api: Enables the binding of APIs in protected groups #1104
One comment. Otherwise, looks very good.
Unless I'm mistaken, the changes from 1ed6920 aren't strictly required for the protected API use case. My understanding is that the approved annotation is set at the end of the import execution path, when the kcp/pkg/reconciler/apis/apiresource/negotiation.go Lines 702 to 707 in 5dd2f2a
That being said, it would be required if we were to propagate the set of annotations arbitrarily, then the set would have to be transported along the resources chain (
But it does not hurt either. Bonus: we don't get this fake pull request number 4, but the real one in case of CRDs on the pcluster side.
Agreed, that's a good point about that fake approval PR 👍🏼.
Summary

This PR enables the binding of APIs whose groups are protected, as defined in kubernetes/enhancements#1111.

The proposed solution delegates to the user the responsibility of adding the `api-approved.kubernetes.io` annotation to the `APIResourceSchema` resource, as for standard CRDs, so it makes it explicit, and prevents accidentally declaring APIs in a protected group. With this PR, the APIBinding controller will simply propagate the annotation to the projected CRDs.

In the API import case, where CRDs are generated following the creation of `APIResourceImport` resources, the `NegotiatedAPIResource` controller already adds the approval annotation, assuming the API has already been explicitly declared as approved in the downstream workload cluster.

TODO:
- `APIResourceSchema` resources to the generated CRDs
- `APIResourceSchema` resources in protected groups without the approval annotation
- `APIBinding` condition message when the generated CRD is invalid

Related issue(s)

Fixes #1083
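An added example (not code from this PR or from kcp) of the behaviour the summary describes: only the approval annotation is carried from the schema to the generated CRD, and a protected group without a usable approval value is rejected. The helper `projectAnnotations`, the accepted value forms (a URL with scheme and host, or a value starting with `unapproved`), and the sample inputs are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Annotation key named in the PR summary.
const approvalAnnotation = "api-approved.kubernetes.io"

// isProtectedGroup reports whether group is k8s.io, kubernetes.io or a subdomain.
func isProtectedGroup(group string) bool {
	for _, d := range []string{"k8s.io", "kubernetes.io"} {
		if group == d || strings.HasSuffix(group, "."+d) {
			return true
		}
	}
	return false
}

// approvalOK accepts an absolute URL or an explicit "unapproved..." bypass (assumed rule).
func approvalOK(value string) bool {
	if strings.HasPrefix(value, "unapproved") {
		return true
	}
	u, err := url.ParseRequestURI(value)
	return err == nil && u.Scheme != "" && u.Host != ""
}

// projectAnnotations (hypothetical helper) copies only the approval annotation
// to the generated CRD and fails closed for protected groups.
func projectAnnotations(group string, schema map[string]string) (map[string]string, error) {
	crd := map[string]string{}
	value, found := schema[approvalAnnotation]
	if found {
		crd[approvalAnnotation] = value
	}
	if isProtectedGroup(group) && !approvalOK(value) {
		return nil, fmt.Errorf("group %q is protected: %s missing or invalid", group, approvalAnnotation)
	}
	return crd, nil
}

func main() {
	// Constructed sample inputs.
	_, err := projectAnnotations("widgets.k8s.io", map[string]string{"owner": "team-a"})
	fmt.Println("schema without approval:", err)
	crd, _ := projectAnnotations("widgets.k8s.io", map[string]string{approvalAnnotation: "https://example.invalid/api-review"})
	fmt.Println("schema with approval:", crd)
}
```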