CEL-based admission webhook match conditions

[tallclair]

Enhancement Description

• One-line enhancement description (can be used as a release note): Introduce CEL expression filters to webhooks, to allow webhooks to be scoped more narrowly.
• Kubernetes Enhancement Proposal: https://github.com/kubernetes/enhancements/tree/master/keps/sig-api-machinery/3716-admission-webhook-match-conditions
• Discussion Link: https://docs.google.com/document/d/1x9RNaaysyO0gXHIr1y50QFbiL1x8OWnk2v3XnrdkT5Y/edit#bookmark=id.55kd8uoz25p5
• Primary contact (assignee): @tallclair
• Responsible SIGs: api-machinery
• Enhancement target (which target equals to which milestone):
  • Alpha release target (x.y): 1.27
  • Beta release target (x.y):
  • Stable release target (x.y):
• Alpha
  • KEP (k/enhancements) update PR(s):
    • KEP-3716: Admission Webhook Match Conditions #3717
  • Code (k/k) update PR(s):
    • Matchconditions admission webhooks alpha implementation for kep-3716 kubernetes#116261
    • Graduate AdmissionWebhookMatchCondition to beta kubernetes#119380
  • Docs (k/website) update PR(s):
    • AdmissionWebhookMatchConditions feature documentation website#40058
• Beta
  • KEP (k/enhancements) update PR(s):
  • Code (k/k) update PR(s):
  • Docs (k/website) update(s):
• Stable
  • KEP (k/enhancements) update PR(s): KEP-3716: graduate to stable for 1.30 #4435
  • Code (k/k) update PR(s):
    • kep-3716 GA, remove feature gate kubernetes#123560
    • promote match conditions e2e tests to conformance kubernetes#123564
  • Docs (k/website) update(s): [docs placeholder] Matchconditions 1.30 website#45279

Please keep this description up to date. This will help the Enhancement Team to track the evolution of the enhancement efficiently.

[sftim]

Is this for admission webhooks only, or for all HTTP callouts (eg https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#imagepolicywebhook and https://kubernetes.io/docs/reference/access-authn-authz/webhook/)?

[tallclair]

@sftim this is only for admission webhooks (updated the title). We've also had conversations about doing something similar for authorization webhooks, but that will probably be folded in with #3221