Update to admissionregistration.k8s.io/v1

[sozercan]

Signed-off-by: Sertac Ozercan sozercan@gmail.com

What this PR does / why we need it:

• Updates admissionregistration.k8s.io/v1beta1 to v1. This will change minimum required Kubernetes version to v1.16.
• Updates controller-gen to v0.5.0.

Which issue(s) this PR fixes (optional, using fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when the PR gets merged):
Fixes #818

Special notes for your reviewer:

• Upgrade test validates that a cluster with admissionregistration.k8s.io/v1beta1 can be upgraded to v1.

[maxsmythe]

Are there any differences between the two admission review versions?

[sozercan]

it's detailed here: https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.16.md#api-changes
doesn't sounds like any major differences, just required fields and api server support for receiving corresponding versions

[maxsmythe]

LGTM

[ritazh]

Looks like caBundle is removed here but they are persisted in the MutatingWebhookConfiguration in config/overlays/mutation_webhook/webhook.yaml

[sozercan]

I think config/overlays/mutation_webhook/webhook.yaml is temporary location, and it's not generated. Once it's generated, it'll go to config/webhook/manifests.yaml (and caBundle doesn't get generated)

https://github.com/open-policy-agent/gatekeeper/pull/1250/files#diff-b51dd886772df2afc559857517988e0b2c597cc944583aa47891f6de293b4f21R50-R51

[ritazh]

ah ok. should we manually update config/overlays/mutation_webhook/webhook.yaml for now?

[sozercan]

I don't think it matters but, I updated to be same as it would have been generated.

[maxsmythe]

Related bug: #817

[ritazh]

Thanks for linking the issue @maxsmythe so this PR would fix that issue as a bonus.

[codecov-commenter]

Codecov Report

Merging #1250 (da9039d) into master (20a0e1a) will decrease coverage by 0.06%.
The diff coverage is n/a.

@@            Coverage Diff             @@
##           master    #1250      +/-   ##
==========================================
- Coverage   48.55%   48.49%   -0.07%     
==========================================
  Files          68       68              
  Lines        4879     4879              
==========================================
- Hits         2369     2366       -3     
- Misses       2159     2161       +2     
- Partials      351      352       +1     

Flag	Coverage Δ
unittests	48.49% <ø> (-0.07%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

Impacted Files	Coverage Δ
pkg/webhook/mutation.go	17.64% <ø> (ø)
pkg/webhook/namespacelabel.go	72.00% <ø> (ø)
pkg/webhook/policy.go	28.62% <ø> (ø)
...onstrainttemplate/constrainttemplate_controller.go	56.63% <0.00%> (-0.98%)	⬇️

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 20a0e1a...da9039d. Read the comment docs.

[sozercan]

cert-controller PR: open-policy-agent/cert-controller#34

[maxsmythe]

still LGTM, if needed

[maxsmythe]

Though the tests look unhappy

[sozercan]

@maxsmythe failures are due to open-policy-agent/cert-controller#31 that includes controller-runtime v0.8 which includes breaking changes

[maxsmythe]

Major breaking changes? Or do we just need to tweak some things?

[sozercan]

Sounds like conversion function changes in apimachinery. I think this will have to wait until frameworks repo updates unless we want to revert controller-runtime changes in cert-controller

#17 59.04 # github.com/open-policy-agent/frameworks/constraint/pkg/apis/templates/v1alpha1
#17 59.04 vendor/github.com/open-policy-agent/frameworks/constraint/pkg/apis/templates/v1alpha1/zz_generated.conversion.go:438:22: too many arguments in call to s.Convert
#17 59.04 	have (*v1beta1.JSONSchemaProps, *apiextensions.JSONSchemaProps, number)
#17 59.04 	want (interface {}, interface {})
#17 59.04 vendor/github.com/open-policy-agent/frameworks/constraint/pkg/apis/templates/v1alpha1/zz_generated.conversion.go:457:22: too many arguments in call to s.Convert
#17 59.04 	have (*apiextensions.JSONSchemaProps, *v1beta1.JSONSchemaProps, number)
#17 59.04 	want (interface {}, interface {})
#17 59.07 # github.com/open-policy-agent/frameworks/constraint/pkg/apis/templates/v1beta1
#17 59.07 vendor/github.com/open-policy-agent/frameworks/constraint/pkg/apis/templates/v1beta1/zz_generated.conversion.go:438:22: too many arguments in call to s.Convert
#17 59.07 	have (*v1beta1.JSONSchemaProps, *apiextensions.JSONSchemaProps, number)
#17 59.07 	want (interface {}, interface {})
#17 59.07 vendor/github.com/open-policy-agent/frameworks/constraint/pkg/apis/templates/v1beta1/zz_generated.conversion.go:457:22: too many arguments in call to s.Convert
#17 59.07 	have (*apiextensions.JSONSchemaProps, *v1beta1.JSONSchemaProps, number)
#17 59.07 	want (interface {}, interface {})

[willbeason]

We should explicitly set matchPolicy and sideEffects in our Validating/MutatingWebhookConfigurations to preserve behavior and be valid. In several files we aren't declaring these fields, which is problematic as the defaults have changed.

matchPolicy now defaults to "Equivalent" instead of "Exact". We aren't being explicit in our Validating/MutatingWebhookConfiguration, so this will cause a change in behavior. I don't know whether we intend to be the current default of "Exact". Note that if a user applies a different API Version of an object than the mutator is written for, "Exact" will ignore it but "Equivalent" will match it. However, the webhook would then needs to make sure it properly converts the object to the expected API Version.

sideEffects has changed and now needs to be explicitly set. "In admissionregistration.k8s.io/v1, sideEffects must be set to None or NoneOnDryRun."

I would have linked to a specific file as an example inline but I don't seem to have permission to do that?

[sozercan]

@maxsmythe @julianKatz do we want version to be v1alpha1 or v1beta1?

[ritazh]

I think it should be v1beta1 here https://github.com/open-policy-agent/frameworks/blob/3f51770b2910689616b1c78b7b5e75010cd899a0/constraint/config/crds/templates.gatekeeper.sh_constrainttemplates.yaml#L109

[maxsmythe]

version needs to be equal to the first item in the versions list. It looks like it doesn't actually do anything except break if it doesn't match:

https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#customresourcedefinitionspec-v1beta1-apiextensions-k8s-io

[ritazh]

Note: In apiextensions.k8s.io/v1beta1, there was a version field instead of versions. The version field is deprecated and optional, but if it is not empty, it must match the first item in the versions field.

Looks like version is deprecated. Do we want to keep it?

[sozercan]

It's okay to remove but @julianKatz wasn't able to find a way for controller-gen to generate without version I believe

[maxsmythe]

Yeah, it should go away when we switch to generating v1 CRDs (which don't have this field)

[sozercan]

@willbeason thanks! explicitly defined matchPolicy to be Exact to match previous behavior. I think we are already defining sideEffects explicitly.

@ritazh @maxsmythe thoughts on whether matchPolicy should be Equivalent or Exact?
https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-matchpolicy

[ritazh]

+1 Setting matchPolicy to Exact to match previous behavior. If we have enough people asking for Equivalent, then we could expose a helm parameter for users to set it.

[maxsmythe]

Exact match works. Because we match against / by default, either would be fine. Users who customize the config may be surprised.

[sozercan]

rebased with @shomron's changes to controller-runtime. @ritazh @maxsmythe still lgty?

[maxsmythe]

still LGTM!

[ritazh]

lgtm