
Commit 2b521e5

authored
Merge pull request kubernetes#123405 from cici37/vapGA
[KEP-3488]Promote ValidatingAdmissionPolicy to GA
2 parents 39b085d + 5d83282 commit 2b521e5


99 files changed

+19297
-3057
lines changed


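--- a/api/discovery/aggregated_v2beta1.json
+++ b/api/discovery/aggregated_v2beta1.json
@@ -1255,6 +1255,67 @@
 "watch"
 ]
 },
+{
+"categories": [
+"api-extensions"
+],
+"resource": "validatingadmissionpolicies",
+"responseKind": {
+"group": "",
+"kind": "ValidatingAdmissionPolicy",
+"version": ""
+},
+"scope": "Cluster",
+"singularResource": "validatingadmissionpolicy",
+"subresources": [
+{
+"responseKind": {
+"group": "",
+"kind": "ValidatingAdmissionPolicy",
+"version": ""
+},
+"subresource": "status",
+"verbs": [
+"get",
+"patch",
+"update"
+]
+}
+],
+"verbs": [
+"create",
+"delete",
+"deletecollection",
+"get",
+"list",
+"patch",
+"update",
+"watch"
+]
+},
+{
+"categories": [
+"api-extensions"
+],
+"resource": "validatingadmissionpolicybindings",
+"responseKind": {
+"group": "",
+"kind": "ValidatingAdmissionPolicyBinding",
+"version": ""
+},
+"scope": "Cluster",
+"singularResource": "validatingadmissionpolicybinding",
+"verbs": [
+"create",
+"delete",
+"deletecollection",
+"get",
+"list",
+"patch",
+"update",
+"watch"
+]
+},
 {
 "categories": [
 "api-extensions"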

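--- a/api/discovery/apis__admissionregistration.k8s.io__v1.json
+++ b/api/discovery/apis__admissionregistration.k8s.io__v1.json
@@ -23,6 +23,57 @@
 "watch"
 ]
 },
+{
+"categories": [
+"api-extensions"
+],
+"kind": "ValidatingAdmissionPolicy",
+"name": "validatingadmissionpolicies",
+"namespaced": false,
+"singularName": "validatingadmissionpolicy",
+"storageVersionHash": "P/h9c6yIbaY=",
+"verbs": [
+"create",
+"delete",
+"deletecollection",
+"get",
+"list",
+"patch",
+"update",
+"watch"
+]
+},
+{
+"kind": "ValidatingAdmissionPolicy",
+"name": "validatingadmissionpolicies/status",
+"namespaced": false,
+"singularName": "",
+"verbs": [
+"get",
+"patch",
+"update"
+]
+},
+{
+"categories": [
+"api-extensions"
+],
+"kind": "ValidatingAdmissionPolicyBinding",
+"name": "validatingadmissionpolicybindings",
+"namespaced": false,
+"singularName": "validatingadmissionpolicybinding",
+"storageVersionHash": "XYju31JKYek=",
+"verbs": [
+"create",
+"delete",
+"deletecollection",
+"get",
+"list",
+"patch",
+"update",
+"watch"
+]
+},
 {
 "categories": [
 "api-extensions"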

api/openapi-spec/swagger.json

Lines changed: 1913 additions & 0 deletions
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

api/openapi-spec/v3/apis__admissionregistration.k8s.io__v1_openapi.json

Lines changed: 4286 additions & 1129 deletions
Large diffs are not rendered by default.

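--- a/cmd/kube-apiserver/app/server.go
+++ b/cmd/kube-apiserver/app/server.go
@@ -299,7 +299,7 @@ func CreateKubeAPIServerConfig(opts options.CompletedOptions) (
 CloudConfigFile: opts.CloudProvider.CloudConfigFile,
 }
 serviceResolver := buildServiceResolver(opts.EnableAggregatorRouting, genericConfig.LoopbackClientConfig.Host, versionedInformers)
-pluginInitializers, admissionPostStartHook, err := admissionConfig.New(proxyTransport, genericConfig.EgressSelector, serviceResolver, genericConfig.TracerProvider)
+pluginInitializers, err := admissionConfig.New(proxyTransport, genericConfig.EgressSelector, serviceResolver, genericConfig.TracerProvider)
 if err != nil {
 return nil, nil, nil, fmt.Errorf("failed to create admission plugin initializer: %v", err)
 }
@@ -321,9 +321,6 @@ func CreateKubeAPIServerConfig(opts options.CompletedOptions) (
 if err != nil {
 return nil, nil, nil, fmt.Errorf("failed to apply admission: %w", err)
 }
-if err := config.GenericConfig.AddPostStartHook("start-kube-apiserver-admission-initializer", admissionPostStartHook); err != nil {
-return nil, nil, nil, err
-}
 
 if config.GenericConfig.EgressSelector != nil {
 // Use the config.GenericConfig.EgressSelector lookup to find the dialer to connect to the kubelet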
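Review bot: Nothing visible in `CreateKubeAPIServerConfig` says what now starts the work that the removed `start-kube-apiserver-admission-initializer` post-start hook (old lines 324-326) used to start, now that `admissionConfig.New` returns only `pluginInitializers, err`. Admission is an enforcement point, so a reader should be able to confirm from this function that the initializers are still brought up before requests are admitted; presumably that moved into the plugin initializers or the generic server, which is outside this section. A comment at the call would settle it, e.g. `// admissionConfig.New no longer returns a post-start hook; <where the initializer is started now>`. The function body starts and ends outside both hunks.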

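--- a/cmd/kube-controller-manager/app/validatingadmissionpolicystatus.go
+++ b/cmd/kube-controller-manager/app/validatingadmissionpolicystatus.go
@@ -52,8 +52,8 @@ func startValidatingAdmissionPolicyStatusController(ctx context.Context, control
 RestMapper: controllerContext.RESTMapper,
 }
 c, err := validatingadmissionpolicystatus.NewController(
-controllerContext.InformerFactory.Admissionregistration().V1beta1().ValidatingAdmissionPolicies(),
-controllerContext.ClientBuilder.ClientOrDie(names.ValidatingAdmissionPolicyStatusController).AdmissionregistrationV1beta1().ValidatingAdmissionPolicies(),
+controllerContext.InformerFactory.Admissionregistration().V1().ValidatingAdmissionPolicies(),
+controllerContext.ClientBuilder.ClientOrDie(names.ValidatingAdmissionPolicyStatusController).AdmissionregistrationV1().ValidatingAdmissionPolicies(),
 typeChecker,
 )
 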

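--- a/pkg/api/testing/defaulting_test.go
+++ b/pkg/api/testing/defaulting_test.go
@@ -151,6 +151,10 @@ func TestDefaulting(t *testing.T) {
 {Group: "admissionregistration.k8s.io", Version: "v1beta1", Kind: "ValidatingAdmissionPolicyList"}: {},
 {Group: "admissionregistration.k8s.io", Version: "v1beta1", Kind: "ValidatingAdmissionPolicyBinding"}: {},
 {Group: "admissionregistration.k8s.io", Version: "v1beta1", Kind: "ValidatingAdmissionPolicyBindingList"}: {},
+{Group: "admissionregistration.k8s.io", Version: "v1", Kind: "ValidatingAdmissionPolicy"}: {},
+{Group: "admissionregistration.k8s.io", Version: "v1", Kind: "ValidatingAdmissionPolicyList"}: {},
+{Group: "admissionregistration.k8s.io", Version: "v1", Kind: "ValidatingAdmissionPolicyBinding"}: {},
+{Group: "admissionregistration.k8s.io", Version: "v1", Kind: "ValidatingAdmissionPolicyBindingList"}: {},
 {Group: "admissionregistration.k8s.io", Version: "v1", Kind: "ValidatingWebhookConfiguration"}: {},
 {Group: "admissionregistration.k8s.io", Version: "v1", Kind: "ValidatingWebhookConfigurationList"}: {},
 {Group: "admissionregistration.k8s.io", Version: "v1", Kind: "MutatingWebhookConfiguration"}: {},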

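--- a/pkg/apis/admissionregistration/v1/defaults.go
+++ b/pkg/apis/admissionregistration/v1/defaults.go
@@ -93,3 +93,27 @@ func SetDefaults_ServiceReference(obj *admissionregistrationv1.ServiceReference)
 obj.Port = utilpointer.Int32(443)
 }
 }
+
+// SetDefaults_ValidatingAdmissionPolicySpec sets defaults for ValidatingAdmissionPolicySpec
+func SetDefaults_ValidatingAdmissionPolicySpec(obj *admissionregistrationv1.ValidatingAdmissionPolicySpec) {
+if obj.FailurePolicy == nil {
+policy := admissionregistrationv1.Fail
+obj.FailurePolicy = &policy
+}
+}
+
+// SetDefaults_MatchResources sets defaults for MatchResources
+func SetDefaults_MatchResources(obj *admissionregistrationv1.MatchResources) {
+if obj.MatchPolicy == nil {
+policy := admissionregistrationv1.Equivalent
+obj.MatchPolicy = &policy
+}
+if obj.NamespaceSelector == nil {
+selector := metav1.LabelSelector{}
+obj.NamespaceSelector = &selector
+}
+if obj.ObjectSelector == nil {
+selector := metav1.LabelSelector{}
+obj.ObjectSelector = &selector
+}
+}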
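Review bot: The doc comments on `SetDefaults_ValidatingAdmissionPolicySpec` and `SetDefaults_MatchResources` only repeat the function names, and the defaults chosen here are security-relevant enough to spell out. I would write `// SetDefaults_ValidatingAdmissionPolicySpec defaults FailurePolicy to Fail, so a policy that omits the field fails closed.` and, on the second function, state that MatchPolicy becomes Equivalent and that a nil NamespaceSelector or ObjectSelector becomes an empty selector, which matches every namespace and object. That last point matters to policy authors, because leaving the selectors out widens what the policy applies to rather than narrowing it.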

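--- a/pkg/apis/admissionregistration/v1/defaults_test.go
+++ b/pkg/apis/admissionregistration/v1/defaults_test.go
@@ -132,3 +132,91 @@ func TestDefaultAdmissionWebhook(t *testing.T) {
 })
 }
 }
+
+func TestDefaultAdmissionPolicy(t *testing.T) {
+fail := v1.Fail
+equivalent := v1.Equivalent
+allScopes := v1.AllScopes
+
+tests := []struct {
+name string
+original runtime.Object
+expected runtime.Object
+}{
+{
+name: "ValidatingAdmissionPolicy",
+original: &v1.ValidatingAdmissionPolicy{
+Spec: v1.ValidatingAdmissionPolicySpec{
+MatchConstraints: &v1.MatchResources{},
+},
+},
+expected: &v1.ValidatingAdmissionPolicy{
+Spec: v1.ValidatingAdmissionPolicySpec{
+MatchConstraints: &v1.MatchResources{
+MatchPolicy: &equivalent,
+NamespaceSelector: &metav1.LabelSelector{},
+ObjectSelector: &metav1.LabelSelector{},
+},
+FailurePolicy: &fail,
+},
+},
+},
+{
+name: "ValidatingAdmissionPolicyBinding",
+original: &v1.ValidatingAdmissionPolicyBinding{
+Spec: v1.ValidatingAdmissionPolicyBindingSpec{
+MatchResources: &v1.MatchResources{},
+},
+},
+expected: &v1.ValidatingAdmissionPolicyBinding{
+Spec: v1.ValidatingAdmissionPolicyBindingSpec{
+MatchResources: &v1.MatchResources{
+MatchPolicy: &equivalent,
+NamespaceSelector: &metav1.LabelSelector{},
+ObjectSelector: &metav1.LabelSelector{},
+},
+},
+},
+},
+{
+name: "scope=*",
+original: &v1.ValidatingAdmissionPolicy{
+Spec: v1.ValidatingAdmissionPolicySpec{
+MatchConstraints: &v1.MatchResources{
+ResourceRules: []v1.NamedRuleWithOperations{{}},
+},
+},
+},
+expected: &v1.ValidatingAdmissionPolicy{
+Spec: v1.ValidatingAdmissionPolicySpec{
+MatchConstraints: &v1.MatchResources{
+MatchPolicy: &equivalent,
+NamespaceSelector: &metav1.LabelSelector{},
+ObjectSelector: &metav1.LabelSelector{},
+ResourceRules: []v1.NamedRuleWithOperations{
+{
+RuleWithOperations: v1.RuleWithOperations{
+Rule: v1.Rule{
+Scope: &allScopes, // defaulted
+},
+},
+},
+},
+},
+FailurePolicy: &fail,
+},
+},
+},
+}
+
+for _, test := range tests {
+t.Run(test.name, func(t *testing.T) {
+original := test.original
+expected := test.expected
+legacyscheme.Scheme.Default(original)
+if !apiequality.Semantic.DeepEqual(original, expected) {
+t.Error(cmp.Diff(expected, original))
+}
+})
+}
+}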
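Review bot: No case in `TestDefaultAdmissionPolicy` starts from a field that is already set, so the `== nil` guards in the new defaulting functions in defaults.go are untested. A regression that overwrote an explicit `FailurePolicy` or `MatchPolicy` would still pass all three cases, and silently changing an operator's chosen failure behaviour is the kind of defaulting bug that alters what a policy enforces. I would add a case that sets `FailurePolicy` to `v1.Ignore` and `MatchPolicy` to `v1.Exact` and expects both back unchanged, with only the two selectors defaulted.

```go
ignore := v1.Ignore
exact := v1.Exact
// … unchanged: fail, equivalent, allScopes and the three existing cases …
{
	name: "explicit values are preserved",
	original: &v1.ValidatingAdmissionPolicy{
		Spec: v1.ValidatingAdmissionPolicySpec{
			MatchConstraints: &v1.MatchResources{MatchPolicy: &exact},
			FailurePolicy:    &ignore,
		},
	},
	expected: &v1.ValidatingAdmissionPolicy{
		Spec: v1.ValidatingAdmissionPolicySpec{
			MatchConstraints: &v1.MatchResources{
				MatchPolicy:       &exact,
				NamespaceSelector: &metav1.LabelSelector{},
				ObjectSelector:    &metav1.LabelSelector{},
			},
			FailurePolicy: &ignore,
		},
	},
},
```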
