fix(pkg/render/apiserver.go): Correctly add validatingadmissionpolicy rules for kubernetes 1.30+ #3781
base: master
… rules for kubernetes 1.30+ The expectation was that the "validatingadmissionpolicies" and "validatingadmissionpolicybindings" rules would be added when using kubernetes 1.30+ but this is not happening due to reversed < > logic. This was highlighted using calico-apiserver 3.29.2 where this validation is performed by default but was unable to when using the tigera operator due to missing rules. This resolves issue tigera#3780
61af20c to 99e56be
Hi Phil, thank you for your contribution. I did add a small suggestion, other than that it looks good.
… "validatingadmission*" rules We need to also include 1.30, since that is the earliest version that ships the API. Co-authored-by: Rene Dekker <[email protected]>
/merge-when-ready
OK, I will merge the pull request when it's ready, leave the commits as is when I merge it, and leave the branch after I've merged it.
@@ -651,7 +651,7 @@ func (c *apiServerComponent) calicoCustomResourcesClusterRole() *rbacv1.ClusterR | |||
}, | |||
}, | |||
} | |||
if c.cfg.KubernetesVersion == nil || !(c.cfg.KubernetesVersion != nil && c.cfg.KubernetesVersion.Major < 2 && c.cfg.KubernetesVersion.Minor < 30) { | |||
if c.cfg.KubernetesVersion == nil || !(c.cfg.KubernetesVersion != nil && c.cfg.KubernetesVersion.Major < 2 && c.cfg.KubernetesVersion.Minor >= 30) { |
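Review bot: the rewritten condition on the second line of the hunk inverts the gate instead of fixing it. With `!(... && Minor >= 30)` the inner expression is true for 1.30+, so the negation makes the whole condition false and the validatingadmissionpolicies/validatingadmissionpolicybindings rules are added for 1.29 and below but skipped for exactly the 1.30+ versions that need them; the first line of the hunk already evaluates to true for 1.30+ because its inner `Minor < 30` check is false there. If the motivation is readability, drop the double negation and the `!= nil` that is already guaranteed by the short-circuited `== nil ||`, e.g. `if c.cfg.KubernetesVersion == nil || (c.cfg.KubernetesVersion.Major == 1 && c.cfg.KubernetesVersion.Minor >= 30) {`, and add unit tests for 1.29, 1.30 and 1.31 so the boundary is pinned.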
Can we make sure we have unit tests that verify the correct behavior for relevant versions?
e.g., 1.29, 1.30, 1.31
I am not familiar with the codebase yet and was hoping I'd learn how to run the tests via CI check logs.
I'll spend some time understanding the tests.
On second glance I missed the !. I think the original code was correct. That said, it is an overly hard-to-read statement.
I think it can be simplified to if c.cfg.KubernetesVersion == nil || (c.cfg.KubernetesVersion.Major == 1 && c.cfg.KubernetesVersion.Minor >= 30) {
On further review you are right yes, but in my tests the rules are not being added when testing with Kubernetes 1.32
@rene-dekker Thanks for pointing out my error. Revisiting the original if statement
And given a test kubernetes version of
So evaluating to
Yes, much more readable
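The review above asks for unit tests that pin the behaviour at 1.29, 1.30 and 1.31. The following is an added example, not code from the tigera/operator repository: it reproduces the three candidate conditions from this thread (the original line of the hunk, the rewritten line, and the simplified form suggested in review) as plain Go predicates over an assumed `Version` struct that mirrors the `Major`/`Minor` fields of `c.cfg.KubernetesVersion`, and evaluates each one across a constructed list of versions so the inversion in the rewritten line is visible directly.

```go
package main

import "fmt"

// Version is an assumption for this example: it mirrors only the Major and
// Minor fields that the operator's c.cfg.KubernetesVersion exposes in the hunk.
type Version struct {
	Major int
	Minor int
}

// originalCondition is the check as it stood before the PR (first line of the hunk).
// The inner "v != nil" is redundant: "v == nil ||" already short-circuits for nil.
func originalCondition(v *Version) bool {
	return v == nil || !(v != nil && v.Major < 2 && v.Minor < 30)
}

// proposedCondition is the check as the PR first rewrote it (second line of the hunk).
// Negating "Minor >= 30" flips the gate: it is true for 1.29 and false for 1.30+.
func proposedCondition(v *Version) bool {
	return v == nil || !(v != nil && v.Major < 2 && v.Minor >= 30)
}

// simplifiedCondition is the form suggested in review: no double negation.
func simplifiedCondition(v *Version) bool {
	return v == nil || (v.Major == 1 && v.Minor >= 30)
}

// Result records, for one version, whether each predicate would add the
// validatingadmissionpolicies / validatingadmissionpolicybindings rules.
type Result struct {
	Original   bool
	Proposed   bool
	Simplified bool
}

// Evaluate runs all three predicates against a single version (nil means
// "version unknown", which every form treats as "add the rules").
func Evaluate(v *Version) Result {
	return Result{
		Original:   originalCondition(v),
		Proposed:   proposedCondition(v),
		Simplified: simplifiedCondition(v),
	}
}

func main() {
	// Constructed sample versions spanning the 1.30 boundary the thread discusses.
	versions := []*Version{nil, {1, 29}, {1, 30}, {1, 31}, {1, 32}}
	fmt.Printf("%-8s %-9s %-9s %-10s\n", "version", "original", "proposed", "simplified")
	for _, v := range versions {
		label := "nil"
		if v != nil {
			label = fmt.Sprintf("%d.%d", v.Major, v.Minor)
		}
		r := Evaluate(v)
		fmt.Printf("%-8s %-9t %-9t %-10t\n", label, r.Original, r.Proposed, r.Simplified)
	}
}
```

Running it prints one row per version; the original and simplified columns agree everywhere (false only for 1.29), while the proposed column is their mirror image for every 1.x version, which is the symptom reported with 1.32 above.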
@philroche FYI we'll need you to sign the CLA in order to make the bot happy before merging
Yup I have escalated to Chainguard legal team to make sure that's OK for me using my Chainguard email.
Further debug output added to original issue @ #3780 (comment)
@caseydavenport CLA signed
This PR is stale because it has been open for 60 days with no activity.
/sem-approve
Sorry this got delayed. I am not sure if this is still needed, but it seems like there are some test failures.
The expectation was that the "validatingadmissionpolicies" and "validatingadmissionpolicybindings" rules would be added when using kubernetes 1.30+ but this is not happening due to reversed < > logic. This was highlighted using calico-apiserver 3.29.2 where this validation is performed by default but was unable to when using the tigera operator due to missing rules. This resolves issue #3780