diff --git a/docs/src/BINDING_VALIDATING.md b/docs/src/BINDING_VALIDATING.md index 96fc9383..a2b8b642 100644 --- a/docs/src/BINDING_VALIDATING.md +++ b/docs/src/BINDING_VALIDATING.md @@ -48,6 +48,9 @@ kubernetesValidating: failurePolicy: Ignore | Fail (default) sideEffects: None (default) | NoneOnDryRun timeoutSeconds: 2 (default is 10) + matchConditions: + - name: "exclude-user" + expression: '("system:apiserver" != request.userInfo.username)' ``` ## Parameters @@ -70,6 +73,8 @@ kubernetesValidating: - `timeoutSeconds` — a seconds API server should wait for a hook to respond before treating the call as a failure. See [timeouts][timeouts]. Default is 10 (seconds). +- `matchConditions` — an optional list of [match conditions][match-conditions] for fine-grained request filtering. Available only since v1.27 of Kubernetes. + As you can see, it is the close copy of a [Webhook configuration][webhook-configuration]. Differences are: - `objectSelector` is a `labelSelector` as in the `kubernetes` binding. - `namespaceSelector` is a `namespace.labelSelector` as in the `kubernetes` binding. @@ -254,3 +259,4 @@ Command line options: [timeouts]: https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#timeouts [validating-webhook-example]: https://github.com/flant/shell-operator/tree/main/examples/204-validating-webhook [webhook-configuration]: https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#webhook-configuration +[match-conditions]: https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-matchconditions diff --git a/pkg/hook/config/config_v1.go b/pkg/hook/config/config_v1.go index 68995f56..2ed8f57d 100644 --- a/pkg/hook/config/config_v1.go +++ b/pkg/hook/config/config_v1.go 
@@ -71,7 +71,7 @@ type KubeFieldSelectorV1 kemtypes.FieldSelector
 
 type KubeNamespaceSelectorV1 kemtypes.NamespaceSelector
 
-// version 1 of kubernetes vali configuration
+// version 1 of kubernetes validation configuration
 type KubernetesAdmissionConfigV1 struct {
 Name string `json:"name,omitempty"`
 IncludeSnapshotsFrom []string `json:"includeSnapshotsFrom,omitempty"`
@@ -82,6 +82,7 @@ type KubernetesAdmissionConfigV1 struct {
 Namespace *KubeNamespaceSelectorV1 `json:"namespace,omitempty"`
 SideEffects *v1.SideEffectClass `json:"sideEffects"`
 TimeoutSeconds *int32 `json:"timeoutSeconds,omitempty"`
+ MatchConditions []v1.MatchCondition `json:"matchConditions,omitempty"`
 }
 
 // version 1 of kubernetes conversion configuration
@@ -460,6 +461,8 @@ func convertValidating(cfgV1 KubernetesAdmissionConfigV1) (htypes.ValidatingConf
 webhook.TimeoutSeconds = &DefaultTimeoutSeconds
 }
 
+ webhook.MatchConditions = cfgV1.MatchConditions
+
 cfg.Webhook = &admission.ValidatingWebhookConfig{
 ValidatingWebhook: webhook,
 }
@@ -506,6 +509,8 @@ func convertMutating(cfgV1 KubernetesAdmissionConfigV1) (htypes.MutatingConfig,
 webhook.TimeoutSeconds = &DefaultTimeoutSeconds
 }
 
+ webhook.MatchConditions = cfgV1.MatchConditions
+
 cfg.Webhook = &admission.MutatingWebhookConfig{
 MutatingWebhook: webhook,
 }
diff --git a/pkg/hook/config/schemas.go b/pkg/hook/config/schemas.go
index 6e0c778f..f6f785aa 100644
--- a/pkg/hook/config/schemas.go
+++ b/pkg/hook/config/schemas.go
@@ -229,6 +229,18 @@ properties:
 timeoutSeconds:
 type: integer
 example: 10
+ matchConditions:
+ type: array
+ items:
+ type: object
+ required:
+ - expression
+ - name
+ properties:
+ expression:
+ type: string
+ name:
+ type: string
 labelSelector:
 "$ref": "#/definitions/labelSelector"
 namespace:
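Review bot: The new `MatchConditions` field at the end of `KubernetesAdmissionConfigV1` has no doc comment, and the fields around it give no hint that this one changes which requests the hook ever sees. The conditions are forwarded to the API server, which evaluates them before calling the webhook, so a request they exclude is never delivered to the hook; this commit's docs say the feature exists only from Kubernetes 1.27, and a server that does not know the field would presumably drop it silently and keep calling the webhook for every request that matches the rules. A field comment such as `// MatchConditions are forwarded to the webhook configuration and evaluated by the API server before the hook is called; requires Kubernetes 1.27+, older servers are expected to ignore them and call the hook for every request.` would make both the filtering and the version dependency visible at the type. The struct's header is in the previous hunk.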
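Review bot: The new `webhook.MatchConditions = cfgV1.MatchConditions` line copies the conditions into the webhook without any check, so a condition with an empty `expression` or a `name` used twice, which the JSON schema added in this commit does not forbid, is only rejected when the generated webhook configuration is applied to the API server, well after the hook config was accepted; the identical line in the `convertMutating` hunk below has the same gap. Rejecting empty or duplicate entries at this point would surface the mistake at config load, where the hook author sees it. The line also deserves a comment that the conditions are evaluated by the API server, not by shell-operator, and that an expression that fails to evaluate falls back to the webhook's `failurePolicy`, so with `failurePolicy: Ignore` such a request is admitted without the hook running: `// Evaluated by the API server before the hook is called; an expression that fails to evaluate falls back to failurePolicy, so Ignore admits the request without calling the hook.` Both `convertValidating` and `convertMutating` start outside their hunks.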
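Review bot: The schema added under `matchConditions` only requires that the `name` and `expression` keys exist and hold strings, so an empty `expression` or empty `name` passes validation here and is rejected later by the API server when the webhook configuration is applied; the API server also caps the number of conditions per webhook (64 in the upstream documentation, worth confirming against the target version). Adding `minLength: 1` under both `expression` and `name`, and a `maxItems` matching the server limit, would reject those inputs at config load with a message pointing at the hook. The same block is added again at `@@ -318` in this file and needs the same change.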
@@ -318,6 +330,18 @@ properties:
 timeoutSeconds:
 type: integer
 example: 10
+ matchConditions:
+ type: array
+ items:
+ type: object
+ required:
+ - expression
+ - name
+ properties:
+ expression:
+ type: string
+ name:
+ type: string
 labelSelector:
 "$ref": "#/definitions/labelSelector"
 namespace:
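Review bot: This twelve-line `matchConditions` block is a verbatim copy of the one added at `@@ -229`, and the two will drift the first time one of them is tightened. The file already shares `labelSelector` between the two webhook schemas through `"$ref": "#/definitions/labelSelector"`, so the same pattern applies here: move the item schema into `definitions` once and reference it from both places as `"$ref": "#/definitions/matchConditions"`. Any later constraint on `expression` or `name` then needs a single edit.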