@@ -191,7 +191,7 @@ rules:
191191 resources: 'pods'
192192matchConditions:
193193 # Only include pods with an NFS volume.
194- - expression: 'request. object.spec.volumes.exists(v, v.has(nfs))'
194+ - expression: 'object.spec.volumes.exists(v, v.has(nfs))'
195195` ` `
196196
197197# ## Goals
@@ -215,8 +215,9 @@ with a new `MatchConditions` field:
215215type ValidatingWebhook struct {
216216 // ...
217217
218- // MatchConditions is a list of conditions on the AdmissionRequest ('request') that must be met for a
219- // request to be sent to this webhook.
218+ // MatchConditions is a list of conditions on the AdmissionRequest ('request') that must be met
219+ // for a request to be sent to this webhook. All conditions in the list must evaluate to TRUE for
220+ // the request to be matched.
220221 // +optional
221222 MatchConditions []MatchCondition ` json:"matchConditions,omitempty"`
222223}
@@ -228,38 +229,16 @@ type MutatingWebhook struct {
228229
229230// MatchCondition represents a condition which must by fulfilled for a request to be sent to a webhook.
230231type MatchCondition struct {
232+ // NOTE : Placeholder documentation, to be replaced by https://github.com/kubernetes/website/issues/39089.
233+ //
231234 // Expression represents the expression which will be evaluated by CEL.
232235 // ref: https://github.com/google/cel-spec
233236 // CEL expressions have access to the contents of the AdmissionRequest, organized into CEL variables:
234237 //
235- //'object' - The object from the incoming request. The value is null for DELETE requests.
236- //'oldObject' - The existing object. The value is null for CREATE requests.
237- //'request' - Attributes of the admission request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).
238+ // 'object' - The object from the incoming request. The value is null for DELETE requests.
239+ // 'oldObject' - The existing object. The value is null for CREATE requests.
240+ // 'request' - Attributes of the admission request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).
238241 //
239- // The `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` are always accessible from the root of the
240- // object. No other metadata properties are accessible.
241- //
242- // Only property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are accessible.
243- // Accessible property names are escaped according to the following rules when accessed in the expression:
244- // - '__' escapes to '__underscores__'
245- // - '.' escapes to '__dot__'
246- // - '-' escapes to '__dash__'
247- // - '/' escapes to '__slash__'
248- // - Property names that exactly match a CEL RESERVED keyword escape to '__{keyword}__'. The keywords are:
249- // "true", "false", "null", "in", "as", "break", "const", "continue", "else", "for", "function", "if",
250- // "import", "let", "loop", "package", "namespace", "return".
251- // Examples:
252- // - Expression accessing a property named "namespace": {"Expression": "object.__namespace__ > 0"}
253- // - Expression accessing a property named "x-prop": {"Expression": "object.x__dash__prop > 0"}
254- // - Expression accessing a property named "redact__d": {"Expression": "object.redact__underscores__d > 0"}
255- //
256- // Equality on arrays with list type of 'set' or 'map' ignores element order, i.e. [1, 2] == [2, 1].
257- // Concatenation on arrays with x-kubernetes-list-type use the semantics of the list type:
258- // - 'set': `X + Y` performs a union where the array positions of all elements in `X` are preserved and
259- // non-intersecting elements in `Y` are appended, retaining their partial order.
260- // - 'map': `X + Y` performs a merge where the array positions of all keys in `X` are preserved but the values
261- // are overwritten by values in `Y` when the key sets of `X` and `Y` intersect. Elements in `Y` with
262- // non-intersecting keys are appended, retaining their partial order.
263242 // Required.
264243 Expression string `json:"expression"`
265244}
@@ -285,6 +264,17 @@ manipulating match rules, namespace selector, or object selector (or reroute the
285264Currently the match conditions must be encoded in the webhook backend itself. Moving the logic
286265into a CEL expression does not materially increase the risk of a logic bug.
287266
267+ Of particular significance are match conditions tied to non-functional properties of an object, such
268+ as using labels to decide whether to opt an object out of a policy. Without additional admition
269+ controls on who can set those non-functional aspects, exempting the policy based on that could be a
270+ security vulnerability. In contrast, the
271+ [ NFS example usecase] ( #scope-an-nfs-access-management-webhook-to-pods-mounting-nfs-volumes ) exempts
272+ the policy on a _ functional_ aspect - whether an NFS volume is mounted, and thus whether the policy
273+ is relevant.
274+
275+ These risks are inherent to the feature being proposed and cannot be mitigated through technical
276+ means, but should be highlighted in the documentation.
277+
288278#### Debugability
289279
290280We do not normally log, audit, or emit an event when a webhook is out-of-scope for a request, and