From 4666344cbcd76aba5a198e0fdfc3e7e5051698a9 Mon Sep 17 00:00:00 2001 From: Max Smythe Date: Wed, 15 Mar 2023 17:23:15 -0700 Subject: [PATCH] Custom match criteria (#116350) * Add custom match conditions for CEL admission This PR is based off of, and dependent on the following PR: https://github.com/kubernetes/kubernetes/pull/116261 Signed-off-by: Max Smythe * run `make update` Signed-off-by: Max Smythe * Fix unit tests Signed-off-by: Max Smythe * Fix unit tests Signed-off-by: Max Smythe * Update compatibility test data Signed-off-by: Max Smythe * Revert "Update compatibility test data" This reverts commit 312ba7f9e74e0ec4a7ac1f07bf575479c608af28. * Allow params during validation; make match conditions optional Signed-off-by: Max Smythe * Add conditional ignoring of matcher CEL expression validation on update Signed-off-by: Max Smythe * Run codegen Signed-off-by: Max Smythe * Add more validation tests Signed-off-by: Max Smythe * Short-circuit CEL matcher when no matchers specified Signed-off-by: Max Smythe * Run codegen Signed-off-by: Max Smythe * Address review comments Signed-off-by: Max Smythe --------- Signed-off-by: Max Smythe Kubernetes-commit: e5fd204c33e90a7e8f5a0ee70242f1296a5ec7af --- .../v1alpha1/matchcondition.go | 48 +++++++++++++++++++ .../v1alpha1/validatingadmissionpolicyspec.go | 14 ++++++ applyconfigurations/internal/internal.go | 19 ++++++++ applyconfigurations/utils.go | 2 + go.mod | 4 +- go.sum | 4 +- 6 files changed, 87 insertions(+), 4 deletions(-) create mode 100644 applyconfigurations/admissionregistration/v1alpha1/matchcondition.go diff --git a/applyconfigurations/admissionregistration/v1alpha1/matchcondition.go b/applyconfigurations/admissionregistration/v1alpha1/matchcondition.go new file mode 100644 index 0000000000..186c750f96 --- /dev/null +++ b/applyconfigurations/admissionregistration/v1alpha1/matchcondition.go 
@@ -0,0 +1,48 @@
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by applyconfiguration-gen. DO NOT EDIT.
+
+package v1alpha1
+
+// MatchConditionApplyConfiguration represents an declarative configuration of the MatchCondition type for use
+// with apply.
+type MatchConditionApplyConfiguration struct {
+ Name *string `json:"name,omitempty"`
+ Expression *string `json:"expression,omitempty"`
+}
+
+// MatchConditionApplyConfiguration constructs an declarative configuration of the MatchCondition type for use with
+// apply.
+func MatchCondition() *MatchConditionApplyConfiguration {
+ return &MatchConditionApplyConfiguration{}
+}
+
+// WithName sets the Name field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Name field is set to the value of the last call.
+func (b *MatchConditionApplyConfiguration) WithName(value string) *MatchConditionApplyConfiguration {
+ b.Name = &value
+ return b
+}
+
+// WithExpression sets the Expression field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Expression field is set to the value of the last call.
+func (b *MatchConditionApplyConfiguration) WithExpression(value string) *MatchConditionApplyConfiguration {
+ b.Expression = &value
+ return b
+}
diff --git a/applyconfigurations/admissionregistration/v1alpha1/validatingadmissionpolicyspec.go b/applyconfigurations/admissionregistration/v1alpha1/validatingadmissionpolicyspec.go
index a0763b518c..f674b5b1ec 100644
--- a/applyconfigurations/admissionregistration/v1alpha1/validatingadmissionpolicyspec.go
+++ b/applyconfigurations/admissionregistration/v1alpha1/validatingadmissionpolicyspec.go
@@ -30,6 +30,7 @@ type ValidatingAdmissionPolicySpecApplyConfiguration struct {
 Validations []ValidationApplyConfiguration `json:"validations,omitempty"`
 FailurePolicy *admissionregistrationv1alpha1.FailurePolicyType `json:"failurePolicy,omitempty"`
 AuditAnnotations []AuditAnnotationApplyConfiguration `json:"auditAnnotations,omitempty"`
+ MatchConditions []MatchConditionApplyConfiguration `json:"matchConditions,omitempty"`
 }
 
 // ValidatingAdmissionPolicySpecApplyConfiguration constructs an declarative configuration of the ValidatingAdmissionPolicySpec type for use with
@@ -87,3 +88,16 @@ func (b *ValidatingAdmissionPolicySpecApplyConfiguration) WithAuditAnnotations(v
 }
 return b
 }
+
+// WithMatchConditions adds the given value to the MatchConditions field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, values provided by each call will be appended to the MatchConditions field.
+func (b *ValidatingAdmissionPolicySpecApplyConfiguration) WithMatchConditions(values ...*MatchConditionApplyConfiguration) *ValidatingAdmissionPolicySpecApplyConfiguration {
+ for i := range values {
+ if values[i] == nil {
+ panic("nil value passed to WithMatchConditions")
+ }
+ b.MatchConditions = append(b.MatchConditions, *values[i])
+ }
+ return b
+}
diff --git a/applyconfigurations/internal/internal.go b/applyconfigurations/internal/internal.go
index e490be8123..df8f5ebba5 100644
--- a/applyconfigurations/internal/internal.go
+++ b/applyconfigurations/internal/internal.go
@@ -274,6 +274,17 @@ var schemaYAML = typed.YAMLObject(`types:
 type:
 scalar: string
 default: ""
+- name: io.k8s.api.admissionregistration.v1alpha1.MatchCondition
+ map:
+ fields:
+ - name: expression
+ type:
+ scalar: string
+ default: ""
+ - name: name
+ type:
+ scalar: string
+ default: ""
 - name: io.k8s.api.admissionregistration.v1alpha1.MatchResources
 map:
 fields:
@@ -433,6 +444,14 @@ var schemaYAML = typed.YAMLObject(`types:
 - name: failurePolicy
 type:
 scalar: string
+ - name: matchConditions
+ type:
+ list:
+ elementType:
+ namedType: io.k8s.api.admissionregistration.v1alpha1.MatchCondition
+ elementRelationship: associative
+ keys:
+ - name
 - name: matchConstraints
 type:
 namedType: io.k8s.api.admissionregistration.v1alpha1.MatchResources
diff --git a/applyconfigurations/utils.go b/applyconfigurations/utils.go
index c9becae24c..1d4cee853b 100644
--- a/applyconfigurations/utils.go
+++ b/applyconfigurations/utils.go
@@ -145,6 +145,8 @@ func ForKind(kind schema.GroupVersionKind) interface{} {
 return &admissionregistrationv1alpha1.AuditAnnotationApplyConfiguration{}
 case v1alpha1.SchemeGroupVersion.WithKind("ExpressionWarning"):
 return &admissionregistrationv1alpha1.ExpressionWarningApplyConfiguration{}
+ case v1alpha1.SchemeGroupVersion.WithKind("MatchCondition"):
+ return &admissionregistrationv1alpha1.MatchConditionApplyConfiguration{}
 case v1alpha1.SchemeGroupVersion.WithKind("MatchResources"):
 return &admissionregistrationv1alpha1.MatchResourcesApplyConfiguration{}
 case v1alpha1.SchemeGroupVersion.WithKind("NamedRuleWithOperations"):
diff --git a/go.mod b/go.mod
index 80b67a2ae2..d10459072c 100644
--- a/go.mod
+++ b/go.mod
@@ -24,7 +24,7 @@ require (
 golang.org/x/term v0.6.0
 golang.org/x/time v0.0.0-20220210224613-90d013bbcef8
 google.golang.org/protobuf v1.28.1
- k8s.io/api v0.0.0-20230315032826-0b4c449988b1
+ k8s.io/api v0.0.0-20230316002315-c80582ebe125
 k8s.io/apimachinery v0.0.0-20230315054728-8d1258da8f38
 k8s.io/klog/v2 v2.90.1
 k8s.io/kube-openapi v0.0.0-20230308215209-15aac26d736a
@@ -59,6 +59,6 @@ require (
 )
 
 replace (
- k8s.io/api => k8s.io/api v0.0.0-20230315032826-0b4c449988b1
+ k8s.io/api => k8s.io/api v0.0.0-20230316002315-c80582ebe125
 k8s.io/apimachinery => k8s.io/apimachinery v0.0.0-20230315054728-8d1258da8f38
 )
diff --git a/go.sum b/go.sum
index 78b935180c..58a26d9ce6 100644
--- a/go.sum
+++ b/go.sum
@@ -477,8 +477,8 @@ honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWh
 honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg=
 honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
 honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
-k8s.io/api v0.0.0-20230315032826-0b4c449988b1 h1:wlCdY1kqV0RkfnfRr4mEZ3fGJ1VvLelr5Q2vCnCICIo=
-k8s.io/api v0.0.0-20230315032826-0b4c449988b1/go.mod h1:aZ6MBt4NMLXSxkSKFkoDaP4hTutnZIvH5dCSpOis9g4=
+k8s.io/api v0.0.0-20230316002315-c80582ebe125 h1:sNLUUpJNxIYmttU1YQIm4nhSD2jK3wOkSQVsqhlFh2A=
+k8s.io/api v0.0.0-20230316002315-c80582ebe125/go.mod h1:aZ6MBt4NMLXSxkSKFkoDaP4hTutnZIvH5dCSpOis9g4=
 k8s.io/apimachinery v0.0.0-20230315054728-8d1258da8f38 h1:n1qDRCTPAXwyXYg7eSpWDO9FdW79lwAQ9dAr1vETpn4=
 k8s.io/apimachinery v0.0.0-20230315054728-8d1258da8f38/go.mod h1:5ikh59fK3AJ287GUvpUsryoMFtH9zj/ARfWCo3AyXTM=
 k8s.io/klog/v2 v2.90.1 h1:m4bYOKall2MmOiRaR1J+We67Do7vm9KiQVlT96lnHUw=