Merge pull request #323 from red-hat-storage/sync_us--devel

Syncing latest changes from upstream devel for ceph-csi

api/go.mod

@@ -6,7 +6,7 @@ require (
 	github.com/ghodss/yaml v1.0.0
 	github.com/openshift/api v0.0.0-20240115183315-0793e918179d
 	github.com/stretchr/testify v1.9.0
-	k8s.io/api v0.30.1
+	k8s.io/api v0.30.2
 )
 
 require (
@@ -23,7 +23,7 @@ require (
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
-	k8s.io/apimachinery v0.30.1 // indirect
+	k8s.io/apimachinery v0.30.2 // indirect
 	k8s.io/klog/v2 v2.120.1 // indirect
 	k8s.io/utils v0.0.0-20230726121419-3b25d923346b // indirect
 	sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect

api/go.sum

@@ -5,8 +5,6 @@ github.com/ghodss/yaml v1.0.0 h1:wQHKEahhL6wmXdzwWG11gIVCkOv05bNOh+Rxn0yngAk=
 github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04=
 github.com/go-logr/logr v1.4.1 h1:pKouT5E8xu9zeFC39JXRDukb6JFQPXM5p5I91188VAQ=
 github.com/go-logr/logr v1.4.1/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
-github.com/go-logr/logr v1.4.1 h1:pKouT5E8xu9zeFC39JXRDukb6JFQPXM5p5I91188VAQ=
-github.com/go-logr/logr v1.4.1/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
 github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
 github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
 github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
@@ -81,10 +79,10 @@ gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
 gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
-k8s.io/api v0.30.1 h1:kCm/6mADMdbAxmIh0LBjS54nQBE+U4KmbCfIkF5CpJY=
-k8s.io/api v0.30.1/go.mod h1:ddbN2C0+0DIiPntan/bye3SW3PdwLa11/0yqwvuRrJM=
-k8s.io/apimachinery v0.30.1 h1:ZQStsEfo4n65yAdlGTfP/uSHMQSoYzU/oeEbkmF7P2U=
-k8s.io/apimachinery v0.30.1/go.mod h1:iexa2somDaxdnj7bha06bhb43Zpa6eWH8N8dbqVjTUc=
+k8s.io/api v0.30.2 h1:+ZhRj+28QT4UOH+BKznu4CBgPWgkXO7XAvMcMl0qKvI=
+k8s.io/api v0.30.2/go.mod h1:ULg5g9JvOev2dG0u2hig4Z7tQ2hHIuS+m8MNZ+X6EmI=
+k8s.io/apimachinery v0.30.2 h1:fEMcnBj6qkzzPGSVsAZtQThU62SmQ4ZymlXRC5yFSCg=
+k8s.io/apimachinery v0.30.2/go.mod h1:iexa2somDaxdnj7bha06bhb43Zpa6eWH8N8dbqVjTUc=
 k8s.io/klog/v2 v2.120.1 h1:QXU6cPEOIslTGvZaXvFWiP9VKyeet3sawzTOvdXb4Vw=
 k8s.io/klog/v2 v2.120.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE=
 k8s.io/utils v0.0.0-20230726121419-3b25d923346b h1:sgn3ZU783SCgtaSJjpcVVlRqd6GSnlTLKgpAAttJvpI=

api/vendor/modules.txt

@@ -55,12 +55,12 @@ gopkg.in/yaml.v2
 # gopkg.in/yaml.v3 v3.0.1
 ## explicit
 gopkg.in/yaml.v3
-# k8s.io/api v0.30.1
+# k8s.io/api v0.30.2
 ## explicit; go 1.22.0
 k8s.io/api/core/v1
 k8s.io/api/rbac/v1
 k8s.io/api/storage/v1
-# k8s.io/apimachinery v0.30.1
+# k8s.io/apimachinery v0.30.2
 ## explicit; go 1.22.0
 k8s.io/apimachinery/pkg/api/resource
 k8s.io/apimachinery/pkg/apis/meta/v1

go.mod

@@ -33,14 +33,14 @@ require (
 	//
 	// when updating k8s.io/kubernetes, make sure to update the replace section too
 	//
-	k8s.io/api v0.30.1
-	k8s.io/apimachinery v0.30.1
+	k8s.io/api v0.30.2
+	k8s.io/apimachinery v0.30.2
 	k8s.io/client-go v12.0.0+incompatible
-	k8s.io/cloud-provider v0.30.1
+	k8s.io/cloud-provider v0.30.2
 	k8s.io/klog/v2 v2.120.1
 	k8s.io/kubernetes v1.30.1
-	k8s.io/mount-utils v0.29.3
-	k8s.io/pod-security-admission v0.30.1
+	k8s.io/mount-utils v0.30.2
+	k8s.io/pod-security-admission v0.30.2
 	k8s.io/utils v0.0.0-20230726121419-3b25d923346b
 	sigs.k8s.io/controller-runtime v0.18.4
 )
@@ -175,11 +175,11 @@ require (
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 	k8s.io/apiextensions-apiserver v0.30.1 // indirect
-	k8s.io/apiserver v0.30.1 // indirect
-	k8s.io/component-base v0.30.1 // indirect
-	k8s.io/component-helpers v0.30.1 // indirect
-	k8s.io/controller-manager v0.30.1 // indirect
-	k8s.io/kms v0.30.1 // indirect
+	k8s.io/apiserver v0.30.2 // indirect
+	k8s.io/component-base v0.30.2 // indirect
+	k8s.io/component-helpers v0.30.2 // indirect
+	k8s.io/controller-manager v0.30.2 // indirect
+	k8s.io/kms v0.30.2 // indirect
 	k8s.io/kube-openapi v0.0.0-20240228011516-70dd3763d340 // indirect
 	k8s.io/kubectl v0.0.0 // indirect
 	k8s.io/kubelet v0.0.0 // indirect
@@ -199,35 +199,35 @@ replace (
 	//
 	// k8s.io/kubernetes depends on these k8s.io packages, but unversioned
 	//
-	k8s.io/api => k8s.io/api v0.30.1
-	k8s.io/apiextensions-apiserver => k8s.io/apiextensions-apiserver v0.30.1
-	k8s.io/apimachinery => k8s.io/apimachinery v0.30.1
-	k8s.io/apiserver => k8s.io/apiserver v0.30.1
-	k8s.io/cli-runtime => k8s.io/cli-runtime v0.30.1
-	k8s.io/client-go => k8s.io/client-go v0.30.1
-	k8s.io/cloud-provider => k8s.io/cloud-provider v0.30.1
-	k8s.io/cluster-bootstrap => k8s.io/cluster-bootstrap v0.30.1
-	k8s.io/code-generator => k8s.io/code-generator v0.30.1
-	k8s.io/component-base => k8s.io/component-base v0.30.1
-	k8s.io/component-helpers => k8s.io/component-helpers v0.30.1
-	k8s.io/controller-manager => k8s.io/controller-manager v0.30.1
-	k8s.io/cri-api => k8s.io/cri-api v0.30.1
-	k8s.io/csi-translation-lib => k8s.io/csi-translation-lib v0.30.1
-	k8s.io/dynamic-resource-allocation => k8s.io/dynamic-resource-allocation v0.30.1
-	k8s.io/endpointslice => k8s.io/endpointslice v0.30.1
-	k8s.io/kube-aggregator => k8s.io/kube-aggregator v0.30.1
-	k8s.io/kube-controller-manager => k8s.io/kube-controller-manager v0.30.1
-	k8s.io/kube-proxy => k8s.io/kube-proxy v0.30.1
-	k8s.io/kube-scheduler => k8s.io/kube-scheduler v0.30.1
-	k8s.io/kubectl => k8s.io/kubectl v0.30.1
-	k8s.io/kubelet => k8s.io/kubelet v0.30.1
-	k8s.io/legacy-cloud-providers => k8s.io/legacy-cloud-providers v0.30.1
-	k8s.io/metrics => k8s.io/metrics v0.30.1
+	k8s.io/api => k8s.io/api v0.30.2
+	k8s.io/apiextensions-apiserver => k8s.io/apiextensions-apiserver v0.30.2
+	k8s.io/apimachinery => k8s.io/apimachinery v0.30.2
+	k8s.io/apiserver => k8s.io/apiserver v0.30.2
+	k8s.io/cli-runtime => k8s.io/cli-runtime v0.30.2
+	k8s.io/client-go => k8s.io/client-go v0.30.2
+	k8s.io/cloud-provider => k8s.io/cloud-provider v0.30.2
+	k8s.io/cluster-bootstrap => k8s.io/cluster-bootstrap v0.30.2
+	k8s.io/code-generator => k8s.io/code-generator v0.30.2
+	k8s.io/component-base => k8s.io/component-base v0.30.2
+	k8s.io/component-helpers => k8s.io/component-helpers v0.30.2
+	k8s.io/controller-manager => k8s.io/controller-manager v0.30.2
+	k8s.io/cri-api => k8s.io/cri-api v0.30.2
+	k8s.io/csi-translation-lib => k8s.io/csi-translation-lib v0.30.2
+	k8s.io/dynamic-resource-allocation => k8s.io/dynamic-resource-allocation v0.30.2
+	k8s.io/endpointslice => k8s.io/endpointslice v0.30.2
+	k8s.io/kube-aggregator => k8s.io/kube-aggregator v0.30.2
+	k8s.io/kube-controller-manager => k8s.io/kube-controller-manager v0.30.2
+	k8s.io/kube-proxy => k8s.io/kube-proxy v0.30.2
+	k8s.io/kube-scheduler => k8s.io/kube-scheduler v0.30.2
+	k8s.io/kubectl => k8s.io/kubectl v0.30.2
+	k8s.io/kubelet => k8s.io/kubelet v0.30.2
+	k8s.io/legacy-cloud-providers => k8s.io/legacy-cloud-providers v0.30.2
+	k8s.io/metrics => k8s.io/metrics v0.30.2
 
 	// TODO: replace with latest once https://github.com/ceph/ceph-csi/issues/4633 is fixed
 	k8s.io/mount-utils => k8s.io/mount-utils v0.29.3
-	k8s.io/pod-security-admission => k8s.io/pod-security-admission v0.30.1
-	k8s.io/sample-apiserver => k8s.io/sample-apiserver v0.30.1
+	k8s.io/pod-security-admission => k8s.io/pod-security-admission v0.30.2
+	k8s.io/sample-apiserver => k8s.io/sample-apiserver v0.30.2
 	// layeh.com seems to be misbehaving
 	layeh.com/radius => github.com/layeh/radius v0.0.0-20190322222518-890bc1058917
 )

go.sum

@@ -2609,27 +2609,27 @@ honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt
 honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
 honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
 honnef.co/go/tools v0.1.3/go.mod h1:NgwopIslSNH47DimFoV78dnkksY2EFtX0ajyb3K/las=
-k8s.io/api v0.30.1 h1:kCm/6mADMdbAxmIh0LBjS54nQBE+U4KmbCfIkF5CpJY=
-k8s.io/api v0.30.1/go.mod h1:ddbN2C0+0DIiPntan/bye3SW3PdwLa11/0yqwvuRrJM=
-k8s.io/apiextensions-apiserver v0.30.1 h1:4fAJZ9985BmpJG6PkoxVRpXv9vmPUOVzl614xarePws=
-k8s.io/apiextensions-apiserver v0.30.1/go.mod h1:R4GuSrlhgq43oRY9sF2IToFh7PVlF1JjfWdoG3pixk4=
-k8s.io/apimachinery v0.30.1 h1:ZQStsEfo4n65yAdlGTfP/uSHMQSoYzU/oeEbkmF7P2U=
-k8s.io/apimachinery v0.30.1/go.mod h1:iexa2somDaxdnj7bha06bhb43Zpa6eWH8N8dbqVjTUc=
-k8s.io/apiserver v0.30.1 h1:BEWEe8bzS12nMtDKXzCF5Q5ovp6LjjYkSp8qOPk8LZ8=
-k8s.io/apiserver v0.30.1/go.mod h1:i87ZnQ+/PGAmSbD/iEKM68bm1D5reX8fO4Ito4B01mo=
-k8s.io/client-go v0.30.1 h1:uC/Ir6A3R46wdkgCV3vbLyNOYyCJ8oZnjtJGKfytl/Q=
-k8s.io/client-go v0.30.1/go.mod h1:wrAqLNs2trwiCH/wxxmT/x3hKVH9PuV0GGW0oDoHVqc=
-k8s.io/cloud-provider v0.30.1 h1:OslHpog97zG9Kr7/vV1ki8nLKq8xTPUkN/kepCxBqKI=
-k8s.io/cloud-provider v0.30.1/go.mod h1:1uZp+FSskXQoeAAIU91/XCO8X/9N1U3z5usYeSLT4MI=
-k8s.io/code-generator v0.30.1/go.mod h1:hFgxRsvOUg79mbpbVKfjJvRhVz1qLoe40yZDJ/hwRH4=
-k8s.io/component-base v0.30.1 h1:bvAtlPh1UrdaZL20D9+sWxsJljMi0QZ3Lmw+kmZAaxQ=
-k8s.io/component-base v0.30.1/go.mod h1:e/X9kDiOebwlI41AvBHuWdqFriSRrX50CdwA9TFaHLI=
-k8s.io/component-helpers v0.30.1 h1:/UcxSLzZ0owluTE2WMDrFfZl2L+WVXKdYYYm68qnH7U=
-k8s.io/component-helpers v0.30.1/go.mod h1:b1Xk27UJ3p/AmPqDx7khrnSxrdwQy9gTP7O1y6MZ6rg=
-k8s.io/controller-manager v0.30.1 h1:vrpfinHQWGf40U08Zmrt+QxK/2yTgjJl/9DKtjaB1gI=
-k8s.io/controller-manager v0.30.1/go.mod h1:8rTEPbn8LRKC/vS+If+JAKBfsftCfTMaF8/n4SJC+PQ=
-k8s.io/csi-translation-lib v0.30.1 h1:fIBtNMQjyr7HFv3xGSSH9cWOQS1K1kIBmZ1zRsHuVKs=
-k8s.io/csi-translation-lib v0.30.1/go.mod h1:l0HrIBIxUKRvqnNWqn6AXTYgUa2mAFLT6bjo1lU+55U=
+k8s.io/api v0.30.2 h1:+ZhRj+28QT4UOH+BKznu4CBgPWgkXO7XAvMcMl0qKvI=
+k8s.io/api v0.30.2/go.mod h1:ULg5g9JvOev2dG0u2hig4Z7tQ2hHIuS+m8MNZ+X6EmI=
+k8s.io/apiextensions-apiserver v0.30.2 h1:l7Eue2t6QiLHErfn2vwK4KgF4NeDgjQkCXtEbOocKIE=
+k8s.io/apiextensions-apiserver v0.30.2/go.mod h1:lsJFLYyK40iguuinsb3nt+Sj6CmodSI4ACDLep1rgjw=
+k8s.io/apimachinery v0.30.2 h1:fEMcnBj6qkzzPGSVsAZtQThU62SmQ4ZymlXRC5yFSCg=
+k8s.io/apimachinery v0.30.2/go.mod h1:iexa2somDaxdnj7bha06bhb43Zpa6eWH8N8dbqVjTUc=
+k8s.io/apiserver v0.30.2 h1:ACouHiYl1yFI2VFI3YGM+lvxgy6ir4yK2oLOsLI1/tw=
+k8s.io/apiserver v0.30.2/go.mod h1:BOTdFBIch9Sv0ypSEcUR6ew/NUFGocRFNl72Ra7wTm8=
+k8s.io/client-go v0.30.2 h1:sBIVJdojUNPDU/jObC+18tXWcTJVcwyqS9diGdWHk50=
+k8s.io/client-go v0.30.2/go.mod h1:JglKSWULm9xlJLx4KCkfLLQ7XwtlbflV6uFFSHTMgVs=
+k8s.io/cloud-provider v0.30.2 h1:yov6r02v7sMUNNvzEz51LtL2krn2c1wsC+dy/8BxKQI=
+k8s.io/cloud-provider v0.30.2/go.mod h1:w69t2dSjDtI9BYK6SEqj6HmMKIojEk08fXRoUzjFN2I=
+k8s.io/code-generator v0.30.2/go.mod h1:RQP5L67QxqgkVquk704CyvWFIq0e6RCMmLTXxjE8dVA=
+k8s.io/component-base v0.30.2 h1:pqGBczYoW1sno8q9ObExUqrYSKhtE5rW3y6gX88GZII=
+k8s.io/component-base v0.30.2/go.mod h1:yQLkQDrkK8J6NtP+MGJOws+/PPeEXNpwFixsUI7h/OE=
+k8s.io/component-helpers v0.30.2 h1:kDMYLiWEYeWU7H6jBI+Ua1i2hqNh0DzqDHNIppFC3po=
+k8s.io/component-helpers v0.30.2/go.mod h1:tI0anfS6AbRqooaICkGg7UVAQLedOauVSQW9srDBnJw=
+k8s.io/controller-manager v0.30.2 h1:tC7V7IdGUW2I4de3bXx4m2fS3naP7VlCYlECCajK9fU=
+k8s.io/controller-manager v0.30.2/go.mod h1:CYltIHGhCgldEkXT5vS2JHCCWM1WyBI4kA2UfP9cZvY=
+k8s.io/csi-translation-lib v0.30.2 h1:ZcFVMWDHg7feW3mtdl+xClgmw1Yxv7m9ysOKt8h3K8Y=
+k8s.io/csi-translation-lib v0.30.2/go.mod h1:jFT8vquP6eSDUwDHk0mKT6uKFWlZp60ecUEUhmlGsOY=
 k8s.io/gengo v0.0.0-20210813121822-485abfe95c7c/go.mod h1:FiNAH4ZV3gBg2Kwh89tzAEV2be7d5xI0vBa/VySYy3E=
 k8s.io/gengo/v2 v2.0.0-20240228010128-51d4e06bde70/go.mod h1:VH3AT8AaQOqiGjMF9p0/IM1Dj+82ZwjfxUP1IxaHE+8=
 k8s.io/klog v0.3.0/go.mod h1:Gq+BEi5rUBO/HRz0bTSXDUcqjScdoY3a9IHpCEIOOfk=
@@ -2639,22 +2639,22 @@ k8s.io/klog/v2 v2.4.0/go.mod h1:Od+F08eJP+W3HUb4pSrPpgp9DGU4GzlpG/TmITuYh/Y=
 k8s.io/klog/v2 v2.80.1/go.mod h1:y1WjHnz7Dj687irZUWR/WLkLc5N1YHtjLdmgWjndZn0=
 k8s.io/klog/v2 v2.120.1 h1:QXU6cPEOIslTGvZaXvFWiP9VKyeet3sawzTOvdXb4Vw=
 k8s.io/klog/v2 v2.120.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE=
-k8s.io/kms v0.30.1 h1:gEIbEeCbFiaN2tNfp/EUhFdGr5/CSj8Eyq6Mkr7cCiY=
-k8s.io/kms v0.30.1/go.mod h1:GrMurD0qk3G4yNgGcsCEmepqf9KyyIrTXYR2lyUOJC4=
+k8s.io/kms v0.30.2 h1:VSZILO/tkzrz5Tu2j+yFQZ2Dc5JerQZX2GqhFJbQrfw=
+k8s.io/kms v0.30.2/go.mod h1:GrMurD0qk3G4yNgGcsCEmepqf9KyyIrTXYR2lyUOJC4=
 k8s.io/kube-openapi v0.0.0-20180731170545-e3762e86a74c/go.mod h1:BXM9ceUBTj2QnfH2MK1odQs778ajze1RxcmP6S8RVVc=
 k8s.io/kube-openapi v0.0.0-20221012153701-172d655c2280/go.mod h1:+Axhij7bCpeqhklhUTe3xmOn6bWxolyZEeyaFpjGtl4=
 k8s.io/kube-openapi v0.0.0-20240228011516-70dd3763d340 h1:BZqlfIlq5YbRMFko6/PM7FjZpUb45WallggurYhKGag=
 k8s.io/kube-openapi v0.0.0-20240228011516-70dd3763d340/go.mod h1:yD4MZYeKMBwQKVht279WycxKyM84kkAx2DPrTXaeb98=
-k8s.io/kubectl v0.30.1 h1:sHFIRI3oP0FFZmBAVEE8ErjnTyXDPkBcvO88mH9RjuY=
-k8s.io/kubectl v0.30.1/go.mod h1:7j+L0Cc38RYEcx+WH3y44jRBe1Q1jxdGPKkX0h4iDq0=
-k8s.io/kubelet v0.30.1 h1:6gS1gWjrefUGfC/9n0ITOzxnKyt89FfkIhom70Bola4=
-k8s.io/kubelet v0.30.1/go.mod h1:5IUeAt3YlIfLNdT/YfRuCCONfEefm7qfcqz81b002Z8=
+k8s.io/kubectl v0.30.2 h1:cgKNIvsOiufgcs4yjvgkK0+aPCfa8pUwzXdJtkbhsH8=
+k8s.io/kubectl v0.30.2/go.mod h1:rz7GHXaxwnigrqob0lJsiA07Df8RE3n1TSaC2CTeuB4=
+k8s.io/kubelet v0.30.2 h1:Ck4E/pHndI20IzDXxS57dElhDGASPO5pzXF7BcKfmCY=
+k8s.io/kubelet v0.30.2/go.mod h1:DSwwTbLQmdNkebAU7ypIALR4P9aXZNFwgRmedojUE94=
 k8s.io/kubernetes v1.30.1 h1:XlqS6KslLEA5mQzLK2AJrhr4Z1m8oJfkhHiWJ5lue+I=
 k8s.io/kubernetes v1.30.1/go.mod h1:yPbIk3MhmhGigX62FLJm+CphNtjxqCvAIFQXup6RKS0=
 k8s.io/mount-utils v0.29.3 h1:iEcqPP7Vv8UClH8nnMfovtmy/04fIloRW9JuSXykoZ0=
 k8s.io/mount-utils v0.29.3/go.mod h1:9IWJTMe8tG0MYMLEp60xK9GYVeCdA3g4LowmnVi+t9Y=
-k8s.io/pod-security-admission v0.30.1 h1:r2NQSNXfnZDnm6KvLv1sYgai1ZXuO+m0qn11/Xymkf8=
-k8s.io/pod-security-admission v0.30.1/go.mod h1:O5iry5U8N0CvtfI5kfe0CZ0Ct/KYj057j6Pa+QIwp24=
+k8s.io/pod-security-admission v0.30.2 h1:UlHnkvvOr+rgQplOqD+SHzLUF8EgKIOCpDU8kaMeTQQ=
+k8s.io/pod-security-admission v0.30.2/go.mod h1:gMUJUG9zOgNBk0VIz5BS7uIYiYPEoXkBSeHh6rG2m8c=
 k8s.io/utils v0.0.0-20190506122338-8fab8cb257d5/go.mod h1:sZAwmy6armz5eXlNoLmJcl4F1QuKu7sr+mFQ0byX7Ew=
 k8s.io/utils v0.0.0-20210802155522-efc7438f0176/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA=
 k8s.io/utils v0.0.0-20221128185143-99ec85e7a448/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=

internal/cephfs/groupcontrollerserver.go

@@ -461,11 +461,13 @@ func (cs *ControllerServer) createSnapshotAndAddMapping(
 	}
 	defer j.Destroy()
 	// Add the snapshot to the volume group journal
-	err = j.AddVolumeSnapshotMapping(ctx,
+	err = j.AddVolumesMapping(ctx,
 		vgo.MetadataPool,
 		vgs.ReservedID,
-		req.GetSourceVolumeId(),
-		resp.GetSnapshot().GetSnapshotId())
+		map[string]string{
+			req.GetSourceVolumeId(): resp.GetSnapshot().GetSnapshotId(),
+		},
+	)
 	if err != nil {
 		log.ErrorLog(ctx, "failed to add volume snapshot mapping: %v", err)
 		// Delete the last created snapshot as its still not added to the
@@ -640,11 +642,11 @@ func (cs *ControllerServer) deleteSnapshotsAndUndoReservation(ctx context.Contex
 			return err
 		}
 		// remove the entry from the omap
-		err = j.RemoveVolumeSnapshotMapping(
+		err = j.RemoveVolumesMapping(
 			ctx,
 			vgo.MetadataPool,
 			vgsi.ReservedID,
-			volID)
+			[]string{volID})
 		j.Destroy()
 		if err != nil {
 			log.ErrorLog(ctx, "failed to remove volume snapshot mapping: %v", err)

internal/cephfs/store/volumegroup.go

@@ -169,7 +169,7 @@ func NewVolumeGroupOptionsFromID(
 	vgs.RequestName = groupAttributes.RequestName
 	vgs.FsVolumeGroupSnapshotName = groupAttributes.GroupName
 	vgs.VolumeGroupSnapshotID = volumeGroupSnapshotID
-	vgs.VolumeSnapshotMap = groupAttributes.VolumeSnapshotMap
+	vgs.VolumeSnapshotMap = groupAttributes.VolumeMap
 
 	return volOptions, &vgs, nil
 }
@@ -208,7 +208,7 @@ func CheckVolumeGroupSnapExists(
 	vgs.RequestName = volOptions.RequestName
 	vgs.ReservedID = volGroupData.GroupUUID
 	vgs.FsVolumeGroupSnapshotName = volGroupData.GroupName
-	vgs.VolumeSnapshotMap = volGroupData.VolumeGroupAttributes.VolumeSnapshotMap
+	vgs.VolumeSnapshotMap = volGroupData.VolumeGroupAttributes.VolumeMap
 
 	// found a snapshot already available, process and return it!
 	vgs.VolumeGroupSnapshotID, err = util.GenerateVolID(ctx, volOptions.Monitors, cr, volOptions.FscID,

internal/csi-addons/rbd/replication.go

@@ -74,6 +74,12 @@ const (
 	// (optional) StartTime is the time the snapshot schedule
 	// begins, can be specified using the ISO 8601 time format.
 	schedulingStartTimeKey = "schedulingStartTime"
+
+	// flattenModeKey to get the flattenMode from the parameters.
+	// (optional) flattenMode decides how to handle images with parent.
+	// (default) If set to "never", the image with parent will not be flattened.
+	// If set to "force", the image with parent will be flattened.
+	flattenModeKey = "flattenMode"
 )
 
 // ReplicationServer struct of rbd CSI driver with supported methods of Replication
@@ -115,6 +121,27 @@ func getForceOption(ctx context.Context, parameters map[string]string) (bool, er
 	return force, nil
 }
 
+// getFlattenMode gets flatten mode from the input GRPC request parameters.
+// flattenMode is the key to check the mode in the parameters.
+func getFlattenMode(ctx context.Context, parameters map[string]string) (corerbd.FlattenMode, error) {
+	val, ok := parameters[flattenModeKey]
+	if !ok {
+		log.DebugLog(ctx, "%q is not set in parameters, setting to default (%v)",
+			flattenModeKey, corerbd.FlattenModeNever)
+
+		return corerbd.FlattenModeNever, nil
+	}
+
+	mode := corerbd.FlattenMode(val)
+	switch mode {
+	case corerbd.FlattenModeForce, corerbd.FlattenModeNever:
+		return mode, nil
+	}
+	log.ErrorLog(ctx, "%q=%q is not supported", flattenModeKey, val)
+
+	return mode, status.Errorf(codes.InvalidArgument, "%q=%q is not supported", flattenModeKey, val)
+}
+
 // getMirroringMode gets the mirroring mode from the input GRPC request parameters.
 // mirroringMode is the key to check the mode in the parameters.
 func getMirroringMode(ctx context.Context, parameters map[string]string) (librbd.ImageMirrorMode, error) {
@@ -265,6 +292,11 @@ func (rs *ReplicationServer) EnableVolumeReplication(ctx context.Context,
 	if err != nil {
 		return nil, err
 	}
+	// extract the flatten mode
+	flattenMode, err := getFlattenMode(ctx, req.GetParameters())
+	if err != nil {
+		return nil, err
+	}
 
 	mirroringInfo, err := rbdVol.GetImageMirroringInfo()
 	if err != nil {
@@ -274,6 +306,12 @@ func (rs *ReplicationServer) EnableVolumeReplication(ctx context.Context,
 	}
 
 	if mirroringInfo.State != librbd.MirrorImageEnabled {
+		err = rbdVol.HandleParentImageExistence(ctx, flattenMode)
+		if err != nil {
+			log.ErrorLog(ctx, err.Error())
+
+			return nil, getGRPCError(err)
+		}
 		err = rbdVol.EnableImageMirroring(mirroringMode)
 		if err != nil {
 			log.ErrorLog(ctx, err.Error())
@@ -777,6 +815,7 @@ func getGRPCError(err error) error {
 
 	errorStatusMap := map[error]codes.Code{
 		corerbd.ErrInvalidArgument:    codes.InvalidArgument,
+		corerbd.ErrFlattenInProgress:  codes.Aborted,
 		corerbd.ErrAborted:            codes.Aborted,
 		corerbd.ErrFailedPrecondition: codes.FailedPrecondition,
 		corerbd.ErrUnavailable:        codes.Unavailable,

internal/csi-addons/rbd/replication_test.go

@@ -641,3 +641,69 @@ func Test_timestampFromString(t *testing.T) {
 		})
 	}
 }
+
+func Test_getFlattenMode(t *testing.T) {
+	t.Parallel()
+	type args struct {
+		ctx        context.Context
+		parameters map[string]string
+	}
+	tests := []struct {
+		name    string
+		args    args
+		want    corerbd.FlattenMode
+		wantErr bool
+	}{
+		{
+			name: "flattenMode option not set",
+			args: args{
+				ctx:        context.TODO(),
+				parameters: map[string]string{},
+			},
+			want: corerbd.FlattenModeNever,
+		},
+		{
+			name: "flattenMode option set to never",
+			args: args{
+				ctx: context.TODO(),
+				parameters: map[string]string{
+					flattenModeKey: string(corerbd.FlattenModeNever),
+				},
+			},
+			want: corerbd.FlattenModeNever,
+		},
+		{
+			name: "flattenMode option set to force",
+			args: args{
+				ctx: context.TODO(),
+				parameters: map[string]string{
+					flattenModeKey: string(corerbd.FlattenModeForce),
+				},
+			},
+			want: corerbd.FlattenModeForce,
+		},
+
+		{
+			name: "flattenMode option set to invalid value",
+			args: args{
+				ctx: context.TODO(),
+				parameters: map[string]string{
+					flattenModeKey: "invalid123",
+				},
+			},
+			wantErr: true,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			t.Parallel()
+			got, err := getFlattenMode(tt.args.ctx, tt.args.parameters)
+			if (err != nil) != tt.wantErr {
+				t.Errorf("getFlattenMode() error = %v, wantErr %v", err, tt.wantErr)
+			}
+			if !tt.wantErr && !reflect.DeepEqual(got, tt.want) {
+				t.Errorf("getFlattenMode() = %v, want %v", got, tt.want)
+			}
+		})
+	}
+}

internal/journal/voljournal.go

@@ -131,6 +131,10 @@ type Config struct {
 	// of this Ceph volume
 	csiImageIDKey string
 
+	// CSI GroupName is per Ceph volume object omap, contains the group ID of
+	// this Ceph volume
+	csiGroupIDKey string
+
 	// CSI image-name key in per Ceph volume object map, containing RBD image-name
 	// of this Ceph volume
 	csiImageKey string
@@ -174,6 +178,7 @@ func NewCSIVolumeJournal(suffix string) *Config {
 		cephSnapSourceKey:       "",
 		namespace:               "",
 		csiImageIDKey:           "csi.imageid",
+		csiGroupIDKey:           "csi.groupid",
 		encryptKMSKey:           "csi.volume.encryptKMS",
 		encryptionType:          "csi.volume.encryptionType",
 		ownerKey:                "csi.volume.owner",
@@ -686,6 +691,7 @@ type ImageAttributes struct {
 	EncryptionType    util.EncryptionType // Type of encryption used, if image encrypted
 	Owner             string              // Contains the owner to be used in combination with KmsID (for some KMS)
 	ImageID           string              // Contains the image id
+	GroupID           string              // Contains the group id of the image
 	JournalPoolID     int64               // Pool ID of the CSI journal pool, stored in big endian format (on-disk data)
 	BackingSnapshotID string              // ID of the snapshot on which the CephFS snapshot-backed volume is based
 }
@@ -718,6 +724,7 @@ func (conn *Connection) GetImageAttributes(
 		cj.csiImageIDKey,
 		cj.ownerKey,
 		cj.backingSnapshotIDKey,
+		cj.csiGroupIDKey,
 	}
 	values, err := getOMapValues(
 		ctx, conn, pool, cj.namespace, cj.cephUUIDDirectoryPrefix+objectUUID,
@@ -736,6 +743,7 @@ func (conn *Connection) GetImageAttributes(
 	imageAttributes.Owner = values[cj.ownerKey]
 	imageAttributes.ImageID = values[cj.csiImageIDKey]
 	imageAttributes.BackingSnapshotID = values[cj.backingSnapshotIDKey]
+	imageAttributes.GroupID = values[cj.csiGroupIDKey]
 
 	// image key was added at a later point, so not all volumes will have this
 	// key set when ceph-csi was upgraded
@@ -795,6 +803,16 @@ func (conn *Connection) StoreAttribute(ctx context.Context, pool, reservedUUID,
 	return nil
 }
 
+// StoreGroupID stores an groupID in omap.
+func (conn *Connection) StoreGroupID(ctx context.Context, pool, reservedUUID, groupID string) error {
+	err := conn.StoreAttribute(ctx, pool, reservedUUID, conn.config.csiGroupIDKey, groupID)
+	if err != nil {
+		return fmt.Errorf("failed to store groupID %w", err)
+	}
+
+	return nil
+}
+
 // FetchAttribute fetches an attribute (key) in omap.
 func (conn *Connection) FetchAttribute(ctx context.Context, pool, reservedUUID, attribute string) (string, error) {
 	key := conn.config.commonPrefix + attribute

internal/journal/volumegroupjournal.go

@@ -41,7 +41,7 @@ type VolumeGroupJournal interface {
 	UndoReservation(
 		ctx context.Context,
 		csiJournalPool,
-		snapshotGroupName,
+		groupName,
 		reqName string) error
 	// GetGroupAttributes fetches all keys and their values, from a UUID directory,
 	// returning VolumeGroupAttributes structure.
@@ -55,19 +55,22 @@ type VolumeGroupJournal interface {
 		journalPoolID int64,
 		reqName,
 		namePrefix string) (string, string, error)
-	// AddVolumeSnapshotMapping adds a volumeID and snapshotID mapping to the UUID directory.
-	AddVolumeSnapshotMapping(
+	// AddVolumesMapping adds a volumeMap map which contains volumeID's and its
+	// corresponding values mapping which need to be added to the UUID
+	// directory. value can be anything which needs mapping, in case of
+	// volumegroupsnapshot its a snapshotID and its empty in case of
+	// volumegroup.
+	AddVolumesMapping(
 		ctx context.Context,
 		pool,
-		reservedUUID,
-		volumeID,
-		snapshotID string) error
-	// RemoveVolumeSnapshotMapping removes a volumeID and snapshotID mapping from the UUID directory.
-	RemoveVolumeSnapshotMapping(
+		reservedUUID string,
+		volumeMap map[string]string) error
+	// RemoveVolumesMapping removes volumeIDs mapping from the UUID directory.
+	RemoveVolumesMapping(
 		ctx context.Context,
 		pool,
-		reservedUUID,
-		volumeID string) error
+		reservedUUID string,
+		volumeIDs []string) error
 }
 
 // VolumeGroupJournalConfig contains the configuration.
@@ -222,7 +225,7 @@ func (vgjc *VolumeGroupJournalConnection) CheckReservation(ctx context.Context,
 	volGroupData.GroupName = savedVolumeGroupAttributes.GroupName
 	volGroupData.VolumeGroupAttributes = &VolumeGroupAttributes{}
 	volGroupData.VolumeGroupAttributes.RequestName = savedVolumeGroupAttributes.RequestName
-	volGroupData.VolumeGroupAttributes.VolumeSnapshotMap = savedVolumeGroupAttributes.VolumeSnapshotMap
+	volGroupData.VolumeGroupAttributes.VolumeMap = savedVolumeGroupAttributes.VolumeMap
 
 	return volGroupData, nil
 }
@@ -363,7 +366,7 @@ func (vgjc *VolumeGroupJournalConnection) ReserveName(ctx context.Context,
 type VolumeGroupAttributes struct {
 	RequestName string            // Contains the request name for the passed in UUID
 	GroupName   string            // Contains the group name
-	VolumeSnapshotMap map[string]string // Contains the volumeID and the corresponding snapshotID mapping
+	VolumeMap   map[string]string // Contains the volumeID and the corresponding value mapping
 }
 
 func (vgjc *VolumeGroupJournalConnection) GetVolumeGroupAttributes(
@@ -393,25 +396,24 @@ func (vgjc *VolumeGroupJournalConnection) GetVolumeGroupAttributes(
 	// looking for volumeID/snapshotID mapping
 	delete(values, cj.csiNameKey)
 	delete(values, cj.csiImageKey)
-	groupAttributes.VolumeSnapshotMap = map[string]string{}
+	groupAttributes.VolumeMap = map[string]string{}
 	for k, v := range values {
-		groupAttributes.VolumeSnapshotMap[k] = v
+		groupAttributes.VolumeMap[k] = v
 	}
 
 	return groupAttributes, nil
 }
 
-func (vgjc *VolumeGroupJournalConnection) AddVolumeSnapshotMapping(
+func (vgjc *VolumeGroupJournalConnection) AddVolumesMapping(
 	ctx context.Context,
 	pool,
-	reservedUUID,
-	volumeID,
-	snapshotID string,
+	reservedUUID string,
+	volumeMap map[string]string,
 ) error {
 	err := setOMapKeys(ctx, vgjc.connection, pool, vgjc.config.namespace, vgjc.config.cephUUIDDirectoryPrefix+reservedUUID,
-		map[string]string{volumeID: snapshotID})
+		volumeMap)
 	if err != nil {
-		log.ErrorLog(ctx, "failed adding volume snapshot mapping: %v", err)
+		log.ErrorLog(ctx, "failed to add volumeMap %v: %w ", volumeMap, err)
 
 		return err
 	}
@@ -419,17 +421,17 @@ func (vgjc *VolumeGroupJournalConnection) AddVolumeSnapshotMapping(
 	return nil
 }
 
-func (vgjc *VolumeGroupJournalConnection) RemoveVolumeSnapshotMapping(
+func (vgjc *VolumeGroupJournalConnection) RemoveVolumesMapping(
 	ctx context.Context,
 	pool,
-	reservedUUID,
-	volumeID string,
+	reservedUUID string,
+	volumeIDs []string,
 ) error {
 	err := removeMapKeys(ctx, vgjc.connection, pool, vgjc.config.namespace,
 		vgjc.config.cephUUIDDirectoryPrefix+reservedUUID,
-		[]string{volumeID})
+		volumeIDs)
 	if err != nil {
-		log.ErrorLog(ctx, "failed removing volume snapshot mapping: %v", err)
+		log.ErrorLog(ctx, "failed removing volume mapping from group: key: %q %v", volumeIDs, err)
 
 		return err
 	}

internal/rbd/controllerserver.go

@@ -1020,22 +1020,12 @@ func cleanupRBDImage(ctx context.Context,
 
 	// delete the temporary rbd image created as part of volume clone during
 	// create volume
-	tempClone := rbdVol.generateTempClone()
-	err = tempClone.deleteImage(ctx)
+	err = rbdVol.DeleteTempImage(ctx)
 	if err != nil {
-		if errors.Is(err, ErrImageNotFound) {
-			err = tempClone.ensureImageCleanup(ctx)
-			if err != nil {
-				return nil, status.Error(codes.Internal, err.Error())
-			}
-		} else {
-			// return error if it is not ErrImageNotFound
-			log.ErrorLog(ctx, "failed to delete rbd image: %s with error: %v",
-				tempClone, err)
+		log.ErrorLog(ctx, "failed to delete temporary rbd image: %v", err)
 
 		return nil, status.Error(codes.Internal, err.Error())
 	}
-	}
 
 	// Deleting rbd image
 	log.DebugLog(ctx, "deleting image %s", rbdVol.RbdImageName)

internal/rbd/mirror.go

@@ -25,6 +25,69 @@ import (
 	librbd "github.com/ceph/go-ceph/rbd"
 )
 
+// FlattenMode is used to indicate the flatten mode for an RBD image.
+type FlattenMode string
+
+const (
+	// FlattenModeNever indicates that the image should never be flattened.
+	FlattenModeNever FlattenMode = "never"
+	// FlattenModeForce indicates that the image with the parent must be flattened.
+	FlattenModeForce FlattenMode = "force"
+)
+
+// HandleParentImageExistence checks the image's parent.
+// if the parent image does not exist and is not in trash, it returns nil.
+// if the flattenMode is FlattenModeForce, it flattens the image itself.
+// if the parent image is in trash, it returns an error.
+// if the parent image exists and is not enabled for mirroring, it returns an error.
+func (rv *rbdVolume) HandleParentImageExistence(
+	ctx context.Context,
+	flattenMode FlattenMode,
+) error {
+	if rv.ParentName == "" && !rv.ParentInTrash {
+		return nil
+	}
+
+	if flattenMode == FlattenModeForce {
+		// Delete temp image that exists for volume datasource since
+		// it is no longer required when the live image is flattened.
+		err := rv.DeleteTempImage(ctx)
+		if err != nil {
+			return fmt.Errorf("failed to delete temporary rbd image: %w", err)
+		}
+
+		err = rv.flattenRbdImage(ctx, true, 0, 0)
+		if err != nil {
+			return err
+		}
+	}
+
+	if rv.ParentInTrash {
+		return fmt.Errorf("%w: failed to enable mirroring on image %q:"+
+			" parent is in trash",
+			ErrFailedPrecondition, rv)
+	}
+
+	parent, err := rv.getParent()
+	if err != nil {
+		return err
+	}
+	parentMirroringInfo, err := parent.GetImageMirroringInfo()
+	if err != nil {
+		return fmt.Errorf(
+			"failed to get mirroring info of parent %q of image %q: %w",
+			parent, rv, err)
+	}
+
+	if parentMirroringInfo.State != librbd.MirrorImageEnabled {
+		return fmt.Errorf("%w: failed to enable mirroring on image %q: "+
+			"parent image %q is not enabled for mirroring",
+			ErrFailedPrecondition, rv, parent)
+	}
+
+	return nil
+}
+
 // EnableImageMirroring enables mirroring on an image.
 func (ri *rbdImage) EnableImageMirroring(mode librbd.ImageMirrorMode) error {
 	image, err := ri.open()

internal/rbd/rbd_util.go

@@ -703,6 +703,22 @@ func (ri *rbdImage) trashRemoveImage(ctx context.Context) error {
 	return nil
 }
 
+// DeleteTempImage deletes the temporary image created for volume datasource.
+func (rv *rbdVolume) DeleteTempImage(ctx context.Context) error {
+	tempClone := rv.generateTempClone()
+	err := tempClone.deleteImage(ctx)
+	if err != nil {
+		if errors.Is(err, ErrImageNotFound) {
+			return tempClone.ensureImageCleanup(ctx)
+		} else {
+			// return error if it is not ErrImageNotFound
+			return err
+		}
+	}
+
+	return nil
+}
+
 func (ri *rbdImage) getCloneDepth(ctx context.Context) (uint, error) {
 	var depth uint
 	vol := rbdVolume{}

vendor/k8s.io/apiserver/pkg/admission/plugin/cel/compile.go

@@ -222,9 +222,10 @@ func (c compiler) CompileCELExpression(expressionAccessor ExpressionAccessor, op
 func mustBuildEnvs(baseEnv *environment.EnvSet) variableDeclEnvs {
 	requestType := BuildRequestType()
 	namespaceType := BuildNamespaceType()
-	envs := make(variableDeclEnvs, 4) // since the number of variable combinations is small, pre-build a environment for each
+	envs := make(variableDeclEnvs, 8) // since the number of variable combinations is small, pre-build a environment for each
 	for _, hasParams := range []bool{false, true} {
 		for _, hasAuthorizer := range []bool{false, true} {
+			for _, strictCost := range []bool{false, true} {
 				var envOpts []cel.EnvOption
 				if hasParams {
 					envOpts = append(envOpts, cel.Variable(ParamsVarName, cel.DynType))
@@ -255,7 +256,14 @@ func mustBuildEnvs(baseEnv *environment.EnvSet) variableDeclEnvs {
 				if err != nil {
 					panic(fmt.Sprintf("environment misconfigured: %v", err))
 				}
-			envs[OptionalVariableDeclarations{HasParams: hasParams, HasAuthorizer: hasAuthorizer}] = extended
+				if strictCost {
+					extended, err = extended.Extend(environment.StrictCostOpt)
+					if err != nil {
+						panic(fmt.Sprintf("environment misconfigured: %v", err))
+					}
+				}
+				envs[OptionalVariableDeclarations{HasParams: hasParams, HasAuthorizer: hasAuthorizer, StrictCost: strictCost}] = extended
+			}
 		}
 	}
 	return envs

vendor/k8s.io/apiserver/pkg/admission/plugin/cel/interface.go

@@ -57,10 +57,12 @@ type OptionalVariableDeclarations struct {
 	// HasParams specifies if the "params" variable is declared.
 	// The "params" variable may still be bound to "null" when declared.
 	HasParams bool
-	// HasAuthorizer specifies if the"authorizer" and "authorizer.requestResource"
+	// HasAuthorizer specifies if the "authorizer" and "authorizer.requestResource"
 	// variables are declared. When declared, the authorizer variables are
 	// expected to be non-null.
 	HasAuthorizer bool
+	// StrictCost specifies if the CEL cost limitation is strict for extended libraries as well as native libraries.
+	StrictCost bool
 }
 
 // FilterCompiler contains a function to assist with converting types and values to/from CEL-typed values.

vendor/k8s.io/apiserver/pkg/admission/plugin/policy/validating/plugin.go

@@ -31,6 +31,7 @@ import (
 	"k8s.io/apiserver/pkg/authorization/authorizer"
 	"k8s.io/apiserver/pkg/cel/environment"
 	"k8s.io/apiserver/pkg/features"
+	utilfeature "k8s.io/apiserver/pkg/util/feature"
 	"k8s.io/client-go/dynamic"
 	"k8s.io/client-go/informers"
 	"k8s.io/client-go/kubernetes"
@@ -43,13 +44,21 @@ const (
 )
 
 var (
-	compositionEnvTemplate *cel.CompositionEnv = func() *cel.CompositionEnv {
-		compositionEnvTemplate, err := cel.NewCompositionEnv(cel.VariablesTypeName, environment.MustBaseEnvSet(environment.DefaultCompatibilityVersion()))
+	compositionEnvTemplateWithStrictCost *cel.CompositionEnv = func() *cel.CompositionEnv {
+		compositionEnvTemplateWithStrictCost, err := cel.NewCompositionEnv(cel.VariablesTypeName, environment.MustBaseEnvSet(environment.DefaultCompatibilityVersion(), true))
 		if err != nil {
 			panic(err)
 		}
 
-		return compositionEnvTemplate
+		return compositionEnvTemplateWithStrictCost
+	}()
+	compositionEnvTemplateWithoutStrictCost *cel.CompositionEnv = func() *cel.CompositionEnv {
+		compositionEnvTemplateWithoutStrictCost, err := cel.NewCompositionEnv(cel.VariablesTypeName, environment.MustBaseEnvSet(environment.DefaultCompatibilityVersion(), false))
+		if err != nil {
+			panic(err)
+		}
+
+		return compositionEnvTemplateWithoutStrictCost
 	}()
 )
 
@@ -114,12 +123,18 @@ func compilePolicy(policy *Policy) Validator {
 	if policy.Spec.ParamKind != nil {
 		hasParam = true
 	}
-	optionalVars := cel.OptionalVariableDeclarations{HasParams: hasParam, HasAuthorizer: true}
-	expressionOptionalVars := cel.OptionalVariableDeclarations{HasParams: hasParam, HasAuthorizer: false}
+	strictCost := utilfeature.DefaultFeatureGate.Enabled(features.StrictCostEnforcementForVAP)
+	optionalVars := cel.OptionalVariableDeclarations{HasParams: hasParam, HasAuthorizer: true, StrictCost: strictCost}
+	expressionOptionalVars := cel.OptionalVariableDeclarations{HasParams: hasParam, HasAuthorizer: false, StrictCost: strictCost}
 	failurePolicy := policy.Spec.FailurePolicy
 	var matcher matchconditions.Matcher = nil
 	matchConditions := policy.Spec.MatchConditions
-
+	var compositionEnvTemplate *cel.CompositionEnv
+	if strictCost {
+		compositionEnvTemplate = compositionEnvTemplateWithStrictCost
+	} else {
+		compositionEnvTemplate = compositionEnvTemplateWithoutStrictCost
+	}
 	filterCompiler := cel.NewCompositedCompilerFromTemplate(compositionEnvTemplate)
 	filterCompiler.CompileAndStoreVariables(convertv1beta1Variables(policy.Spec.Variables), optionalVars, environment.StoredExpressions)
 

vendor/k8s.io/apiserver/pkg/admission/plugin/policy/validating/typechecking.go

@@ -39,6 +39,8 @@ import (
 	"k8s.io/apiserver/pkg/cel/library"
 	"k8s.io/apiserver/pkg/cel/openapi"
 	"k8s.io/apiserver/pkg/cel/openapi/resolver"
+	"k8s.io/apiserver/pkg/features"
+	utilfeature "k8s.io/apiserver/pkg/util/feature"
 	"k8s.io/klog/v2"
 )
 
@@ -210,6 +212,7 @@ func (c *TypeChecker) CheckExpression(ctx *TypeCheckingContext, expression strin
 		options := plugincel.OptionalVariableDeclarations{
 			HasParams:     ctx.paramDeclType != nil,
 			HasAuthorizer: true,
+			StrictCost:    utilfeature.DefaultFeatureGate.Enabled(features.StrictCostEnforcementForVAP),
 		}
 		compiler.CompileAndStoreVariables(convertv1beta1Variables(ctx.variables), options, environment.StoredExpressions)
 		result := compiler.CompileCELExpression(celExpression(expression), options, environment.StoredExpressions)
@@ -391,7 +394,7 @@ func (c *TypeChecker) tryRefreshRESTMapper() {
 }
 
 func buildEnvSet(hasParams bool, hasAuthorizer bool, types typeOverwrite) (*environment.EnvSet, error) {
-	baseEnv := environment.MustBaseEnvSet(environment.DefaultCompatibilityVersion())
+	baseEnv := environment.MustBaseEnvSet(environment.DefaultCompatibilityVersion(), utilfeature.DefaultFeatureGate.Enabled(features.StrictCostEnforcementForVAP))
 	requestType := plugincel.BuildRequestType()
 	namespaceType := plugincel.BuildNamespaceType()
 

vendor/k8s.io/apiserver/pkg/admission/plugin/webhook/accessors.go

@@ -27,6 +27,8 @@ import (
 	"k8s.io/apiserver/pkg/admission/plugin/webhook/predicates/namespace"
 	"k8s.io/apiserver/pkg/admission/plugin/webhook/predicates/object"
 	"k8s.io/apiserver/pkg/cel/environment"
+	"k8s.io/apiserver/pkg/features"
+	utilfeature "k8s.io/apiserver/pkg/util/feature"
 	webhookutil "k8s.io/apiserver/pkg/util/webhook"
 	"k8s.io/client-go/rest"
 )
@@ -139,11 +141,16 @@ func (m *mutatingWebhookAccessor) GetCompiledMatcher(compiler cel.FilterCompiler
 				Expression: matchCondition.Expression,
 			}
 		}
+		strictCost := false
+		if utilfeature.DefaultFeatureGate.Enabled(features.StrictCostEnforcementForWebhooks) {
+			strictCost = true
+		}
 		m.compiledMatcher = matchconditions.NewMatcher(compiler.Compile(
 			expressions,
 			cel.OptionalVariableDeclarations{
 				HasParams:     false,
 				HasAuthorizer: true,
+				StrictCost:    strictCost,
 			},
 			environment.StoredExpressions,
 		), m.FailurePolicy, "webhook", "admit", m.Name)
@@ -267,11 +274,16 @@ func (v *validatingWebhookAccessor) GetCompiledMatcher(compiler cel.FilterCompil
 				Expression: matchCondition.Expression,
 			}
 		}
+		strictCost := false
+		if utilfeature.DefaultFeatureGate.Enabled(features.StrictCostEnforcementForWebhooks) {
+			strictCost = true
+		}
 		v.compiledMatcher = matchconditions.NewMatcher(compiler.Compile(
 			expressions,
 			cel.OptionalVariableDeclarations{
 				HasParams:     false,
 				HasAuthorizer: true,
+				StrictCost:    strictCost,
 			},
 			environment.StoredExpressions,
 		), v.FailurePolicy, "webhook", "validating", v.Name)

vendor/k8s.io/apiserver/pkg/admission/plugin/webhook/generic/webhook.go

@@ -21,7 +21,6 @@ import (
 	"fmt"
 	"io"
 
-	admissionmetrics "k8s.io/apiserver/pkg/admission/metrics"
 	"k8s.io/klog/v2"
 
 	admissionv1 "k8s.io/api/admission/v1"
@@ -31,6 +30,7 @@ import (
 	"k8s.io/apimachinery/pkg/runtime/schema"
 	"k8s.io/apiserver/pkg/admission"
 	genericadmissioninit "k8s.io/apiserver/pkg/admission/initializer"
+	admissionmetrics "k8s.io/apiserver/pkg/admission/metrics"
 	"k8s.io/apiserver/pkg/admission/plugin/cel"
 	"k8s.io/apiserver/pkg/admission/plugin/webhook"
 	"k8s.io/apiserver/pkg/admission/plugin/webhook/config"
@@ -39,6 +39,8 @@ import (
 	"k8s.io/apiserver/pkg/admission/plugin/webhook/predicates/rules"
 	"k8s.io/apiserver/pkg/authorization/authorizer"
 	"k8s.io/apiserver/pkg/cel/environment"
+	"k8s.io/apiserver/pkg/features"
+	utilfeature "k8s.io/apiserver/pkg/util/feature"
 	webhookutil "k8s.io/apiserver/pkg/util/webhook"
 	"k8s.io/client-go/informers"
 	clientset "k8s.io/client-go/kubernetes"
@@ -100,7 +102,7 @@ func NewWebhook(handler *admission.Handler, configFile io.Reader, sourceFactory
 		namespaceMatcher: &namespace.Matcher{},
 		objectMatcher:    &object.Matcher{},
 		dispatcher:       dispatcherFactory(&cm),
-		filterCompiler:   cel.NewFilterCompiler(environment.MustBaseEnvSet(environment.DefaultCompatibilityVersion())),
+		filterCompiler:   cel.NewFilterCompiler(environment.MustBaseEnvSet(environment.DefaultCompatibilityVersion(), utilfeature.DefaultFeatureGate.Enabled(features.StrictCostEnforcementForWebhooks))),
 	}, nil
 }
 

vendor/k8s.io/apiserver/pkg/apis/apiserver/validation/validation.go

@@ -91,7 +91,8 @@ func CompileAndValidateJWTAuthenticator(authenticator api.JWTAuthenticator, disa
 func validateJWTAuthenticator(authenticator api.JWTAuthenticator, fldPath *field.Path, disallowedIssuers sets.Set[string], structuredAuthnFeatureEnabled bool) (authenticationcel.CELMapper, field.ErrorList) {
 	var allErrs field.ErrorList
 
-	compiler := authenticationcel.NewCompiler(environment.MustBaseEnvSet(environment.DefaultCompatibilityVersion()))
+	// strictCost is set to true which enables the strict cost for CEL validation.
+	compiler := authenticationcel.NewCompiler(environment.MustBaseEnvSet(environment.DefaultCompatibilityVersion(), true))
 	state := &validationState{}
 
 	allErrs = append(allErrs, validateIssuer(authenticator.Issuer, disallowedIssuers, fldPath.Child("issuer"))...)
@@ -722,7 +723,8 @@ func compileMatchConditions(matchConditions []api.WebhookMatchCondition, fldPath
 		return nil, allErrs
 	}
 
-	compiler := authorizationcel.NewCompiler(environment.MustBaseEnvSet(environment.DefaultCompatibilityVersion()))
+	// strictCost is set to true which enables the strict cost for CEL validation.
+	compiler := authorizationcel.NewCompiler(environment.MustBaseEnvSet(environment.DefaultCompatibilityVersion(), true))
 	seenExpressions := sets.NewString()
 	var compilationResults []authorizationcel.CompilationResult
 

vendor/k8s.io/apiserver/pkg/cel/environment/base.go

@@ -46,7 +46,9 @@ func DefaultCompatibilityVersion() *version.Version {
 	return version.MajorMinor(1, 29)
 }
 
-var baseOpts = []VersionedOptions{
+var baseOpts = append(baseOptsWithoutStrictCost, StrictCostOpt)
+
+var baseOptsWithoutStrictCost = []VersionedOptions{
 	{
 		// CEL epoch was actually 1.23, but we artificially set it to 1.0 because these
 		// options should always be present.
@@ -132,6 +134,14 @@ var baseOpts = []VersionedOptions{
 	},
 }
 
+var StrictCostOpt = VersionedOptions{
+	// This is to configure the cost calculation for extended libraries
+	IntroducedVersion: version.MajorMinor(1, 0),
+	ProgramOptions: []cel.ProgramOption{
+		cel.CostTracking(&library.CostEstimator{}),
+	},
+}
+
 // MustBaseEnvSet returns the common CEL base environments for Kubernetes for Version, or panics
 // if the version is nil, or does not have major and minor components.
 //
@@ -141,7 +151,8 @@ var baseOpts = []VersionedOptions{
 // The returned environment contains no CEL variable definitions or custom type declarations and
 // should be extended to construct environments with the appropriate variable definitions,
 // type declarations and any other needed configuration.
-func MustBaseEnvSet(ver *version.Version) *EnvSet {
+// strictCost is used to determine whether to enforce strict cost calculation for CEL expressions.
+func MustBaseEnvSet(ver *version.Version, strictCost bool) *EnvSet {
 	if ver == nil {
 		panic("version must be non-nil")
 	}
@@ -149,19 +160,33 @@ func MustBaseEnvSet(ver *version.Version) *EnvSet {
 		panic(fmt.Sprintf("version must contain an major and minor component, but got: %s", ver.String()))
 	}
 	key := strconv.FormatUint(uint64(ver.Major()), 10) + "." + strconv.FormatUint(uint64(ver.Minor()), 10)
+	var entry interface{}
+	if strictCost {
 		if entry, ok := baseEnvs.Load(key); ok {
 			return entry.(*EnvSet)
 		}
-
-	entry, _, _ := baseEnvsSingleflight.Do(key, func() (interface{}, error) {
+		entry, _, _ = baseEnvsSingleflight.Do(key, func() (interface{}, error) {
 			entry := mustNewEnvSet(ver, baseOpts)
 			baseEnvs.Store(key, entry)
 			return entry, nil
 		})
+	} else {
+		if entry, ok := baseEnvsWithOption.Load(key); ok {
+			return entry.(*EnvSet)
+		}
+		entry, _, _ = baseEnvsWithOptionSingleflight.Do(key, func() (interface{}, error) {
+			entry := mustNewEnvSet(ver, baseOptsWithoutStrictCost)
+			baseEnvsWithOption.Store(key, entry)
+			return entry, nil
+		})
+	}
+
 	return entry.(*EnvSet)
 }
 
 var (
 	baseEnvs                       = sync.Map{}
+	baseEnvsWithOption             = sync.Map{}
 	baseEnvsSingleflight           = &singleflight.Group{}
+	baseEnvsWithOptionSingleflight = &singleflight.Group{}
 )

vendor/k8s.io/apiserver/pkg/features/kube_features.go

@@ -220,6 +220,24 @@ const (
 	// if the generated name conflicts with an existing resource name, up to a maximum number of 7 retries.
 	RetryGenerateName featuregate.Feature = "RetryGenerateName"
 
+	// owner: @cici37
+	// alpha: v1.30
+	//
+	// StrictCostEnforcementForVAP is used to apply strict CEL cost validation for ValidatingAdmissionPolicy.
+	// It will be set to off by default for certain time of period to prevent the impact on the existing users.
+	// It is strongly recommended to enable this feature gate as early as possible.
+	// The strict cost is specific for the extended libraries whose cost defined under k8s/apiserver/pkg/cel/library.
+	StrictCostEnforcementForVAP featuregate.Feature = "StrictCostEnforcementForVAP"
+
+	// owner: @cici37
+	// alpha: v1.30
+	//
+	// StrictCostEnforcementForWebhooks is used to apply strict CEL cost validation for matchConditions in Webhooks.
+	// It will be set to off by default for certain time of period to prevent the impact on the existing users.
+	// It is strongly recommended to enable this feature gate as early as possible.
+	// The strict cost is specific for the extended libraries whose cost defined under k8s/apiserver/pkg/cel/library.
+	StrictCostEnforcementForWebhooks featuregate.Feature = "StrictCostEnforcementForWebhooks"
+
 	// owner: @caesarxuchao @roycaihw
 	// alpha: v1.20
 	//
@@ -347,6 +365,10 @@ var defaultKubernetesFeatureGates = map[featuregate.Feature]featuregate.FeatureS
 
 	StorageVersionHash: {Default: true, PreRelease: featuregate.Beta},
 
+	StrictCostEnforcementForVAP: {Default: false, PreRelease: featuregate.Beta},
+
+	StrictCostEnforcementForWebhooks: {Default: false, PreRelease: featuregate.Beta},
+
 	StructuredAuthenticationConfiguration: {Default: true, PreRelease: featuregate.Beta},
 
 	StructuredAuthorizationConfiguration: {Default: true, PreRelease: featuregate.Beta},

vendor/modules.txt

@@ -943,7 +943,7 @@ gopkg.in/yaml.v2
 # gopkg.in/yaml.v3 v3.0.1
 ## explicit
 gopkg.in/yaml.v3
-# k8s.io/api v0.30.1 => k8s.io/api v0.30.1
+# k8s.io/api v0.30.2 => k8s.io/api v0.30.2
 ## explicit; go 1.22.0
 k8s.io/api/admission/v1
 k8s.io/api/admission/v1beta1
@@ -1001,12 +1001,12 @@ k8s.io/api/storage/v1
 k8s.io/api/storage/v1alpha1
 k8s.io/api/storage/v1beta1
 k8s.io/api/storagemigration/v1alpha1
-# k8s.io/apiextensions-apiserver v0.30.1 => k8s.io/apiextensions-apiserver v0.30.1
+# k8s.io/apiextensions-apiserver v0.30.1 => k8s.io/apiextensions-apiserver v0.30.2
 ## explicit; go 1.22.0
 k8s.io/apiextensions-apiserver/pkg/apis/apiextensions
 k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1
 k8s.io/apiextensions-apiserver/pkg/features
-# k8s.io/apimachinery v0.30.1 => k8s.io/apimachinery v0.30.1
+# k8s.io/apimachinery v0.30.2 => k8s.io/apimachinery v0.30.2
 ## explicit; go 1.22.0
 k8s.io/apimachinery/pkg/api/equality
 k8s.io/apimachinery/pkg/api/errors
@@ -1070,7 +1070,7 @@ k8s.io/apimachinery/pkg/watch
 k8s.io/apimachinery/third_party/forked/golang/json
 k8s.io/apimachinery/third_party/forked/golang/netutil
 k8s.io/apimachinery/third_party/forked/golang/reflect
-# k8s.io/apiserver v0.30.1 => k8s.io/apiserver v0.30.1
+# k8s.io/apiserver v0.30.2 => k8s.io/apiserver v0.30.2
 ## explicit; go 1.22.0
 k8s.io/apiserver/pkg/admission
 k8s.io/apiserver/pkg/admission/configuration
@@ -1218,7 +1218,7 @@ k8s.io/apiserver/plugin/pkg/audit/webhook
 k8s.io/apiserver/plugin/pkg/authenticator/token/webhook
 k8s.io/apiserver/plugin/pkg/authorizer/webhook
 k8s.io/apiserver/plugin/pkg/authorizer/webhook/metrics
-# k8s.io/client-go v12.0.0+incompatible => k8s.io/client-go v0.30.1
+# k8s.io/client-go v12.0.0+incompatible => k8s.io/client-go v0.30.2
 ## explicit; go 1.22.0
 k8s.io/client-go/applyconfigurations/admissionregistration/v1
 k8s.io/client-go/applyconfigurations/admissionregistration/v1alpha1
@@ -1552,7 +1552,7 @@ k8s.io/client-go/util/homedir
 k8s.io/client-go/util/keyutil
 k8s.io/client-go/util/retry
 k8s.io/client-go/util/workqueue
-# k8s.io/cloud-provider v0.30.1 => k8s.io/cloud-provider v0.30.1
+# k8s.io/cloud-provider v0.30.2 => k8s.io/cloud-provider v0.30.2
 ## explicit; go 1.22.0
 k8s.io/cloud-provider
 k8s.io/cloud-provider/app/config
@@ -1567,7 +1567,7 @@ k8s.io/cloud-provider/names
 k8s.io/cloud-provider/options
 k8s.io/cloud-provider/volume
 k8s.io/cloud-provider/volume/helpers
-# k8s.io/component-base v0.30.1 => k8s.io/component-base v0.30.1
+# k8s.io/component-base v0.30.2 => k8s.io/component-base v0.30.2
 ## explicit; go 1.22.0
 k8s.io/component-base/cli/flag
 k8s.io/component-base/config
@@ -1590,13 +1590,13 @@ k8s.io/component-base/metrics/testutil
 k8s.io/component-base/tracing
 k8s.io/component-base/tracing/api/v1
 k8s.io/component-base/version
-# k8s.io/component-helpers v0.30.1 => k8s.io/component-helpers v0.30.1
+# k8s.io/component-helpers v0.30.2 => k8s.io/component-helpers v0.30.2
 ## explicit; go 1.22.0
 k8s.io/component-helpers/node/util/sysctl
 k8s.io/component-helpers/scheduling/corev1
 k8s.io/component-helpers/scheduling/corev1/nodeaffinity
 k8s.io/component-helpers/storage/volume
-# k8s.io/controller-manager v0.30.1 => k8s.io/controller-manager v0.30.1
+# k8s.io/controller-manager v0.30.2 => k8s.io/controller-manager v0.30.2
 ## explicit; go 1.22.0
 k8s.io/controller-manager/config
 k8s.io/controller-manager/config/v1
@@ -1619,7 +1619,7 @@ k8s.io/klog/v2/internal/severity
 k8s.io/klog/v2/internal/sloghandler
 k8s.io/klog/v2/internal/verbosity
 k8s.io/klog/v2/textlogger
-# k8s.io/kms v0.30.1
+# k8s.io/kms v0.30.2
 ## explicit; go 1.22.0
 k8s.io/kms/apis/v1beta1
 k8s.io/kms/apis/v2
@@ -1646,11 +1646,11 @@ k8s.io/kube-openapi/pkg/validation/errors
 k8s.io/kube-openapi/pkg/validation/spec
 k8s.io/kube-openapi/pkg/validation/strfmt
 k8s.io/kube-openapi/pkg/validation/strfmt/bson
-# k8s.io/kubectl v0.0.0 => k8s.io/kubectl v0.30.1
+# k8s.io/kubectl v0.0.0 => k8s.io/kubectl v0.30.2
 ## explicit; go 1.22.0
 k8s.io/kubectl/pkg/scale
 k8s.io/kubectl/pkg/util/podutils
-# k8s.io/kubelet v0.0.0 => k8s.io/kubelet v0.30.1
+# k8s.io/kubelet v0.0.0 => k8s.io/kubelet v0.30.2
 ## explicit; go 1.22.0
 k8s.io/kubelet/pkg/apis
 k8s.io/kubelet/pkg/apis/stats/v1alpha1
@@ -1719,10 +1719,10 @@ k8s.io/kubernetes/test/utils
 k8s.io/kubernetes/test/utils/format
 k8s.io/kubernetes/test/utils/image
 k8s.io/kubernetes/test/utils/kubeconfig
-# k8s.io/mount-utils v0.29.3 => k8s.io/mount-utils v0.29.3
+# k8s.io/mount-utils v0.30.2 => k8s.io/mount-utils v0.29.3
 ## explicit; go 1.21
 k8s.io/mount-utils
-# k8s.io/pod-security-admission v0.30.1 => k8s.io/pod-security-admission v0.30.1
+# k8s.io/pod-security-admission v0.30.2 => k8s.io/pod-security-admission v0.30.2
 ## explicit; go 1.22.0
 k8s.io/pod-security-admission/api
 k8s.io/pod-security-admission/policy
@@ -1808,31 +1808,31 @@ sigs.k8s.io/yaml/goyaml.v2
 # github.com/ceph/ceph-csi/api => ./api
 # github.com/portworx/sched-ops => github.com/portworx/sched-ops v0.20.4-openstorage-rc3
 # gomodules.xyz/jsonpatch/v2 => github.com/gomodules/jsonpatch/v2 v2.2.0
-# k8s.io/api => k8s.io/api v0.30.1
-# k8s.io/apiextensions-apiserver => k8s.io/apiextensions-apiserver v0.30.1
-# k8s.io/apimachinery => k8s.io/apimachinery v0.30.1
-# k8s.io/apiserver => k8s.io/apiserver v0.30.1
-# k8s.io/cli-runtime => k8s.io/cli-runtime v0.30.1
-# k8s.io/client-go => k8s.io/client-go v0.30.1
-# k8s.io/cloud-provider => k8s.io/cloud-provider v0.30.1
-# k8s.io/cluster-bootstrap => k8s.io/cluster-bootstrap v0.30.1
-# k8s.io/code-generator => k8s.io/code-generator v0.30.1
-# k8s.io/component-base => k8s.io/component-base v0.30.1
-# k8s.io/component-helpers => k8s.io/component-helpers v0.30.1
-# k8s.io/controller-manager => k8s.io/controller-manager v0.30.1
-# k8s.io/cri-api => k8s.io/cri-api v0.30.1
-# k8s.io/csi-translation-lib => k8s.io/csi-translation-lib v0.30.1
-# k8s.io/dynamic-resource-allocation => k8s.io/dynamic-resource-allocation v0.30.1
-# k8s.io/endpointslice => k8s.io/endpointslice v0.30.1
-# k8s.io/kube-aggregator => k8s.io/kube-aggregator v0.30.1
-# k8s.io/kube-controller-manager => k8s.io/kube-controller-manager v0.30.1
-# k8s.io/kube-proxy => k8s.io/kube-proxy v0.30.1
-# k8s.io/kube-scheduler => k8s.io/kube-scheduler v0.30.1
-# k8s.io/kubectl => k8s.io/kubectl v0.30.1
-# k8s.io/kubelet => k8s.io/kubelet v0.30.1
-# k8s.io/legacy-cloud-providers => k8s.io/legacy-cloud-providers v0.30.1
-# k8s.io/metrics => k8s.io/metrics v0.30.1
+# k8s.io/api => k8s.io/api v0.30.2
+# k8s.io/apiextensions-apiserver => k8s.io/apiextensions-apiserver v0.30.2
+# k8s.io/apimachinery => k8s.io/apimachinery v0.30.2
+# k8s.io/apiserver => k8s.io/apiserver v0.30.2
+# k8s.io/cli-runtime => k8s.io/cli-runtime v0.30.2
+# k8s.io/client-go => k8s.io/client-go v0.30.2
+# k8s.io/cloud-provider => k8s.io/cloud-provider v0.30.2
+# k8s.io/cluster-bootstrap => k8s.io/cluster-bootstrap v0.30.2
+# k8s.io/code-generator => k8s.io/code-generator v0.30.2
+# k8s.io/component-base => k8s.io/component-base v0.30.2
+# k8s.io/component-helpers => k8s.io/component-helpers v0.30.2
+# k8s.io/controller-manager => k8s.io/controller-manager v0.30.2
+# k8s.io/cri-api => k8s.io/cri-api v0.30.2
+# k8s.io/csi-translation-lib => k8s.io/csi-translation-lib v0.30.2
+# k8s.io/dynamic-resource-allocation => k8s.io/dynamic-resource-allocation v0.30.2
+# k8s.io/endpointslice => k8s.io/endpointslice v0.30.2
+# k8s.io/kube-aggregator => k8s.io/kube-aggregator v0.30.2
+# k8s.io/kube-controller-manager => k8s.io/kube-controller-manager v0.30.2
+# k8s.io/kube-proxy => k8s.io/kube-proxy v0.30.2
+# k8s.io/kube-scheduler => k8s.io/kube-scheduler v0.30.2
+# k8s.io/kubectl => k8s.io/kubectl v0.30.2
+# k8s.io/kubelet => k8s.io/kubelet v0.30.2
+# k8s.io/legacy-cloud-providers => k8s.io/legacy-cloud-providers v0.30.2
+# k8s.io/metrics => k8s.io/metrics v0.30.2
 # k8s.io/mount-utils => k8s.io/mount-utils v0.29.3
-# k8s.io/pod-security-admission => k8s.io/pod-security-admission v0.30.1
-# k8s.io/sample-apiserver => k8s.io/sample-apiserver v0.30.1
+# k8s.io/pod-security-admission => k8s.io/pod-security-admission v0.30.2
+# k8s.io/sample-apiserver => k8s.io/sample-apiserver v0.30.2
 # layeh.com/radius => github.com/layeh/radius v0.0.0-20190322222518-890bc1058917