Add x-preserve... to Constraint kind status

Gatekeeper adds the byPod field to the status of a Constraint once it is applied to the cluster. This previously relied on the preservation of unknown fields by the API server. As we are now applying Constraint kind CRDs as v1 CRDs, this behavior breaks. This PR adds an empty `status` to the Constraint kind's CRD's schema. That status includes the `x-kubernetes-preserve-unknown-fields: true` key/value pair, retaining the existing Gatekeeper functionality. Contributes to open-policy-agent/gatekeeper#550 Signed-off-by: juliankatz <juliankatz@google.com>
open-policy-agent · May 22, 2021 · 5c03494 · 5c03494
1 parent 3501137
commit 5c03494
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 1 deletion.
diff --git a/constraint/pkg/client/crd_helpers.go b/constraint/pkg/client/crd_helpers.go
@@ -42,10 +42,13 @@ func (h *crdHelper) createSchema(templ *templates.ConstraintTemplate, target Mat
 		"match":             target.MatchSchema(),
 		"enforcementAction": {Type: "string"},
 	}
+
 	if templ.Spec.CRD.Spec.Validation != nil && templ.Spec.CRD.Spec.Validation.OpenAPIV3Schema != nil {
 		internalSchema := *templ.Spec.CRD.Spec.Validation.OpenAPIV3Schema.DeepCopy()
 		props["parameters"] = internalSchema
 	}
+
+	trueBool := true
 	schema := &apiextensions.JSONSchemaProps{
 		Type: "object",
 		Properties: map[string]apiextensions.JSONSchemaProps{
@@ -62,8 +65,12 @@ func (h *crdHelper) createSchema(templ *templates.ConstraintTemplate, target Mat
 				Type:       "object",
 				Properties: props,
 			},
+			"status": {
+				XPreserveUnknownFields: &trueBool,
+			},
 		},
 	}
+
 	return schema, nil
 }
 
@@ -122,12 +129,14 @@ func (h *crdHelper) createCRD(
 			},
 		},
 	}
+
 	// Defaulting functions are not found in versionless CRD package
 	crdv1 := &apiextensionsv1.CustomResourceDefinition{}
 	if err := h.scheme.Convert(crd, crdv1, nil); err != nil {
 		return nil, err
 	}
 	h.scheme.Default(crdv1)
+
 	crd2 := &apiextensions.CustomResourceDefinition{}
 	if err := h.scheme.Convert(crdv1, crd2, nil); err != nil {
 		return nil, err

diff --git a/constraint/pkg/client/crd_helpers_test.go b/constraint/pkg/client/crd_helpers_test.go
@@ -117,6 +117,7 @@ func tProp(t string) apiextensions.JSONSchemaProps {
 
 func expectedSchema(pm propMap) *apiextensions.JSONSchemaProps {
 	pm["enforcementAction"] = apiextensions.JSONSchemaProps{Type: "string"}
+	trueBool := true
 	p := prop(
 		propMap{
 			"metadata": prop(propMap{
@@ -125,7 +126,8 @@ func expectedSchema(pm propMap) *apiextensions.JSONSchemaProps {
 					MaxLength: func(i int64) *int64 { return &i }(63),
 				},
 			}),
-			"spec": prop(pm),
+			"spec":   prop(pm),
+			"status": {XPreserveUnknownFields: &trueBool},
 		},
 	)
 	return &p