build: move e2e dependencies into e2e/go.mod

Several packages are only used while running the e2e suite. These packages are less important to update, as the they can not influence the final executable that is part of the Ceph-CSI container-image. By moving these dependencies out of the main Ceph-CSI go.mod, it is easier to identify if a reported CVE affects Ceph-CSI, or only the testing (like most of the Kubernetes CVEs). Signed-off-by: Niels de Vos <ndevos@ibm.com>
2025-06-14 02:43:36 +00:00 · 2025-03-04 08:57:28 +01:00
parent 15da101b1b
commit bec6090996
8047 changed files with 1407827 additions and 3453 deletions
--- a/e2e/vendor/k8s.io/apiserver/pkg/cel/openapi/adaptor.go
+++ b/e2e/vendor/k8s.io/apiserver/pkg/cel/openapi/adaptor.go
@ -0,0 +1,229 @@
+/*
+Copyright 2023 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package openapi
+
+import (
+	"github.com/google/cel-go/common/types/ref"
+
+	apiservercel "k8s.io/apiserver/pkg/cel"
+	"k8s.io/apiserver/pkg/cel/common"
+	"k8s.io/kube-openapi/pkg/validation/spec"
+)
+
+var _ common.Schema = (*Schema)(nil)
+var _ common.SchemaOrBool = (*SchemaOrBool)(nil)
+
+type Schema struct {
+	Schema *spec.Schema
+}
+
+type SchemaOrBool struct {
+	SchemaOrBool *spec.SchemaOrBool
+}
+
+func (sb *SchemaOrBool) Schema() common.Schema {
+	return &Schema{Schema: sb.SchemaOrBool.Schema}
+}
+
+func (sb *SchemaOrBool) Allows() bool {
+	return sb.SchemaOrBool.Allows
+}
+
+func (s *Schema) Type() string {
+	if len(s.Schema.Type) == 0 {
+		return ""
+	}
+	return s.Schema.Type[0]
+}
+
+func (s *Schema) Format() string {
+	return s.Schema.Format
+}
+
+func (s *Schema) Pattern() string {
+	return s.Schema.Pattern
+}
+
+func (s *Schema) Items() common.Schema {
+	if s.Schema.Items == nil || s.Schema.Items.Schema == nil {
+		return nil
+	}
+	return &Schema{Schema: s.Schema.Items.Schema}
+}
+
+func (s *Schema) Properties() map[string]common.Schema {
+	if s.Schema.Properties == nil {
+		return nil
+	}
+	res := make(map[string]common.Schema, len(s.Schema.Properties))
+	for n, prop := range s.Schema.Properties {
+		// map value is unaddressable, create a shallow copy
+		// this is a shallow non-recursive copy
+		s := prop
+		res[n] = &Schema{Schema: &s}
+	}
+	return res
+}
+
+func (s *Schema) AdditionalProperties() common.SchemaOrBool {
+	if s.Schema.AdditionalProperties == nil {
+		return nil
+	}
+	return &SchemaOrBool{SchemaOrBool: s.Schema.AdditionalProperties}
+}
+
+func (s *Schema) Default() any {
+	return s.Schema.Default
+}
+
+func (s *Schema) Minimum() *float64 {
+	return s.Schema.Minimum
+}
+
+func (s *Schema) IsExclusiveMinimum() bool {
+	return s.Schema.ExclusiveMinimum
+}
+
+func (s *Schema) Maximum() *float64 {
+	return s.Schema.Maximum
+}
+
+func (s *Schema) IsExclusiveMaximum() bool {
+	return s.Schema.ExclusiveMaximum
+}
+
+func (s *Schema) MultipleOf() *float64 {
+	return s.Schema.MultipleOf
+}
+
+func (s *Schema) UniqueItems() bool {
+	return s.Schema.UniqueItems
+}
+
+func (s *Schema) MinItems() *int64 {
+	return s.Schema.MinItems
+}
+
+func (s *Schema) MaxItems() *int64 {
+	return s.Schema.MaxItems
+}
+
+func (s *Schema) MinLength() *int64 {
+	return s.Schema.MinLength
+}
+
+func (s *Schema) MaxLength() *int64 {
+	return s.Schema.MaxLength
+}
+
+func (s *Schema) MinProperties() *int64 {
+	return s.Schema.MinProperties
+}
+
+func (s *Schema) MaxProperties() *int64 {
+	return s.Schema.MaxProperties
+}
+
+func (s *Schema) Required() []string {
+	return s.Schema.Required
+}
+
+func (s *Schema) Enum() []any {
+	return s.Schema.Enum
+}
+
+func (s *Schema) Nullable() bool {
+	return s.Schema.Nullable
+}
+
+func (s *Schema) AllOf() []common.Schema {
+	var res []common.Schema
+	for _, nestedSchema := range s.Schema.AllOf {
+		nestedSchema := nestedSchema
+		res = append(res, &Schema{&nestedSchema})
+	}
+	return res
+}
+
+func (s *Schema) AnyOf() []common.Schema {
+	var res []common.Schema
+	for _, nestedSchema := range s.Schema.AnyOf {
+		nestedSchema := nestedSchema
+		res = append(res, &Schema{&nestedSchema})
+	}
+	return res
+}
+
+func (s *Schema) OneOf() []common.Schema {
+	var res []common.Schema
+	for _, nestedSchema := range s.Schema.OneOf {
+		nestedSchema := nestedSchema
+		res = append(res, &Schema{&nestedSchema})
+	}
+	return res
+}
+
+func (s *Schema) Not() common.Schema {
+	if s.Schema.Not == nil {
+		return nil
+	}
+	return &Schema{s.Schema.Not}
+}
+
+func (s *Schema) IsXIntOrString() bool {
+	return isXIntOrString(s.Schema)
+}
+
+func (s *Schema) IsXEmbeddedResource() bool {
+	return isXEmbeddedResource(s.Schema)
+}
+
+func (s *Schema) IsXPreserveUnknownFields() bool {
+	return isXPreserveUnknownFields(s.Schema)
+}
+
+func (s *Schema) XListType() string {
+	return getXListType(s.Schema)
+}
+
+func (s *Schema) XMapType() string {
+	return getXMapType(s.Schema)
+}
+
+func (s *Schema) XListMapKeys() []string {
+	return getXListMapKeys(s.Schema)
+}
+
+func (s *Schema) XValidations() []common.ValidationRule {
+	return getXValidations(s.Schema)
+}
+
+func (s *Schema) WithTypeAndObjectMeta() common.Schema {
+	return &Schema{common.WithTypeAndObjectMeta(s.Schema)}
+}
+
+func UnstructuredToVal(unstructured any, schema *spec.Schema) ref.Val {
+	return common.UnstructuredToVal(unstructured, &Schema{schema})
+}
+
+func SchemaDeclType(s *spec.Schema, isResourceRoot bool) *apiservercel.DeclType {
+	return common.SchemaDeclType(&Schema{Schema: s}, isResourceRoot)
+}
+
+func MakeMapList(sts *spec.Schema, items []interface{}) (rv common.MapList) {
+	return common.MakeMapList(&Schema{Schema: sts}, items)
+}
--- a/e2e/vendor/k8s.io/apiserver/pkg/cel/openapi/extensions.go
+++ b/e2e/vendor/k8s.io/apiserver/pkg/cel/openapi/extensions.go
@ -0,0 +1,107 @@
+/*
+Copyright 2022 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package openapi
+
+import (
+	"k8s.io/apimachinery/pkg/util/intstr"
+	"k8s.io/apiserver/pkg/cel/common"
+	"k8s.io/kube-openapi/pkg/validation/spec"
+)
+
+var intOrStringFormat = intstr.IntOrString{}.OpenAPISchemaFormat()
+
+func isExtension(schema *spec.Schema, key string) bool {
+	v, ok := schema.Extensions.GetBool(key)
+	return v && ok
+}
+
+func isXIntOrString(schema *spec.Schema) bool {
+	// built-in types have the Format while CRDs use extension
+	// both are valid, checking both
+	return schema.Format == intOrStringFormat || isExtension(schema, extIntOrString)
+}
+
+func isXEmbeddedResource(schema *spec.Schema) bool {
+	return isExtension(schema, extEmbeddedResource)
+}
+
+func isXPreserveUnknownFields(schema *spec.Schema) bool {
+	return isExtension(schema, extPreserveUnknownFields)
+}
+
+func getXListType(schema *spec.Schema) string {
+	s, _ := schema.Extensions.GetString(extListType)
+	return s
+}
+
+func getXMapType(schema *spec.Schema) string {
+	s, _ := schema.Extensions.GetString(extMapType)
+	return s
+}
+
+func getXListMapKeys(schema *spec.Schema) []string {
+	mapKeys, ok := schema.Extensions.GetStringSlice(extListMapKeys)
+	if !ok {
+		return nil
+	}
+	return mapKeys
+}
+
+type ValidationRule struct {
+	RuleField              string `json:"rule"`
+	MessageField           string `json:"message"`
+	MessageExpressionField string `json:"messageExpression"`
+	PathField              string `json:"fieldPath"`
+}
+
+func (v ValidationRule) Rule() string {
+	return v.RuleField
+}
+
+func (v ValidationRule) Message() string {
+	return v.MessageField
+}
+
+func (v ValidationRule) FieldPath() string {
+	return v.PathField
+}
+
+func (v ValidationRule) MessageExpression() string {
+	return v.MessageExpressionField
+}
+
+// TODO: simplify
+func getXValidations(schema *spec.Schema) []common.ValidationRule {
+	var rules []ValidationRule
+	err := schema.Extensions.GetObject(extValidations, &rules)
+	if err != nil {
+		return nil
+	}
+	results := make([]common.ValidationRule, len(rules))
+	for i, rule := range rules {
+		results[i] = rule
+	}
+	return results
+}
+
+const extIntOrString = "x-kubernetes-int-or-string"
+const extEmbeddedResource = "x-kubernetes-embedded-resource"
+const extPreserveUnknownFields = "x-kubernetes-preserve-unknown-fields"
+const extListType = "x-kubernetes-list-type"
+const extMapType = "x-kubernetes-map-type"
+const extListMapKeys = "x-kubernetes-list-map-keys"
+const extValidations = "x-kubernetes-validations"
--- a/e2e/vendor/k8s.io/apiserver/pkg/cel/openapi/resolver/combined.go
+++ b/e2e/vendor/k8s.io/apiserver/pkg/cel/openapi/resolver/combined.go
@ -0,0 +1,45 @@
+/*
+Copyright 2023 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package resolver
+
+import (
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"k8s.io/kube-openapi/pkg/validation/spec"
+)
+
+// Combine combines the DefinitionsSchemaResolver with a secondary schema resolver.
+// The resulting schema resolver uses the DefinitionsSchemaResolver for a GVK that DefinitionsSchemaResolver knows,
+// and the secondary otherwise.
+func (d *DefinitionsSchemaResolver) Combine(secondary SchemaResolver) SchemaResolver {
+	return &combinedSchemaResolver{definitions: d, secondary: secondary}
+}
+
+type combinedSchemaResolver struct {
+	definitions *DefinitionsSchemaResolver
+	secondary   SchemaResolver
+}
+
+// ResolveSchema takes a GroupVersionKind (GVK) and returns the OpenAPI schema
+// identified by the GVK.
+// If the DefinitionsSchemaResolver knows the gvk, the DefinitionsSchemaResolver handles the resolution,
+// otherwise, the secondary does.
+func (r *combinedSchemaResolver) ResolveSchema(gvk schema.GroupVersionKind) (*spec.Schema, error) {
+	if _, ok := r.definitions.gvkToRef[gvk]; ok {
+		return r.definitions.ResolveSchema(gvk)
+	}
+	return r.secondary.ResolveSchema(gvk)
+}
--- a/e2e/vendor/k8s.io/apiserver/pkg/cel/openapi/resolver/definitions.go
+++ b/e2e/vendor/k8s.io/apiserver/pkg/cel/openapi/resolver/definitions.go
@ -0,0 +1,114 @@
+/*
+Copyright 2023 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package resolver
+
+import (
+	"fmt"
+
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"k8s.io/apiserver/pkg/endpoints/openapi"
+	"k8s.io/kube-openapi/pkg/common"
+	"k8s.io/kube-openapi/pkg/validation/spec"
+)
+
+// DefinitionsSchemaResolver resolves the schema of a built-in type
+// by looking up the OpenAPI definitions.
+type DefinitionsSchemaResolver struct {
+	defs     map[string]common.OpenAPIDefinition
+	gvkToRef map[schema.GroupVersionKind]string
+}
+
+// NewDefinitionsSchemaResolver creates a new DefinitionsSchemaResolver.
+// An example working setup:
+// getDefinitions = "k8s.io/kubernetes/pkg/generated/openapi".GetOpenAPIDefinitions
+// scheme         = "k8s.io/client-go/kubernetes/scheme".Scheme
+func NewDefinitionsSchemaResolver(getDefinitions common.GetOpenAPIDefinitions, schemes ...*runtime.Scheme) *DefinitionsSchemaResolver {
+	gvkToRef := make(map[schema.GroupVersionKind]string)
+	namer := openapi.NewDefinitionNamer(schemes...)
+	defs := getDefinitions(func(path string) spec.Ref {
+		return spec.MustCreateRef(path)
+	})
+	for name := range defs {
+		_, e := namer.GetDefinitionName(name)
+		gvks := extensionsToGVKs(e)
+		for _, gvk := range gvks {
+			gvkToRef[gvk] = name
+		}
+	}
+	return &DefinitionsSchemaResolver{
+		gvkToRef: gvkToRef,
+		defs:     defs,
+	}
+}
+
+func (d *DefinitionsSchemaResolver) ResolveSchema(gvk schema.GroupVersionKind) (*spec.Schema, error) {
+	ref, ok := d.gvkToRef[gvk]
+	if !ok {
+		return nil, fmt.Errorf("cannot resolve %v: %w", gvk, ErrSchemaNotFound)
+	}
+	s, err := PopulateRefs(func(ref string) (*spec.Schema, bool) {
+		// find the schema by the ref string, and return a deep copy
+		def, ok := d.defs[ref]
+		if !ok {
+			return nil, false
+		}
+		s := def.Schema
+		return &s, true
+	}, ref)
+	if err != nil {
+		return nil, err
+	}
+	return s, nil
+}
+
+func extensionsToGVKs(extensions spec.Extensions) []schema.GroupVersionKind {
+	gvksAny, ok := extensions[extGVK]
+	if !ok {
+		return nil
+	}
+	gvks, ok := gvksAny.([]any)
+	if !ok {
+		return nil
+	}
+	result := make([]schema.GroupVersionKind, 0, len(gvks))
+	for _, gvkAny := range gvks {
+		// type check the map and all fields
+		gvkMap, ok := gvkAny.(map[string]any)
+		if !ok {
+			return nil
+		}
+		g, ok := gvkMap["group"].(string)
+		if !ok {
+			return nil
+		}
+		v, ok := gvkMap["version"].(string)
+		if !ok {
+			return nil
+		}
+		k, ok := gvkMap["kind"].(string)
+		if !ok {
+			return nil
+		}
+		result = append(result, schema.GroupVersionKind{
+			Group:   g,
+			Version: v,
+			Kind:    k,
+		})
+	}
+	return result
+}
--- a/e2e/vendor/k8s.io/apiserver/pkg/cel/openapi/resolver/discovery.go
+++ b/e2e/vendor/k8s.io/apiserver/pkg/cel/openapi/resolver/discovery.go
@ -0,0 +1,104 @@
+/*
+Copyright 2023 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package resolver
+
+import (
+	"encoding/json"
+	"fmt"
+	"strings"
+
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"k8s.io/client-go/discovery"
+	"k8s.io/kube-openapi/pkg/validation/spec"
+)
+
+// ClientDiscoveryResolver uses client-go discovery to resolve schemas at run time.
+type ClientDiscoveryResolver struct {
+	Discovery discovery.DiscoveryInterface
+}
+
+var _ SchemaResolver = (*ClientDiscoveryResolver)(nil)
+
+func (r *ClientDiscoveryResolver) ResolveSchema(gvk schema.GroupVersionKind) (*spec.Schema, error) {
+	p, err := r.Discovery.OpenAPIV3().Paths()
+	if err != nil {
+		return nil, err
+	}
+	resourcePath := resourcePathFromGV(gvk.GroupVersion())
+	c, ok := p[resourcePath]
+	if !ok {
+		return nil, fmt.Errorf("cannot resolve group version %q: %w", gvk.GroupVersion(), ErrSchemaNotFound)
+	}
+	b, err := c.Schema(runtime.ContentTypeJSON)
+	if err != nil {
+		return nil, err
+	}
+	resp := new(schemaResponse)
+	err = json.Unmarshal(b, resp)
+	if err != nil {
+		return nil, err
+	}
+	ref, err := resolveRef(resp, gvk)
+	if err != nil {
+		return nil, err
+	}
+	s, err := PopulateRefs(func(ref string) (*spec.Schema, bool) {
+		s, ok := resp.Components.Schemas[strings.TrimPrefix(ref, refPrefix)]
+		return s, ok
+	}, ref)
+	if err != nil {
+		return nil, err
+	}
+	return s, nil
+}
+
+func resolveRef(resp *schemaResponse, gvk schema.GroupVersionKind) (string, error) {
+	for ref, s := range resp.Components.Schemas {
+		var gvks []schema.GroupVersionKind
+		err := s.Extensions.GetObject(extGVK, &gvks)
+		if err != nil {
+			return "", err
+		}
+		for _, g := range gvks {
+			if g == gvk {
+				return ref, nil
+			}
+		}
+	}
+	return "", fmt.Errorf("cannot resolve group version kind %q: %w", gvk, ErrSchemaNotFound)
+}
+
+func resourcePathFromGV(gv schema.GroupVersion) string {
+	var resourcePath string
+	if len(gv.Group) == 0 {
+		resourcePath = fmt.Sprintf("api/%s", gv.Version)
+	} else {
+		resourcePath = fmt.Sprintf("apis/%s/%s", gv.Group, gv.Version)
+	}
+	return resourcePath
+}
+
+type schemaResponse struct {
+	Components struct {
+		Schemas map[string]*spec.Schema `json:"schemas"`
+	} `json:"components"`
+}
+
+const refPrefix = "#/components/schemas/"
+
+const extGVK = "x-kubernetes-group-version-kind"
--- a/e2e/vendor/k8s.io/apiserver/pkg/cel/openapi/resolver/refs.go
+++ b/e2e/vendor/k8s.io/apiserver/pkg/cel/openapi/resolver/refs.go
@ -0,0 +1,122 @@
+/*
+Copyright 2023 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package resolver
+
+import (
+	"fmt"
+
+	"k8s.io/apimachinery/pkg/util/sets"
+	"k8s.io/kube-openapi/pkg/validation/spec"
+)
+
+// PopulateRefs recursively replaces Refs in the schema with the referred one.
+// schemaOf is the callback to find the corresponding schema by the ref.
+// This function will not mutate the original schema. If the schema needs to be
+// mutated, a copy will be returned, otherwise it returns the original schema.
+func PopulateRefs(schemaOf func(ref string) (*spec.Schema, bool), rootRef string) (*spec.Schema, error) {
+	visitedRefs := sets.New[string]()
+	rootSchema, ok := schemaOf(rootRef)
+	visitedRefs.Insert(rootRef)
+	if !ok {
+		return nil, fmt.Errorf("internal error: cannot resolve Ref for root schema %q: %w", rootRef, ErrSchemaNotFound)
+	}
+	return populateRefs(schemaOf, visitedRefs, rootSchema)
+}
+
+func populateRefs(schemaOf func(ref string) (*spec.Schema, bool), visited sets.Set[string], schema *spec.Schema) (*spec.Schema, error) {
+	result := *schema
+	changed := false
+
+	ref, isRef := refOf(schema)
+	if isRef {
+		if visited.Has(ref) {
+			return &spec.Schema{
+				// for circular ref, return an empty object as placeholder
+				SchemaProps: spec.SchemaProps{Type: []string{"object"}},
+			}, nil
+		}
+		visited.Insert(ref)
+		// restore visited state at the end of the recursion.
+		defer func() {
+			visited.Delete(ref)
+		}()
+		// replace the whole schema with the referred one.
+		resolved, ok := schemaOf(ref)
+		if !ok {
+			return nil, fmt.Errorf("internal error: cannot resolve Ref %q: %w", ref, ErrSchemaNotFound)
+		}
+		result = *resolved
+		changed = true
+	}
+	// schema is an object, populate its properties and additionalProperties
+	props := make(map[string]spec.Schema, len(schema.Properties))
+	propsChanged := false
+	for name, prop := range result.Properties {
+		populated, err := populateRefs(schemaOf, visited, &prop)
+		if err != nil {
+			return nil, err
+		}
+		if populated != &prop {
+			propsChanged = true
+		}
+		props[name] = *populated
+	}
+	if propsChanged {
+		changed = true
+		result.Properties = props
+	}
+	if result.AdditionalProperties != nil && result.AdditionalProperties.Schema != nil {
+		populated, err := populateRefs(schemaOf, visited, result.AdditionalProperties.Schema)
+		if err != nil {
+			return nil, err
+		}
+		if populated != result.AdditionalProperties.Schema {
+			changed = true
+			result.AdditionalProperties.Schema = populated
+		}
+	}
+	// schema is a list, populate its items
+	if result.Items != nil && result.Items.Schema != nil {
+		populated, err := populateRefs(schemaOf, visited, result.Items.Schema)
+		if err != nil {
+			return nil, err
+		}
+		if populated != result.Items.Schema {
+			changed = true
+			result.Items.Schema = populated
+		}
+	}
+	if changed {
+		return &result, nil
+	}
+	return schema, nil
+}
+
+func refOf(schema *spec.Schema) (string, bool) {
+	if schema.Ref.GetURL() != nil {
+		return schema.Ref.String(), true
+	}
+	// A Ref may be wrapped in allOf to preserve its description
+	// see https://github.com/kubernetes/kubernetes/issues/106387
+	// For kube-openapi, allOf is only used for wrapping a Ref.
+	for _, allOf := range schema.AllOf {
+		if ref, isRef := refOf(&allOf); isRef {
+			return ref, isRef
+		}
+	}
+	return "", false
+}
--- a/e2e/vendor/k8s.io/apiserver/pkg/cel/openapi/resolver/resolver.go
+++ b/e2e/vendor/k8s.io/apiserver/pkg/cel/openapi/resolver/resolver.go
@ -0,0 +1,39 @@
+/*
+Copyright 2023 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package resolver
+
+import (
+	"fmt"
+
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"k8s.io/kube-openapi/pkg/validation/spec"
+)
+
+// SchemaResolver finds the OpenAPI schema for the given GroupVersionKind.
+// This interface uses the type defined by k8s.io/kube-openapi
+type SchemaResolver interface {
+	// ResolveSchema takes a GroupVersionKind (GVK) and returns the OpenAPI schema
+	// identified by the GVK.
+	// The function returns a non-nil error if the schema cannot be found or fail
+	// to resolve. The returned error wraps ErrSchemaNotFound if the resolution is
+	// attempted but the corresponding schema cannot be found.
+	ResolveSchema(gvk schema.GroupVersionKind) (*spec.Schema, error)
+}
+
+// ErrSchemaNotFound is wrapped and returned if the schema cannot be located
+// by the resolver.
+var ErrSchemaNotFound = fmt.Errorf("schema not found")