Automated cherry pick of #122329: Wire in field dropping for CRDs

[jpbetz]

Cherry pick of #122329 on release-1.29.

#122329: Wire in field dropping for CRDs

For details on the cherry pick process, see the cherry pick requests page.

Fixes accidental enablement of the new alpha `optionalOldSelf` API field in CustomResourceDefinition validation rules, which should only be allowed to be set when the CRDValidationRatcheting feature gate is enabled. Existing CustomResourceDefinition objects which have the field set will retain it on update, but new CustomResourceDefinition objects will not be permitted to set the field while the CRDValidationRatcheting feature gate is disabled.

[jpbetz]

/triage accepted
/priority critical-urgent
/hold until #122329 merges

[jpbetz]

/kind bug
/kind api-change

[alexzielenski]

/retest
/lgtm

[k8s-ci-robot]

LGTM label has been added.

Git tree hash: 61cc4e768bdbff66ad01fff0adeccb20bc83a1eb

[jpbetz]

/test

[k8s-ci-robot]

@jpbetz: The /test command needs one or more targets.
The following commands are available to trigger required jobs:

• /test pull-cadvisor-e2e-kubernetes
• /test pull-kubernetes-conformance-kind-ga-only-parallel
• /test pull-kubernetes-coverage-unit
• /test pull-kubernetes-dependencies
• /test pull-kubernetes-dependencies-go-canary
• /test pull-kubernetes-e2e-gce
• /test pull-kubernetes-e2e-gce-100-performance
• /test pull-kubernetes-e2e-gce-cos
• /test pull-kubernetes-e2e-gce-cos-canary
• /test pull-kubernetes-e2e-gce-cos-no-stage
• /test pull-kubernetes-e2e-gce-network-proxy-http-connect
• /test pull-kubernetes-e2e-kind
• /test pull-kubernetes-e2e-kind-ipv6
• /test pull-kubernetes-integration
• /test pull-kubernetes-integration-go-canary
• /test pull-kubernetes-integration-go-compatibility
• /test pull-kubernetes-kubemark-e2e-gce-scale
• /test pull-kubernetes-node-e2e-containerd
• /test pull-kubernetes-typecheck
• /test pull-kubernetes-unit
• /test pull-kubernetes-unit-go-canary
• /test pull-kubernetes-unit-go-compatibility
• /test pull-kubernetes-update
• /test pull-kubernetes-verify
• /test pull-kubernetes-verify-go-canary

The following commands are available to trigger optional jobs:

• /test check-dependency-stats
• /test pull-e2e-gce-cloud-provider-disabled
• /test pull-kubernetes-conformance-kind-ipv6-parallel
• /test pull-kubernetes-cross
• /test pull-kubernetes-e2e-autoscaling-hpa-cm
• /test pull-kubernetes-e2e-autoscaling-hpa-cpu
• /test pull-kubernetes-e2e-containerd-gce
• /test pull-kubernetes-e2e-gce-canary
• /test pull-kubernetes-e2e-gce-correctness
• /test pull-kubernetes-e2e-gce-device-plugin-gpu
• /test pull-kubernetes-e2e-gce-disruptive-canary
• /test pull-kubernetes-e2e-gce-network-proxy-grpc
• /test pull-kubernetes-e2e-gce-serial
• /test pull-kubernetes-e2e-gce-serial-canary
• /test pull-kubernetes-e2e-gci-gce-autoscaling
• /test pull-kubernetes-e2e-kind-dual-canary
• /test pull-kubernetes-e2e-kind-ipvs-dual-canary
• /test pull-kubernetes-e2e-kind-kms
• /test pull-kubernetes-e2e-kind-multizone
• /test pull-kubernetes-kubemark-e2e-gce-big
• /test pull-kubernetes-linter-hints
• /test pull-kubernetes-node-arm64-e2e-containerd-ec2
• /test pull-kubernetes-node-arm64-e2e-containerd-serial-ec2
• /test pull-kubernetes-node-arm64-ubuntu-serial-gce
• /test pull-kubernetes-node-e2e-containerd-ec2
• /test pull-kubernetes-node-e2e-containerd-kubetest2
• /test pull-kubernetes-node-e2e-containerd-serial-ec2
• /test pull-kubernetes-node-kubelet-serial-pod-disruption-conditions
• /test pull-kubernetes-verify-lint
• /test pull-publishing-bot-validate

Use /test all to run the following jobs that were automatically triggered:

• pull-kubernetes-conformance-kind-ga-only-parallel
• pull-kubernetes-dependencies
• pull-kubernetes-e2e-gce
• pull-kubernetes-e2e-gce-canary
• pull-kubernetes-e2e-kind
• pull-kubernetes-e2e-kind-ipv6
• pull-kubernetes-integration
• pull-kubernetes-integration-go-compatibility
• pull-kubernetes-linter-hints
• pull-kubernetes-node-e2e-containerd
• pull-kubernetes-typecheck
• pull-kubernetes-unit
• pull-kubernetes-unit-go-compatibility
• pull-kubernetes-verify
• pull-kubernetes-verify-lint

In response to this:

/test

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[jpbetz]

/hold cancel
#122329 has merged

[alexzielenski]

/retest

[liggitt]

updated the release note

/lgtm
/approve

[liggitt]

with my "be judicious about what changes get backported" hat on, thinking about whether this falls in one of the categories of kubernetes/community#7634 (regression, data loss, security fix), this is sort of the opposite of a regression, it's an accidental default enablement of capabilities we didn't intend to enable yet. Fixing that (especially ~immediately after it happens) is in bounds, but I'll leave a comment on that issue about that category of backport we should be open to.

[liggitt]

cc @kubernetes/release-managers

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: jpbetz, liggitt, saschagrunert

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• staging/src/k8s.io/apiextensions-apiserver/OWNERS [jpbetz,liggitt]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment