From 882c7896e7e4c753c8f4849f31bca4e183ac8227 Mon Sep 17 00:00:00 2001
From: Rita Zhang
Date: Mon, 4 Nov 2024 16:26:42 -0800
Subject: [PATCH] Add webhookmatchcondition doc comment
Signed-off-by: Rita Zhang
Co-authored-by: Jordan Liggitt
Kubernetes-commit: 151599d47a9b866a7d7b8dffc5714557817bbcf2
---
 pkg/apis/apiserver/types.go | 7 +++++++
 pkg/apis/apiserver/v1/types.go | 7 +++++++
 pkg/apis/apiserver/v1alpha1/types.go | 7 +++++++
 pkg/apis/apiserver/v1beta1/types.go | 7 +++++++
 4 files changed, 28 insertions(+)
diff --git a/pkg/apis/apiserver/types.go b/pkg/apis/apiserver/types.go
index af70fe244..a610ebc1a 100644
--- a/pkg/apis/apiserver/types.go
+++ b/pkg/apis/apiserver/types.go
@@ -401,6 +401,13 @@ type WebhookMatchCondition struct {
 // If version specified by subjectAccessReviewVersion in the request variable is v1beta1,
 // the contents would be converted to the v1 version before evaluating the CEL expression.
 //
+ // - 'resourceAttributes' describes information for a resource access request and is unset for non-resource requests. e.g. has(request.resourceAttributes) && request.resourceAttributes.namespace == 'default'
+ // - 'nonResourceAttributes' describes information for a non-resource access request and is unset for resource requests. e.g. has(request.nonResourceAttributes) && request.nonResourceAttributes.path == '/healthz'.
+ // - 'user' is the user to test for. e.g. request.user == 'alice'
+ // - 'groups' is the groups to test for. e.g. ('group1' in request.groups)
+ // - 'extra' corresponds to the user.Info.GetExtra() method from the authenticator.
+ // - 'uid' is the information about the requesting user. e.g. request.uid == '1'
+ //
 // Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
 Expression string
 }
diff --git a/pkg/apis/apiserver/v1/types.go b/pkg/apis/apiserver/v1/types.go
index e72109364..18328c558 100644
--- a/pkg/apis/apiserver/v1/types.go
+++ b/pkg/apis/apiserver/v1/types.go
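Review bot: The 'extra' bullet is the only one added without an example or a statement of its shape, and 'uid' is described only as "the information about the requesting user", so neither bullet tells a reader how to write a correct condition on that field. Because these expressions decide whether the authorization webhook is consulted, I would spell both out, for example `// - 'extra' corresponds to the user.Info.GetExtra() method from the authenticator; check that a key is present before indexing it. e.g. ('example-key' in request.extra)` (the key name is a constructed placeholder, and this assumes extra is exposed to CEL as a map, which should be confirmed) and `// - 'uid' is the UID of the requesting user. e.g. request.uid == '1'`. The period after the `'/healthz'` example reads as part of the expression and should be dropped so the example can be copied as written. The same seven lines are added in the v1, v1alpha1 and v1beta1 hunks, and the WebhookMatchCondition struct and the start of this field comment begin outside each hunk.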
@@ -164,6 +164,13 @@ type WebhookMatchCondition struct {
 // If version specified by subjectAccessReviewVersion in the request variable is v1beta1,
 // the contents would be converted to the v1 version before evaluating the CEL expression.
 //
+ // - 'resourceAttributes' describes information for a resource access request and is unset for non-resource requests. e.g. has(request.resourceAttributes) && request.resourceAttributes.namespace == 'default'
+ // - 'nonResourceAttributes' describes information for a non-resource access request and is unset for resource requests. e.g. has(request.nonResourceAttributes) && request.nonResourceAttributes.path == '/healthz'.
+ // - 'user' is the user to test for. e.g. request.user == 'alice'
+ // - 'groups' is the groups to test for. e.g. ('group1' in request.groups)
+ // - 'extra' corresponds to the user.Info.GetExtra() method from the authenticator.
+ // - 'uid' is the information about the requesting user. e.g. request.uid == '1'
+ //
 // Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
 Expression string `json:"expression"`
 }
diff --git a/pkg/apis/apiserver/v1alpha1/types.go b/pkg/apis/apiserver/v1alpha1/types.go
index 214ef4e4f..dee2c115a 100644
--- a/pkg/apis/apiserver/v1alpha1/types.go
+++ b/pkg/apis/apiserver/v1alpha1/types.go
@@ -615,6 +615,13 @@ type WebhookMatchCondition struct {
 // If version specified by subjectAccessReviewVersion in the request variable is v1beta1,
 // the contents would be converted to the v1 version before evaluating the CEL expression.
 //
+ // - 'resourceAttributes' describes information for a resource access request and is unset for non-resource requests. e.g. has(request.resourceAttributes) && request.resourceAttributes.namespace == 'default'
+ // - 'nonResourceAttributes' describes information for a non-resource access request and is unset for resource requests. e.g. has(request.nonResourceAttributes) && request.nonResourceAttributes.path == '/healthz'.
+ // - 'user' is the user to test for. e.g. request.user == 'alice'
+ // - 'groups' is the groups to test for. e.g. ('group1' in request.groups)
+ // - 'extra' corresponds to the user.Info.GetExtra() method from the authenticator.
+ // - 'uid' is the information about the requesting user. e.g. request.uid == '1'
+ //
 // Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
 Expression string `json:"expression"`
 }
diff --git a/pkg/apis/apiserver/v1beta1/types.go b/pkg/apis/apiserver/v1beta1/types.go
index 570f3c468..a0e13593b 100644
--- a/pkg/apis/apiserver/v1beta1/types.go
+++ b/pkg/apis/apiserver/v1beta1/types.go
@@ -586,6 +586,13 @@ type WebhookMatchCondition struct {
 // If version specified by subjectAccessReviewVersion in the request variable is v1beta1,
 // the contents would be converted to the v1 version before evaluating the CEL expression.
 //
+ // - 'resourceAttributes' describes information for a resource access request and is unset for non-resource requests. e.g. has(request.resourceAttributes) && request.resourceAttributes.namespace == 'default'
+ // - 'nonResourceAttributes' describes information for a non-resource access request and is unset for resource requests. e.g. has(request.nonResourceAttributes) && request.nonResourceAttributes.path == '/healthz'.
+ // - 'user' is the user to test for. e.g. request.user == 'alice'
+ // - 'groups' is the groups to test for. e.g. ('group1' in request.groups)
+ // - 'extra' corresponds to the user.Info.GetExtra() method from the authenticator.
+ // - 'uid' is the information about the requesting user. e.g. request.uid == '1'
+ //
 // Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
 Expression string `json:"expression"`
 }