Use ValidatingAdmissionPolicy in admissionregistration.k8s.io/v1

cybozu-go · Jan 24, 2025 · 8c1dc52 · 8c1dc52
1 parent 766595c
commit 8c1dc52
Show file tree

Hide file tree

Showing 7 changed files with 7 additions and 35 deletions.
diff --git a/Makefile b/Makefile
@@ -63,7 +63,7 @@ manifests: controller-gen kustomize yq ## Generate WebhookConfiguration, Cluster
 	mkdir -p charts/moco/templates/generated/crds/
 	$(CONTROLLER_GEN) $(CRD_OPTIONS) rbac:roleName=manager-role webhook paths="./..." output:crd:artifacts:config=config/crd/bases
 	$(KUSTOMIZE) build config/crd -o config/crd/tests # Outputs static CRDs for use with Envtest.
-	$(KUSTOMIZE) build config/kustomize-to-helm/overlays/templates | $(YQ) e ". | del(select(.kind==\"ValidatingAdmissionPolicy\" or .kind==\"ValidatingAdmissionPolicyBinding\").metadata.namespace)" - > charts/moco/templates/generated/generated.yaml # Manually remove namespaces because the API version supported by kustomize is out of date.
+	$(KUSTOMIZE) build config/kustomize-to-helm/overlays/templates | $(YQ) e "." - > charts/moco/templates/generated/generated.yaml
 	echo '{{- if .Values.crds.enabled }}' > charts/moco/templates/generated/crds/moco_crds.yaml
 	$(KUSTOMIZE) build config/kustomize-to-helm/overlays/crds | $(YQ) e "." - >> charts/moco/templates/generated/crds/moco_crds.yaml
 	echo '{{- end }}' >> charts/moco/templates/generated/crds/moco_crds.yaml

diff --git a/charts/moco/templates/_helpers.tpl b/charts/moco/templates/_helpers.tpl
@@ -23,14 +23,3 @@ app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
 {{- end }}
 app.kubernetes.io/managed-by: {{ .Release.Service }}
 {{- end }}
-
-{{/*
-Return the appropriate apiVersion for admissionregistration.
-*/}}
-{{- define "admissionregistration.apiVersion" -}}
-{{- if (lt (int .Capabilities.KubeVersion.Minor) 30) -}}
-admissionregistration.k8s.io/v1beta1
-{{- else -}}
-admissionregistration.k8s.io/v1
-{{- end }}
-{{- end }}
diff --git a/charts/moco/templates/generated/generated.yaml b/charts/moco/templates/generated/generated.yaml
@@ -372,7 +372,7 @@ spec:
     app.kubernetes.io/component: moco-controller
     app.kubernetes.io/name: '{{ include "moco.name" . }}'
 ---
-apiVersion: '{{ include "admissionregistration.apiVersion" . }}'
+apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingAdmissionPolicy
 metadata:
   labels:
@@ -381,6 +381,7 @@ metadata:
     app.kubernetes.io/version: '{{ .Chart.AppVersion }}'
     helm.sh/chart: '{{ include "moco.chart" . }}'
   name: moco-delete-validator
+  namespace: '{{ .Release.Namespace }}'
 spec:
   failurePolicy: Fail
   matchConstraints:
@@ -400,7 +401,7 @@ spec:
         !(oldObject.metadata.annotations["moco.cybozu.com/prevent-delete"] == "true")
       messageExpression: oldObject.metadata.name + ' is protected from deletion'
 ---
-apiVersion: '{{ include "admissionregistration.apiVersion" . }}'
+apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingAdmissionPolicyBinding
 metadata:
   labels:
@@ -409,6 +410,7 @@ metadata:
     app.kubernetes.io/version: '{{ .Chart.AppVersion }}'
     helm.sh/chart: '{{ include "moco.chart" . }}'
   name: moco-delete-validator
+  namespace: '{{ .Release.Namespace }}'
 spec:
   policyName: moco-delete-validator
   validationActions:

diff --git a/config/kustomize-to-helm/overlays/templates/kustomization.yaml b/config/kustomize-to-helm/overlays/templates/kustomization.yaml
@@ -14,14 +14,3 @@ patchesStrategicMerge:
 
 transformers:
   - label-transformer.yaml
-
-patches:
-  - target:
-      group: admissionregistration.k8s.io
-      version: v1beta1
-      kind: 'ValidatingAdmissionPolicy|ValidatingAdmissionPolicyBinding'
-      name: '.*'
-    patch: |-
-      - op: replace
-        path: "/apiVersion"
-        value: '{{ include "admissionregistration.apiVersion" . }}'
diff --git a/config/webhook/validate_preventdelete.yaml b/config/webhook/validate_preventdelete.yaml
@@ -1,4 +1,4 @@
-apiVersion: admissionregistration.k8s.io/v1beta1
+apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingAdmissionPolicy
 metadata:
   name: delete-validator
@@ -17,7 +17,7 @@ spec:
         !(oldObject.metadata.annotations["moco.cybozu.com/prevent-delete"] == "true")
       messageExpression: oldObject.metadata.name + ' is protected from deletion'
 ---
-apiVersion: admissionregistration.k8s.io/v1beta1
+apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingAdmissionPolicyBinding
 metadata:
   name: delete-validator

diff --git a/e2e/kind-config.yaml b/e2e/kind-config.yaml
@@ -1,9 +1,5 @@
 apiVersion: kind.x-k8s.io/v1alpha4
 kind: Cluster
-featureGates:
-  ValidatingAdmissionPolicy: true
-runtimeConfig:
-  admissionregistration.k8s.io/v1beta1: true
 nodes:
 - role: control-plane
 - role: worker

diff --git a/e2e/kind-config_actions.yaml b/e2e/kind-config_actions.yaml
@@ -1,9 +1,5 @@
 apiVersion: kind.x-k8s.io/v1alpha4
 kind: Cluster
-featureGates:
-  ValidatingAdmissionPolicy: true
-runtimeConfig:
-  admissionregistration.k8s.io/v1beta1: true
 nodes:
 - role: control-plane
 - role: worker