t
}
}
func toHaveFieldRef(paths ...string) func(warnings []v1alpha1.ExpressionWarning, t *testing.T) {
return func(warnings []v1alpha1.ExpressionWarning, t *testing.T) {
func toHaveFieldRef(paths ...string) func(warnings []v1beta1.ExpressionWarning, t *testing.T) {
return func(warnings []v1beta1.ExpressionWarning, t *testing.T) {
if len(paths) != len(warnings) {
t.Errorf("expect warnings to have length of %d, but got %d", len(paths), len(warnings))
}
@ -492,4 +492,4 @@ func toHaveFieldRef(paths ...string) func(warnings []v1alpha1.ExpressionWarning,
}
}
type assertionFunc func(warnings []v1alpha1.ExpressionWarning, t *testing.T)
type assertionFunc func(warnings []v1beta1.ExpressionWarning, t *testing.T)

84
test/e2e/apimachinery/validatingadmissionpolicy.go
View File

@ -25,7 +25,7 @@ import (
"github.com/onsi/gomega"
admissionregistrationv1 "k8s.io/api/admissionregistration/v1"
admissionregistrationv1alpha1 "k8s.io/api/admissionregistration/v1alpha1"
admissionregistrationv1beta1 "k8s.io/api/admissionregistration/v1beta1"
appsv1 "k8s.io/api/apps/v1"
v1 "k8s.io/api/core/v1"
apierrors "k8s.io/apimachinery/pkg/api/errors"
@ -46,10 +46,10 @@ var _ = SIGDescribe("ValidatingAdmissionPolicy [Privileged:ClusterAdmin][Alpha][
var err error
client, err = clientset.NewForConfig(f.ClientConfig())
framework.ExpectNoError(err, "initializing client")
_, err = client.AdmissionregistrationV1alpha1().ValidatingAdmissionPolicies().List(context.Background(), metav1.ListOptions{})
_, err = client.AdmissionregistrationV1beta1().ValidatingAdmissionPolicies().List(context.Background(), metav1.ListOptions{})
if apierrors.IsNotFound(err) {
// TODO: feature check should fail after GA graduation
ginkgo.Skip(fmt.Sprintf("server does not support ValidatingAdmissionPolicy v1alpha1: %v, feature gate not enabled?", err))
ginkgo.Skip(fmt.Sprintf("server does not support ValidatingAdmissionPolicy v1beta1: %v, feature gate not enabled?", err))
}
})
@ -68,25 +68,25 @@ var _ = SIGDescribe("ValidatingAdmissionPolicy [Privileged:ClusterAdmin][Alpha][
StartResourceRule().
MatchResource([]string{"apps"}, []string{"v1"}, []string{"deployments"}).
EndResourceRule().
WithValidation(admissionregistrationv1alpha1.Validation{
WithValidation(admissionregistrationv1beta1.Validation{
Expression: "object.spec.replicas > 1",
MessageExpression: "'wants replicas > 1, got ' + object.spec.replicas",
}).
WithValidation(admissionregistrationv1alpha1.Validation{
WithValidation(admissionregistrationv1beta1.Validation{
Expression: "namespaceObject.metadata.name == '" + f.UniqueName + "'",
Message: "Internal error! Other namespace should not be allowed.",
}).
Build()
policy, err := client.AdmissionregistrationV1alpha1().ValidatingAdmissionPolicies().Create(ctx, policy, metav1.CreateOptions{})
policy, err := client.AdmissionregistrationV1beta1().ValidatingAdmissionPolicies().Create(ctx, policy, metav1.CreateOptions{})
framework.ExpectNoError(err, "create policy")
ginkgo.DeferCleanup(func(ctx context.Context, name string) error {
return client.AdmissionregistrationV1alpha1().ValidatingAdmissionPolicies().Delete(ctx, name, metav1.DeleteOptions{})
return client.AdmissionregistrationV1beta1().ValidatingAdmissionPolicies().Delete(ctx, name, metav1.DeleteOptions{})
}, policy.Name)
binding := createBinding(f.UniqueName+".binding.example.com", f.UniqueName, policy.Name)
binding, err = client.AdmissionregistrationV1alpha1().ValidatingAdmissionPolicyBindings().Create(ctx, binding, metav1.CreateOptions{})
binding, err = client.AdmissionregistrationV1beta1().ValidatingAdmissionPolicyBindings().Create(ctx, binding, metav1.CreateOptions{})
framework.ExpectNoError(err, "create policy binding")
ginkgo.DeferCleanup(func(ctx context.Context, name string) error {
return client.AdmissionregistrationV1alpha1().ValidatingAdmissionPolicyBindings().Delete(ctx, name, metav1.DeleteOptions{})
return client.AdmissionregistrationV1beta1().ValidatingAdmissionPolicyBindings().Delete(ctx, name, metav1.DeleteOptions{})
}, binding.Name)
})
ginkgo.By("waiting until the marker is denied", func() {
@ -119,27 +119,27 @@ var _ = SIGDescribe("ValidatingAdmissionPolicy [Privileged:ClusterAdmin][Alpha][
})
ginkgo.It("should type check validation expressions", func(ctx context.Context) {
var policy *admissionregistrationv1alpha1.ValidatingAdmissionPolicy
var policy *admissionregistrationv1beta1.ValidatingAdmissionPolicy
ginkgo.By("creating the policy with correct types", func() {
policy = newValidatingAdmissionPolicyBuilder(f.UniqueName+".correct-policy.example.com").
MatchUniqueNamespace(f.UniqueName).
StartResourceRule().
MatchResource([]string{"apps"}, []string{"v1"}, []string{"deployments"}).
EndResourceRule().
WithValidation(admissionregistrationv1alpha1.Validation{
WithValidation(admissionregistrationv1beta1.Validation{
Expression: "object.spec.replicas > 1",
}).
Build()
var err error
policy, err = client.AdmissionregistrationV1alpha1().ValidatingAdmissionPolicies().Create(ctx, policy, metav1.CreateOptions{})
policy, err = client.AdmissionregistrationV1beta1().ValidatingAdmissionPolicies().Create(ctx, policy, metav1.CreateOptions{})
framework.ExpectNoError(err, "create policy")
ginkgo.DeferCleanup(func(ctx context.Context, name string) error {
return client.AdmissionregistrationV1alpha1().ValidatingAdmissionPolicies().Delete(ctx, name, metav1.DeleteOptions{})
return client.AdmissionregistrationV1beta1().ValidatingAdmissionPolicies().Delete(ctx, name, metav1.DeleteOptions{})
}, policy.Name)
})
ginkgo.By("waiting for the type check to finish without any warnings", func() {
err := wait.PollUntilContextCancel(ctx, 100*time.Millisecond, true, func(ctx context.Context) (done bool, err error) {
policy, err = client.AdmissionregistrationV1alpha1().ValidatingAdmissionPolicies().Get(ctx, policy.Name, metav1.GetOptions{})
policy, err = client.AdmissionregistrationV1beta1().ValidatingAdmissionPolicies().Get(ctx, policy.Name, metav1.GetOptions{})
if err != nil {
return false, err
}
@ -157,21 +157,21 @@ var _ = SIGDescribe("ValidatingAdmissionPolicy [Privileged:ClusterAdmin][Alpha][
StartResourceRule().
MatchResource([]string{"apps"}, []string{"v1"}, []string{"deployments"}).
EndResourceRule().
WithValidation(admissionregistrationv1alpha1.Validation{
WithValidation(admissionregistrationv1beta1.Validation{
Expression: "object.spec.replicas > '1'", // confusion: int > string
MessageExpression: "'wants replicas > 1, got ' + object.spec.replicas", // confusion: string + int
}).
Build()
var err error
policy, err = client.AdmissionregistrationV1alpha1().ValidatingAdmissionPolicies().Create(ctx, policy, metav1.CreateOptions{})
policy, err = client.AdmissionregistrationV1beta1().ValidatingAdmissionPolicies().Create(ctx, policy, metav1.CreateOptions{})
framework.ExpectNoError(err, "create policy")
ginkgo.DeferCleanup(func(ctx context.Context, name string) error {
return client.AdmissionregistrationV1alpha1().ValidatingAdmissionPolicies().Delete(ctx, name, metav1.DeleteOptions{})
return client.AdmissionregistrationV1beta1().ValidatingAdmissionPolicies().Delete(ctx, name, metav1.DeleteOptions{})
}, policy.Name)
})
ginkgo.By("waiting for the type check to finish with warnings", func() {
err := wait.PollUntilContextCancel(ctx, 100*time.Millisecond, true, func(ctx context.Context) (done bool, err error) {
policy, err = client.AdmissionregistrationV1alpha1().ValidatingAdmissionPolicies().Get(ctx, policy.Name, metav1.GetOptions{})
policy, err = client.AdmissionregistrationV1beta1().ValidatingAdmissionPolicies().Get(ctx, policy.Name, metav1.GetOptions{})
if err != nil {
return false, err
}
@ -200,28 +200,28 @@ var _ = SIGDescribe("ValidatingAdmissionPolicy [Privileged:ClusterAdmin][Alpha][
StartResourceRule().
MatchResource([]string{"apps"}, []string{"v1"}, []string{"deployments"}).
EndResourceRule().
WithVariable(admissionregistrationv1alpha1.Variable{
WithVariable(admissionregistrationv1beta1.Variable{
Name: "replicas",
Expression: "object.spec.replicas",
}).
WithVariable(admissionregistrationv1alpha1.Variable{
WithVariable(admissionregistrationv1beta1.Variable{
Name: "replicasReminder", // a bit artificial but good for testing purpose
Expression: "variables.replicas % 2",
}).
WithValidation(admissionregistrationv1alpha1.Validation{
WithValidation(admissionregistrationv1beta1.Validation{
Expression: "variables.replicas > 1 && variables.replicasReminder == 1",
}).
Build()
policy, err := client.AdmissionregistrationV1alpha1().ValidatingAdmissionPolicies().Create(ctx, policy, metav1.CreateOptions{})
policy, err := client.AdmissionregistrationV1beta1().ValidatingAdmissionPolicies().Create(ctx, policy, metav1.CreateOptions{})
framework.ExpectNoError(err, "create policy")
ginkgo.DeferCleanup(func(ctx context.Context, name string) error {
return client.AdmissionregistrationV1alpha1().ValidatingAdmissionPolicies().Delete(ctx, name, metav1.DeleteOptions{})
return client.AdmissionregistrationV1beta1().ValidatingAdmissionPolicies().Delete(ctx, name, metav1.DeleteOptions{})
}, policy.Name)
binding := createBinding(f.UniqueName+".binding.example.com", f.UniqueName, policy.Name)
binding, err = client.AdmissionregistrationV1alpha1().ValidatingAdmissionPolicyBindings().Create(ctx, binding, metav1.CreateOptions{})
binding, err = client.AdmissionregistrationV1beta1().ValidatingAdmissionPolicyBindings().Create(ctx, binding, metav1.CreateOptions{})
framework.ExpectNoError(err, "create policy binding")
ginkgo.DeferCleanup(func(ctx context.Context, name string) error {
return client.AdmissionregistrationV1alpha1().ValidatingAdmissionPolicyBindings().Delete(ctx, name, metav1.DeleteOptions{})
return client.AdmissionregistrationV1beta1().ValidatingAdmissionPolicyBindings().Delete(ctx, name, metav1.DeleteOptions{})
}, binding.Name)
})
ginkgo.By("waiting until the marker is denied", func() {
@ -254,17 +254,17 @@ var _ = SIGDescribe("ValidatingAdmissionPolicy [Privileged:ClusterAdmin][Alpha][
})
})
func createBinding(bindingName string, uniqueLabel string, policyName string) *admissionregistrationv1alpha1.ValidatingAdmissionPolicyBinding {
return &admissionregistrationv1alpha1.ValidatingAdmissionPolicyBinding{
func createBinding(bindingName string, uniqueLabel string, policyName string) *admissionregistrationv1beta1.ValidatingAdmissionPolicyBinding {
return &admissionregistrationv1beta1.ValidatingAdmissionPolicyBinding{
ObjectMeta: metav1.ObjectMeta{Name: bindingName},
Spec: admissionregistrationv1alpha1.ValidatingAdmissionPolicyBindingSpec{
Spec: admissionregistrationv1beta1.ValidatingAdmissionPolicyBindingSpec{
PolicyName: policyName,
MatchResources: &admissionregistrationv1alpha1.MatchResources{
MatchResources: &admissionregistrationv1beta1.MatchResources{
NamespaceSelector: &metav1.LabelSelector{
MatchLabels: map[string]string{uniqueLabel: "true"},
},
},
ValidationActions: []admissionregistrationv1alpha1.ValidationAction{admissionregistrationv1alpha1.Deny},
ValidationActions: []admissionregistrationv1beta1.ValidationAction{admissionregistrationv1beta1.Deny},
},
}
}
@ -324,17 +324,17 @@ func basicReplicaSet(name string, replicas int32) *appsv1.ReplicaSet {
}
type validatingAdmissionPolicyBuilder struct {
policy *admissionregistrationv1alpha1.ValidatingAdmissionPolicy
policy *admissionregistrationv1beta1.ValidatingAdmissionPolicy
}
type resourceRuleBuilder struct {
policyBuilder *validatingAdmissionPolicyBuilder
resourceRule *admissionregistrationv1alpha1.NamedRuleWithOperations
resourceRule *admissionregistrationv1beta1.NamedRuleWithOperations
}
func newValidatingAdmissionPolicyBuilder(policyName string) *validatingAdmissionPolicyBuilder {
return &validatingAdmissionPolicyBuilder{
policy: &admissionregistrationv1alpha1.ValidatingAdmissionPolicy{
policy: &admissionregistrationv1beta1.ValidatingAdmissionPolicy{
ObjectMeta: metav1.ObjectMeta{Name: policyName},
},
}
@ -342,7 +342,7 @@ func newValidatingAdmissionPolicyBuilder(policyName string) *validatingAdmission
func (b *validatingAdmissionPolicyBuilder) MatchUniqueNamespace(uniqueLabel string) *validatingAdmissionPolicyBuilder {
if b.policy.Spec.MatchConstraints == nil {
b.policy.Spec.MatchConstraints = &admissionregistrationv1alpha1.MatchResources{}
b.policy.Spec.MatchConstraints = &admissionregistrationv1beta1.MatchResources{}
}
b.policy.Spec.MatchConstraints.NamespaceSelector = &metav1.LabelSelector{
MatchLabels: map[string]string{
@ -355,10 +355,10 @@ func (b *validatingAdmissionPolicyBuilder) MatchUniqueNamespace(uniqueLabel stri
func (b *validatingAdmissionPolicyBuilder) StartResourceRule() *resourceRuleBuilder {
return &resourceRuleBuilder{
policyBuilder: b,
resourceRule: &admissionregistrationv1alpha1.NamedRuleWithOperations{
RuleWithOperations: admissionregistrationv1alpha1.RuleWithOperations{
resourceRule: &admissionregistrationv1beta1.NamedRuleWithOperations{
RuleWithOperations: admissionregistrationv1beta1.RuleWithOperations{
Operations: []admissionregistrationv1.OperationType{admissionregistrationv1.Create, admissionregistrationv1.Update},
Rule: admissionregistrationv1alpha1.Rule{
Rule: admissionregistrationv1beta1.Rule{
APIGroups: []string{"apps"},
APIVersions: []string{"v1"},
Resources: []string{"deployments"},
@ -374,7 +374,7 @@ func (rb *resourceRuleBuilder) CreateAndUpdate() *resourceRuleBuilder {
}
func (rb *resourceRuleBuilder) MatchResource(groups []string, versions []string, resources []string) *resourceRuleBuilder {
rb.resourceRule.Rule = admissionregistrationv1alpha1.Rule{
rb.resourceRule.Rule = admissionregistrationv1beta1.Rule{
APIGroups: groups,
APIVersions: versions,
Resources: resources,
@ -385,22 +385,22 @@ func (rb *resourceRuleBuilder) MatchResource(groups []string, versions []string,
func (rb *resourceRuleBuilder) EndResourceRule() *validatingAdmissionPolicyBuilder {
b := rb.policyBuilder
if b.policy.Spec.MatchConstraints == nil {
b.policy.Spec.MatchConstraints = &admissionregistrationv1alpha1.MatchResources{}
b.policy.Spec.MatchConstraints = &admissionregistrationv1beta1.MatchResources{}
}
b.policy.Spec.MatchConstraints.ResourceRules = append(b.policy.Spec.MatchConstraints.ResourceRules, *rb.resourceRule)
return b
}
func (b *validatingAdmissionPolicyBuilder) WithValidation(validation admissionregistrationv1alpha1.Validation) *validatingAdmissionPolicyBuilder {
func (b *validatingAdmissionPolicyBuilder) WithValidation(validation admissionregistrationv1beta1.Validation) *validatingAdmissionPolicyBuilder {
b.policy.Spec.Validations = append(b.policy.Spec.Validations, validation)
return b
}
func (b *validatingAdmissionPolicyBuilder) WithVariable(variable admissionregistrationv1alpha1.Variable) *validatingAdmissionPolicyBuilder {
func (b *validatingAdmissionPolicyBuilder) WithVariable(variable admissionregistrationv1beta1.Variable) *validatingAdmissionPolicyBuilder {
b.policy.Spec.Variables = append(b.policy.Spec.Variables, variable)
return b
}
func (b *validatingAdmissionPolicyBuilder) Build() *admissionregistrationv1alpha1.ValidatingAdmissionPolicy {
func (b *validatingAdmissionPolicyBuilder) Build() *admissionregistrationv1beta1.ValidatingAdmissionPolicy {
return b.policy
}

385
test/integration/apiserver/cel/validatingadmissionpolicy_test.go
View File

File diff suppressed because it is too large Load Diff