51 Commits

Author SHA1 Message Date
Max Smythe
e5fd204c33
Custom match criteria (#116350)
* Add custom match conditions for CEL admission

This PR is based off of, and dependent on the following PR:

https://github.com/kubernetes/kubernetes/pull/116261

Signed-off-by: Max Smythe <smythe@google.com>

* run `make update`

Signed-off-by: Max Smythe <smythe@google.com>

* Fix unit tests

Signed-off-by: Max Smythe <smythe@google.com>

* Fix unit tests

Signed-off-by: Max Smythe <smythe@google.com>

* Update compatibility test data

Signed-off-by: Max Smythe <smythe@google.com>

* Revert "Update compatibility test data"

This reverts commit 312ba7f9e74e0ec4a7ac1f07bf575479c608af28.

* Allow params during validation; make match conditions optional

Signed-off-by: Max Smythe <smythe@google.com>

* Add conditional ignoring of matcher CEL expression validation on update

Signed-off-by: Max Smythe <smythe@google.com>

* Run codegen

Signed-off-by: Max Smythe <smythe@google.com>

* Add more validation tests

Signed-off-by: Max Smythe <smythe@google.com>

* Short-circuit CEL matcher when no matchers specified

Signed-off-by: Max Smythe <smythe@google.com>

* Run codegen

Signed-off-by: Max Smythe <smythe@google.com>

* Address review comments

Signed-off-by: Max Smythe <smythe@google.com>

---------

Signed-off-by: Max Smythe <smythe@google.com>
2023-03-15 17:23:15 -07:00
Igor Velichkovich
5e5b3029f3
Matchconditions admission webhooks alpha implementation for kep-3716 (#116261)
* api changes adding match conditions

* feature gate and registry strategy to drop fields

* matchConditions logic for admission webhooks

* feedback

* update test

* import order

* bears.com

* update fail policy ignore behavior

* update docs and matcher to hold fail policy as non-pointer

* update matcher error aggregation, fix early fail failpolicy ignore, update docs

* final cleanup

* openapi gen
2023-03-14 20:28:26 -07:00
Jiahui Feng
68ac7acbce [API REVIEW] ValidatingAdmissionPolicyStatus 2023-03-07 15:43:34 -08:00
Jiahui Feng
d8be7aa9ca implement message expression. 2023-03-08 17:36:11 -08:00
Joe Betz
d221ddb89a Implement validationActions and auditAnnotations 2023-03-06 21:51:27 -05:00
Cici Huang
244c63a2e6 Apply resource constraints to ValidatingAdmissionPolicy. 2023-03-06 20:43:59 +00:00
Joe Betz
7bbda746fe Implement secondary authz 2023-03-06 12:08:14 -05:00
Igor Velichkovich
e96ef31187 refactor admission cel validator and compiler to be reusable 2023-03-01 18:46:45 -06:00
Cici Huang
40c21dafcd Rename admission cel package to validatingadmissionpolicy 2022-11-10 03:37:30 +00:00
Jordan Liggitt
fc69084bf1
Update workload selector validation 2022-11-07 20:52:02 -05:00
Manjusaka
0843c4dfca
Add extra value validation for matchExpression field in LabelSelector 2022-11-07 20:48:21 -05:00
Cici Huang
0486e06261 Adding new api version of admissionregistration.k8s.io v1alpha1 for CEL in Admission Control 2022-11-07 20:51:51 +00:00
Kubernetes Prow Robot
cfb2219ded
Merge pull request #107175 from roycaihw/doc/webhook-rule-validation
Fix examples of admission registration rules that contain wildcards
2022-02-09 15:35:44 -08:00
guoyao
d9f99489ee fix duplicate webhook insert operation
Signed-off-by: guoyao <1015105054@qq.com>
2022-01-05 08:59:13 +08:00
Haowei Cai
8ddd030cd9 Fix examples of rules with wildcard 2021-12-21 16:46:54 -08:00
Jordan Liggitt
befffd1565 Drop legacy validation logic for admission registration 2021-08-09 12:37:18 -04:00
Jeremy Shih
4ee5cdc838 fixed golint error in pkg/apis/admissionregistration 2020-08-31 09:43:51 +08:00
Jordan Liggitt
eedf063599 Allow v1 review versions in 1.17+ 2019-09-13 13:52:28 -04:00
Jordan Liggitt
190c926d1f Limit v1 webhooks to None and NoneOnDryRun side effects classes 2019-08-06 20:54:06 -04:00
Jordan Liggitt
649ee4f2d0 Clarify accepted versions skew requirements, update field documentation 2019-08-01 17:17:42 -04:00
Jordan Liggitt
08b15d32f7 Require webhook names to be unique in v1 2019-07-10 17:38:09 -04:00
Jordan Liggitt
6c3891a25f Remove default admissionReviewVersions in v1, make required in validation 2019-07-10 17:38:09 -04:00
Jordan Liggitt
9dcc722d2e Remove default sideEffects in v1, make required in validation 2019-07-10 17:38:08 -04:00
Chao Xu
70f1b052e3 api 2019-05-30 16:46:00 -07:00
Joe Betz
95fa928ecb Add mutating admission webhook reinvocation 2019-05-30 14:31:09 -07:00
Joe Betz
55ecc45455 split admissionregistration.v1beta1/Webhook into MutatingWebhook and ValidatingWebhook 2019-05-30 14:31:09 -07:00
Jordan Liggitt
b6fa0f5b0f AdmissionRegistration API changes: MatchPolicy 2019-05-28 14:26:06 -04:00
Daniel (Shijun) Qian
5268f69405 fix duplicated imports of k8s code (#77484)
* fix duplicated imports of api/core/v1

* fix duplicated imports of client-go/kubernetes

* fix duplicated imports of rest code

* change import name to more reasonable
2019-05-08 10:12:47 -07:00
Mehdy Bohlool
404e2f7a30 Add port to ServiceReference of Admission Webhooks, ConversionWebhooks and AuditSync with defaulter and validator 2019-04-08 00:18:36 -07:00
Mehdy Bohlool
f7dff4725f Add AdmissionReviewVersions to admissionregistration and default it 2019-03-07 15:02:16 -08:00
Jordan Liggitt
0797d81222 Add scope restrictions to webhook admission rules 2019-03-05 00:30:12 +00:00
Haowei Cai
1cd9162c15 default and validation 2019-02-26 14:41:43 -08:00
Nguyen Hai Truong
34961dc16c trivial fix typo: resouce -> resource
Although it is a spelling mistake, it might have an effect while reading.

Signed-off-by: Nguyen Hai Truong <truongnh@vn.fujitsu.com>
2019-02-15 02:05:28 -08:00
Jordan Liggitt
dc1fa870bf Remove alpha InitializerConfiguration types, Initializers admission plugin 2019-01-23 11:37:39 -05:00
Mehdy Bohlool
1587d189cb Refactor webhookclientConfig validation of admission and audit registration 2018-10-31 11:14:47 -07:00
Patrick Barker
381d0a5d14 adds dynamic audit api 2018-10-16 06:46:34 -06:00
jennybuckley
2d0ec48f9b Support dry run in admission webhooks 2018-08-22 16:26:47 -07:00
Daniel Smith
e73fd87844 fix docs and validation 2017-11-11 18:42:48 -08:00
Daniel Smith
a0cb2ce697 Add URL beside service 2017-11-11 16:09:34 -08:00
Chao Xu
7006d224be add NamespaceSelector to the api
business logic in webhook plugin and unit test

add an e2e test for namespace selector
2017-11-10 13:40:16 -08:00
mbohlool
fc5a613c17 Add MutatingWebhookConfiguration type 2017-11-09 14:00:14 -08:00
mbohlool
9ddea83a2c Rename ExternalAdmissionHookConfiguration to ValidatingWebhookConfiguration 2017-11-09 11:39:50 -08:00
David Eads
730d42011a generated 2017-10-19 08:06:38 -04:00
David Eads
33deaedaf6 add url path for admission webhooks 2017-10-19 08:06:38 -04:00
David Eads
f81b6004de allow fail close webhook admission 2017-10-18 14:28:02 -04:00
Kubernetes Submit Queue
12f96e2e35 Merge pull request #51283 from caesarxuchao/fix-initializer-validate
Automatic merge from submit-queue (batch tested with PRs 51583, 51283, 51374, 51690, 51716)

Unify initializer name validation

Unify the validation rules on initializer names. Fix https://github.com/kubernetes/kubernetes/issues/51843.

```release-note
Action required: validation rule on metadata.initializers.pending[x].name is tightened. The initializer name needs to contain at least three segments separated by dots. If you create objects with pending initializers, (i.e., not relying on apiserver adding pending initializers according to initializerconfiguration), you need to update the initializer name in existing objects and in configuration files to comply to the new validation rule.
```
2017-09-02 20:35:22 -07:00
Chao Xu
c33de9f204 unify the validation rules on initializer name 2017-08-28 16:17:05 -07:00
Chao Xu
b642c9afbb remove failure policy from initializer configuration 2017-08-28 15:24:50 -07:00
Chao Xu
80a53d52fd do not allow subresources in initializer rules 2017-05-31 15:20:32 -07:00
Chao Xu
ab3e7a73ec validation of subresources 2017-05-31 15:20:22 -07:00