From 85e5970d6e44a3d0001e3820036b574320e6b923 Mon Sep 17 00:00:00 2001
From: Ryan Richard
Date: Fri, 3 May 2024 12:35:49 -0700
Subject: [PATCH] only auto-detect version v1 of ValidatingAdmissionPlugin during startup
---
 .../admissionpluginconfg.go | 8 +++-----
 .../admissionpluginconfg_test.go | 18 ++++++++++++++++++
 2 files changed, 21 insertions(+), 5 deletions(-)
diff --git a/internal/admissionpluginconfig/admissionpluginconfg.go b/internal/admissionpluginconfig/admissionpluginconfg.go
index d0ea9766d..e118bc1a8 100644
--- a/internal/admissionpluginconfig/admissionpluginconfg.go
+++ b/internal/admissionpluginconfig/admissionpluginconfg.go
@@ -5,7 +5,6 @@ package admissionpluginconfig
 import (
 "fmt"
- "strings"
 "github.com/pkg/errors"
 admissionregistrationv1 "k8s.io/api/admissionregistration/v1"
@@ -82,17 +81,16 @@ func k8sAPIServerHasValidatingAdmissionPolicyResource(discoveryClient discovery.
 return false, fmt.Errorf("failed to perform k8s API discovery: %w", err)
 }
- // Now look at all discovered groups until we find admissionregistration.k8s.io.
- wantedGroupWithSlash := fmt.Sprintf("%s/", admissionregistrationv1.GroupName)
+ // Now look at all discovered groups until we find version v1 of group admissionregistration.k8s.io.
 for _, resourcesPerGV := range resources {
- if strings.HasPrefix(resourcesPerGV.GroupVersion, wantedGroupWithSlash) {
+ if resourcesPerGV.GroupVersion == admissionregistrationv1.SchemeGroupVersion.String() {
 // Found the group, so now look to see if it includes ValidatingAdmissionPolicy as a resource,
 // which went GA in Kubernetes 1.30, and could be enabled by a feature flag in previous versions.
 for _, resource := range resourcesPerGV.APIResources {
 if resource.Kind == "ValidatingAdmissionPolicy" {
 // Found it!
 plog.Info("found ValidatingAdmissionPolicy resource on this Kubernetes cluster",
- "group", resource.Group, "version", resource.Version, "kind", resource.Kind)
+ "groupVersion", resourcesPerGV.GroupVersion, "kind", resource.Kind)
 return true, nil
 }
 }
diff --git a/internal/admissionpluginconfig/admissionpluginconfg_test.go b/internal/admissionpluginconfig/admissionpluginconfg_test.go
index cd05ca0b3..52b0a2bb0 100644
--- a/internal/admissionpluginconfig/admissionpluginconfg_test.go
+++ b/internal/admissionpluginconfig/admissionpluginconfg_test.go
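Review bot: A cluster that serves ValidatingAdmissionPolicy only at an older version now falls through the `resourcesPerGV.GroupVersion == admissionregistrationv1.SchemeGroupVersion.String()` check without any log line, so nothing at startup tells the operator why the plugin configuration reverted to the old style. If that reversion means ValidatingAdmissionPolicy objects on such a cluster are not applied to this API server's resources (the new test name suggests this, but the hunk does not show it), the gap is worth surfacing. Consider emitting something like `plog.Info("ValidatingAdmissionPolicy found only at a non-v1 version, ignoring", "groupVersion", resourcesPerGV.GroupVersion)` when the Kind appears in a list of the same group at another version. The context comment `// Found the group, so now look ...` would also be more accurate as `// Found v1 of the group, so now look ...`. The function starts and ends outside the hunk, so the not-found path may already log this.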
@@ -57,6 +57,14 @@ func TestConfigureAdmissionPlugins(t *testing.T) {
 },
 }
+ newStyleAdmissionResourcesWithValidatingAdmissionPoliciesAtOlderAPIVersion := &metav1.APIResourceList{
+ GroupVersion: admissionregistrationv1.SchemeGroupVersion.Group + "/v1beta1",
+ APIResources: []metav1.APIResource{
+ {Name: "validatingwebhookconfigurations", Kind: "ValidatingWebhookConfiguration"},
+ {Name: "validatingadmissionpolicies", Kind: "ValidatingAdmissionPolicy"},
+ },
+ }
+
 oldStyleAdmissionResourcesWithoutValidatingAdmissionPolicies := &metav1.APIResourceList{
 GroupVersion: admissionregistrationv1.SchemeGroupVersion.String(),
 APIResources: []metav1.APIResource{
@@ -92,6 +100,16 @@ func TestConfigureAdmissionPlugins(t *testing.T) {
 wantRegisteredPlugins: customOldStylePluginsRegistered,
 wantRecommendedPluginOrder: customOldStyleRecommendedPluginOrder,
 },
+ {
+ name: "when there is only an older version of ValidatingAdmissionPolicy resource, as there would be in an old Kubernetes cluster with the feature flag enabled, then we change the plugin configuration to be more like it was for old versions of Kubernetes (because the admission code wants to watch v1)",
+ availableAPIResources: []*metav1.APIResourceList{
+ coreResources,
+ newStyleAdmissionResourcesWithValidatingAdmissionPoliciesAtOlderAPIVersion,
+ appsResources,
+ },
+ wantRegisteredPlugins: customOldStylePluginsRegistered,
+ wantRecommendedPluginOrder: customOldStyleRecommendedPluginOrder,
+ },
 {
 name: "when there is a total error returned by discovery",
 discoveryErr: errors.New("total error from API discovery client"),
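Review bot: The new table entry covers a discovery result that holds only the v1beta1 list, but no case puts `newStyleAdmissionResourcesWithValidatingAdmissionPoliciesAtOlderAPIVersion` and the v1 list into the same `availableAPIResources`, which is what a cluster serving both versions would presumably return. One more entry with the v1beta1 list placed before the v1 list, expecting the new-style plugin configuration, would pin that the exact-version match keeps scanning past the older version rather than depending on discovery order. The expectation variables used by the existing new-style case are outside this hunk, so the added entry should reuse whatever that case asserts.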