api: add v1beta1 ValidatingAdmissionPolicy/Binding types and storage

Author: Alexander Zielenski

cmd/kube-apiserver/app/aggregator.go

@@ -289,6 +289,7 @@ var apiVersionPriorities = map[schema.GroupVersion]priority{
 	{Group: "storage.k8s.io", Version: "v1alpha1"}:               {group: 16800, version: 1},
 	{Group: "apiextensions.k8s.io", Version: "v1"}:               {group: 16700, version: 15},
 	{Group: "admissionregistration.k8s.io", Version: "v1"}:       {group: 16700, version: 15},
+	{Group: "admissionregistration.k8s.io", Version: "v1beta1"}:  {group: 16700, version: 12},
 	{Group: "admissionregistration.k8s.io", Version: "v1alpha1"}: {group: 16700, version: 9},
 	{Group: "scheduling.k8s.io", Version: "v1"}:                  {group: 16600, version: 15},
 	{Group: "coordination.k8s.io", Version: "v1"}:                {group: 16500, version: 15},

pkg/apis/admissionregistration/v1beta1/defaults.go

@@ -27,6 +27,30 @@ func addDefaultingFuncs(scheme *runtime.Scheme) error {
 	return RegisterDefaults(scheme)
 }
 
+// SetDefaults_ValidatingAdmissionPolicySpec sets defaults for ValidatingAdmissionPolicySpec
+func SetDefaults_ValidatingAdmissionPolicySpec(obj *admissionregistrationv1beta1.ValidatingAdmissionPolicySpec) {
+	if obj.FailurePolicy == nil {
+		policy := admissionregistrationv1beta1.Fail
+		obj.FailurePolicy = &policy
+	}
+}
+
+// SetDefaults_MatchResources sets defaults for MatchResources
+func SetDefaults_MatchResources(obj *admissionregistrationv1beta1.MatchResources) {
+	if obj.MatchPolicy == nil {
+		policy := admissionregistrationv1beta1.Equivalent
+		obj.MatchPolicy = &policy
+	}
+	if obj.NamespaceSelector == nil {
+		selector := metav1.LabelSelector{}
+		obj.NamespaceSelector = &selector
+	}
+	if obj.ObjectSelector == nil {
+		selector := metav1.LabelSelector{}
+		obj.ObjectSelector = &selector
+	}
+}
+
 // SetDefaults_ValidatingWebhook sets defaults for webhook validating
 func SetDefaults_ValidatingWebhook(obj *admissionregistrationv1beta1.ValidatingWebhook) {
 	if obj.FailurePolicy == nil {

pkg/apis/admissionregistration/v1beta1/defaults_test.go

@@ -141,3 +141,91 @@ func TestDefaultAdmissionWebhook(t *testing.T) {
 		})
 	}
 }
+
+func TestDefaultAdmissionPolicy(t *testing.T) {
+	fail := v1beta1.Fail
+	equivalent := v1beta1.Equivalent
+	allScopes := v1beta1.AllScopes
+
+	tests := []struct {
+		name     string
+		original runtime.Object
+		expected runtime.Object
+	}{
+		{
+			name: "ValidatingAdmissionPolicy",
+			original: &v1beta1.ValidatingAdmissionPolicy{
+				Spec: v1beta1.ValidatingAdmissionPolicySpec{
+					MatchConstraints: &v1beta1.MatchResources{},
+				},
+			},
+			expected: &v1beta1.ValidatingAdmissionPolicy{
+				Spec: v1beta1.ValidatingAdmissionPolicySpec{
+					MatchConstraints: &v1beta1.MatchResources{
+						MatchPolicy:       &equivalent,
+						NamespaceSelector: &metav1.LabelSelector{},
+						ObjectSelector:    &metav1.LabelSelector{},
+					},
+					FailurePolicy: &fail,
+				},
+			},
+		},
+		{
+			name: "ValidatingAdmissionPolicyBinding",
+			original: &v1beta1.ValidatingAdmissionPolicyBinding{
+				Spec: v1beta1.ValidatingAdmissionPolicyBindingSpec{
+					MatchResources: &v1beta1.MatchResources{},
+				},
+			},
+			expected: &v1beta1.ValidatingAdmissionPolicyBinding{
+				Spec: v1beta1.ValidatingAdmissionPolicyBindingSpec{
+					MatchResources: &v1beta1.MatchResources{
+						MatchPolicy:       &equivalent,
+						NamespaceSelector: &metav1.LabelSelector{},
+						ObjectSelector:    &metav1.LabelSelector{},
+					},
+				},
+			},
+		},
+		{
+			name: "scope=*",
+			original: &v1beta1.ValidatingAdmissionPolicy{
+				Spec: v1beta1.ValidatingAdmissionPolicySpec{
+					MatchConstraints: &v1beta1.MatchResources{
+						ResourceRules: []v1beta1.NamedRuleWithOperations{{}},
+					},
+				},
+			},
+			expected: &v1beta1.ValidatingAdmissionPolicy{
+				Spec: v1beta1.ValidatingAdmissionPolicySpec{
+					MatchConstraints: &v1beta1.MatchResources{
+						MatchPolicy:       &equivalent,
+						NamespaceSelector: &metav1.LabelSelector{},
+						ObjectSelector:    &metav1.LabelSelector{},
+						ResourceRules: []v1beta1.NamedRuleWithOperations{
+							{
+								RuleWithOperations: v1beta1.RuleWithOperations{
+									Rule: v1beta1.Rule{
+										Scope: &allScopes, // defaulted
+									},
+								},
+							},
+						},
+					},
+					FailurePolicy: &fail,
+				},
+			},
+		},
+	}
+
+	for _, test := range tests {
+		t.Run(test.name, func(t *testing.T) {
+			original := test.original
+			expected := test.expected
+			legacyscheme.Scheme.Default(original)
+			if !apiequality.Semantic.DeepEqual(original, expected) {
+				t.Error(cmp.Diff(expected, original))
+			}
+		})
+	}
+}

pkg/controlplane/instance.go

@@ -27,6 +27,7 @@ import (
 
 	admissionregistrationv1 "k8s.io/api/admissionregistration/v1"
 	admissionregistrationv1alpha1 "k8s.io/api/admissionregistration/v1alpha1"
+	admissionregistrationv1beta1 "k8s.io/api/admissionregistration/v1beta1"
 	apiserverinternalv1alpha1 "k8s.io/api/apiserverinternal/v1alpha1"
 	appsv1 "k8s.io/api/apps/v1"
 	authenticationv1 "k8s.io/api/authentication/v1"
@@ -780,6 +781,7 @@ var (
 	}
 	// betaAPIGroupVersionsDisabledByDefault is for all future beta groupVersions.
 	betaAPIGroupVersionsDisabledByDefault = []schema.GroupVersion{
+		admissionregistrationv1beta1.SchemeGroupVersion,
 		authenticationv1beta1.SchemeGroupVersion,
 		storageapiv1beta1.SchemeGroupVersion,
 		flowcontrolv1beta1.SchemeGroupVersion,

pkg/registry/admissionregistration/rest/storage_apiserver.go

@@ -19,6 +19,7 @@ package rest
 import (
 	admissionregistrationv1 "k8s.io/api/admissionregistration/v1"
 	admissionregistrationv1alpha1 "k8s.io/api/admissionregistration/v1alpha1"
+	admissionregistrationv1beta1 "k8s.io/api/admissionregistration/v1beta1"
 	"k8s.io/apiserver/pkg/authorization/authorizer"
 	"k8s.io/apiserver/pkg/registry/generic"
 	"k8s.io/apiserver/pkg/registry/rest"
@@ -50,6 +51,12 @@ func (p RESTStorageProvider) NewRESTStorage(apiResourceConfigSource serverstorag
 		apiGroupInfo.VersionedResourcesStorageMap[admissionregistrationv1.SchemeGroupVersion.Version] = storageMap
 	}
 
+	if storageMap, err := p.v1beta1Storage(apiResourceConfigSource, restOptionsGetter); err != nil {
+		return genericapiserver.APIGroupInfo{}, err
+	} else if len(storageMap) > 0 {
+		apiGroupInfo.VersionedResourcesStorageMap[admissionregistrationv1beta1.SchemeGroupVersion.Version] = storageMap
+	}
+
 	if storageMap, err := p.v1alpha1Storage(apiResourceConfigSource, restOptionsGetter); err != nil {
 		return genericapiserver.APIGroupInfo{}, err
 	} else if len(storageMap) > 0 {
@@ -116,6 +123,40 @@ func (p RESTStorageProvider) v1alpha1Storage(apiResourceConfigSource serverstora
 	return storage, nil
 }
 
+func (p RESTStorageProvider) v1beta1Storage(apiResourceConfigSource serverstorage.APIResourceConfigSource, restOptionsGetter generic.RESTOptionsGetter) (map[string]rest.Storage, error) {
+	storage := map[string]rest.Storage{}
+
+	// use a simple wrapper so that initialization order won't cause a nil getter
+	var policyGetter rest.Getter
+
+	r, err := resolver.NewDiscoveryResourceResolver(p.DiscoveryClient)
+	if err != nil {
+		return storage, err
+	}
+
+	// validatingadmissionpolicies
+	if resource := "validatingadmissionpolicies"; apiResourceConfigSource.ResourceEnabled(admissionregistrationv1beta1.SchemeGroupVersion.WithResource(resource)) {
+		policyStorage, policyStatusStorage, err := validatingadmissionpolicystorage.NewREST(restOptionsGetter, p.Authorizer, r)
+		if err != nil {
+			return storage, err
+		}
+		policyGetter = policyStorage
+		storage[resource] = policyStorage
+		storage[resource+"/status"] = policyStatusStorage
+	}
+
+	// validatingadmissionpolicybindings
+	if resource := "validatingadmissionpolicybindings"; apiResourceConfigSource.ResourceEnabled(admissionregistrationv1beta1.SchemeGroupVersion.WithResource(resource)) {
+		policyBindingStorage, err := policybindingstorage.NewREST(restOptionsGetter, p.Authorizer, &policybindingstorage.DefaultPolicyGetter{Getter: policyGetter}, r)
+		if err != nil {
+			return storage, err
+		}
+		storage[resource] = policyBindingStorage
+	}
+
+	return storage, nil
+}
+
 func (p RESTStorageProvider) GroupName() string {
 	return admissionregistration.GroupName
 }

pkg/registry/admissionregistration/validatingadmissionpolicy/strategy.go

@@ -135,6 +135,9 @@ func (v *validatingAdmissionPolicyStrategy) GetResetFields() map[fieldpath.APIVe
 		"admissionregistration.k8s.io/v1alpha1": fieldpath.NewSet(
 			fieldpath.MakePathOrDie("status"),
 		),
+		"admissionregistration.k8s.io/v1beta1": fieldpath.NewSet(
+			fieldpath.MakePathOrDie("status"),
+		),
 	}
 
 	return fields
@@ -170,6 +173,10 @@ func (s *validatingAdmissionPolicyStatusStrategy) GetResetFields() map[fieldpath
 			fieldpath.MakePathOrDie("spec"),
 			fieldpath.MakePathOrDie("metadata"),
 		),
+		"admissionregistration.k8s.io/v1beta1": fieldpath.NewSet(
+			fieldpath.MakePathOrDie("spec"),
+			fieldpath.MakePathOrDie("metadata"),
+		),
 	}
 }
 

staging/src/k8s.io/api/admissionregistration/v1beta1/register.go

@@ -50,6 +50,10 @@ func addKnownTypes(scheme *runtime.Scheme) error {
 		&ValidatingWebhookConfigurationList{},
 		&MutatingWebhookConfiguration{},
 		&MutatingWebhookConfigurationList{},
+		&ValidatingAdmissionPolicy{},
+		&ValidatingAdmissionPolicyList{},
+		&ValidatingAdmissionPolicyBinding{},
+		&ValidatingAdmissionPolicyBindingList{},
 	)
 	metav1.AddToGroupVersion(scheme, SchemeGroupVersion)
 	return nil