Merge pull request #1934 from vmware-tanzu/admission_plugins_need_v1

only auto-detect version v1 of ValidatingAdmissionPlugin during startup

internal/admissionpluginconfig/admissionpluginconfg.go

@@ -5,7 +5,6 @@ package admissionpluginconfig
 
 import (
 	"fmt"
-	"strings"
 
 	"github.com/pkg/errors"
 	admissionregistrationv1 "k8s.io/api/admissionregistration/v1"
@@ -82,17 +81,16 @@ func k8sAPIServerHasValidatingAdmissionPolicyResource(discoveryClient discovery.
 		return false, fmt.Errorf("failed to perform k8s API discovery: %w", err)
 	}
 
-	// Now look at all discovered groups until we find admissionregistration.k8s.io.
-	wantedGroupWithSlash := fmt.Sprintf("%s/", admissionregistrationv1.GroupName)
+	// Now look at all discovered groups until we find version v1 of group admissionregistration.k8s.io.
 	for _, resourcesPerGV := range resources {
-		if strings.HasPrefix(resourcesPerGV.GroupVersion, wantedGroupWithSlash) {
+		if resourcesPerGV.GroupVersion == admissionregistrationv1.SchemeGroupVersion.String() {
 			// Found the group, so now look to see if it includes ValidatingAdmissionPolicy as a resource,
 			// which went GA in Kubernetes 1.30, and could be enabled by a feature flag in previous versions.
 			for _, resource := range resourcesPerGV.APIResources {
 				if resource.Kind == "ValidatingAdmissionPolicy" {
 					// Found it!
 					plog.Info("found ValidatingAdmissionPolicy resource on this Kubernetes cluster",
-						"group", resource.Group, "version", resource.Version, "kind", resource.Kind)
+						"groupVersion", resourcesPerGV.GroupVersion, "kind", resource.Kind)
 					return true, nil
 				}
 			}

internal/admissionpluginconfig/admissionpluginconfg_test.go

@@ -57,6 +57,14 @@ func TestConfigureAdmissionPlugins(t *testing.T) {
 		},
 	}
 
+	newStyleAdmissionResourcesWithValidatingAdmissionPoliciesAtOlderAPIVersion := &metav1.APIResourceList{
+		GroupVersion: admissionregistrationv1.SchemeGroupVersion.Group + "/v1beta1",
+		APIResources: []metav1.APIResource{
+			{Name: "validatingwebhookconfigurations", Kind: "ValidatingWebhookConfiguration"},
+			{Name: "validatingadmissionpolicies", Kind: "ValidatingAdmissionPolicy"},
+		},
+	}
+
 	oldStyleAdmissionResourcesWithoutValidatingAdmissionPolicies := &metav1.APIResourceList{
 		GroupVersion: admissionregistrationv1.SchemeGroupVersion.String(),
 		APIResources: []metav1.APIResource{
@@ -92,6 +100,16 @@ func TestConfigureAdmissionPlugins(t *testing.T) {
 			wantRegisteredPlugins:      customOldStylePluginsRegistered,
 			wantRecommendedPluginOrder: customOldStyleRecommendedPluginOrder,
 		},
+		{
+			name: "when there is only an older version of ValidatingAdmissionPolicy resource, as there would be in an old Kubernetes cluster with the feature flag enabled, then we change the plugin configuration to be more like it was for old versions of Kubernetes (because the admission code wants to watch v1)",
+			availableAPIResources: []*metav1.APIResourceList{
+				coreResources,
+				newStyleAdmissionResourcesWithValidatingAdmissionPoliciesAtOlderAPIVersion,
+				appsResources,
+			},
+			wantRegisteredPlugins:      customOldStylePluginsRegistered,
+			wantRecommendedPluginOrder: customOldStyleRecommendedPluginOrder,
+		},
 		{
 			name:                       "when there is a total error returned by discovery",
 			discoveryErr:               errors.New("total error from API discovery client"),