rebase: update k8s.io packages to v0.29.0

Signed-off-by: Niels de Vos <ndevos@ibm.com>

vendor/k8s.io/apiserver/pkg/admission/config.go

@@ -20,7 +20,6 @@ import (
 	"bytes"
 	"fmt"
 	"io"
-	"io/ioutil"
 	"os"
 	"path"
 	"path/filepath"
@@ -60,7 +59,7 @@ func ReadAdmissionConfiguration(pluginNames []string, configFilePath string, con
 		return configProvider{config: &apiserver.AdmissionConfiguration{}}, nil
 	}
 	// a file was provided, so we just read it.
-	data, err := ioutil.ReadFile(configFilePath)
+	data, err := os.ReadFile(configFilePath)
 	if err != nil {
 		return nil, fmt.Errorf("unable to read admission control configuration from %q [%v]", configFilePath, err)
 	}
@@ -141,7 +140,7 @@ func GetAdmissionPluginConfigurationFor(pluginCfg apiserver.AdmissionPluginConfi
 	}
 	// there is nothing nested, so we delegate to path
 	if pluginCfg.Path != "" {
-		content, err := ioutil.ReadFile(pluginCfg.Path)
+		content, err := os.ReadFile(pluginCfg.Path)
 		if err != nil {
 			klog.Fatalf("Couldn't open admission plugin configuration %s: %#v", pluginCfg.Path, err)
 			return nil, err

vendor/k8s.io/apiserver/pkg/admission/plugin/cel/compile.go

@@ -141,6 +141,7 @@ type CompilationResult struct {
 	Program            cel.Program
 	Error              *apiservercel.Error
 	ExpressionAccessor ExpressionAccessor
+	OutputType         *cel.Type
 }
 
 // Compiler provides a CEL expression compiler configured with the desired admission related CEL variables and
@@ -214,6 +215,7 @@ func (c compiler) CompileCELExpression(expressionAccessor ExpressionAccessor, op
 	return CompilationResult{
 		Program:            prog,
 		ExpressionAccessor: expressionAccessor,
+		OutputType:         ast.OutputType(),
 	}
 }
 

vendor/k8s.io/apiserver/pkg/admission/plugin/cel/composition.go

@@ -23,6 +23,7 @@ import (
 	"github.com/google/cel-go/cel"
 	"github.com/google/cel-go/common/types"
 	"github.com/google/cel-go/common/types/ref"
+	"github.com/google/cel-go/common/types/traits"
 
 	v1 "k8s.io/api/admission/v1"
 	corev1 "k8s.io/api/core/v1"
@@ -69,8 +70,8 @@ func (c *CompositedCompiler) CompileAndStoreVariables(variables []NamedExpressio
 }
 
 func (c *CompositedCompiler) CompileAndStoreVariable(variable NamedExpressionAccessor, options OptionalVariableDeclarations, mode environment.Type) CompilationResult {
-	c.CompositionEnv.AddField(variable.GetName())
 	result := c.Compiler.CompileCELExpression(variable, options, mode)
+	c.CompositionEnv.AddField(variable.GetName(), result.OutputType)
 	c.CompositionEnv.CompiledVariables[variable.GetName()] = result
 	return result
 }
@@ -90,8 +91,8 @@ type CompositionEnv struct {
 	CompiledVariables map[string]CompilationResult
 }
 
-func (c *CompositionEnv) AddField(name string) {
-	c.MapType.Fields[name] = apiservercel.NewDeclField(name, apiservercel.DynType, true, nil, nil)
+func (c *CompositionEnv) AddField(name string, celType *cel.Type) {
+	c.MapType.Fields[name] = apiservercel.NewDeclField(name, convertCelTypeToDeclType(celType), true, nil, nil)
 }
 
 func NewCompositionEnv(typeName string, baseEnvSet *environment.EnvSet) (*CompositionEnv, error) {
@@ -196,3 +197,48 @@ func (a *variableAccessor) Callback(_ *lazy.MapValue) ref.Val {
 	}
 	return v
 }
+
+// convertCelTypeToDeclType converts a cel.Type to DeclType, for the use of
+// the TypeProvider and the cost estimator.
+// List and map types are created on-demand with their parameters converted recursively.
+func convertCelTypeToDeclType(celType *cel.Type) *apiservercel.DeclType {
+	if celType == nil {
+		return apiservercel.DynType
+	}
+	switch celType {
+	case cel.AnyType:
+		return apiservercel.AnyType
+	case cel.BoolType:
+		return apiservercel.BoolType
+	case cel.BytesType:
+		return apiservercel.BytesType
+	case cel.DoubleType:
+		return apiservercel.DoubleType
+	case cel.DurationType:
+		return apiservercel.DurationType
+	case cel.IntType:
+		return apiservercel.IntType
+	case cel.NullType:
+		return apiservercel.NullType
+	case cel.StringType:
+		return apiservercel.StringType
+	case cel.TimestampType:
+		return apiservercel.TimestampType
+	case cel.UintType:
+		return apiservercel.UintType
+	default:
+		if celType.HasTrait(traits.ContainerType) && celType.HasTrait(traits.IndexerType) {
+			parameters := celType.Parameters()
+			switch len(parameters) {
+			case 1:
+				elemType := convertCelTypeToDeclType(parameters[0])
+				return apiservercel.NewListType(elemType, -1)
+			case 2:
+				keyType := convertCelTypeToDeclType(parameters[0])
+				valueType := convertCelTypeToDeclType(parameters[1])
+				return apiservercel.NewMapType(keyType, valueType, -1)
+			}
+		}
+		return apiservercel.DynType
+	}
+}

vendor/k8s.io/apiserver/pkg/admission/plugin/validatingadmissionpolicy/typechecking.go

@@ -238,7 +238,7 @@ func (c *TypeChecker) typesToCheck(p *v1beta1.ValidatingAdmissionPolicy) []schem
 	if p.Spec.MatchConstraints == nil || len(p.Spec.MatchConstraints.ResourceRules) == 0 {
 		return nil
 	}
-
+	restMapperRefreshAttempted := false // at most once per policy, refresh RESTMapper and retry resolution.
 	for _, rule := range p.Spec.MatchConstraints.ResourceRules {
 		groups := extractGroups(&rule.Rule)
 		if len(groups) == 0 {
@@ -268,7 +268,16 @@ func (c *TypeChecker) typesToCheck(p *v1beta1.ValidatingAdmissionPolicy) []schem
 					}
 					resolved, err := c.RestMapper.KindsFor(gvr)
 					if err != nil {
-						continue
+						if restMapperRefreshAttempted {
+							// RESTMapper refresh happens at most once per policy
+							continue
+						}
+						c.tryRefreshRESTMapper()
+						restMapperRefreshAttempted = true
+						resolved, err = c.RestMapper.KindsFor(gvr)
+						if err != nil {
+							continue
+						}
 					}
 					for _, r := range resolved {
 						if !r.Empty() {
@@ -344,6 +353,13 @@ func sortGVKList(list []schema.GroupVersionKind) []schema.GroupVersionKind {
 	return list
 }
 
+// tryRefreshRESTMapper refreshes the RESTMapper if it supports refreshing.
+func (c *TypeChecker) tryRefreshRESTMapper() {
+	if r, ok := c.RestMapper.(meta.ResettableRESTMapper); ok {
+		r.Reset()
+	}
+}
+
 func buildEnv(hasParams bool, hasAuthorizer bool, types typeOverwrite) (*cel.Env, error) {
 	baseEnv := environment.MustBaseEnvSet(environment.DefaultCompatibilityVersion())
 	requestType := plugincel.BuildRequestType()

vendor/k8s.io/apiserver/pkg/admission/plugin/webhook/config/kubeconfig.go

@@ -19,7 +19,6 @@ package config
 import (
 	"fmt"
 	"io"
-	"io/ioutil"
 	"path"
 
 	"k8s.io/apimachinery/pkg/runtime"
@@ -47,7 +46,7 @@ func LoadConfig(configFile io.Reader) (string, error) {
 	var kubeconfigFile string
 	if configFile != nil {
 		// we have a config so parse it.
-		data, err := ioutil.ReadAll(configFile)
+		data, err := io.ReadAll(configFile)
 		if err != nil {
 			return "", err
 		}

vendor/k8s.io/apiserver/pkg/admission/plugins.go

@@ -20,7 +20,6 @@ import (
 	"bytes"
 	"fmt"
 	"io"
-	"io/ioutil"
 	"reflect"
 	"sort"
 	"strings"
@@ -115,7 +114,7 @@ func splitStream(config io.Reader) (io.Reader, io.Reader, error) {
 		return nil, nil, nil
 	}
 
-	configBytes, err := ioutil.ReadAll(config)
+	configBytes, err := io.ReadAll(config)
 	if err != nil {
 		return nil, nil, err
 	}