Merge pull request #119109 from jiahuif-forks/feature/validating-admission-policy/crd-typechecking

ValidatingAdmissionPolicy - Type Checking for API Expensions types Kubernetes-commit: ceea5fd0cbcb29212bed8c93f1aa81ce45d3cf69
2023-10-30 21:11:19 +01:00 · 2023-10-30 21:11:19 +01:00 · 0389b07635
parent f3e30d29fe a026b6fcf5
commit 0389b07635
3 changed files with 66 additions and 5 deletions
--- a/pkg/admission/plugin/validatingadmissionpolicy/typechecking.go
+++ b/pkg/admission/plugin/validatingadmissionpolicy/typechecking.go
@ -238,7 +238,7 @@ func (c *TypeChecker) typesToCheck(p *v1beta1.ValidatingAdmissionPolicy) []schem
 	if p.Spec.MatchConstraints == nil || len(p.Spec.MatchConstraints.ResourceRules) == 0 {
 		return nil
 	}
-
+	restMapperRefreshAttempted := false // at most once per policy, refresh RESTMapper and retry resolution.
 	for _, rule := range p.Spec.MatchConstraints.ResourceRules {
 		groups := extractGroups(&rule.Rule)
 		if len(groups) == 0 {
@ -268,7 +268,16 @@ func (c *TypeChecker) typesToCheck(p *v1beta1.ValidatingAdmissionPolicy) []schem
 					}
 					resolved, err := c.RestMapper.KindsFor(gvr)
 					if err != nil {
-						continue
+						if restMapperRefreshAttempted {
+							// RESTMapper refresh happens at most once per policy
+							continue
+						}
+						c.tryRefreshRESTMapper()
+						restMapperRefreshAttempted = true
+						resolved, err = c.RestMapper.KindsFor(gvr)
+						if err != nil {
+							continue
+						}
 					}
 					for _, r := range resolved {
 						if !r.Empty() {
@ -344,6 +353,13 @@ func sortGVKList(list []schema.GroupVersionKind) []schema.GroupVersionKind {
 	return list
 }

+// tryRefreshRESTMapper refreshes the RESTMapper if it supports refreshing.
+func (c *TypeChecker) tryRefreshRESTMapper() {
+	if r, ok := c.RestMapper.(meta.ResettableRESTMapper); ok {
+		r.Reset()
+	}
+}
+
 func buildEnv(hasParams bool, hasAuthorizer bool, types typeOverwrite) (*cel.Env, error) {
 	baseEnv := environment.MustBaseEnvSet(environment.DefaultCompatibilityVersion())
 	requestType := plugincel.BuildRequestType()
--- a/pkg/cel/openapi/resolver/combined.go
+++ b/pkg/cel/openapi/resolver/combined.go
@ -0,0 +1,45 @@
+/*
+Copyright 2023 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package resolver
+
+import (
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"k8s.io/kube-openapi/pkg/validation/spec"
+)
+
+// Combine combines the DefinitionsSchemaResolver with a secondary schema resolver.
+// The resulting schema resolver uses the DefinitionsSchemaResolver for a GVK that DefinitionsSchemaResolver knows,
+// and the secondary otherwise.
+func (d *DefinitionsSchemaResolver) Combine(secondary SchemaResolver) SchemaResolver {
+	return &combinedSchemaResolver{definitions: d, secondary: secondary}
+}
+
+type combinedSchemaResolver struct {
+	definitions *DefinitionsSchemaResolver
+	secondary   SchemaResolver
+}
+
+// ResolveSchema takes a GroupVersionKind (GVK) and returns the OpenAPI schema
+// identified by the GVK.
+// If the DefinitionsSchemaResolver knows the gvk, the DefinitionsSchemaResolver handles the resolution,
+// otherwise, the secondary does.
+func (r *combinedSchemaResolver) ResolveSchema(gvk schema.GroupVersionKind) (*spec.Schema, error) {
+	if _, ok := r.definitions.gvkToSchema[gvk]; ok {
+		return r.definitions.ResolveSchema(gvk)
+	}
+	return r.secondary.ResolveSchema(gvk)
+}
--- a/pkg/cel/openapi/resolver/definitions.go
+++ b/pkg/cel/openapi/resolver/definitions.go
@ -35,11 +35,11 @@ type DefinitionsSchemaResolver struct {

 // NewDefinitionsSchemaResolver creates a new DefinitionsSchemaResolver.
 // An example working setup:
-// scheme         = "k8s.io/client-go/kubernetes/scheme".Scheme
 // getDefinitions = "k8s.io/kubernetes/pkg/generated/openapi".GetOpenAPIDefinitions
-func NewDefinitionsSchemaResolver(scheme *runtime.Scheme, getDefinitions common.GetOpenAPIDefinitions) *DefinitionsSchemaResolver {
+// scheme         = "k8s.io/client-go/kubernetes/scheme".Scheme
+func NewDefinitionsSchemaResolver(getDefinitions common.GetOpenAPIDefinitions, schemes ...*runtime.Scheme) *DefinitionsSchemaResolver {
 	gvkToSchema := make(map[schema.GroupVersionKind]*spec.Schema)
-	namer := openapi.NewDefinitionNamer(scheme)
+	namer := openapi.NewDefinitionNamer(schemes...)
 	defs := getDefinitions(func(path string) spec.Ref {
 		return spec.MustCreateRef(path)
 	})