[admission webhooks] add match conditions (#701)

Signed-off-by: Mikhail Scherba <mikhail.scherba@flant.com>
flant · Dec 17, 2024 · f22ccb5 · f22ccb5
1 parent 6850012
commit f22ccb5
Show file tree

Hide file tree

Showing 3 changed files with 36 additions and 1 deletion.
diff --git a/docs/src/BINDING_VALIDATING.md b/docs/src/BINDING_VALIDATING.md
@@ -48,6 +48,9 @@ kubernetesValidating:
   failurePolicy: Ignore | Fail (default)
   sideEffects: None (default) | NoneOnDryRun
   timeoutSeconds: 2 (default is 10)
+  matchConditions:
+  - name: "exclude-user"
+    expression: '("system:apiserver" != request.userInfo.username)'
 ```
 
 ## Parameters
@@ -70,6 +73,8 @@ kubernetesValidating:
 
 - `timeoutSeconds` — a seconds API server should wait for a hook to respond before treating the call as a failure. See [timeouts][timeouts]. Default is 10 (seconds).
 
+- `matchConditions` — an optional list of [match conditions][match-conditions] for fine-grained request filtering. Available only since v1.27 of Kubernetes. 
+
 As you can see, it is the close copy of a [Webhook configuration][webhook-configuration]. Differences are:
 - `objectSelector` is a `labelSelector` as in the `kubernetes` binding.
 - `namespaceSelector` is a `namespace.labelSelector` as in the `kubernetes` binding.
@@ -254,3 +259,4 @@ Command line options:
 [timeouts]: https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#timeouts
 [validating-webhook-example]: https://github.com/flant/shell-operator/tree/main/examples/204-validating-webhook
 [webhook-configuration]: https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#webhook-configuration
+[match-conditions]: https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-matchconditions
diff --git a/pkg/hook/config/config_v1.go b/pkg/hook/config/config_v1.go
@@ -71,7 +71,7 @@ type KubeFieldSelectorV1 kemtypes.FieldSelector
 
 type KubeNamespaceSelectorV1 kemtypes.NamespaceSelector
 
-// version 1 of kubernetes vali configuration
+// version 1 of kubernetes validation configuration
 type KubernetesAdmissionConfigV1 struct {
 	Name                 string                   `json:"name,omitempty"`
 	IncludeSnapshotsFrom []string                 `json:"includeSnapshotsFrom,omitempty"`
@@ -82,6 +82,7 @@ type KubernetesAdmissionConfigV1 struct {
 	Namespace            *KubeNamespaceSelectorV1 `json:"namespace,omitempty"`
 	SideEffects          *v1.SideEffectClass      `json:"sideEffects"`
 	TimeoutSeconds       *int32                   `json:"timeoutSeconds,omitempty"`
+	MatchConditions      []v1.MatchCondition      `json:"matchConditions,omitempty"`
 }
 
 // version 1 of kubernetes conversion configuration
@@ -460,6 +461,8 @@ func convertValidating(cfgV1 KubernetesAdmissionConfigV1) (htypes.ValidatingConf
 		webhook.TimeoutSeconds = &DefaultTimeoutSeconds
 	}
 
+	webhook.MatchConditions = cfgV1.MatchConditions
+
 	cfg.Webhook = &admission.ValidatingWebhookConfig{
 		ValidatingWebhook: webhook,
 	}
@@ -506,6 +509,8 @@ func convertMutating(cfgV1 KubernetesAdmissionConfigV1) (htypes.MutatingConfig,
 		webhook.TimeoutSeconds = &DefaultTimeoutSeconds
 	}
 
+	webhook.MatchConditions = cfgV1.MatchConditions
+
 	cfg.Webhook = &admission.MutatingWebhookConfig{
 		MutatingWebhook: webhook,
 	}

diff --git a/pkg/hook/config/schemas.go b/pkg/hook/config/schemas.go
@@ -229,6 +229,18 @@ properties:
         timeoutSeconds:
           type: integer
           example: 10
+        matchConditions:
+          type: array
+          items:
+            type: object
+            required:
+              - expression
+              - name
+            properties:
+              expression:
+                type: string
+              name:
+                type: string
         labelSelector:
           "$ref": "#/definitions/labelSelector"
         namespace:
@@ -318,6 +330,18 @@ properties:
         timeoutSeconds:
           type: integer
           example: 10
+        matchConditions:
+          type: array
+          items:
+            type: object
+            required:
+              - expression
+              - name
+            properties:
+              expression:
+                type: string
+              name:
+                type: string
         labelSelector:
           "$ref": "#/definitions/labelSelector"
         namespace: