Finish wiring validating admission policy

Signed-off-by: Andy Goldstein <[email protected]>

pkg/admission/initializers/initializer.go

@@ -17,6 +17,7 @@ limitations under the License.
 package initializers
 
 import (
+ kcpdynamic "github.com/kcp-dev/client-go/dynamic"
  kcpkubernetesinformers "github.com/kcp-dev/client-go/informers"
  kcpkubernetesclientset "github.com/kcp-dev/client-go/kubernetes"
 
@@ -165,3 +166,19 @@ func (i *serverShutdownChannelInitializer) Initialize(plugin admission.Interface
  wants.SetServerShutdownChannel(i.ch)
  }
 }
+
+type dynamicClusterClientInitializer struct {
+ dynamicClusterClient kcpdynamic.ClusterInterface
+}
+
+func NewDynamicClusterClientInitializer(dynamicClusterClient kcpdynamic.ClusterInterface) *dynamicClusterClientInitializer {
+ return &dynamicClusterClientInitializer{
+ dynamicClusterClient: dynamicClusterClient,
+ }
+}
+
+func (i *dynamicClusterClientInitializer) Initialize(plugin admission.Interface) {
+ if wants, ok := plugin.(WantsDynamicClusterClient); ok {
+ wants.SetDynamicClusterClient(i.dynamicClusterClient)
+ }
+}

pkg/admission/initializers/interfaces.go

@@ -17,6 +17,7 @@ limitations under the License.
 package initializers
 
 import (
+ kcpdynamic "github.com/kcp-dev/client-go/dynamic"
  kcpkubernetesinformers "github.com/kcp-dev/client-go/informers"
  kcpkubernetesclientset "github.com/kcp-dev/client-go/kubernetes"
 
@@ -60,3 +61,9 @@ type WantsDeepSARClient interface {
 type WantsServerShutdownChannel interface {
  SetServerShutdownChannel(<-chan struct{})
 }
+
+// WantsDynamicClusterClient is an interface that should be implemented by admission plugins that need a dynamic cluster
+// client.
+type WantsDynamicClusterClient interface {
+ SetDynamicClusterClient(clusterInterface kcpdynamic.ClusterInterface)
+}

pkg/admission/validatingadmissionpolicy/validating_admission_policy.go

@@ -27,11 +27,10 @@ import (
  "github.com/kcp-dev/logicalcluster/v3"
 
  "k8s.io/apiserver/pkg/admission"
+ "k8s.io/apiserver/pkg/admission/initializer"
  "k8s.io/apiserver/pkg/admission/plugin/validatingadmissionpolicy"
- "k8s.io/apiserver/pkg/dynamichack"
  genericapirequest "k8s.io/apiserver/pkg/endpoints/request"
  "k8s.io/client-go/discovery/cached/memory"
- "k8s.io/client-go/dynamic"
  "k8s.io/client-go/restmapper"
  "k8s.io/component-base/featuregate"
  "k8s.io/klog/v2"
@@ -53,7 +52,10 @@ func Register(plugins *admission.Plugins) {
 }
 
 func NewKubeValidatingAdmissionPolicy() *KubeValidatingAdmissionPolicy {
- return &KubeValidatingAdmissionPolicy{}
+ return &KubeValidatingAdmissionPolicy{
+ Handler: admission.NewHandler(admission.Connect, admission.Create, admission.Delete, admission.Update),
+ delegates: make(map[logicalcluster.Name]*stoppableValidatingAdmissionPolicy),
+ }
 }
 
 type KubeValidatingAdmissionPolicy struct {
@@ -77,6 +79,9 @@ var _ admission.ValidationInterface = &KubeValidatingAdmissionPolicy{}
 var _ = initializers.WantsKcpInformers(&KubeValidatingAdmissionPolicy{})
 var _ = initializers.WantsKubeClusterClient(&KubeValidatingAdmissionPolicy{})
 var _ = initializers.WantsServerShutdownChannel(&KubeValidatingAdmissionPolicy{})
+var _ = initializers.WantsDynamicClusterClient(&KubeValidatingAdmissionPolicy{})
+var _ = initializer.WantsFeatures(&KubeValidatingAdmissionPolicy{})
+var _ = admission.InitializationValidator(&KubeValidatingAdmissionPolicy{})
 
 func (k *KubeValidatingAdmissionPolicy) SetKubeClusterClient(kubeClusterClient kcpkubernetesclientset.ClusterInterface) {
  k.kubeClusterClient = kubeClusterClient
@@ -87,14 +92,23 @@ func (k *KubeValidatingAdmissionPolicy) SetKcpInformers(local, global kcpinforme
 }
 
 func (k *KubeValidatingAdmissionPolicy) SetKubeInformers(local, global kcpkubernetesinformers.SharedInformerFactory) {
+ k.kubeSharedInformerFactory = local
 }
 
 func (k *KubeValidatingAdmissionPolicy) SetServerShutdownChannel(ch <-chan struct{}) {
  k.serverDone = ch
 }
 
-func (k *KubeValidatingAdmissionPolicy) SetDynamicClient(c dynamic.Interface) {
- k.dynamicClusterClient = dynamichack.Unwrap(c)
+func (k *KubeValidatingAdmissionPolicy) SetDynamicClusterClient(c kcpdynamic.ClusterInterface) {
+ k.dynamicClusterClient = c
+}
+
+func (k *KubeValidatingAdmissionPolicy) InspectFeatureGates(featureGates featuregate.FeatureGate) {
+ k.featureGates = featureGates
+}
+
+func (k *KubeValidatingAdmissionPolicy) ValidateInitialization() error {
+ return nil
 }
 
 func (k *KubeValidatingAdmissionPolicy) Validate(ctx context.Context, a admission.Attributes, o admission.ObjectInterfaces) error {

pkg/server/config.go

@@ -480,6 +480,7 @@ func NewConfig(opts kcpserveroptions.CompletedOptions) (*Config, error) {
  // with the default secure port, when the config is later completed.
  kcpadmissioninitializers.NewKubeQuotaConfigurationInitializer(quotaConfiguration),
  kcpadmissioninitializers.NewServerShutdownInitializer(c.quotaAdmissionStopCh),
+ kcpadmissioninitializers.NewDynamicClusterClientInitializer(c.DynamicClusterClient),
  }
 
  c.ShardBaseURL = func() string {

pkg/server/options/options.go

@@ -136,6 +136,11 @@ func NewOptions(rootDir string) *Options {
  // turn on the watch cache
  o.GenericControlPlane.Etcd.EnableWatchCache = true
 
+ // Turn on admissionregistration for validating admission policy
+ if err := o.GenericControlPlane.APIEnablement.RuntimeConfig.Set("admissionregistration.k8s.io/v1alpha1=true"); err != nil {
+ panic(fmt.Errorf("error setting APIEnablement: %w", err))
+ }
+
  return o
 }
 

pkg/virtual/apiexport/schemas/builtin/builtin.go

@@ -20,6 +20,7 @@ import (
  "fmt"
 
  admissionregistrationv1 "k8s.io/api/admissionregistration/v1"
+ admissionregistrationv1alpha1 "k8s.io/api/admissionregistration/v1alpha1"
  certificatesv1 "k8s.io/api/certificates/v1"
  coordinationv1 "k8s.io/api/coordination/v1"
  corev1 "k8s.io/api/core/v1"
@@ -243,4 +244,24 @@ var BuiltInAPIs = []internalapis.InternalAPI{
  Instance: &eventsv1.Event{},
  ResourceScope: apiextensionsv1.NamespaceScoped,
  },
+ {
+ Names: apiextensionsv1.CustomResourceDefinitionNames{
+ Plural: "validatingadmissionpolicies",
+ Singular: "validatingadmissionpolicy",
+ Kind: "ValidatingAdmissionPolicy",
+ },
+ GroupVersion: schema.GroupVersion{Group: "admissionregistration.k8s.io", Version: "v1alpha1"},
+ Instance: &admissionregistrationv1alpha1.ValidatingAdmissionPolicy{},
+ ResourceScope: apiextensionsv1.ClusterScoped,
+ },
+ {
+ Names: apiextensionsv1.CustomResourceDefinitionNames{
+ Plural: "validatingadmissionpolicybindings",
+ Singular: "validatingadmissionpolicybinding",
+ Kind: "ValidatingAdmissionPolicyBinding",
+ },
+ GroupVersion: schema.GroupVersion{Group: "admissionregistration.k8s.io", Version: "v1alpha1"},
+ Instance: &admissionregistrationv1alpha1.ValidatingAdmissionPolicyBinding{},
+ ResourceScope: apiextensionsv1.ClusterScoped,
+ },
 }