refactor: replace usage of v1alpha1 with v1beta1

v1alpha -> v1beta

fill in DenyAction where there is no ParameterNotFoundAction
Alexander Zielenski 2023-07-19 15:53:31 -07:00
parent b3b775baa5
commit ef8670c946
14 changed files with 600 additions and 597 deletions


@ -19,7 +19,7 @@ package app
import ( import (
"context" "context"
admissionregistrationv1alpha1 "k8s.io/api/admissionregistration/v1alpha1" admissionregistrationv1beta1 "k8s.io/api/admissionregistration/v1beta1"
pluginvalidatingadmissionpolicy "k8s.io/apiserver/pkg/admission/plugin/validatingadmissionpolicy" pluginvalidatingadmissionpolicy "k8s.io/apiserver/pkg/admission/plugin/validatingadmissionpolicy"
"k8s.io/apiserver/pkg/cel/openapi/resolver" "k8s.io/apiserver/pkg/cel/openapi/resolver"
"k8s.io/client-go/kubernetes/scheme" "k8s.io/client-go/kubernetes/scheme"
@ -28,7 +28,7 @@ import (
"k8s.io/kubernetes/pkg/generated/openapi" "k8s.io/kubernetes/pkg/generated/openapi"
) )
var validatingAdmissionPolicyResource = admissionregistrationv1alpha1.SchemeGroupVersion.WithResource("validatingadmissionpolicies") var validatingAdmissionPolicyResource = admissionregistrationv1beta1.SchemeGroupVersion.WithResource("validatingadmissionpolicies")
func startValidatingAdmissionPolicyStatusController(ctx context.Context, controllerContext ControllerContext) (controller.Interface, bool, error) { func startValidatingAdmissionPolicyStatusController(ctx context.Context, controllerContext ControllerContext) (controller.Interface, bool, error) {
// intended check against served resource but not feature gate. // intended check against served resource but not feature gate.
@ -41,8 +41,8 @@ func startValidatingAdmissionPolicyStatusController(ctx context.Context, control
RestMapper: controllerContext.RESTMapper, RestMapper: controllerContext.RESTMapper,
} }
c, err := validatingadmissionpolicystatus.NewController( c, err := validatingadmissionpolicystatus.NewController(
controllerContext.InformerFactory.Admissionregistration().V1alpha1().ValidatingAdmissionPolicies(), controllerContext.InformerFactory.Admissionregistration().V1beta1().ValidatingAdmissionPolicies(),
controllerContext.ClientBuilder.ClientOrDie("validatingadmissionpolicy-status-controller").AdmissionregistrationV1alpha1().ValidatingAdmissionPolicies(), controllerContext.ClientBuilder.ClientOrDie("validatingadmissionpolicy-status-controller").AdmissionregistrationV1beta1().ValidatingAdmissionPolicies(),
typeChecker, typeChecker,
) )
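Review bot: Controller start-up is now keyed to the v1beta1 resource, because `validatingAdmissionPolicyResource` is built from `admissionregistrationv1beta1.SchemeGroupVersion` and the comment at the top of `startValidatingAdmissionPolicyStatusController` says the check is against the served resource, not the feature gate. That check is outside the hunk, but if it returns early when v1beta1 is not served, a cluster serving only v1alpha1 would presumably run without this controller and type-check warnings would stop appearing in policy status without any signal to the operator. I would state that on the variable, for example `// The status controller starts only when admissionregistration.k8s.io/v1beta1 validatingadmissionpolicies is served; v1alpha1-only clusters get no type-check status.` The function body continues past the last hunk shown here.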


@ -21,15 +21,15 @@ import (
"fmt" "fmt"
"time" "time"
"k8s.io/api/admissionregistration/v1alpha1" "k8s.io/api/admissionregistration/v1beta1"
kerrors "k8s.io/apimachinery/pkg/api/errors" kerrors "k8s.io/apimachinery/pkg/api/errors"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
utilruntime "k8s.io/apimachinery/pkg/util/runtime" utilruntime "k8s.io/apimachinery/pkg/util/runtime"
"k8s.io/apimachinery/pkg/util/wait" "k8s.io/apimachinery/pkg/util/wait"
"k8s.io/apiserver/pkg/admission/plugin/validatingadmissionpolicy" "k8s.io/apiserver/pkg/admission/plugin/validatingadmissionpolicy"
admissionregistrationv1alpha1apply "k8s.io/client-go/applyconfigurations/admissionregistration/v1alpha1" admissionregistrationv1beta1apply "k8s.io/client-go/applyconfigurations/admissionregistration/v1beta1"
informerv1alpha1 "k8s.io/client-go/informers/admissionregistration/v1alpha1" informerv1beta1 "k8s.io/client-go/informers/admissionregistration/v1beta1"
admissionregistrationv1alpha1 "k8s.io/client-go/kubernetes/typed/admissionregistration/v1alpha1" admissionregistrationv1beta1 "k8s.io/client-go/kubernetes/typed/admissionregistration/v1beta1"
"k8s.io/client-go/tools/cache" "k8s.io/client-go/tools/cache"
"k8s.io/client-go/util/workqueue" "k8s.io/client-go/util/workqueue"
) )
@ -40,10 +40,10 @@ const ControllerName = "validatingadmissionpolicy-status"
// Controller is the ValidatingAdmissionPolicy Status controller that reconciles the Status field of each policy object. // Controller is the ValidatingAdmissionPolicy Status controller that reconciles the Status field of each policy object.
// This controller runs type checks against referred types for each policy definition. // This controller runs type checks against referred types for each policy definition.
type Controller struct { type Controller struct {
policyInformer informerv1alpha1.ValidatingAdmissionPolicyInformer policyInformer informerv1beta1.ValidatingAdmissionPolicyInformer
policyQueue workqueue.RateLimitingInterface policyQueue workqueue.RateLimitingInterface
policySynced cache.InformerSynced policySynced cache.InformerSynced
policyClient admissionregistrationv1alpha1.ValidatingAdmissionPolicyInterface policyClient admissionregistrationv1beta1.ValidatingAdmissionPolicyInterface
// typeChecker checks the policy's expressions for type errors. // typeChecker checks the policy's expressions for type errors.
// Type of params is defined in policy.Spec.ParamsKind // Type of params is defined in policy.Spec.ParamsKind
@ -66,7 +66,7 @@ func (c *Controller) Run(ctx context.Context, workers int) {
<-ctx.Done() <-ctx.Done()
} }
func NewController(policyInformer informerv1alpha1.ValidatingAdmissionPolicyInformer, policyClient admissionregistrationv1alpha1.ValidatingAdmissionPolicyInterface, typeChecker *validatingadmissionpolicy.TypeChecker) (*Controller, error) { func NewController(policyInformer informerv1beta1.ValidatingAdmissionPolicyInformer, policyClient admissionregistrationv1beta1.ValidatingAdmissionPolicyInterface, typeChecker *validatingadmissionpolicy.TypeChecker) (*Controller, error) {
c := &Controller{ c := &Controller{
policyInformer: policyInformer, policyInformer: policyInformer,
policyQueue: workqueue.NewRateLimitingQueueWithConfig(workqueue.DefaultControllerRateLimiter(), workqueue.RateLimitingQueueConfig{Name: ControllerName}), policyQueue: workqueue.NewRateLimitingQueueWithConfig(workqueue.DefaultControllerRateLimiter(), workqueue.RateLimitingQueueConfig{Name: ControllerName}),
@ -89,7 +89,7 @@ func NewController(policyInformer informerv1alpha1.ValidatingAdmissionPolicyInfo
} }
func (c *Controller) enqueuePolicy(policy any) { func (c *Controller) enqueuePolicy(policy any) {
if policy, ok := policy.(*v1alpha1.ValidatingAdmissionPolicy); ok { if policy, ok := policy.(*v1beta1.ValidatingAdmissionPolicy); ok {
// policy objects are cluster-scoped, no point include its namespace. // policy objects are cluster-scoped, no point include its namespace.
key := policy.ObjectMeta.Name key := policy.ObjectMeta.Name
if key == "" { if key == "" {
@ -138,7 +138,7 @@ func (c *Controller) processNextWorkItem(ctx context.Context) bool {
return true return true
} }
func (c *Controller) reconcile(ctx context.Context, policy *v1alpha1.ValidatingAdmissionPolicy) error { func (c *Controller) reconcile(ctx context.Context, policy *v1beta1.ValidatingAdmissionPolicy) error {
if policy == nil { if policy == nil {
return nil return nil
} }
@ -146,16 +146,16 @@ func (c *Controller) reconcile(ctx context.Context, policy *v1alpha1.ValidatingA
return nil return nil
} }
warnings := c.typeChecker.Check(policy) warnings := c.typeChecker.Check(policy)
warningsConfig := make([]*admissionregistrationv1alpha1apply.ExpressionWarningApplyConfiguration, 0, len(warnings)) warningsConfig := make([]*admissionregistrationv1beta1apply.ExpressionWarningApplyConfiguration, 0, len(warnings))
for _, warning := range warnings { for _, warning := range warnings {
warningsConfig = append(warningsConfig, admissionregistrationv1alpha1apply.ExpressionWarning(). warningsConfig = append(warningsConfig, admissionregistrationv1beta1apply.ExpressionWarning().
WithFieldRef(warning.FieldRef). WithFieldRef(warning.FieldRef).
WithWarning(warning.Warning)) WithWarning(warning.Warning))
} }
applyConfig := admissionregistrationv1alpha1apply.ValidatingAdmissionPolicy(policy.Name). applyConfig := admissionregistrationv1beta1apply.ValidatingAdmissionPolicy(policy.Name).
WithStatus(admissionregistrationv1alpha1apply.ValidatingAdmissionPolicyStatus(). WithStatus(admissionregistrationv1beta1apply.ValidatingAdmissionPolicyStatus().
WithObservedGeneration(policy.Generation). WithObservedGeneration(policy.Generation).
WithTypeChecking(admissionregistrationv1alpha1apply.TypeChecking(). WithTypeChecking(admissionregistrationv1beta1apply.TypeChecking().
WithExpressionWarnings(warningsConfig...))) WithExpressionWarnings(warningsConfig...)))
_, err := c.policyClient.ApplyStatus(ctx, applyConfig, metav1.ApplyOptions{FieldManager: ControllerName, Force: true}) _, err := c.policyClient.ApplyStatus(ctx, applyConfig, metav1.ApplyOptions{FieldManager: ControllerName, Force: true})
return err return err
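Review bot: `NewController` is exported and now takes the v1beta1 informer and typed client, but it has no doc comment saying which API version the controller watches and writes. I would add `// NewController returns a status controller that watches v1beta1 ValidatingAdmissionPolicy objects and applies type-check warnings to their status.` above it. In `enqueuePolicy` the assertion `policy.(*v1beta1.ValidatingAdmissionPolicy)` is what filters out objects of any other type. The rest of that function is outside the hunk, so it is not visible whether a failed assertion is logged; if it is dropped silently, a one-line log or comment there would make a version mismatch easier to diagnose.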


@ -23,7 +23,7 @@ import (
"time" "time"
admissionregistrationv1 "k8s.io/api/admissionregistration/v1" admissionregistrationv1 "k8s.io/api/admissionregistration/v1"
admissionregistrationv1alpha1 "k8s.io/api/admissionregistration/v1alpha1" admissionregistrationv1beta1 "k8s.io/api/admissionregistration/v1beta1"
"k8s.io/apimachinery/pkg/api/meta/testrestmapper" "k8s.io/apimachinery/pkg/api/meta/testrestmapper"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/util/wait" "k8s.io/apimachinery/pkg/util/wait"
@ -38,13 +38,13 @@ import (
func TestTypeChecking(t *testing.T) { func TestTypeChecking(t *testing.T) {
for _, tc := range []struct { for _, tc := range []struct {
name string name string
policy *admissionregistrationv1alpha1.ValidatingAdmissionPolicy policy *admissionregistrationv1beta1.ValidatingAdmissionPolicy
assertFieldRef func(warnings []admissionregistrationv1alpha1.ExpressionWarning, t *testing.T) // warning.fieldRef assertFieldRef func(warnings []admissionregistrationv1beta1.ExpressionWarning, t *testing.T) // warning.fieldRef
assertWarnings func(warnings []admissionregistrationv1alpha1.ExpressionWarning, t *testing.T) // warning.warning assertWarnings func(warnings []admissionregistrationv1beta1.ExpressionWarning, t *testing.T) // warning.warning
}{ }{
{ {
name: "deployment with correct expression", name: "deployment with correct expression",
policy: withGVRMatch([]string{"apps"}, []string{"v1"}, []string{"deployments"}, withValidations([]admissionregistrationv1alpha1.Validation{ policy: withGVRMatch([]string{"apps"}, []string{"v1"}, []string{"deployments"}, withValidations([]admissionregistrationv1beta1.Validation{
{ {
Expression: "object.spec.replicas > 1", Expression: "object.spec.replicas > 1",
}, },
@ -54,7 +54,7 @@ func TestTypeChecking(t *testing.T) {
}, },
{ {
name: "deployment with type confusion", name: "deployment with type confusion",
policy: withGVRMatch([]string{"apps"}, []string{"v1"}, []string{"deployments"}, withValidations([]admissionregistrationv1alpha1.Validation{ policy: withGVRMatch([]string{"apps"}, []string{"v1"}, []string{"deployments"}, withValidations([]admissionregistrationv1beta1.Validation{
{ {
Expression: "object.spec.replicas < 100", // this one passes Expression: "object.spec.replicas < 100", // this one passes
}, },
@ -67,7 +67,7 @@ func TestTypeChecking(t *testing.T) {
}, },
{ {
name: "two expressions different type checking errors", name: "two expressions different type checking errors",
policy: withGVRMatch([]string{"apps"}, []string{"v1"}, []string{"deployments"}, withValidations([]admissionregistrationv1alpha1.Validation{ policy: withGVRMatch([]string{"apps"}, []string{"v1"}, []string{"deployments"}, withValidations([]admissionregistrationv1beta1.Validation{
{ {
Expression: "object.spec.nonExistingFirst > 1", Expression: "object.spec.nonExistingFirst > 1",
}, },
@ -83,7 +83,7 @@ func TestTypeChecking(t *testing.T) {
}, },
{ {
name: "one expression, two warnings", name: "one expression, two warnings",
policy: withGVRMatch([]string{"apps"}, []string{"v1"}, []string{"deployments"}, withValidations([]admissionregistrationv1alpha1.Validation{ policy: withGVRMatch([]string{"apps"}, []string{"v1"}, []string{"deployments"}, withValidations([]admissionregistrationv1beta1.Validation{
{ {
Expression: "object.spec.replicas < 100", // this one passes Expression: "object.spec.replicas < 100", // this one passes
}, },
@ -107,8 +107,8 @@ func TestTypeChecking(t *testing.T) {
RestMapper: testrestmapper.TestOnlyStaticRESTMapper(scheme.Scheme), RestMapper: testrestmapper.TestOnlyStaticRESTMapper(scheme.Scheme),
} }
controller, err := NewController( controller, err := NewController(
informerFactory.Admissionregistration().V1alpha1().ValidatingAdmissionPolicies(), informerFactory.Admissionregistration().V1beta1().ValidatingAdmissionPolicies(),
client.AdmissionregistrationV1alpha1().ValidatingAdmissionPolicies(), client.AdmissionregistrationV1beta1().ValidatingAdmissionPolicies(),
typeChecker, typeChecker,
) )
if err != nil { if err != nil {
@ -120,7 +120,7 @@ func TestTypeChecking(t *testing.T) {
name := policy.Name name := policy.Name
// wait until the typeChecking is set, which means the type checking // wait until the typeChecking is set, which means the type checking
// is complete. // is complete.
updated, err := client.AdmissionregistrationV1alpha1().ValidatingAdmissionPolicies().Get(ctx, name, metav1.GetOptions{}) updated, err := client.AdmissionregistrationV1beta1().ValidatingAdmissionPolicies().Get(ctx, name, metav1.GetOptions{})
if err != nil { if err != nil {
return false, err return false, err
} }
@ -143,8 +143,8 @@ func TestTypeChecking(t *testing.T) {
} }
func toBe(expected ...string) func(warnings []admissionregistrationv1alpha1.ExpressionWarning, t *testing.T) { func toBe(expected ...string) func(warnings []admissionregistrationv1beta1.ExpressionWarning, t *testing.T) {
return func(warnings []admissionregistrationv1alpha1.ExpressionWarning, t *testing.T) { return func(warnings []admissionregistrationv1beta1.ExpressionWarning, t *testing.T) {
if len(expected) != len(warnings) { if len(expected) != len(warnings) {
t.Fatalf("mismatched length, expect %d, got %d", len(expected), len(warnings)) t.Fatalf("mismatched length, expect %d, got %d", len(expected), len(warnings))
} }
@ -156,8 +156,8 @@ func toBe(expected ...string) func(warnings []admissionregistrationv1alpha1.Expr
} }
} }
func toHaveSubstring(substrings ...string) func(warnings []admissionregistrationv1alpha1.ExpressionWarning, t *testing.T) { func toHaveSubstring(substrings ...string) func(warnings []admissionregistrationv1beta1.ExpressionWarning, t *testing.T) {
return func(warnings []admissionregistrationv1alpha1.ExpressionWarning, t *testing.T) { return func(warnings []admissionregistrationv1beta1.ExpressionWarning, t *testing.T) {
if len(substrings) != len(warnings) { if len(substrings) != len(warnings) {
t.Fatalf("mismatched length, expect %d, got %d", len(substrings), len(warnings)) t.Fatalf("mismatched length, expect %d, got %d", len(substrings), len(warnings))
} }
@ -169,8 +169,8 @@ func toHaveSubstring(substrings ...string) func(warnings []admissionregistration
} }
} }
func toHaveMultipleSubstrings(substrings ...[]string) func(warnings []admissionregistrationv1alpha1.ExpressionWarning, t *testing.T) { func toHaveMultipleSubstrings(substrings ...[]string) func(warnings []admissionregistrationv1beta1.ExpressionWarning, t *testing.T) {
return func(warnings []admissionregistrationv1alpha1.ExpressionWarning, t *testing.T) { return func(warnings []admissionregistrationv1beta1.ExpressionWarning, t *testing.T) {
if len(substrings) != len(warnings) { if len(substrings) != len(warnings) {
t.Fatalf("mismatched length, expect %d, got %d", len(substrings), len(warnings)) t.Fatalf("mismatched length, expect %d, got %d", len(substrings), len(warnings))
} }
@ -184,19 +184,19 @@ func toHaveMultipleSubstrings(substrings ...[]string) func(warnings []admissionr
} }
} }
func toHaveLengthOf(n int) func(warnings []admissionregistrationv1alpha1.ExpressionWarning, t *testing.T) { func toHaveLengthOf(n int) func(warnings []admissionregistrationv1beta1.ExpressionWarning, t *testing.T) {
return func(warnings []admissionregistrationv1alpha1.ExpressionWarning, t *testing.T) { return func(warnings []admissionregistrationv1beta1.ExpressionWarning, t *testing.T) {
if n != len(warnings) { if n != len(warnings) {
t.Fatalf("mismatched length, expect %d, got %d", n, len(warnings)) t.Fatalf("mismatched length, expect %d, got %d", n, len(warnings))
} }
} }
} }
func withGVRMatch(groups []string, versions []string, resources []string, policy *admissionregistrationv1alpha1.ValidatingAdmissionPolicy) *admissionregistrationv1alpha1.ValidatingAdmissionPolicy { func withGVRMatch(groups []string, versions []string, resources []string, policy *admissionregistrationv1beta1.ValidatingAdmissionPolicy) *admissionregistrationv1beta1.ValidatingAdmissionPolicy {
policy.Spec.MatchConstraints = &admissionregistrationv1alpha1.MatchResources{ policy.Spec.MatchConstraints = &admissionregistrationv1beta1.MatchResources{
ResourceRules: []admissionregistrationv1alpha1.NamedRuleWithOperations{ ResourceRules: []admissionregistrationv1beta1.NamedRuleWithOperations{
{ {
RuleWithOperations: admissionregistrationv1alpha1.RuleWithOperations{ RuleWithOperations: admissionregistrationv1beta1.RuleWithOperations{
Operations: []admissionregistrationv1.OperationType{ Operations: []admissionregistrationv1.OperationType{
"*", "*",
}, },
@ -212,13 +212,13 @@ func withGVRMatch(groups []string, versions []string, resources []string, policy
return policy return policy
} }
func withValidations(validations []admissionregistrationv1alpha1.Validation, policy *admissionregistrationv1alpha1.ValidatingAdmissionPolicy) *admissionregistrationv1alpha1.ValidatingAdmissionPolicy { func withValidations(validations []admissionregistrationv1beta1.Validation, policy *admissionregistrationv1beta1.ValidatingAdmissionPolicy) *admissionregistrationv1beta1.ValidatingAdmissionPolicy {
policy.Spec.Validations = validations policy.Spec.Validations = validations
return policy return policy
} }
func makePolicy(name string) *admissionregistrationv1alpha1.ValidatingAdmissionPolicy { func makePolicy(name string) *admissionregistrationv1beta1.ValidatingAdmissionPolicy {
return &admissionregistrationv1alpha1.ValidatingAdmissionPolicy{ return &admissionregistrationv1beta1.ValidatingAdmissionPolicy{
ObjectMeta: metav1.ObjectMeta{Name: name}, ObjectMeta: metav1.ObjectMeta{Name: name},
} }
} }


@ -30,7 +30,7 @@ import (
admissionv1 "k8s.io/api/admission/v1" admissionv1 "k8s.io/api/admission/v1"
admissionRegistrationv1 "k8s.io/api/admissionregistration/v1" admissionRegistrationv1 "k8s.io/api/admissionregistration/v1"
"k8s.io/api/admissionregistration/v1alpha1" "k8s.io/api/admissionregistration/v1beta1"
v1 "k8s.io/api/core/v1" v1 "k8s.io/api/core/v1"
k8serrors "k8s.io/apimachinery/pkg/api/errors" k8serrors "k8s.io/apimachinery/pkg/api/errors"
"k8s.io/apimachinery/pkg/api/meta" "k8s.io/apimachinery/pkg/api/meta"
@ -78,7 +78,7 @@ var (
Kind: clusterScopedParamsGVK.Kind + "List", Kind: clusterScopedParamsGVK.Kind + "List",
}, &unstructured.UnstructuredList{}) }, &unstructured.UnstructuredList{})
if err := v1alpha1.AddToScheme(res); err != nil { if err := v1beta1.AddToScheme(res); err != nil {
panic(err) panic(err)
} }
@ -117,25 +117,25 @@ var (
return res return res
}() }()
definitionGVK schema.GroupVersionKind = must3(scheme.ObjectKinds(&v1alpha1.ValidatingAdmissionPolicy{}))[0] definitionGVK schema.GroupVersionKind = must3(scheme.ObjectKinds(&v1beta1.ValidatingAdmissionPolicy{}))[0]
bindingGVK schema.GroupVersionKind = must3(scheme.ObjectKinds(&v1alpha1.ValidatingAdmissionPolicyBinding{}))[0] bindingGVK schema.GroupVersionKind = must3(scheme.ObjectKinds(&v1beta1.ValidatingAdmissionPolicyBinding{}))[0]
definitionsGVR schema.GroupVersionResource = must(fakeRestMapper.RESTMapping(definitionGVK.GroupKind(), definitionGVK.Version)).Resource definitionsGVR schema.GroupVersionResource = must(fakeRestMapper.RESTMapping(definitionGVK.GroupKind(), definitionGVK.Version)).Resource
bindingsGVR schema.GroupVersionResource = must(fakeRestMapper.RESTMapping(bindingGVK.GroupKind(), bindingGVK.Version)).Resource bindingsGVR schema.GroupVersionResource = must(fakeRestMapper.RESTMapping(bindingGVK.GroupKind(), bindingGVK.Version)).Resource
// Common objects // Common objects
denyPolicy *v1alpha1.ValidatingAdmissionPolicy = &v1alpha1.ValidatingAdmissionPolicy{ denyPolicy *v1beta1.ValidatingAdmissionPolicy = &v1beta1.ValidatingAdmissionPolicy{
ObjectMeta: metav1.ObjectMeta{ ObjectMeta: metav1.ObjectMeta{
Name: "denypolicy.example.com", Name: "denypolicy.example.com",
ResourceVersion: "1", ResourceVersion: "1",
}, },
Spec: v1alpha1.ValidatingAdmissionPolicySpec{ Spec: v1beta1.ValidatingAdmissionPolicySpec{
ParamKind: &v1alpha1.ParamKind{ ParamKind: &v1beta1.ParamKind{
APIVersion: paramsGVK.GroupVersion().String(), APIVersion: paramsGVK.GroupVersion().String(),
Kind: paramsGVK.Kind, Kind: paramsGVK.Kind,
}, },
FailurePolicy: ptrTo(v1alpha1.Fail), FailurePolicy: ptrTo(v1beta1.Fail),
Validations: []v1alpha1.Validation{ Validations: []v1beta1.Validation{
{ {
Expression: "messageId for deny policy", Expression: "messageId for deny policy",
}, },
@ -156,61 +156,61 @@ var (
}, },
} }
denyBinding *v1alpha1.ValidatingAdmissionPolicyBinding = &v1alpha1.ValidatingAdmissionPolicyBinding{ denyBinding *v1beta1.ValidatingAdmissionPolicyBinding = &v1beta1.ValidatingAdmissionPolicyBinding{
ObjectMeta: metav1.ObjectMeta{ ObjectMeta: metav1.ObjectMeta{
Name: "denybinding.example.com", Name: "denybinding.example.com",
ResourceVersion: "1", ResourceVersion: "1",
}, },
Spec: v1alpha1.ValidatingAdmissionPolicyBindingSpec{ Spec: v1beta1.ValidatingAdmissionPolicyBindingSpec{
PolicyName: denyPolicy.Name, PolicyName: denyPolicy.Name,
ParamRef: &v1alpha1.ParamRef{ ParamRef: &v1beta1.ParamRef{
Name: fakeParams.GetName(), Name: fakeParams.GetName(),
Namespace: fakeParams.GetNamespace(), Namespace: fakeParams.GetNamespace(),
// fake object tracker does not populate defaults // fake object tracker does not populate defaults
ParameterNotFoundAction: ptrTo(v1alpha1.DenyAction), ParameterNotFoundAction: v1beta1.DenyAction,
}, },
ValidationActions: []v1alpha1.ValidationAction{v1alpha1.Deny}, ValidationActions: []v1beta1.ValidationAction{v1beta1.Deny},
}, },
} }
denyBindingWithNoParamRef *v1alpha1.ValidatingAdmissionPolicyBinding = &v1alpha1.ValidatingAdmissionPolicyBinding{ denyBindingWithNoParamRef *v1beta1.ValidatingAdmissionPolicyBinding = &v1beta1.ValidatingAdmissionPolicyBinding{
ObjectMeta: metav1.ObjectMeta{ ObjectMeta: metav1.ObjectMeta{
Name: "denybinding.example.com", Name: "denybinding.example.com",
ResourceVersion: "1", ResourceVersion: "1",
}, },
Spec: v1alpha1.ValidatingAdmissionPolicyBindingSpec{ Spec: v1beta1.ValidatingAdmissionPolicyBindingSpec{
PolicyName: denyPolicy.Name, PolicyName: denyPolicy.Name,
ValidationActions: []v1alpha1.ValidationAction{v1alpha1.Deny}, ValidationActions: []v1beta1.ValidationAction{v1beta1.Deny},
}, },
} }
denyBindingWithAudit = &v1alpha1.ValidatingAdmissionPolicyBinding{ denyBindingWithAudit = &v1beta1.ValidatingAdmissionPolicyBinding{
ObjectMeta: metav1.ObjectMeta{ ObjectMeta: metav1.ObjectMeta{
Name: "denybinding.example.com", Name: "denybinding.example.com",
ResourceVersion: "1", ResourceVersion: "1",
}, },
Spec: v1alpha1.ValidatingAdmissionPolicyBindingSpec{ Spec: v1beta1.ValidatingAdmissionPolicyBindingSpec{
PolicyName: denyPolicy.Name, PolicyName: denyPolicy.Name,
ValidationActions: []v1alpha1.ValidationAction{v1alpha1.Audit}, ValidationActions: []v1beta1.ValidationAction{v1beta1.Audit},
}, },
} }
denyBindingWithWarn = &v1alpha1.ValidatingAdmissionPolicyBinding{ denyBindingWithWarn = &v1beta1.ValidatingAdmissionPolicyBinding{
ObjectMeta: metav1.ObjectMeta{ ObjectMeta: metav1.ObjectMeta{
Name: "denybinding.example.com", Name: "denybinding.example.com",
ResourceVersion: "1", ResourceVersion: "1",
}, },
Spec: v1alpha1.ValidatingAdmissionPolicyBindingSpec{ Spec: v1beta1.ValidatingAdmissionPolicyBindingSpec{
PolicyName: denyPolicy.Name, PolicyName: denyPolicy.Name,
ValidationActions: []v1alpha1.ValidationAction{v1alpha1.Warn}, ValidationActions: []v1beta1.ValidationAction{v1beta1.Warn},
}, },
} }
denyBindingWithAll = &v1alpha1.ValidatingAdmissionPolicyBinding{ denyBindingWithAll = &v1beta1.ValidatingAdmissionPolicyBinding{
ObjectMeta: metav1.ObjectMeta{ ObjectMeta: metav1.ObjectMeta{
Name: "denybinding.example.com", Name: "denybinding.example.com",
ResourceVersion: "1", ResourceVersion: "1",
}, },
Spec: v1alpha1.ValidatingAdmissionPolicyBindingSpec{ Spec: v1beta1.ValidatingAdmissionPolicyBindingSpec{
PolicyName: denyPolicy.Name, PolicyName: denyPolicy.Name,
ValidationActions: []v1alpha1.ValidationAction{v1alpha1.Deny, v1alpha1.Warn, v1alpha1.Audit}, ValidationActions: []v1beta1.ValidationAction{v1beta1.Deny, v1beta1.Warn, v1beta1.Audit},
}, },
} }
) )
@ -275,7 +275,7 @@ func (f *fakeCompiler) Compile(
return &fakeFilter{} return &fakeFilter{}
} }
func (f *fakeCompiler) RegisterDefinition(definition *v1alpha1.ValidatingAdmissionPolicy, compileFunc func([]cel.ExpressionAccessor, cel.OptionalVariableDeclarations) cel.Filter) { func (f *fakeCompiler) RegisterDefinition(definition *v1beta1.ValidatingAdmissionPolicy, compileFunc func([]cel.ExpressionAccessor, cel.OptionalVariableDeclarations) cel.Filter) {
//Key must be something that we can decipher from the inputs to Validate so using expression which will be passed to validate on the filter //Key must be something that we can decipher from the inputs to Validate so using expression which will be passed to validate on the filter
key := definition.Spec.Validations[0].Expression key := definition.Spec.Validations[0].Expression
if compileFunc != nil { if compileFunc != nil {
@ -321,7 +321,7 @@ type fakeValidator struct {
ValidateFunc func(ctx context.Context, versionedAttr *admission.VersionedAttributes, versionedParams runtime.Object, namespace *v1.Namespace, runtimeCELCostBudget int64, authz authorizer.Authorizer) ValidateResult ValidateFunc func(ctx context.Context, versionedAttr *admission.VersionedAttributes, versionedParams runtime.Object, namespace *v1.Namespace, runtimeCELCostBudget int64, authz authorizer.Authorizer) ValidateResult
} }
func (f *fakeValidator) RegisterDefinition(definition *v1alpha1.ValidatingAdmissionPolicy, validateFunc func(ctx context.Context, versionedAttr *admission.VersionedAttributes, versionedParams runtime.Object, namespace *v1.Namespace, runtimeCELCostBudget int64, authz authorizer.Authorizer) ValidateResult) { func (f *fakeValidator) RegisterDefinition(definition *v1beta1.ValidatingAdmissionPolicy, validateFunc func(ctx context.Context, versionedAttr *admission.VersionedAttributes, versionedParams runtime.Object, namespace *v1.Namespace, runtimeCELCostBudget int64, authz authorizer.Authorizer) ValidateResult) {
//Key must be something that we can decipher from the inputs to Validate so using message which will be on the validationCondition object of evalResult //Key must be something that we can decipher from the inputs to Validate so using message which will be on the validationCondition object of evalResult
var key string var key string
if len(definition.Spec.Validations) > 0 { if len(definition.Spec.Validations) > 0 {
@ -354,11 +354,11 @@ func (f *fakeMatcher) GetNamespace(name string) (*v1.Namespace, error) {
type fakeMatcher struct { type fakeMatcher struct {
DefaultMatch bool DefaultMatch bool
DefinitionMatchFuncs map[namespacedName]func(*v1alpha1.ValidatingAdmissionPolicy, admission.Attributes) bool DefinitionMatchFuncs map[namespacedName]func(*v1beta1.ValidatingAdmissionPolicy, admission.Attributes) bool
BindingMatchFuncs map[namespacedName]func(*v1alpha1.ValidatingAdmissionPolicyBinding, admission.Attributes) bool BindingMatchFuncs map[namespacedName]func(*v1beta1.ValidatingAdmissionPolicyBinding, admission.Attributes) bool
} }
func (f *fakeMatcher) RegisterDefinition(definition *v1alpha1.ValidatingAdmissionPolicy, matchFunc func(*v1alpha1.ValidatingAdmissionPolicy, admission.Attributes) bool) { func (f *fakeMatcher) RegisterDefinition(definition *v1beta1.ValidatingAdmissionPolicy, matchFunc func(*v1beta1.ValidatingAdmissionPolicy, admission.Attributes) bool) {
namespace, name := definition.Namespace, definition.Name namespace, name := definition.Namespace, definition.Name
key := namespacedName{ key := namespacedName{
name: name, name: name,
@ -367,13 +367,13 @@ func (f *fakeMatcher) RegisterDefinition(definition *v1alpha1.ValidatingAdmissio
if matchFunc != nil { if matchFunc != nil {
if f.DefinitionMatchFuncs == nil { if f.DefinitionMatchFuncs == nil {
f.DefinitionMatchFuncs = make(map[namespacedName]func(*v1alpha1.ValidatingAdmissionPolicy, admission.Attributes) bool) f.DefinitionMatchFuncs = make(map[namespacedName]func(*v1beta1.ValidatingAdmissionPolicy, admission.Attributes) bool)
} }
f.DefinitionMatchFuncs[key] = matchFunc f.DefinitionMatchFuncs[key] = matchFunc
} }
} }
func (f *fakeMatcher) RegisterBinding(binding *v1alpha1.ValidatingAdmissionPolicyBinding, matchFunc func(*v1alpha1.ValidatingAdmissionPolicyBinding, admission.Attributes) bool) { func (f *fakeMatcher) RegisterBinding(binding *v1beta1.ValidatingAdmissionPolicyBinding, matchFunc func(*v1beta1.ValidatingAdmissionPolicyBinding, admission.Attributes) bool) {
namespace, name := binding.Namespace, binding.Name namespace, name := binding.Namespace, binding.Name
key := namespacedName{ key := namespacedName{
name: name, name: name,
@ -382,7 +382,7 @@ func (f *fakeMatcher) RegisterBinding(binding *v1alpha1.ValidatingAdmissionPolic
if matchFunc != nil { if matchFunc != nil {
if f.BindingMatchFuncs == nil { if f.BindingMatchFuncs == nil {
f.BindingMatchFuncs = make(map[namespacedName]func(*v1alpha1.ValidatingAdmissionPolicyBinding, admission.Attributes) bool) f.BindingMatchFuncs = make(map[namespacedName]func(*v1beta1.ValidatingAdmissionPolicyBinding, admission.Attributes) bool)
} }
f.BindingMatchFuncs[key] = matchFunc f.BindingMatchFuncs[key] = matchFunc
} }
@ -390,7 +390,7 @@ func (f *fakeMatcher) RegisterBinding(binding *v1alpha1.ValidatingAdmissionPolic
// Matches says whether this policy definition matches the provided admission // Matches says whether this policy definition matches the provided admission
// resource request // resource request
func (f *fakeMatcher) DefinitionMatches(a admission.Attributes, o admission.ObjectInterfaces, definition *v1alpha1.ValidatingAdmissionPolicy) (bool, schema.GroupVersionKind, error) { func (f *fakeMatcher) DefinitionMatches(a admission.Attributes, o admission.ObjectInterfaces, definition *v1beta1.ValidatingAdmissionPolicy) (bool, schema.GroupVersionKind, error) {
namespace, name := definition.Namespace, definition.Name namespace, name := definition.Namespace, definition.Name
key := namespacedName{ key := namespacedName{
name: name, name: name,
@ -406,7 +406,7 @@ func (f *fakeMatcher) DefinitionMatches(a admission.Attributes, o admission.Obje
// Matches says whether this policy definition matches the provided admission // Matches says whether this policy definition matches the provided admission
// resource request // resource request
func (f *fakeMatcher) BindingMatches(a admission.Attributes, o admission.ObjectInterfaces, binding *v1alpha1.ValidatingAdmissionPolicyBinding) (bool, error) { func (f *fakeMatcher) BindingMatches(a admission.Attributes, o admission.ObjectInterfaces, binding *v1beta1.ValidatingAdmissionPolicyBinding) (bool, error) {
namespace, name := binding.Namespace, binding.Name namespace, name := binding.Namespace, binding.Name
key := namespacedName{ key := namespacedName{
name: name, name: name,
@ -516,7 +516,7 @@ func setupTestCommon(t *testing.T, compiler cel.FilterCompiler, matcher Matcher,
i := 0 i := 0
dummyPolicy := &v1alpha1.ValidatingAdmissionPolicy{ dummyPolicy := &v1beta1.ValidatingAdmissionPolicy{
ObjectMeta: metav1.ObjectMeta{ ObjectMeta: metav1.ObjectMeta{
Name: "dummypolicy.example.com", Name: "dummypolicy.example.com",
Annotations: map[string]string{ Annotations: map[string]string{
@ -525,7 +525,7 @@ func setupTestCommon(t *testing.T, compiler cel.FilterCompiler, matcher Matcher,
}, },
} }
dummyBinding := &v1alpha1.ValidatingAdmissionPolicyBinding{ dummyBinding := &v1beta1.ValidatingAdmissionPolicyBinding{
ObjectMeta: metav1.ObjectMeta{ ObjectMeta: metav1.ObjectMeta{
Name: "dummybinding.example.com", Name: "dummybinding.example.com",
Annotations: map[string]string{ Annotations: map[string]string{
@ -581,7 +581,7 @@ func (c *celAdmissionController) getCurrentObject(obj runtime.Object) (runtime.O
defer c.policyController.mutex.RUnlock() defer c.policyController.mutex.RUnlock()
switch obj.(type) { switch obj.(type) {
case *v1alpha1.ValidatingAdmissionPolicyBinding: case *v1beta1.ValidatingAdmissionPolicyBinding:
nn := getNamespaceName(accessor.GetNamespace(), accessor.GetName()) nn := getNamespaceName(accessor.GetNamespace(), accessor.GetName())
info, ok := c.policyController.bindingInfos[nn] info, ok := c.policyController.bindingInfos[nn]
if !ok { if !ok {
@ -589,7 +589,7 @@ func (c *celAdmissionController) getCurrentObject(obj runtime.Object) (runtime.O
} }
return info.lastReconciledValue, nil return info.lastReconciledValue, nil
case *v1alpha1.ValidatingAdmissionPolicy: case *v1beta1.ValidatingAdmissionPolicy:
nn := getNamespaceName(accessor.GetNamespace(), accessor.GetName()) nn := getNamespaceName(accessor.GetNamespace(), accessor.GetName())
info, ok := c.policyController.definitionInfo[nn] info, ok := c.policyController.definitionInfo[nn]
if !ok { if !ok {
@ -601,7 +601,7 @@ func (c *celAdmissionController) getCurrentObject(obj runtime.Object) (runtime.O
// If test isn't trying to fetch a policy or binding, assume it is // If test isn't trying to fetch a policy or binding, assume it is
// fetching a param // fetching a param
paramSourceGVK := obj.GetObjectKind().GroupVersionKind() paramSourceGVK := obj.GetObjectKind().GroupVersionKind()
paramKind := v1alpha1.ParamKind{ paramKind := v1beta1.ParamKind{
APIVersion: paramSourceGVK.GroupVersion().String(), APIVersion: paramSourceGVK.GroupVersion().String(),
Kind: paramSourceGVK.Kind, Kind: paramSourceGVK.Kind,
} }
@ -915,7 +915,7 @@ func TestDefinitionDoesntMatch(t *testing.T) {
} }
}) })
matcher.RegisterDefinition(denyPolicy, func(vap *v1alpha1.ValidatingAdmissionPolicy, a admission.Attributes) bool { matcher.RegisterDefinition(denyPolicy, func(vap *v1beta1.ValidatingAdmissionPolicy, a admission.Attributes) bool {
// Match names with even-numbered length // Match names with even-numbered length
obj := a.GetObject() obj := a.GetObject()
@ -1030,19 +1030,19 @@ func TestReconfigureBinding(t *testing.T) {
} }
}) })
denyBinding2 := &v1alpha1.ValidatingAdmissionPolicyBinding{ denyBinding2 := &v1beta1.ValidatingAdmissionPolicyBinding{
ObjectMeta: metav1.ObjectMeta{ ObjectMeta: metav1.ObjectMeta{
Name: "denybinding.example.com", Name: "denybinding.example.com",
ResourceVersion: "2", ResourceVersion: "2",
}, },
Spec: v1alpha1.ValidatingAdmissionPolicyBindingSpec{ Spec: v1beta1.ValidatingAdmissionPolicyBindingSpec{
PolicyName: denyPolicy.Name, PolicyName: denyPolicy.Name,
ParamRef: &v1alpha1.ParamRef{ ParamRef: &v1beta1.ParamRef{
Name: fakeParams2.GetName(), Name: fakeParams2.GetName(),
Namespace: fakeParams2.GetNamespace(), Namespace: fakeParams2.GetNamespace(),
ParameterNotFoundAction: ptrTo(v1alpha1.DenyAction), ParameterNotFoundAction: v1beta1.DenyAction,
}, },
ValidationActions: []v1alpha1.ValidationAction{v1alpha1.Deny}, ValidationActions: []v1beta1.ValidationAction{v1beta1.Deny},
}, },
} }
@ -1251,7 +1251,7 @@ func TestInvalidParamSourceGVK(t *testing.T) {
passedParams := make(chan *unstructured.Unstructured) passedParams := make(chan *unstructured.Unstructured)
badPolicy := *denyPolicy badPolicy := *denyPolicy
badPolicy.Spec.ParamKind = &v1alpha1.ParamKind{ badPolicy.Spec.ParamKind = &v1beta1.ParamKind{
APIVersion: paramsGVK.GroupVersion().String(), APIVersion: paramsGVK.GroupVersion().String(),
Kind: "BadParamKind", Kind: "BadParamKind",
} }
@ -1499,13 +1499,13 @@ func TestMultiplePoliciesSharedParamType(t *testing.T) {
// Use ConfigMap native-typed param // Use ConfigMap native-typed param
policy1 := *denyPolicy policy1 := *denyPolicy
policy1.Name = "denypolicy1.example.com" policy1.Name = "denypolicy1.example.com"
policy1.Spec = v1alpha1.ValidatingAdmissionPolicySpec{ policy1.Spec = v1beta1.ValidatingAdmissionPolicySpec{
ParamKind: &v1alpha1.ParamKind{ ParamKind: &v1beta1.ParamKind{
APIVersion: paramsGVK.GroupVersion().String(), APIVersion: paramsGVK.GroupVersion().String(),
Kind: paramsGVK.Kind, Kind: paramsGVK.Kind,
}, },
FailurePolicy: ptrTo(v1alpha1.Fail), FailurePolicy: ptrTo(v1beta1.Fail),
Validations: []v1alpha1.Validation{ Validations: []v1beta1.Validation{
{ {
Expression: "policy1", Expression: "policy1",
}, },
@ -1514,13 +1514,13 @@ func TestMultiplePoliciesSharedParamType(t *testing.T) {
policy2 := *denyPolicy policy2 := *denyPolicy
policy2.Name = "denypolicy2.example.com" policy2.Name = "denypolicy2.example.com"
policy2.Spec = v1alpha1.ValidatingAdmissionPolicySpec{ policy2.Spec = v1beta1.ValidatingAdmissionPolicySpec{
ParamKind: &v1alpha1.ParamKind{ ParamKind: &v1beta1.ParamKind{
APIVersion: paramsGVK.GroupVersion().String(), APIVersion: paramsGVK.GroupVersion().String(),
Kind: paramsGVK.Kind, Kind: paramsGVK.Kind,
}, },
FailurePolicy: ptrTo(v1alpha1.Fail), FailurePolicy: ptrTo(v1beta1.Fail),
Validations: []v1alpha1.Validation{ Validations: []v1beta1.Validation{
{ {
Expression: "policy2", Expression: "policy2",
}, },
@ -1665,7 +1665,7 @@ func TestNativeTypeParam(t *testing.T) {
// Use ConfigMap native-typed param // Use ConfigMap native-typed param
nativeTypeParamPolicy := *denyPolicy nativeTypeParamPolicy := *denyPolicy
nativeTypeParamPolicy.Spec.ParamKind = &v1alpha1.ParamKind{ nativeTypeParamPolicy.Spec.ParamKind = &v1beta1.ParamKind{
APIVersion: "v1", APIVersion: "v1",
Kind: "ConfigMap", Kind: "ConfigMap",
} }
@ -1800,7 +1800,7 @@ func TestAuditValidationAction(t *testing.T) {
expected := []validationFailureValue{{ expected := []validationFailureValue{{
ExpressionIndex: 0, ExpressionIndex: 0,
Message: "I'm sorry Dave", Message: "I'm sorry Dave",
ValidationActions: []v1alpha1.ValidationAction{v1alpha1.Audit}, ValidationActions: []v1beta1.ValidationAction{v1beta1.Audit},
Binding: "denybinding.example.com", Binding: "denybinding.example.com",
Policy: noParamSourcePolicy.Name, Policy: noParamSourcePolicy.Name,
}} }}
@ -1931,7 +1931,7 @@ func TestAllValidationActions(t *testing.T) {
expected := []validationFailureValue{{ expected := []validationFailureValue{{
ExpressionIndex: 0, ExpressionIndex: 0,
Message: "I'm sorry Dave", Message: "I'm sorry Dave",
ValidationActions: []v1alpha1.ValidationAction{v1alpha1.Deny, v1alpha1.Warn, v1alpha1.Audit}, ValidationActions: []v1beta1.ValidationAction{v1beta1.Deny, v1beta1.Warn, v1beta1.Audit},
Binding: "denybinding.example.com", Binding: "denybinding.example.com",
Policy: noParamSourcePolicy.Name, Policy: noParamSourcePolicy.Name,
}} }}
@ -1957,13 +1957,13 @@ func TestNamespaceParamRefName(t *testing.T) {
// Use ConfigMap native-typed param // Use ConfigMap native-typed param
nativeTypeParamPolicy := *denyPolicy nativeTypeParamPolicy := *denyPolicy
nativeTypeParamPolicy.Spec.ParamKind = &v1alpha1.ParamKind{ nativeTypeParamPolicy.Spec.ParamKind = &v1beta1.ParamKind{
APIVersion: "v1", APIVersion: "v1",
Kind: "ConfigMap", Kind: "ConfigMap",
} }
namespaceParamBinding := *denyBinding namespaceParamBinding := *denyBinding
namespaceParamBinding.Spec.ParamRef = &v1alpha1.ParamRef{ namespaceParamBinding.Spec.ParamRef = &v1beta1.ParamRef{
Name: "replicas-test.example.com", Name: "replicas-test.example.com",
} }
@ -2194,7 +2194,7 @@ func testParamRefCase(t *testing.T, paramIsClusterScoped, nameIsSet, namespaceIs
// Create a cluster scoped and a namespace scoped CRD // Create a cluster scoped and a namespace scoped CRD
policy := *denyPolicy policy := *denyPolicy
binding := *denyBinding binding := *denyBinding
binding.Spec.ParamRef = &v1alpha1.ParamRef{} binding.Spec.ParamRef = &v1beta1.ParamRef{}
paramRef := binding.Spec.ParamRef paramRef := binding.Spec.ParamRef
shouldErrorOnClusterScopedRequests := !namespaceIsSet && !paramIsClusterScoped shouldErrorOnClusterScopedRequests := !namespaceIsSet && !paramIsClusterScoped
@ -2208,12 +2208,12 @@ func testParamRefCase(t *testing.T, paramIsClusterScoped, nameIsSet, namespaceIs
otherNonmatchingLabels := labels.Set{"notaffiliated": "no"} otherNonmatchingLabels := labels.Set{"notaffiliated": "no"}
if paramIsClusterScoped { if paramIsClusterScoped {
policy.Spec.ParamKind = &v1alpha1.ParamKind{ policy.Spec.ParamKind = &v1beta1.ParamKind{
APIVersion: clusterScopedParamsGVK.GroupVersion().String(), APIVersion: clusterScopedParamsGVK.GroupVersion().String(),
Kind: clusterScopedParamsGVK.Kind, Kind: clusterScopedParamsGVK.Kind,
} }
} else { } else {
policy.Spec.ParamKind = &v1alpha1.ParamKind{ policy.Spec.ParamKind = &v1beta1.ParamKind{
APIVersion: paramsGVK.GroupVersion().String(), APIVersion: paramsGVK.GroupVersion().String(),
Kind: paramsGVK.Kind, Kind: paramsGVK.Kind,
} }
@ -2232,9 +2232,9 @@ func testParamRefCase(t *testing.T, paramIsClusterScoped, nameIsSet, namespaceIs
} }
if denyNotFound { if denyNotFound {
paramRef.ParameterNotFoundAction = ptrTo(v1alpha1.DenyAction) paramRef.ParameterNotFoundAction = v1beta1.DenyAction
} else { } else {
paramRef.ParameterNotFoundAction = ptrTo(v1alpha1.AllowAction) paramRef.ParameterNotFoundAction = v1beta1.AllowAction
} }
compiler := &fakeCompiler{} compiler := &fakeCompiler{}
@ -2486,13 +2486,13 @@ func TestNamespaceParamRefClusterScopedParamError(t *testing.T) {
// Use ValidatingAdmissionPolicy for param type since it is cluster-scoped // Use ValidatingAdmissionPolicy for param type since it is cluster-scoped
nativeTypeParamPolicy := *denyPolicy nativeTypeParamPolicy := *denyPolicy
nativeTypeParamPolicy.Spec.ParamKind = &v1alpha1.ParamKind{ nativeTypeParamPolicy.Spec.ParamKind = &v1beta1.ParamKind{
APIVersion: "admissionregistration.k8s.io/v1alpha1", APIVersion: "admissionregistration.k8s.io/v1beta1",
Kind: "ValidatingAdmissionPolicy", Kind: "ValidatingAdmissionPolicy",
} }
namespaceParamBinding := *denyBinding namespaceParamBinding := *denyBinding
namespaceParamBinding.Spec.ParamRef = &v1alpha1.ParamRef{ namespaceParamBinding.Spec.ParamRef = &v1beta1.ParamRef{
Name: "other-param-to-use-with-no-label.example.com", Name: "other-param-to-use-with-no-label.example.com",
Namespace: "mynamespace", Namespace: "mynamespace",
} }
@ -2507,7 +2507,7 @@ func TestNamespaceParamRefClusterScopedParamError(t *testing.T) {
validator.RegisterDefinition(&nativeTypeParamPolicy, func(ctx context.Context, versionedAttr *admission.VersionedAttributes, versionedParams runtime.Object, namespace *v1.Namespace, runtimeCELCostBudget int64, authz authorizer.Authorizer) ValidateResult { validator.RegisterDefinition(&nativeTypeParamPolicy, func(ctx context.Context, versionedAttr *admission.VersionedAttributes, versionedParams runtime.Object, namespace *v1.Namespace, runtimeCELCostBudget int64, authz authorizer.Authorizer) ValidateResult {
evaluations.Add(1) evaluations.Add(1)
if _, ok := versionedParams.(*v1alpha1.ValidatingAdmissionPolicy); ok { if _, ok := versionedParams.(*v1beta1.ValidatingAdmissionPolicy); ok {
return ValidateResult{ return ValidateResult{
Decisions: []PolicyDecision{ Decisions: []PolicyDecision{
{ {


@ -25,7 +25,7 @@ import (
"sync/atomic" "sync/atomic"
"time" "time"
"k8s.io/api/admissionregistration/v1alpha1" "k8s.io/api/admissionregistration/v1beta1"
v1 "k8s.io/api/core/v1" v1 "k8s.io/api/core/v1"
k8serrors "k8s.io/apimachinery/pkg/api/errors" k8serrors "k8s.io/apimachinery/pkg/api/errors"
"k8s.io/apimachinery/pkg/api/meta" "k8s.io/apimachinery/pkg/api/meta"
@ -81,8 +81,8 @@ type policyData struct {
// that determined the decision // that determined the decision
type policyDecisionWithMetadata struct { type policyDecisionWithMetadata struct {
PolicyDecision PolicyDecision
Definition *v1alpha1.ValidatingAdmissionPolicy Definition *v1beta1.ValidatingAdmissionPolicy
Binding *v1alpha1.ValidatingAdmissionPolicyBinding Binding *v1beta1.ValidatingAdmissionPolicyBinding
} }
// namespaceName is used as a key in definitionInfo and bindingInfos // namespaceName is used as a key in definitionInfo and bindingInfos
@ -98,7 +98,7 @@ type definitionInfo struct {
// Last value seen by this controller to be used in policy enforcement // Last value seen by this controller to be used in policy enforcement
// May not be nil // May not be nil
lastReconciledValue *v1alpha1.ValidatingAdmissionPolicy lastReconciledValue *v1beta1.ValidatingAdmissionPolicy
} }
type bindingInfo struct { type bindingInfo struct {
@ -107,7 +107,7 @@ type bindingInfo struct {
// Last value seen by this controller to be used in policy enforcement // Last value seen by this controller to be used in policy enforcement
// May not be nil // May not be nil
lastReconciledValue *v1alpha1.ValidatingAdmissionPolicyBinding lastReconciledValue *v1beta1.ValidatingAdmissionPolicyBinding
} }
type paramInfo struct { type paramInfo struct {
@ -141,10 +141,10 @@ func NewAdmissionController(
informerFactory, informerFactory,
nil, nil,
NewMatcher(matching.NewMatcher(informerFactory.Core().V1().Namespaces().Lister(), client)), NewMatcher(matching.NewMatcher(informerFactory.Core().V1().Namespaces().Lister(), client)),
generic.NewInformer[*v1alpha1.ValidatingAdmissionPolicy]( generic.NewInformer[*v1beta1.ValidatingAdmissionPolicy](
informerFactory.Admissionregistration().V1alpha1().ValidatingAdmissionPolicies().Informer()), informerFactory.Admissionregistration().V1beta1().ValidatingAdmissionPolicies().Informer()),
generic.NewInformer[*v1alpha1.ValidatingAdmissionPolicyBinding]( generic.NewInformer[*v1beta1.ValidatingAdmissionPolicyBinding](
informerFactory.Admissionregistration().V1alpha1().ValidatingAdmissionPolicyBindings().Informer()), informerFactory.Admissionregistration().V1beta1().ValidatingAdmissionPolicyBindings().Informer()),
), ),
authz: authz, authz: authz,
} }
@ -192,21 +192,21 @@ func (c *celAdmissionController) Validate(
var deniedDecisions []policyDecisionWithMetadata var deniedDecisions []policyDecisionWithMetadata
addConfigError := func(err error, definition *v1alpha1.ValidatingAdmissionPolicy, binding *v1alpha1.ValidatingAdmissionPolicyBinding) { addConfigError := func(err error, definition *v1beta1.ValidatingAdmissionPolicy, binding *v1beta1.ValidatingAdmissionPolicyBinding) {
// we always default the FailurePolicy if it is unset and validate it in API level // we always default the FailurePolicy if it is unset and validate it in API level
var policy v1alpha1.FailurePolicyType var policy v1beta1.FailurePolicyType
if definition.Spec.FailurePolicy == nil { if definition.Spec.FailurePolicy == nil {
policy = v1alpha1.Fail policy = v1beta1.Fail
} else { } else {
policy = *definition.Spec.FailurePolicy policy = *definition.Spec.FailurePolicy
} }
// apply FailurePolicy specified in ValidatingAdmissionPolicy, the default would be Fail // apply FailurePolicy specified in ValidatingAdmissionPolicy, the default would be Fail
switch policy { switch policy {
case v1alpha1.Ignore: case v1beta1.Ignore:
// TODO: add metrics for ignored error here // TODO: add metrics for ignored error here
return return
case v1alpha1.Fail: case v1beta1.Fail:
var message string var message string
if binding == nil { if binding == nil {
message = fmt.Errorf("failed to configure policy: %w", err).Error() message = fmt.Errorf("failed to configure policy: %w", err).Error()
@ -336,17 +336,17 @@ func (c *celAdmissionController) Validate(
case ActionDeny: case ActionDeny:
for _, action := range binding.Spec.ValidationActions { for _, action := range binding.Spec.ValidationActions {
switch action { switch action {
case v1alpha1.Deny: case v1beta1.Deny:
deniedDecisions = append(deniedDecisions, policyDecisionWithMetadata{ deniedDecisions = append(deniedDecisions, policyDecisionWithMetadata{
Definition: definition, Definition: definition,
Binding: binding, Binding: binding,
PolicyDecision: decision, PolicyDecision: decision,
}) })
celmetrics.Metrics.ObserveRejection(ctx, decision.Elapsed, definition.Name, binding.Name, "active") celmetrics.Metrics.ObserveRejection(ctx, decision.Elapsed, definition.Name, binding.Name, "active")
case v1alpha1.Audit: case v1beta1.Audit:
c.publishValidationFailureAnnotation(binding, i, decision, versionedAttr) c.publishValidationFailureAnnotation(binding, i, decision, versionedAttr)
celmetrics.Metrics.ObserveAudit(ctx, decision.Elapsed, definition.Name, binding.Name, "active") celmetrics.Metrics.ObserveAudit(ctx, decision.Elapsed, definition.Name, binding.Name, "active")
case v1alpha1.Warn: case v1beta1.Warn:
warning.AddWarning(ctx, "", fmt.Sprintf("Validation failed for ValidatingAdmissionPolicy '%s' with binding '%s': %s", definition.Name, binding.Name, decision.Message)) warning.AddWarning(ctx, "", fmt.Sprintf("Validation failed for ValidatingAdmissionPolicy '%s' with binding '%s': %s", definition.Name, binding.Name, decision.Message))
celmetrics.Metrics.ObserveWarn(ctx, decision.Elapsed, definition.Name, binding.Name, "active") celmetrics.Metrics.ObserveWarn(ctx, decision.Elapsed, definition.Name, binding.Name, "active")
} }
@ -412,9 +412,9 @@ func (c *celAdmissionController) Validate(
// Returns objects to use to evaluate the policy // Returns objects to use to evaluate the policy
func (c *celAdmissionController) collectParams( func (c *celAdmissionController) collectParams(
paramKind *v1alpha1.ParamKind, paramKind *v1beta1.ParamKind,
info paramInfo, info paramInfo,
paramRef *v1alpha1.ParamRef, paramRef *v1beta1.ParamRef,
namespace string, namespace string,
) ([]runtime.Object, error) { ) ([]runtime.Object, error) {
// If definition has paramKind, paramRef is required in binding. // If definition has paramKind, paramRef is required in binding.
@ -520,14 +520,14 @@ func (c *celAdmissionController) collectParams(
} }
// Apply fail action for params not found case // Apply fail action for params not found case
if len(params) == 0 && paramRef.ParameterNotFoundAction != nil && *paramRef.ParameterNotFoundAction == v1alpha1.DenyAction { if len(params) == 0 && paramRef.ParameterNotFoundAction != nil && *paramRef.ParameterNotFoundAction == v1beta1.DenyAction {
return nil, errors.New("no params found for policy binding with `Deny` parameterNotFoundAction") return nil, errors.New("no params found for policy binding with `Deny` parameterNotFoundAction")
} }
return params, nil return params, nil
} }
func (c *celAdmissionController) publishValidationFailureAnnotation(binding *v1alpha1.ValidatingAdmissionPolicyBinding, expressionIndex int, decision PolicyDecision, attributes admission.Attributes) { func (c *celAdmissionController) publishValidationFailureAnnotation(binding *v1beta1.ValidatingAdmissionPolicyBinding, expressionIndex int, decision PolicyDecision, attributes admission.Attributes) {
key := "validation.policy.admission.k8s.io/validation_failure" key := "validation.policy.admission.k8s.io/validation_failure"
// Marshal to a list of failures since, in the future, we may need to support multiple failures // Marshal to a list of failures since, in the future, we may need to support multiple failures
valueJson, err := utiljson.Marshal([]validationFailureValue{{ valueJson, err := utiljson.Marshal([]validationFailureValue{{
@ -561,11 +561,11 @@ func (c *celAdmissionController) refreshPolicies() {
// validationFailureValue defines the JSON format of a "validation.policy.admission.k8s.io/validation_failure" audit // validationFailureValue defines the JSON format of a "validation.policy.admission.k8s.io/validation_failure" audit
// annotation value. // annotation value.
type validationFailureValue struct { type validationFailureValue struct {
Message string `json:"message"` Message string `json:"message"`
Policy string `json:"policy"` Policy string `json:"policy"`
Binding string `json:"binding"` Binding string `json:"binding"`
ExpressionIndex int `json:"expressionIndex"` ExpressionIndex int `json:"expressionIndex"`
ValidationActions []v1alpha1.ValidationAction `json:"validationActions"` ValidationActions []v1beta1.ValidationAction `json:"validationActions"`
} }
type auditAnnotationCollector struct { type auditAnnotationCollector struct {
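Review bot: The parameter-not-found guard at the end of collectParams still reads `paramRef.ParameterNotFoundAction != nil && *paramRef.ParameterNotFoundAction == v1beta1.DenyAction`, while the test changes on this page now assign `v1beta1.DenyAction` and `v1beta1.AllowAction` to that field without `ptrTo`. The two sides cannot both compile against one field type; the v1beta1 type definition is not shown here, so this is inferred. Whichever form is kept, an unset action should not fall through to `return params, nil` with an empty list, because that path skips the Deny error on an admission decision. I would write the guard as `if len(params) == 0 && (paramRef.ParameterNotFoundAction == nil || *paramRef.ParameterNotFoundAction == v1beta1.DenyAction) {`, or put a comment above it stating that API validation guarantees the field is set. collectParams begins outside this hunk.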


@ -23,7 +23,7 @@ import (
"time" "time"
v1 "k8s.io/api/admissionregistration/v1" v1 "k8s.io/api/admissionregistration/v1"
"k8s.io/api/admissionregistration/v1alpha1" "k8s.io/api/admissionregistration/v1beta1"
corev1 "k8s.io/api/core/v1" corev1 "k8s.io/api/core/v1"
apiequality "k8s.io/apimachinery/pkg/api/equality" apiequality "k8s.io/apimachinery/pkg/api/equality"
"k8s.io/apimachinery/pkg/api/meta" "k8s.io/apimachinery/pkg/api/meta"
@ -49,8 +49,8 @@ type policyController struct {
dynamicClient dynamic.Interface dynamicClient dynamic.Interface
informerFactory informers.SharedInformerFactory informerFactory informers.SharedInformerFactory
restMapper meta.RESTMapper restMapper meta.RESTMapper
policyDefinitionsController generic.Controller[*v1alpha1.ValidatingAdmissionPolicy] policyDefinitionsController generic.Controller[*v1beta1.ValidatingAdmissionPolicy]
policyBindingController generic.Controller[*v1alpha1.ValidatingAdmissionPolicyBinding] policyBindingController generic.Controller[*v1beta1.ValidatingAdmissionPolicyBinding]
// Provided to the policy's Compile function as an injected dependency to // Provided to the policy's Compile function as an injected dependency to
// assist with compiling its expressions to CEL // assist with compiling its expressions to CEL
@ -70,7 +70,7 @@ type policyController struct {
cachedPolicies []policyData cachedPolicies []policyData
// controller and metadata // controller and metadata
paramsCRDControllers map[v1alpha1.ParamKind]*paramInfo paramsCRDControllers map[v1beta1.ParamKind]*paramInfo
// Index for each definition namespace/name, contains all binding // Index for each definition namespace/name, contains all binding
// namespace/names known to exist for that definition // namespace/names known to exist for that definition
@ -96,15 +96,15 @@ func newPolicyController(
informerFactory informers.SharedInformerFactory, informerFactory informers.SharedInformerFactory,
filterCompiler cel.FilterCompiler, filterCompiler cel.FilterCompiler,
matcher Matcher, matcher Matcher,
policiesInformer generic.Informer[*v1alpha1.ValidatingAdmissionPolicy], policiesInformer generic.Informer[*v1beta1.ValidatingAdmissionPolicy],
bindingsInformer generic.Informer[*v1alpha1.ValidatingAdmissionPolicyBinding], bindingsInformer generic.Informer[*v1beta1.ValidatingAdmissionPolicyBinding],
) *policyController { ) *policyController {
res := &policyController{} res := &policyController{}
*res = policyController{ *res = policyController{
filterCompiler: filterCompiler, filterCompiler: filterCompiler,
definitionInfo: make(map[namespacedName]*definitionInfo), definitionInfo: make(map[namespacedName]*definitionInfo),
bindingInfos: make(map[namespacedName]*bindingInfo), bindingInfos: make(map[namespacedName]*bindingInfo),
paramsCRDControllers: make(map[v1alpha1.ParamKind]*paramInfo), paramsCRDControllers: make(map[v1beta1.ParamKind]*paramInfo),
definitionsToBindings: make(map[namespacedName]sets.Set[namespacedName]), definitionsToBindings: make(map[namespacedName]sets.Set[namespacedName]),
matcher: matcher, matcher: matcher,
newValidator: NewValidator, newValidator: NewValidator,
@ -160,14 +160,14 @@ func (c *policyController) HasSynced() bool {
return c.policyDefinitionsController.HasSynced() && c.policyBindingController.HasSynced() return c.policyDefinitionsController.HasSynced() && c.policyBindingController.HasSynced()
} }
func (c *policyController) reconcilePolicyDefinition(namespace, name string, definition *v1alpha1.ValidatingAdmissionPolicy) error { func (c *policyController) reconcilePolicyDefinition(namespace, name string, definition *v1beta1.ValidatingAdmissionPolicy) error {
c.mutex.Lock() c.mutex.Lock()
defer c.mutex.Unlock() defer c.mutex.Unlock()
err := c.reconcilePolicyDefinitionSpec(namespace, name, definition) err := c.reconcilePolicyDefinitionSpec(namespace, name, definition)
return err return err
} }
func (c *policyController) reconcilePolicyDefinitionSpec(namespace, name string, definition *v1alpha1.ValidatingAdmissionPolicy) error { func (c *policyController) reconcilePolicyDefinitionSpec(namespace, name string, definition *v1beta1.ValidatingAdmissionPolicy) error {
c.cachedPolicies = nil // invalidate cachedPolicies c.cachedPolicies = nil // invalidate cachedPolicies
// Namespace for policydefinition is empty. // Namespace for policydefinition is empty.
@ -186,7 +186,7 @@ func (c *policyController) reconcilePolicyDefinitionSpec(namespace, name string,
return nil return nil
} }
var paramSource *v1alpha1.ParamKind var paramSource *v1beta1.ParamKind
if definition != nil { if definition != nil {
paramSource = definition.Spec.ParamKind paramSource = definition.Spec.ParamKind
} }
@ -266,7 +266,7 @@ func (c *policyController) reconcilePolicyDefinitionSpec(namespace, name string,
// Ensures that there is an informer started for the given GVK to be used as a // Ensures that there is an informer started for the given GVK to be used as a
// param // param
func (c *policyController) ensureParamInfo(paramSource *v1alpha1.ParamKind, mapping *meta.RESTMapping) *paramInfo { func (c *policyController) ensureParamInfo(paramSource *v1beta1.ParamKind, mapping *meta.RESTMapping) *paramInfo {
if info, ok := c.paramsCRDControllers[*paramSource]; ok { if info, ok := c.paramsCRDControllers[*paramSource]; ok {
return info return info
} }
@ -329,7 +329,7 @@ func (c *policyController) ensureParamInfo(paramSource *v1alpha1.ParamKind, mapp
} }
func (c *policyController) reconcilePolicyBinding(namespace, name string, binding *v1alpha1.ValidatingAdmissionPolicyBinding) error { func (c *policyController) reconcilePolicyBinding(namespace, name string, binding *v1beta1.ValidatingAdmissionPolicyBinding) error {
c.mutex.Lock() c.mutex.Lock()
defer c.mutex.Unlock() defer c.mutex.Unlock()
@ -432,7 +432,7 @@ func (c *policyController) latestPolicyData() []policyData {
} }
optionalVars := cel.OptionalVariableDeclarations{HasParams: hasParam, HasAuthorizer: true} optionalVars := cel.OptionalVariableDeclarations{HasParams: hasParam, HasAuthorizer: true}
expressionOptionalVars := cel.OptionalVariableDeclarations{HasParams: hasParam, HasAuthorizer: false} expressionOptionalVars := cel.OptionalVariableDeclarations{HasParams: hasParam, HasAuthorizer: false}
failurePolicy := convertv1alpha1FailurePolicyTypeTov1FailurePolicyType(definitionInfo.lastReconciledValue.Spec.FailurePolicy) failurePolicy := convertv1beta1FailurePolicyTypeTov1FailurePolicyType(definitionInfo.lastReconciledValue.Spec.FailurePolicy)
var matcher matchconditions.Matcher = nil var matcher matchconditions.Matcher = nil
matchConditions := definitionInfo.lastReconciledValue.Spec.MatchConditions matchConditions := definitionInfo.lastReconciledValue.Spec.MatchConditions
@ -441,7 +441,7 @@ func (c *policyController) latestPolicyData() []policyData {
compositedCompiler, err := cel.NewCompositedCompiler(environment.MustBaseEnvSet(environment.DefaultCompatibilityVersion())) compositedCompiler, err := cel.NewCompositedCompiler(environment.MustBaseEnvSet(environment.DefaultCompatibilityVersion()))
if err == nil { if err == nil {
filterCompiler = compositedCompiler filterCompiler = compositedCompiler
compositedCompiler.CompileAndStoreVariables(convertV1alpha1Variables(definitionInfo.lastReconciledValue.Spec.Variables), optionalVars, environment.StoredExpressions) compositedCompiler.CompileAndStoreVariables(convertv1beta1Variables(definitionInfo.lastReconciledValue.Spec.Variables), optionalVars, environment.StoredExpressions)
} else { } else {
utilruntime.HandleError(err) utilruntime.HandleError(err)
} }
@ -454,10 +454,10 @@ func (c *policyController) latestPolicyData() []policyData {
matcher = matchconditions.NewMatcher(filterCompiler.Compile(matchExpressionAccessors, optionalVars, environment.StoredExpressions), failurePolicy, "policy", "validate", definitionInfo.lastReconciledValue.Name) matcher = matchconditions.NewMatcher(filterCompiler.Compile(matchExpressionAccessors, optionalVars, environment.StoredExpressions), failurePolicy, "policy", "validate", definitionInfo.lastReconciledValue.Name)
} }
bindingInfo.validator = c.newValidator( bindingInfo.validator = c.newValidator(
filterCompiler.Compile(convertv1alpha1Validations(definitionInfo.lastReconciledValue.Spec.Validations), optionalVars, environment.StoredExpressions), filterCompiler.Compile(convertv1beta1Validations(definitionInfo.lastReconciledValue.Spec.Validations), optionalVars, environment.StoredExpressions),
matcher, matcher,
filterCompiler.Compile(convertv1alpha1AuditAnnotations(definitionInfo.lastReconciledValue.Spec.AuditAnnotations), optionalVars, environment.StoredExpressions), filterCompiler.Compile(convertv1beta1AuditAnnotations(definitionInfo.lastReconciledValue.Spec.AuditAnnotations), optionalVars, environment.StoredExpressions),
filterCompiler.Compile(convertV1Alpha1MessageExpressions(definitionInfo.lastReconciledValue.Spec.Validations), expressionOptionalVars, environment.StoredExpressions), filterCompiler.Compile(convertv1beta1MessageExpressions(definitionInfo.lastReconciledValue.Spec.Validations), expressionOptionalVars, environment.StoredExpressions),
failurePolicy, failurePolicy,
) )
} }
@ -482,21 +482,21 @@ func (c *policyController) latestPolicyData() []policyData {
return res return res
} }
func convertv1alpha1FailurePolicyTypeTov1FailurePolicyType(policyType *v1alpha1.FailurePolicyType) *v1.FailurePolicyType { func convertv1beta1FailurePolicyTypeTov1FailurePolicyType(policyType *v1beta1.FailurePolicyType) *v1.FailurePolicyType {
if policyType == nil { if policyType == nil {
return nil return nil
} }
var v1FailPolicy v1.FailurePolicyType var v1FailPolicy v1.FailurePolicyType
if *policyType == v1alpha1.Fail { if *policyType == v1beta1.Fail {
v1FailPolicy = v1.Fail v1FailPolicy = v1.Fail
} else if *policyType == v1alpha1.Ignore { } else if *policyType == v1beta1.Ignore {
v1FailPolicy = v1.Ignore v1FailPolicy = v1.Ignore
} }
return &v1FailPolicy return &v1FailPolicy
} }
func convertv1alpha1Validations(inputValidations []v1alpha1.Validation) []cel.ExpressionAccessor { func convertv1beta1Validations(inputValidations []v1beta1.Validation) []cel.ExpressionAccessor {
celExpressionAccessor := make([]cel.ExpressionAccessor, len(inputValidations)) celExpressionAccessor := make([]cel.ExpressionAccessor, len(inputValidations))
for i, validation := range inputValidations { for i, validation := range inputValidations {
validation := ValidationCondition{ validation := ValidationCondition{
@ -509,7 +509,7 @@ func convertv1alpha1Validations(inputValidations []v1alpha1.Validation) []cel.Ex
return celExpressionAccessor return celExpressionAccessor
} }
func convertV1Alpha1MessageExpressions(inputValidations []v1alpha1.Validation) []cel.ExpressionAccessor { func convertv1beta1MessageExpressions(inputValidations []v1beta1.Validation) []cel.ExpressionAccessor {
celExpressionAccessor := make([]cel.ExpressionAccessor, len(inputValidations)) celExpressionAccessor := make([]cel.ExpressionAccessor, len(inputValidations))
for i, validation := range inputValidations { for i, validation := range inputValidations {
if validation.MessageExpression != "" { if validation.MessageExpression != "" {
@ -522,7 +522,7 @@ func convertV1Alpha1MessageExpressions(inputValidations []v1alpha1.Validation) [
return celExpressionAccessor return celExpressionAccessor
} }
func convertv1alpha1AuditAnnotations(inputValidations []v1alpha1.AuditAnnotation) []cel.ExpressionAccessor { func convertv1beta1AuditAnnotations(inputValidations []v1beta1.AuditAnnotation) []cel.ExpressionAccessor {
celExpressionAccessor := make([]cel.ExpressionAccessor, len(inputValidations)) celExpressionAccessor := make([]cel.ExpressionAccessor, len(inputValidations))
for i, validation := range inputValidations { for i, validation := range inputValidations {
validation := AuditAnnotationCondition{ validation := AuditAnnotationCondition{
@ -534,7 +534,7 @@ func convertv1alpha1AuditAnnotations(inputValidations []v1alpha1.AuditAnnotation
return celExpressionAccessor return celExpressionAccessor
} }
func convertV1alpha1Variables(variables []v1alpha1.Variable) []cel.NamedExpressionAccessor { func convertv1beta1Variables(variables []v1beta1.Variable) []cel.NamedExpressionAccessor {
namedExpressions := make([]cel.NamedExpressionAccessor, len(variables)) namedExpressions := make([]cel.NamedExpressionAccessor, len(variables))
for i, variable := range variables { for i, variable := range variables {
namedExpressions[i] = &Variable{Name: variable.Name, Expression: variable.Expression} namedExpressions[i] = &Variable{Name: variable.Name, Expression: variable.Expression}


@ -21,7 +21,7 @@ import (
celgo "github.com/google/cel-go/cel" celgo "github.com/google/cel-go/cel"
"k8s.io/api/admissionregistration/v1alpha1" "k8s.io/api/admissionregistration/v1beta1"
corev1 "k8s.io/api/core/v1" corev1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/runtime" "k8s.io/apimachinery/pkg/runtime"
@ -86,11 +86,11 @@ type Matcher interface {
// DefinitionMatches says whether this policy definition matches the provided admission // DefinitionMatches says whether this policy definition matches the provided admission
// resource request // resource request
DefinitionMatches(a admission.Attributes, o admission.ObjectInterfaces, definition *v1alpha1.ValidatingAdmissionPolicy) (bool, schema.GroupVersionKind, error) DefinitionMatches(a admission.Attributes, o admission.ObjectInterfaces, definition *v1beta1.ValidatingAdmissionPolicy) (bool, schema.GroupVersionKind, error)
// BindingMatches says whether this policy definition matches the provided admission // BindingMatches says whether this policy definition matches the provided admission
// resource request // resource request
BindingMatches(a admission.Attributes, o admission.ObjectInterfaces, definition *v1alpha1.ValidatingAdmissionPolicyBinding) (bool, error) BindingMatches(a admission.Attributes, o admission.ObjectInterfaces, definition *v1beta1.ValidatingAdmissionPolicyBinding) (bool, error)
// GetNamespace retrieves the Namespace resource by the given name. The name may be empty, in which case // GetNamespace retrieves the Namespace resource by the given name. The name may be empty, in which case
// GetNamespace must return nil, nil // GetNamespace must return nil, nil
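Review bot: The `BindingMatches` declaration on the new side still names its binding parameter `definition`, and its comment still says "this policy definition"; both look copied from `DefinitionMatches` above it. Since the line is being rewritten anyway, rename the parameter to `binding` (the matcher implementation later on this page already uses that name) and change the comment to `// BindingMatches says whether this policy binding matches the provided admission resource request`. The two methods gate different objects, and someone auditing which policies apply to a request should not have to guess which one a signature refers to. The interface body continues outside this hunk.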


@ -17,7 +17,7 @@ limitations under the License.
package validatingadmissionpolicy package validatingadmissionpolicy
import ( import (
"k8s.io/api/admissionregistration/v1alpha1" "k8s.io/api/admissionregistration/v1beta1"
corev1 "k8s.io/api/core/v1" corev1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/labels" "k8s.io/apimachinery/pkg/labels"
@ -29,7 +29,7 @@ import (
var _ matching.MatchCriteria = &matchCriteria{} var _ matching.MatchCriteria = &matchCriteria{}
type matchCriteria struct { type matchCriteria struct {
constraints *v1alpha1.MatchResources constraints *v1beta1.MatchResources
} }
// GetParsedNamespaceSelector returns the converted LabelSelector which implements labels.Selector // GetParsedNamespaceSelector returns the converted LabelSelector which implements labels.Selector
@ -43,7 +43,7 @@ func (m *matchCriteria) GetParsedObjectSelector() (labels.Selector, error) {
} }
// GetMatchResources returns the matchConstraints // GetMatchResources returns the matchConstraints
func (m *matchCriteria) GetMatchResources() v1alpha1.MatchResources { func (m *matchCriteria) GetMatchResources() v1beta1.MatchResources {
return *m.constraints return *m.constraints
} }
@ -63,13 +63,13 @@ func (c *matcher) ValidateInitialization() error {
} }
// DefinitionMatches returns whether this ValidatingAdmissionPolicy matches the provided admission resource request // DefinitionMatches returns whether this ValidatingAdmissionPolicy matches the provided admission resource request
func (c *matcher) DefinitionMatches(a admission.Attributes, o admission.ObjectInterfaces, definition *v1alpha1.ValidatingAdmissionPolicy) (bool, schema.GroupVersionKind, error) { func (c *matcher) DefinitionMatches(a admission.Attributes, o admission.ObjectInterfaces, definition *v1beta1.ValidatingAdmissionPolicy) (bool, schema.GroupVersionKind, error) {
criteria := matchCriteria{constraints: definition.Spec.MatchConstraints} criteria := matchCriteria{constraints: definition.Spec.MatchConstraints}
return c.Matcher.Matches(a, o, &criteria) return c.Matcher.Matches(a, o, &criteria)
} }
// BindingMatches returns whether this ValidatingAdmissionPolicyBinding matches the provided admission resource request // BindingMatches returns whether this ValidatingAdmissionPolicyBinding matches the provided admission resource request
func (c *matcher) BindingMatches(a admission.Attributes, o admission.ObjectInterfaces, binding *v1alpha1.ValidatingAdmissionPolicyBinding) (bool, error) { func (c *matcher) BindingMatches(a admission.Attributes, o admission.ObjectInterfaces, binding *v1beta1.ValidatingAdmissionPolicyBinding) (bool, error) {
if binding.Spec.MatchResources == nil { if binding.Spec.MatchResources == nil {
return true, nil return true, nil
} }
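Review bot: `DefinitionMatches` passes `definition.Spec.MatchConstraints` straight into `matchCriteria`, and `GetMatchResources` returns `*m.constraints`, so a policy whose MatchConstraints pointer is nil would be dereferenced on the admission path. `BindingMatches` just below guards its own pointer with `if binding.Spec.MatchResources == nil`. API validation presumably rejects such a policy, but nothing in this section shows that, and the switch to v1beta1 types is a natural point to stop relying on it. A guard at the top of `DefinitionMatches`, `if definition.Spec.MatchConstraints == nil {`, returning `false`, a zero `schema.GroupVersionKind{}` and a non-nil error, would let the caller treat it as a misconfigured policy instead of a panic. The body of `BindingMatches` continues outside the hunk.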


@ -20,7 +20,7 @@ import (
"fmt" "fmt"
v1 "k8s.io/api/admissionregistration/v1" v1 "k8s.io/api/admissionregistration/v1"
"k8s.io/api/admissionregistration/v1alpha1" "k8s.io/api/admissionregistration/v1beta1"
corev1 "k8s.io/api/core/v1" corev1 "k8s.io/api/core/v1"
"k8s.io/apimachinery/pkg/runtime/schema" "k8s.io/apimachinery/pkg/runtime/schema"
"k8s.io/apiserver/pkg/admission" "k8s.io/apiserver/pkg/admission"
@ -36,7 +36,7 @@ type MatchCriteria interface {
namespace.NamespaceSelectorProvider namespace.NamespaceSelectorProvider
object.ObjectSelectorProvider object.ObjectSelectorProvider
GetMatchResources() v1alpha1.MatchResources GetMatchResources() v1beta1.MatchResources
} }
// Matcher decides if a request matches against matchCriteria // Matcher decides if a request matches against matchCriteria
@ -119,7 +119,7 @@ func (m *Matcher) Matches(attr admission.Attributes, o admission.ObjectInterface
return true, matchKind, nil return true, matchKind, nil
} }
func matchesResourceRules(namedRules []v1alpha1.NamedRuleWithOperations, matchPolicy *v1alpha1.MatchPolicyType, attr admission.Attributes, o admission.ObjectInterfaces) (bool, schema.GroupVersionKind, error) { func matchesResourceRules(namedRules []v1beta1.NamedRuleWithOperations, matchPolicy *v1beta1.MatchPolicyType, attr admission.Attributes, o admission.ObjectInterfaces) (bool, schema.GroupVersionKind, error) {
matchKind := attr.GetKind() matchKind := attr.GetKind()
for _, namedRule := range namedRules { for _, namedRule := range namedRules {
rule := v1.RuleWithOperations(namedRule.RuleWithOperations) rule := v1.RuleWithOperations(namedRule.RuleWithOperations)
@ -146,7 +146,7 @@ func matchesResourceRules(namedRules []v1alpha1.NamedRuleWithOperations, matchPo
// if match policy is undefined or exact, don't perform fuzzy matching // if match policy is undefined or exact, don't perform fuzzy matching
// note that defaulting to fuzzy matching is set by the API // note that defaulting to fuzzy matching is set by the API
if matchPolicy == nil || *matchPolicy == v1alpha1.Exact { if matchPolicy == nil || *matchPolicy == v1beta1.Exact {
return false, schema.GroupVersionKind{}, nil return false, schema.GroupVersionKind{}, nil
} }
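Review bot: The check `matchPolicy == nil || *matchPolicy == v1beta1.Exact` treats an unset match policy as Exact, and the comment above it says the fuzzy-matching default comes from the API. That makes defaulting load-bearing for enforcement: a policy that reaches `matchesResourceRules` with a nil MatchPolicy matches only the exact group/version it names, so the same resource requested through another served version is not matched. Whether v1beta1 defaulting sets MatchPolicy is not visible here, so it is worth confirming with a test and saying so in the comment, e.g. `// nil is treated as Exact here; v1beta1 defaulting is expected to have set Equivalent before this point`. The function body starts and ends outside this hunk.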


@ -22,7 +22,7 @@ import (
"testing" "testing"
v1 "k8s.io/api/admissionregistration/v1" v1 "k8s.io/api/admissionregistration/v1"
"k8s.io/api/admissionregistration/v1alpha1" "k8s.io/api/admissionregistration/v1beta1"
corev1 "k8s.io/api/core/v1" corev1 "k8s.io/api/core/v1"
"k8s.io/apimachinery/pkg/api/errors" "k8s.io/apimachinery/pkg/api/errors"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@ -38,10 +38,10 @@ import (
var _ MatchCriteria = &fakeCriteria{} var _ MatchCriteria = &fakeCriteria{}
type fakeCriteria struct { type fakeCriteria struct {
matchResources v1alpha1.MatchResources matchResources v1beta1.MatchResources
} }
func (fc *fakeCriteria) GetMatchResources() v1alpha1.MatchResources { func (fc *fakeCriteria) GetMatchResources() v1beta1.MatchResources {
return fc.matchResources return fc.matchResources
} }
@ -65,8 +65,8 @@ func TestMatcher(t *testing.T) {
a := &Matcher{namespaceMatcher: &namespace.Matcher{}, objectMatcher: &object.Matcher{}} a := &Matcher{namespaceMatcher: &namespace.Matcher{}, objectMatcher: &object.Matcher{}}
allScopes := v1.AllScopes allScopes := v1.AllScopes
exactMatch := v1alpha1.Exact exactMatch := v1beta1.Exact
equivalentMatch := v1alpha1.Equivalent equivalentMatch := v1beta1.Equivalent
mapper := runtime.NewEquivalentResourceRegistryWithIdentity(func(resource schema.GroupResource) string { mapper := runtime.NewEquivalentResourceRegistryWithIdentity(func(resource schema.GroupResource) string {
if resource.Resource == "deployments" { if resource.Resource == "deployments" {
@ -95,7 +95,7 @@ func TestMatcher(t *testing.T) {
testcases := []struct { testcases := []struct {
name string name string
criteria *v1alpha1.MatchResources criteria *v1beta1.MatchResources
attrs admission.Attributes attrs admission.Attributes
expectMatches bool expectMatches bool
@ -104,17 +104,17 @@ func TestMatcher(t *testing.T) {
}{ }{
{ {
name: "no rules (just write)", name: "no rules (just write)",
criteria: &v1alpha1.MatchResources{NamespaceSelector: &metav1.LabelSelector{}, ResourceRules: []v1alpha1.NamedRuleWithOperations{}}, criteria: &v1beta1.MatchResources{NamespaceSelector: &metav1.LabelSelector{}, ResourceRules: []v1beta1.NamedRuleWithOperations{}},
attrs: admission.NewAttributesRecord(nil, nil, gvk("apps", "v1", "Deployment"), "ns", "name", gvr("apps", "v1", "deployments"), "", admission.Create, &metav1.CreateOptions{}, false, nil), attrs: admission.NewAttributesRecord(nil, nil, gvk("apps", "v1", "Deployment"), "ns", "name", gvr("apps", "v1", "deployments"), "", admission.Create, &metav1.CreateOptions{}, false, nil),
expectMatches: false, expectMatches: false,
}, },
{ {
name: "wildcard rule, match as requested", name: "wildcard rule, match as requested",
criteria: &v1alpha1.MatchResources{ criteria: &v1beta1.MatchResources{
NamespaceSelector: &metav1.LabelSelector{}, NamespaceSelector: &metav1.LabelSelector{},
ObjectSelector: &metav1.LabelSelector{}, ObjectSelector: &metav1.LabelSelector{},
ResourceRules: []v1alpha1.NamedRuleWithOperations{{ ResourceRules: []v1beta1.NamedRuleWithOperations{{
RuleWithOperations: v1alpha1.RuleWithOperations{ RuleWithOperations: v1beta1.RuleWithOperations{
Operations: []v1.OperationType{"*"}, Operations: []v1.OperationType{"*"},
Rule: v1.Rule{APIGroups: []string{"*"}, APIVersions: []string{"*"}, Resources: []string{"*"}, Scope: &allScopes}, Rule: v1.Rule{APIGroups: []string{"*"}, APIVersions: []string{"*"}, Resources: []string{"*"}, Scope: &allScopes},
}, },
@ -125,21 +125,21 @@ func TestMatcher(t *testing.T) {
}, },
{ {
name: "specific rules, prefer exact match", name: "specific rules, prefer exact match",
criteria: &v1alpha1.MatchResources{ criteria: &v1beta1.MatchResources{
NamespaceSelector: &metav1.LabelSelector{}, NamespaceSelector: &metav1.LabelSelector{},
ObjectSelector: &metav1.LabelSelector{}, ObjectSelector: &metav1.LabelSelector{},
ResourceRules: []v1alpha1.NamedRuleWithOperations{{ ResourceRules: []v1beta1.NamedRuleWithOperations{{
RuleWithOperations: v1alpha1.RuleWithOperations{ RuleWithOperations: v1beta1.RuleWithOperations{
Operations: []v1.OperationType{"*"}, Operations: []v1.OperationType{"*"},
Rule: v1.Rule{APIGroups: []string{"extensions"}, APIVersions: []string{"v1beta1"}, Resources: []string{"deployments"}, Scope: &allScopes}, Rule: v1.Rule{APIGroups: []string{"extensions"}, APIVersions: []string{"v1beta1"}, Resources: []string{"deployments"}, Scope: &allScopes},
}, },
}, { }, {
RuleWithOperations: v1alpha1.RuleWithOperations{ RuleWithOperations: v1beta1.RuleWithOperations{
Operations: []v1.OperationType{"*"}, Operations: []v1.OperationType{"*"},
Rule: v1.Rule{APIGroups: []string{"apps"}, APIVersions: []string{"v1beta1"}, Resources: []string{"deployments"}, Scope: &allScopes}, Rule: v1.Rule{APIGroups: []string{"apps"}, APIVersions: []string{"v1beta1"}, Resources: []string{"deployments"}, Scope: &allScopes},
}, },
}, { }, {
RuleWithOperations: v1alpha1.RuleWithOperations{ RuleWithOperations: v1beta1.RuleWithOperations{
Operations: []v1.OperationType{"*"}, Operations: []v1.OperationType{"*"},
Rule: v1.Rule{APIGroups: []string{"apps"}, APIVersions: []string{"v1"}, Resources: []string{"deployments"}, Scope: &allScopes}, Rule: v1.Rule{APIGroups: []string{"apps"}, APIVersions: []string{"v1"}, Resources: []string{"deployments"}, Scope: &allScopes},
}, },
@ -150,16 +150,16 @@ func TestMatcher(t *testing.T) {
}, },
{ {
name: "specific rules, match miss", name: "specific rules, match miss",
criteria: &v1alpha1.MatchResources{ criteria: &v1beta1.MatchResources{
NamespaceSelector: &metav1.LabelSelector{}, NamespaceSelector: &metav1.LabelSelector{},
ObjectSelector: &metav1.LabelSelector{}, ObjectSelector: &metav1.LabelSelector{},
ResourceRules: []v1alpha1.NamedRuleWithOperations{{ ResourceRules: []v1beta1.NamedRuleWithOperations{{
RuleWithOperations: v1alpha1.RuleWithOperations{ RuleWithOperations: v1beta1.RuleWithOperations{
Operations: []v1.OperationType{"*"}, Operations: []v1.OperationType{"*"},
Rule: v1.Rule{APIGroups: []string{"extensions"}, APIVersions: []string{"v1beta1"}, Resources: []string{"deployments"}, Scope: &allScopes}, Rule: v1.Rule{APIGroups: []string{"extensions"}, APIVersions: []string{"v1beta1"}, Resources: []string{"deployments"}, Scope: &allScopes},
}, },
}, { }, {
RuleWithOperations: v1alpha1.RuleWithOperations{ RuleWithOperations: v1beta1.RuleWithOperations{
Operations: []v1.OperationType{"*"}, Operations: []v1.OperationType{"*"},
Rule: v1.Rule{APIGroups: []string{"apps"}, APIVersions: []string{"v1beta1"}, Resources: []string{"deployments"}, Scope: &allScopes}, Rule: v1.Rule{APIGroups: []string{"apps"}, APIVersions: []string{"v1beta1"}, Resources: []string{"deployments"}, Scope: &allScopes},
}, },
@ -169,17 +169,17 @@ func TestMatcher(t *testing.T) {
}, },
{ {
name: "specific rules, exact match miss", name: "specific rules, exact match miss",
criteria: &v1alpha1.MatchResources{ criteria: &v1beta1.MatchResources{
MatchPolicy: &exactMatch, MatchPolicy: &exactMatch,
NamespaceSelector: &metav1.LabelSelector{}, NamespaceSelector: &metav1.LabelSelector{},
ObjectSelector: &metav1.LabelSelector{}, ObjectSelector: &metav1.LabelSelector{},
ResourceRules: []v1alpha1.NamedRuleWithOperations{{ ResourceRules: []v1beta1.NamedRuleWithOperations{{
RuleWithOperations: v1alpha1.RuleWithOperations{ RuleWithOperations: v1beta1.RuleWithOperations{
Operations: []v1.OperationType{"*"}, Operations: []v1.OperationType{"*"},
Rule: v1.Rule{APIGroups: []string{"extensions"}, APIVersions: []string{"v1beta1"}, Resources: []string{"deployments"}, Scope: &allScopes}, Rule: v1.Rule{APIGroups: []string{"extensions"}, APIVersions: []string{"v1beta1"}, Resources: []string{"deployments"}, Scope: &allScopes},
}, },
}, { }, {
RuleWithOperations: v1alpha1.RuleWithOperations{ RuleWithOperations: v1beta1.RuleWithOperations{
Operations: []v1.OperationType{"*"}, Operations: []v1.OperationType{"*"},
Rule: v1.Rule{APIGroups: []string{"apps"}, APIVersions: []string{"v1beta1"}, Resources: []string{"deployments"}, Scope: &allScopes}, Rule: v1.Rule{APIGroups: []string{"apps"}, APIVersions: []string{"v1beta1"}, Resources: []string{"deployments"}, Scope: &allScopes},
}, },
@ -189,17 +189,17 @@ func TestMatcher(t *testing.T) {
}, },
{ {
name: "specific rules, equivalent match, prefer extensions", name: "specific rules, equivalent match, prefer extensions",
criteria: &v1alpha1.MatchResources{ criteria: &v1beta1.MatchResources{
MatchPolicy: &equivalentMatch, MatchPolicy: &equivalentMatch,
NamespaceSelector: &metav1.LabelSelector{}, NamespaceSelector: &metav1.LabelSelector{},
ObjectSelector: &metav1.LabelSelector{}, ObjectSelector: &metav1.LabelSelector{},
ResourceRules: []v1alpha1.NamedRuleWithOperations{{ ResourceRules: []v1beta1.NamedRuleWithOperations{{
RuleWithOperations: v1alpha1.RuleWithOperations{ RuleWithOperations: v1beta1.RuleWithOperations{
Operations: []v1.OperationType{"*"}, Operations: []v1.OperationType{"*"},
Rule: v1.Rule{APIGroups: []string{"extensions"}, APIVersions: []string{"v1beta1"}, Resources: []string{"deployments"}, Scope: &allScopes}, Rule: v1.Rule{APIGroups: []string{"extensions"}, APIVersions: []string{"v1beta1"}, Resources: []string{"deployments"}, Scope: &allScopes},
}, },
}, { }, {
RuleWithOperations: v1alpha1.RuleWithOperations{ RuleWithOperations: v1beta1.RuleWithOperations{
Operations: []v1.OperationType{"*"}, Operations: []v1.OperationType{"*"},
Rule: v1.Rule{APIGroups: []string{"apps"}, APIVersions: []string{"v1beta1"}, Resources: []string{"deployments"}, Scope: &allScopes}, Rule: v1.Rule{APIGroups: []string{"apps"}, APIVersions: []string{"v1beta1"}, Resources: []string{"deployments"}, Scope: &allScopes},
}, },
@ -210,17 +210,17 @@ func TestMatcher(t *testing.T) {
}, },
{ {
name: "specific rules, equivalent match, prefer apps", name: "specific rules, equivalent match, prefer apps",
criteria: &v1alpha1.MatchResources{ criteria: &v1beta1.MatchResources{
MatchPolicy: &equivalentMatch, MatchPolicy: &equivalentMatch,
NamespaceSelector: &metav1.LabelSelector{}, NamespaceSelector: &metav1.LabelSelector{},
ObjectSelector: &metav1.LabelSelector{}, ObjectSelector: &metav1.LabelSelector{},
ResourceRules: []v1alpha1.NamedRuleWithOperations{{ ResourceRules: []v1beta1.NamedRuleWithOperations{{
RuleWithOperations: v1alpha1.RuleWithOperations{ RuleWithOperations: v1beta1.RuleWithOperations{
Operations: []v1.OperationType{"*"}, Operations: []v1.OperationType{"*"},
Rule: v1.Rule{APIGroups: []string{"apps"}, APIVersions: []string{"v1beta1"}, Resources: []string{"deployments"}, Scope: &allScopes}, Rule: v1.Rule{APIGroups: []string{"apps"}, APIVersions: []string{"v1beta1"}, Resources: []string{"deployments"}, Scope: &allScopes},
}, },
}, { }, {
RuleWithOperations: v1alpha1.RuleWithOperations{ RuleWithOperations: v1beta1.RuleWithOperations{
Operations: []v1.OperationType{"*"}, Operations: []v1.OperationType{"*"},
Rule: v1.Rule{APIGroups: []string{"extensions"}, APIVersions: []string{"v1beta1"}, Resources: []string{"deployments"}, Scope: &allScopes}, Rule: v1.Rule{APIGroups: []string{"extensions"}, APIVersions: []string{"v1beta1"}, Resources: []string{"deployments"}, Scope: &allScopes},
}, },
@ -232,21 +232,21 @@ func TestMatcher(t *testing.T) {
{ {
name: "specific rules, subresource prefer exact match", name: "specific rules, subresource prefer exact match",
criteria: &v1alpha1.MatchResources{ criteria: &v1beta1.MatchResources{
NamespaceSelector: &metav1.LabelSelector{}, NamespaceSelector: &metav1.LabelSelector{},
ObjectSelector: &metav1.LabelSelector{}, ObjectSelector: &metav1.LabelSelector{},
ResourceRules: []v1alpha1.NamedRuleWithOperations{{ ResourceRules: []v1beta1.NamedRuleWithOperations{{
RuleWithOperations: v1alpha1.RuleWithOperations{ RuleWithOperations: v1beta1.RuleWithOperations{
Operations: []v1.OperationType{"*"}, Operations: []v1.OperationType{"*"},
Rule: v1.Rule{APIGroups: []string{"extensions"}, APIVersions: []string{"v1beta1"}, Resources: []string{"deployments", "deployments/scale"}, Scope: &allScopes}, Rule: v1.Rule{APIGroups: []string{"extensions"}, APIVersions: []string{"v1beta1"}, Resources: []string{"deployments", "deployments/scale"}, Scope: &allScopes},
}, },
}, { }, {
RuleWithOperations: v1alpha1.RuleWithOperations{ RuleWithOperations: v1beta1.RuleWithOperations{
Operations: []v1.OperationType{"*"}, Operations: []v1.OperationType{"*"},
Rule: v1.Rule{APIGroups: []string{"apps"}, APIVersions: []string{"v1beta1"}, Resources: []string{"deployments", "deployments/scale"}, Scope: &allScopes}, Rule: v1.Rule{APIGroups: []string{"apps"}, APIVersions: []string{"v1beta1"}, Resources: []string{"deployments", "deployments/scale"}, Scope: &allScopes},
}, },
}, { }, {
RuleWithOperations: v1alpha1.RuleWithOperations{ RuleWithOperations: v1beta1.RuleWithOperations{
Operations: []v1.OperationType{"*"}, Operations: []v1.OperationType{"*"},
Rule: v1.Rule{APIGroups: []string{"apps"}, APIVersions: []string{"v1"}, Resources: []string{"deployments", "deployments/scale"}, Scope: &allScopes}, Rule: v1.Rule{APIGroups: []string{"apps"}, APIVersions: []string{"v1"}, Resources: []string{"deployments", "deployments/scale"}, Scope: &allScopes},
}, },
@ -257,16 +257,16 @@ func TestMatcher(t *testing.T) {
}, },
{ {
name: "specific rules, subresource match miss", name: "specific rules, subresource match miss",
criteria: &v1alpha1.MatchResources{ criteria: &v1beta1.MatchResources{
NamespaceSelector: &metav1.LabelSelector{}, NamespaceSelector: &metav1.LabelSelector{},
ObjectSelector: &metav1.LabelSelector{}, ObjectSelector: &metav1.LabelSelector{},
ResourceRules: []v1alpha1.NamedRuleWithOperations{{ ResourceRules: []v1beta1.NamedRuleWithOperations{{
RuleWithOperations: v1alpha1.RuleWithOperations{ RuleWithOperations: v1beta1.RuleWithOperations{
Operations: []v1.OperationType{"*"}, Operations: []v1.OperationType{"*"},
Rule: v1.Rule{APIGroups: []string{"extensions"}, APIVersions: []string{"v1beta1"}, Resources: []string{"deployments", "deployments/scale"}, Scope: &allScopes}, Rule: v1.Rule{APIGroups: []string{"extensions"}, APIVersions: []string{"v1beta1"}, Resources: []string{"deployments", "deployments/scale"}, Scope: &allScopes},
}, },
}, { }, {
RuleWithOperations: v1alpha1.RuleWithOperations{ RuleWithOperations: v1beta1.RuleWithOperations{
Operations: []v1.OperationType{"*"}, Operations: []v1.OperationType{"*"},
Rule: v1.Rule{APIGroups: []string{"apps"}, APIVersions: []string{"v1beta1"}, Resources: []string{"deployments", "deployments/scale"}, Scope: &allScopes}, Rule: v1.Rule{APIGroups: []string{"apps"}, APIVersions: []string{"v1beta1"}, Resources: []string{"deployments", "deployments/scale"}, Scope: &allScopes},
}, },
@ -276,17 +276,17 @@ func TestMatcher(t *testing.T) {
}, },
{ {
name: "specific rules, subresource exact match miss", name: "specific rules, subresource exact match miss",
criteria: &v1alpha1.MatchResources{ criteria: &v1beta1.MatchResources{
MatchPolicy: &exactMatch, MatchPolicy: &exactMatch,
NamespaceSelector: &metav1.LabelSelector{}, NamespaceSelector: &metav1.LabelSelector{},
ObjectSelector: &metav1.LabelSelector{}, ObjectSelector: &metav1.LabelSelector{},
ResourceRules: []v1alpha1.NamedRuleWithOperations{{ ResourceRules: []v1beta1.NamedRuleWithOperations{{
RuleWithOperations: v1alpha1.RuleWithOperations{ RuleWithOperations: v1beta1.RuleWithOperations{
Operations: []v1.OperationType{"*"}, Operations: []v1.OperationType{"*"},
Rule: v1.Rule{APIGroups: []string{"extensions"}, APIVersions: []string{"v1beta1"}, Resources: []string{"deployments", "deployments/scale"}, Scope: &allScopes}, Rule: v1.Rule{APIGroups: []string{"extensions"}, APIVersions: []string{"v1beta1"}, Resources: []string{"deployments", "deployments/scale"}, Scope: &allScopes},
}, },
}, { }, {
RuleWithOperations: v1alpha1.RuleWithOperations{ RuleWithOperations: v1beta1.RuleWithOperations{
Operations: []v1.OperationType{"*"}, Operations: []v1.OperationType{"*"},
Rule: v1.Rule{APIGroups: []string{"apps"}, APIVersions: []string{"v1beta1"}, Resources: []string{"deployments", "deployments/scale"}, Scope: &allScopes}, Rule: v1.Rule{APIGroups: []string{"apps"}, APIVersions: []string{"v1beta1"}, Resources: []string{"deployments", "deployments/scale"}, Scope: &allScopes},
}, },
@ -296,17 +296,17 @@ func TestMatcher(t *testing.T) {
}, },
{ {
name: "specific rules, subresource equivalent match, prefer extensions", name: "specific rules, subresource equivalent match, prefer extensions",
criteria: &v1alpha1.MatchResources{ criteria: &v1beta1.MatchResources{
MatchPolicy: &equivalentMatch, MatchPolicy: &equivalentMatch,
NamespaceSelector: &metav1.LabelSelector{}, NamespaceSelector: &metav1.LabelSelector{},
ObjectSelector: &metav1.LabelSelector{}, ObjectSelector: &metav1.LabelSelector{},
ResourceRules: []v1alpha1.NamedRuleWithOperations{{ ResourceRules: []v1beta1.NamedRuleWithOperations{{
RuleWithOperations: v1alpha1.RuleWithOperations{ RuleWithOperations: v1beta1.RuleWithOperations{
Operations: []v1.OperationType{"*"}, Operations: []v1.OperationType{"*"},
Rule: v1.Rule{APIGroups: []string{"extensions"}, APIVersions: []string{"v1beta1"}, Resources: []string{"deployments", "deployments/scale"}, Scope: &allScopes}, Rule: v1.Rule{APIGroups: []string{"extensions"}, APIVersions: []string{"v1beta1"}, Resources: []string{"deployments", "deployments/scale"}, Scope: &allScopes},
}, },
}, { }, {
RuleWithOperations: v1alpha1.RuleWithOperations{ RuleWithOperations: v1beta1.RuleWithOperations{
Operations: []v1.OperationType{"*"}, Operations: []v1.OperationType{"*"},
Rule: v1.Rule{APIGroups: []string{"apps"}, APIVersions: []string{"v1beta1"}, Resources: []string{"deployments", "deployments/scale"}, Scope: &allScopes}, Rule: v1.Rule{APIGroups: []string{"apps"}, APIVersions: []string{"v1beta1"}, Resources: []string{"deployments", "deployments/scale"}, Scope: &allScopes},
}, },
@ -317,17 +317,17 @@ func TestMatcher(t *testing.T) {
}, },
{ {
name: "specific rules, subresource equivalent match, prefer apps", name: "specific rules, subresource equivalent match, prefer apps",
criteria: &v1alpha1.MatchResources{ criteria: &v1beta1.MatchResources{
MatchPolicy: &equivalentMatch, MatchPolicy: &equivalentMatch,
NamespaceSelector: &metav1.LabelSelector{}, NamespaceSelector: &metav1.LabelSelector{},
ObjectSelector: &metav1.LabelSelector{}, ObjectSelector: &metav1.LabelSelector{},
ResourceRules: []v1alpha1.NamedRuleWithOperations{{ ResourceRules: []v1beta1.NamedRuleWithOperations{{
RuleWithOperations: v1alpha1.RuleWithOperations{ RuleWithOperations: v1beta1.RuleWithOperations{
Operations: []v1.OperationType{"*"}, Operations: []v1.OperationType{"*"},
Rule: v1.Rule{APIGroups: []string{"apps"}, APIVersions: []string{"v1beta1"}, Resources: []string{"deployments", "deployments/scale"}, Scope: &allScopes}, Rule: v1.Rule{APIGroups: []string{"apps"}, APIVersions: []string{"v1beta1"}, Resources: []string{"deployments", "deployments/scale"}, Scope: &allScopes},
}, },
}, { }, {
RuleWithOperations: v1alpha1.RuleWithOperations{ RuleWithOperations: v1beta1.RuleWithOperations{
Operations: []v1.OperationType{"*"}, Operations: []v1.OperationType{"*"},
Rule: v1.Rule{APIGroups: []string{"extensions"}, APIVersions: []string{"v1beta1"}, Resources: []string{"deployments", "deployments/scale"}, Scope: &allScopes}, Rule: v1.Rule{APIGroups: []string{"extensions"}, APIVersions: []string{"v1beta1"}, Resources: []string{"deployments", "deployments/scale"}, Scope: &allScopes},
}, },
@ -338,12 +338,12 @@ func TestMatcher(t *testing.T) {
}, },
{ {
name: "specific rules, prefer exact match and name match", name: "specific rules, prefer exact match and name match",
criteria: &v1alpha1.MatchResources{ criteria: &v1beta1.MatchResources{
NamespaceSelector: &metav1.LabelSelector{}, NamespaceSelector: &metav1.LabelSelector{},
ObjectSelector: &metav1.LabelSelector{}, ObjectSelector: &metav1.LabelSelector{},
ResourceRules: []v1alpha1.NamedRuleWithOperations{{ ResourceRules: []v1beta1.NamedRuleWithOperations{{
ResourceNames: []string{"name"}, ResourceNames: []string{"name"},
RuleWithOperations: v1alpha1.RuleWithOperations{ RuleWithOperations: v1beta1.RuleWithOperations{
Operations: []v1.OperationType{"*"}, Operations: []v1.OperationType{"*"},
Rule: v1.Rule{APIGroups: []string{"apps"}, APIVersions: []string{"v1"}, Resources: []string{"deployments"}, Scope: &allScopes}, Rule: v1.Rule{APIGroups: []string{"apps"}, APIVersions: []string{"v1"}, Resources: []string{"deployments"}, Scope: &allScopes},
}, },
@ -354,12 +354,12 @@ func TestMatcher(t *testing.T) {
}, },
{ {
name: "specific rules, prefer exact match and name match miss", name: "specific rules, prefer exact match and name match miss",
criteria: &v1alpha1.MatchResources{ criteria: &v1beta1.MatchResources{
NamespaceSelector: &metav1.LabelSelector{}, NamespaceSelector: &metav1.LabelSelector{},
ObjectSelector: &metav1.LabelSelector{}, ObjectSelector: &metav1.LabelSelector{},
ResourceRules: []v1alpha1.NamedRuleWithOperations{{ ResourceRules: []v1beta1.NamedRuleWithOperations{{
ResourceNames: []string{"wrong-name"}, ResourceNames: []string{"wrong-name"},
RuleWithOperations: v1alpha1.RuleWithOperations{ RuleWithOperations: v1beta1.RuleWithOperations{
Operations: []v1.OperationType{"*"}, Operations: []v1.OperationType{"*"},
Rule: v1.Rule{APIGroups: []string{"apps"}, APIVersions: []string{"v1"}, Resources: []string{"deployments"}, Scope: &allScopes}, Rule: v1.Rule{APIGroups: []string{"apps"}, APIVersions: []string{"v1"}, Resources: []string{"deployments"}, Scope: &allScopes},
}, },
@ -369,13 +369,13 @@ func TestMatcher(t *testing.T) {
}, },
{ {
name: "specific rules, subresource equivalent match, prefer extensions and name match", name: "specific rules, subresource equivalent match, prefer extensions and name match",
criteria: &v1alpha1.MatchResources{ criteria: &v1beta1.MatchResources{
MatchPolicy: &equivalentMatch, MatchPolicy: &equivalentMatch,
NamespaceSelector: &metav1.LabelSelector{}, NamespaceSelector: &metav1.LabelSelector{},
ObjectSelector: &metav1.LabelSelector{}, ObjectSelector: &metav1.LabelSelector{},
ResourceRules: []v1alpha1.NamedRuleWithOperations{{ ResourceRules: []v1beta1.NamedRuleWithOperations{{
ResourceNames: []string{"name"}, ResourceNames: []string{"name"},
RuleWithOperations: v1alpha1.RuleWithOperations{ RuleWithOperations: v1beta1.RuleWithOperations{
Operations: []v1.OperationType{"*"}, Operations: []v1.OperationType{"*"},
Rule: v1.Rule{APIGroups: []string{"apps"}, APIVersions: []string{"v1"}, Resources: []string{"deployments", "deployments/scale"}, Scope: &allScopes}, Rule: v1.Rule{APIGroups: []string{"apps"}, APIVersions: []string{"v1"}, Resources: []string{"deployments", "deployments/scale"}, Scope: &allScopes},
}, },
@ -386,13 +386,13 @@ func TestMatcher(t *testing.T) {
}, },
{ {
name: "specific rules, subresource equivalent match, prefer extensions and name match miss", name: "specific rules, subresource equivalent match, prefer extensions and name match miss",
criteria: &v1alpha1.MatchResources{ criteria: &v1beta1.MatchResources{
MatchPolicy: &equivalentMatch, MatchPolicy: &equivalentMatch,
NamespaceSelector: &metav1.LabelSelector{}, NamespaceSelector: &metav1.LabelSelector{},
ObjectSelector: &metav1.LabelSelector{}, ObjectSelector: &metav1.LabelSelector{},
ResourceRules: []v1alpha1.NamedRuleWithOperations{{ ResourceRules: []v1beta1.NamedRuleWithOperations{{
ResourceNames: []string{"wrong-name"}, ResourceNames: []string{"wrong-name"},
RuleWithOperations: v1alpha1.RuleWithOperations{ RuleWithOperations: v1beta1.RuleWithOperations{
Operations: []v1.OperationType{"*"}, Operations: []v1.OperationType{"*"},
Rule: v1.Rule{APIGroups: []string{"apps"}, APIVersions: []string{"v1"}, Resources: []string{"deployments", "deployments/scale"}, Scope: &allScopes}, Rule: v1.Rule{APIGroups: []string{"apps"}, APIVersions: []string{"v1"}, Resources: []string{"deployments", "deployments/scale"}, Scope: &allScopes},
}, },
@ -402,17 +402,17 @@ func TestMatcher(t *testing.T) {
}, },
{ {
name: "exclude resource match on miss", name: "exclude resource match on miss",
criteria: &v1alpha1.MatchResources{ criteria: &v1beta1.MatchResources{
NamespaceSelector: &metav1.LabelSelector{}, NamespaceSelector: &metav1.LabelSelector{},
ObjectSelector: &metav1.LabelSelector{}, ObjectSelector: &metav1.LabelSelector{},
ResourceRules: []v1alpha1.NamedRuleWithOperations{{ ResourceRules: []v1beta1.NamedRuleWithOperations{{
RuleWithOperations: v1alpha1.RuleWithOperations{ RuleWithOperations: v1beta1.RuleWithOperations{
Operations: []v1.OperationType{"*"}, Operations: []v1.OperationType{"*"},
Rule: v1.Rule{APIGroups: []string{"*"}, APIVersions: []string{"*"}, Resources: []string{"*"}, Scope: &allScopes}, Rule: v1.Rule{APIGroups: []string{"*"}, APIVersions: []string{"*"}, Resources: []string{"*"}, Scope: &allScopes},
}, },
}}, }},
ExcludeResourceRules: []v1alpha1.NamedRuleWithOperations{{ ExcludeResourceRules: []v1beta1.NamedRuleWithOperations{{
RuleWithOperations: v1alpha1.RuleWithOperations{ RuleWithOperations: v1beta1.RuleWithOperations{
Operations: []v1.OperationType{"*"}, Operations: []v1.OperationType{"*"},
Rule: v1.Rule{APIGroups: []string{"extensions"}, APIVersions: []string{"v1beta1"}, Resources: []string{"deployments"}, Scope: &allScopes}, Rule: v1.Rule{APIGroups: []string{"extensions"}, APIVersions: []string{"v1beta1"}, Resources: []string{"deployments"}, Scope: &allScopes},
}, },
@ -424,17 +424,17 @@ func TestMatcher(t *testing.T) {
}, },
{ {
name: "exclude resource miss on match", name: "exclude resource miss on match",
criteria: &v1alpha1.MatchResources{ criteria: &v1beta1.MatchResources{
NamespaceSelector: &metav1.LabelSelector{}, NamespaceSelector: &metav1.LabelSelector{},
ObjectSelector: &metav1.LabelSelector{}, ObjectSelector: &metav1.LabelSelector{},
ResourceRules: []v1alpha1.NamedRuleWithOperations{{ ResourceRules: []v1beta1.NamedRuleWithOperations{{
RuleWithOperations: v1alpha1.RuleWithOperations{ RuleWithOperations: v1beta1.RuleWithOperations{
Operations: []v1.OperationType{"*"}, Operations: []v1.OperationType{"*"},
Rule: v1.Rule{APIGroups: []string{"*"}, APIVersions: []string{"*"}, Resources: []string{"*"}, Scope: &allScopes}, Rule: v1.Rule{APIGroups: []string{"*"}, APIVersions: []string{"*"}, Resources: []string{"*"}, Scope: &allScopes},
}, },
}}, }},
ExcludeResourceRules: []v1alpha1.NamedRuleWithOperations{{ ExcludeResourceRules: []v1beta1.NamedRuleWithOperations{{
RuleWithOperations: v1alpha1.RuleWithOperations{ RuleWithOperations: v1beta1.RuleWithOperations{
Operations: []v1.OperationType{"*"}, Operations: []v1.OperationType{"*"},
Rule: v1.Rule{APIGroups: []string{"extensions"}, APIVersions: []string{"v1beta1"}, Resources: []string{"deployments"}, Scope: &allScopes}, Rule: v1.Rule{APIGroups: []string{"extensions"}, APIVersions: []string{"v1beta1"}, Resources: []string{"deployments"}, Scope: &allScopes},
}, },
@ -445,11 +445,11 @@ func TestMatcher(t *testing.T) {
}, },
{ {
name: "treat empty ResourceRules as match", name: "treat empty ResourceRules as match",
criteria: &v1alpha1.MatchResources{ criteria: &v1beta1.MatchResources{
NamespaceSelector: &metav1.LabelSelector{}, NamespaceSelector: &metav1.LabelSelector{},
ObjectSelector: &metav1.LabelSelector{}, ObjectSelector: &metav1.LabelSelector{},
ExcludeResourceRules: []v1alpha1.NamedRuleWithOperations{{ ExcludeResourceRules: []v1beta1.NamedRuleWithOperations{{
RuleWithOperations: v1alpha1.RuleWithOperations{ RuleWithOperations: v1beta1.RuleWithOperations{
Operations: []v1.OperationType{"*"}, Operations: []v1.OperationType{"*"},
Rule: v1.Rule{APIGroups: []string{"extensions"}, APIVersions: []string{"v1beta1"}, Resources: []string{"deployments"}, Scope: &allScopes}, Rule: v1.Rule{APIGroups: []string{"extensions"}, APIVersions: []string{"v1beta1"}, Resources: []string{"deployments"}, Scope: &allScopes},
}, },
@ -460,23 +460,23 @@ func TestMatcher(t *testing.T) {
}, },
{ {
name: "treat non-empty ResourceRules as no match", name: "treat non-empty ResourceRules as no match",
criteria: &v1alpha1.MatchResources{ criteria: &v1beta1.MatchResources{
NamespaceSelector: &metav1.LabelSelector{}, NamespaceSelector: &metav1.LabelSelector{},
ObjectSelector: &metav1.LabelSelector{}, ObjectSelector: &metav1.LabelSelector{},
ResourceRules: []v1alpha1.NamedRuleWithOperations{{}}, ResourceRules: []v1beta1.NamedRuleWithOperations{{}},
}, },
attrs: admission.NewAttributesRecord(nil, nil, gvk("autoscaling", "v1", "Scale"), "ns", "name", gvr("apps", "v1", "deployments"), "", admission.Create, &metav1.CreateOptions{}, false, nil), attrs: admission.NewAttributesRecord(nil, nil, gvk("autoscaling", "v1", "Scale"), "ns", "name", gvr("apps", "v1", "deployments"), "", admission.Create, &metav1.CreateOptions{}, false, nil),
expectMatches: false, expectMatches: false,
}, },
{ {
name: "erroring namespace selector on otherwise non-matching rule doesn't error", name: "erroring namespace selector on otherwise non-matching rule doesn't error",
criteria: &v1alpha1.MatchResources{ criteria: &v1beta1.MatchResources{
NamespaceSelector: &metav1.LabelSelector{MatchExpressions: []metav1.LabelSelectorRequirement{{Key: "key ", Operator: "In", Values: []string{"bad value"}}}}, NamespaceSelector: &metav1.LabelSelector{MatchExpressions: []metav1.LabelSelectorRequirement{{Key: "key ", Operator: "In", Values: []string{"bad value"}}}},
ObjectSelector: &metav1.LabelSelector{}, ObjectSelector: &metav1.LabelSelector{},
ResourceRules: []v1alpha1.NamedRuleWithOperations{{ ResourceRules: []v1beta1.NamedRuleWithOperations{{
RuleWithOperations: v1alpha1.RuleWithOperations{ RuleWithOperations: v1beta1.RuleWithOperations{
Rule: v1alpha1.Rule{APIGroups: []string{"*"}, APIVersions: []string{"*"}, Resources: []string{"deployments"}}, Rule: v1beta1.Rule{APIGroups: []string{"*"}, APIVersions: []string{"*"}, Resources: []string{"deployments"}},
Operations: []v1alpha1.OperationType{"*"}, Operations: []v1beta1.OperationType{"*"},
}, },
}}, }},
}, },
@ -486,13 +486,13 @@ func TestMatcher(t *testing.T) {
}, },
{ {
name: "erroring namespace selector on otherwise matching rule errors", name: "erroring namespace selector on otherwise matching rule errors",
criteria: &v1alpha1.MatchResources{ criteria: &v1beta1.MatchResources{
NamespaceSelector: &metav1.LabelSelector{MatchExpressions: []metav1.LabelSelectorRequirement{{Key: "key", Operator: "In", Values: []string{"bad value"}}}}, NamespaceSelector: &metav1.LabelSelector{MatchExpressions: []metav1.LabelSelectorRequirement{{Key: "key", Operator: "In", Values: []string{"bad value"}}}},
ObjectSelector: &metav1.LabelSelector{}, ObjectSelector: &metav1.LabelSelector{},
ResourceRules: []v1alpha1.NamedRuleWithOperations{{ ResourceRules: []v1beta1.NamedRuleWithOperations{{
RuleWithOperations: v1alpha1.RuleWithOperations{ RuleWithOperations: v1beta1.RuleWithOperations{
Rule: v1alpha1.Rule{APIGroups: []string{"*"}, APIVersions: []string{"*"}, Resources: []string{"pods"}}, Rule: v1beta1.Rule{APIGroups: []string{"*"}, APIVersions: []string{"*"}, Resources: []string{"pods"}},
Operations: []v1alpha1.OperationType{"*"}, Operations: []v1beta1.OperationType{"*"},
}, },
}}, }},
}, },
@ -502,13 +502,13 @@ func TestMatcher(t *testing.T) {
}, },
{ {
name: "erroring object selector on otherwise non-matching rule doesn't error", name: "erroring object selector on otherwise non-matching rule doesn't error",
criteria: &v1alpha1.MatchResources{ criteria: &v1beta1.MatchResources{
NamespaceSelector: &metav1.LabelSelector{}, NamespaceSelector: &metav1.LabelSelector{},
ObjectSelector: &metav1.LabelSelector{MatchExpressions: []metav1.LabelSelectorRequirement{{Key: "key", Operator: "In", Values: []string{"bad value"}}}}, ObjectSelector: &metav1.LabelSelector{MatchExpressions: []metav1.LabelSelectorRequirement{{Key: "key", Operator: "In", Values: []string{"bad value"}}}},
ResourceRules: []v1alpha1.NamedRuleWithOperations{{ ResourceRules: []v1beta1.NamedRuleWithOperations{{
RuleWithOperations: v1alpha1.RuleWithOperations{ RuleWithOperations: v1beta1.RuleWithOperations{
Rule: v1alpha1.Rule{APIGroups: []string{"*"}, APIVersions: []string{"*"}, Resources: []string{"deployments"}}, Rule: v1beta1.Rule{APIGroups: []string{"*"}, APIVersions: []string{"*"}, Resources: []string{"deployments"}},
Operations: []v1alpha1.OperationType{"*"}, Operations: []v1beta1.OperationType{"*"},
}, },
}}, }},
}, },
@ -518,13 +518,13 @@ func TestMatcher(t *testing.T) {
}, },
{ {
name: "erroring object selector on otherwise matching rule errors", name: "erroring object selector on otherwise matching rule errors",
criteria: &v1alpha1.MatchResources{ criteria: &v1beta1.MatchResources{
NamespaceSelector: &metav1.LabelSelector{}, NamespaceSelector: &metav1.LabelSelector{},
ObjectSelector: &metav1.LabelSelector{MatchExpressions: []metav1.LabelSelectorRequirement{{Key: "key", Operator: "In", Values: []string{"bad value"}}}}, ObjectSelector: &metav1.LabelSelector{MatchExpressions: []metav1.LabelSelectorRequirement{{Key: "key", Operator: "In", Values: []string{"bad value"}}}},
ResourceRules: []v1alpha1.NamedRuleWithOperations{{ ResourceRules: []v1beta1.NamedRuleWithOperations{{
RuleWithOperations: v1alpha1.RuleWithOperations{ RuleWithOperations: v1beta1.RuleWithOperations{
Rule: v1alpha1.Rule{APIGroups: []string{"*"}, APIVersions: []string{"*"}, Resources: []string{"pods"}}, Rule: v1beta1.Rule{APIGroups: []string{"*"}, APIVersions: []string{"*"}, Resources: []string{"pods"}},
Operations: []v1alpha1.OperationType{"*"}, Operations: []v1beta1.OperationType{"*"},
}, },
}}, }},
}, },
@ -579,7 +579,7 @@ func (f fakeNamespaceLister) Get(name string) (*corev1.Namespace, error) {
func BenchmarkMatcher(b *testing.B) { func BenchmarkMatcher(b *testing.B) {
allScopes := v1.AllScopes allScopes := v1.AllScopes
equivalentMatch := v1alpha1.Equivalent equivalentMatch := v1beta1.Equivalent
namespace1Labels := map[string]string{"ns": "ns1"} namespace1Labels := map[string]string{"ns": "ns1"}
namespace1 := corev1.Namespace{ namespace1 := corev1.Namespace{
@ -620,19 +620,19 @@ func BenchmarkMatcher(b *testing.B) {
nsSelector[fmt.Sprintf("key-%d", i)] = fmt.Sprintf("val-%d", i) nsSelector[fmt.Sprintf("key-%d", i)] = fmt.Sprintf("val-%d", i)
} }
mr := v1alpha1.MatchResources{ mr := v1beta1.MatchResources{
MatchPolicy: &equivalentMatch, MatchPolicy: &equivalentMatch,
NamespaceSelector: &metav1.LabelSelector{MatchLabels: nsSelector}, NamespaceSelector: &metav1.LabelSelector{MatchLabels: nsSelector},
ObjectSelector: &metav1.LabelSelector{}, ObjectSelector: &metav1.LabelSelector{},
ResourceRules: []v1alpha1.NamedRuleWithOperations{ ResourceRules: []v1beta1.NamedRuleWithOperations{
{ {
RuleWithOperations: v1alpha1.RuleWithOperations{ RuleWithOperations: v1beta1.RuleWithOperations{
Operations: []v1.OperationType{"*"}, Operations: []v1.OperationType{"*"},
Rule: v1.Rule{APIGroups: []string{"apps"}, APIVersions: []string{"v1beta1"}, Resources: []string{"deployments", "deployments/scale"}, Scope: &allScopes}, Rule: v1.Rule{APIGroups: []string{"apps"}, APIVersions: []string{"v1beta1"}, Resources: []string{"deployments", "deployments/scale"}, Scope: &allScopes},
}, },
}, },
{ {
RuleWithOperations: v1alpha1.RuleWithOperations{ RuleWithOperations: v1beta1.RuleWithOperations{
Operations: []v1.OperationType{"*"}, Operations: []v1.OperationType{"*"},
Rule: v1.Rule{APIGroups: []string{"extensions"}, APIVersions: []string{"v1beta1"}, Resources: []string{"deployments", "deployments/scale"}, Scope: &allScopes}, Rule: v1.Rule{APIGroups: []string{"extensions"}, APIVersions: []string{"v1beta1"}, Resources: []string{"deployments", "deployments/scale"}, Scope: &allScopes},
}, },
@ -652,7 +652,7 @@ func BenchmarkMatcher(b *testing.B) {
func BenchmarkShouldCallHookWithComplexRule(b *testing.B) { func BenchmarkShouldCallHookWithComplexRule(b *testing.B) {
allScopes := v1.AllScopes allScopes := v1.AllScopes
equivalentMatch := v1alpha1.Equivalent equivalentMatch := v1beta1.Equivalent
namespace1Labels := map[string]string{"ns": "ns1"} namespace1Labels := map[string]string{"ns": "ns1"}
namespace1 := corev1.Namespace{ namespace1 := corev1.Namespace{
@ -688,16 +688,16 @@ func BenchmarkShouldCallHookWithComplexRule(b *testing.B) {
mapper.RegisterKindFor(gvr("apps", "v1beta1", "statefulset"), "scale", gvk("apps", "v1beta1", "Scale")) mapper.RegisterKindFor(gvr("apps", "v1beta1", "statefulset"), "scale", gvk("apps", "v1beta1", "Scale"))
mapper.RegisterKindFor(gvr("apps", "v1alpha2", "statefulset"), "scale", gvk("apps", "v1beta2", "Scale")) mapper.RegisterKindFor(gvr("apps", "v1alpha2", "statefulset"), "scale", gvk("apps", "v1beta2", "Scale"))
mr := v1alpha1.MatchResources{ mr := v1beta1.MatchResources{
MatchPolicy: &equivalentMatch, MatchPolicy: &equivalentMatch,
NamespaceSelector: &metav1.LabelSelector{MatchLabels: map[string]string{"a": "b"}}, NamespaceSelector: &metav1.LabelSelector{MatchLabels: map[string]string{"a": "b"}},
ObjectSelector: &metav1.LabelSelector{}, ObjectSelector: &metav1.LabelSelector{},
ResourceRules: []v1alpha1.NamedRuleWithOperations{}, ResourceRules: []v1beta1.NamedRuleWithOperations{},
} }
for i := 0; i < 100; i++ { for i := 0; i < 100; i++ {
rule := v1alpha1.NamedRuleWithOperations{ rule := v1beta1.NamedRuleWithOperations{
RuleWithOperations: v1alpha1.RuleWithOperations{ RuleWithOperations: v1beta1.RuleWithOperations{
Operations: []v1.OperationType{"*"}, Operations: []v1.OperationType{"*"},
Rule: v1.Rule{ Rule: v1.Rule{
APIGroups: []string{fmt.Sprintf("app-%d", i)}, APIGroups: []string{fmt.Sprintf("app-%d", i)},
@ -722,7 +722,7 @@ func BenchmarkShouldCallHookWithComplexRule(b *testing.B) {
func BenchmarkShouldCallHookWithComplexSelectorAndRule(b *testing.B) { func BenchmarkShouldCallHookWithComplexSelectorAndRule(b *testing.B) {
allScopes := v1.AllScopes allScopes := v1.AllScopes
equivalentMatch := v1alpha1.Equivalent equivalentMatch := v1beta1.Equivalent
namespace1Labels := map[string]string{"ns": "ns1"} namespace1Labels := map[string]string{"ns": "ns1"}
namespace1 := corev1.Namespace{ namespace1 := corev1.Namespace{
@ -763,16 +763,16 @@ func BenchmarkShouldCallHookWithComplexSelectorAndRule(b *testing.B) {
nsSelector[fmt.Sprintf("key-%d", i)] = fmt.Sprintf("val-%d", i) nsSelector[fmt.Sprintf("key-%d", i)] = fmt.Sprintf("val-%d", i)
} }
mr := v1alpha1.MatchResources{ mr := v1beta1.MatchResources{
MatchPolicy: &equivalentMatch, MatchPolicy: &equivalentMatch,
NamespaceSelector: &metav1.LabelSelector{MatchLabels: nsSelector}, NamespaceSelector: &metav1.LabelSelector{MatchLabels: nsSelector},
ObjectSelector: &metav1.LabelSelector{}, ObjectSelector: &metav1.LabelSelector{},
ResourceRules: []v1alpha1.NamedRuleWithOperations{}, ResourceRules: []v1beta1.NamedRuleWithOperations{},
} }
for i := 0; i < 100; i++ { for i := 0; i < 100; i++ {
rule := v1alpha1.NamedRuleWithOperations{ rule := v1beta1.NamedRuleWithOperations{
RuleWithOperations: v1alpha1.RuleWithOperations{ RuleWithOperations: v1beta1.RuleWithOperations{
Operations: []v1.OperationType{"*"}, Operations: []v1.OperationType{"*"},
Rule: v1.Rule{ Rule: v1.Rule{
APIGroups: []string{fmt.Sprintf("app-%d", i)}, APIGroups: []string{fmt.Sprintf("app-%d", i)},


@ -25,7 +25,7 @@ import (
"github.com/google/cel-go/cel" "github.com/google/cel-go/cel"
"k8s.io/api/admissionregistration/v1alpha1" "k8s.io/api/admissionregistration/v1beta1"
"k8s.io/apimachinery/pkg/api/meta" "k8s.io/apimachinery/pkg/api/meta"
"k8s.io/apimachinery/pkg/runtime/schema" "k8s.io/apimachinery/pkg/runtime/schema"
"k8s.io/apimachinery/pkg/util/sets" "k8s.io/apimachinery/pkg/util/sets"
@ -102,18 +102,18 @@ func (r *TypeCheckingResult) String() string {
// as []ExpressionWarning that is ready to be set in policy.Status // as []ExpressionWarning that is ready to be set in policy.Status
// The result is nil if type checking returns no warning. // The result is nil if type checking returns no warning.
// The policy object is NOT mutated. The caller should update Status accordingly // The policy object is NOT mutated. The caller should update Status accordingly
func (c *TypeChecker) Check(policy *v1alpha1.ValidatingAdmissionPolicy) []v1alpha1.ExpressionWarning { func (c *TypeChecker) Check(policy *v1beta1.ValidatingAdmissionPolicy) []v1beta1.ExpressionWarning {
ctx := c.CreateContext(policy) ctx := c.CreateContext(policy)
// warnings to return, note that the capacity is optimistically set to zero // warnings to return, note that the capacity is optimistically set to zero
var warnings []v1alpha1.ExpressionWarning // intentionally not setting capacity var warnings []v1beta1.ExpressionWarning // intentionally not setting capacity
// check main validation expressions and their message expressions, located in spec.validations[*] // check main validation expressions and their message expressions, located in spec.validations[*]
fieldRef := field.NewPath("spec", "validations") fieldRef := field.NewPath("spec", "validations")
for i, v := range policy.Spec.Validations { for i, v := range policy.Spec.Validations {
results := c.CheckExpression(ctx, v.Expression) results := c.CheckExpression(ctx, v.Expression)
if len(results) != 0 { if len(results) != 0 {
warnings = append(warnings, v1alpha1.ExpressionWarning{ warnings = append(warnings, v1beta1.ExpressionWarning{
FieldRef: fieldRef.Index(i).Child("expression").String(), FieldRef: fieldRef.Index(i).Child("expression").String(),
Warning: results.String(), Warning: results.String(),
}) })
@ -124,7 +124,7 @@ func (c *TypeChecker) Check(policy *v1alpha1.ValidatingAdmissionPolicy) []v1alph
} }
results = c.CheckExpression(ctx, v.MessageExpression) results = c.CheckExpression(ctx, v.MessageExpression)
if len(results) != 0 { if len(results) != 0 {
warnings = append(warnings, v1alpha1.ExpressionWarning{ warnings = append(warnings, v1beta1.ExpressionWarning{
FieldRef: fieldRef.Index(i).Child("messageExpression").String(), FieldRef: fieldRef.Index(i).Child("messageExpression").String(),
Warning: results.String(), Warning: results.String(),
}) })
@ -135,7 +135,7 @@ func (c *TypeChecker) Check(policy *v1alpha1.ValidatingAdmissionPolicy) []v1alph
} }
// CreateContext resolves all types and their schemas from a policy definition and creates the context. // CreateContext resolves all types and their schemas from a policy definition and creates the context.
func (c *TypeChecker) CreateContext(policy *v1alpha1.ValidatingAdmissionPolicy) *TypeCheckingContext { func (c *TypeChecker) CreateContext(policy *v1beta1.ValidatingAdmissionPolicy) *TypeCheckingContext {
ctx := new(TypeCheckingContext) ctx := new(TypeCheckingContext)
allGvks := c.typesToCheck(policy) allGvks := c.typesToCheck(policy)
gvks := make([]schema.GroupVersionKind, 0, len(allGvks)) gvks := make([]schema.GroupVersionKind, 0, len(allGvks))
@ -203,7 +203,7 @@ func (c *TypeChecker) declType(gvk schema.GroupVersionKind) (*apiservercel.DeclT
return common.SchemaDeclType(&openapi.Schema{Schema: s}, true).MaybeAssignTypeName(generateUniqueTypeName(gvk.Kind)), nil return common.SchemaDeclType(&openapi.Schema{Schema: s}, true).MaybeAssignTypeName(generateUniqueTypeName(gvk.Kind)), nil
} }
func (c *TypeChecker) paramsGVK(policy *v1alpha1.ValidatingAdmissionPolicy) schema.GroupVersionKind { func (c *TypeChecker) paramsGVK(policy *v1beta1.ValidatingAdmissionPolicy) schema.GroupVersionKind {
if policy.Spec.ParamKind == nil { if policy.Spec.ParamKind == nil {
return schema.GroupVersionKind{} return schema.GroupVersionKind{}
} }
@ -233,7 +233,7 @@ func (c *TypeChecker) checkExpression(expression string, hasParams, hasAuthorize
// typesToCheck extracts a list of GVKs that needs type checking from the policy // typesToCheck extracts a list of GVKs that needs type checking from the policy
// the result is sorted in the order of Group, Version, and Kind // the result is sorted in the order of Group, Version, and Kind
func (c *TypeChecker) typesToCheck(p *v1alpha1.ValidatingAdmissionPolicy) []schema.GroupVersionKind { func (c *TypeChecker) typesToCheck(p *v1beta1.ValidatingAdmissionPolicy) []schema.GroupVersionKind {
gvks := sets.New[schema.GroupVersionKind]() gvks := sets.New[schema.GroupVersionKind]()
if p.Spec.MatchConstraints == nil || len(p.Spec.MatchConstraints.ResourceRules) == 0 { if p.Spec.MatchConstraints == nil || len(p.Spec.MatchConstraints.ResourceRules) == 0 {
return nil return nil
@ -294,7 +294,7 @@ func (c *TypeChecker) typesToCheck(p *v1alpha1.ValidatingAdmissionPolicy) []sche
return sortGVKList(gvks.UnsortedList()) return sortGVKList(gvks.UnsortedList())
} }
func extractGroups(rule *v1alpha1.Rule) []string { func extractGroups(rule *v1beta1.Rule) []string {
groups := make([]string, 0, len(rule.APIGroups)) groups := make([]string, 0, len(rule.APIGroups))
for _, group := range rule.APIGroups { for _, group := range rule.APIGroups {
// give up if wildcard // give up if wildcard
@ -306,7 +306,7 @@ func extractGroups(rule *v1alpha1.Rule) []string {
return groups return groups
} }
func extractVersions(rule *v1alpha1.Rule) []string { func extractVersions(rule *v1beta1.Rule) []string {
versions := make([]string, 0, len(rule.APIVersions)) versions := make([]string, 0, len(rule.APIVersions))
for _, version := range rule.APIVersions { for _, version := range rule.APIVersions {
if strings.ContainsAny(version, "*") { if strings.ContainsAny(version, "*") {
@ -317,7 +317,7 @@ func extractVersions(rule *v1alpha1.Rule) []string {
return versions return versions
} }
func extractResources(rule *v1alpha1.Rule) []string { func extractResources(rule *v1beta1.Rule) []string {
resources := make([]string, 0, len(rule.Resources)) resources := make([]string, 0, len(rule.Resources))
for _, resource := range rule.Resources { for _, resource := range rule.Resources {
// skip wildcard and subresources // skip wildcard and subresources


@ -22,7 +22,7 @@ import (
"strings" "strings"
"testing" "testing"
"k8s.io/api/admissionregistration/v1alpha1" "k8s.io/api/admissionregistration/v1beta1"
appsv1 "k8s.io/api/apps/v1" appsv1 "k8s.io/api/apps/v1"
corev1 "k8s.io/api/core/v1" corev1 "k8s.io/api/core/v1"
"k8s.io/apimachinery/pkg/api/meta" "k8s.io/apimachinery/pkg/api/meta"
@ -34,21 +34,21 @@ import (
func TestExtractTypeNames(t *testing.T) { func TestExtractTypeNames(t *testing.T) {
for _, tc := range []struct { for _, tc := range []struct {
name string name string
policy *v1alpha1.ValidatingAdmissionPolicy policy *v1beta1.ValidatingAdmissionPolicy
expected []schema.GroupVersionKind // must be sorted expected []schema.GroupVersionKind // must be sorted
}{ }{
{ {
name: "empty", name: "empty",
policy: &v1alpha1.ValidatingAdmissionPolicy{}, policy: &v1beta1.ValidatingAdmissionPolicy{},
expected: nil, expected: nil,
}, },
{ {
name: "specific", name: "specific",
policy: &v1alpha1.ValidatingAdmissionPolicy{Spec: v1alpha1.ValidatingAdmissionPolicySpec{ policy: &v1beta1.ValidatingAdmissionPolicy{Spec: v1beta1.ValidatingAdmissionPolicySpec{
MatchConstraints: &v1alpha1.MatchResources{ResourceRules: []v1alpha1.NamedRuleWithOperations{ MatchConstraints: &v1beta1.MatchResources{ResourceRules: []v1beta1.NamedRuleWithOperations{
{ {
RuleWithOperations: v1alpha1.RuleWithOperations{ RuleWithOperations: v1beta1.RuleWithOperations{
Rule: v1alpha1.Rule{ Rule: v1beta1.Rule{
APIGroups: []string{"apps"}, APIGroups: []string{"apps"},
APIVersions: []string{"v1"}, APIVersions: []string{"v1"},
Resources: []string{"deployments"}, Resources: []string{"deployments"},
@ -65,19 +65,19 @@ func TestExtractTypeNames(t *testing.T) {
}, },
{ {
name: "multiple", name: "multiple",
policy: &v1alpha1.ValidatingAdmissionPolicy{Spec: v1alpha1.ValidatingAdmissionPolicySpec{ policy: &v1beta1.ValidatingAdmissionPolicy{Spec: v1beta1.ValidatingAdmissionPolicySpec{
MatchConstraints: &v1alpha1.MatchResources{ResourceRules: []v1alpha1.NamedRuleWithOperations{ MatchConstraints: &v1beta1.MatchResources{ResourceRules: []v1beta1.NamedRuleWithOperations{
{ {
RuleWithOperations: v1alpha1.RuleWithOperations{ RuleWithOperations: v1beta1.RuleWithOperations{
Rule: v1alpha1.Rule{ Rule: v1beta1.Rule{
APIGroups: []string{"apps"}, APIGroups: []string{"apps"},
APIVersions: []string{"v1"}, APIVersions: []string{"v1"},
Resources: []string{"deployments"}, Resources: []string{"deployments"},
}, },
}, },
}, { }, {
RuleWithOperations: v1alpha1.RuleWithOperations{ RuleWithOperations: v1beta1.RuleWithOperations{
Rule: v1alpha1.Rule{ Rule: v1beta1.Rule{
APIGroups: []string{""}, APIGroups: []string{""},
APIVersions: []string{"v1"}, APIVersions: []string{"v1"},
Resources: []string{"pods"}, Resources: []string{"pods"},
@ -98,11 +98,11 @@ func TestExtractTypeNames(t *testing.T) {
}, },
{ {
name: "all resources", name: "all resources",
policy: &v1alpha1.ValidatingAdmissionPolicy{Spec: v1alpha1.ValidatingAdmissionPolicySpec{ policy: &v1beta1.ValidatingAdmissionPolicy{Spec: v1beta1.ValidatingAdmissionPolicySpec{
MatchConstraints: &v1alpha1.MatchResources{ResourceRules: []v1alpha1.NamedRuleWithOperations{ MatchConstraints: &v1beta1.MatchResources{ResourceRules: []v1beta1.NamedRuleWithOperations{
{ {
RuleWithOperations: v1alpha1.RuleWithOperations{ RuleWithOperations: v1beta1.RuleWithOperations{
Rule: v1alpha1.Rule{ Rule: v1beta1.Rule{
APIGroups: []string{"apps"}, APIGroups: []string{"apps"},
APIVersions: []string{"v1"}, APIVersions: []string{"v1"},
Resources: []string{"*"}, Resources: []string{"*"},
@ -115,11 +115,11 @@ func TestExtractTypeNames(t *testing.T) {
}, },
{ {
name: "sub resources", name: "sub resources",
policy: &v1alpha1.ValidatingAdmissionPolicy{Spec: v1alpha1.ValidatingAdmissionPolicySpec{ policy: &v1beta1.ValidatingAdmissionPolicy{Spec: v1beta1.ValidatingAdmissionPolicySpec{
MatchConstraints: &v1alpha1.MatchResources{ResourceRules: []v1alpha1.NamedRuleWithOperations{ MatchConstraints: &v1beta1.MatchResources{ResourceRules: []v1beta1.NamedRuleWithOperations{
{ {
RuleWithOperations: v1alpha1.RuleWithOperations{ RuleWithOperations: v1beta1.RuleWithOperations{
Rule: v1alpha1.Rule{ Rule: v1beta1.Rule{
APIGroups: []string{"apps"}, APIGroups: []string{"apps"},
APIVersions: []string{"v1"}, APIVersions: []string{"v1"},
Resources: []string{"pods/*"}, Resources: []string{"pods/*"},
@ -132,11 +132,11 @@ func TestExtractTypeNames(t *testing.T) {
}, },
{ {
name: "mixtures", name: "mixtures",
policy: &v1alpha1.ValidatingAdmissionPolicy{Spec: v1alpha1.ValidatingAdmissionPolicySpec{ policy: &v1beta1.ValidatingAdmissionPolicy{Spec: v1beta1.ValidatingAdmissionPolicySpec{
MatchConstraints: &v1alpha1.MatchResources{ResourceRules: []v1alpha1.NamedRuleWithOperations{ MatchConstraints: &v1beta1.MatchResources{ResourceRules: []v1beta1.NamedRuleWithOperations{
{ {
RuleWithOperations: v1alpha1.RuleWithOperations{ RuleWithOperations: v1beta1.RuleWithOperations{
Rule: v1alpha1.Rule{ Rule: v1beta1.Rule{
APIGroups: []string{"apps"}, APIGroups: []string{"apps"},
APIVersions: []string{"v1"}, APIVersions: []string{"v1"},
Resources: []string{"deployments"}, Resources: []string{"deployments"},
@ -144,8 +144,8 @@ func TestExtractTypeNames(t *testing.T) {
}, },
}, },
{ {
RuleWithOperations: v1alpha1.RuleWithOperations{ RuleWithOperations: v1beta1.RuleWithOperations{
Rule: v1alpha1.Rule{ Rule: v1beta1.Rule{
APIGroups: []string{"apps"}, APIGroups: []string{"apps"},
APIVersions: []string{"*"}, APIVersions: []string{"*"},
Resources: []string{"deployments"}, Resources: []string{"deployments"},
@ -172,16 +172,16 @@ func TestExtractTypeNames(t *testing.T) {
} }
func TestTypeCheck(t *testing.T) { func TestTypeCheck(t *testing.T) {
deploymentPolicy := &v1alpha1.ValidatingAdmissionPolicy{Spec: v1alpha1.ValidatingAdmissionPolicySpec{ deploymentPolicy := &v1beta1.ValidatingAdmissionPolicy{Spec: v1beta1.ValidatingAdmissionPolicySpec{
Validations: []v1alpha1.Validation{ Validations: []v1beta1.Validation{
{ {
Expression: "object.foo == 'bar'", Expression: "object.foo == 'bar'",
}, },
}, },
MatchConstraints: &v1alpha1.MatchResources{ResourceRules: []v1alpha1.NamedRuleWithOperations{ MatchConstraints: &v1beta1.MatchResources{ResourceRules: []v1beta1.NamedRuleWithOperations{
{ {
RuleWithOperations: v1alpha1.RuleWithOperations{ RuleWithOperations: v1beta1.RuleWithOperations{
Rule: v1alpha1.Rule{ Rule: v1beta1.Rule{
APIGroups: []string{"apps"}, APIGroups: []string{"apps"},
APIVersions: []string{"v1"}, APIVersions: []string{"v1"},
Resources: []string{"deployments"}, Resources: []string{"deployments"},
@ -194,8 +194,8 @@ func TestTypeCheck(t *testing.T) {
deploymentPolicyWithBadMessageExpression := deploymentPolicy.DeepCopy() deploymentPolicyWithBadMessageExpression := deploymentPolicy.DeepCopy()
deploymentPolicyWithBadMessageExpression.Spec.Validations[0].MessageExpression = "object.foo + 114514" // confusion deploymentPolicyWithBadMessageExpression.Spec.Validations[0].MessageExpression = "object.foo + 114514" // confusion
multiExpressionPolicy := &v1alpha1.ValidatingAdmissionPolicy{Spec: v1alpha1.ValidatingAdmissionPolicySpec{ multiExpressionPolicy := &v1beta1.ValidatingAdmissionPolicy{Spec: v1beta1.ValidatingAdmissionPolicySpec{
Validations: []v1alpha1.Validation{ Validations: []v1beta1.Validation{
{ {
Expression: "object.foo == 'bar'", Expression: "object.foo == 'bar'",
}, },
@ -203,10 +203,10 @@ func TestTypeCheck(t *testing.T) {
Expression: "object.bar == 'foo'", Expression: "object.bar == 'foo'",
}, },
}, },
MatchConstraints: &v1alpha1.MatchResources{ResourceRules: []v1alpha1.NamedRuleWithOperations{ MatchConstraints: &v1beta1.MatchResources{ResourceRules: []v1beta1.NamedRuleWithOperations{
{ {
RuleWithOperations: v1alpha1.RuleWithOperations{ RuleWithOperations: v1beta1.RuleWithOperations{
Rule: v1alpha1.Rule{ Rule: v1beta1.Rule{
APIGroups: []string{"apps"}, APIGroups: []string{"apps"},
APIVersions: []string{"v1"}, APIVersions: []string{"v1"},
Resources: []string{"deployments"}, Resources: []string{"deployments"},
@ -215,20 +215,20 @@ func TestTypeCheck(t *testing.T) {
}, },
}}, }},
}} }}
paramsRefPolicy := &v1alpha1.ValidatingAdmissionPolicy{Spec: v1alpha1.ValidatingAdmissionPolicySpec{ paramsRefPolicy := &v1beta1.ValidatingAdmissionPolicy{Spec: v1beta1.ValidatingAdmissionPolicySpec{
ParamKind: &v1alpha1.ParamKind{ ParamKind: &v1beta1.ParamKind{
APIVersion: "v1", APIVersion: "v1",
Kind: "DoesNotMatter", Kind: "DoesNotMatter",
}, },
Validations: []v1alpha1.Validation{ Validations: []v1beta1.Validation{
{ {
Expression: "object.foo == params.bar", Expression: "object.foo == params.bar",
}, },
}, },
MatchConstraints: &v1alpha1.MatchResources{ResourceRules: []v1alpha1.NamedRuleWithOperations{ MatchConstraints: &v1beta1.MatchResources{ResourceRules: []v1beta1.NamedRuleWithOperations{
{ {
RuleWithOperations: v1alpha1.RuleWithOperations{ RuleWithOperations: v1beta1.RuleWithOperations{
Rule: v1alpha1.Rule{ Rule: v1beta1.Rule{
APIGroups: []string{"apps"}, APIGroups: []string{"apps"},
APIVersions: []string{"v1"}, APIVersions: []string{"v1"},
Resources: []string{"deployments"}, Resources: []string{"deployments"},
@ -237,16 +237,16 @@ func TestTypeCheck(t *testing.T) {
}, },
}}, }},
}} }}
authorizerPolicy := &v1alpha1.ValidatingAdmissionPolicy{Spec: v1alpha1.ValidatingAdmissionPolicySpec{ authorizerPolicy := &v1beta1.ValidatingAdmissionPolicy{Spec: v1beta1.ValidatingAdmissionPolicySpec{
Validations: []v1alpha1.Validation{ Validations: []v1beta1.Validation{
{ {
Expression: "authorizer.group('').resource('endpoints').check('create').allowed()", Expression: "authorizer.group('').resource('endpoints').check('create').allowed()",
}, },
}, },
MatchConstraints: &v1alpha1.MatchResources{ResourceRules: []v1alpha1.NamedRuleWithOperations{ MatchConstraints: &v1beta1.MatchResources{ResourceRules: []v1beta1.NamedRuleWithOperations{
{ {
RuleWithOperations: v1alpha1.RuleWithOperations{ RuleWithOperations: v1beta1.RuleWithOperations{
Rule: v1alpha1.Rule{ Rule: v1beta1.Rule{
APIGroups: []string{"apps"}, APIGroups: []string{"apps"},
APIVersions: []string{"v1"}, APIVersions: []string{"v1"},
Resources: []string{"deployments"}, Resources: []string{"deployments"},
@ -255,16 +255,16 @@ func TestTypeCheck(t *testing.T) {
}, },
}}, }},
}} }}
authorizerInvalidPolicy := &v1alpha1.ValidatingAdmissionPolicy{Spec: v1alpha1.ValidatingAdmissionPolicySpec{ authorizerInvalidPolicy := &v1beta1.ValidatingAdmissionPolicy{Spec: v1beta1.ValidatingAdmissionPolicySpec{
Validations: []v1alpha1.Validation{ Validations: []v1beta1.Validation{
{ {
Expression: "authorizer.allowed()", Expression: "authorizer.allowed()",
}, },
}, },
MatchConstraints: &v1alpha1.MatchResources{ResourceRules: []v1alpha1.NamedRuleWithOperations{ MatchConstraints: &v1beta1.MatchResources{ResourceRules: []v1beta1.NamedRuleWithOperations{
{ {
RuleWithOperations: v1alpha1.RuleWithOperations{ RuleWithOperations: v1beta1.RuleWithOperations{
Rule: v1alpha1.Rule{ Rule: v1beta1.Rule{
APIGroups: []string{"apps"}, APIGroups: []string{"apps"},
APIVersions: []string{"v1"}, APIVersions: []string{"v1"},
Resources: []string{"deployments"}, Resources: []string{"deployments"},
@ -276,12 +276,12 @@ func TestTypeCheck(t *testing.T) {
for _, tc := range []struct { for _, tc := range []struct {
name string name string
schemaToReturn *spec.Schema schemaToReturn *spec.Schema
policy *v1alpha1.ValidatingAdmissionPolicy policy *v1beta1.ValidatingAdmissionPolicy
assertions []assertionFunc assertions []assertionFunc
}{ }{
{ {
name: "empty", name: "empty",
policy: &v1alpha1.ValidatingAdmissionPolicy{}, policy: &v1beta1.ValidatingAdmissionPolicy{},
assertions: []assertionFunc{toBeEmpty}, assertions: []assertionFunc{toBeEmpty},
}, },
{ {
@ -451,14 +451,14 @@ func (r *fakeSchemaResolver) ResolveSchema(gvk schema.GroupVersionKind) (*spec.S
return r.schemaToReturn, nil return r.schemaToReturn, nil
} }
func toBeEmpty(warnings []v1alpha1.ExpressionWarning, t *testing.T) { func toBeEmpty(warnings []v1beta1.ExpressionWarning, t *testing.T) {
if len(warnings) != 0 { if len(warnings) != 0 {
t.Fatalf("expected empty but got %v", warnings) t.Fatalf("expected empty but got %v", warnings)
} }
} }
func toContain(substring string) func(warnings []v1alpha1.ExpressionWarning, t *testing.T) { func toContain(substring string) func(warnings []v1beta1.ExpressionWarning, t *testing.T) {
return func(warnings []v1alpha1.ExpressionWarning, t *testing.T) { return func(warnings []v1beta1.ExpressionWarning, t *testing.T) {
if len(warnings) == 0 { if len(warnings) == 0 {
t.Errorf("expected containing %q but got empty", substring) t.Errorf("expected containing %q but got empty", substring)
} }
@ -470,8 +470,8 @@ func toContain(substring string) func(warnings []v1alpha1.ExpressionWarning, t *
} }
} }
func toHaveLengthOf(expected int) func(warnings []v1alpha1.ExpressionWarning, t *testing.T) { func toHaveLengthOf(expected int) func(warnings []v1beta1.ExpressionWarning, t *testing.T) {
return func(warnings []v1alpha1.ExpressionWarning, t *testing.T) { return func(warnings []v1beta1.ExpressionWarning, t *testing.T) {
got := len(warnings) got := len(warnings)
if expected != got { if expected != got {
t.Errorf("expect warnings to have length of %d, but got %d", expected, got) t.Errorf("expect warnings to have length of %d, but got %d", expected, got)
@ -479,8 +479,8 @@ func toHaveLengthOf(expected int) func(warnings []v1alpha1.ExpressionWarning, t
} }
} }
func toHaveFieldRef(paths ...string) func(warnings []v1alpha1.ExpressionWarning, t *testing.T) { func toHaveFieldRef(paths ...string) func(warnings []v1beta1.ExpressionWarning, t *testing.T) {
return func(warnings []v1alpha1.ExpressionWarning, t *testing.T) { return func(warnings []v1beta1.ExpressionWarning, t *testing.T) {
if len(paths) != len(warnings) { if len(paths) != len(warnings) {
t.Errorf("expect warnings to have length of %d, but got %d", len(paths), len(warnings)) t.Errorf("expect warnings to have length of %d, but got %d", len(paths), len(warnings))
} }
@ -492,4 +492,4 @@ func toHaveFieldRef(paths ...string) func(warnings []v1alpha1.ExpressionWarning,
} }
} }
type assertionFunc func(warnings []v1alpha1.ExpressionWarning, t *testing.T) type assertionFunc func(warnings []v1beta1.ExpressionWarning, t *testing.T)


@ -25,7 +25,7 @@ import (
"github.com/onsi/gomega" "github.com/onsi/gomega"
admissionregistrationv1 "k8s.io/api/admissionregistration/v1" admissionregistrationv1 "k8s.io/api/admissionregistration/v1"
admissionregistrationv1alpha1 "k8s.io/api/admissionregistration/v1alpha1" admissionregistrationv1beta1 "k8s.io/api/admissionregistration/v1beta1"
appsv1 "k8s.io/api/apps/v1" appsv1 "k8s.io/api/apps/v1"
v1 "k8s.io/api/core/v1" v1 "k8s.io/api/core/v1"
apierrors "k8s.io/apimachinery/pkg/api/errors" apierrors "k8s.io/apimachinery/pkg/api/errors"
@ -46,10 +46,10 @@ var _ = SIGDescribe("ValidatingAdmissionPolicy [Privileged:ClusterAdmin][Alpha][
var err error var err error
client, err = clientset.NewForConfig(f.ClientConfig()) client, err = clientset.NewForConfig(f.ClientConfig())
framework.ExpectNoError(err, "initializing client") framework.ExpectNoError(err, "initializing client")
_, err = client.AdmissionregistrationV1alpha1().ValidatingAdmissionPolicies().List(context.Background(), metav1.ListOptions{}) _, err = client.AdmissionregistrationV1beta1().ValidatingAdmissionPolicies().List(context.Background(), metav1.ListOptions{})
if apierrors.IsNotFound(err) { if apierrors.IsNotFound(err) {
// TODO: feature check should fail after GA graduation // TODO: feature check should fail after GA graduation
ginkgo.Skip(fmt.Sprintf("server does not support ValidatingAdmissionPolicy v1alpha1: %v, feature gate not enabled?", err)) ginkgo.Skip(fmt.Sprintf("server does not support ValidatingAdmissionPolicy v1beta1: %v, feature gate not enabled?", err))
} }
}) })
@ -68,25 +68,25 @@ var _ = SIGDescribe("ValidatingAdmissionPolicy [Privileged:ClusterAdmin][Alpha][
StartResourceRule(). StartResourceRule().
MatchResource([]string{"apps"}, []string{"v1"}, []string{"deployments"}). MatchResource([]string{"apps"}, []string{"v1"}, []string{"deployments"}).
EndResourceRule(). EndResourceRule().
WithValidation(admissionregistrationv1alpha1.Validation{ WithValidation(admissionregistrationv1beta1.Validation{
Expression: "object.spec.replicas > 1", Expression: "object.spec.replicas > 1",
MessageExpression: "'wants replicas > 1, got ' + object.spec.replicas", MessageExpression: "'wants replicas > 1, got ' + object.spec.replicas",
}). }).
WithValidation(admissionregistrationv1alpha1.Validation{ WithValidation(admissionregistrationv1beta1.Validation{
Expression: "namespaceObject.metadata.name == '" + f.UniqueName + "'", Expression: "namespaceObject.metadata.name == '" + f.UniqueName + "'",
Message: "Internal error! Other namespace should not be allowed.", Message: "Internal error! Other namespace should not be allowed.",
}). }).
Build() Build()
policy, err := client.AdmissionregistrationV1alpha1().ValidatingAdmissionPolicies().Create(ctx, policy, metav1.CreateOptions{}) policy, err := client.AdmissionregistrationV1beta1().ValidatingAdmissionPolicies().Create(ctx, policy, metav1.CreateOptions{})
framework.ExpectNoError(err, "create policy") framework.ExpectNoError(err, "create policy")
ginkgo.DeferCleanup(func(ctx context.Context, name string) error { ginkgo.DeferCleanup(func(ctx context.Context, name string) error {
return client.AdmissionregistrationV1alpha1().ValidatingAdmissionPolicies().Delete(ctx, name, metav1.DeleteOptions{}) return client.AdmissionregistrationV1beta1().ValidatingAdmissionPolicies().Delete(ctx, name, metav1.DeleteOptions{})
}, policy.Name) }, policy.Name)
binding := createBinding(f.UniqueName+".binding.example.com", f.UniqueName, policy.Name) binding := createBinding(f.UniqueName+".binding.example.com", f.UniqueName, policy.Name)
binding, err = client.AdmissionregistrationV1alpha1().ValidatingAdmissionPolicyBindings().Create(ctx, binding, metav1.CreateOptions{}) binding, err = client.AdmissionregistrationV1beta1().ValidatingAdmissionPolicyBindings().Create(ctx, binding, metav1.CreateOptions{})
framework.ExpectNoError(err, "create policy binding") framework.ExpectNoError(err, "create policy binding")
ginkgo.DeferCleanup(func(ctx context.Context, name string) error { ginkgo.DeferCleanup(func(ctx context.Context, name string) error {
return client.AdmissionregistrationV1alpha1().ValidatingAdmissionPolicyBindings().Delete(ctx, name, metav1.DeleteOptions{}) return client.AdmissionregistrationV1beta1().ValidatingAdmissionPolicyBindings().Delete(ctx, name, metav1.DeleteOptions{})
}, binding.Name) }, binding.Name)
}) })
ginkgo.By("waiting until the marker is denied", func() { ginkgo.By("waiting until the marker is denied", func() {
@ -119,27 +119,27 @@ var _ = SIGDescribe("ValidatingAdmissionPolicy [Privileged:ClusterAdmin][Alpha][
}) })
ginkgo.It("should type check validation expressions", func(ctx context.Context) { ginkgo.It("should type check validation expressions", func(ctx context.Context) {
var policy *admissionregistrationv1alpha1.ValidatingAdmissionPolicy var policy *admissionregistrationv1beta1.ValidatingAdmissionPolicy
ginkgo.By("creating the policy with correct types", func() { ginkgo.By("creating the policy with correct types", func() {
policy = newValidatingAdmissionPolicyBuilder(f.UniqueName+".correct-policy.example.com"). policy = newValidatingAdmissionPolicyBuilder(f.UniqueName+".correct-policy.example.com").
MatchUniqueNamespace(f.UniqueName). MatchUniqueNamespace(f.UniqueName).
StartResourceRule(). StartResourceRule().
MatchResource([]string{"apps"}, []string{"v1"}, []string{"deployments"}). MatchResource([]string{"apps"}, []string{"v1"}, []string{"deployments"}).
EndResourceRule(). EndResourceRule().
WithValidation(admissionregistrationv1alpha1.Validation{ WithValidation(admissionregistrationv1beta1.Validation{
Expression: "object.spec.replicas > 1", Expression: "object.spec.replicas > 1",
}). }).
Build() Build()
var err error var err error
policy, err = client.AdmissionregistrationV1alpha1().ValidatingAdmissionPolicies().Create(ctx, policy, metav1.CreateOptions{}) policy, err = client.AdmissionregistrationV1beta1().ValidatingAdmissionPolicies().Create(ctx, policy, metav1.CreateOptions{})
framework.ExpectNoError(err, "create policy") framework.ExpectNoError(err, "create policy")
ginkgo.DeferCleanup(func(ctx context.Context, name string) error { ginkgo.DeferCleanup(func(ctx context.Context, name string) error {
return client.AdmissionregistrationV1alpha1().ValidatingAdmissionPolicies().Delete(ctx, name, metav1.DeleteOptions{}) return client.AdmissionregistrationV1beta1().ValidatingAdmissionPolicies().Delete(ctx, name, metav1.DeleteOptions{})
}, policy.Name) }, policy.Name)
}) })
ginkgo.By("waiting for the type check to finish without any warnings", func() { ginkgo.By("waiting for the type check to finish without any warnings", func() {
err := wait.PollUntilContextCancel(ctx, 100*time.Millisecond, true, func(ctx context.Context) (done bool, err error) { err := wait.PollUntilContextCancel(ctx, 100*time.Millisecond, true, func(ctx context.Context) (done bool, err error) {
policy, err = client.AdmissionregistrationV1alpha1().ValidatingAdmissionPolicies().Get(ctx, policy.Name, metav1.GetOptions{}) policy, err = client.AdmissionregistrationV1beta1().ValidatingAdmissionPolicies().Get(ctx, policy.Name, metav1.GetOptions{})
if err != nil { if err != nil {
return false, err return false, err
} }
@ -157,21 +157,21 @@ var _ = SIGDescribe("ValidatingAdmissionPolicy [Privileged:ClusterAdmin][Alpha][
StartResourceRule(). StartResourceRule().
MatchResource([]string{"apps"}, []string{"v1"}, []string{"deployments"}). MatchResource([]string{"apps"}, []string{"v1"}, []string{"deployments"}).
EndResourceRule(). EndResourceRule().
WithValidation(admissionregistrationv1alpha1.Validation{ WithValidation(admissionregistrationv1beta1.Validation{
Expression: "object.spec.replicas > '1'", // confusion: int > string Expression: "object.spec.replicas > '1'", // confusion: int > string
MessageExpression: "'wants replicas > 1, got ' + object.spec.replicas", // confusion: string + int MessageExpression: "'wants replicas > 1, got ' + object.spec.replicas", // confusion: string + int
}). }).
Build() Build()
var err error var err error
policy, err = client.AdmissionregistrationV1alpha1().ValidatingAdmissionPolicies().Create(ctx, policy, metav1.CreateOptions{}) policy, err = client.AdmissionregistrationV1beta1().ValidatingAdmissionPolicies().Create(ctx, policy, metav1.CreateOptions{})
framework.ExpectNoError(err, "create policy") framework.ExpectNoError(err, "create policy")
ginkgo.DeferCleanup(func(ctx context.Context, name string) error { ginkgo.DeferCleanup(func(ctx context.Context, name string) error {
return client.AdmissionregistrationV1alpha1().ValidatingAdmissionPolicies().Delete(ctx, name, metav1.DeleteOptions{}) return client.AdmissionregistrationV1beta1().ValidatingAdmissionPolicies().Delete(ctx, name, metav1.DeleteOptions{})
}, policy.Name) }, policy.Name)
}) })
ginkgo.By("waiting for the type check to finish with warnings", func() { ginkgo.By("waiting for the type check to finish with warnings", func() {
err := wait.PollUntilContextCancel(ctx, 100*time.Millisecond, true, func(ctx context.Context) (done bool, err error) { err := wait.PollUntilContextCancel(ctx, 100*time.Millisecond, true, func(ctx context.Context) (done bool, err error) {
policy, err = client.AdmissionregistrationV1alpha1().ValidatingAdmissionPolicies().Get(ctx, policy.Name, metav1.GetOptions{}) policy, err = client.AdmissionregistrationV1beta1().ValidatingAdmissionPolicies().Get(ctx, policy.Name, metav1.GetOptions{})
if err != nil { if err != nil {
return false, err return false, err
} }
@ -200,28 +200,28 @@ var _ = SIGDescribe("ValidatingAdmissionPolicy [Privileged:ClusterAdmin][Alpha][
StartResourceRule(). StartResourceRule().
MatchResource([]string{"apps"}, []string{"v1"}, []string{"deployments"}). MatchResource([]string{"apps"}, []string{"v1"}, []string{"deployments"}).
EndResourceRule(). EndResourceRule().
WithVariable(admissionregistrationv1alpha1.Variable{ WithVariable(admissionregistrationv1beta1.Variable{
Name: "replicas", Name: "replicas",
Expression: "object.spec.replicas", Expression: "object.spec.replicas",
}). }).
WithVariable(admissionregistrationv1alpha1.Variable{ WithVariable(admissionregistrationv1beta1.Variable{
Name: "replicasReminder", // a bit artificial but good for testing purpose Name: "replicasReminder", // a bit artificial but good for testing purpose
Expression: "variables.replicas % 2", Expression: "variables.replicas % 2",
}). }).
WithValidation(admissionregistrationv1alpha1.Validation{ WithValidation(admissionregistrationv1beta1.Validation{
Expression: "variables.replicas > 1 && variables.replicasReminder == 1", Expression: "variables.replicas > 1 && variables.replicasReminder == 1",
}). }).
Build() Build()
policy, err := client.AdmissionregistrationV1alpha1().ValidatingAdmissionPolicies().Create(ctx, policy, metav1.CreateOptions{}) policy, err := client.AdmissionregistrationV1beta1().ValidatingAdmissionPolicies().Create(ctx, policy, metav1.CreateOptions{})
framework.ExpectNoError(err, "create policy") framework.ExpectNoError(err, "create policy")
ginkgo.DeferCleanup(func(ctx context.Context, name string) error { ginkgo.DeferCleanup(func(ctx context.Context, name string) error {
return client.AdmissionregistrationV1alpha1().ValidatingAdmissionPolicies().Delete(ctx, name, metav1.DeleteOptions{}) return client.AdmissionregistrationV1beta1().ValidatingAdmissionPolicies().Delete(ctx, name, metav1.DeleteOptions{})
}, policy.Name) }, policy.Name)
binding := createBinding(f.UniqueName+".binding.example.com", f.UniqueName, policy.Name) binding := createBinding(f.UniqueName+".binding.example.com", f.UniqueName, policy.Name)
binding, err = client.AdmissionregistrationV1alpha1().ValidatingAdmissionPolicyBindings().Create(ctx, binding, metav1.CreateOptions{}) binding, err = client.AdmissionregistrationV1beta1().ValidatingAdmissionPolicyBindings().Create(ctx, binding, metav1.CreateOptions{})
framework.ExpectNoError(err, "create policy binding") framework.ExpectNoError(err, "create policy binding")
ginkgo.DeferCleanup(func(ctx context.Context, name string) error { ginkgo.DeferCleanup(func(ctx context.Context, name string) error {
return client.AdmissionregistrationV1alpha1().ValidatingAdmissionPolicyBindings().Delete(ctx, name, metav1.DeleteOptions{}) return client.AdmissionregistrationV1beta1().ValidatingAdmissionPolicyBindings().Delete(ctx, name, metav1.DeleteOptions{})
}, binding.Name) }, binding.Name)
}) })
ginkgo.By("waiting until the marker is denied", func() { ginkgo.By("waiting until the marker is denied", func() {
@ -254,17 +254,17 @@ var _ = SIGDescribe("ValidatingAdmissionPolicy [Privileged:ClusterAdmin][Alpha][
}) })
}) })
func createBinding(bindingName string, uniqueLabel string, policyName string) *admissionregistrationv1alpha1.ValidatingAdmissionPolicyBinding { func createBinding(bindingName string, uniqueLabel string, policyName string) *admissionregistrationv1beta1.ValidatingAdmissionPolicyBinding {
return &admissionregistrationv1alpha1.ValidatingAdmissionPolicyBinding{ return &admissionregistrationv1beta1.ValidatingAdmissionPolicyBinding{
ObjectMeta: metav1.ObjectMeta{Name: bindingName}, ObjectMeta: metav1.ObjectMeta{Name: bindingName},
Spec: admissionregistrationv1alpha1.ValidatingAdmissionPolicyBindingSpec{ Spec: admissionregistrationv1beta1.ValidatingAdmissionPolicyBindingSpec{
PolicyName: policyName, PolicyName: policyName,
MatchResources: &admissionregistrationv1alpha1.MatchResources{ MatchResources: &admissionregistrationv1beta1.MatchResources{
NamespaceSelector: &metav1.LabelSelector{ NamespaceSelector: &metav1.LabelSelector{
MatchLabels: map[string]string{uniqueLabel: "true"}, MatchLabels: map[string]string{uniqueLabel: "true"},
}, },
}, },
ValidationActions: []admissionregistrationv1alpha1.ValidationAction{admissionregistrationv1alpha1.Deny}, ValidationActions: []admissionregistrationv1beta1.ValidationAction{admissionregistrationv1beta1.Deny},
}, },
} }
} }
@ -324,17 +324,17 @@ func basicReplicaSet(name string, replicas int32) *appsv1.ReplicaSet {
} }
type validatingAdmissionPolicyBuilder struct { type validatingAdmissionPolicyBuilder struct {
policy *admissionregistrationv1alpha1.ValidatingAdmissionPolicy policy *admissionregistrationv1beta1.ValidatingAdmissionPolicy
} }
type resourceRuleBuilder struct { type resourceRuleBuilder struct {
policyBuilder *validatingAdmissionPolicyBuilder policyBuilder *validatingAdmissionPolicyBuilder
resourceRule *admissionregistrationv1alpha1.NamedRuleWithOperations resourceRule *admissionregistrationv1beta1.NamedRuleWithOperations
} }
func newValidatingAdmissionPolicyBuilder(policyName string) *validatingAdmissionPolicyBuilder { func newValidatingAdmissionPolicyBuilder(policyName string) *validatingAdmissionPolicyBuilder {
return &validatingAdmissionPolicyBuilder{ return &validatingAdmissionPolicyBuilder{
policy: &admissionregistrationv1alpha1.ValidatingAdmissionPolicy{ policy: &admissionregistrationv1beta1.ValidatingAdmissionPolicy{
ObjectMeta: metav1.ObjectMeta{Name: policyName}, ObjectMeta: metav1.ObjectMeta{Name: policyName},
}, },
} }
@ -342,7 +342,7 @@ func newValidatingAdmissionPolicyBuilder(policyName string) *validatingAdmission
func (b *validatingAdmissionPolicyBuilder) MatchUniqueNamespace(uniqueLabel string) *validatingAdmissionPolicyBuilder { func (b *validatingAdmissionPolicyBuilder) MatchUniqueNamespace(uniqueLabel string) *validatingAdmissionPolicyBuilder {
if b.policy.Spec.MatchConstraints == nil { if b.policy.Spec.MatchConstraints == nil {
b.policy.Spec.MatchConstraints = &admissionregistrationv1alpha1.MatchResources{} b.policy.Spec.MatchConstraints = &admissionregistrationv1beta1.MatchResources{}
} }
b.policy.Spec.MatchConstraints.NamespaceSelector = &metav1.LabelSelector{ b.policy.Spec.MatchConstraints.NamespaceSelector = &metav1.LabelSelector{
MatchLabels: map[string]string{ MatchLabels: map[string]string{
@ -355,10 +355,10 @@ func (b *validatingAdmissionPolicyBuilder) MatchUniqueNamespace(uniqueLabel stri
func (b *validatingAdmissionPolicyBuilder) StartResourceRule() *resourceRuleBuilder { func (b *validatingAdmissionPolicyBuilder) StartResourceRule() *resourceRuleBuilder {
return &resourceRuleBuilder{ return &resourceRuleBuilder{
policyBuilder: b, policyBuilder: b,
resourceRule: &admissionregistrationv1alpha1.NamedRuleWithOperations{ resourceRule: &admissionregistrationv1beta1.NamedRuleWithOperations{
RuleWithOperations: admissionregistrationv1alpha1.RuleWithOperations{ RuleWithOperations: admissionregistrationv1beta1.RuleWithOperations{
Operations: []admissionregistrationv1.OperationType{admissionregistrationv1.Create, admissionregistrationv1.Update}, Operations: []admissionregistrationv1.OperationType{admissionregistrationv1.Create, admissionregistrationv1.Update},
Rule: admissionregistrationv1alpha1.Rule{ Rule: admissionregistrationv1beta1.Rule{
APIGroups: []string{"apps"}, APIGroups: []string{"apps"},
APIVersions: []string{"v1"}, APIVersions: []string{"v1"},
Resources: []string{"deployments"}, Resources: []string{"deployments"},
@ -374,7 +374,7 @@ func (rb *resourceRuleBuilder) CreateAndUpdate() *resourceRuleBuilder {
} }
func (rb *resourceRuleBuilder) MatchResource(groups []string, versions []string, resources []string) *resourceRuleBuilder { func (rb *resourceRuleBuilder) MatchResource(groups []string, versions []string, resources []string) *resourceRuleBuilder {
rb.resourceRule.Rule = admissionregistrationv1alpha1.Rule{ rb.resourceRule.Rule = admissionregistrationv1beta1.Rule{
APIGroups: groups, APIGroups: groups,
APIVersions: versions, APIVersions: versions,
Resources: resources, Resources: resources,
@ -385,22 +385,22 @@ func (rb *resourceRuleBuilder) MatchResource(groups []string, versions []string,
func (rb *resourceRuleBuilder) EndResourceRule() *validatingAdmissionPolicyBuilder { func (rb *resourceRuleBuilder) EndResourceRule() *validatingAdmissionPolicyBuilder {
b := rb.policyBuilder b := rb.policyBuilder
if b.policy.Spec.MatchConstraints == nil { if b.policy.Spec.MatchConstraints == nil {
b.policy.Spec.MatchConstraints = &admissionregistrationv1alpha1.MatchResources{} b.policy.Spec.MatchConstraints = &admissionregistrationv1beta1.MatchResources{}
} }
b.policy.Spec.MatchConstraints.ResourceRules = append(b.policy.Spec.MatchConstraints.ResourceRules, *rb.resourceRule) b.policy.Spec.MatchConstraints.ResourceRules = append(b.policy.Spec.MatchConstraints.ResourceRules, *rb.resourceRule)
return b return b
} }
func (b *validatingAdmissionPolicyBuilder) WithValidation(validation admissionregistrationv1alpha1.Validation) *validatingAdmissionPolicyBuilder { func (b *validatingAdmissionPolicyBuilder) WithValidation(validation admissionregistrationv1beta1.Validation) *validatingAdmissionPolicyBuilder {
b.policy.Spec.Validations = append(b.policy.Spec.Validations, validation) b.policy.Spec.Validations = append(b.policy.Spec.Validations, validation)
return b return b
} }
func (b *validatingAdmissionPolicyBuilder) WithVariable(variable admissionregistrationv1alpha1.Variable) *validatingAdmissionPolicyBuilder { func (b *validatingAdmissionPolicyBuilder) WithVariable(variable admissionregistrationv1beta1.Variable) *validatingAdmissionPolicyBuilder {
b.policy.Spec.Variables = append(b.policy.Spec.Variables, variable) b.policy.Spec.Variables = append(b.policy.Spec.Variables, variable)
return b return b
} }
func (b *validatingAdmissionPolicyBuilder) Build() *admissionregistrationv1alpha1.ValidatingAdmissionPolicy { func (b *validatingAdmissionPolicyBuilder) Build() *admissionregistrationv1beta1.ValidatingAdmissionPolicy {
return b.policy return b.policy
} }
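Review bot: The BeforeEach probe near the top of this file (the `List` call on `AdmissionregistrationV1beta1().ValidatingAdmissionPolicies()`) only handles `apierrors.IsNotFound(err)`; any other error, such as forbidden or a timeout, is dropped and the specs run without API support ever being confirmed. Adding `framework.ExpectNoError(err, "listing ValidatingAdmissionPolicies")` after the skip block would surface that failure directly instead of through a less obvious error in a later step. A NotFound skips every admission-policy enforcement spec, so the skip text should say what to enable: it names only the feature gate, and a beta group version may also have to be enabled in the server's runtime config (worth confirming). The Describe string visible in the hunk headers still carries `[Alpha]`, which looks stale now that the suite targets v1beta1, though the full tag list is cut off in this view.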