Usage of `namePrefix` or `nameSuffix` with Validating Admission Policy results in a silently broken ValidatingAdmissionPolicyBinding #5674
Comments
Forgot to mention. I think there is a workaround. Replace:

```yaml
namePrefix: "silently-wont-bind-"
```

With:

```yaml
transformers:
- |-
  apiVersion: builtin
  kind: PrefixSuffixTransformer
  metadata:
    name: prefix-all-names
  prefix: silently-wont-bind-
  fieldSpecs:
  - path: metadata/name
  - group: admissionregistration.k8s.io
    kind: ValidatingAdmissionPolicyBinding
    path: spec/policyName
```

/assign

I think this ideally should be addressed in Kustomize itself because Validating Admission Policy APIs are now stable starting Kubernetes 1.30. But for those who are looking to make it work right now here is an alternative workaround with Assuming

```yaml
configurations:
- kustomizeconfig.yaml
namePrefix: "silently-wont-bind-"
resources:
- admission.yaml
```

And introduce

```yaml
nameReference:
- kind: ValidatingAdmissionPolicy
  group: admissionregistration.k8s.io
  fieldSpecs:
  - kind: ValidatingAdmissionPolicyBinding
    group: admissionregistration.k8s.io
    path: spec/policyName
```

Hi there, @m1kola! This makes sense to me. I'm planning to take a look at what it would take to update Kustomize for this later today.

/triage accepted

What happened?

Validating Admission Policy APIs do not seem to be supported at the moment by the `namePrefix` and `nameSuffix` fields.

As a result, manifests that contain a `ValidatingAdmissionPolicy` and `ValidatingAdmissionPolicyBinding` pair are being partially transformed: their names are being changed, however `ValidatingAdmissionPolicyBinding` ends up referencing `ValidatingAdmissionPolicy` without the prefix/suffix in the `.spec.policyName` field.

The resulting `ValidatingAdmissionPolicy` and `ValidatingAdmissionPolicyBinding` can still be applied to the cluster, but they will have no effect on admission.

What did you expect to happen?

Name reference in `.spec.policyName` gets updated.

How can we reproduce it (as minimally and precisely as possible)?

Consider the following `kustomization.yaml`:

And `admission.yaml`:

Expected output

Actual output

After `kustomize build` this results in the following:

Note: this output can still be applied to the cluster without any errors. But the admission policy will not have any effect. This can be tested with this deployment (policy denies deployments prefixed with `my-`):

Kustomize version

v5.4.1

Operating system

MacOS
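
A CI-style check for the failure described in this issue, added here as an example (not code from the issue or from Kustomize): it reads `kustomize build` output and reports every ValidatingAdmissionPolicyBinding whose `spec.policyName` names no ValidatingAdmissionPolicy in the same output. The object names in the sample are constructed, and the minimal field extractor assumes the block-style, two-space-indented YAML that `kustomize build` emits.

```python
import re
import sys

# Constructed sample (names are made up): `kustomize build` output in which
# namePrefix renamed both objects but spec.policyName kept the old name.
SAMPLE_BROKEN = """\
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicy
metadata:
  name: silently-wont-bind-example-policy
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicyBinding
metadata:
  name: silently-wont-bind-example-binding
spec:
  policyName: example-policy
  validationActions:
  - Deny
"""
SAMPLE_FIXED = SAMPLE_BROKEN.replace(
    "policyName: example-policy", "policyName: silently-wont-bind-example-policy")

WANTED = {("metadata", "name"), ("spec", "policyName")}

def _fields(doc):
    """(kind, metadata.name, spec.policyName) of one block-style YAML document."""
    top, out = None, {}
    for line in doc.splitlines():
        m = re.match(r"^( *)([A-Za-z]+):[ \t]*(.*)$", line)
        if not m:
            continue  # list items, blank lines
        indent, key, val = len(m.group(1)), m.group(2), m.group(3).strip("\"' ")
        if indent == 0:
            top = key
        if (indent == 0 and key == "kind") or (indent == 2 and (top, key) in WANTED):
            out[key] = val
    return out.get("kind"), out.get("name"), out.get("policyName")

def dangling_bindings(rendered):
    """[(binding name, policyName)] for bindings whose policy is not in the output."""
    docs = [_fields(d) for d in re.split(r"(?m)^---[ \t]*$", rendered) if d.strip()]
    policies = {name for kind, name, _ in docs if kind == "ValidatingAdmissionPolicy"}
    return [(name, ref) for kind, name, ref in docs
            if kind == "ValidatingAdmissionPolicyBinding" and ref not in policies]

if __name__ == "__main__":
    bad = dangling_bindings(sys.stdin.read())
    for name, ref in bad:
        print(f"{name}: spec.policyName {ref!r} matches no ValidatingAdmissionPolicy")
    sys.exit(1 if bad else 0)
```

Run it as `kustomize build . | python check_vap_bindings.py` (the file name is hypothetical). A binding that points at a policy installed outside this build is reported as well.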