Adding MatchConditions into ValidatingAdmissionPolicy

Author: cici37

content/en/docs/reference/access-authn-authz/validating-admission-policy.md

@@ -365,3 +365,24 @@ HTTP response code, are used in the HTTP response to the client.
 The currently supported reasons are: `Unauthorized`, `Forbidden`, `Invalid`, `RequestEntityTooLarge`.
 If not set, `StatusReasonInvalid` is used in the response to the client.
 
+### Matching requests: `matchConditions`
+
+You can define _match conditions_ for a `ValidatingAdmissionPolicy` if you need fine-grained request filtering. These
+conditions are useful if you find that match rules, `objectSelectors` and `namespaceSelectors` still
+doesn't provide the filtering you want. Match conditions are
+[CEL expressions](/docs/reference/using-api/cel/). All match conditions must evaluate to true for the
+resource to be evaluated.
+
+Here is an example illustrating a few different uses for match conditions:
+
+{{< codenew file="access/validating-admission-policy-match-conditions.yaml" >}}
+
+Match conditions have access to the same CEL variables as validation expressions.
+
+In the event of an error evaluating a match condition the policy is not evaluated. Whether to reject
+the request is determined as follows:
+
+1. If **any** match condition evaluated to `false` (regardless of other errors), the API server skips the policy.
+2. Otherwise:
+  - for [`failurePolicy: Fail`](#failure-policy), reject the request (without evaluating the policy).
+  - for [`failurePolicy: Ignore`](#failure-policy), proceed with the request but skip the policy.

content/en/examples/access/validating-admission-policy-match-conditions.yaml

@@ -0,0 +1,22 @@
+apiVersion: admissionregistration.k8s.io/v1alpha1
+kind: ValidatingAdmissionPolicy
+metadata:
+  name: "demo-policy.example.com"
+spec:
+  failurePolicy: Fail
+  matchConstraints:
+    resourceRules:
+      - apiGroups:   ["*"]
+        apiVersions: ["*"]
+        operations:  ["CREATE", "UPDATE"]
+        resources:   ["*"]
+  matchConditions:
+    - name: 'exclude-leases' # Each match condition must have a unique name
+      expression: '!(request.resource.group == "coordination.k8s.io" && request.resource.resource == "leases")' # Match non-lease resources.
+    - name: 'exclude-kubelet-requests'
+      expression: '!("system:nodes" in request.userInfo.groups)' # Match requests made by non-node users.
+    - name: 'rbac' # Skip RBAC requests.
+      expression: 'request.resource.group != "rbac.authorization.k8s.io"'
+  validations:
+    - expression: "object.metadata.name.startWith('demo')"
+