rebase: update all k8s packages to 0.27.2

Signed-off-by: Niels de Vos <ndevos@ibm.com>
2025-06-13 02:33:34 +00:00 · 2023-06-01 18:58:10 +02:00
parent 07b05616a0
commit 2551a0b05f
618 changed files with 42944 additions and 16168 deletions
--- a/vendor/k8s.io/api/admissionregistration/v1alpha1/generated.proto
+++ b/vendor/k8s.io/api/admissionregistration/v1alpha1/generated.proto
@ -29,6 +29,84 @@ import "k8s.io/apimachinery/pkg/runtime/schema/generated.proto";
 // Package-wide variables from generator "generated".
 option go_package = "k8s.io/api/admissionregistration/v1alpha1";

+// AuditAnnotation describes how to produce an audit annotation for an API request.
+message AuditAnnotation {
+  // key specifies the audit annotation key. The audit annotation keys of
+  // a ValidatingAdmissionPolicy must be unique. The key must be a qualified
+  // name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length.
+  //
+  // The key is combined with the resource name of the
+  // ValidatingAdmissionPolicy to construct an audit annotation key:
+  // "{ValidatingAdmissionPolicy name}/{key}".
+  //
+  // If an admission webhook uses the same resource name as this ValidatingAdmissionPolicy
+  // and the same audit annotation key, the annotation key will be identical.
+  // In this case, the first annotation written with the key will be included
+  // in the audit event and all subsequent annotations with the same key
+  // will be discarded.
+  //
+  // Required.
+  optional string key = 1;
+
+  // valueExpression represents the expression which is evaluated by CEL to
+  // produce an audit annotation value. The expression must evaluate to either
+  // a string or null value. If the expression evaluates to a string, the
+  // audit annotation is included with the string value. If the expression
+  // evaluates to null or empty string the audit annotation will be omitted.
+  // The valueExpression may be no longer than 5kb in length.
+  // If the result of the valueExpression is more than 10kb in length, it
+  // will be truncated to 10kb.
+  //
+  // If multiple ValidatingAdmissionPolicyBinding resources match an
+  // API request, then the valueExpression will be evaluated for
+  // each binding. All unique values produced by the valueExpressions
+  // will be joined together in a comma-separated list.
+  //
+  // Required.
+  optional string valueExpression = 2;
+}
+
+// ExpressionWarning is a warning information that targets a specific expression.
+message ExpressionWarning {
+  // The path to the field that refers the expression.
+  // For example, the reference to the expression of the first item of
+  // validations is "spec.validations[0].expression"
+  optional string fieldRef = 2;
+
+  // The content of type checking information in a human-readable form.
+  // Each line of the warning contains the type that the expression is checked
+  // against, followed by the type check error from the compiler.
+  optional string warning = 3;
+}
+
+message MatchCondition {
+  // Name is an identifier for this match condition, used for strategic merging of MatchConditions,
+  // as well as providing an identifier for logging purposes. A good name should be descriptive of
+  // the associated expression.
+  // Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and
+  // must start and end with an alphanumeric character (e.g. 'MyName',  or 'my.name',  or
+  // '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an
+  // optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')
+  //
+  // Required.
+  optional string name = 1;
+
+  // Expression represents the expression which will be evaluated by CEL. Must evaluate to bool.
+  // CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:
+  //
+  // 'object' - The object from the incoming request. The value is null for DELETE requests.
+  // 'oldObject' - The existing object. The value is null for CREATE requests.
+  // 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).
+  // 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.
+  //   See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
+  // 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the
+  //   request resource.
+  // Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
+  //
+  // Required.
+  optional string expression = 2;
+}
+
 // MatchResources decides whether to run the admission control policy on an object based
 // on whether it meets the match criteria.
 // The exclude rules take precedence over include rules (if a resource matches both, it is excluded)
@ -161,6 +239,15 @@ message ParamRef {
  optional string namespace = 2;
 }

+// TypeChecking contains results of type checking the expressions in the
+// ValidatingAdmissionPolicy
+message TypeChecking {
+  // The type checking warnings for each expression.
+  // +optional
+  // +listType=atomic
+  repeated ExpressionWarning expressionWarnings = 1;
+}
+
 // ValidatingAdmissionPolicy describes the definition of an admission validation policy that accepts or rejects an object without changing it.
 message ValidatingAdmissionPolicy {
  // Standard object metadata; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata.
@ -169,6 +256,13 @@ message ValidatingAdmissionPolicy {

  // Specification of the desired behavior of the ValidatingAdmissionPolicy.
  optional ValidatingAdmissionPolicySpec spec = 2;
+
+  // The status of the ValidatingAdmissionPolicy, including warnings that are useful to determine if the policy
+  // behaves in the expected way.
+  // Populated by the system.
+  // Read-only.
+  // +optional
+  optional ValidatingAdmissionPolicyStatus status = 3;
 }

 // ValidatingAdmissionPolicyBinding binds the ValidatingAdmissionPolicy with paramerized resources.
@ -213,6 +307,48 @@ message ValidatingAdmissionPolicyBindingSpec {
  // Note that this is differs from ValidatingAdmissionPolicy matchConstraints, where resourceRules are required.
  // +optional
  optional MatchResources matchResources = 3;
+
+  // validationActions declares how Validations of the referenced ValidatingAdmissionPolicy are enforced.
+  // If a validation evaluates to false it is always enforced according to these actions.
+  //
+  // Failures defined by the ValidatingAdmissionPolicy's FailurePolicy are enforced according
+  // to these actions only if the FailurePolicy is set to Fail, otherwise the failures are
+  // ignored. This includes compilation errors, runtime errors and misconfigurations of the policy.
+  //
+  // validationActions is declared as a set of action values. Order does
+  // not matter. validationActions may not contain duplicates of the same action.
+  //
+  // The supported actions values are:
+  //
+  // "Deny" specifies that a validation failure results in a denied request.
+  //
+  // "Warn" specifies that a validation failure is reported to the request client
+  // in HTTP Warning headers, with a warning code of 299. Warnings can be sent
+  // both for allowed or denied admission responses.
+  //
+  // "Audit" specifies that a validation failure is included in the published
+  // audit event for the request. The audit event will contain a
+  // `validation.policy.admission.k8s.io/validation_failure` audit annotation
+  // with a value containing the details of the validation failures, formatted as
+  // a JSON list of objects, each with the following fields:
+  // - message: The validation failure message string
+  // - policy: The resource name of the ValidatingAdmissionPolicy
+  // - binding: The resource name of the ValidatingAdmissionPolicyBinding
+  // - expressionIndex: The index of the failed validations in the ValidatingAdmissionPolicy
+  // - validationActions: The enforcement actions enacted for the validation failure
+  // Example audit annotation:
+  // `"validation.policy.admission.k8s.io/validation_failure": "[{\"message\": \"Invalid value\", {\"policy\": \"policy.example.com\", {\"binding\": \"policybinding.example.com\", {\"expressionIndex\": \"1\", {\"validationActions\": [\"Audit\"]}]"`
+  //
+  // Clients should expect to handle additional values by ignoring
+  // any values not recognized.
+  //
+  // "Deny" and "Warn" may not be used together since this combination
+  // needlessly duplicates the validation failure both in the
+  // API response body and the HTTP warning headers.
+  //
+  // Required.
+  // +listType=set
+  repeated string validationActions = 4;
 }

 // ValidatingAdmissionPolicyList is a list of ValidatingAdmissionPolicy.
@ -243,30 +379,91 @@ message ValidatingAdmissionPolicySpec {
  optional MatchResources matchConstraints = 2;

  // Validations contain CEL expressions which is used to apply the validation.
-  // A minimum of one validation is required for a policy definition.
+  // Validations and AuditAnnotations may not both be empty; a minimum of one Validations or AuditAnnotations is
+  // required.
  // +listType=atomic
-  // Required.
+  // +optional
  repeated Validation validations = 3;

-  // FailurePolicy defines how to handle failures for the admission policy.
-  // Failures can occur from invalid or mis-configured policy definitions or bindings.
+  // failurePolicy defines how to handle failures for the admission policy. Failures can
+  // occur from CEL expression parse errors, type check errors, runtime errors and invalid
+  // or mis-configured policy definitions or bindings.
+  //
  // A policy is invalid if spec.paramKind refers to a non-existent Kind.
  // A binding is invalid if spec.paramRef.name refers to a non-existent resource.
+  //
+  // failurePolicy does not define how validations that evaluate to false are handled.
+  //
+  // When failurePolicy is set to Fail, ValidatingAdmissionPolicyBinding validationActions
+  // define how failures are enforced.
+  //
  // Allowed values are Ignore or Fail. Defaults to Fail.
  // +optional
  optional string failurePolicy = 4;
+
+  // auditAnnotations contains CEL expressions which are used to produce audit
+  // annotations for the audit event of the API request.
+  // validations and auditAnnotations may not both be empty; a least one of validations or auditAnnotations is
+  // required.
+  // +listType=atomic
+  // +optional
+  repeated AuditAnnotation auditAnnotations = 5;
+
+  // MatchConditions is a list of conditions that must be met for a request to be validated.
+  // Match conditions filter requests that have already been matched by the rules,
+  // namespaceSelector, and objectSelector. An empty list of matchConditions matches all requests.
+  // There are a maximum of 64 match conditions allowed.
+  //
+  // If a parameter object is provided, it can be accessed via the `params` handle in the same
+  // manner as validation expressions.
+  //
+  // The exact matching logic is (in order):
+  //   1. If ANY matchCondition evaluates to FALSE, the policy is skipped.
+  //   2. If ALL matchConditions evaluate to TRUE, the policy is evaluated.
+  //   3. If any matchCondition evaluates to an error (but none are FALSE):
+  //      - If failurePolicy=Fail, reject the request
+  //      - If failurePolicy=Ignore, the policy is skipped
+  //
+  // +patchMergeKey=name
+  // +patchStrategy=merge
+  // +listType=map
+  // +listMapKey=name
+  // +optional
+  repeated MatchCondition matchConditions = 6;
+}
+
+// ValidatingAdmissionPolicyStatus represents the status of a ValidatingAdmissionPolicy.
+message ValidatingAdmissionPolicyStatus {
+  // The generation observed by the controller.
+  // +optional
+  optional int64 observedGeneration = 1;
+
+  // The results of type checking for each expression.
+  // Presence of this field indicates the completion of the type checking.
+  // +optional
+  optional TypeChecking typeChecking = 2;
+
+  // The conditions represent the latest available observations of a policy's current state.
+  // +optional
+  // +listType=map
+  // +listMapKey=type
+  repeated k8s.io.apimachinery.pkg.apis.meta.v1.Condition conditions = 3;
 }

 // Validation specifies the CEL expression which is used to apply the validation.
 message Validation {
  // Expression represents the expression which will be evaluated by CEL.
  // ref: https://github.com/google/cel-spec
-  // CEL expressions have access to the contents of the Admission request/response, organized into CEL variables as well as some other useful variables:
+  // CEL expressions have access to the contents of the API request/response, organized into CEL variables as well as some other useful variables:
  //
-  // 'object' - The object from the incoming request. The value is null for DELETE requests.
-  // 'oldObject' - The existing object. The value is null for CREATE requests.
-  // 'request' - Attributes of the admission request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).
-  // 'params' - Parameter resource referred to by the policy binding being evaluated. Only populated if the policy has a ParamKind.
+  // - 'object' - The object from the incoming request. The value is null for DELETE requests.
+  // - 'oldObject' - The existing object. The value is null for CREATE requests.
+  // - 'request' - Attributes of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).
+  // - 'params' - Parameter resource referred to by the policy binding being evaluated. Only populated if the policy has a ParamKind.
+  // - 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.
+  //   See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
+  // - 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the
+  //   request resource.
  //
  // The `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` are always accessible from the root of the
  // object. No other metadata properties are accessible.
@ -313,5 +510,18 @@ message Validation {
  // If not set, StatusReasonInvalid is used in the response to the client.
  // +optional
  optional string reason = 3;
+
+  // messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails.
+  // Since messageExpression is used as a failure message, it must evaluate to a string.
+  // If both message and messageExpression are present on a validation, then messageExpression will be used if validation fails.
+  // If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced
+  // as if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string
+  // that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and
+  // the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged.
+  // messageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'.
+  // Example:
+  // "object.x must be less than max ("+string(params.max)+")"
+  // +optional
+  optional string messageExpression = 4;
 }