feat: Add ValidatingAdmissionPolicy for managedresource #1179
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Signed-off-by: Nont <[email protected]>
jim-minter
reviewed
Aug 21, 2025
jim-minter
reviewed
Aug 21, 2025
nwnt
changed the title
nwnt
changed the title
jim-minter
reviewed
Aug 21, 2025
jim-minter
reviewed
Aug 21, 2025
Signed-off-by: Nont <[email protected]>
nwnt
force-pushed
the
nwnt/add-managed-resource-vap
branch
from
90d3f41 to
6d2eee1
Compare
Signed-off-by: Nont <[email protected]>
jim-minter
reviewed
Aug 21, 2025
Signed-off-by: Nont <[email protected]>
jim-minter
reviewed
Aug 21, 2025
Arvindthiru
reviewed
Aug 21, 2025
Arvindthiru
reviewed
Aug 21, 2025
Arvindthiru
reviewed
Aug 21, 2025
Arvindthiru
reviewed
Aug 21, 2025
Arvindthiru
reviewed
Aug 21, 2025
Signed-off-by: Nont <[email protected]>
Signed-off-by: Nont <[email protected]>
Arvindthiru
reviewed
Aug 21, 2025
Arvindthiru
reviewed
Aug 21, 2025
Arvindthiru
reviewed
Aug 21, 2025
Signed-off-by: Nont <[email protected]>
nwnt
force-pushed
the
nwnt/add-managed-resource-vap
branch
from
7002541 to
e769fbf
Compare
| Rule: admv1.Rule{ | ||
| APIGroups: []string{""}, | ||
| Resources: []string{"namespaces"}, | ||
| APIVersions: []string{"*"}, |
Contributor
There was a problem hiding this comment.
is there any other version for namespace being used?
| RuleWithOperations: admv1.RuleWithOperations{ | ||
| Rule: admv1.Rule{ | ||
| APIGroups: []string{"placement.kubernetes-fleet.io"}, | ||
| Resources: []string{"clusterresourceplacements"}, |
Contributor
There was a problem hiding this comment.
just CRP? Why would we allow any resources managed by ARM to be touched?
Comment on lines
76
to
80
| var vap admissionregistrationv1.ValidatingAdmissionPolicy | ||
| Expect(hubClient.Get(ctx, types.NamespacedName{Name: vapName}, &vap)).Should(Succeed(), "ValidatingAdmissionPolicy should be installed") | ||
|
|
||
| var vapBinding admissionregistrationv1.ValidatingAdmissionPolicyBinding | ||
| Expect(hubClient.Get(ctx, types.NamespacedName{Name: vapBindingName}, &vapBinding)).Should(Succeed(), "ValidatingAdmissionPolicyBinding should be installed") |
Contributor
There was a problem hiding this comment.
BeforeAll is mostly for setups. These two are testing implementations rather than expected behavior.
Signed-off-by: Nont <[email protected]>
nwnt
force-pushed
the
nwnt/add-managed-resource-vap
branch
from
c1ed13d to
74eac8c
Compare
ryanzhang-oss
approved these changes
Aug 23, 2025
1 task
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description of your changes
Jim had a discussion about this. We want to install this VAP into managed clusters via kubefleet crd install instead of onto CCP.
I have:
make reviewableto ensure this PR is ready for review.How has this code been tested
Unit tests.
Special notes for your reviewer
N/A