diff --git a/cmd/kube-controller-manager/app/validatingadmissionpolicystatus.go b/cmd/kube-controller-manager/app/validatingadmissionpolicystatus.go index ff6b314e371..10e99b73591 100644 --- a/cmd/kube-controller-manager/app/validatingadmissionpolicystatus.go +++ b/cmd/kube-controller-manager/app/validatingadmissionpolicystatus.go @@ -19,7 +19,7 @@ package app import ( "context" - admissionregistrationv1alpha1 "k8s.io/api/admissionregistration/v1alpha1" + admissionregistrationv1beta1 "k8s.io/api/admissionregistration/v1beta1" pluginvalidatingadmissionpolicy "k8s.io/apiserver/pkg/admission/plugin/validatingadmissionpolicy" "k8s.io/apiserver/pkg/cel/openapi/resolver" "k8s.io/client-go/kubernetes/scheme" @@ -28,7 +28,7 @@ import ( "k8s.io/kubernetes/pkg/generated/openapi" ) -var validatingAdmissionPolicyResource = admissionregistrationv1alpha1.SchemeGroupVersion.WithResource("validatingadmissionpolicies") +var validatingAdmissionPolicyResource = admissionregistrationv1beta1.SchemeGroupVersion.WithResource("validatingadmissionpolicies") func startValidatingAdmissionPolicyStatusController(ctx context.Context, controllerContext ControllerContext) (controller.Interface, bool, error) { // intended check against served resource but not feature gate. @@ -41,8 +41,8 @@ func startValidatingAdmissionPolicyStatusController(ctx context.Context, control RestMapper: controllerContext.RESTMapper, } c, err := validatingadmissionpolicystatus.NewController( - controllerContext.InformerFactory.Admissionregistration().V1alpha1().ValidatingAdmissionPolicies(), - controllerContext.ClientBuilder.ClientOrDie("validatingadmissionpolicy-status-controller").AdmissionregistrationV1alpha1().ValidatingAdmissionPolicies(), + controllerContext.InformerFactory.Admissionregistration().V1beta1().ValidatingAdmissionPolicies(), + controllerContext.ClientBuilder.ClientOrDie("validatingadmissionpolicy-status-controller").AdmissionregistrationV1beta1().ValidatingAdmissionPolicies(), typeChecker, ) diff --git a/pkg/controller/validatingadmissionpolicystatus/controller.go b/pkg/controller/validatingadmissionpolicystatus/controller.go index 6b887c38d72..db6593a0234 100644 --- a/pkg/controller/validatingadmissionpolicystatus/controller.go +++ b/pkg/controller/validatingadmissionpolicystatus/controller.go @@ -21,15 +21,15 @@ import ( "fmt" "time" - "k8s.io/api/admissionregistration/v1alpha1" + "k8s.io/api/admissionregistration/v1beta1" kerrors "k8s.io/apimachinery/pkg/api/errors" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" utilruntime "k8s.io/apimachinery/pkg/util/runtime" "k8s.io/apimachinery/pkg/util/wait" "k8s.io/apiserver/pkg/admission/plugin/validatingadmissionpolicy" - admissionregistrationv1alpha1apply "k8s.io/client-go/applyconfigurations/admissionregistration/v1alpha1" - informerv1alpha1 "k8s.io/client-go/informers/admissionregistration/v1alpha1" - admissionregistrationv1alpha1 "k8s.io/client-go/kubernetes/typed/admissionregistration/v1alpha1" + admissionregistrationv1beta1apply "k8s.io/client-go/applyconfigurations/admissionregistration/v1beta1" + informerv1beta1 "k8s.io/client-go/informers/admissionregistration/v1beta1" + admissionregistrationv1beta1 "k8s.io/client-go/kubernetes/typed/admissionregistration/v1beta1" "k8s.io/client-go/tools/cache" "k8s.io/client-go/util/workqueue" ) @@ -40,10 +40,10 @@ const ControllerName = "validatingadmissionpolicy-status" // Controller is the ValidatingAdmissionPolicy Status controller that reconciles the Status field of each policy object. // This controller runs type checks against referred types for each policy definition. type Controller struct { - policyInformer informerv1alpha1.ValidatingAdmissionPolicyInformer + policyInformer informerv1beta1.ValidatingAdmissionPolicyInformer policyQueue workqueue.RateLimitingInterface policySynced cache.InformerSynced - policyClient admissionregistrationv1alpha1.ValidatingAdmissionPolicyInterface + policyClient admissionregistrationv1beta1.ValidatingAdmissionPolicyInterface // typeChecker checks the policy's expressions for type errors. // Type of params is defined in policy.Spec.ParamsKind @@ -66,7 +66,7 @@ func (c *Controller) Run(ctx context.Context, workers int) { <-ctx.Done() } -func NewController(policyInformer informerv1alpha1.ValidatingAdmissionPolicyInformer, policyClient admissionregistrationv1alpha1.ValidatingAdmissionPolicyInterface, typeChecker *validatingadmissionpolicy.TypeChecker) (*Controller, error) { +func NewController(policyInformer informerv1beta1.ValidatingAdmissionPolicyInformer, policyClient admissionregistrationv1beta1.ValidatingAdmissionPolicyInterface, typeChecker *validatingadmissionpolicy.TypeChecker) (*Controller, error) { c := &Controller{ policyInformer: policyInformer, policyQueue: workqueue.NewRateLimitingQueueWithConfig(workqueue.DefaultControllerRateLimiter(), workqueue.RateLimitingQueueConfig{Name: ControllerName}), @@ -89,7 +89,7 @@ func NewController(policyInformer informerv1alpha1.ValidatingAdmissionPolicyInfo } func (c *Controller) enqueuePolicy(policy any) { - if policy, ok := policy.(*v1alpha1.ValidatingAdmissionPolicy); ok { + if policy, ok := policy.(*v1beta1.ValidatingAdmissionPolicy); ok { // policy objects are cluster-scoped, no point include its namespace. key := policy.ObjectMeta.Name if key == "" { @@ -138,7 +138,7 @@ func (c *Controller) processNextWorkItem(ctx context.Context) bool { return true } -func (c *Controller) reconcile(ctx context.Context, policy *v1alpha1.ValidatingAdmissionPolicy) error { +func (c *Controller) reconcile(ctx context.Context, policy *v1beta1.ValidatingAdmissionPolicy) error { if policy == nil { return nil } @@ -146,16 +146,16 @@ func (c *Controller) reconcile(ctx context.Context, policy *v1alpha1.ValidatingA return nil } warnings := c.typeChecker.Check(policy) - warningsConfig := make([]*admissionregistrationv1alpha1apply.ExpressionWarningApplyConfiguration, 0, len(warnings)) + warningsConfig := make([]*admissionregistrationv1beta1apply.ExpressionWarningApplyConfiguration, 0, len(warnings)) for _, warning := range warnings { - warningsConfig = append(warningsConfig, admissionregistrationv1alpha1apply.ExpressionWarning(). + warningsConfig = append(warningsConfig, admissionregistrationv1beta1apply.ExpressionWarning(). WithFieldRef(warning.FieldRef). WithWarning(warning.Warning)) } - applyConfig := admissionregistrationv1alpha1apply.ValidatingAdmissionPolicy(policy.Name). - WithStatus(admissionregistrationv1alpha1apply.ValidatingAdmissionPolicyStatus(). + applyConfig := admissionregistrationv1beta1apply.ValidatingAdmissionPolicy(policy.Name). + WithStatus(admissionregistrationv1beta1apply.ValidatingAdmissionPolicyStatus(). WithObservedGeneration(policy.Generation). - WithTypeChecking(admissionregistrationv1alpha1apply.TypeChecking(). + WithTypeChecking(admissionregistrationv1beta1apply.TypeChecking(). WithExpressionWarnings(warningsConfig...))) _, err := c.policyClient.ApplyStatus(ctx, applyConfig, metav1.ApplyOptions{FieldManager: ControllerName, Force: true}) return err diff --git a/pkg/controller/validatingadmissionpolicystatus/controller_test.go b/pkg/controller/validatingadmissionpolicystatus/controller_test.go index af7232b4f48..6eb684e74c6 100644 --- a/pkg/controller/validatingadmissionpolicystatus/controller_test.go +++ b/pkg/controller/validatingadmissionpolicystatus/controller_test.go @@ -23,7 +23,7 @@ import ( "time" admissionregistrationv1 "k8s.io/api/admissionregistration/v1" - admissionregistrationv1alpha1 "k8s.io/api/admissionregistration/v1alpha1" + admissionregistrationv1beta1 "k8s.io/api/admissionregistration/v1beta1" "k8s.io/apimachinery/pkg/api/meta/testrestmapper" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/util/wait" @@ -38,13 +38,13 @@ import ( func TestTypeChecking(t *testing.T) { for _, tc := range []struct { name string - policy *admissionregistrationv1alpha1.ValidatingAdmissionPolicy - assertFieldRef func(warnings []admissionregistrationv1alpha1.ExpressionWarning, t *testing.T) // warning.fieldRef - assertWarnings func(warnings []admissionregistrationv1alpha1.ExpressionWarning, t *testing.T) // warning.warning + policy *admissionregistrationv1beta1.ValidatingAdmissionPolicy + assertFieldRef func(warnings []admissionregistrationv1beta1.ExpressionWarning, t *testing.T) // warning.fieldRef + assertWarnings func(warnings []admissionregistrationv1beta1.ExpressionWarning, t *testing.T) // warning.warning }{ { name: "deployment with correct expression", - policy: withGVRMatch([]string{"apps"}, []string{"v1"}, []string{"deployments"}, withValidations([]admissionregistrationv1alpha1.Validation{ + policy: withGVRMatch([]string{"apps"}, []string{"v1"}, []string{"deployments"}, withValidations([]admissionregistrationv1beta1.Validation{ { Expression: "object.spec.replicas > 1", }, @@ -54,7 +54,7 @@ func TestTypeChecking(t *testing.T) { }, { name: "deployment with type confusion", - policy: withGVRMatch([]string{"apps"}, []string{"v1"}, []string{"deployments"}, withValidations([]admissionregistrationv1alpha1.Validation{ + policy: withGVRMatch([]string{"apps"}, []string{"v1"}, []string{"deployments"}, withValidations([]admissionregistrationv1beta1.Validation{ { Expression: "object.spec.replicas < 100", // this one passes }, @@ -67,7 +67,7 @@ func TestTypeChecking(t *testing.T) { }, { name: "two expressions different type checking errors", - policy: withGVRMatch([]string{"apps"}, []string{"v1"}, []string{"deployments"}, withValidations([]admissionregistrationv1alpha1.Validation{ + policy: withGVRMatch([]string{"apps"}, []string{"v1"}, []string{"deployments"}, withValidations([]admissionregistrationv1beta1.Validation{ { Expression: "object.spec.nonExistingFirst > 1", }, @@ -83,7 +83,7 @@ func TestTypeChecking(t *testing.T) { }, { name: "one expression, two warnings", - policy: withGVRMatch([]string{"apps"}, []string{"v1"}, []string{"deployments"}, withValidations([]admissionregistrationv1alpha1.Validation{ + policy: withGVRMatch([]string{"apps"}, []string{"v1"}, []string{"deployments"}, withValidations([]admissionregistrationv1beta1.Validation{ { Expression: "object.spec.replicas < 100", // this one passes }, @@ -107,8 +107,8 @@ func TestTypeChecking(t *testing.T) { RestMapper: testrestmapper.TestOnlyStaticRESTMapper(scheme.Scheme), } controller, err := NewController( - informerFactory.Admissionregistration().V1alpha1().ValidatingAdmissionPolicies(), - client.AdmissionregistrationV1alpha1().ValidatingAdmissionPolicies(), + informerFactory.Admissionregistration().V1beta1().ValidatingAdmissionPolicies(), + client.AdmissionregistrationV1beta1().ValidatingAdmissionPolicies(), typeChecker, ) if err != nil { @@ -120,7 +120,7 @@ func TestTypeChecking(t *testing.T) { name := policy.Name // wait until the typeChecking is set, which means the type checking // is complete. - updated, err := client.AdmissionregistrationV1alpha1().ValidatingAdmissionPolicies().Get(ctx, name, metav1.GetOptions{}) + updated, err := client.AdmissionregistrationV1beta1().ValidatingAdmissionPolicies().Get(ctx, name, metav1.GetOptions{}) if err != nil { return false, err } @@ -143,8 +143,8 @@ func TestTypeChecking(t *testing.T) { } -func toBe(expected ...string) func(warnings []admissionregistrationv1alpha1.ExpressionWarning, t *testing.T) { - return func(warnings []admissionregistrationv1alpha1.ExpressionWarning, t *testing.T) { +func toBe(expected ...string) func(warnings []admissionregistrationv1beta1.ExpressionWarning, t *testing.T) { + return func(warnings []admissionregistrationv1beta1.ExpressionWarning, t *testing.T) { if len(expected) != len(warnings) { t.Fatalf("mismatched length, expect %d, got %d", len(expected), len(warnings)) } @@ -156,8 +156,8 @@ func toBe(expected ...string) func(warnings []admissionregistrationv1alpha1.Expr } } -func toHaveSubstring(substrings ...string) func(warnings []admissionregistrationv1alpha1.ExpressionWarning, t *testing.T) { - return func(warnings []admissionregistrationv1alpha1.ExpressionWarning, t *testing.T) { +func toHaveSubstring(substrings ...string) func(warnings []admissionregistrationv1beta1.ExpressionWarning, t *testing.T) { + return func(warnings []admissionregistrationv1beta1.ExpressionWarning, t *testing.T) { if len(substrings) != len(warnings) { t.Fatalf("mismatched length, expect %d, got %d", len(substrings), len(warnings)) } @@ -169,8 +169,8 @@ func toHaveSubstring(substrings ...string) func(warnings []admissionregistration } } -func toHaveMultipleSubstrings(substrings ...[]string) func(warnings []admissionregistrationv1alpha1.ExpressionWarning, t *testing.T) { - return func(warnings []admissionregistrationv1alpha1.ExpressionWarning, t *testing.T) { +func toHaveMultipleSubstrings(substrings ...[]string) func(warnings []admissionregistrationv1beta1.ExpressionWarning, t *testing.T) { + return func(warnings []admissionregistrationv1beta1.ExpressionWarning, t *testing.T) { if len(substrings) != len(warnings) { t.Fatalf("mismatched length, expect %d, got %d", len(substrings), len(warnings)) } @@ -184,19 +184,19 @@ func toHaveMultipleSubstrings(substrings ...[]string) func(warnings []admissionr } } -func toHaveLengthOf(n int) func(warnings []admissionregistrationv1alpha1.ExpressionWarning, t *testing.T) { - return func(warnings []admissionregistrationv1alpha1.ExpressionWarning, t *testing.T) { +func toHaveLengthOf(n int) func(warnings []admissionregistrationv1beta1.ExpressionWarning, t *testing.T) { + return func(warnings []admissionregistrationv1beta1.ExpressionWarning, t *testing.T) { if n != len(warnings) { t.Fatalf("mismatched length, expect %d, got %d", n, len(warnings)) } } } -func withGVRMatch(groups []string, versions []string, resources []string, policy *admissionregistrationv1alpha1.ValidatingAdmissionPolicy) *admissionregistrationv1alpha1.ValidatingAdmissionPolicy { - policy.Spec.MatchConstraints = &admissionregistrationv1alpha1.MatchResources{ - ResourceRules: []admissionregistrationv1alpha1.NamedRuleWithOperations{ +func withGVRMatch(groups []string, versions []string, resources []string, policy *admissionregistrationv1beta1.ValidatingAdmissionPolicy) *admissionregistrationv1beta1.ValidatingAdmissionPolicy { + policy.Spec.MatchConstraints = &admissionregistrationv1beta1.MatchResources{ + ResourceRules: []admissionregistrationv1beta1.NamedRuleWithOperations{ { - RuleWithOperations: admissionregistrationv1alpha1.RuleWithOperations{ + RuleWithOperations: admissionregistrationv1beta1.RuleWithOperations{ Operations: []admissionregistrationv1.OperationType{ "*", }, @@ -212,13 +212,13 @@ func withGVRMatch(groups []string, versions []string, resources []string, policy return policy } -func withValidations(validations []admissionregistrationv1alpha1.Validation, policy *admissionregistrationv1alpha1.ValidatingAdmissionPolicy) *admissionregistrationv1alpha1.ValidatingAdmissionPolicy { +func withValidations(validations []admissionregistrationv1beta1.Validation, policy *admissionregistrationv1beta1.ValidatingAdmissionPolicy) *admissionregistrationv1beta1.ValidatingAdmissionPolicy { policy.Spec.Validations = validations return policy } -func makePolicy(name string) *admissionregistrationv1alpha1.ValidatingAdmissionPolicy { - return &admissionregistrationv1alpha1.ValidatingAdmissionPolicy{ +func makePolicy(name string) *admissionregistrationv1beta1.ValidatingAdmissionPolicy { + return &admissionregistrationv1beta1.ValidatingAdmissionPolicy{ ObjectMeta: metav1.ObjectMeta{Name: name}, } } diff --git a/staging/src/k8s.io/apiserver/pkg/admission/plugin/validatingadmissionpolicy/admission_test.go b/staging/src/k8s.io/apiserver/pkg/admission/plugin/validatingadmissionpolicy/admission_test.go index 5af72302639..7581e564a54 100644 --- a/staging/src/k8s.io/apiserver/pkg/admission/plugin/validatingadmissionpolicy/admission_test.go +++ b/staging/src/k8s.io/apiserver/pkg/admission/plugin/validatingadmissionpolicy/admission_test.go @@ -30,7 +30,7 @@ import ( admissionv1 "k8s.io/api/admission/v1" admissionRegistrationv1 "k8s.io/api/admissionregistration/v1" - "k8s.io/api/admissionregistration/v1alpha1" + "k8s.io/api/admissionregistration/v1beta1" v1 "k8s.io/api/core/v1" k8serrors "k8s.io/apimachinery/pkg/api/errors" "k8s.io/apimachinery/pkg/api/meta" @@ -78,7 +78,7 @@ var ( Kind: clusterScopedParamsGVK.Kind + "List", }, &unstructured.UnstructuredList{}) - if err := v1alpha1.AddToScheme(res); err != nil { + if err := v1beta1.AddToScheme(res); err != nil { panic(err) } @@ -117,25 +117,25 @@ var ( return res }() - definitionGVK schema.GroupVersionKind = must3(scheme.ObjectKinds(&v1alpha1.ValidatingAdmissionPolicy{}))[0] - bindingGVK schema.GroupVersionKind = must3(scheme.ObjectKinds(&v1alpha1.ValidatingAdmissionPolicyBinding{}))[0] + definitionGVK schema.GroupVersionKind = must3(scheme.ObjectKinds(&v1beta1.ValidatingAdmissionPolicy{}))[0] + bindingGVK schema.GroupVersionKind = must3(scheme.ObjectKinds(&v1beta1.ValidatingAdmissionPolicyBinding{}))[0] definitionsGVR schema.GroupVersionResource = must(fakeRestMapper.RESTMapping(definitionGVK.GroupKind(), definitionGVK.Version)).Resource bindingsGVR schema.GroupVersionResource = must(fakeRestMapper.RESTMapping(bindingGVK.GroupKind(), bindingGVK.Version)).Resource // Common objects - denyPolicy *v1alpha1.ValidatingAdmissionPolicy = &v1alpha1.ValidatingAdmissionPolicy{ + denyPolicy *v1beta1.ValidatingAdmissionPolicy = &v1beta1.ValidatingAdmissionPolicy{ ObjectMeta: metav1.ObjectMeta{ Name: "denypolicy.example.com", ResourceVersion: "1", }, - Spec: v1alpha1.ValidatingAdmissionPolicySpec{ - ParamKind: &v1alpha1.ParamKind{ + Spec: v1beta1.ValidatingAdmissionPolicySpec{ + ParamKind: &v1beta1.ParamKind{ APIVersion: paramsGVK.GroupVersion().String(), Kind: paramsGVK.Kind, }, - FailurePolicy: ptrTo(v1alpha1.Fail), - Validations: []v1alpha1.Validation{ + FailurePolicy: ptrTo(v1beta1.Fail), + Validations: []v1beta1.Validation{ { Expression: "messageId for deny policy", }, @@ -156,61 +156,61 @@ var ( }, } - denyBinding *v1alpha1.ValidatingAdmissionPolicyBinding = &v1alpha1.ValidatingAdmissionPolicyBinding{ + denyBinding *v1beta1.ValidatingAdmissionPolicyBinding = &v1beta1.ValidatingAdmissionPolicyBinding{ ObjectMeta: metav1.ObjectMeta{ Name: "denybinding.example.com", ResourceVersion: "1", }, - Spec: v1alpha1.ValidatingAdmissionPolicyBindingSpec{ + Spec: v1beta1.ValidatingAdmissionPolicyBindingSpec{ PolicyName: denyPolicy.Name, - ParamRef: &v1alpha1.ParamRef{ + ParamRef: &v1beta1.ParamRef{ Name: fakeParams.GetName(), Namespace: fakeParams.GetNamespace(), // fake object tracker does not populate defaults - ParameterNotFoundAction: ptrTo(v1alpha1.DenyAction), + ParameterNotFoundAction: v1beta1.DenyAction, }, - ValidationActions: []v1alpha1.ValidationAction{v1alpha1.Deny}, + ValidationActions: []v1beta1.ValidationAction{v1beta1.Deny}, }, } - denyBindingWithNoParamRef *v1alpha1.ValidatingAdmissionPolicyBinding = &v1alpha1.ValidatingAdmissionPolicyBinding{ + denyBindingWithNoParamRef *v1beta1.ValidatingAdmissionPolicyBinding = &v1beta1.ValidatingAdmissionPolicyBinding{ ObjectMeta: metav1.ObjectMeta{ Name: "denybinding.example.com", ResourceVersion: "1", }, - Spec: v1alpha1.ValidatingAdmissionPolicyBindingSpec{ + Spec: v1beta1.ValidatingAdmissionPolicyBindingSpec{ PolicyName: denyPolicy.Name, - ValidationActions: []v1alpha1.ValidationAction{v1alpha1.Deny}, + ValidationActions: []v1beta1.ValidationAction{v1beta1.Deny}, }, } - denyBindingWithAudit = &v1alpha1.ValidatingAdmissionPolicyBinding{ + denyBindingWithAudit = &v1beta1.ValidatingAdmissionPolicyBinding{ ObjectMeta: metav1.ObjectMeta{ Name: "denybinding.example.com", ResourceVersion: "1", }, - Spec: v1alpha1.ValidatingAdmissionPolicyBindingSpec{ + Spec: v1beta1.ValidatingAdmissionPolicyBindingSpec{ PolicyName: denyPolicy.Name, - ValidationActions: []v1alpha1.ValidationAction{v1alpha1.Audit}, + ValidationActions: []v1beta1.ValidationAction{v1beta1.Audit}, }, } - denyBindingWithWarn = &v1alpha1.ValidatingAdmissionPolicyBinding{ + denyBindingWithWarn = &v1beta1.ValidatingAdmissionPolicyBinding{ ObjectMeta: metav1.ObjectMeta{ Name: "denybinding.example.com", ResourceVersion: "1", }, - Spec: v1alpha1.ValidatingAdmissionPolicyBindingSpec{ + Spec: v1beta1.ValidatingAdmissionPolicyBindingSpec{ PolicyName: denyPolicy.Name, - ValidationActions: []v1alpha1.ValidationAction{v1alpha1.Warn}, + ValidationActions: []v1beta1.ValidationAction{v1beta1.Warn}, }, } - denyBindingWithAll = &v1alpha1.ValidatingAdmissionPolicyBinding{ + denyBindingWithAll = &v1beta1.ValidatingAdmissionPolicyBinding{ ObjectMeta: metav1.ObjectMeta{ Name: "denybinding.example.com", ResourceVersion: "1", }, - Spec: v1alpha1.ValidatingAdmissionPolicyBindingSpec{ + Spec: v1beta1.ValidatingAdmissionPolicyBindingSpec{ PolicyName: denyPolicy.Name, - ValidationActions: []v1alpha1.ValidationAction{v1alpha1.Deny, v1alpha1.Warn, v1alpha1.Audit}, + ValidationActions: []v1beta1.ValidationAction{v1beta1.Deny, v1beta1.Warn, v1beta1.Audit}, }, } ) @@ -275,7 +275,7 @@ func (f *fakeCompiler) Compile( return &fakeFilter{} } -func (f *fakeCompiler) RegisterDefinition(definition *v1alpha1.ValidatingAdmissionPolicy, compileFunc func([]cel.ExpressionAccessor, cel.OptionalVariableDeclarations) cel.Filter) { +func (f *fakeCompiler) RegisterDefinition(definition *v1beta1.ValidatingAdmissionPolicy, compileFunc func([]cel.ExpressionAccessor, cel.OptionalVariableDeclarations) cel.Filter) { //Key must be something that we can decipher from the inputs to Validate so using expression which will be passed to validate on the filter key := definition.Spec.Validations[0].Expression if compileFunc != nil { @@ -321,7 +321,7 @@ type fakeValidator struct { ValidateFunc func(ctx context.Context, versionedAttr *admission.VersionedAttributes, versionedParams runtime.Object, namespace *v1.Namespace, runtimeCELCostBudget int64, authz authorizer.Authorizer) ValidateResult } -func (f *fakeValidator) RegisterDefinition(definition *v1alpha1.ValidatingAdmissionPolicy, validateFunc func(ctx context.Context, versionedAttr *admission.VersionedAttributes, versionedParams runtime.Object, namespace *v1.Namespace, runtimeCELCostBudget int64, authz authorizer.Authorizer) ValidateResult) { +func (f *fakeValidator) RegisterDefinition(definition *v1beta1.ValidatingAdmissionPolicy, validateFunc func(ctx context.Context, versionedAttr *admission.VersionedAttributes, versionedParams runtime.Object, namespace *v1.Namespace, runtimeCELCostBudget int64, authz authorizer.Authorizer) ValidateResult) { //Key must be something that we can decipher from the inputs to Validate so using message which will be on the validationCondition object of evalResult var key string if len(definition.Spec.Validations) > 0 { @@ -354,11 +354,11 @@ func (f *fakeMatcher) GetNamespace(name string) (*v1.Namespace, error) { type fakeMatcher struct { DefaultMatch bool - DefinitionMatchFuncs map[namespacedName]func(*v1alpha1.ValidatingAdmissionPolicy, admission.Attributes) bool - BindingMatchFuncs map[namespacedName]func(*v1alpha1.ValidatingAdmissionPolicyBinding, admission.Attributes) bool + DefinitionMatchFuncs map[namespacedName]func(*v1beta1.ValidatingAdmissionPolicy, admission.Attributes) bool + BindingMatchFuncs map[namespacedName]func(*v1beta1.ValidatingAdmissionPolicyBinding, admission.Attributes) bool } -func (f *fakeMatcher) RegisterDefinition(definition *v1alpha1.ValidatingAdmissionPolicy, matchFunc func(*v1alpha1.ValidatingAdmissionPolicy, admission.Attributes) bool) { +func (f *fakeMatcher) RegisterDefinition(definition *v1beta1.ValidatingAdmissionPolicy, matchFunc func(*v1beta1.ValidatingAdmissionPolicy, admission.Attributes) bool) { namespace, name := definition.Namespace, definition.Name key := namespacedName{ name: name, @@ -367,13 +367,13 @@ func (f *fakeMatcher) RegisterDefinition(definition *v1alpha1.ValidatingAdmissio if matchFunc != nil { if f.DefinitionMatchFuncs == nil { - f.DefinitionMatchFuncs = make(map[namespacedName]func(*v1alpha1.ValidatingAdmissionPolicy, admission.Attributes) bool) + f.DefinitionMatchFuncs = make(map[namespacedName]func(*v1beta1.ValidatingAdmissionPolicy, admission.Attributes) bool) } f.DefinitionMatchFuncs[key] = matchFunc } } -func (f *fakeMatcher) RegisterBinding(binding *v1alpha1.ValidatingAdmissionPolicyBinding, matchFunc func(*v1alpha1.ValidatingAdmissionPolicyBinding, admission.Attributes) bool) { +func (f *fakeMatcher) RegisterBinding(binding *v1beta1.ValidatingAdmissionPolicyBinding, matchFunc func(*v1beta1.ValidatingAdmissionPolicyBinding, admission.Attributes) bool) { namespace, name := binding.Namespace, binding.Name key := namespacedName{ name: name, @@ -382,7 +382,7 @@ func (f *fakeMatcher) RegisterBinding(binding *v1alpha1.ValidatingAdmissionPolic if matchFunc != nil { if f.BindingMatchFuncs == nil { - f.BindingMatchFuncs = make(map[namespacedName]func(*v1alpha1.ValidatingAdmissionPolicyBinding, admission.Attributes) bool) + f.BindingMatchFuncs = make(map[namespacedName]func(*v1beta1.ValidatingAdmissionPolicyBinding, admission.Attributes) bool) } f.BindingMatchFuncs[key] = matchFunc } @@ -390,7 +390,7 @@ func (f *fakeMatcher) RegisterBinding(binding *v1alpha1.ValidatingAdmissionPolic // Matches says whether this policy definition matches the provided admission // resource request -func (f *fakeMatcher) DefinitionMatches(a admission.Attributes, o admission.ObjectInterfaces, definition *v1alpha1.ValidatingAdmissionPolicy) (bool, schema.GroupVersionKind, error) { +func (f *fakeMatcher) DefinitionMatches(a admission.Attributes, o admission.ObjectInterfaces, definition *v1beta1.ValidatingAdmissionPolicy) (bool, schema.GroupVersionKind, error) { namespace, name := definition.Namespace, definition.Name key := namespacedName{ name: name, @@ -406,7 +406,7 @@ func (f *fakeMatcher) DefinitionMatches(a admission.Attributes, o admission.Obje // Matches says whether this policy definition matches the provided admission // resource request -func (f *fakeMatcher) BindingMatches(a admission.Attributes, o admission.ObjectInterfaces, binding *v1alpha1.ValidatingAdmissionPolicyBinding) (bool, error) { +func (f *fakeMatcher) BindingMatches(a admission.Attributes, o admission.ObjectInterfaces, binding *v1beta1.ValidatingAdmissionPolicyBinding) (bool, error) { namespace, name := binding.Namespace, binding.Name key := namespacedName{ name: name, @@ -516,7 +516,7 @@ func setupTestCommon(t *testing.T, compiler cel.FilterCompiler, matcher Matcher, i := 0 - dummyPolicy := &v1alpha1.ValidatingAdmissionPolicy{ + dummyPolicy := &v1beta1.ValidatingAdmissionPolicy{ ObjectMeta: metav1.ObjectMeta{ Name: "dummypolicy.example.com", Annotations: map[string]string{ @@ -525,7 +525,7 @@ func setupTestCommon(t *testing.T, compiler cel.FilterCompiler, matcher Matcher, }, } - dummyBinding := &v1alpha1.ValidatingAdmissionPolicyBinding{ + dummyBinding := &v1beta1.ValidatingAdmissionPolicyBinding{ ObjectMeta: metav1.ObjectMeta{ Name: "dummybinding.example.com", Annotations: map[string]string{ @@ -581,7 +581,7 @@ func (c *celAdmissionController) getCurrentObject(obj runtime.Object) (runtime.O defer c.policyController.mutex.RUnlock() switch obj.(type) { - case *v1alpha1.ValidatingAdmissionPolicyBinding: + case *v1beta1.ValidatingAdmissionPolicyBinding: nn := getNamespaceName(accessor.GetNamespace(), accessor.GetName()) info, ok := c.policyController.bindingInfos[nn] if !ok { @@ -589,7 +589,7 @@ func (c *celAdmissionController) getCurrentObject(obj runtime.Object) (runtime.O } return info.lastReconciledValue, nil - case *v1alpha1.ValidatingAdmissionPolicy: + case *v1beta1.ValidatingAdmissionPolicy: nn := getNamespaceName(accessor.GetNamespace(), accessor.GetName()) info, ok := c.policyController.definitionInfo[nn] if !ok { @@ -601,7 +601,7 @@ func (c *celAdmissionController) getCurrentObject(obj runtime.Object) (runtime.O // If test isn't trying to fetch a policy or binding, assume it is // fetching a param paramSourceGVK := obj.GetObjectKind().GroupVersionKind() - paramKind := v1alpha1.ParamKind{ + paramKind := v1beta1.ParamKind{ APIVersion: paramSourceGVK.GroupVersion().String(), Kind: paramSourceGVK.Kind, } @@ -915,7 +915,7 @@ func TestDefinitionDoesntMatch(t *testing.T) { } }) - matcher.RegisterDefinition(denyPolicy, func(vap *v1alpha1.ValidatingAdmissionPolicy, a admission.Attributes) bool { + matcher.RegisterDefinition(denyPolicy, func(vap *v1beta1.ValidatingAdmissionPolicy, a admission.Attributes) bool { // Match names with even-numbered length obj := a.GetObject() @@ -1030,19 +1030,19 @@ func TestReconfigureBinding(t *testing.T) { } }) - denyBinding2 := &v1alpha1.ValidatingAdmissionPolicyBinding{ + denyBinding2 := &v1beta1.ValidatingAdmissionPolicyBinding{ ObjectMeta: metav1.ObjectMeta{ Name: "denybinding.example.com", ResourceVersion: "2", }, - Spec: v1alpha1.ValidatingAdmissionPolicyBindingSpec{ + Spec: v1beta1.ValidatingAdmissionPolicyBindingSpec{ PolicyName: denyPolicy.Name, - ParamRef: &v1alpha1.ParamRef{ + ParamRef: &v1beta1.ParamRef{ Name: fakeParams2.GetName(), Namespace: fakeParams2.GetNamespace(), - ParameterNotFoundAction: ptrTo(v1alpha1.DenyAction), + ParameterNotFoundAction: v1beta1.DenyAction, }, - ValidationActions: []v1alpha1.ValidationAction{v1alpha1.Deny}, + ValidationActions: []v1beta1.ValidationAction{v1beta1.Deny}, }, } @@ -1251,7 +1251,7 @@ func TestInvalidParamSourceGVK(t *testing.T) { passedParams := make(chan *unstructured.Unstructured) badPolicy := *denyPolicy - badPolicy.Spec.ParamKind = &v1alpha1.ParamKind{ + badPolicy.Spec.ParamKind = &v1beta1.ParamKind{ APIVersion: paramsGVK.GroupVersion().String(), Kind: "BadParamKind", } @@ -1499,13 +1499,13 @@ func TestMultiplePoliciesSharedParamType(t *testing.T) { // Use ConfigMap native-typed param policy1 := *denyPolicy policy1.Name = "denypolicy1.example.com" - policy1.Spec = v1alpha1.ValidatingAdmissionPolicySpec{ - ParamKind: &v1alpha1.ParamKind{ + policy1.Spec = v1beta1.ValidatingAdmissionPolicySpec{ + ParamKind: &v1beta1.ParamKind{ APIVersion: paramsGVK.GroupVersion().String(), Kind: paramsGVK.Kind, }, - FailurePolicy: ptrTo(v1alpha1.Fail), - Validations: []v1alpha1.Validation{ + FailurePolicy: ptrTo(v1beta1.Fail), + Validations: []v1beta1.Validation{ { Expression: "policy1", }, @@ -1514,13 +1514,13 @@ func TestMultiplePoliciesSharedParamType(t *testing.T) { policy2 := *denyPolicy policy2.Name = "denypolicy2.example.com" - policy2.Spec = v1alpha1.ValidatingAdmissionPolicySpec{ - ParamKind: &v1alpha1.ParamKind{ + policy2.Spec = v1beta1.ValidatingAdmissionPolicySpec{ + ParamKind: &v1beta1.ParamKind{ APIVersion: paramsGVK.GroupVersion().String(), Kind: paramsGVK.Kind, }, - FailurePolicy: ptrTo(v1alpha1.Fail), - Validations: []v1alpha1.Validation{ + FailurePolicy: ptrTo(v1beta1.Fail), + Validations: []v1beta1.Validation{ { Expression: "policy2", }, @@ -1665,7 +1665,7 @@ func TestNativeTypeParam(t *testing.T) { // Use ConfigMap native-typed param nativeTypeParamPolicy := *denyPolicy - nativeTypeParamPolicy.Spec.ParamKind = &v1alpha1.ParamKind{ + nativeTypeParamPolicy.Spec.ParamKind = &v1beta1.ParamKind{ APIVersion: "v1", Kind: "ConfigMap", } @@ -1800,7 +1800,7 @@ func TestAuditValidationAction(t *testing.T) { expected := []validationFailureValue{{ ExpressionIndex: 0, Message: "I'm sorry Dave", - ValidationActions: []v1alpha1.ValidationAction{v1alpha1.Audit}, + ValidationActions: []v1beta1.ValidationAction{v1beta1.Audit}, Binding: "denybinding.example.com", Policy: noParamSourcePolicy.Name, }} @@ -1931,7 +1931,7 @@ func TestAllValidationActions(t *testing.T) { expected := []validationFailureValue{{ ExpressionIndex: 0, Message: "I'm sorry Dave", - ValidationActions: []v1alpha1.ValidationAction{v1alpha1.Deny, v1alpha1.Warn, v1alpha1.Audit}, + ValidationActions: []v1beta1.ValidationAction{v1beta1.Deny, v1beta1.Warn, v1beta1.Audit}, Binding: "denybinding.example.com", Policy: noParamSourcePolicy.Name, }} @@ -1957,13 +1957,13 @@ func TestNamespaceParamRefName(t *testing.T) { // Use ConfigMap native-typed param nativeTypeParamPolicy := *denyPolicy - nativeTypeParamPolicy.Spec.ParamKind = &v1alpha1.ParamKind{ + nativeTypeParamPolicy.Spec.ParamKind = &v1beta1.ParamKind{ APIVersion: "v1", Kind: "ConfigMap", } namespaceParamBinding := *denyBinding - namespaceParamBinding.Spec.ParamRef = &v1alpha1.ParamRef{ + namespaceParamBinding.Spec.ParamRef = &v1beta1.ParamRef{ Name: "replicas-test.example.com", } @@ -2194,7 +2194,7 @@ func testParamRefCase(t *testing.T, paramIsClusterScoped, nameIsSet, namespaceIs // Create a cluster scoped and a namespace scoped CRD policy := *denyPolicy binding := *denyBinding - binding.Spec.ParamRef = &v1alpha1.ParamRef{} + binding.Spec.ParamRef = &v1beta1.ParamRef{} paramRef := binding.Spec.ParamRef shouldErrorOnClusterScopedRequests := !namespaceIsSet && !paramIsClusterScoped @@ -2208,12 +2208,12 @@ func testParamRefCase(t *testing.T, paramIsClusterScoped, nameIsSet, namespaceIs otherNonmatchingLabels := labels.Set{"notaffiliated": "no"} if paramIsClusterScoped { - policy.Spec.ParamKind = &v1alpha1.ParamKind{ + policy.Spec.ParamKind = &v1beta1.ParamKind{ APIVersion: clusterScopedParamsGVK.GroupVersion().String(), Kind: clusterScopedParamsGVK.Kind, } } else { - policy.Spec.ParamKind = &v1alpha1.ParamKind{ + policy.Spec.ParamKind = &v1beta1.ParamKind{ APIVersion: paramsGVK.GroupVersion().String(), Kind: paramsGVK.Kind, } @@ -2232,9 +2232,9 @@ func testParamRefCase(t *testing.T, paramIsClusterScoped, nameIsSet, namespaceIs } if denyNotFound { - paramRef.ParameterNotFoundAction = ptrTo(v1alpha1.DenyAction) + paramRef.ParameterNotFoundAction = v1beta1.DenyAction } else { - paramRef.ParameterNotFoundAction = ptrTo(v1alpha1.AllowAction) + paramRef.ParameterNotFoundAction = v1beta1.AllowAction } compiler := &fakeCompiler{} @@ -2486,13 +2486,13 @@ func TestNamespaceParamRefClusterScopedParamError(t *testing.T) { // Use ValidatingAdmissionPolicy for param type since it is cluster-scoped nativeTypeParamPolicy := *denyPolicy - nativeTypeParamPolicy.Spec.ParamKind = &v1alpha1.ParamKind{ - APIVersion: "admissionregistration.k8s.io/v1alpha1", + nativeTypeParamPolicy.Spec.ParamKind = &v1beta1.ParamKind{ + APIVersion: "admissionregistration.k8s.io/v1beta1", Kind: "ValidatingAdmissionPolicy", } namespaceParamBinding := *denyBinding - namespaceParamBinding.Spec.ParamRef = &v1alpha1.ParamRef{ + namespaceParamBinding.Spec.ParamRef = &v1beta1.ParamRef{ Name: "other-param-to-use-with-no-label.example.com", Namespace: "mynamespace", } @@ -2507,7 +2507,7 @@ func TestNamespaceParamRefClusterScopedParamError(t *testing.T) { validator.RegisterDefinition(&nativeTypeParamPolicy, func(ctx context.Context, versionedAttr *admission.VersionedAttributes, versionedParams runtime.Object, namespace *v1.Namespace, runtimeCELCostBudget int64, authz authorizer.Authorizer) ValidateResult { evaluations.Add(1) - if _, ok := versionedParams.(*v1alpha1.ValidatingAdmissionPolicy); ok { + if _, ok := versionedParams.(*v1beta1.ValidatingAdmissionPolicy); ok { return ValidateResult{ Decisions: []PolicyDecision{ { diff --git a/staging/src/k8s.io/apiserver/pkg/admission/plugin/validatingadmissionpolicy/controller.go b/staging/src/k8s.io/apiserver/pkg/admission/plugin/validatingadmissionpolicy/controller.go index b3c092ab8aa..a14412856c2 100644 --- a/staging/src/k8s.io/apiserver/pkg/admission/plugin/validatingadmissionpolicy/controller.go +++ b/staging/src/k8s.io/apiserver/pkg/admission/plugin/validatingadmissionpolicy/controller.go @@ -25,7 +25,7 @@ import ( "sync/atomic" "time" - "k8s.io/api/admissionregistration/v1alpha1" + "k8s.io/api/admissionregistration/v1beta1" v1 "k8s.io/api/core/v1" k8serrors "k8s.io/apimachinery/pkg/api/errors" "k8s.io/apimachinery/pkg/api/meta" @@ -81,8 +81,8 @@ type policyData struct { // that determined the decision type policyDecisionWithMetadata struct { PolicyDecision - Definition *v1alpha1.ValidatingAdmissionPolicy - Binding *v1alpha1.ValidatingAdmissionPolicyBinding + Definition *v1beta1.ValidatingAdmissionPolicy + Binding *v1beta1.ValidatingAdmissionPolicyBinding } // namespaceName is used as a key in definitionInfo and bindingInfos @@ -98,7 +98,7 @@ type definitionInfo struct { // Last value seen by this controller to be used in policy enforcement // May not be nil - lastReconciledValue *v1alpha1.ValidatingAdmissionPolicy + lastReconciledValue *v1beta1.ValidatingAdmissionPolicy } type bindingInfo struct { @@ -107,7 +107,7 @@ type bindingInfo struct { // Last value seen by this controller to be used in policy enforcement // May not be nil - lastReconciledValue *v1alpha1.ValidatingAdmissionPolicyBinding + lastReconciledValue *v1beta1.ValidatingAdmissionPolicyBinding } type paramInfo struct { @@ -141,10 +141,10 @@ func NewAdmissionController( informerFactory, nil, NewMatcher(matching.NewMatcher(informerFactory.Core().V1().Namespaces().Lister(), client)), - generic.NewInformer[*v1alpha1.ValidatingAdmissionPolicy]( - informerFactory.Admissionregistration().V1alpha1().ValidatingAdmissionPolicies().Informer()), - generic.NewInformer[*v1alpha1.ValidatingAdmissionPolicyBinding]( - informerFactory.Admissionregistration().V1alpha1().ValidatingAdmissionPolicyBindings().Informer()), + generic.NewInformer[*v1beta1.ValidatingAdmissionPolicy]( + informerFactory.Admissionregistration().V1beta1().ValidatingAdmissionPolicies().Informer()), + generic.NewInformer[*v1beta1.ValidatingAdmissionPolicyBinding]( + informerFactory.Admissionregistration().V1beta1().ValidatingAdmissionPolicyBindings().Informer()), ), authz: authz, } @@ -192,21 +192,21 @@ func (c *celAdmissionController) Validate( var deniedDecisions []policyDecisionWithMetadata - addConfigError := func(err error, definition *v1alpha1.ValidatingAdmissionPolicy, binding *v1alpha1.ValidatingAdmissionPolicyBinding) { + addConfigError := func(err error, definition *v1beta1.ValidatingAdmissionPolicy, binding *v1beta1.ValidatingAdmissionPolicyBinding) { // we always default the FailurePolicy if it is unset and validate it in API level - var policy v1alpha1.FailurePolicyType + var policy v1beta1.FailurePolicyType if definition.Spec.FailurePolicy == nil { - policy = v1alpha1.Fail + policy = v1beta1.Fail } else { policy = *definition.Spec.FailurePolicy } // apply FailurePolicy specified in ValidatingAdmissionPolicy, the default would be Fail switch policy { - case v1alpha1.Ignore: + case v1beta1.Ignore: // TODO: add metrics for ignored error here return - case v1alpha1.Fail: + case v1beta1.Fail: var message string if binding == nil { message = fmt.Errorf("failed to configure policy: %w", err).Error() @@ -336,17 +336,17 @@ func (c *celAdmissionController) Validate( case ActionDeny: for _, action := range binding.Spec.ValidationActions { switch action { - case v1alpha1.Deny: + case v1beta1.Deny: deniedDecisions = append(deniedDecisions, policyDecisionWithMetadata{ Definition: definition, Binding: binding, PolicyDecision: decision, }) celmetrics.Metrics.ObserveRejection(ctx, decision.Elapsed, definition.Name, binding.Name, "active") - case v1alpha1.Audit: + case v1beta1.Audit: c.publishValidationFailureAnnotation(binding, i, decision, versionedAttr) celmetrics.Metrics.ObserveAudit(ctx, decision.Elapsed, definition.Name, binding.Name, "active") - case v1alpha1.Warn: + case v1beta1.Warn: warning.AddWarning(ctx, "", fmt.Sprintf("Validation failed for ValidatingAdmissionPolicy '%s' with binding '%s': %s", definition.Name, binding.Name, decision.Message)) celmetrics.Metrics.ObserveWarn(ctx, decision.Elapsed, definition.Name, binding.Name, "active") } @@ -412,9 +412,9 @@ func (c *celAdmissionController) Validate( // Returns objects to use to evaluate the policy func (c *celAdmissionController) collectParams( - paramKind *v1alpha1.ParamKind, + paramKind *v1beta1.ParamKind, info paramInfo, - paramRef *v1alpha1.ParamRef, + paramRef *v1beta1.ParamRef, namespace string, ) ([]runtime.Object, error) { // If definition has paramKind, paramRef is required in binding. @@ -520,14 +520,14 @@ func (c *celAdmissionController) collectParams( } // Apply fail action for params not found case - if len(params) == 0 && paramRef.ParameterNotFoundAction != nil && *paramRef.ParameterNotFoundAction == v1alpha1.DenyAction { + if len(params) == 0 && paramRef.ParameterNotFoundAction != nil && *paramRef.ParameterNotFoundAction == v1beta1.DenyAction { return nil, errors.New("no params found for policy binding with `Deny` parameterNotFoundAction") } return params, nil } -func (c *celAdmissionController) publishValidationFailureAnnotation(binding *v1alpha1.ValidatingAdmissionPolicyBinding, expressionIndex int, decision PolicyDecision, attributes admission.Attributes) { +func (c *celAdmissionController) publishValidationFailureAnnotation(binding *v1beta1.ValidatingAdmissionPolicyBinding, expressionIndex int, decision PolicyDecision, attributes admission.Attributes) { key := "validation.policy.admission.k8s.io/validation_failure" // Marshal to a list of failures since, in the future, we may need to support multiple failures valueJson, err := utiljson.Marshal([]validationFailureValue{{ @@ -561,11 +561,11 @@ func (c *celAdmissionController) refreshPolicies() { // validationFailureValue defines the JSON format of a "validation.policy.admission.k8s.io/validation_failure" audit // annotation value. type validationFailureValue struct { - Message string `json:"message"` - Policy string `json:"policy"` - Binding string `json:"binding"` - ExpressionIndex int `json:"expressionIndex"` - ValidationActions []v1alpha1.ValidationAction `json:"validationActions"` + Message string `json:"message"` + Policy string `json:"policy"` + Binding string `json:"binding"` + ExpressionIndex int `json:"expressionIndex"` + ValidationActions []v1beta1.ValidationAction `json:"validationActions"` } type auditAnnotationCollector struct { diff --git a/staging/src/k8s.io/apiserver/pkg/admission/plugin/validatingadmissionpolicy/controller_reconcile.go b/staging/src/k8s.io/apiserver/pkg/admission/plugin/validatingadmissionpolicy/controller_reconcile.go index b7cc81349d9..b2624694c84 100644 --- a/staging/src/k8s.io/apiserver/pkg/admission/plugin/validatingadmissionpolicy/controller_reconcile.go +++ b/staging/src/k8s.io/apiserver/pkg/admission/plugin/validatingadmissionpolicy/controller_reconcile.go @@ -23,7 +23,7 @@ import ( "time" v1 "k8s.io/api/admissionregistration/v1" - "k8s.io/api/admissionregistration/v1alpha1" + "k8s.io/api/admissionregistration/v1beta1" corev1 "k8s.io/api/core/v1" apiequality "k8s.io/apimachinery/pkg/api/equality" "k8s.io/apimachinery/pkg/api/meta" @@ -49,8 +49,8 @@ type policyController struct { dynamicClient dynamic.Interface informerFactory informers.SharedInformerFactory restMapper meta.RESTMapper - policyDefinitionsController generic.Controller[*v1alpha1.ValidatingAdmissionPolicy] - policyBindingController generic.Controller[*v1alpha1.ValidatingAdmissionPolicyBinding] + policyDefinitionsController generic.Controller[*v1beta1.ValidatingAdmissionPolicy] + policyBindingController generic.Controller[*v1beta1.ValidatingAdmissionPolicyBinding] // Provided to the policy's Compile function as an injected dependency to // assist with compiling its expressions to CEL @@ -70,7 +70,7 @@ type policyController struct { cachedPolicies []policyData // controller and metadata - paramsCRDControllers map[v1alpha1.ParamKind]*paramInfo + paramsCRDControllers map[v1beta1.ParamKind]*paramInfo // Index for each definition namespace/name, contains all binding // namespace/names known to exist for that definition @@ -96,15 +96,15 @@ func newPolicyController( informerFactory informers.SharedInformerFactory, filterCompiler cel.FilterCompiler, matcher Matcher, - policiesInformer generic.Informer[*v1alpha1.ValidatingAdmissionPolicy], - bindingsInformer generic.Informer[*v1alpha1.ValidatingAdmissionPolicyBinding], + policiesInformer generic.Informer[*v1beta1.ValidatingAdmissionPolicy], + bindingsInformer generic.Informer[*v1beta1.ValidatingAdmissionPolicyBinding], ) *policyController { res := &policyController{} *res = policyController{ filterCompiler: filterCompiler, definitionInfo: make(map[namespacedName]*definitionInfo), bindingInfos: make(map[namespacedName]*bindingInfo), - paramsCRDControllers: make(map[v1alpha1.ParamKind]*paramInfo), + paramsCRDControllers: make(map[v1beta1.ParamKind]*paramInfo), definitionsToBindings: make(map[namespacedName]sets.Set[namespacedName]), matcher: matcher, newValidator: NewValidator, @@ -160,14 +160,14 @@ func (c *policyController) HasSynced() bool { return c.policyDefinitionsController.HasSynced() && c.policyBindingController.HasSynced() } -func (c *policyController) reconcilePolicyDefinition(namespace, name string, definition *v1alpha1.ValidatingAdmissionPolicy) error { +func (c *policyController) reconcilePolicyDefinition(namespace, name string, definition *v1beta1.ValidatingAdmissionPolicy) error { c.mutex.Lock() defer c.mutex.Unlock() err := c.reconcilePolicyDefinitionSpec(namespace, name, definition) return err } -func (c *policyController) reconcilePolicyDefinitionSpec(namespace, name string, definition *v1alpha1.ValidatingAdmissionPolicy) error { +func (c *policyController) reconcilePolicyDefinitionSpec(namespace, name string, definition *v1beta1.ValidatingAdmissionPolicy) error { c.cachedPolicies = nil // invalidate cachedPolicies // Namespace for policydefinition is empty. @@ -186,7 +186,7 @@ func (c *policyController) reconcilePolicyDefinitionSpec(namespace, name string, return nil } - var paramSource *v1alpha1.ParamKind + var paramSource *v1beta1.ParamKind if definition != nil { paramSource = definition.Spec.ParamKind } @@ -266,7 +266,7 @@ func (c *policyController) reconcilePolicyDefinitionSpec(namespace, name string, // Ensures that there is an informer started for the given GVK to be used as a // param -func (c *policyController) ensureParamInfo(paramSource *v1alpha1.ParamKind, mapping *meta.RESTMapping) *paramInfo { +func (c *policyController) ensureParamInfo(paramSource *v1beta1.ParamKind, mapping *meta.RESTMapping) *paramInfo { if info, ok := c.paramsCRDControllers[*paramSource]; ok { return info } @@ -329,7 +329,7 @@ func (c *policyController) ensureParamInfo(paramSource *v1alpha1.ParamKind, mapp } -func (c *policyController) reconcilePolicyBinding(namespace, name string, binding *v1alpha1.ValidatingAdmissionPolicyBinding) error { +func (c *policyController) reconcilePolicyBinding(namespace, name string, binding *v1beta1.ValidatingAdmissionPolicyBinding) error { c.mutex.Lock() defer c.mutex.Unlock() @@ -432,7 +432,7 @@ func (c *policyController) latestPolicyData() []policyData { } optionalVars := cel.OptionalVariableDeclarations{HasParams: hasParam, HasAuthorizer: true} expressionOptionalVars := cel.OptionalVariableDeclarations{HasParams: hasParam, HasAuthorizer: false} - failurePolicy := convertv1alpha1FailurePolicyTypeTov1FailurePolicyType(definitionInfo.lastReconciledValue.Spec.FailurePolicy) + failurePolicy := convertv1beta1FailurePolicyTypeTov1FailurePolicyType(definitionInfo.lastReconciledValue.Spec.FailurePolicy) var matcher matchconditions.Matcher = nil matchConditions := definitionInfo.lastReconciledValue.Spec.MatchConditions @@ -441,7 +441,7 @@ func (c *policyController) latestPolicyData() []policyData { compositedCompiler, err := cel.NewCompositedCompiler(environment.MustBaseEnvSet(environment.DefaultCompatibilityVersion())) if err == nil { filterCompiler = compositedCompiler - compositedCompiler.CompileAndStoreVariables(convertV1alpha1Variables(definitionInfo.lastReconciledValue.Spec.Variables), optionalVars, environment.StoredExpressions) + compositedCompiler.CompileAndStoreVariables(convertv1beta1Variables(definitionInfo.lastReconciledValue.Spec.Variables), optionalVars, environment.StoredExpressions) } else { utilruntime.HandleError(err) } @@ -454,10 +454,10 @@ func (c *policyController) latestPolicyData() []policyData { matcher = matchconditions.NewMatcher(filterCompiler.Compile(matchExpressionAccessors, optionalVars, environment.StoredExpressions), failurePolicy, "policy", "validate", definitionInfo.lastReconciledValue.Name) } bindingInfo.validator = c.newValidator( - filterCompiler.Compile(convertv1alpha1Validations(definitionInfo.lastReconciledValue.Spec.Validations), optionalVars, environment.StoredExpressions), + filterCompiler.Compile(convertv1beta1Validations(definitionInfo.lastReconciledValue.Spec.Validations), optionalVars, environment.StoredExpressions), matcher, - filterCompiler.Compile(convertv1alpha1AuditAnnotations(definitionInfo.lastReconciledValue.Spec.AuditAnnotations), optionalVars, environment.StoredExpressions), - filterCompiler.Compile(convertV1Alpha1MessageExpressions(definitionInfo.lastReconciledValue.Spec.Validations), expressionOptionalVars, environment.StoredExpressions), + filterCompiler.Compile(convertv1beta1AuditAnnotations(definitionInfo.lastReconciledValue.Spec.AuditAnnotations), optionalVars, environment.StoredExpressions), + filterCompiler.Compile(convertv1beta1MessageExpressions(definitionInfo.lastReconciledValue.Spec.Validations), expressionOptionalVars, environment.StoredExpressions), failurePolicy, ) } @@ -482,21 +482,21 @@ func (c *policyController) latestPolicyData() []policyData { return res } -func convertv1alpha1FailurePolicyTypeTov1FailurePolicyType(policyType *v1alpha1.FailurePolicyType) *v1.FailurePolicyType { +func convertv1beta1FailurePolicyTypeTov1FailurePolicyType(policyType *v1beta1.FailurePolicyType) *v1.FailurePolicyType { if policyType == nil { return nil } var v1FailPolicy v1.FailurePolicyType - if *policyType == v1alpha1.Fail { + if *policyType == v1beta1.Fail { v1FailPolicy = v1.Fail - } else if *policyType == v1alpha1.Ignore { + } else if *policyType == v1beta1.Ignore { v1FailPolicy = v1.Ignore } return &v1FailPolicy } -func convertv1alpha1Validations(inputValidations []v1alpha1.Validation) []cel.ExpressionAccessor { +func convertv1beta1Validations(inputValidations []v1beta1.Validation) []cel.ExpressionAccessor { celExpressionAccessor := make([]cel.ExpressionAccessor, len(inputValidations)) for i, validation := range inputValidations { validation := ValidationCondition{ @@ -509,7 +509,7 @@ func convertv1alpha1Validations(inputValidations []v1alpha1.Validation) []cel.Ex return celExpressionAccessor } -func convertV1Alpha1MessageExpressions(inputValidations []v1alpha1.Validation) []cel.ExpressionAccessor { +func convertv1beta1MessageExpressions(inputValidations []v1beta1.Validation) []cel.ExpressionAccessor { celExpressionAccessor := make([]cel.ExpressionAccessor, len(inputValidations)) for i, validation := range inputValidations { if validation.MessageExpression != "" { @@ -522,7 +522,7 @@ func convertV1Alpha1MessageExpressions(inputValidations []v1alpha1.Validation) [ return celExpressionAccessor } -func convertv1alpha1AuditAnnotations(inputValidations []v1alpha1.AuditAnnotation) []cel.ExpressionAccessor { +func convertv1beta1AuditAnnotations(inputValidations []v1beta1.AuditAnnotation) []cel.ExpressionAccessor { celExpressionAccessor := make([]cel.ExpressionAccessor, len(inputValidations)) for i, validation := range inputValidations { validation := AuditAnnotationCondition{ @@ -534,7 +534,7 @@ func convertv1alpha1AuditAnnotations(inputValidations []v1alpha1.AuditAnnotation return celExpressionAccessor } -func convertV1alpha1Variables(variables []v1alpha1.Variable) []cel.NamedExpressionAccessor { +func convertv1beta1Variables(variables []v1beta1.Variable) []cel.NamedExpressionAccessor { namedExpressions := make([]cel.NamedExpressionAccessor, len(variables)) for i, variable := range variables { namedExpressions[i] = &Variable{Name: variable.Name, Expression: variable.Expression} diff --git a/staging/src/k8s.io/apiserver/pkg/admission/plugin/validatingadmissionpolicy/interface.go b/staging/src/k8s.io/apiserver/pkg/admission/plugin/validatingadmissionpolicy/interface.go index 28c5a0dad50..a7ba0d370e2 100644 --- a/staging/src/k8s.io/apiserver/pkg/admission/plugin/validatingadmissionpolicy/interface.go +++ b/staging/src/k8s.io/apiserver/pkg/admission/plugin/validatingadmissionpolicy/interface.go @@ -21,7 +21,7 @@ import ( celgo "github.com/google/cel-go/cel" - "k8s.io/api/admissionregistration/v1alpha1" + "k8s.io/api/admissionregistration/v1beta1" corev1 "k8s.io/api/core/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/runtime" @@ -86,11 +86,11 @@ type Matcher interface { // DefinitionMatches says whether this policy definition matches the provided admission // resource request - DefinitionMatches(a admission.Attributes, o admission.ObjectInterfaces, definition *v1alpha1.ValidatingAdmissionPolicy) (bool, schema.GroupVersionKind, error) + DefinitionMatches(a admission.Attributes, o admission.ObjectInterfaces, definition *v1beta1.ValidatingAdmissionPolicy) (bool, schema.GroupVersionKind, error) // BindingMatches says whether this policy definition matches the provided admission // resource request - BindingMatches(a admission.Attributes, o admission.ObjectInterfaces, definition *v1alpha1.ValidatingAdmissionPolicyBinding) (bool, error) + BindingMatches(a admission.Attributes, o admission.ObjectInterfaces, definition *v1beta1.ValidatingAdmissionPolicyBinding) (bool, error) // GetNamespace retrieves the Namespace resource by the given name. The name may be empty, in which case // GetNamespace must return nil, nil diff --git a/staging/src/k8s.io/apiserver/pkg/admission/plugin/validatingadmissionpolicy/matcher.go b/staging/src/k8s.io/apiserver/pkg/admission/plugin/validatingadmissionpolicy/matcher.go index 5ed3d17b142..8c1757c852f 100644 --- a/staging/src/k8s.io/apiserver/pkg/admission/plugin/validatingadmissionpolicy/matcher.go +++ b/staging/src/k8s.io/apiserver/pkg/admission/plugin/validatingadmissionpolicy/matcher.go @@ -17,7 +17,7 @@ limitations under the License. package validatingadmissionpolicy import ( - "k8s.io/api/admissionregistration/v1alpha1" + "k8s.io/api/admissionregistration/v1beta1" corev1 "k8s.io/api/core/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/labels" @@ -29,7 +29,7 @@ import ( var _ matching.MatchCriteria = &matchCriteria{} type matchCriteria struct { - constraints *v1alpha1.MatchResources + constraints *v1beta1.MatchResources } // GetParsedNamespaceSelector returns the converted LabelSelector which implements labels.Selector @@ -43,7 +43,7 @@ func (m *matchCriteria) GetParsedObjectSelector() (labels.Selector, error) { } // GetMatchResources returns the matchConstraints -func (m *matchCriteria) GetMatchResources() v1alpha1.MatchResources { +func (m *matchCriteria) GetMatchResources() v1beta1.MatchResources { return *m.constraints } @@ -63,13 +63,13 @@ func (c *matcher) ValidateInitialization() error { } // DefinitionMatches returns whether this ValidatingAdmissionPolicy matches the provided admission resource request -func (c *matcher) DefinitionMatches(a admission.Attributes, o admission.ObjectInterfaces, definition *v1alpha1.ValidatingAdmissionPolicy) (bool, schema.GroupVersionKind, error) { +func (c *matcher) DefinitionMatches(a admission.Attributes, o admission.ObjectInterfaces, definition *v1beta1.ValidatingAdmissionPolicy) (bool, schema.GroupVersionKind, error) { criteria := matchCriteria{constraints: definition.Spec.MatchConstraints} return c.Matcher.Matches(a, o, &criteria) } // BindingMatches returns whether this ValidatingAdmissionPolicyBinding matches the provided admission resource request -func (c *matcher) BindingMatches(a admission.Attributes, o admission.ObjectInterfaces, binding *v1alpha1.ValidatingAdmissionPolicyBinding) (bool, error) { +func (c *matcher) BindingMatches(a admission.Attributes, o admission.ObjectInterfaces, binding *v1beta1.ValidatingAdmissionPolicyBinding) (bool, error) { if binding.Spec.MatchResources == nil { return true, nil } diff --git a/staging/src/k8s.io/apiserver/pkg/admission/plugin/validatingadmissionpolicy/matching/matching.go b/staging/src/k8s.io/apiserver/pkg/admission/plugin/validatingadmissionpolicy/matching/matching.go index a97adb17143..ce81de36f6b 100644 --- a/staging/src/k8s.io/apiserver/pkg/admission/plugin/validatingadmissionpolicy/matching/matching.go +++ b/staging/src/k8s.io/apiserver/pkg/admission/plugin/validatingadmissionpolicy/matching/matching.go @@ -20,7 +20,7 @@ import ( "fmt" v1 "k8s.io/api/admissionregistration/v1" - "k8s.io/api/admissionregistration/v1alpha1" + "k8s.io/api/admissionregistration/v1beta1" corev1 "k8s.io/api/core/v1" "k8s.io/apimachinery/pkg/runtime/schema" "k8s.io/apiserver/pkg/admission" @@ -36,7 +36,7 @@ type MatchCriteria interface { namespace.NamespaceSelectorProvider object.ObjectSelectorProvider - GetMatchResources() v1alpha1.MatchResources + GetMatchResources() v1beta1.MatchResources } // Matcher decides if a request matches against matchCriteria @@ -119,7 +119,7 @@ func (m *Matcher) Matches(attr admission.Attributes, o admission.ObjectInterface return true, matchKind, nil } -func matchesResourceRules(namedRules []v1alpha1.NamedRuleWithOperations, matchPolicy *v1alpha1.MatchPolicyType, attr admission.Attributes, o admission.ObjectInterfaces) (bool, schema.GroupVersionKind, error) { +func matchesResourceRules(namedRules []v1beta1.NamedRuleWithOperations, matchPolicy *v1beta1.MatchPolicyType, attr admission.Attributes, o admission.ObjectInterfaces) (bool, schema.GroupVersionKind, error) { matchKind := attr.GetKind() for _, namedRule := range namedRules { rule := v1.RuleWithOperations(namedRule.RuleWithOperations) @@ -146,7 +146,7 @@ func matchesResourceRules(namedRules []v1alpha1.NamedRuleWithOperations, matchPo // if match policy is undefined or exact, don't perform fuzzy matching // note that defaulting to fuzzy matching is set by the API - if matchPolicy == nil || *matchPolicy == v1alpha1.Exact { + if matchPolicy == nil || *matchPolicy == v1beta1.Exact { return false, schema.GroupVersionKind{}, nil } diff --git a/staging/src/k8s.io/apiserver/pkg/admission/plugin/validatingadmissionpolicy/matching/matching_test.go b/staging/src/k8s.io/apiserver/pkg/admission/plugin/validatingadmissionpolicy/matching/matching_test.go index 3f1c23de4c9..f6bd39ba4f4 100644 --- a/staging/src/k8s.io/apiserver/pkg/admission/plugin/validatingadmissionpolicy/matching/matching_test.go +++ b/staging/src/k8s.io/apiserver/pkg/admission/plugin/validatingadmissionpolicy/matching/matching_test.go @@ -22,7 +22,7 @@ import ( "testing" v1 "k8s.io/api/admissionregistration/v1" - "k8s.io/api/admissionregistration/v1alpha1" + "k8s.io/api/admissionregistration/v1beta1" corev1 "k8s.io/api/core/v1" "k8s.io/apimachinery/pkg/api/errors" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" @@ -38,10 +38,10 @@ import ( var _ MatchCriteria = &fakeCriteria{} type fakeCriteria struct { - matchResources v1alpha1.MatchResources + matchResources v1beta1.MatchResources } -func (fc *fakeCriteria) GetMatchResources() v1alpha1.MatchResources { +func (fc *fakeCriteria) GetMatchResources() v1beta1.MatchResources { return fc.matchResources } @@ -65,8 +65,8 @@ func TestMatcher(t *testing.T) { a := &Matcher{namespaceMatcher: &namespace.Matcher{}, objectMatcher: &object.Matcher{}} allScopes := v1.AllScopes - exactMatch := v1alpha1.Exact - equivalentMatch := v1alpha1.Equivalent + exactMatch := v1beta1.Exact + equivalentMatch := v1beta1.Equivalent mapper := runtime.NewEquivalentResourceRegistryWithIdentity(func(resource schema.GroupResource) string { if resource.Resource == "deployments" { @@ -95,7 +95,7 @@ func TestMatcher(t *testing.T) { testcases := []struct { name string - criteria *v1alpha1.MatchResources + criteria *v1beta1.MatchResources attrs admission.Attributes expectMatches bool @@ -104,17 +104,17 @@ func TestMatcher(t *testing.T) { }{ { name: "no rules (just write)", - criteria: &v1alpha1.MatchResources{NamespaceSelector: &metav1.LabelSelector{}, ResourceRules: []v1alpha1.NamedRuleWithOperations{}}, + criteria: &v1beta1.MatchResources{NamespaceSelector: &metav1.LabelSelector{}, ResourceRules: []v1beta1.NamedRuleWithOperations{}}, attrs: admission.NewAttributesRecord(nil, nil, gvk("apps", "v1", "Deployment"), "ns", "name", gvr("apps", "v1", "deployments"), "", admission.Create, &metav1.CreateOptions{}, false, nil), expectMatches: false, }, { name: "wildcard rule, match as requested", - criteria: &v1alpha1.MatchResources{ + criteria: &v1beta1.MatchResources{ NamespaceSelector: &metav1.LabelSelector{}, ObjectSelector: &metav1.LabelSelector{}, - ResourceRules: []v1alpha1.NamedRuleWithOperations{{ - RuleWithOperations: v1alpha1.RuleWithOperations{ + ResourceRules: []v1beta1.NamedRuleWithOperations{{ + RuleWithOperations: v1beta1.RuleWithOperations{ Operations: []v1.OperationType{"*"}, Rule: v1.Rule{APIGroups: []string{"*"}, APIVersions: []string{"*"}, Resources: []string{"*"}, Scope: &allScopes}, }, @@ -125,21 +125,21 @@ func TestMatcher(t *testing.T) { }, { name: "specific rules, prefer exact match", - criteria: &v1alpha1.MatchResources{ + criteria: &v1beta1.MatchResources{ NamespaceSelector: &metav1.LabelSelector{}, ObjectSelector: &metav1.LabelSelector{}, - ResourceRules: []v1alpha1.NamedRuleWithOperations{{ - RuleWithOperations: v1alpha1.RuleWithOperations{ + ResourceRules: []v1beta1.NamedRuleWithOperations{{ + RuleWithOperations: v1beta1.RuleWithOperations{ Operations: []v1.OperationType{"*"}, Rule: v1.Rule{APIGroups: []string{"extensions"}, APIVersions: []string{"v1beta1"}, Resources: []string{"deployments"}, Scope: &allScopes}, }, }, { - RuleWithOperations: v1alpha1.RuleWithOperations{ + RuleWithOperations: v1beta1.RuleWithOperations{ Operations: []v1.OperationType{"*"}, Rule: v1.Rule{APIGroups: []string{"apps"}, APIVersions: []string{"v1beta1"}, Resources: []string{"deployments"}, Scope: &allScopes}, }, }, { - RuleWithOperations: v1alpha1.RuleWithOperations{ + RuleWithOperations: v1beta1.RuleWithOperations{ Operations: []v1.OperationType{"*"}, Rule: v1.Rule{APIGroups: []string{"apps"}, APIVersions: []string{"v1"}, Resources: []string{"deployments"}, Scope: &allScopes}, }, @@ -150,16 +150,16 @@ func TestMatcher(t *testing.T) { }, { name: "specific rules, match miss", - criteria: &v1alpha1.MatchResources{ + criteria: &v1beta1.MatchResources{ NamespaceSelector: &metav1.LabelSelector{}, ObjectSelector: &metav1.LabelSelector{}, - ResourceRules: []v1alpha1.NamedRuleWithOperations{{ - RuleWithOperations: v1alpha1.RuleWithOperations{ + ResourceRules: []v1beta1.NamedRuleWithOperations{{ + RuleWithOperations: v1beta1.RuleWithOperations{ Operations: []v1.OperationType{"*"}, Rule: v1.Rule{APIGroups: []string{"extensions"}, APIVersions: []string{"v1beta1"}, Resources: []string{"deployments"}, Scope: &allScopes}, }, }, { - RuleWithOperations: v1alpha1.RuleWithOperations{ + RuleWithOperations: v1beta1.RuleWithOperations{ Operations: []v1.OperationType{"*"}, Rule: v1.Rule{APIGroups: []string{"apps"}, APIVersions: []string{"v1beta1"}, Resources: []string{"deployments"}, Scope: &allScopes}, }, @@ -169,17 +169,17 @@ func TestMatcher(t *testing.T) { }, { name: "specific rules, exact match miss", - criteria: &v1alpha1.MatchResources{ + criteria: &v1beta1.MatchResources{ MatchPolicy: &exactMatch, NamespaceSelector: &metav1.LabelSelector{}, ObjectSelector: &metav1.LabelSelector{}, - ResourceRules: []v1alpha1.NamedRuleWithOperations{{ - RuleWithOperations: v1alpha1.RuleWithOperations{ + ResourceRules: []v1beta1.NamedRuleWithOperations{{ + RuleWithOperations: v1beta1.RuleWithOperations{ Operations: []v1.OperationType{"*"}, Rule: v1.Rule{APIGroups: []string{"extensions"}, APIVersions: []string{"v1beta1"}, Resources: []string{"deployments"}, Scope: &allScopes}, }, }, { - RuleWithOperations: v1alpha1.RuleWithOperations{ + RuleWithOperations: v1beta1.RuleWithOperations{ Operations: []v1.OperationType{"*"}, Rule: v1.Rule{APIGroups: []string{"apps"}, APIVersions: []string{"v1beta1"}, Resources: []string{"deployments"}, Scope: &allScopes}, }, @@ -189,17 +189,17 @@ func TestMatcher(t *testing.T) { }, { name: "specific rules, equivalent match, prefer extensions", - criteria: &v1alpha1.MatchResources{ + criteria: &v1beta1.MatchResources{ MatchPolicy: &equivalentMatch, NamespaceSelector: &metav1.LabelSelector{}, ObjectSelector: &metav1.LabelSelector{}, - ResourceRules: []v1alpha1.NamedRuleWithOperations{{ - RuleWithOperations: v1alpha1.RuleWithOperations{ + ResourceRules: []v1beta1.NamedRuleWithOperations{{ + RuleWithOperations: v1beta1.RuleWithOperations{ Operations: []v1.OperationType{"*"}, Rule: v1.Rule{APIGroups: []string{"extensions"}, APIVersions: []string{"v1beta1"}, Resources: []string{"deployments"}, Scope: &allScopes}, }, }, { - RuleWithOperations: v1alpha1.RuleWithOperations{ + RuleWithOperations: v1beta1.RuleWithOperations{ Operations: []v1.OperationType{"*"}, Rule: v1.Rule{APIGroups: []string{"apps"}, APIVersions: []string{"v1beta1"}, Resources: []string{"deployments"}, Scope: &allScopes}, }, @@ -210,17 +210,17 @@ func TestMatcher(t *testing.T) { }, { name: "specific rules, equivalent match, prefer apps", - criteria: &v1alpha1.MatchResources{ + criteria: &v1beta1.MatchResources{ MatchPolicy: &equivalentMatch, NamespaceSelector: &metav1.LabelSelector{}, ObjectSelector: &metav1.LabelSelector{}, - ResourceRules: []v1alpha1.NamedRuleWithOperations{{ - RuleWithOperations: v1alpha1.RuleWithOperations{ + ResourceRules: []v1beta1.NamedRuleWithOperations{{ + RuleWithOperations: v1beta1.RuleWithOperations{ Operations: []v1.OperationType{"*"}, Rule: v1.Rule{APIGroups: []string{"apps"}, APIVersions: []string{"v1beta1"}, Resources: []string{"deployments"}, Scope: &allScopes}, }, }, { - RuleWithOperations: v1alpha1.RuleWithOperations{ + RuleWithOperations: v1beta1.RuleWithOperations{ Operations: []v1.OperationType{"*"}, Rule: v1.Rule{APIGroups: []string{"extensions"}, APIVersions: []string{"v1beta1"}, Resources: []string{"deployments"}, Scope: &allScopes}, }, @@ -232,21 +232,21 @@ func TestMatcher(t *testing.T) { { name: "specific rules, subresource prefer exact match", - criteria: &v1alpha1.MatchResources{ + criteria: &v1beta1.MatchResources{ NamespaceSelector: &metav1.LabelSelector{}, ObjectSelector: &metav1.LabelSelector{}, - ResourceRules: []v1alpha1.NamedRuleWithOperations{{ - RuleWithOperations: v1alpha1.RuleWithOperations{ + ResourceRules: []v1beta1.NamedRuleWithOperations{{ + RuleWithOperations: v1beta1.RuleWithOperations{ Operations: []v1.OperationType{"*"}, Rule: v1.Rule{APIGroups: []string{"extensions"}, APIVersions: []string{"v1beta1"}, Resources: []string{"deployments", "deployments/scale"}, Scope: &allScopes}, }, }, { - RuleWithOperations: v1alpha1.RuleWithOperations{ + RuleWithOperations: v1beta1.RuleWithOperations{ Operations: []v1.OperationType{"*"}, Rule: v1.Rule{APIGroups: []string{"apps"}, APIVersions: []string{"v1beta1"}, Resources: []string{"deployments", "deployments/scale"}, Scope: &allScopes}, }, }, { - RuleWithOperations: v1alpha1.RuleWithOperations{ + RuleWithOperations: v1beta1.RuleWithOperations{ Operations: []v1.OperationType{"*"}, Rule: v1.Rule{APIGroups: []string{"apps"}, APIVersions: []string{"v1"}, Resources: []string{"deployments", "deployments/scale"}, Scope: &allScopes}, }, @@ -257,16 +257,16 @@ func TestMatcher(t *testing.T) { }, { name: "specific rules, subresource match miss", - criteria: &v1alpha1.MatchResources{ + criteria: &v1beta1.MatchResources{ NamespaceSelector: &metav1.LabelSelector{}, ObjectSelector: &metav1.LabelSelector{}, - ResourceRules: []v1alpha1.NamedRuleWithOperations{{ - RuleWithOperations: v1alpha1.RuleWithOperations{ + ResourceRules: []v1beta1.NamedRuleWithOperations{{ + RuleWithOperations: v1beta1.RuleWithOperations{ Operations: []v1.OperationType{"*"}, Rule: v1.Rule{APIGroups: []string{"extensions"}, APIVersions: []string{"v1beta1"}, Resources: []string{"deployments", "deployments/scale"}, Scope: &allScopes}, }, }, { - RuleWithOperations: v1alpha1.RuleWithOperations{ + RuleWithOperations: v1beta1.RuleWithOperations{ Operations: []v1.OperationType{"*"}, Rule: v1.Rule{APIGroups: []string{"apps"}, APIVersions: []string{"v1beta1"}, Resources: []string{"deployments", "deployments/scale"}, Scope: &allScopes}, }, @@ -276,17 +276,17 @@ func TestMatcher(t *testing.T) { }, { name: "specific rules, subresource exact match miss", - criteria: &v1alpha1.MatchResources{ + criteria: &v1beta1.MatchResources{ MatchPolicy: &exactMatch, NamespaceSelector: &metav1.LabelSelector{}, ObjectSelector: &metav1.LabelSelector{}, - ResourceRules: []v1alpha1.NamedRuleWithOperations{{ - RuleWithOperations: v1alpha1.RuleWithOperations{ + ResourceRules: []v1beta1.NamedRuleWithOperations{{ + RuleWithOperations: v1beta1.RuleWithOperations{ Operations: []v1.OperationType{"*"}, Rule: v1.Rule{APIGroups: []string{"extensions"}, APIVersions: []string{"v1beta1"}, Resources: []string{"deployments", "deployments/scale"}, Scope: &allScopes}, }, }, { - RuleWithOperations: v1alpha1.RuleWithOperations{ + RuleWithOperations: v1beta1.RuleWithOperations{ Operations: []v1.OperationType{"*"}, Rule: v1.Rule{APIGroups: []string{"apps"}, APIVersions: []string{"v1beta1"}, Resources: []string{"deployments", "deployments/scale"}, Scope: &allScopes}, }, @@ -296,17 +296,17 @@ func TestMatcher(t *testing.T) { }, { name: "specific rules, subresource equivalent match, prefer extensions", - criteria: &v1alpha1.MatchResources{ + criteria: &v1beta1.MatchResources{ MatchPolicy: &equivalentMatch, NamespaceSelector: &metav1.LabelSelector{}, ObjectSelector: &metav1.LabelSelector{}, - ResourceRules: []v1alpha1.NamedRuleWithOperations{{ - RuleWithOperations: v1alpha1.RuleWithOperations{ + ResourceRules: []v1beta1.NamedRuleWithOperations{{ + RuleWithOperations: v1beta1.RuleWithOperations{ Operations: []v1.OperationType{"*"}, Rule: v1.Rule{APIGroups: []string{"extensions"}, APIVersions: []string{"v1beta1"}, Resources: []string{"deployments", "deployments/scale"}, Scope: &allScopes}, }, }, { - RuleWithOperations: v1alpha1.RuleWithOperations{ + RuleWithOperations: v1beta1.RuleWithOperations{ Operations: []v1.OperationType{"*"}, Rule: v1.Rule{APIGroups: []string{"apps"}, APIVersions: []string{"v1beta1"}, Resources: []string{"deployments", "deployments/scale"}, Scope: &allScopes}, }, @@ -317,17 +317,17 @@ func TestMatcher(t *testing.T) { }, { name: "specific rules, subresource equivalent match, prefer apps", - criteria: &v1alpha1.MatchResources{ + criteria: &v1beta1.MatchResources{ MatchPolicy: &equivalentMatch, NamespaceSelector: &metav1.LabelSelector{}, ObjectSelector: &metav1.LabelSelector{}, - ResourceRules: []v1alpha1.NamedRuleWithOperations{{ - RuleWithOperations: v1alpha1.RuleWithOperations{ + ResourceRules: []v1beta1.NamedRuleWithOperations{{ + RuleWithOperations: v1beta1.RuleWithOperations{ Operations: []v1.OperationType{"*"}, Rule: v1.Rule{APIGroups: []string{"apps"}, APIVersions: []string{"v1beta1"}, Resources: []string{"deployments", "deployments/scale"}, Scope: &allScopes}, }, }, { - RuleWithOperations: v1alpha1.RuleWithOperations{ + RuleWithOperations: v1beta1.RuleWithOperations{ Operations: []v1.OperationType{"*"}, Rule: v1.Rule{APIGroups: []string{"extensions"}, APIVersions: []string{"v1beta1"}, Resources: []string{"deployments", "deployments/scale"}, Scope: &allScopes}, }, @@ -338,12 +338,12 @@ func TestMatcher(t *testing.T) { }, { name: "specific rules, prefer exact match and name match", - criteria: &v1alpha1.MatchResources{ + criteria: &v1beta1.MatchResources{ NamespaceSelector: &metav1.LabelSelector{}, ObjectSelector: &metav1.LabelSelector{}, - ResourceRules: []v1alpha1.NamedRuleWithOperations{{ + ResourceRules: []v1beta1.NamedRuleWithOperations{{ ResourceNames: []string{"name"}, - RuleWithOperations: v1alpha1.RuleWithOperations{ + RuleWithOperations: v1beta1.RuleWithOperations{ Operations: []v1.OperationType{"*"}, Rule: v1.Rule{APIGroups: []string{"apps"}, APIVersions: []string{"v1"}, Resources: []string{"deployments"}, Scope: &allScopes}, }, @@ -354,12 +354,12 @@ func TestMatcher(t *testing.T) { }, { name: "specific rules, prefer exact match and name match miss", - criteria: &v1alpha1.MatchResources{ + criteria: &v1beta1.MatchResources{ NamespaceSelector: &metav1.LabelSelector{}, ObjectSelector: &metav1.LabelSelector{}, - ResourceRules: []v1alpha1.NamedRuleWithOperations{{ + ResourceRules: []v1beta1.NamedRuleWithOperations{{ ResourceNames: []string{"wrong-name"}, - RuleWithOperations: v1alpha1.RuleWithOperations{ + RuleWithOperations: v1beta1.RuleWithOperations{ Operations: []v1.OperationType{"*"}, Rule: v1.Rule{APIGroups: []string{"apps"}, APIVersions: []string{"v1"}, Resources: []string{"deployments"}, Scope: &allScopes}, }, @@ -369,13 +369,13 @@ func TestMatcher(t *testing.T) { }, { name: "specific rules, subresource equivalent match, prefer extensions and name match", - criteria: &v1alpha1.MatchResources{ + criteria: &v1beta1.MatchResources{ MatchPolicy: &equivalentMatch, NamespaceSelector: &metav1.LabelSelector{}, ObjectSelector: &metav1.LabelSelector{}, - ResourceRules: []v1alpha1.NamedRuleWithOperations{{ + ResourceRules: []v1beta1.NamedRuleWithOperations{{ ResourceNames: []string{"name"}, - RuleWithOperations: v1alpha1.RuleWithOperations{ + RuleWithOperations: v1beta1.RuleWithOperations{ Operations: []v1.OperationType{"*"}, Rule: v1.Rule{APIGroups: []string{"apps"}, APIVersions: []string{"v1"}, Resources: []string{"deployments", "deployments/scale"}, Scope: &allScopes}, }, @@ -386,13 +386,13 @@ func TestMatcher(t *testing.T) { }, { name: "specific rules, subresource equivalent match, prefer extensions and name match miss", - criteria: &v1alpha1.MatchResources{ + criteria: &v1beta1.MatchResources{ MatchPolicy: &equivalentMatch, NamespaceSelector: &metav1.LabelSelector{}, ObjectSelector: &metav1.LabelSelector{}, - ResourceRules: []v1alpha1.NamedRuleWithOperations{{ + ResourceRules: []v1beta1.NamedRuleWithOperations{{ ResourceNames: []string{"wrong-name"}, - RuleWithOperations: v1alpha1.RuleWithOperations{ + RuleWithOperations: v1beta1.RuleWithOperations{ Operations: []v1.OperationType{"*"}, Rule: v1.Rule{APIGroups: []string{"apps"}, APIVersions: []string{"v1"}, Resources: []string{"deployments", "deployments/scale"}, Scope: &allScopes}, }, @@ -402,17 +402,17 @@ func TestMatcher(t *testing.T) { }, { name: "exclude resource match on miss", - criteria: &v1alpha1.MatchResources{ + criteria: &v1beta1.MatchResources{ NamespaceSelector: &metav1.LabelSelector{}, ObjectSelector: &metav1.LabelSelector{}, - ResourceRules: []v1alpha1.NamedRuleWithOperations{{ - RuleWithOperations: v1alpha1.RuleWithOperations{ + ResourceRules: []v1beta1.NamedRuleWithOperations{{ + RuleWithOperations: v1beta1.RuleWithOperations{ Operations: []v1.OperationType{"*"}, Rule: v1.Rule{APIGroups: []string{"*"}, APIVersions: []string{"*"}, Resources: []string{"*"}, Scope: &allScopes}, }, }}, - ExcludeResourceRules: []v1alpha1.NamedRuleWithOperations{{ - RuleWithOperations: v1alpha1.RuleWithOperations{ + ExcludeResourceRules: []v1beta1.NamedRuleWithOperations{{ + RuleWithOperations: v1beta1.RuleWithOperations{ Operations: []v1.OperationType{"*"}, Rule: v1.Rule{APIGroups: []string{"extensions"}, APIVersions: []string{"v1beta1"}, Resources: []string{"deployments"}, Scope: &allScopes}, }, @@ -424,17 +424,17 @@ func TestMatcher(t *testing.T) { }, { name: "exclude resource miss on match", - criteria: &v1alpha1.MatchResources{ + criteria: &v1beta1.MatchResources{ NamespaceSelector: &metav1.LabelSelector{}, ObjectSelector: &metav1.LabelSelector{}, - ResourceRules: []v1alpha1.NamedRuleWithOperations{{ - RuleWithOperations: v1alpha1.RuleWithOperations{ + ResourceRules: []v1beta1.NamedRuleWithOperations{{ + RuleWithOperations: v1beta1.RuleWithOperations{ Operations: []v1.OperationType{"*"}, Rule: v1.Rule{APIGroups: []string{"*"}, APIVersions: []string{"*"}, Resources: []string{"*"}, Scope: &allScopes}, }, }}, - ExcludeResourceRules: []v1alpha1.NamedRuleWithOperations{{ - RuleWithOperations: v1alpha1.RuleWithOperations{ + ExcludeResourceRules: []v1beta1.NamedRuleWithOperations{{ + RuleWithOperations: v1beta1.RuleWithOperations{ Operations: []v1.OperationType{"*"}, Rule: v1.Rule{APIGroups: []string{"extensions"}, APIVersions: []string{"v1beta1"}, Resources: []string{"deployments"}, Scope: &allScopes}, }, @@ -445,11 +445,11 @@ func TestMatcher(t *testing.T) { }, { name: "treat empty ResourceRules as match", - criteria: &v1alpha1.MatchResources{ + criteria: &v1beta1.MatchResources{ NamespaceSelector: &metav1.LabelSelector{}, ObjectSelector: &metav1.LabelSelector{}, - ExcludeResourceRules: []v1alpha1.NamedRuleWithOperations{{ - RuleWithOperations: v1alpha1.RuleWithOperations{ + ExcludeResourceRules: []v1beta1.NamedRuleWithOperations{{ + RuleWithOperations: v1beta1.RuleWithOperations{ Operations: []v1.OperationType{"*"}, Rule: v1.Rule{APIGroups: []string{"extensions"}, APIVersions: []string{"v1beta1"}, Resources: []string{"deployments"}, Scope: &allScopes}, }, @@ -460,23 +460,23 @@ func TestMatcher(t *testing.T) { }, { name: "treat non-empty ResourceRules as no match", - criteria: &v1alpha1.MatchResources{ + criteria: &v1beta1.MatchResources{ NamespaceSelector: &metav1.LabelSelector{}, ObjectSelector: &metav1.LabelSelector{}, - ResourceRules: []v1alpha1.NamedRuleWithOperations{{}}, + ResourceRules: []v1beta1.NamedRuleWithOperations{{}}, }, attrs: admission.NewAttributesRecord(nil, nil, gvk("autoscaling", "v1", "Scale"), "ns", "name", gvr("apps", "v1", "deployments"), "", admission.Create, &metav1.CreateOptions{}, false, nil), expectMatches: false, }, { name: "erroring namespace selector on otherwise non-matching rule doesn't error", - criteria: &v1alpha1.MatchResources{ + criteria: &v1beta1.MatchResources{ NamespaceSelector: &metav1.LabelSelector{MatchExpressions: []metav1.LabelSelectorRequirement{{Key: "key ", Operator: "In", Values: []string{"bad value"}}}}, ObjectSelector: &metav1.LabelSelector{}, - ResourceRules: []v1alpha1.NamedRuleWithOperations{{ - RuleWithOperations: v1alpha1.RuleWithOperations{ - Rule: v1alpha1.Rule{APIGroups: []string{"*"}, APIVersions: []string{"*"}, Resources: []string{"deployments"}}, - Operations: []v1alpha1.OperationType{"*"}, + ResourceRules: []v1beta1.NamedRuleWithOperations{{ + RuleWithOperations: v1beta1.RuleWithOperations{ + Rule: v1beta1.Rule{APIGroups: []string{"*"}, APIVersions: []string{"*"}, Resources: []string{"deployments"}}, + Operations: []v1beta1.OperationType{"*"}, }, }}, }, @@ -486,13 +486,13 @@ func TestMatcher(t *testing.T) { }, { name: "erroring namespace selector on otherwise matching rule errors", - criteria: &v1alpha1.MatchResources{ + criteria: &v1beta1.MatchResources{ NamespaceSelector: &metav1.LabelSelector{MatchExpressions: []metav1.LabelSelectorRequirement{{Key: "key", Operator: "In", Values: []string{"bad value"}}}}, ObjectSelector: &metav1.LabelSelector{}, - ResourceRules: []v1alpha1.NamedRuleWithOperations{{ - RuleWithOperations: v1alpha1.RuleWithOperations{ - Rule: v1alpha1.Rule{APIGroups: []string{"*"}, APIVersions: []string{"*"}, Resources: []string{"pods"}}, - Operations: []v1alpha1.OperationType{"*"}, + ResourceRules: []v1beta1.NamedRuleWithOperations{{ + RuleWithOperations: v1beta1.RuleWithOperations{ + Rule: v1beta1.Rule{APIGroups: []string{"*"}, APIVersions: []string{"*"}, Resources: []string{"pods"}}, + Operations: []v1beta1.OperationType{"*"}, }, }}, }, @@ -502,13 +502,13 @@ func TestMatcher(t *testing.T) { }, { name: "erroring object selector on otherwise non-matching rule doesn't error", - criteria: &v1alpha1.MatchResources{ + criteria: &v1beta1.MatchResources{ NamespaceSelector: &metav1.LabelSelector{}, ObjectSelector: &metav1.LabelSelector{MatchExpressions: []metav1.LabelSelectorRequirement{{Key: "key", Operator: "In", Values: []string{"bad value"}}}}, - ResourceRules: []v1alpha1.NamedRuleWithOperations{{ - RuleWithOperations: v1alpha1.RuleWithOperations{ - Rule: v1alpha1.Rule{APIGroups: []string{"*"}, APIVersions: []string{"*"}, Resources: []string{"deployments"}}, - Operations: []v1alpha1.OperationType{"*"}, + ResourceRules: []v1beta1.NamedRuleWithOperations{{ + RuleWithOperations: v1beta1.RuleWithOperations{ + Rule: v1beta1.Rule{APIGroups: []string{"*"}, APIVersions: []string{"*"}, Resources: []string{"deployments"}}, + Operations: []v1beta1.OperationType{"*"}, }, }}, }, @@ -518,13 +518,13 @@ func TestMatcher(t *testing.T) { }, { name: "erroring object selector on otherwise matching rule errors", - criteria: &v1alpha1.MatchResources{ + criteria: &v1beta1.MatchResources{ NamespaceSelector: &metav1.LabelSelector{}, ObjectSelector: &metav1.LabelSelector{MatchExpressions: []metav1.LabelSelectorRequirement{{Key: "key", Operator: "In", Values: []string{"bad value"}}}}, - ResourceRules: []v1alpha1.NamedRuleWithOperations{{ - RuleWithOperations: v1alpha1.RuleWithOperations{ - Rule: v1alpha1.Rule{APIGroups: []string{"*"}, APIVersions: []string{"*"}, Resources: []string{"pods"}}, - Operations: []v1alpha1.OperationType{"*"}, + ResourceRules: []v1beta1.NamedRuleWithOperations{{ + RuleWithOperations: v1beta1.RuleWithOperations{ + Rule: v1beta1.Rule{APIGroups: []string{"*"}, APIVersions: []string{"*"}, Resources: []string{"pods"}}, + Operations: []v1beta1.OperationType{"*"}, }, }}, }, @@ -579,7 +579,7 @@ func (f fakeNamespaceLister) Get(name string) (*corev1.Namespace, error) { func BenchmarkMatcher(b *testing.B) { allScopes := v1.AllScopes - equivalentMatch := v1alpha1.Equivalent + equivalentMatch := v1beta1.Equivalent namespace1Labels := map[string]string{"ns": "ns1"} namespace1 := corev1.Namespace{ @@ -620,19 +620,19 @@ func BenchmarkMatcher(b *testing.B) { nsSelector[fmt.Sprintf("key-%d", i)] = fmt.Sprintf("val-%d", i) } - mr := v1alpha1.MatchResources{ + mr := v1beta1.MatchResources{ MatchPolicy: &equivalentMatch, NamespaceSelector: &metav1.LabelSelector{MatchLabels: nsSelector}, ObjectSelector: &metav1.LabelSelector{}, - ResourceRules: []v1alpha1.NamedRuleWithOperations{ + ResourceRules: []v1beta1.NamedRuleWithOperations{ { - RuleWithOperations: v1alpha1.RuleWithOperations{ + RuleWithOperations: v1beta1.RuleWithOperations{ Operations: []v1.OperationType{"*"}, Rule: v1.Rule{APIGroups: []string{"apps"}, APIVersions: []string{"v1beta1"}, Resources: []string{"deployments", "deployments/scale"}, Scope: &allScopes}, }, }, { - RuleWithOperations: v1alpha1.RuleWithOperations{ + RuleWithOperations: v1beta1.RuleWithOperations{ Operations: []v1.OperationType{"*"}, Rule: v1.Rule{APIGroups: []string{"extensions"}, APIVersions: []string{"v1beta1"}, Resources: []string{"deployments", "deployments/scale"}, Scope: &allScopes}, }, @@ -652,7 +652,7 @@ func BenchmarkMatcher(b *testing.B) { func BenchmarkShouldCallHookWithComplexRule(b *testing.B) { allScopes := v1.AllScopes - equivalentMatch := v1alpha1.Equivalent + equivalentMatch := v1beta1.Equivalent namespace1Labels := map[string]string{"ns": "ns1"} namespace1 := corev1.Namespace{ @@ -688,16 +688,16 @@ func BenchmarkShouldCallHookWithComplexRule(b *testing.B) { mapper.RegisterKindFor(gvr("apps", "v1beta1", "statefulset"), "scale", gvk("apps", "v1beta1", "Scale")) mapper.RegisterKindFor(gvr("apps", "v1alpha2", "statefulset"), "scale", gvk("apps", "v1beta2", "Scale")) - mr := v1alpha1.MatchResources{ + mr := v1beta1.MatchResources{ MatchPolicy: &equivalentMatch, NamespaceSelector: &metav1.LabelSelector{MatchLabels: map[string]string{"a": "b"}}, ObjectSelector: &metav1.LabelSelector{}, - ResourceRules: []v1alpha1.NamedRuleWithOperations{}, + ResourceRules: []v1beta1.NamedRuleWithOperations{}, } for i := 0; i < 100; i++ { - rule := v1alpha1.NamedRuleWithOperations{ - RuleWithOperations: v1alpha1.RuleWithOperations{ + rule := v1beta1.NamedRuleWithOperations{ + RuleWithOperations: v1beta1.RuleWithOperations{ Operations: []v1.OperationType{"*"}, Rule: v1.Rule{ APIGroups: []string{fmt.Sprintf("app-%d", i)}, @@ -722,7 +722,7 @@ func BenchmarkShouldCallHookWithComplexRule(b *testing.B) { func BenchmarkShouldCallHookWithComplexSelectorAndRule(b *testing.B) { allScopes := v1.AllScopes - equivalentMatch := v1alpha1.Equivalent + equivalentMatch := v1beta1.Equivalent namespace1Labels := map[string]string{"ns": "ns1"} namespace1 := corev1.Namespace{ @@ -763,16 +763,16 @@ func BenchmarkShouldCallHookWithComplexSelectorAndRule(b *testing.B) { nsSelector[fmt.Sprintf("key-%d", i)] = fmt.Sprintf("val-%d", i) } - mr := v1alpha1.MatchResources{ + mr := v1beta1.MatchResources{ MatchPolicy: &equivalentMatch, NamespaceSelector: &metav1.LabelSelector{MatchLabels: nsSelector}, ObjectSelector: &metav1.LabelSelector{}, - ResourceRules: []v1alpha1.NamedRuleWithOperations{}, + ResourceRules: []v1beta1.NamedRuleWithOperations{}, } for i := 0; i < 100; i++ { - rule := v1alpha1.NamedRuleWithOperations{ - RuleWithOperations: v1alpha1.RuleWithOperations{ + rule := v1beta1.NamedRuleWithOperations{ + RuleWithOperations: v1beta1.RuleWithOperations{ Operations: []v1.OperationType{"*"}, Rule: v1.Rule{ APIGroups: []string{fmt.Sprintf("app-%d", i)}, diff --git a/staging/src/k8s.io/apiserver/pkg/admission/plugin/validatingadmissionpolicy/typechecking.go b/staging/src/k8s.io/apiserver/pkg/admission/plugin/validatingadmissionpolicy/typechecking.go index 8857933c3d8..6d73e237b07 100644 --- a/staging/src/k8s.io/apiserver/pkg/admission/plugin/validatingadmissionpolicy/typechecking.go +++ b/staging/src/k8s.io/apiserver/pkg/admission/plugin/validatingadmissionpolicy/typechecking.go @@ -25,7 +25,7 @@ import ( "github.com/google/cel-go/cel" - "k8s.io/api/admissionregistration/v1alpha1" + "k8s.io/api/admissionregistration/v1beta1" "k8s.io/apimachinery/pkg/api/meta" "k8s.io/apimachinery/pkg/runtime/schema" "k8s.io/apimachinery/pkg/util/sets" @@ -102,18 +102,18 @@ func (r *TypeCheckingResult) String() string { // as []ExpressionWarning that is ready to be set in policy.Status // The result is nil if type checking returns no warning. // The policy object is NOT mutated. The caller should update Status accordingly -func (c *TypeChecker) Check(policy *v1alpha1.ValidatingAdmissionPolicy) []v1alpha1.ExpressionWarning { +func (c *TypeChecker) Check(policy *v1beta1.ValidatingAdmissionPolicy) []v1beta1.ExpressionWarning { ctx := c.CreateContext(policy) // warnings to return, note that the capacity is optimistically set to zero - var warnings []v1alpha1.ExpressionWarning // intentionally not setting capacity + var warnings []v1beta1.ExpressionWarning // intentionally not setting capacity // check main validation expressions and their message expressions, located in spec.validations[*] fieldRef := field.NewPath("spec", "validations") for i, v := range policy.Spec.Validations { results := c.CheckExpression(ctx, v.Expression) if len(results) != 0 { - warnings = append(warnings, v1alpha1.ExpressionWarning{ + warnings = append(warnings, v1beta1.ExpressionWarning{ FieldRef: fieldRef.Index(i).Child("expression").String(), Warning: results.String(), }) @@ -124,7 +124,7 @@ func (c *TypeChecker) Check(policy *v1alpha1.ValidatingAdmissionPolicy) []v1alph } results = c.CheckExpression(ctx, v.MessageExpression) if len(results) != 0 { - warnings = append(warnings, v1alpha1.ExpressionWarning{ + warnings = append(warnings, v1beta1.ExpressionWarning{ FieldRef: fieldRef.Index(i).Child("messageExpression").String(), Warning: results.String(), }) @@ -135,7 +135,7 @@ func (c *TypeChecker) Check(policy *v1alpha1.ValidatingAdmissionPolicy) []v1alph } // CreateContext resolves all types and their schemas from a policy definition and creates the context. -func (c *TypeChecker) CreateContext(policy *v1alpha1.ValidatingAdmissionPolicy) *TypeCheckingContext { +func (c *TypeChecker) CreateContext(policy *v1beta1.ValidatingAdmissionPolicy) *TypeCheckingContext { ctx := new(TypeCheckingContext) allGvks := c.typesToCheck(policy) gvks := make([]schema.GroupVersionKind, 0, len(allGvks)) @@ -203,7 +203,7 @@ func (c *TypeChecker) declType(gvk schema.GroupVersionKind) (*apiservercel.DeclT return common.SchemaDeclType(&openapi.Schema{Schema: s}, true).MaybeAssignTypeName(generateUniqueTypeName(gvk.Kind)), nil } -func (c *TypeChecker) paramsGVK(policy *v1alpha1.ValidatingAdmissionPolicy) schema.GroupVersionKind { +func (c *TypeChecker) paramsGVK(policy *v1beta1.ValidatingAdmissionPolicy) schema.GroupVersionKind { if policy.Spec.ParamKind == nil { return schema.GroupVersionKind{} } @@ -233,7 +233,7 @@ func (c *TypeChecker) checkExpression(expression string, hasParams, hasAuthorize // typesToCheck extracts a list of GVKs that needs type checking from the policy // the result is sorted in the order of Group, Version, and Kind -func (c *TypeChecker) typesToCheck(p *v1alpha1.ValidatingAdmissionPolicy) []schema.GroupVersionKind { +func (c *TypeChecker) typesToCheck(p *v1beta1.ValidatingAdmissionPolicy) []schema.GroupVersionKind { gvks := sets.New[schema.GroupVersionKind]() if p.Spec.MatchConstraints == nil || len(p.Spec.MatchConstraints.ResourceRules) == 0 { return nil @@ -294,7 +294,7 @@ func (c *TypeChecker) typesToCheck(p *v1alpha1.ValidatingAdmissionPolicy) []sche return sortGVKList(gvks.UnsortedList()) } -func extractGroups(rule *v1alpha1.Rule) []string { +func extractGroups(rule *v1beta1.Rule) []string { groups := make([]string, 0, len(rule.APIGroups)) for _, group := range rule.APIGroups { // give up if wildcard @@ -306,7 +306,7 @@ func extractGroups(rule *v1alpha1.Rule) []string { return groups } -func extractVersions(rule *v1alpha1.Rule) []string { +func extractVersions(rule *v1beta1.Rule) []string { versions := make([]string, 0, len(rule.APIVersions)) for _, version := range rule.APIVersions { if strings.ContainsAny(version, "*") { @@ -317,7 +317,7 @@ func extractVersions(rule *v1alpha1.Rule) []string { return versions } -func extractResources(rule *v1alpha1.Rule) []string { +func extractResources(rule *v1beta1.Rule) []string { resources := make([]string, 0, len(rule.Resources)) for _, resource := range rule.Resources { // skip wildcard and subresources diff --git a/staging/src/k8s.io/apiserver/pkg/admission/plugin/validatingadmissionpolicy/typechecking_test.go b/staging/src/k8s.io/apiserver/pkg/admission/plugin/validatingadmissionpolicy/typechecking_test.go index 7a4fe293544..e4b9a5d153d 100644 --- a/staging/src/k8s.io/apiserver/pkg/admission/plugin/validatingadmissionpolicy/typechecking_test.go +++ b/staging/src/k8s.io/apiserver/pkg/admission/plugin/validatingadmissionpolicy/typechecking_test.go @@ -22,7 +22,7 @@ import ( "strings" "testing" - "k8s.io/api/admissionregistration/v1alpha1" + "k8s.io/api/admissionregistration/v1beta1" appsv1 "k8s.io/api/apps/v1" corev1 "k8s.io/api/core/v1" "k8s.io/apimachinery/pkg/api/meta" @@ -34,21 +34,21 @@ import ( func TestExtractTypeNames(t *testing.T) { for _, tc := range []struct { name string - policy *v1alpha1.ValidatingAdmissionPolicy + policy *v1beta1.ValidatingAdmissionPolicy expected []schema.GroupVersionKind // must be sorted }{ { name: "empty", - policy: &v1alpha1.ValidatingAdmissionPolicy{}, + policy: &v1beta1.ValidatingAdmissionPolicy{}, expected: nil, }, { name: "specific", - policy: &v1alpha1.ValidatingAdmissionPolicy{Spec: v1alpha1.ValidatingAdmissionPolicySpec{ - MatchConstraints: &v1alpha1.MatchResources{ResourceRules: []v1alpha1.NamedRuleWithOperations{ + policy: &v1beta1.ValidatingAdmissionPolicy{Spec: v1beta1.ValidatingAdmissionPolicySpec{ + MatchConstraints: &v1beta1.MatchResources{ResourceRules: []v1beta1.NamedRuleWithOperations{ { - RuleWithOperations: v1alpha1.RuleWithOperations{ - Rule: v1alpha1.Rule{ + RuleWithOperations: v1beta1.RuleWithOperations{ + Rule: v1beta1.Rule{ APIGroups: []string{"apps"}, APIVersions: []string{"v1"}, Resources: []string{"deployments"}, @@ -65,19 +65,19 @@ func TestExtractTypeNames(t *testing.T) { }, { name: "multiple", - policy: &v1alpha1.ValidatingAdmissionPolicy{Spec: v1alpha1.ValidatingAdmissionPolicySpec{ - MatchConstraints: &v1alpha1.MatchResources{ResourceRules: []v1alpha1.NamedRuleWithOperations{ + policy: &v1beta1.ValidatingAdmissionPolicy{Spec: v1beta1.ValidatingAdmissionPolicySpec{ + MatchConstraints: &v1beta1.MatchResources{ResourceRules: []v1beta1.NamedRuleWithOperations{ { - RuleWithOperations: v1alpha1.RuleWithOperations{ - Rule: v1alpha1.Rule{ + RuleWithOperations: v1beta1.RuleWithOperations{ + Rule: v1beta1.Rule{ APIGroups: []string{"apps"}, APIVersions: []string{"v1"}, Resources: []string{"deployments"}, }, }, }, { - RuleWithOperations: v1alpha1.RuleWithOperations{ - Rule: v1alpha1.Rule{ + RuleWithOperations: v1beta1.RuleWithOperations{ + Rule: v1beta1.Rule{ APIGroups: []string{""}, APIVersions: []string{"v1"}, Resources: []string{"pods"}, @@ -98,11 +98,11 @@ func TestExtractTypeNames(t *testing.T) { }, { name: "all resources", - policy: &v1alpha1.ValidatingAdmissionPolicy{Spec: v1alpha1.ValidatingAdmissionPolicySpec{ - MatchConstraints: &v1alpha1.MatchResources{ResourceRules: []v1alpha1.NamedRuleWithOperations{ + policy: &v1beta1.ValidatingAdmissionPolicy{Spec: v1beta1.ValidatingAdmissionPolicySpec{ + MatchConstraints: &v1beta1.MatchResources{ResourceRules: []v1beta1.NamedRuleWithOperations{ { - RuleWithOperations: v1alpha1.RuleWithOperations{ - Rule: v1alpha1.Rule{ + RuleWithOperations: v1beta1.RuleWithOperations{ + Rule: v1beta1.Rule{ APIGroups: []string{"apps"}, APIVersions: []string{"v1"}, Resources: []string{"*"}, @@ -115,11 +115,11 @@ func TestExtractTypeNames(t *testing.T) { }, { name: "sub resources", - policy: &v1alpha1.ValidatingAdmissionPolicy{Spec: v1alpha1.ValidatingAdmissionPolicySpec{ - MatchConstraints: &v1alpha1.MatchResources{ResourceRules: []v1alpha1.NamedRuleWithOperations{ + policy: &v1beta1.ValidatingAdmissionPolicy{Spec: v1beta1.ValidatingAdmissionPolicySpec{ + MatchConstraints: &v1beta1.MatchResources{ResourceRules: []v1beta1.NamedRuleWithOperations{ { - RuleWithOperations: v1alpha1.RuleWithOperations{ - Rule: v1alpha1.Rule{ + RuleWithOperations: v1beta1.RuleWithOperations{ + Rule: v1beta1.Rule{ APIGroups: []string{"apps"}, APIVersions: []string{"v1"}, Resources: []string{"pods/*"}, @@ -132,11 +132,11 @@ func TestExtractTypeNames(t *testing.T) { }, { name: "mixtures", - policy: &v1alpha1.ValidatingAdmissionPolicy{Spec: v1alpha1.ValidatingAdmissionPolicySpec{ - MatchConstraints: &v1alpha1.MatchResources{ResourceRules: []v1alpha1.NamedRuleWithOperations{ + policy: &v1beta1.ValidatingAdmissionPolicy{Spec: v1beta1.ValidatingAdmissionPolicySpec{ + MatchConstraints: &v1beta1.MatchResources{ResourceRules: []v1beta1.NamedRuleWithOperations{ { - RuleWithOperations: v1alpha1.RuleWithOperations{ - Rule: v1alpha1.Rule{ + RuleWithOperations: v1beta1.RuleWithOperations{ + Rule: v1beta1.Rule{ APIGroups: []string{"apps"}, APIVersions: []string{"v1"}, Resources: []string{"deployments"}, @@ -144,8 +144,8 @@ func TestExtractTypeNames(t *testing.T) { }, }, { - RuleWithOperations: v1alpha1.RuleWithOperations{ - Rule: v1alpha1.Rule{ + RuleWithOperations: v1beta1.RuleWithOperations{ + Rule: v1beta1.Rule{ APIGroups: []string{"apps"}, APIVersions: []string{"*"}, Resources: []string{"deployments"}, @@ -172,16 +172,16 @@ func TestExtractTypeNames(t *testing.T) { } func TestTypeCheck(t *testing.T) { - deploymentPolicy := &v1alpha1.ValidatingAdmissionPolicy{Spec: v1alpha1.ValidatingAdmissionPolicySpec{ - Validations: []v1alpha1.Validation{ + deploymentPolicy := &v1beta1.ValidatingAdmissionPolicy{Spec: v1beta1.ValidatingAdmissionPolicySpec{ + Validations: []v1beta1.Validation{ { Expression: "object.foo == 'bar'", }, }, - MatchConstraints: &v1alpha1.MatchResources{ResourceRules: []v1alpha1.NamedRuleWithOperations{ + MatchConstraints: &v1beta1.MatchResources{ResourceRules: []v1beta1.NamedRuleWithOperations{ { - RuleWithOperations: v1alpha1.RuleWithOperations{ - Rule: v1alpha1.Rule{ + RuleWithOperations: v1beta1.RuleWithOperations{ + Rule: v1beta1.Rule{ APIGroups: []string{"apps"}, APIVersions: []string{"v1"}, Resources: []string{"deployments"}, @@ -194,8 +194,8 @@ func TestTypeCheck(t *testing.T) { deploymentPolicyWithBadMessageExpression := deploymentPolicy.DeepCopy() deploymentPolicyWithBadMessageExpression.Spec.Validations[0].MessageExpression = "object.foo + 114514" // confusion - multiExpressionPolicy := &v1alpha1.ValidatingAdmissionPolicy{Spec: v1alpha1.ValidatingAdmissionPolicySpec{ - Validations: []v1alpha1.Validation{ + multiExpressionPolicy := &v1beta1.ValidatingAdmissionPolicy{Spec: v1beta1.ValidatingAdmissionPolicySpec{ + Validations: []v1beta1.Validation{ { Expression: "object.foo == 'bar'", }, @@ -203,10 +203,10 @@ func TestTypeCheck(t *testing.T) { Expression: "object.bar == 'foo'", }, }, - MatchConstraints: &v1alpha1.MatchResources{ResourceRules: []v1alpha1.NamedRuleWithOperations{ + MatchConstraints: &v1beta1.MatchResources{ResourceRules: []v1beta1.NamedRuleWithOperations{ { - RuleWithOperations: v1alpha1.RuleWithOperations{ - Rule: v1alpha1.Rule{ + RuleWithOperations: v1beta1.RuleWithOperations{ + Rule: v1beta1.Rule{ APIGroups: []string{"apps"}, APIVersions: []string{"v1"}, Resources: []string{"deployments"}, @@ -215,20 +215,20 @@ func TestTypeCheck(t *testing.T) { }, }}, }} - paramsRefPolicy := &v1alpha1.ValidatingAdmissionPolicy{Spec: v1alpha1.ValidatingAdmissionPolicySpec{ - ParamKind: &v1alpha1.ParamKind{ + paramsRefPolicy := &v1beta1.ValidatingAdmissionPolicy{Spec: v1beta1.ValidatingAdmissionPolicySpec{ + ParamKind: &v1beta1.ParamKind{ APIVersion: "v1", Kind: "DoesNotMatter", }, - Validations: []v1alpha1.Validation{ + Validations: []v1beta1.Validation{ { Expression: "object.foo == params.bar", }, }, - MatchConstraints: &v1alpha1.MatchResources{ResourceRules: []v1alpha1.NamedRuleWithOperations{ + MatchConstraints: &v1beta1.MatchResources{ResourceRules: []v1beta1.NamedRuleWithOperations{ { - RuleWithOperations: v1alpha1.RuleWithOperations{ - Rule: v1alpha1.Rule{ + RuleWithOperations: v1beta1.RuleWithOperations{ + Rule: v1beta1.Rule{ APIGroups: []string{"apps"}, APIVersions: []string{"v1"}, Resources: []string{"deployments"}, @@ -237,16 +237,16 @@ func TestTypeCheck(t *testing.T) { }, }}, }} - authorizerPolicy := &v1alpha1.ValidatingAdmissionPolicy{Spec: v1alpha1.ValidatingAdmissionPolicySpec{ - Validations: []v1alpha1.Validation{ + authorizerPolicy := &v1beta1.ValidatingAdmissionPolicy{Spec: v1beta1.ValidatingAdmissionPolicySpec{ + Validations: []v1beta1.Validation{ { Expression: "authorizer.group('').resource('endpoints').check('create').allowed()", }, }, - MatchConstraints: &v1alpha1.MatchResources{ResourceRules: []v1alpha1.NamedRuleWithOperations{ + MatchConstraints: &v1beta1.MatchResources{ResourceRules: []v1beta1.NamedRuleWithOperations{ { - RuleWithOperations: v1alpha1.RuleWithOperations{ - Rule: v1alpha1.Rule{ + RuleWithOperations: v1beta1.RuleWithOperations{ + Rule: v1beta1.Rule{ APIGroups: []string{"apps"}, APIVersions: []string{"v1"}, Resources: []string{"deployments"}, @@ -255,16 +255,16 @@ func TestTypeCheck(t *testing.T) { }, }}, }} - authorizerInvalidPolicy := &v1alpha1.ValidatingAdmissionPolicy{Spec: v1alpha1.ValidatingAdmissionPolicySpec{ - Validations: []v1alpha1.Validation{ + authorizerInvalidPolicy := &v1beta1.ValidatingAdmissionPolicy{Spec: v1beta1.ValidatingAdmissionPolicySpec{ + Validations: []v1beta1.Validation{ { Expression: "authorizer.allowed()", }, }, - MatchConstraints: &v1alpha1.MatchResources{ResourceRules: []v1alpha1.NamedRuleWithOperations{ + MatchConstraints: &v1beta1.MatchResources{ResourceRules: []v1beta1.NamedRuleWithOperations{ { - RuleWithOperations: v1alpha1.RuleWithOperations{ - Rule: v1alpha1.Rule{ + RuleWithOperations: v1beta1.RuleWithOperations{ + Rule: v1beta1.Rule{ APIGroups: []string{"apps"}, APIVersions: []string{"v1"}, Resources: []string{"deployments"}, @@ -276,12 +276,12 @@ func TestTypeCheck(t *testing.T) { for _, tc := range []struct { name string schemaToReturn *spec.Schema - policy *v1alpha1.ValidatingAdmissionPolicy + policy *v1beta1.ValidatingAdmissionPolicy assertions []assertionFunc }{ { name: "empty", - policy: &v1alpha1.ValidatingAdmissionPolicy{}, + policy: &v1beta1.ValidatingAdmissionPolicy{}, assertions: []assertionFunc{toBeEmpty}, }, { @@ -451,14 +451,14 @@ func (r *fakeSchemaResolver) ResolveSchema(gvk schema.GroupVersionKind) (*spec.S return r.schemaToReturn, nil } -func toBeEmpty(warnings []v1alpha1.ExpressionWarning, t *testing.T) { +func toBeEmpty(warnings []v1beta1.ExpressionWarning, t *testing.T) { if len(warnings) != 0 { t.Fatalf("expected empty but got %v", warnings) } } -func toContain(substring string) func(warnings []v1alpha1.ExpressionWarning, t *testing.T) { - return func(warnings []v1alpha1.ExpressionWarning, t *testing.T) { +func toContain(substring string) func(warnings []v1beta1.ExpressionWarning, t *testing.T) { + return func(warnings []v1beta1.ExpressionWarning, t *testing.T) { if len(warnings) == 0 { t.Errorf("expected containing %q but got empty", substring) } @@ -470,8 +470,8 @@ func toContain(substring string) func(warnings []v1alpha1.ExpressionWarning, t * } } -func toHaveLengthOf(expected int) func(warnings []v1alpha1.ExpressionWarning, t *testing.T) { - return func(warnings []v1alpha1.ExpressionWarning, t *testing.T) { +func toHaveLengthOf(expected int) func(warnings []v1beta1.ExpressionWarning, t *testing.T) { + return func(warnings []v1beta1.ExpressionWarning, t *testing.T) { got := len(warnings) if expected != got { t.Errorf("expect warnings to have length of %d, but got %d", expected, got) @@ -479,8 +479,8 @@ func toHaveLengthOf(expected int) func(warnings []v1alpha1.ExpressionWarning, t } } -func toHaveFieldRef(paths ...string) func(warnings []v1alpha1.ExpressionWarning, t *testing.T) { - return func(warnings []v1alpha1.ExpressionWarning, t *testing.T) { +func toHaveFieldRef(paths ...string) func(warnings []v1beta1.ExpressionWarning, t *testing.T) { + return func(warnings []v1beta1.ExpressionWarning, t *testing.T) { if len(paths) != len(warnings) { t.Errorf("expect warnings to have length of %d, but got %d", len(paths), len(warnings)) } @@ -492,4 +492,4 @@ func toHaveFieldRef(paths ...string) func(warnings []v1alpha1.ExpressionWarning, } } -type assertionFunc func(warnings []v1alpha1.ExpressionWarning, t *testing.T) +type assertionFunc func(warnings []v1beta1.ExpressionWarning, t *testing.T) diff --git a/test/e2e/apimachinery/validatingadmissionpolicy.go b/test/e2e/apimachinery/validatingadmissionpolicy.go index fe85f8d7912..4f06cac7986 100644 --- a/test/e2e/apimachinery/validatingadmissionpolicy.go +++ b/test/e2e/apimachinery/validatingadmissionpolicy.go @@ -25,7 +25,7 @@ import ( "github.com/onsi/gomega" admissionregistrationv1 "k8s.io/api/admissionregistration/v1" - admissionregistrationv1alpha1 "k8s.io/api/admissionregistration/v1alpha1" + admissionregistrationv1beta1 "k8s.io/api/admissionregistration/v1beta1" appsv1 "k8s.io/api/apps/v1" v1 "k8s.io/api/core/v1" apierrors "k8s.io/apimachinery/pkg/api/errors" @@ -46,10 +46,10 @@ var _ = SIGDescribe("ValidatingAdmissionPolicy [Privileged:ClusterAdmin][Alpha][ var err error client, err = clientset.NewForConfig(f.ClientConfig()) framework.ExpectNoError(err, "initializing client") - _, err = client.AdmissionregistrationV1alpha1().ValidatingAdmissionPolicies().List(context.Background(), metav1.ListOptions{}) + _, err = client.AdmissionregistrationV1beta1().ValidatingAdmissionPolicies().List(context.Background(), metav1.ListOptions{}) if apierrors.IsNotFound(err) { // TODO: feature check should fail after GA graduation - ginkgo.Skip(fmt.Sprintf("server does not support ValidatingAdmissionPolicy v1alpha1: %v, feature gate not enabled?", err)) + ginkgo.Skip(fmt.Sprintf("server does not support ValidatingAdmissionPolicy v1beta1: %v, feature gate not enabled?", err)) } }) @@ -68,25 +68,25 @@ var _ = SIGDescribe("ValidatingAdmissionPolicy [Privileged:ClusterAdmin][Alpha][ StartResourceRule(). MatchResource([]string{"apps"}, []string{"v1"}, []string{"deployments"}). EndResourceRule(). - WithValidation(admissionregistrationv1alpha1.Validation{ + WithValidation(admissionregistrationv1beta1.Validation{ Expression: "object.spec.replicas > 1", MessageExpression: "'wants replicas > 1, got ' + object.spec.replicas", }). - WithValidation(admissionregistrationv1alpha1.Validation{ + WithValidation(admissionregistrationv1beta1.Validation{ Expression: "namespaceObject.metadata.name == '" + f.UniqueName + "'", Message: "Internal error! Other namespace should not be allowed.", }). Build() - policy, err := client.AdmissionregistrationV1alpha1().ValidatingAdmissionPolicies().Create(ctx, policy, metav1.CreateOptions{}) + policy, err := client.AdmissionregistrationV1beta1().ValidatingAdmissionPolicies().Create(ctx, policy, metav1.CreateOptions{}) framework.ExpectNoError(err, "create policy") ginkgo.DeferCleanup(func(ctx context.Context, name string) error { - return client.AdmissionregistrationV1alpha1().ValidatingAdmissionPolicies().Delete(ctx, name, metav1.DeleteOptions{}) + return client.AdmissionregistrationV1beta1().ValidatingAdmissionPolicies().Delete(ctx, name, metav1.DeleteOptions{}) }, policy.Name) binding := createBinding(f.UniqueName+".binding.example.com", f.UniqueName, policy.Name) - binding, err = client.AdmissionregistrationV1alpha1().ValidatingAdmissionPolicyBindings().Create(ctx, binding, metav1.CreateOptions{}) + binding, err = client.AdmissionregistrationV1beta1().ValidatingAdmissionPolicyBindings().Create(ctx, binding, metav1.CreateOptions{}) framework.ExpectNoError(err, "create policy binding") ginkgo.DeferCleanup(func(ctx context.Context, name string) error { - return client.AdmissionregistrationV1alpha1().ValidatingAdmissionPolicyBindings().Delete(ctx, name, metav1.DeleteOptions{}) + return client.AdmissionregistrationV1beta1().ValidatingAdmissionPolicyBindings().Delete(ctx, name, metav1.DeleteOptions{}) }, binding.Name) }) ginkgo.By("waiting until the marker is denied", func() { @@ -119,27 +119,27 @@ var _ = SIGDescribe("ValidatingAdmissionPolicy [Privileged:ClusterAdmin][Alpha][ }) ginkgo.It("should type check validation expressions", func(ctx context.Context) { - var policy *admissionregistrationv1alpha1.ValidatingAdmissionPolicy + var policy *admissionregistrationv1beta1.ValidatingAdmissionPolicy ginkgo.By("creating the policy with correct types", func() { policy = newValidatingAdmissionPolicyBuilder(f.UniqueName+".correct-policy.example.com"). MatchUniqueNamespace(f.UniqueName). StartResourceRule(). MatchResource([]string{"apps"}, []string{"v1"}, []string{"deployments"}). EndResourceRule(). - WithValidation(admissionregistrationv1alpha1.Validation{ + WithValidation(admissionregistrationv1beta1.Validation{ Expression: "object.spec.replicas > 1", }). Build() var err error - policy, err = client.AdmissionregistrationV1alpha1().ValidatingAdmissionPolicies().Create(ctx, policy, metav1.CreateOptions{}) + policy, err = client.AdmissionregistrationV1beta1().ValidatingAdmissionPolicies().Create(ctx, policy, metav1.CreateOptions{}) framework.ExpectNoError(err, "create policy") ginkgo.DeferCleanup(func(ctx context.Context, name string) error { - return client.AdmissionregistrationV1alpha1().ValidatingAdmissionPolicies().Delete(ctx, name, metav1.DeleteOptions{}) + return client.AdmissionregistrationV1beta1().ValidatingAdmissionPolicies().Delete(ctx, name, metav1.DeleteOptions{}) }, policy.Name) }) ginkgo.By("waiting for the type check to finish without any warnings", func() { err := wait.PollUntilContextCancel(ctx, 100*time.Millisecond, true, func(ctx context.Context) (done bool, err error) { - policy, err = client.AdmissionregistrationV1alpha1().ValidatingAdmissionPolicies().Get(ctx, policy.Name, metav1.GetOptions{}) + policy, err = client.AdmissionregistrationV1beta1().ValidatingAdmissionPolicies().Get(ctx, policy.Name, metav1.GetOptions{}) if err != nil { return false, err } @@ -157,21 +157,21 @@ var _ = SIGDescribe("ValidatingAdmissionPolicy [Privileged:ClusterAdmin][Alpha][ StartResourceRule(). MatchResource([]string{"apps"}, []string{"v1"}, []string{"deployments"}). EndResourceRule(). - WithValidation(admissionregistrationv1alpha1.Validation{ + WithValidation(admissionregistrationv1beta1.Validation{ Expression: "object.spec.replicas > '1'", // confusion: int > string MessageExpression: "'wants replicas > 1, got ' + object.spec.replicas", // confusion: string + int }). Build() var err error - policy, err = client.AdmissionregistrationV1alpha1().ValidatingAdmissionPolicies().Create(ctx, policy, metav1.CreateOptions{}) + policy, err = client.AdmissionregistrationV1beta1().ValidatingAdmissionPolicies().Create(ctx, policy, metav1.CreateOptions{}) framework.ExpectNoError(err, "create policy") ginkgo.DeferCleanup(func(ctx context.Context, name string) error { - return client.AdmissionregistrationV1alpha1().ValidatingAdmissionPolicies().Delete(ctx, name, metav1.DeleteOptions{}) + return client.AdmissionregistrationV1beta1().ValidatingAdmissionPolicies().Delete(ctx, name, metav1.DeleteOptions{}) }, policy.Name) }) ginkgo.By("waiting for the type check to finish with warnings", func() { err := wait.PollUntilContextCancel(ctx, 100*time.Millisecond, true, func(ctx context.Context) (done bool, err error) { - policy, err = client.AdmissionregistrationV1alpha1().ValidatingAdmissionPolicies().Get(ctx, policy.Name, metav1.GetOptions{}) + policy, err = client.AdmissionregistrationV1beta1().ValidatingAdmissionPolicies().Get(ctx, policy.Name, metav1.GetOptions{}) if err != nil { return false, err } @@ -200,28 +200,28 @@ var _ = SIGDescribe("ValidatingAdmissionPolicy [Privileged:ClusterAdmin][Alpha][ StartResourceRule(). MatchResource([]string{"apps"}, []string{"v1"}, []string{"deployments"}). EndResourceRule(). - WithVariable(admissionregistrationv1alpha1.Variable{ + WithVariable(admissionregistrationv1beta1.Variable{ Name: "replicas", Expression: "object.spec.replicas", }). - WithVariable(admissionregistrationv1alpha1.Variable{ + WithVariable(admissionregistrationv1beta1.Variable{ Name: "replicasReminder", // a bit artificial but good for testing purpose Expression: "variables.replicas % 2", }). - WithValidation(admissionregistrationv1alpha1.Validation{ + WithValidation(admissionregistrationv1beta1.Validation{ Expression: "variables.replicas > 1 && variables.replicasReminder == 1", }). Build() - policy, err := client.AdmissionregistrationV1alpha1().ValidatingAdmissionPolicies().Create(ctx, policy, metav1.CreateOptions{}) + policy, err := client.AdmissionregistrationV1beta1().ValidatingAdmissionPolicies().Create(ctx, policy, metav1.CreateOptions{}) framework.ExpectNoError(err, "create policy") ginkgo.DeferCleanup(func(ctx context.Context, name string) error { - return client.AdmissionregistrationV1alpha1().ValidatingAdmissionPolicies().Delete(ctx, name, metav1.DeleteOptions{}) + return client.AdmissionregistrationV1beta1().ValidatingAdmissionPolicies().Delete(ctx, name, metav1.DeleteOptions{}) }, policy.Name) binding := createBinding(f.UniqueName+".binding.example.com", f.UniqueName, policy.Name) - binding, err = client.AdmissionregistrationV1alpha1().ValidatingAdmissionPolicyBindings().Create(ctx, binding, metav1.CreateOptions{}) + binding, err = client.AdmissionregistrationV1beta1().ValidatingAdmissionPolicyBindings().Create(ctx, binding, metav1.CreateOptions{}) framework.ExpectNoError(err, "create policy binding") ginkgo.DeferCleanup(func(ctx context.Context, name string) error { - return client.AdmissionregistrationV1alpha1().ValidatingAdmissionPolicyBindings().Delete(ctx, name, metav1.DeleteOptions{}) + return client.AdmissionregistrationV1beta1().ValidatingAdmissionPolicyBindings().Delete(ctx, name, metav1.DeleteOptions{}) }, binding.Name) }) ginkgo.By("waiting until the marker is denied", func() { @@ -254,17 +254,17 @@ var _ = SIGDescribe("ValidatingAdmissionPolicy [Privileged:ClusterAdmin][Alpha][ }) }) -func createBinding(bindingName string, uniqueLabel string, policyName string) *admissionregistrationv1alpha1.ValidatingAdmissionPolicyBinding { - return &admissionregistrationv1alpha1.ValidatingAdmissionPolicyBinding{ +func createBinding(bindingName string, uniqueLabel string, policyName string) *admissionregistrationv1beta1.ValidatingAdmissionPolicyBinding { + return &admissionregistrationv1beta1.ValidatingAdmissionPolicyBinding{ ObjectMeta: metav1.ObjectMeta{Name: bindingName}, - Spec: admissionregistrationv1alpha1.ValidatingAdmissionPolicyBindingSpec{ + Spec: admissionregistrationv1beta1.ValidatingAdmissionPolicyBindingSpec{ PolicyName: policyName, - MatchResources: &admissionregistrationv1alpha1.MatchResources{ + MatchResources: &admissionregistrationv1beta1.MatchResources{ NamespaceSelector: &metav1.LabelSelector{ MatchLabels: map[string]string{uniqueLabel: "true"}, }, }, - ValidationActions: []admissionregistrationv1alpha1.ValidationAction{admissionregistrationv1alpha1.Deny}, + ValidationActions: []admissionregistrationv1beta1.ValidationAction{admissionregistrationv1beta1.Deny}, }, } } @@ -324,17 +324,17 @@ func basicReplicaSet(name string, replicas int32) *appsv1.ReplicaSet { } type validatingAdmissionPolicyBuilder struct { - policy *admissionregistrationv1alpha1.ValidatingAdmissionPolicy + policy *admissionregistrationv1beta1.ValidatingAdmissionPolicy } type resourceRuleBuilder struct { policyBuilder *validatingAdmissionPolicyBuilder - resourceRule *admissionregistrationv1alpha1.NamedRuleWithOperations + resourceRule *admissionregistrationv1beta1.NamedRuleWithOperations } func newValidatingAdmissionPolicyBuilder(policyName string) *validatingAdmissionPolicyBuilder { return &validatingAdmissionPolicyBuilder{ - policy: &admissionregistrationv1alpha1.ValidatingAdmissionPolicy{ + policy: &admissionregistrationv1beta1.ValidatingAdmissionPolicy{ ObjectMeta: metav1.ObjectMeta{Name: policyName}, }, } @@ -342,7 +342,7 @@ func newValidatingAdmissionPolicyBuilder(policyName string) *validatingAdmission func (b *validatingAdmissionPolicyBuilder) MatchUniqueNamespace(uniqueLabel string) *validatingAdmissionPolicyBuilder { if b.policy.Spec.MatchConstraints == nil { - b.policy.Spec.MatchConstraints = &admissionregistrationv1alpha1.MatchResources{} + b.policy.Spec.MatchConstraints = &admissionregistrationv1beta1.MatchResources{} } b.policy.Spec.MatchConstraints.NamespaceSelector = &metav1.LabelSelector{ MatchLabels: map[string]string{ @@ -355,10 +355,10 @@ func (b *validatingAdmissionPolicyBuilder) MatchUniqueNamespace(uniqueLabel stri func (b *validatingAdmissionPolicyBuilder) StartResourceRule() *resourceRuleBuilder { return &resourceRuleBuilder{ policyBuilder: b, - resourceRule: &admissionregistrationv1alpha1.NamedRuleWithOperations{ - RuleWithOperations: admissionregistrationv1alpha1.RuleWithOperations{ + resourceRule: &admissionregistrationv1beta1.NamedRuleWithOperations{ + RuleWithOperations: admissionregistrationv1beta1.RuleWithOperations{ Operations: []admissionregistrationv1.OperationType{admissionregistrationv1.Create, admissionregistrationv1.Update}, - Rule: admissionregistrationv1alpha1.Rule{ + Rule: admissionregistrationv1beta1.Rule{ APIGroups: []string{"apps"}, APIVersions: []string{"v1"}, Resources: []string{"deployments"}, @@ -374,7 +374,7 @@ func (rb *resourceRuleBuilder) CreateAndUpdate() *resourceRuleBuilder { } func (rb *resourceRuleBuilder) MatchResource(groups []string, versions []string, resources []string) *resourceRuleBuilder { - rb.resourceRule.Rule = admissionregistrationv1alpha1.Rule{ + rb.resourceRule.Rule = admissionregistrationv1beta1.Rule{ APIGroups: groups, APIVersions: versions, Resources: resources, @@ -385,22 +385,22 @@ func (rb *resourceRuleBuilder) MatchResource(groups []string, versions []string, func (rb *resourceRuleBuilder) EndResourceRule() *validatingAdmissionPolicyBuilder { b := rb.policyBuilder if b.policy.Spec.MatchConstraints == nil { - b.policy.Spec.MatchConstraints = &admissionregistrationv1alpha1.MatchResources{} + b.policy.Spec.MatchConstraints = &admissionregistrationv1beta1.MatchResources{} } b.policy.Spec.MatchConstraints.ResourceRules = append(b.policy.Spec.MatchConstraints.ResourceRules, *rb.resourceRule) return b } -func (b *validatingAdmissionPolicyBuilder) WithValidation(validation admissionregistrationv1alpha1.Validation) *validatingAdmissionPolicyBuilder { +func (b *validatingAdmissionPolicyBuilder) WithValidation(validation admissionregistrationv1beta1.Validation) *validatingAdmissionPolicyBuilder { b.policy.Spec.Validations = append(b.policy.Spec.Validations, validation) return b } -func (b *validatingAdmissionPolicyBuilder) WithVariable(variable admissionregistrationv1alpha1.Variable) *validatingAdmissionPolicyBuilder { +func (b *validatingAdmissionPolicyBuilder) WithVariable(variable admissionregistrationv1beta1.Variable) *validatingAdmissionPolicyBuilder { b.policy.Spec.Variables = append(b.policy.Spec.Variables, variable) return b } -func (b *validatingAdmissionPolicyBuilder) Build() *admissionregistrationv1alpha1.ValidatingAdmissionPolicy { +func (b *validatingAdmissionPolicyBuilder) Build() *admissionregistrationv1beta1.ValidatingAdmissionPolicy { return b.policy } diff --git a/test/integration/apiserver/cel/validatingadmissionpolicy_test.go b/test/integration/apiserver/cel/validatingadmissionpolicy_test.go index fffc3df8a4b..0be54688f76 100644 --- a/test/integration/apiserver/cel/validatingadmissionpolicy_test.go +++ b/test/integration/apiserver/cel/validatingadmissionpolicy_test.go @@ -59,7 +59,7 @@ import ( clientset "k8s.io/client-go/kubernetes" admissionregistrationv1 "k8s.io/api/admissionregistration/v1" - admissionregistrationv1alpha1 "k8s.io/api/admissionregistration/v1alpha1" + admissionregistrationv1beta1 "k8s.io/api/admissionregistration/v1beta1" authorizationv1 "k8s.io/api/authorization/v1" v1 "k8s.io/api/core/v1" rbacv1 "k8s.io/api/rbac/v1" @@ -71,19 +71,19 @@ func Test_ValidateNamespace_NoParams(t *testing.T) { testcases := []struct { name string - policy *admissionregistrationv1alpha1.ValidatingAdmissionPolicy - policyBinding *admissionregistrationv1alpha1.ValidatingAdmissionPolicyBinding + policy *admissionregistrationv1beta1.ValidatingAdmissionPolicy + policyBinding *admissionregistrationv1beta1.ValidatingAdmissionPolicyBinding namespace *v1.Namespace err string failureReason metav1.StatusReason }{ { name: "namespace name contains suffix enforced by validating admission policy, using object metadata fields", - policy: withValidations([]admissionregistrationv1alpha1.Validation{ + policy: withValidations([]admissionregistrationv1beta1.Validation{ { Expression: "object.metadata.name.endsWith('k8s')", }, - }, withFailurePolicy(admissionregistrationv1alpha1.Fail, withNamespaceMatch(makePolicy("validate-namespace-suffix")))), + }, withFailurePolicy(admissionregistrationv1beta1.Fail, withNamespaceMatch(makePolicy("validate-namespace-suffix")))), policyBinding: makeBinding("validate-namespace-suffix-binding", "validate-namespace-suffix", ""), namespace: &v1.Namespace{ ObjectMeta: metav1.ObjectMeta{ @@ -94,11 +94,11 @@ func Test_ValidateNamespace_NoParams(t *testing.T) { }, { name: "namespace name does NOT contain suffix enforced by validating admission policyusing, object metadata fields", - policy: withValidations([]admissionregistrationv1alpha1.Validation{ + policy: withValidations([]admissionregistrationv1beta1.Validation{ { Expression: "object.metadata.name.endsWith('k8s')", }, - }, withFailurePolicy(admissionregistrationv1alpha1.Fail, withNamespaceMatch(makePolicy("validate-namespace-suffix")))), + }, withFailurePolicy(admissionregistrationv1beta1.Fail, withNamespaceMatch(makePolicy("validate-namespace-suffix")))), policyBinding: makeBinding("validate-namespace-suffix-binding", "validate-namespace-suffix", ""), namespace: &v1.Namespace{ ObjectMeta: metav1.ObjectMeta{ @@ -110,12 +110,12 @@ func Test_ValidateNamespace_NoParams(t *testing.T) { }, { name: "namespace name does NOT contain suffix enforced by validating admission policy using object metadata fields, AND validating expression returns StatusReasonForbidden", - policy: withValidations([]admissionregistrationv1alpha1.Validation{ + policy: withValidations([]admissionregistrationv1beta1.Validation{ { Expression: "object.metadata.name.endsWith('k8s')", Reason: &forbiddenReason, }, - }, withFailurePolicy(admissionregistrationv1alpha1.Fail, withNamespaceMatch(makePolicy("validate-namespace-suffix")))), + }, withFailurePolicy(admissionregistrationv1beta1.Fail, withNamespaceMatch(makePolicy("validate-namespace-suffix")))), policyBinding: makeBinding("validate-namespace-suffix-binding", "validate-namespace-suffix", ""), namespace: &v1.Namespace{ ObjectMeta: metav1.ObjectMeta{ @@ -127,11 +127,11 @@ func Test_ValidateNamespace_NoParams(t *testing.T) { }, { name: "namespace name contains suffix enforced by validating admission policy, using request field", - policy: withValidations([]admissionregistrationv1alpha1.Validation{ + policy: withValidations([]admissionregistrationv1beta1.Validation{ { Expression: "request.name.endsWith('k8s')", }, - }, withFailurePolicy(admissionregistrationv1alpha1.Fail, withNamespaceMatch(makePolicy("validate-namespace-suffix")))), + }, withFailurePolicy(admissionregistrationv1beta1.Fail, withNamespaceMatch(makePolicy("validate-namespace-suffix")))), policyBinding: makeBinding("validate-namespace-suffix-binding", "validate-namespace-suffix", ""), namespace: &v1.Namespace{ ObjectMeta: metav1.ObjectMeta{ @@ -142,11 +142,11 @@ func Test_ValidateNamespace_NoParams(t *testing.T) { }, { name: "namespace name does NOT contains suffix enforced by validating admission policy, using request field", - policy: withValidations([]admissionregistrationv1alpha1.Validation{ + policy: withValidations([]admissionregistrationv1beta1.Validation{ { Expression: "request.name.endsWith('k8s')", }, - }, withFailurePolicy(admissionregistrationv1alpha1.Fail, withNamespaceMatch(makePolicy("validate-namespace-suffix")))), + }, withFailurePolicy(admissionregistrationv1beta1.Fail, withNamespaceMatch(makePolicy("validate-namespace-suffix")))), policyBinding: makeBinding("validate-namespace-suffix-binding", "validate-namespace-suffix", ""), namespace: &v1.Namespace{ ObjectMeta: metav1.ObjectMeta{ @@ -157,11 +157,11 @@ func Test_ValidateNamespace_NoParams(t *testing.T) { }, { name: "runtime error when validating namespace, but failurePolicy=Ignore", - policy: withValidations([]admissionregistrationv1alpha1.Validation{ + policy: withValidations([]admissionregistrationv1beta1.Validation{ { Expression: "object.nonExistentProperty == 'someval'", }, - }, withFailurePolicy(admissionregistrationv1alpha1.Ignore, withNamespaceMatch(makePolicy("validate-namespace-suffix")))), + }, withFailurePolicy(admissionregistrationv1beta1.Ignore, withNamespaceMatch(makePolicy("validate-namespace-suffix")))), policyBinding: makeBinding("validate-namespace-suffix-binding", "validate-namespace-suffix", ""), namespace: &v1.Namespace{ ObjectMeta: metav1.ObjectMeta{ @@ -172,11 +172,11 @@ func Test_ValidateNamespace_NoParams(t *testing.T) { }, { name: "runtime error when validating namespace, but failurePolicy=Fail", - policy: withValidations([]admissionregistrationv1alpha1.Validation{ + policy: withValidations([]admissionregistrationv1beta1.Validation{ { Expression: "object.nonExistentProperty == 'someval'", }, - }, withFailurePolicy(admissionregistrationv1alpha1.Fail, withNamespaceMatch(makePolicy("validate-namespace-suffix")))), + }, withFailurePolicy(admissionregistrationv1beta1.Fail, withNamespaceMatch(makePolicy("validate-namespace-suffix")))), policyBinding: makeBinding("validate-namespace-suffix-binding", "validate-namespace-suffix", ""), namespace: &v1.Namespace{ ObjectMeta: metav1.ObjectMeta{ @@ -188,11 +188,11 @@ func Test_ValidateNamespace_NoParams(t *testing.T) { }, { name: "runtime error due to unguarded params", - policy: withValidations([]admissionregistrationv1alpha1.Validation{ + policy: withValidations([]admissionregistrationv1beta1.Validation{ { Expression: "object.metadata.name.startsWith(params.metadata.name)", }, - }, withParams(configParamKind(), withFailurePolicy(admissionregistrationv1alpha1.Fail, withNamespaceMatch(makePolicy("validate-namespace-suffix"))))), + }, withParams(configParamKind(), withFailurePolicy(admissionregistrationv1beta1.Fail, withNamespaceMatch(makePolicy("validate-namespace-suffix"))))), policyBinding: makeBinding("validate-namespace-suffix-binding", "validate-namespace-suffix", ""), namespace: &v1.Namespace{ ObjectMeta: metav1.ObjectMeta{ @@ -204,11 +204,11 @@ func Test_ValidateNamespace_NoParams(t *testing.T) { }, { name: "with check against unguarded params using has()", - policy: withValidations([]admissionregistrationv1alpha1.Validation{ + policy: withValidations([]admissionregistrationv1beta1.Validation{ { Expression: "has(params.metadata) && has(params.metadata.name) && object.metadata.name.endsWith(params.metadata.name)", }, - }, withParams(configParamKind(), withFailurePolicy(admissionregistrationv1alpha1.Fail, withNamespaceMatch(makePolicy("validate-namespace-suffix"))))), + }, withParams(configParamKind(), withFailurePolicy(admissionregistrationv1beta1.Fail, withNamespaceMatch(makePolicy("validate-namespace-suffix"))))), policyBinding: makeBinding("validate-namespace-suffix-binding", "validate-namespace-suffix", ""), namespace: &v1.Namespace{ ObjectMeta: metav1.ObjectMeta{ @@ -220,11 +220,11 @@ func Test_ValidateNamespace_NoParams(t *testing.T) { }, { name: "with check against null params", - policy: withValidations([]admissionregistrationv1alpha1.Validation{ + policy: withValidations([]admissionregistrationv1beta1.Validation{ { Expression: "(params != null && object.metadata.name.endsWith(params.metadata.name))", }, - }, withParams(configParamKind(), withFailurePolicy(admissionregistrationv1alpha1.Fail, withNamespaceMatch(makePolicy("validate-namespace-suffix"))))), + }, withParams(configParamKind(), withFailurePolicy(admissionregistrationv1beta1.Fail, withNamespaceMatch(makePolicy("validate-namespace-suffix"))))), policyBinding: makeBinding("validate-namespace-suffix-binding", "validate-namespace-suffix", ""), namespace: &v1.Namespace{ ObjectMeta: metav1.ObjectMeta{ @@ -236,11 +236,11 @@ func Test_ValidateNamespace_NoParams(t *testing.T) { }, { name: "with check against unguarded params using has() and default check", - policy: withValidations([]admissionregistrationv1alpha1.Validation{ + policy: withValidations([]admissionregistrationv1beta1.Validation{ { Expression: "(has(params.metadata) && has(params.metadata.name) && object.metadata.name.startsWith(params.metadata.name)) || object.metadata.name.endsWith('k8s')", }, - }, withParams(configParamKind(), withFailurePolicy(admissionregistrationv1alpha1.Fail, withNamespaceMatch(makePolicy("validate-namespace-suffix"))))), + }, withParams(configParamKind(), withFailurePolicy(admissionregistrationv1beta1.Fail, withNamespaceMatch(makePolicy("validate-namespace-suffix"))))), policyBinding: makeBinding("validate-namespace-suffix-binding", "validate-namespace-suffix", ""), namespace: &v1.Namespace{ ObjectMeta: metav1.ObjectMeta{ @@ -251,11 +251,11 @@ func Test_ValidateNamespace_NoParams(t *testing.T) { }, { name: "with check against null params and default check", - policy: withValidations([]admissionregistrationv1alpha1.Validation{ + policy: withValidations([]admissionregistrationv1beta1.Validation{ { Expression: "(params != null && object.metadata.name.startsWith(params.metadata.name)) || object.metadata.name.endsWith('k8s')", }, - }, withParams(configParamKind(), withFailurePolicy(admissionregistrationv1alpha1.Fail, withNamespaceMatch(makePolicy("validate-namespace-suffix"))))), + }, withParams(configParamKind(), withFailurePolicy(admissionregistrationv1beta1.Fail, withNamespaceMatch(makePolicy("validate-namespace-suffix"))))), policyBinding: makeBinding("validate-namespace-suffix-binding", "validate-namespace-suffix", ""), namespace: &v1.Namespace{ ObjectMeta: metav1.ObjectMeta{ @@ -266,11 +266,11 @@ func Test_ValidateNamespace_NoParams(t *testing.T) { }, { name: "with check against namespaceObject", - policy: withValidations([]admissionregistrationv1alpha1.Validation{ + policy: withValidations([]admissionregistrationv1beta1.Validation{ { Expression: "namespaceObject == null", // because namespace itself is cluster-scoped. }, - }, withParams(configParamKind(), withFailurePolicy(admissionregistrationv1alpha1.Fail, withNamespaceMatch(makePolicy("validate-namespace-suffix"))))), + }, withParams(configParamKind(), withFailurePolicy(admissionregistrationv1beta1.Fail, withNamespaceMatch(makePolicy("validate-namespace-suffix"))))), policyBinding: makeBinding("validate-namespace-suffix-binding", "validate-namespace-suffix", ""), namespace: &v1.Namespace{ ObjectMeta: metav1.ObjectMeta{ @@ -299,7 +299,7 @@ func Test_ValidateNamespace_NoParams(t *testing.T) { t.Fatal(err) } policy := withWaitReadyConstraintAndExpression(testcase.policy) - if _, err := client.AdmissionregistrationV1alpha1().ValidatingAdmissionPolicies().Create(context.TODO(), policy, metav1.CreateOptions{}); err != nil { + if _, err := client.AdmissionregistrationV1beta1().ValidatingAdmissionPolicies().Create(context.TODO(), policy, metav1.CreateOptions{}); err != nil { t.Fatal(err) } if err := createAndWaitReady(t, client, testcase.policyBinding, nil); err != nil { @@ -316,8 +316,8 @@ func Test_ValidateNamespace_NoParams(t *testing.T) { func Test_ValidateAnnotationsAndWarnings(t *testing.T) { testcases := []struct { name string - policy *admissionregistrationv1alpha1.ValidatingAdmissionPolicy - policyBinding *admissionregistrationv1alpha1.ValidatingAdmissionPolicyBinding + policy *admissionregistrationv1beta1.ValidatingAdmissionPolicy + policyBinding *admissionregistrationv1beta1.ValidatingAdmissionPolicyBinding object *v1.ConfigMap err string failureReason metav1.StatusReason @@ -326,7 +326,7 @@ func Test_ValidateAnnotationsAndWarnings(t *testing.T) { }{ { name: "with audit annotations", - policy: withAuditAnnotations([]admissionregistrationv1alpha1.AuditAnnotation{ + policy: withAuditAnnotations([]admissionregistrationv1beta1.AuditAnnotation{ { Key: "example-key", ValueExpression: "'object name: ' + object.metadata.name", @@ -335,7 +335,7 @@ func Test_ValidateAnnotationsAndWarnings(t *testing.T) { Key: "exclude-key", ValueExpression: "null", }, - }, withParams(configParamKind(), withFailurePolicy(admissionregistrationv1alpha1.Fail, withConfigMapMatch(makePolicy("validate-audit-annotations"))))), + }, withParams(configParamKind(), withFailurePolicy(admissionregistrationv1beta1.Fail, withConfigMapMatch(makePolicy("validate-audit-annotations"))))), policyBinding: makeBinding("validate-audit-annotations-binding", "validate-audit-annotations", ""), object: &v1.ConfigMap{ ObjectMeta: metav1.ObjectMeta{ @@ -349,12 +349,12 @@ func Test_ValidateAnnotationsAndWarnings(t *testing.T) { }, { name: "with audit annotations with invalid expression", - policy: withAuditAnnotations([]admissionregistrationv1alpha1.AuditAnnotation{ + policy: withAuditAnnotations([]admissionregistrationv1beta1.AuditAnnotation{ { Key: "example-key", ValueExpression: "string(params.metadata.name)", // runtime error, params is null }, - }, withParams(configParamKind(), withFailurePolicy(admissionregistrationv1alpha1.Fail, withConfigMapMatch(makePolicy("validate-audit-annotations-invalid"))))), + }, withParams(configParamKind(), withFailurePolicy(admissionregistrationv1beta1.Fail, withConfigMapMatch(makePolicy("validate-audit-annotations-invalid"))))), policyBinding: makeBinding("validate-audit-annotations-invalid-binding", "validate-audit-annotations-invalid", ""), object: &v1.ConfigMap{ ObjectMeta: metav1.ObjectMeta{ @@ -366,12 +366,12 @@ func Test_ValidateAnnotationsAndWarnings(t *testing.T) { }, { name: "with audit annotations with invalid expression and ignore failure policy", - policy: withAuditAnnotations([]admissionregistrationv1alpha1.AuditAnnotation{ + policy: withAuditAnnotations([]admissionregistrationv1beta1.AuditAnnotation{ { Key: "example-key", ValueExpression: "string(params.metadata.name)", // runtime error, params is null }, - }, withParams(configParamKind(), withFailurePolicy(admissionregistrationv1alpha1.Ignore, withConfigMapMatch(makePolicy("validate-audit-annotations-invalid-ignore"))))), + }, withParams(configParamKind(), withFailurePolicy(admissionregistrationv1beta1.Ignore, withConfigMapMatch(makePolicy("validate-audit-annotations-invalid-ignore"))))), policyBinding: makeBinding("validate-audit-annotations-invalid-ignore-binding", "validate-audit-annotations-invalid-ignore", ""), object: &v1.ConfigMap{ ObjectMeta: metav1.ObjectMeta{ @@ -382,12 +382,12 @@ func Test_ValidateAnnotationsAndWarnings(t *testing.T) { }, { name: "with warn validationActions", - policy: withValidations([]admissionregistrationv1alpha1.Validation{ + policy: withValidations([]admissionregistrationv1beta1.Validation{ { Expression: "object.metadata.name.endsWith('k8s')", }, - }, withParams(configParamKind(), withFailurePolicy(admissionregistrationv1alpha1.Fail, withConfigMapMatch(makePolicy("validate-actions-warn"))))), - policyBinding: withValidationActions([]admissionregistrationv1alpha1.ValidationAction{admissionregistrationv1alpha1.Warn}, makeBinding("validate-actions-warn-binding", "validate-actions-warn", "")), + }, withParams(configParamKind(), withFailurePolicy(admissionregistrationv1beta1.Fail, withConfigMapMatch(makePolicy("validate-actions-warn"))))), + policyBinding: withValidationActions([]admissionregistrationv1beta1.ValidationAction{admissionregistrationv1beta1.Warn}, makeBinding("validate-actions-warn-binding", "validate-actions-warn", "")), object: &v1.ConfigMap{ ObjectMeta: metav1.ObjectMeta{ Name: "test4-nope", @@ -397,12 +397,12 @@ func Test_ValidateAnnotationsAndWarnings(t *testing.T) { }, { name: "with audit validationActions", - policy: withValidations([]admissionregistrationv1alpha1.Validation{ + policy: withValidations([]admissionregistrationv1beta1.Validation{ { Expression: "object.metadata.name.endsWith('k8s')", }, - }, withParams(configParamKind(), withFailurePolicy(admissionregistrationv1alpha1.Fail, withConfigMapMatch(makePolicy("validate-actions-audit"))))), - policyBinding: withValidationActions([]admissionregistrationv1alpha1.ValidationAction{admissionregistrationv1alpha1.Deny, admissionregistrationv1alpha1.Audit}, makeBinding("validate-actions-audit-binding", "validate-actions-audit", "")), + }, withParams(configParamKind(), withFailurePolicy(admissionregistrationv1beta1.Fail, withConfigMapMatch(makePolicy("validate-actions-audit"))))), + policyBinding: withValidationActions([]admissionregistrationv1beta1.ValidationAction{admissionregistrationv1beta1.Deny, admissionregistrationv1beta1.Audit}, makeBinding("validate-actions-audit-binding", "validate-actions-audit", "")), object: &v1.ConfigMap{ ObjectMeta: metav1.ObjectMeta{ Name: "test5-nope", @@ -469,7 +469,7 @@ func Test_ValidateAnnotationsAndWarnings(t *testing.T) { } policy := withWaitReadyConstraintAndExpression(testcase.policy) - if _, err := client.AdmissionregistrationV1alpha1().ValidatingAdmissionPolicies().Create(context.TODO(), policy, metav1.CreateOptions{}); err != nil { + if _, err := client.AdmissionregistrationV1beta1().ValidatingAdmissionPolicies().Create(context.TODO(), policy, metav1.CreateOptions{}); err != nil { t.Fatal(err) } @@ -503,8 +503,8 @@ func Test_ValidateAnnotationsAndWarnings(t *testing.T) { func Test_ValidateNamespace_WithConfigMapParams(t *testing.T) { testcases := []struct { name string - policy *admissionregistrationv1alpha1.ValidatingAdmissionPolicy - policyBinding *admissionregistrationv1alpha1.ValidatingAdmissionPolicyBinding + policy *admissionregistrationv1beta1.ValidatingAdmissionPolicy + policyBinding *admissionregistrationv1beta1.ValidatingAdmissionPolicyBinding configMap *v1.ConfigMap namespace *v1.Namespace err string @@ -512,11 +512,11 @@ func Test_ValidateNamespace_WithConfigMapParams(t *testing.T) { }{ { name: "namespace name contains suffix enforced by validating admission policy", - policy: withValidations([]admissionregistrationv1alpha1.Validation{ + policy: withValidations([]admissionregistrationv1beta1.Validation{ { Expression: "object.metadata.name.endsWith(params.data.namespaceSuffix)", }, - }, withFailurePolicy(admissionregistrationv1alpha1.Fail, withParams(configParamKind(), withNamespaceMatch(makePolicy("validate-namespace-suffix"))))), + }, withFailurePolicy(admissionregistrationv1beta1.Fail, withParams(configParamKind(), withNamespaceMatch(makePolicy("validate-namespace-suffix"))))), policyBinding: makeBinding("validate-namespace-suffix-binding", "validate-namespace-suffix", "validate-namespace-suffix-param"), configMap: makeConfigParams("validate-namespace-suffix-param", map[string]string{ "namespaceSuffix": "k8s", @@ -530,11 +530,11 @@ func Test_ValidateNamespace_WithConfigMapParams(t *testing.T) { }, { name: "namespace name does NOT contain suffix enforced by validating admission policy", - policy: withValidations([]admissionregistrationv1alpha1.Validation{ + policy: withValidations([]admissionregistrationv1beta1.Validation{ { Expression: "object.metadata.name.endsWith(params.data.namespaceSuffix)", }, - }, withFailurePolicy(admissionregistrationv1alpha1.Fail, withParams(configParamKind(), withNamespaceMatch(makePolicy("validate-namespace-suffix"))))), + }, withFailurePolicy(admissionregistrationv1beta1.Fail, withParams(configParamKind(), withNamespaceMatch(makePolicy("validate-namespace-suffix"))))), policyBinding: makeBinding("validate-namespace-suffix-binding", "validate-namespace-suffix", "validate-namespace-suffix-param"), configMap: makeConfigParams("validate-namespace-suffix-param", map[string]string{ "namespaceSuffix": "k8s", @@ -572,7 +572,7 @@ func Test_ValidateNamespace_WithConfigMapParams(t *testing.T) { } policy := withWaitReadyConstraintAndExpression(testcase.policy) - if _, err := client.AdmissionregistrationV1alpha1().ValidatingAdmissionPolicies().Create(context.TODO(), policy, metav1.CreateOptions{}); err != nil { + if _, err := client.AdmissionregistrationV1beta1().ValidatingAdmissionPolicies().Create(context.TODO(), policy, metav1.CreateOptions{}); err != nil { t.Fatal(err) } if err := createAndWaitReady(t, client, testcase.policyBinding, nil); err != nil { @@ -602,18 +602,18 @@ func TestMultiplePolicyBindings(t *testing.T) { t.Fatal(err) } - paramKind := &admissionregistrationv1alpha1.ParamKind{ + paramKind := &admissionregistrationv1beta1.ParamKind{ APIVersion: "v1", Kind: "ConfigMap", } - policy := withPolicyExistsLabels([]string{"paramIdent"}, withParams(paramKind, withPolicyMatch("secrets", withFailurePolicy(admissionregistrationv1alpha1.Fail, makePolicy("test-policy"))))) - policy.Spec.Validations = []admissionregistrationv1alpha1.Validation{ + policy := withPolicyExistsLabels([]string{"paramIdent"}, withParams(paramKind, withPolicyMatch("secrets", withFailurePolicy(admissionregistrationv1beta1.Fail, makePolicy("test-policy"))))) + policy.Spec.Validations = []admissionregistrationv1beta1.Validation{ { Expression: "params.data.autofail != 'true' && (params.data.conditional == 'false' || object.metadata.name.startsWith(params.data.check))", }, } policy = withWaitReadyConstraintAndExpression(policy) - if _, err := client.AdmissionregistrationV1alpha1().ValidatingAdmissionPolicies().Create(context.TODO(), policy, metav1.CreateOptions{}); err != nil { + if _, err := client.AdmissionregistrationV1beta1().ValidatingAdmissionPolicies().Create(context.TODO(), policy, metav1.CreateOptions{}); err != nil { t.Fatal(err) } @@ -732,10 +732,10 @@ func Test_PolicyExemption(t *testing.T) { } policy := makePolicy("test-policy") - policy.Spec.MatchConstraints = &admissionregistrationv1alpha1.MatchResources{ - ResourceRules: []admissionregistrationv1alpha1.NamedRuleWithOperations{ + policy.Spec.MatchConstraints = &admissionregistrationv1beta1.MatchResources{ + ResourceRules: []admissionregistrationv1beta1.NamedRuleWithOperations{ { - RuleWithOperations: admissionregistrationv1alpha1.RuleWithOperations{ + RuleWithOperations: admissionregistrationv1beta1.RuleWithOperations{ Operations: []admissionregistrationv1.OperationType{ "*", }, @@ -755,12 +755,12 @@ func Test_PolicyExemption(t *testing.T) { }, } - policy.Spec.Validations = []admissionregistrationv1alpha1.Validation{{ + policy.Spec.Validations = []admissionregistrationv1beta1.Validation{{ Expression: "false", Message: "marker denied; policy is ready", }} - policy, err = client.AdmissionregistrationV1alpha1().ValidatingAdmissionPolicies().Create(context.TODO(), policy, metav1.CreateOptions{}) + policy, err = client.AdmissionregistrationV1beta1().ValidatingAdmissionPolicies().Create(context.TODO(), policy, metav1.CreateOptions{}) if err != nil { t.Fatal(err) } @@ -771,18 +771,18 @@ func Test_PolicyExemption(t *testing.T) { } // validate that operations to ValidatingAdmissionPolicy are exempt from an existing policy that catches all resources - policy, err = client.AdmissionregistrationV1alpha1().ValidatingAdmissionPolicies().Get(context.TODO(), policy.Name, metav1.GetOptions{}) + policy, err = client.AdmissionregistrationV1beta1().ValidatingAdmissionPolicies().Get(context.TODO(), policy.Name, metav1.GetOptions{}) if err != nil { t.Fatal(err) } - ignoreFailurePolicy := admissionregistrationv1alpha1.Ignore + ignoreFailurePolicy := admissionregistrationv1beta1.Ignore policy.Spec.FailurePolicy = &ignoreFailurePolicy - _, err = client.AdmissionregistrationV1alpha1().ValidatingAdmissionPolicies().Update(context.TODO(), policy, metav1.UpdateOptions{}) + _, err = client.AdmissionregistrationV1beta1().ValidatingAdmissionPolicies().Update(context.TODO(), policy, metav1.UpdateOptions{}) if err != nil { t.Error(err) } - policyBinding, err = client.AdmissionregistrationV1alpha1().ValidatingAdmissionPolicyBindings().Get(context.TODO(), policyBinding.Name, metav1.GetOptions{}) + policyBinding, err = client.AdmissionregistrationV1beta1().ValidatingAdmissionPolicyBindings().Get(context.TODO(), policyBinding.Name, metav1.GetOptions{}) if err != nil { t.Fatal(err) } @@ -790,7 +790,7 @@ func Test_PolicyExemption(t *testing.T) { // validate that operations to ValidatingAdmissionPolicyBindings are exempt from an existing policy that catches all resources policyBindingCopy := policyBinding.DeepCopy() policyBindingCopy.Spec.PolicyName = "different-binding" - _, err = client.AdmissionregistrationV1alpha1().ValidatingAdmissionPolicyBindings().Update(context.TODO(), policyBindingCopy, metav1.UpdateOptions{}) + _, err = client.AdmissionregistrationV1beta1().ValidatingAdmissionPolicyBindings().Update(context.TODO(), policyBindingCopy, metav1.UpdateOptions{}) if err != nil { t.Error(err) } @@ -836,19 +836,19 @@ func Test_ValidatingAdmissionPolicy_UpdateParamKind(t *testing.T) { t.Fatal(err) } - paramKind := &admissionregistrationv1alpha1.ParamKind{ + paramKind := &admissionregistrationv1beta1.ParamKind{ APIVersion: "v1", Kind: "ConfigMap", } - policy := withValidations([]admissionregistrationv1alpha1.Validation{ + policy := withValidations([]admissionregistrationv1beta1.Validation{ { Expression: "object.metadata.name.startsWith(params.kind.lowerAscii())", Message: "wrong paramKind", }, - }, withParams(paramKind, withNamespaceMatch(withFailurePolicy(admissionregistrationv1alpha1.Fail, makePolicy("allowed-prefixes"))))) + }, withParams(paramKind, withNamespaceMatch(withFailurePolicy(admissionregistrationv1beta1.Fail, makePolicy("allowed-prefixes"))))) policy = withWaitReadyConstraintAndExpression(policy) - policy, err = client.AdmissionregistrationV1alpha1().ValidatingAdmissionPolicies().Create(context.TODO(), policy, metav1.CreateOptions{}) + policy, err = client.AdmissionregistrationV1beta1().ValidatingAdmissionPolicies().Create(context.TODO(), policy, metav1.CreateOptions{}) if err != nil { t.Fatal(err) } @@ -885,16 +885,16 @@ func Test_ValidatingAdmissionPolicy_UpdateParamKind(t *testing.T) { checkFailureReason(t, err, metav1.StatusReasonInvalid) // update the policy ParamKind to reference a Secret - paramKind = &admissionregistrationv1alpha1.ParamKind{ + paramKind = &admissionregistrationv1beta1.ParamKind{ APIVersion: "v1", Kind: "Secret", } - policy, err = client.AdmissionregistrationV1alpha1().ValidatingAdmissionPolicies().Get(context.TODO(), policy.Name, metav1.GetOptions{}) + policy, err = client.AdmissionregistrationV1beta1().ValidatingAdmissionPolicies().Get(context.TODO(), policy.Name, metav1.GetOptions{}) if err != nil { t.Error(err) } policy.Spec.ParamKind = paramKind - _, err = client.AdmissionregistrationV1alpha1().ValidatingAdmissionPolicies().Update(context.TODO(), policy, metav1.UpdateOptions{}) + _, err = client.AdmissionregistrationV1beta1().ValidatingAdmissionPolicies().Update(context.TODO(), policy, metav1.UpdateOptions{}) if err != nil { t.Error(err) } @@ -979,14 +979,14 @@ func Test_ValidatingAdmissionPolicy_UpdateParamRef(t *testing.T) { t.Fatal(err) } - policy := withValidations([]admissionregistrationv1alpha1.Validation{ + policy := withValidations([]admissionregistrationv1beta1.Validation{ { Expression: "object.metadata.name.startsWith(params.metadata.name)", Message: "wrong paramRef", }, - }, withParams(configParamKind(), withNamespaceMatch(withFailurePolicy(admissionregistrationv1alpha1.Fail, makePolicy("allowed-prefixes"))))) + }, withParams(configParamKind(), withNamespaceMatch(withFailurePolicy(admissionregistrationv1beta1.Fail, makePolicy("allowed-prefixes"))))) policy = withWaitReadyConstraintAndExpression(policy) - _, err = client.AdmissionregistrationV1alpha1().ValidatingAdmissionPolicies().Create(context.TODO(), policy, metav1.CreateOptions{}) + _, err = client.AdmissionregistrationV1beta1().ValidatingAdmissionPolicies().Create(context.TODO(), policy, metav1.CreateOptions{}) if err != nil { t.Fatal(err) } @@ -1034,17 +1034,19 @@ func Test_ValidatingAdmissionPolicy_UpdateParamRef(t *testing.T) { } // Update the paramRef in the policy binding to use the test-2 ConfigMap - policyBinding, err := client.AdmissionregistrationV1alpha1().ValidatingAdmissionPolicyBindings().Get(context.TODO(), allowedPrefixesBinding.Name, metav1.GetOptions{}) + policyBinding, err := client.AdmissionregistrationV1beta1().ValidatingAdmissionPolicyBindings().Get(context.TODO(), allowedPrefixesBinding.Name, metav1.GetOptions{}) if err != nil { t.Fatal(err) } + denyAction := admissionregistrationv1beta1.DenyAction policyBindingCopy := policyBinding.DeepCopy() - policyBindingCopy.Spec.ParamRef = &admissionregistrationv1alpha1.ParamRef{ - Name: "test-2", - Namespace: "default", + policyBindingCopy.Spec.ParamRef = &admissionregistrationv1beta1.ParamRef{ + Name: "test-2", + Namespace: "default", + ParameterNotFoundAction: &denyAction, } - _, err = client.AdmissionregistrationV1alpha1().ValidatingAdmissionPolicyBindings().Update(context.TODO(), policyBindingCopy, metav1.UpdateOptions{}) + _, err = client.AdmissionregistrationV1beta1().ValidatingAdmissionPolicyBindings().Update(context.TODO(), policyBindingCopy, metav1.UpdateOptions{}) if err != nil { t.Error(err) } @@ -1119,14 +1121,14 @@ func Test_ValidatingAdmissionPolicy_UpdateParamResource(t *testing.T) { t.Fatal(err) } - policy := withValidations([]admissionregistrationv1alpha1.Validation{ + policy := withValidations([]admissionregistrationv1beta1.Validation{ { Expression: "object.metadata.name.startsWith(params.data['prefix'])", Message: "wrong prefix", }, - }, withParams(configParamKind(), withNamespaceMatch(withFailurePolicy(admissionregistrationv1alpha1.Fail, makePolicy("allowed-prefixes"))))) + }, withParams(configParamKind(), withNamespaceMatch(withFailurePolicy(admissionregistrationv1beta1.Fail, makePolicy("allowed-prefixes"))))) policy = withWaitReadyConstraintAndExpression(policy) - _, err = client.AdmissionregistrationV1alpha1().ValidatingAdmissionPolicies().Create(context.TODO(), policy, metav1.CreateOptions{}) + _, err = client.AdmissionregistrationV1beta1().ValidatingAdmissionPolicies().Create(context.TODO(), policy, metav1.CreateOptions{}) if err != nil { t.Fatal(err) } @@ -1244,15 +1246,15 @@ func Test_ValidatingAdmissionPolicy_MatchByObjectSelector(t *testing.T) { }, } - policy := withValidations([]admissionregistrationv1alpha1.Validation{ + policy := withValidations([]admissionregistrationv1beta1.Validation{ { Expression: "false", Message: "matched by object selector!", }, - }, withConfigMapMatch(withFailurePolicy(admissionregistrationv1alpha1.Fail, makePolicy("match-by-object-selector")))) + }, withConfigMapMatch(withFailurePolicy(admissionregistrationv1beta1.Fail, makePolicy("match-by-object-selector")))) policy = withObjectSelector(labelSelector, policy) policy = withWaitReadyConstraintAndExpression(policy) - _, err = client.AdmissionregistrationV1alpha1().ValidatingAdmissionPolicies().Create(context.TODO(), policy, metav1.CreateOptions{}) + _, err = client.AdmissionregistrationV1beta1().ValidatingAdmissionPolicies().Create(context.TODO(), policy, metav1.CreateOptions{}) if err != nil { t.Fatal(err) } @@ -1317,21 +1319,21 @@ func Test_ValidatingAdmissionPolicy_MatchByNamespaceSelector(t *testing.T) { }, } - policy := withValidations([]admissionregistrationv1alpha1.Validation{ + policy := withValidations([]admissionregistrationv1beta1.Validation{ { Expression: "false", Message: "matched by namespace selector!", }, - }, withConfigMapMatch(withFailurePolicy(admissionregistrationv1alpha1.Fail, makePolicy("match-by-namespace-selector")))) + }, withConfigMapMatch(withFailurePolicy(admissionregistrationv1beta1.Fail, makePolicy("match-by-namespace-selector")))) policy = withNamespaceSelector(labelSelector, policy) policy = withWaitReadyConstraintAndExpression(policy) - _, err = client.AdmissionregistrationV1alpha1().ValidatingAdmissionPolicies().Create(context.TODO(), policy, metav1.CreateOptions{}) + _, err = client.AdmissionregistrationV1beta1().ValidatingAdmissionPolicies().Create(context.TODO(), policy, metav1.CreateOptions{}) if err != nil { t.Fatal(err) } policyBinding := makeBinding("match-by-namespace-selector-binding", "match-by-namespace-selector", "") - _, err = client.AdmissionregistrationV1alpha1().ValidatingAdmissionPolicyBindings().Create(context.TODO(), policyBinding, metav1.CreateOptions{}) + _, err = client.AdmissionregistrationV1beta1().ValidatingAdmissionPolicyBindings().Create(context.TODO(), policyBinding, metav1.CreateOptions{}) if err != nil { t.Fatal(err) } @@ -1398,15 +1400,15 @@ func Test_ValidatingAdmissionPolicy_MatchByResourceNames(t *testing.T) { t.Fatal(err) } - policy := withValidations([]admissionregistrationv1alpha1.Validation{ + policy := withValidations([]admissionregistrationv1beta1.Validation{ { Expression: "false", Message: "matched by resource names!", }, - }, withConfigMapMatch(withFailurePolicy(admissionregistrationv1alpha1.Fail, makePolicy("match-by-resource-names")))) + }, withConfigMapMatch(withFailurePolicy(admissionregistrationv1beta1.Fail, makePolicy("match-by-resource-names")))) policy.Spec.MatchConstraints.ResourceRules[0].ResourceNames = []string{"matched-by-resource-name"} policy = withWaitReadyConstraintAndExpression(policy) - _, err = client.AdmissionregistrationV1alpha1().ValidatingAdmissionPolicies().Create(context.TODO(), policy, metav1.CreateOptions{}) + _, err = client.AdmissionregistrationV1beta1().ValidatingAdmissionPolicies().Create(context.TODO(), policy, metav1.CreateOptions{}) if err != nil { t.Fatal(err) } @@ -1457,21 +1459,21 @@ func Test_ValidatingAdmissionPolicy_MatchWithExcludeResources(t *testing.T) { t.Fatal(err) } - policy := withValidations([]admissionregistrationv1alpha1.Validation{ + policy := withValidations([]admissionregistrationv1beta1.Validation{ { Expression: "false", Message: "not matched by exclude resources!", }, - }, withPolicyMatch("*", withFailurePolicy(admissionregistrationv1alpha1.Fail, makePolicy("match-by-resource-names")))) + }, withPolicyMatch("*", withFailurePolicy(admissionregistrationv1beta1.Fail, makePolicy("match-by-resource-names")))) policy = withExcludePolicyMatch("configmaps", policy) - _, err = client.AdmissionregistrationV1alpha1().ValidatingAdmissionPolicies().Create(context.TODO(), policy, metav1.CreateOptions{}) + _, err = client.AdmissionregistrationV1beta1().ValidatingAdmissionPolicies().Create(context.TODO(), policy, metav1.CreateOptions{}) if err != nil { t.Fatal(err) } policyBinding := makeBinding("match-by-resource-names-binding", "match-by-resource-names", "") - _, err = client.AdmissionregistrationV1alpha1().ValidatingAdmissionPolicyBindings().Create(context.TODO(), policyBinding, metav1.CreateOptions{}) + _, err = client.AdmissionregistrationV1beta1().ValidatingAdmissionPolicyBindings().Create(context.TODO(), policyBinding, metav1.CreateOptions{}) if err != nil { t.Fatal(err) } @@ -1530,16 +1532,16 @@ func Test_ValidatingAdmissionPolicy_MatchWithMatchPolicyEquivalent(t *testing.T) t.Fatal(err) } - policy := withValidations([]admissionregistrationv1alpha1.Validation{ + policy := withValidations([]admissionregistrationv1beta1.Validation{ { Expression: "false", Message: "matched by equivalent match policy!", }, - }, withFailurePolicy(admissionregistrationv1alpha1.Fail, makePolicy("match-by-match-policy-equivalent"))) - policy.Spec.MatchConstraints = &admissionregistrationv1alpha1.MatchResources{ - ResourceRules: []admissionregistrationv1alpha1.NamedRuleWithOperations{ + }, withFailurePolicy(admissionregistrationv1beta1.Fail, makePolicy("match-by-match-policy-equivalent"))) + policy.Spec.MatchConstraints = &admissionregistrationv1beta1.MatchResources{ + ResourceRules: []admissionregistrationv1beta1.NamedRuleWithOperations{ { - RuleWithOperations: admissionregistrationv1alpha1.RuleWithOperations{ + RuleWithOperations: admissionregistrationv1beta1.RuleWithOperations{ Operations: []admissionregistrationv1.OperationType{ "*", }, @@ -1559,7 +1561,7 @@ func Test_ValidatingAdmissionPolicy_MatchWithMatchPolicyEquivalent(t *testing.T) }, } policy = withWaitReadyConstraintAndExpression(policy) - if _, err := client.AdmissionregistrationV1alpha1().ValidatingAdmissionPolicies().Create(context.TODO(), policy, metav1.CreateOptions{}); err != nil { + if _, err := client.AdmissionregistrationV1beta1().ValidatingAdmissionPolicies().Create(context.TODO(), policy, metav1.CreateOptions{}); err != nil { t.Fatal(err) } @@ -1622,18 +1624,18 @@ func Test_ValidatingAdmissionPolicy_MatchWithMatchPolicyExact(t *testing.T) { t.Fatal(err) } - policy := withValidations([]admissionregistrationv1alpha1.Validation{ + policy := withValidations([]admissionregistrationv1beta1.Validation{ { Expression: "false", Message: "matched by exact match policy!", }, - }, withFailurePolicy(admissionregistrationv1alpha1.Fail, makePolicy("match-by-match-policy-exact"))) - matchPolicyExact := admissionregistrationv1alpha1.Exact - policy.Spec.MatchConstraints = &admissionregistrationv1alpha1.MatchResources{ + }, withFailurePolicy(admissionregistrationv1beta1.Fail, makePolicy("match-by-match-policy-exact"))) + matchPolicyExact := admissionregistrationv1beta1.Exact + policy.Spec.MatchConstraints = &admissionregistrationv1beta1.MatchResources{ MatchPolicy: &matchPolicyExact, - ResourceRules: []admissionregistrationv1alpha1.NamedRuleWithOperations{ + ResourceRules: []admissionregistrationv1beta1.NamedRuleWithOperations{ { - RuleWithOperations: admissionregistrationv1alpha1.RuleWithOperations{ + RuleWithOperations: admissionregistrationv1beta1.RuleWithOperations{ Operations: []admissionregistrationv1.OperationType{ "*", }, @@ -1653,7 +1655,7 @@ func Test_ValidatingAdmissionPolicy_MatchWithMatchPolicyExact(t *testing.T) { }, } policy = withWaitReadyConstraintAndExpression(policy) - if _, err := client.AdmissionregistrationV1alpha1().ValidatingAdmissionPolicies().Create(context.TODO(), policy, metav1.CreateOptions{}); err != nil { + if _, err := client.AdmissionregistrationV1beta1().ValidatingAdmissionPolicies().Create(context.TODO(), policy, metav1.CreateOptions{}); err != nil { t.Fatal(err) } @@ -1718,14 +1720,14 @@ func Test_ValidatingAdmissionPolicy_PolicyDeletedThenRecreated(t *testing.T) { t.Fatal(err) } - policy := withValidations([]admissionregistrationv1alpha1.Validation{ + policy := withValidations([]admissionregistrationv1beta1.Validation{ { Expression: "object.metadata.name.startsWith('test')", Message: "wrong prefix", }, - }, withParams(configParamKind(), withNamespaceMatch(withFailurePolicy(admissionregistrationv1alpha1.Fail, makePolicy("allowed-prefixes"))))) + }, withParams(configParamKind(), withNamespaceMatch(withFailurePolicy(admissionregistrationv1beta1.Fail, makePolicy("allowed-prefixes"))))) policy = withWaitReadyConstraintAndExpression(policy) - _, err = client.AdmissionregistrationV1alpha1().ValidatingAdmissionPolicies().Create(context.TODO(), policy, metav1.CreateOptions{}) + _, err = client.AdmissionregistrationV1beta1().ValidatingAdmissionPolicies().Create(context.TODO(), policy, metav1.CreateOptions{}) if err != nil { t.Fatal(err) } @@ -1762,7 +1764,7 @@ func Test_ValidatingAdmissionPolicy_PolicyDeletedThenRecreated(t *testing.T) { } // delete the binding object and validate that policy is not enforced - if err := client.AdmissionregistrationV1alpha1().ValidatingAdmissionPolicies().Delete(context.TODO(), "allowed-prefixes", metav1.DeleteOptions{}); err != nil { + if err := client.AdmissionregistrationV1beta1().ValidatingAdmissionPolicies().Delete(context.TODO(), "allowed-prefixes", metav1.DeleteOptions{}); err != nil { t.Fatal(err) } @@ -1787,7 +1789,7 @@ func Test_ValidatingAdmissionPolicy_PolicyDeletedThenRecreated(t *testing.T) { t.Errorf("timed out waiting: %v", err) } - _, err = client.AdmissionregistrationV1alpha1().ValidatingAdmissionPolicies().Create(context.TODO(), policy, metav1.CreateOptions{}) + _, err = client.AdmissionregistrationV1beta1().ValidatingAdmissionPolicies().Create(context.TODO(), policy, metav1.CreateOptions{}) if err != nil { t.Fatal(err) } @@ -1836,14 +1838,14 @@ func Test_ValidatingAdmissionPolicy_BindingDeletedThenRecreated(t *testing.T) { t.Fatal(err) } - policy := withValidations([]admissionregistrationv1alpha1.Validation{ + policy := withValidations([]admissionregistrationv1beta1.Validation{ { Expression: "object.metadata.name.startsWith('test')", Message: "wrong prefix", }, - }, withParams(configParamKind(), withNamespaceMatch(withFailurePolicy(admissionregistrationv1alpha1.Fail, makePolicy("allowed-prefixes"))))) + }, withParams(configParamKind(), withNamespaceMatch(withFailurePolicy(admissionregistrationv1beta1.Fail, makePolicy("allowed-prefixes"))))) policy = withWaitReadyConstraintAndExpression(policy) - _, err = client.AdmissionregistrationV1alpha1().ValidatingAdmissionPolicies().Create(context.TODO(), policy, metav1.CreateOptions{}) + _, err = client.AdmissionregistrationV1beta1().ValidatingAdmissionPolicies().Create(context.TODO(), policy, metav1.CreateOptions{}) if err != nil { t.Fatal(err) } @@ -1880,7 +1882,7 @@ func Test_ValidatingAdmissionPolicy_BindingDeletedThenRecreated(t *testing.T) { } // delete the binding object and validate that policy is not enforced - if err := client.AdmissionregistrationV1alpha1().ValidatingAdmissionPolicyBindings().Delete(context.TODO(), "allowed-prefixes-binding", metav1.DeleteOptions{}); err != nil { + if err := client.AdmissionregistrationV1beta1().ValidatingAdmissionPolicyBindings().Delete(context.TODO(), "allowed-prefixes-binding", metav1.DeleteOptions{}); err != nil { t.Fatal(err) } @@ -1906,7 +1908,7 @@ func Test_ValidatingAdmissionPolicy_BindingDeletedThenRecreated(t *testing.T) { } // recreate the policy binding and test that policy is enforced again - _, err = client.AdmissionregistrationV1alpha1().ValidatingAdmissionPolicyBindings().Create(context.TODO(), policyBinding, metav1.CreateOptions{}) + _, err = client.AdmissionregistrationV1beta1().ValidatingAdmissionPolicyBindings().Create(context.TODO(), policyBinding, metav1.CreateOptions{}) if err != nil { t.Fatal(err) } @@ -1965,14 +1967,14 @@ func Test_ValidatingAdmissionPolicy_ParamResourceDeletedThenRecreated(t *testing t.Fatal(err) } - policy := withValidations([]admissionregistrationv1alpha1.Validation{ + policy := withValidations([]admissionregistrationv1beta1.Validation{ { Expression: "object.metadata.name.startsWith(params.metadata.name)", Message: "wrong prefix", }, - }, withParams(configParamKind(), withNamespaceMatch(withFailurePolicy(admissionregistrationv1alpha1.Fail, makePolicy("allowed-prefixes"))))) + }, withParams(configParamKind(), withNamespaceMatch(withFailurePolicy(admissionregistrationv1beta1.Fail, makePolicy("allowed-prefixes"))))) policy = withWaitReadyConstraintAndExpression(policy) - _, err = client.AdmissionregistrationV1alpha1().ValidatingAdmissionPolicies().Create(context.TODO(), policy, metav1.CreateOptions{}) + _, err = client.AdmissionregistrationV1beta1().ValidatingAdmissionPolicies().Create(context.TODO(), policy, metav1.CreateOptions{}) if err != nil { t.Fatal(err) } @@ -2068,8 +2070,8 @@ func TestCRDParams(t *testing.T) { testcases := []struct { name string resource *unstructured.Unstructured - policy *admissionregistrationv1alpha1.ValidatingAdmissionPolicy - policyBinding *admissionregistrationv1alpha1.ValidatingAdmissionPolicyBinding + policy *admissionregistrationv1beta1.ValidatingAdmissionPolicy + policyBinding *admissionregistrationv1beta1.ValidatingAdmissionPolicyBinding namespace *v1.Namespace err string failureReason metav1.StatusReason @@ -2086,11 +2088,11 @@ func TestCRDParams(t *testing.T) { "nameCheck": "crd-test-k8s", }, }}, - policy: withValidations([]admissionregistrationv1alpha1.Validation{ + policy: withValidations([]admissionregistrationv1beta1.Validation{ { Expression: "params.spec.nameCheck == object.metadata.name", }, - }, withNamespaceMatch(withParams(withCRDParamKind("Panda", "awesome.bears.com", "v1"), withFailurePolicy(admissionregistrationv1alpha1.Fail, makePolicy("test-policy"))))), + }, withNamespaceMatch(withParams(withCRDParamKind("Panda", "awesome.bears.com", "v1"), withFailurePolicy(admissionregistrationv1beta1.Fail, makePolicy("test-policy"))))), policyBinding: makeBinding("crd-policy-binding", "test-policy", "config-obj"), namespace: &v1.Namespace{ ObjectMeta: metav1.ObjectMeta{ @@ -2112,11 +2114,11 @@ func TestCRDParams(t *testing.T) { "nameCheck": "crd-test-k8s", }, }}, - policy: withValidations([]admissionregistrationv1alpha1.Validation{ + policy: withValidations([]admissionregistrationv1beta1.Validation{ { Expression: "params.spec.nameCheck == object.metadata.name", }, - }, withNamespaceMatch(withParams(withCRDParamKind("Panda", "awesome.bears.com", "v1"), withFailurePolicy(admissionregistrationv1alpha1.Fail, makePolicy("test-policy"))))), + }, withNamespaceMatch(withParams(withCRDParamKind("Panda", "awesome.bears.com", "v1"), withFailurePolicy(admissionregistrationv1beta1.Fail, makePolicy("test-policy"))))), policyBinding: makeBinding("crd-policy-binding", "test-policy", "config-obj"), namespace: &v1.Namespace{ ObjectMeta: metav1.ObjectMeta{ @@ -2163,7 +2165,7 @@ func TestCRDParams(t *testing.T) { } policy := withWaitReadyConstraintAndExpression(testcase.policy) - if _, err := client.AdmissionregistrationV1alpha1().ValidatingAdmissionPolicies().Create(context.TODO(), policy, metav1.CreateOptions{}); err != nil { + if _, err := client.AdmissionregistrationV1beta1().ValidatingAdmissionPolicies().Create(context.TODO(), policy, metav1.CreateOptions{}); err != nil { t.Fatal(err) } // remove default namespace since the CRD is cluster-scoped @@ -2197,14 +2199,14 @@ func TestBindingRemoval(t *testing.T) { t.Fatal(err) } - policy := withValidations([]admissionregistrationv1alpha1.Validation{ + policy := withValidations([]admissionregistrationv1beta1.Validation{ { Expression: "false", Message: "policy still in effect", }, - }, withNamespaceMatch(withFailurePolicy(admissionregistrationv1alpha1.Fail, makePolicy("test-policy")))) + }, withNamespaceMatch(withFailurePolicy(admissionregistrationv1beta1.Fail, makePolicy("test-policy")))) policy = withWaitReadyConstraintAndExpression(policy) - if _, err := client.AdmissionregistrationV1alpha1().ValidatingAdmissionPolicies().Create(context.TODO(), policy, metav1.CreateOptions{}); err != nil { + if _, err := client.AdmissionregistrationV1beta1().ValidatingAdmissionPolicies().Create(context.TODO(), policy, metav1.CreateOptions{}); err != nil { t.Fatal(err) } @@ -2232,14 +2234,14 @@ func TestBindingRemoval(t *testing.T) { }); waitErr != nil { t.Errorf("timed out waiting: %v", waitErr) } - if err = client.AdmissionregistrationV1alpha1().ValidatingAdmissionPolicyBindings().Delete(context.TODO(), "test-binding", metav1.DeleteOptions{}); err != nil { + if err = client.AdmissionregistrationV1beta1().ValidatingAdmissionPolicyBindings().Delete(context.TODO(), "test-binding", metav1.DeleteOptions{}); err != nil { t.Fatal(err) } // wait for binding to be deleted if waitErr := wait.PollImmediate(time.Millisecond*10, wait.ForeverTestTimeout, func() (bool, error) { - _, err := client.AdmissionregistrationV1alpha1().ValidatingAdmissionPolicyBindings().Get(context.TODO(), "test-binding", metav1.GetOptions{}) + _, err := client.AdmissionregistrationV1beta1().ValidatingAdmissionPolicyBindings().Get(context.TODO(), "test-binding", metav1.GetOptions{}) if err != nil { if apierrors.IsNotFound(err) { return true, nil @@ -2371,12 +2373,12 @@ func Test_ValidateSecondaryAuthorization(t *testing.T) { testcase.extraAccountFn(t, adminClient, server.ClientConfig, extraRules) } - policy := withWaitReadyConstraintAndExpression(withValidations([]admissionregistrationv1alpha1.Validation{ + policy := withWaitReadyConstraintAndExpression(withValidations([]admissionregistrationv1beta1.Validation{ { Expression: testcase.expression, }, - }, withFailurePolicy(admissionregistrationv1alpha1.Fail, withNamespaceMatch(makePolicy("validate-authz"))))) - if _, err := adminClient.AdmissionregistrationV1alpha1().ValidatingAdmissionPolicies().Create(context.TODO(), policy, metav1.CreateOptions{}); err != nil { + }, withFailurePolicy(admissionregistrationv1beta1.Fail, withNamespaceMatch(makePolicy("validate-authz"))))) + if _, err := adminClient.AdmissionregistrationV1beta1().ValidatingAdmissionPolicies().Create(context.TODO(), policy, metav1.CreateOptions{}); err != nil { t.Fatal(err) } if err := createAndWaitReady(t, adminClient, makeBinding("validate-authz-binding", "validate-authz", ""), nil); err != nil { @@ -2443,11 +2445,11 @@ func serviceAccountClient(namespace, name string) clientFn { } } -func withWaitReadyConstraintAndExpression(policy *admissionregistrationv1alpha1.ValidatingAdmissionPolicy) *admissionregistrationv1alpha1.ValidatingAdmissionPolicy { +func withWaitReadyConstraintAndExpression(policy *admissionregistrationv1beta1.ValidatingAdmissionPolicy) *admissionregistrationv1beta1.ValidatingAdmissionPolicy { policy = policy.DeepCopy() - policy.Spec.MatchConstraints.ResourceRules = append(policy.Spec.MatchConstraints.ResourceRules, admissionregistrationv1alpha1.NamedRuleWithOperations{ + policy.Spec.MatchConstraints.ResourceRules = append(policy.Spec.MatchConstraints.ResourceRules, admissionregistrationv1beta1.NamedRuleWithOperations{ ResourceNames: []string{"test-marker"}, - RuleWithOperations: admissionregistrationv1alpha1.RuleWithOperations{ + RuleWithOperations: admissionregistrationv1beta1.RuleWithOperations{ Operations: []admissionregistrationv1.OperationType{ "UPDATE", }, @@ -2464,22 +2466,22 @@ func withWaitReadyConstraintAndExpression(policy *admissionregistrationv1alpha1. }, }, }) - policy.Spec.Validations = append([]admissionregistrationv1alpha1.Validation{{ + policy.Spec.Validations = append([]admissionregistrationv1beta1.Validation{{ Expression: "object.metadata.name != 'test-marker'", Message: "marker denied; policy is ready", }}, policy.Spec.Validations...) return policy } -func createAndWaitReady(t *testing.T, client clientset.Interface, binding *admissionregistrationv1alpha1.ValidatingAdmissionPolicyBinding, matchLabels map[string]string) error { +func createAndWaitReady(t *testing.T, client clientset.Interface, binding *admissionregistrationv1beta1.ValidatingAdmissionPolicyBinding, matchLabels map[string]string) error { return createAndWaitReadyNamespaced(t, client, binding, matchLabels, "default") } -func createAndWaitReadyNamespaced(t *testing.T, client clientset.Interface, binding *admissionregistrationv1alpha1.ValidatingAdmissionPolicyBinding, matchLabels map[string]string, ns string) error { +func createAndWaitReadyNamespaced(t *testing.T, client clientset.Interface, binding *admissionregistrationv1beta1.ValidatingAdmissionPolicyBinding, matchLabels map[string]string, ns string) error { return createAndWaitReadyNamespacedWithWarnHandler(t, client, binding, matchLabels, ns, newWarningHandler()) } -func createAndWaitReadyNamespacedWithWarnHandler(t *testing.T, client clientset.Interface, binding *admissionregistrationv1alpha1.ValidatingAdmissionPolicyBinding, matchLabels map[string]string, ns string, handler *warningHandler) error { +func createAndWaitReadyNamespacedWithWarnHandler(t *testing.T, client clientset.Interface, binding *admissionregistrationv1beta1.ValidatingAdmissionPolicyBinding, matchLabels map[string]string, ns string, handler *warningHandler) error { marker := &v1.Endpoints{ObjectMeta: metav1.ObjectMeta{Name: "test-marker", Namespace: ns, Labels: matchLabels}} defer func() { err := client.CoreV1().Endpoints(ns).Delete(context.TODO(), marker.Name, metav1.DeleteOptions{}) @@ -2492,7 +2494,7 @@ func createAndWaitReadyNamespacedWithWarnHandler(t *testing.T, client clientset. return err } - _, err = client.AdmissionregistrationV1alpha1().ValidatingAdmissionPolicyBindings().Create(context.TODO(), binding, metav1.CreateOptions{}) + _, err = client.AdmissionregistrationV1beta1().ValidatingAdmissionPolicyBindings().Create(context.TODO(), binding, metav1.CreateOptions{}) if err != nil { return err } @@ -2520,8 +2522,8 @@ func createAndWaitReadyNamespacedWithWarnHandler(t *testing.T, client clientset. return nil } -func withMatchNamespace(binding *admissionregistrationv1alpha1.ValidatingAdmissionPolicyBinding, ns string) *admissionregistrationv1alpha1.ValidatingAdmissionPolicyBinding { - binding.Spec.MatchResources = &admissionregistrationv1alpha1.MatchResources{ +func withMatchNamespace(binding *admissionregistrationv1beta1.ValidatingAdmissionPolicyBinding, ns string) *admissionregistrationv1beta1.ValidatingAdmissionPolicyBinding { + binding.Spec.MatchResources = &admissionregistrationv1beta1.MatchResources{ NamespaceSelector: &metav1.LabelSelector{ MatchExpressions: []metav1.LabelSelectorRequirement{ { @@ -2535,52 +2537,52 @@ func withMatchNamespace(binding *admissionregistrationv1alpha1.ValidatingAdmissi return binding } -func makePolicy(name string) *admissionregistrationv1alpha1.ValidatingAdmissionPolicy { - return &admissionregistrationv1alpha1.ValidatingAdmissionPolicy{ +func makePolicy(name string) *admissionregistrationv1beta1.ValidatingAdmissionPolicy { + return &admissionregistrationv1beta1.ValidatingAdmissionPolicy{ ObjectMeta: metav1.ObjectMeta{Name: name}, } } -func withParams(params *admissionregistrationv1alpha1.ParamKind, policy *admissionregistrationv1alpha1.ValidatingAdmissionPolicy) *admissionregistrationv1alpha1.ValidatingAdmissionPolicy { +func withParams(params *admissionregistrationv1beta1.ParamKind, policy *admissionregistrationv1beta1.ValidatingAdmissionPolicy) *admissionregistrationv1beta1.ValidatingAdmissionPolicy { policy.Spec.ParamKind = params return policy } -func configParamKind() *admissionregistrationv1alpha1.ParamKind { - return &admissionregistrationv1alpha1.ParamKind{ +func configParamKind() *admissionregistrationv1beta1.ParamKind { + return &admissionregistrationv1beta1.ParamKind{ APIVersion: "v1", Kind: "ConfigMap", } } -func withFailurePolicy(failure admissionregistrationv1alpha1.FailurePolicyType, policy *admissionregistrationv1alpha1.ValidatingAdmissionPolicy) *admissionregistrationv1alpha1.ValidatingAdmissionPolicy { +func withFailurePolicy(failure admissionregistrationv1beta1.FailurePolicyType, policy *admissionregistrationv1beta1.ValidatingAdmissionPolicy) *admissionregistrationv1beta1.ValidatingAdmissionPolicy { policy.Spec.FailurePolicy = &failure return policy } -func withNamespaceMatch(policy *admissionregistrationv1alpha1.ValidatingAdmissionPolicy) *admissionregistrationv1alpha1.ValidatingAdmissionPolicy { +func withNamespaceMatch(policy *admissionregistrationv1beta1.ValidatingAdmissionPolicy) *admissionregistrationv1beta1.ValidatingAdmissionPolicy { return withPolicyMatch("namespaces", policy) } -func withConfigMapMatch(policy *admissionregistrationv1alpha1.ValidatingAdmissionPolicy) *admissionregistrationv1alpha1.ValidatingAdmissionPolicy { +func withConfigMapMatch(policy *admissionregistrationv1beta1.ValidatingAdmissionPolicy) *admissionregistrationv1beta1.ValidatingAdmissionPolicy { return withPolicyMatch("configmaps", policy) } -func withObjectSelector(labelSelector *metav1.LabelSelector, policy *admissionregistrationv1alpha1.ValidatingAdmissionPolicy) *admissionregistrationv1alpha1.ValidatingAdmissionPolicy { +func withObjectSelector(labelSelector *metav1.LabelSelector, policy *admissionregistrationv1beta1.ValidatingAdmissionPolicy) *admissionregistrationv1beta1.ValidatingAdmissionPolicy { policy.Spec.MatchConstraints.ObjectSelector = labelSelector return policy } -func withNamespaceSelector(labelSelector *metav1.LabelSelector, policy *admissionregistrationv1alpha1.ValidatingAdmissionPolicy) *admissionregistrationv1alpha1.ValidatingAdmissionPolicy { +func withNamespaceSelector(labelSelector *metav1.LabelSelector, policy *admissionregistrationv1beta1.ValidatingAdmissionPolicy) *admissionregistrationv1beta1.ValidatingAdmissionPolicy { policy.Spec.MatchConstraints.NamespaceSelector = labelSelector return policy } -func withPolicyMatch(resource string, policy *admissionregistrationv1alpha1.ValidatingAdmissionPolicy) *admissionregistrationv1alpha1.ValidatingAdmissionPolicy { - policy.Spec.MatchConstraints = &admissionregistrationv1alpha1.MatchResources{ - ResourceRules: []admissionregistrationv1alpha1.NamedRuleWithOperations{ +func withPolicyMatch(resource string, policy *admissionregistrationv1beta1.ValidatingAdmissionPolicy) *admissionregistrationv1beta1.ValidatingAdmissionPolicy { + policy.Spec.MatchConstraints = &admissionregistrationv1beta1.MatchResources{ + ResourceRules: []admissionregistrationv1beta1.NamedRuleWithOperations{ { - RuleWithOperations: admissionregistrationv1alpha1.RuleWithOperations{ + RuleWithOperations: admissionregistrationv1beta1.RuleWithOperations{ Operations: []admissionregistrationv1.OperationType{ "*", }, @@ -2602,10 +2604,10 @@ func withPolicyMatch(resource string, policy *admissionregistrationv1alpha1.Vali return policy } -func withExcludePolicyMatch(resource string, policy *admissionregistrationv1alpha1.ValidatingAdmissionPolicy) *admissionregistrationv1alpha1.ValidatingAdmissionPolicy { - policy.Spec.MatchConstraints.ExcludeResourceRules = []admissionregistrationv1alpha1.NamedRuleWithOperations{ +func withExcludePolicyMatch(resource string, policy *admissionregistrationv1beta1.ValidatingAdmissionPolicy) *admissionregistrationv1beta1.ValidatingAdmissionPolicy { + policy.Spec.MatchConstraints.ExcludeResourceRules = []admissionregistrationv1beta1.NamedRuleWithOperations{ { - RuleWithOperations: admissionregistrationv1alpha1.RuleWithOperations{ + RuleWithOperations: admissionregistrationv1beta1.RuleWithOperations{ Operations: []admissionregistrationv1.OperationType{ "*", }, @@ -2626,9 +2628,9 @@ func withExcludePolicyMatch(resource string, policy *admissionregistrationv1alph return policy } -func withPolicyExistsLabels(labels []string, policy *admissionregistrationv1alpha1.ValidatingAdmissionPolicy) *admissionregistrationv1alpha1.ValidatingAdmissionPolicy { +func withPolicyExistsLabels(labels []string, policy *admissionregistrationv1beta1.ValidatingAdmissionPolicy) *admissionregistrationv1beta1.ValidatingAdmissionPolicy { if policy.Spec.MatchConstraints == nil { - policy.Spec.MatchConstraints = &admissionregistrationv1alpha1.MatchResources{} + policy.Spec.MatchConstraints = &admissionregistrationv1beta1.MatchResources{} } matchExprs := buildExistsSelector(labels) policy.Spec.MatchConstraints.ObjectSelector = &metav1.LabelSelector{ @@ -2637,40 +2639,41 @@ func withPolicyExistsLabels(labels []string, policy *admissionregistrationv1alph return policy } -func withValidations(validations []admissionregistrationv1alpha1.Validation, policy *admissionregistrationv1alpha1.ValidatingAdmissionPolicy) *admissionregistrationv1alpha1.ValidatingAdmissionPolicy { +func withValidations(validations []admissionregistrationv1beta1.Validation, policy *admissionregistrationv1beta1.ValidatingAdmissionPolicy) *admissionregistrationv1beta1.ValidatingAdmissionPolicy { policy.Spec.Validations = validations return policy } -func withAuditAnnotations(auditAnnotations []admissionregistrationv1alpha1.AuditAnnotation, policy *admissionregistrationv1alpha1.ValidatingAdmissionPolicy) *admissionregistrationv1alpha1.ValidatingAdmissionPolicy { +func withAuditAnnotations(auditAnnotations []admissionregistrationv1beta1.AuditAnnotation, policy *admissionregistrationv1beta1.ValidatingAdmissionPolicy) *admissionregistrationv1beta1.ValidatingAdmissionPolicy { policy.Spec.AuditAnnotations = auditAnnotations return policy } -func makeBinding(name, policyName, paramName string) *admissionregistrationv1alpha1.ValidatingAdmissionPolicyBinding { - var paramRef *admissionregistrationv1alpha1.ParamRef +func makeBinding(name, policyName, paramName string) *admissionregistrationv1beta1.ValidatingAdmissionPolicyBinding { + var paramRef *admissionregistrationv1beta1.ParamRef if paramName != "" { - paramRef = &admissionregistrationv1alpha1.ParamRef{ - Name: paramName, - Namespace: "default", + paramRef = &admissionregistrationv1beta1.ParamRef{ + Name: paramName, + Namespace: "default", + ParameterNotFoundAction: admissionregistrationv1beta1.DenyAction, } } - return &admissionregistrationv1alpha1.ValidatingAdmissionPolicyBinding{ + return &admissionregistrationv1beta1.ValidatingAdmissionPolicyBinding{ ObjectMeta: metav1.ObjectMeta{Name: name}, - Spec: admissionregistrationv1alpha1.ValidatingAdmissionPolicyBindingSpec{ + Spec: admissionregistrationv1beta1.ValidatingAdmissionPolicyBindingSpec{ PolicyName: policyName, ParamRef: paramRef, - ValidationActions: []admissionregistrationv1alpha1.ValidationAction{admissionregistrationv1alpha1.Deny}, + ValidationActions: []admissionregistrationv1beta1.ValidationAction{admissionregistrationv1beta1.Deny}, }, } } -func withValidationActions(validationActions []admissionregistrationv1alpha1.ValidationAction, binding *admissionregistrationv1alpha1.ValidatingAdmissionPolicyBinding) *admissionregistrationv1alpha1.ValidatingAdmissionPolicyBinding { +func withValidationActions(validationActions []admissionregistrationv1beta1.ValidationAction, binding *admissionregistrationv1beta1.ValidatingAdmissionPolicyBinding) *admissionregistrationv1beta1.ValidatingAdmissionPolicyBinding { binding.Spec.ValidationActions = validationActions return binding } -func withBindingExistsLabels(labels []string, policy *admissionregistrationv1alpha1.ValidatingAdmissionPolicy, binding *admissionregistrationv1alpha1.ValidatingAdmissionPolicyBinding) *admissionregistrationv1alpha1.ValidatingAdmissionPolicyBinding { +func withBindingExistsLabels(labels []string, policy *admissionregistrationv1beta1.ValidatingAdmissionPolicy, binding *admissionregistrationv1beta1.ValidatingAdmissionPolicyBinding) *admissionregistrationv1beta1.ValidatingAdmissionPolicyBinding { if policy != nil { // shallow copy constraintsCopy := *policy.Spec.MatchConstraints @@ -2756,8 +2759,8 @@ func checkAuditEvents(t *testing.T, logFile *os.File, auditEvents []utils.AuditE } } -func withCRDParamKind(kind, crdGroup, crdVersion string) *admissionregistrationv1alpha1.ParamKind { - return &admissionregistrationv1alpha1.ParamKind{ +func withCRDParamKind(kind, crdGroup, crdVersion string) *admissionregistrationv1beta1.ParamKind { + return &admissionregistrationv1beta1.ParamKind{ APIVersion: crdGroup + "/" + crdVersion, Kind: kind, } @@ -2915,11 +2918,11 @@ rules: func TestAuthorizationDecisionCaching(t *testing.T) { for _, tc := range []struct { name string - validations []admissionregistrationv1alpha1.Validation + validations []admissionregistrationv1beta1.Validation }{ { name: "hit", - validations: []admissionregistrationv1alpha1.Validation{ + validations: []admissionregistrationv1beta1.Validation{ { Expression: "authorizer.requestResource.check('test').reason() == authorizer.requestResource.check('test').reason()", }, @@ -2927,7 +2930,7 @@ func TestAuthorizationDecisionCaching(t *testing.T) { }, { name: "miss", - validations: []admissionregistrationv1alpha1.Validation{ + validations: []admissionregistrationv1beta1.Validation{ { Expression: "authorizer.requestResource.subresource('a').check('test').reason() == '1'", }, @@ -3016,16 +3019,16 @@ contexts: }) defer teardown() - policy := &admissionregistrationv1alpha1.ValidatingAdmissionPolicy{ + policy := &admissionregistrationv1beta1.ValidatingAdmissionPolicy{ ObjectMeta: metav1.ObjectMeta{ Name: "test-authorization-decision-caching-policy", }, - Spec: admissionregistrationv1alpha1.ValidatingAdmissionPolicySpec{ - MatchConstraints: &admissionregistrationv1alpha1.MatchResources{ - ResourceRules: []admissionregistrationv1alpha1.NamedRuleWithOperations{ + Spec: admissionregistrationv1beta1.ValidatingAdmissionPolicySpec{ + MatchConstraints: &admissionregistrationv1beta1.MatchResources{ + ResourceRules: []admissionregistrationv1beta1.NamedRuleWithOperations{ { ResourceNames: []string{"test-authorization-decision-caching-namespace"}, - RuleWithOperations: admissionregistrationv1alpha1.RuleWithOperations{ + RuleWithOperations: admissionregistrationv1beta1.RuleWithOperations{ Operations: []admissionregistrationv1.OperationType{ admissionregistrationv1.Create, }, @@ -3042,7 +3045,7 @@ contexts: }, } - policy, err = client.AdmissionregistrationV1alpha1().ValidatingAdmissionPolicies().Create(ctx, withWaitReadyConstraintAndExpression(policy), metav1.CreateOptions{}) + policy, err = client.AdmissionregistrationV1beta1().ValidatingAdmissionPolicies().Create(ctx, withWaitReadyConstraintAndExpression(policy), metav1.CreateOptions{}) if err != nil { t.Fatal(err) }