kubernetes
diff --git a/‎content/en/docs/reference/access-authn-authz/extensible-admission-controllers.md
Lines changed: 51 additions & 1 deletion b/‎content/en/docs/reference/access-authn-authz/extensible-admission-controllers.md
Lines changed: 51 additions & 1 deletion
diff --git a/‎content/en/examples/access/validating-webhook-configuration-match-conditions.yaml
Lines changed: 0 additions & 49 deletions b/‎content/en/examples/access/validating-webhook-configuration-match-conditions.yaml
Lines changed: 0 additions & 49 deletions
diff --git a/‎content/en/examples/examples_test.go
Lines changed: 9 additions & 4 deletions b/‎content/en/examples/examples_test.go
Lines changed: 9 additions & 4 deletions
diff --git a/‎go.mod
Lines changed: 79 additions & 76 deletions b/‎go.mod
Lines changed: 79 additions & 76 deletions
@@ -731,7 +731,57 @@ webhook to be called.
 
 Here is an example illustrating a few different uses for match conditions:
 
-{{< codenew file="access/validating-webhook-configuration-match-conditions.yaml" >}}
+```yaml
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+webhooks:
+  - name: my-webhook.example.com
+    matchPolicy: Equivalent
+    rules:
+      - operations: ['CREATE','UPDATE']
+        apiGroups: ['*']
+        apiVersions: ['*']
+        resources: ['*']
+    failurePolicy: 'Ignore' # Fail-open (optional)
+    sideEffects: None
+    clientConfig:
+      service:
+        namespace: my-namespace
+        name: my-webhook
+      caBundle: '<omitted>'
+    # You can have up to 64 matchConditions per webhook
+    matchConditions:
+      - name: 'exclude-leases' # Each match condition must have a unique name
+        expression: '!(request.resource.group == "coordination.k8s.io" && request.resource.resource == "leases")' # Match non-lease resources.
+      - name: 'exclude-kubelet-requests'
+        expression: '!("system:nodes" in request.userInfo.groups)' # Match requests made by non-node users.
+      - name: 'rbac' # Skip RBAC requests, which are handled by the second webhook.
+        expression: 'request.resource.group != "rbac.authorization.k8s.io"'
+  
+  # This example illustrates the use of the 'authorizer'. The authorization check is more expensive
+  # than a simple expression, so in this example it is scoped to only RBAC requests by using a second
+  # webhook. Both webhooks can be served by the same endpoint.
+  - name: rbac.my-webhook.example.com
+    matchPolicy: Equivalent
+    rules:
+      - operations: ['CREATE','UPDATE']
+        apiGroups: ['rbac.authorization.k8s.io']
+        apiVersions: ['*']
+        resources: ['*']
+    failurePolicy: 'Fail' # Fail-closed (the default)
+    sideEffects: None
+    clientConfig:
+      service:
+        namespace: my-namespace
+        name: my-webhook
+      caBundle: '<omitted>'
+    # You can have up to 64 matchConditions per webhook
+    matchConditions:
+      - name: 'breakglass'
+        # Skip requests made by users authorized to 'breakglass' on this webhook.
+        # The 'breakglass' API verb does not need to exist outside this check.
+        expression: '!authorizer.group("admissionregistration.k8s.io").resource("validatingwebhookconfigurations").name("my-webhook.example.com").check("breakglass").allowed()'
+```
 
 {{< note >}}
 You can define up to 64 elements in the `matchConditions` field per webhook.
 
@@ -159,7 +159,6 @@ func validateObject(obj runtime.Object) (errors field.ErrorList) {
 	podValidationOptions := validation.PodValidationOptions{
 		AllowInvalidPodDeletionCost:     false,
 		AllowIndivisibleHugePagesValues: true,
-		AllowExpandedDNSConfig:          true,
 	}
 	netValidationOptions := networking_validation.NetworkPolicyValidationOptions{
 		AllowInvalidLabelValueInSelector: false,
@@ -400,6 +399,7 @@ func TestExampleObjectSchemas(t *testing.T) {
 		"access": {
 			"deployment-replicas-policy":                   {&admissionregistration.ValidatingAdmissionPolicy{}},
 			"endpoints-aggregated":                         {&rbac.ClusterRole{}},
+			"image-matches-namespace-environment.policy":   {&admissionregistration.ValidatingAdmissionPolicy{}},
 			"validating-admission-policy-audit-annotation": {&admissionregistration.ValidatingAdmissionPolicy{}},
 			"validating-admission-policy-match-conditions": {&admissionregistration.ValidatingAdmissionPolicy{}},
 		},
@@ -477,6 +477,7 @@ func TestExampleObjectSchemas(t *testing.T) {
 			"deployment-patch":      {&apps.Deployment{}},
 			"deployment-retainkeys": {&apps.Deployment{}},
 			"deployment-scale":      {&apps.Deployment{}},
+			"deployment-sidecar":    {&apps.Deployment{}},
 			"deployment-update":     {&apps.Deployment{}},
 			"nginx-app":             {&api.Service{}, &apps.Deployment{}},
 			"nginx-with-request":    {&apps.Deployment{}},
@@ -502,6 +503,7 @@ func TestExampleObjectSchemas(t *testing.T) {
 		},
 		"application/job": {
 			"cronjob":         {&batch.CronJob{}},
+			"job-sidecar":     {&batch.Job{}},
 			"job-tmpl":        {&batch.Job{}},
 			"indexed-job":     {&batch.Job{}},
 			"indexed-job-vol": {&batch.Job{}},
@@ -556,11 +558,13 @@ func TestExampleObjectSchemas(t *testing.T) {
 		},
 		"controllers": {
 			"daemonset":                           {&apps.DaemonSet{}},
+			"daemonset-label-selector":            {&apps.DaemonSet{}},
 			"fluentd-daemonset":                   {&apps.DaemonSet{}},
 			"fluentd-daemonset-update":            {&apps.DaemonSet{}},
 			"frontend":                            {&apps.ReplicaSet{}},
 			"hpa-rs":                              {&autoscaling.HorizontalPodAutoscaler{}},
 			"job":                                 {&batch.Job{}},
+			"job-backoff-limit-per-index-example": {&batch.Job{}},
 			"job-pod-failure-policy-config-issue": {&batch.Job{}},
 			"job-pod-failure-policy-example":      {&batch.Job{}},
 			"job-pod-failure-policy-failjob":      {&batch.Job{}},
@@ -697,9 +701,10 @@ func TestExampleObjectSchemas(t *testing.T) {
 			"podsecurity-restricted": {&api.Namespace{}},
 		},
 		"service": {
-			"nginx-service":                 {&api.Service{}},
-			"load-balancer-example":         {&apps.Deployment{}},
-			"pod-with-graceful-termination": {&apps.Deployment{}},
+			"nginx-service":                      {&api.Service{}},
+			"load-balancer-example":              {&apps.Deployment{}},
+			"pod-with-graceful-termination":      {&apps.Deployment{}},
+			"explore-graceful-termination-nginx": {&api.Service{}},
 		},
 		"service/access": {
 			"backend-deployment":  {&apps.Deployment{}},
 
@@ -3,64 +3,63 @@ module k8s.io/website
 go 1.20
 
 require (
-	k8s.io/apimachinery v0.27.0
+	k8s.io/apimachinery v0.28.0
 	k8s.io/kubernetes v0.0.0
 )
 
 require (
 	github.com/NYTimes/gziphandler v1.1.1 // indirect
-	github.com/antlr/antlr4/runtime/Go/antlr v1.4.10 // indirect
+	github.com/antlr/antlr4/runtime/Go/antlr/v4 v4.0.0-20230305170008-8188dc5388df // indirect
 	github.com/asaskevich/govalidator v0.0.0-20190424111038-f61b66f89f4a // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/blang/semver/v4 v4.0.0 // indirect
-	github.com/cenkalti/backoff/v4 v4.1.3 // indirect
-	github.com/cespare/xxhash/v2 v2.1.2 // indirect
-	github.com/coreos/go-semver v0.3.0 // indirect
-	github.com/coreos/go-systemd/v22 v22.4.0 // indirect
+	github.com/cenkalti/backoff/v4 v4.2.1 // indirect
+	github.com/cespare/xxhash/v2 v2.2.0 // indirect
+	github.com/coreos/go-semver v0.3.1 // indirect
+	github.com/coreos/go-systemd/v22 v22.5.0 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
-	github.com/docker/distribution v2.8.1+incompatible // indirect
+	github.com/docker/distribution v2.8.2+incompatible // indirect
 	github.com/emicklei/go-restful/v3 v3.9.0 // indirect
-	github.com/evanphx/json-patch v4.12.0+incompatible // indirect
+	github.com/evanphx/json-patch v5.6.0+incompatible // indirect
 	github.com/felixge/httpsnoop v1.0.3 // indirect
 	github.com/fsnotify/fsnotify v1.6.0 // indirect
-	github.com/go-logr/logr v1.2.3 // indirect
+	github.com/go-logr/logr v1.2.4 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/go-openapi/jsonpointer v0.19.6 // indirect
-	github.com/go-openapi/jsonreference v0.20.1 // indirect
+	github.com/go-openapi/jsonreference v0.20.2 // indirect
 	github.com/go-openapi/swag v0.22.3 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
 	github.com/golang/protobuf v1.5.3 // indirect
-	github.com/google/cel-go v0.12.6 // indirect
-	github.com/google/gnostic v0.5.7-v3refs // indirect
+	github.com/google/cel-go v0.16.0 // indirect
+	github.com/google/gnostic-models v0.6.8 // indirect
 	github.com/google/go-cmp v0.5.9 // indirect
-	github.com/google/gofuzz v1.1.0 // indirect
+	github.com/google/gofuzz v1.2.0 // indirect
 	github.com/google/uuid v1.3.0 // indirect
 	github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0 // indirect
 	github.com/grpc-ecosystem/grpc-gateway/v2 v2.7.0 // indirect
 	github.com/imdario/mergo v0.3.6 // indirect
-	github.com/inconshreveable/mousetrap v1.0.1 // indirect
+	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
 	github.com/mailru/easyjson v0.7.7 // indirect
-	github.com/matttproud/golang_protobuf_extensions v1.0.2 // indirect
-	github.com/mitchellh/mapstructure v1.4.1 // indirect
+	github.com/matttproud/golang_protobuf_extensions v1.0.4 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 	github.com/opencontainers/go-digest v1.0.0 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
-	github.com/prometheus/client_golang v1.14.0 // indirect
-	github.com/prometheus/client_model v0.3.0 // indirect
-	github.com/prometheus/common v0.37.0 // indirect
-	github.com/prometheus/procfs v0.8.0 // indirect
+	github.com/prometheus/client_golang v1.16.0 // indirect
+	github.com/prometheus/client_model v0.4.0 // indirect
+	github.com/prometheus/common v0.44.0 // indirect
+	github.com/prometheus/procfs v0.10.1 // indirect
 	github.com/robfig/cron/v3 v3.0.1 // indirect
-	github.com/spf13/cobra v1.6.0 // indirect
+	github.com/spf13/cobra v1.7.0 // indirect
 	github.com/spf13/pflag v1.0.5 // indirect
 	github.com/stoewer/go-strcase v1.2.0 // indirect
-	go.etcd.io/etcd/api/v3 v3.5.7 // indirect
-	go.etcd.io/etcd/client/pkg/v3 v3.5.7 // indirect
-	go.etcd.io/etcd/client/v3 v3.5.7 // indirect
+	go.etcd.io/etcd/api/v3 v3.5.9 // indirect
+	go.etcd.io/etcd/client/pkg/v3 v3.5.9 // indirect
+	go.etcd.io/etcd/client/v3 v3.5.9 // indirect
 	go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.35.0 // indirect
 	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.35.1 // indirect
 	go.opentelemetry.io/otel v1.10.0 // indirect
@@ -71,70 +70,74 @@ require (
 	go.opentelemetry.io/otel/sdk v1.10.0 // indirect
 	go.opentelemetry.io/otel/trace v1.10.0 // indirect
 	go.opentelemetry.io/proto/otlp v0.19.0 // indirect
-	go.uber.org/atomic v1.7.0 // indirect
-	go.uber.org/multierr v1.6.0 // indirect
+	go.uber.org/atomic v1.10.0 // indirect
+	go.uber.org/multierr v1.11.0 // indirect
 	go.uber.org/zap v1.19.0 // indirect
-	golang.org/x/crypto v0.1.0 // indirect
-	golang.org/x/net v0.8.0 // indirect
-	golang.org/x/oauth2 v0.0.0-20220223155221-ee480838109b // indirect
-	golang.org/x/sync v0.1.0 // indirect
-	golang.org/x/sys v0.6.0 // indirect
-	golang.org/x/term v0.6.0 // indirect
-	golang.org/x/text v0.8.0 // indirect
-	golang.org/x/time v0.0.0-20220210224613-90d013bbcef8 // indirect
+	golang.org/x/crypto v0.11.0 // indirect
+	golang.org/x/exp v0.0.0-20220722155223-a9213eeb770e // indirect
+	golang.org/x/net v0.13.0 // indirect
+	golang.org/x/oauth2 v0.8.0 // indirect
+	golang.org/x/sync v0.2.0 // indirect
+	golang.org/x/sys v0.10.0 // indirect
+	golang.org/x/term v0.10.0 // indirect
+	golang.org/x/text v0.11.0 // indirect
+	golang.org/x/time v0.3.0 // indirect
 	google.golang.org/appengine v1.6.7 // indirect
-	google.golang.org/genproto v0.0.0-20220502173005-c8bf987b8c21 // indirect
-	google.golang.org/grpc v1.51.0 // indirect
-	google.golang.org/protobuf v1.28.1 // indirect
+	google.golang.org/genproto v0.0.0-20230526161137-0005af68ea54 // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20230525234035-dd9d682886f9 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20230525234030-28d5490b6b19 // indirect
+	google.golang.org/grpc v1.54.0 // indirect
+	google.golang.org/protobuf v1.30.0 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
-	gopkg.in/natefinch/lumberjack.v2 v2.0.0 // indirect
+	gopkg.in/natefinch/lumberjack.v2 v2.2.1 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
-	k8s.io/api v0.27.0 // indirect
-	k8s.io/apiserver v0.27.0 // indirect
-	k8s.io/client-go v0.27.0 // indirect
+	k8s.io/api v0.28.0 // indirect
+	k8s.io/apiextensions-apiserver v0.0.0 // indirect
+	k8s.io/apiserver v0.28.0 // indirect
+	k8s.io/client-go v0.28.0 // indirect
 	k8s.io/cloud-provider v0.0.0 // indirect
-	k8s.io/component-base v0.27.0 // indirect
-	k8s.io/component-helpers v0.27.0 // indirect
-	k8s.io/controller-manager v0.27.0 // indirect
-	k8s.io/klog/v2 v2.90.1 // indirect
-	k8s.io/kms v0.27.0 // indirect
-	k8s.io/kube-openapi v0.0.0-20230308215209-15aac26d736a // indirect
+	k8s.io/component-base v0.28.0 // indirect
+	k8s.io/component-helpers v0.28.0 // indirect
+	k8s.io/controller-manager v0.28.0 // indirect
+	k8s.io/klog/v2 v2.100.1 // indirect
+	k8s.io/kms v0.28.0 // indirect
+	k8s.io/kube-openapi v0.0.0-20230717233707-2695361300d9 // indirect
 	k8s.io/kubelet v0.0.0 // indirect
-	k8s.io/utils v0.0.0-20230209194617-a36077c30491 // indirect
-	sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.1.1 // indirect
+	k8s.io/utils v0.0.0-20230406110748-d93618cff8a2 // indirect
+	sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.1.2 // indirect
 	sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
 	sigs.k8s.io/structured-merge-diff/v4 v4.2.3 // indirect
 	sigs.k8s.io/yaml v1.3.0 // indirect
 )
 
 replace (
-	k8s.io/api => k8s.io/api v0.27.0
-	k8s.io/apiextensions-apiserver => k8s.io/apiextensions-apiserver v0.27.0
-	k8s.io/apimachinery => k8s.io/apimachinery v0.27.0
-	k8s.io/apiserver => k8s.io/apiserver v0.27.0
-	k8s.io/cli-runtime => k8s.io/cli-runtime v0.27.0
-	k8s.io/client-go => k8s.io/client-go v0.27.0
-	k8s.io/cloud-provider => k8s.io/cloud-provider v0.27.0
-	k8s.io/cluster-bootstrap => k8s.io/cluster-bootstrap v0.27.0
-	k8s.io/code-generator => k8s.io/code-generator v0.27.0
-	k8s.io/component-base => k8s.io/component-base v0.27.0
-	k8s.io/component-helpers => k8s.io/component-helpers v0.27.0
-	k8s.io/controller-manager => k8s.io/controller-manager v0.27.0
-	k8s.io/cri-api => k8s.io/cri-api v0.27.0
-	k8s.io/csi-translation-lib => k8s.io/csi-translation-lib v0.27.0
-	k8s.io/kube-aggregator => k8s.io/kube-aggregator v0.27.0
-	k8s.io/kube-controller-manager => k8s.io/kube-controller-manager v0.27.0
-	k8s.io/kube-proxy => k8s.io/kube-proxy v0.27.0
-	k8s.io/kube-scheduler => k8s.io/kube-scheduler v0.27.0
-	k8s.io/kubectl => k8s.io/kubectl v0.27.0
-	k8s.io/kubelet => k8s.io/kubelet v0.27.0
+	k8s.io/api => k8s.io/api v0.28.0
+	k8s.io/apiextensions-apiserver => k8s.io/apiextensions-apiserver v0.28.0
+	k8s.io/apimachinery => k8s.io/apimachinery v0.28.0
+	k8s.io/apiserver => k8s.io/apiserver v0.28.0
+	k8s.io/cli-runtime => k8s.io/cli-runtime v0.28.0
+	k8s.io/client-go => k8s.io/client-go v0.28.0
+	k8s.io/cloud-provider => k8s.io/cloud-provider v0.28.0
+	k8s.io/cluster-bootstrap => k8s.io/cluster-bootstrap v0.28.0
+	k8s.io/code-generator => k8s.io/code-generator v0.28.0
+	k8s.io/component-base => k8s.io/component-base v0.28.0
+	k8s.io/component-helpers => k8s.io/component-helpers v0.28.0
+	k8s.io/controller-manager => k8s.io/controller-manager v0.28.0
+	k8s.io/cri-api => k8s.io/cri-api v0.28.0
+	k8s.io/csi-translation-lib => k8s.io/csi-translation-lib v0.28.0
+	k8s.io/kube-aggregator => k8s.io/kube-aggregator v0.28.0
+	k8s.io/kube-controller-manager => k8s.io/kube-controller-manager v0.28.0
+	k8s.io/kube-proxy => k8s.io/kube-proxy v0.28.0
+	k8s.io/kube-scheduler => k8s.io/kube-scheduler v0.28.0
+	k8s.io/kubectl => k8s.io/kubectl v0.28.0
+	k8s.io/kubelet => k8s.io/kubelet v0.28.0
 	k8s.io/kubernetes => ../kubernetes
-	k8s.io/legacy-cloud-providers => k8s.io/legacy-cloud-providers v0.27.0
-	k8s.io/metrics => k8s.io/metrics v0.27.0
-	k8s.io/mount-utils => k8s.io/mount-utils v0.27.0
-	k8s.io/pod-security-admission => k8s.io/pod-security-admission v0.27.0
-	k8s.io/sample-apiserver => k8s.io/sample-apiserver v0.27.0
-	k8s.io/sample-cli-plugin => k8s.io/sample-cli-plugin v0.27.0
-	k8s.io/sample-controller => k8s.io/sample-controller v0.27.0
+	k8s.io/legacy-cloud-providers => k8s.io/legacy-cloud-providers v0.28.0
+	k8s.io/metrics => k8s.io/metrics v0.28.0
+	k8s.io/mount-utils => k8s.io/mount-utils v0.28.0
+	k8s.io/pod-security-admission => k8s.io/pod-security-admission v0.28.0
+	k8s.io/sample-apiserver => k8s.io/sample-apiserver v0.28.0
+	k8s.io/sample-cli-plugin => k8s.io/sample-cli-plugin v0.28.0
+	k8s.io/sample-controller => k8s.io/sample-controller v0.28.0
 )