[release-v1.42] Manage ValidatingAdmissionPolicies in admission imports (#4878) #4943
Open
lucastigera wants to merge 2 commits into
The admission import directory now carries a ValidatingAdmissionPolicy (protect-builtin-tiers) alongside the MAPs. Parse non-MutatingAdmissionPolicy kinds and manage the VAP + binding, discovering its served API version independently.

Without this, operator builds whose embedded admission set is synced from calico release-v3.32 (which ships protect-builtin-tiers.yaml via projectcalico/calico#12982) panic at startup with: `unexpected kind "ValidatingAdmissionPolicy" in protect-builtin-tiers.yaml`

Backport of tigera#4878 to release-v1.42. Adapted for v1.42: the enterprise ProductVariant constant is opv1.TigeraSecureEnterprise (not CalicoEnterprise).

(cherry picked from commit eeb4d80)
…sions

Point libcalico-go in calico_versions.yml and enterprise_versions.yml at the release-v3.32 (OSS) and release-calient-v3.23 (enterprise) branches so gen-versions pulls the protect-builtin-tiers ValidatingAdmissionPolicy, and regenerate the bundled pkg/imports manifests to match.

Note: the enterprise protect-builtin-tiers.yaml is kept manually until tigera/calico-private#12356 moves it into api/admission/ on the release branch; gen-versions will own it once that merges.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Backport of #4878 to release-v1.42

Backports #4878 ("Manage ValidatingAdmissionPolicies in admission imports").

Why

Calico now ships a `ValidatingAdmissionPolicy` at `api/admission/protect-builtin-tiers.yaml` (OSS via projectcalico/calico#12982). The operator copies `api/admission/*` into its embedded set, but the v1.42 admission-import code only knows how to parse `MutatingAdmissionPolicy` kinds, so it panics on the VAP instead of managing it. Operator builds whose embedded admission set is synced from calico `release-v3.32` panic at startup: `unexpected kind "ValidatingAdmissionPolicy" in protect-builtin-tiers.yaml`

#4878 teaches the operator to parse/skip unknown kinds and to bootstrap + reconcile the VAP and its binding, discovering the served API version independently.

Changes

- -x), adapted for v1.42: the enterprise `ProductVariant` constant here is `opv1.TigeraSecureEnterprise` (master uses `CalicoEnterprise`).
- `gen-versions` sync of the bundled `pkg/imports` CRDs/admission policies, with `libcalico-go` pinned at the `release-v3.32` (OSS) / `release-calient-v3.23` (enterprise) branches so the VAP manifests are pulled in.
- `validate-gen-versions` / `dirty-check` will fail until tigera/calico-private#12356 lands. That PR moves the enterprise `protect-builtin-tiers.yaml` from `api/config/admission/` to `api/admission/` on `release-calient-v3.23` (the wire-up commit #12159 was never backported to that branch). Until it merges, `make gen-versions` deletes the enterprise manifest, producing a dirty diff. The enterprise `protect-builtin-tiers.yaml` is kept manually here in the meantime; `gen-versions` will own it once #12356 merges.

Tests pass locally:

- `pkg/imports/admission` — 13/13
- `pkg/controller/installation` (VAP-focused) — 7/7
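The parse/skip and independent version-discovery behaviour described above, as an added Go example that is not the operator's own code: `LoadAdmissionSet` splits an embedded multi-document manifest and reports kinds it does not manage instead of aborting on them, and `ServedVersion` resolves each resource's API version separately against a discovery table. The sample manifest, the discovery table and the line scan standing in for a YAML decoder are all constructed assumptions.

```go
package main
import "strings"
// Constructed embedded admission set: one MAP, the VAP, and an unrelated kind
// that the loader must skip rather than abort on.
const sampleManifest = `apiVersion: admissionregistration.k8s.io/v1beta1
kind: MutatingAdmissionPolicy
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicy
---
apiVersion: v1
kind: ConfigMap
`
// Constructed stand-in for API discovery: resource -> versions the server serves.
var discovery = map[string][]string{
	"mutatingadmissionpolicies":   {"admissionregistration.k8s.io/v1alpha1"},
	"validatingadmissionpolicies": {"admissionregistration.k8s.io/v1beta1", "admissionregistration.k8s.io/v1"},
}
// LoadAdmissionSet splits a multi-document manifest and reads each document's top-level
// "kind:" (a line scan stands in for a YAML decoder). The four admission policy kinds
// are counted; any other kind is returned as skipped instead of being fatal.
func LoadAdmissionSet(manifest string) (counts map[string]int, skipped []string) {
	counts = map[string]int{}
	for _, doc := range strings.Split(manifest, "\n---\n") {
		var kind string
		for _, line := range strings.Split(doc, "\n") {
			if strings.HasPrefix(line, "kind:") {
				kind = strings.TrimSpace(strings.TrimPrefix(line, "kind:"))
			}
		}
		switch k := strings.TrimSuffix(kind, "Binding"); {
		case kind == "": // empty document, nothing to do
		case k == "MutatingAdmissionPolicy", k == "ValidatingAdmissionPolicy":
			counts[kind]++
		default:
			skipped = append(skipped, kind)
		}
	}
	return counts, skipped
}
// ServedVersion returns the first preferred version that discovery reports for a
// resource, so the VAP version is resolved independently of the MAP version.
func ServedVersion(resource string, preferred ...string) (string, bool) {
	for _, want := range preferred {
		for _, have := range discovery[resource] {
			if have == want {
				return want, true
			}
		}
	}
	return "", false
}
```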