Commit 877e7fa

Clarify documentation for ValidatingAdmissionPolicy and contents of CEL context (#52303)
* Unclear documentation for ValidatingAdmissionPolicy and contents of CEL context #39368

  Subject: docs: Clarify accessibility of metadata properties in CEL

  The current documentation states that "No other metadata properties are accessible" besides name and generateName. This is misleading for users of ValidatingAdmissionPolicy, as the strongly-typed object variable allows access to all metadata fields like labels and annotations.

  This PR clarifies the behavior by:

  - Stating that the object variable is strongly-typed and allows full access to all schema-defined fields.
  - Rephrasing the original statement to explain that apiVersion, kind, name, and generateName are the guaranteed minimal set of fields available for any object, which is the original intent of the sentence.

  This change prevents confusion for new users and more accurately reflects the capabilities of CEL in this context.

* Update validating-admission-policy.md
* Update validating-admission-policy.md
* docs: Wrap long paragraph for readability.
1 parent 16edbd8 commit 877e7fa

1 file changed

+6
-3
lines changed

content/en/docs/reference/access-authn-authz/validating-admission-policy.md

Lines changed: 6 additions & 3 deletions
@@ -330,9 +330,12 @@ variables as well as some other useful variables:
330330
- `authorizer.requestResource` - A shortcut for an authorization check configured with the request
331331
resource (group, resource, (subresource), namespace, name).
332332

333-
The `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` are always accessible from
334-
the root of the object. No other metadata properties are accessible.
335-
333+
In CEL expressions, variables like `object` and `oldObject` are strongly-typed.
334+
You can access any field in the object's schema, such as `object.metadata.labels` and fields in `spec`.
335+
336+
For any Kubernetes object, including schemaless Custom Resources, CEL guarantees access to a minimal set of properties:
337+
`apiVersion`, `kind`, `metadata.name`, and `metadata.generateName`.
338+
336339
Equality on arrays with list type of 'set' or 'map' ignores element order, i.e. [1, 2] == [2, 1].
337340
Concatenation on arrays with x-kubernetes-list-type use the semantics of the list type:
338341
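Review bot: At new lines 333-337, the removed sentence "No other metadata properties are accessible" is dropped without saying what now holds for schemaless Custom Resources. Line 334 says any field in the object's schema is accessible and uses `object.metadata.labels` as the example, while line 336 says only `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` are guaranteed. A policy author cannot tell from this whether an expression on `object.metadata.labels` is usable against a schemaless object, which matters when a policy keys its decision on labels or annotations. Suggest adding one sentence after line 337 that states explicitly what access to fields outside the guaranteed set looks like when no schema is available. Style: "strongly-typed" on line 333 would normally be written "strongly typed", and line 336 is noticeably longer than the wrapped lines around it even though the commit message mentions wrapping.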
