Merge pull request #40711 from tengqm/fix-examples-test

Fix examples test for 1.27

Author: k8s-ci-robot

content/en/docs/reference/access-authn-authz/extensible-admission-controllers.md

@@ -736,7 +736,55 @@ webhook to be called.
 
 Here is an example illustrating a few different uses for match conditions:
 
-{{< codenew file="access/admission-webhook-match-conditions.yaml" >}}
+```yaml
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+webhooks:
+  - name: my-webhook.example.com
+    matchPolicy: Equivalent
+    rules:
+      - operations: ['CREATE','UPDATE']
+        apiGroups: ['*']
+        apiVersions: ['*']
+        resources: ['*']
+    failurePolicy: 'Ignore' # Fail-open (optional)
+    sideEffects: None
+    clientConfig:
+      service:
+        namespace: my-namespace
+        name: my-webhook
+      caBundle: '<omitted>'
+    matchConditions:
+      - name: 'exclude-leases' # Each match condition must have a unique name
+        expression: '!(request.resource.group == "coordination.k8s.io" && request.resource.resource == "leases")' # Match non-lease resources.
+      - name: 'exclude-kubelet-requests'
+        expression: '!("system:nodes" in request.userInfo.groups)' # Match requests made by non-node users.
+      - name: 'rbac' # Skip RBAC requests, which are handled by the second webhook.
+        expression: 'request.resource.group != "rbac.authorization.k8s.io"'
+  
+  # This example illustrates the use of the 'authorizer'. The authorization check is more expensive
+  # than a simple expression, so in this example it is scoped to only RBAC requests by using a second
+  # webhook. Both webhooks can be served by the same endpoint.
+  - name: rbac.my-webhook.example.com
+    matchPolicy: Equivalent
+    rules:
+      - operations: ['CREATE','UPDATE']
+        apiGroups: ['rbac.authorization.k8s.io']
+        apiVersions: ['*']
+        resources: ['*']
+    failurePolicy: 'Fail' # Fail-closed (the default)
+    sideEffects: None
+    clientConfig:
+      service:
+        namespace: my-namespace
+        name: my-webhook
+      caBundle: '<omitted>'
+    matchConditions:
+      - name: 'breakglass'
+        # Skip requests made by users authorized to 'breakglass' on this webhook.
+        # The 'breakglass' API verb does not need to exist outside this check.
+        expression: '!authorizer.group("admissionregistration.k8s.io").resource("validatingwebhookconfigurations").name("my-webhook.example.com").check("breakglass").allowed()'
+```
 
 Match conditions have access to the following CEL variables:
 

content/en/docs/reference/access-authn-authz/validating-admission-policy.md

@@ -438,7 +438,20 @@ For example, here is an admission policy with an audit annotation:
 
 When an API request is validated with this admission policy, the resulting audit event will look like:
 
-{{< codenew file="access/audit-event-with-audit-annotation.yaml" >}}
+```
+# the audit event recorded
+{
+    "kind": "Event",
+    "apiVersion": "audit.k8s.io/v1",
+    "annotations": {
+        "demo-policy.example.com/high-replica-count": "Deployment spec.replicas set to 128"
+        # other annotations
+        ...
+    }
+    # other fields
+    ...
+}
+```
 
 In this example the annotation will only be included if the `spec.replicas` of the Deployment is more than
 50, otherwise the CEL expression evalutes to null and the annotation will not be included.
@@ -564,4 +577,4 @@ Type Checking has the following limitation:
   to consume excessive computing resources. In the order of ascending group, version, and then resource, 11th combination and beyond are ignored.
 - Type Checking does not affect the policy behavior in any way. Even if the type checking detects errors, the policy will continue
   to evaluate. If errors do occur during evaluate, the failure policy will decide its outcome.
-- Type Checking does not apply to CRDs, including matched CRD types and reference of paramKind. The support for CRDs will come in future release.
+- Type Checking does not apply to CRDs, including matched CRD types and reference of paramKind. The support for CRDs will come in future release.

content/en/examples/access/admission-webhook-match-conditions.yaml

@@ -4,9 +4,8 @@ metadata:
   name: "deploy-replica-policy.example.com"
 spec:
   paramKind:
-    group: rules.example.com
+    apiVersion: rules.example.com/v1
     kind: ReplicaLimit
-    version: v1
   matchConstraints:
     resourceRules:
     - apiGroups:   ["apps"]

content/en/examples/access/audit-event-with-audit-annotation.yaml

@@ -12,4 +12,5 @@ spec:
       resources:   ["deployments"]
   validations:
     - key: "high-replica-count"
-      valueExpression: "object.spec.replicas > 50 ? 'Deployment spec.replicas set to ' + string(object.spec.replicas) : null"
+      expression: "object.spec.replicas > 50"
+      messageExpression: "'Deployment spec.replicas set to ' + string(object.spec.replicas)"

content/en/examples/access/deployment-replicas-policy.yaml

@@ -34,6 +34,9 @@ import (
 	"k8s.io/apimachinery/pkg/util/yaml"
 	"k8s.io/kubernetes/pkg/api/legacyscheme"
 
+	"k8s.io/kubernetes/pkg/apis/admissionregistration"
+	admreg_validation "k8s.io/kubernetes/pkg/apis/admissionregistration/validation"
+
 	"k8s.io/kubernetes/pkg/apis/apps"
 	apps_validation "k8s.io/kubernetes/pkg/apis/apps/validation"
 
@@ -65,6 +68,7 @@ import (
 	"k8s.io/kubernetes/pkg/registry/batch/job"
 
 	// initialize install packages
+	_ "k8s.io/kubernetes/pkg/apis/admissionregistration/install"
 	_ "k8s.io/kubernetes/pkg/apis/apps/install"
 	_ "k8s.io/kubernetes/pkg/apis/autoscaling/install"
 	_ "k8s.io/kubernetes/pkg/apis/batch/install"
@@ -102,6 +106,7 @@ func (g TestGroup) Codec() runtime.Codec {
 func initGroups() {
 	Groups = make(map[string]TestGroup)
 	groupNames := []string{
+		admissionregistration.GroupName,
 		api.GroupName,
 		apps.GroupName,
 		autoscaling.GroupName,
@@ -152,7 +157,6 @@ func getCodecForObject(obj runtime.Object) (runtime.Codec, error) {
 
 func validateObject(obj runtime.Object) (errors field.ErrorList) {
 	podValidationOptions := validation.PodValidationOptions{
-		AllowDownwardAPIHugePages:       true,
 		AllowInvalidPodDeletionCost:     false,
 		AllowIndivisibleHugePagesValues: true,
 		AllowExpandedDNSConfig:          true,
@@ -170,6 +174,10 @@ func validateObject(obj runtime.Object) (errors field.ErrorList) {
 	// Enable CustomPodDNS for testing
 	// feature.DefaultFeatureGate.Set("CustomPodDNS=true")
 	switch t := obj.(type) {
+	case *admissionregistration.ValidatingWebhookConfiguration:
+		errors = admreg_validation.ValidateValidatingWebhookConfiguration(t)
+	case *admissionregistration.ValidatingAdmissionPolicy:
+		errors = admreg_validation.ValidateValidatingAdmissionPolicy(t)
 	case *api.ConfigMap:
 		if t.Namespace == "" {
 			t.Namespace = api.NamespaceDefault
@@ -390,7 +398,10 @@ func TestExampleObjectSchemas(t *testing.T) {
 	// Please help maintain the alphabeta order in the map
 	cases := map[string]map[string][]runtime.Object{
 		"access": {
-			"endpoints-aggregated": {&rbac.ClusterRole{}},
+			"deployment-replicas-policy":                   {&admissionregistration.ValidatingAdmissionPolicy{}},
+			"endpoints-aggregated":                         {&rbac.ClusterRole{}},
+			"validating-admission-policy-audit-annotation": {&admissionregistration.ValidatingAdmissionPolicy{}},
+			"validating-admission-policy-match-conditions": {&admissionregistration.ValidatingAdmissionPolicy{}},
 		},
 		"access/certificate-signing-request": {
 			"clusterrole-approve": {&rbac.ClusterRole{}},
@@ -544,20 +555,21 @@ func TestExampleObjectSchemas(t *testing.T) {
 			"configure-pod":       {&api.Pod{}},
 		},
 		"controllers": {
-			"daemonset":                      {&apps.DaemonSet{}},
-			"fluentd-daemonset":              {&apps.DaemonSet{}},
-			"fluentd-daemonset-update":       {&apps.DaemonSet{}},
-			"frontend":                       {&apps.ReplicaSet{}},
-			"hpa-rs":                         {&autoscaling.HorizontalPodAutoscaler{}},
-			"job":                            {&batch.Job{}},
-			"job-pod-failure-policy-example": {&batch.Job{}},
-			"job-pod-failure-policy-failjob": {&batch.Job{}},
-			"job-pod-failure-policy-ignore":  {&batch.Job{}},
-			"replicaset":                     {&apps.ReplicaSet{}},
-			"replication":                    {&api.ReplicationController{}},
-			"replication-nginx-1.14.2":       {&api.ReplicationController{}},
-			"replication-nginx-1.16.1":       {&api.ReplicationController{}},
-			"nginx-deployment":               {&apps.Deployment{}},
+			"daemonset":                           {&apps.DaemonSet{}},
+			"fluentd-daemonset":                   {&apps.DaemonSet{}},
+			"fluentd-daemonset-update":            {&apps.DaemonSet{}},
+			"frontend":                            {&apps.ReplicaSet{}},
+			"hpa-rs":                              {&autoscaling.HorizontalPodAutoscaler{}},
+			"job":                                 {&batch.Job{}},
+			"job-pod-failure-policy-config-issue": {&batch.Job{}},
+			"job-pod-failure-policy-example":      {&batch.Job{}},
+			"job-pod-failure-policy-failjob":      {&batch.Job{}},
+			"job-pod-failure-policy-ignore":       {&batch.Job{}},
+			"replicaset":                          {&apps.ReplicaSet{}},
+			"replication":                         {&api.ReplicationController{}},
+			"replication-nginx-1.14.2":            {&api.ReplicationController{}},
+			"replication-nginx-1.16.1":            {&api.ReplicationController{}},
+			"nginx-deployment":                    {&apps.Deployment{}},
 		},
 		"debug": {
 			"counter-pod":                     {&api.Pod{}},
@@ -627,6 +639,7 @@ func TestExampleObjectSchemas(t *testing.T) {
 			"qos-pod-2": {&api.Pod{}},
 			"qos-pod-3": {&api.Pod{}},
 			"qos-pod-4": {&api.Pod{}},
+			"qos-pod-5": {&api.Pod{}},
 		},
 		"pods/resource": {
 			"cpu-request-limit":       {&api.Pod{}},
@@ -678,13 +691,15 @@ func TestExampleObjectSchemas(t *testing.T) {
 			"mysecretname": {&api.Secret{}},
 		},
 		"security": {
+			"example-baseline-pod":   {&api.Pod{}},
 			"podsecurity-baseline":   {&api.Namespace{}},
 			"podsecurity-privileged": {&api.Namespace{}},
 			"podsecurity-restricted": {&api.Namespace{}},
 		},
 		"service": {
-			"nginx-service":         {&api.Service{}},
-			"load-balancer-example": {&apps.Deployment{}},
+			"nginx-service":                 {&api.Service{}},
+			"load-balancer-example":         {&apps.Deployment{}},
+			"pod-with-graceful-termination": {&apps.Deployment{}},
 		},
 		"service/access": {
 			"backend-deployment":  {&apps.Deployment{}},