Add toggle to (en|dis)able the new ValidatingAdmissionPolicy feature

Nordix · Aug 16, 2024 · 086ac5d · 086ac5d
1 parent ed88c72
commit 086ac5d
Show file tree

Hide file tree

Showing 3 changed files with 16 additions and 9 deletions.
diff --git a/deployments/porch/3-porch-server.yaml b/deployments/porch/3-porch-server.yaml
@@ -76,6 +76,7 @@ spec:
             - --cert-dir=/tmp/certs
             - --secure-port=4443
             - --repo-sync-frequency=60s
+            - --disable-validating-admissions-policy=true
 
 ---
 apiVersion: v1

diff --git a/deployments/porch/5-rbac.yaml b/deployments/porch/5-rbac.yaml
@@ -22,7 +22,7 @@ rules:
     verbs: ["get", "watch", "list"]
   - apiGroups: ["admissionregistration.k8s.io"]
     resources:
-      ["mutatingwebhookconfigurations", "validatingwebhookconfigurations", "validatingadmissionpolicies", "validatingadmissionpolicybindings"]
+      ["mutatingwebhookconfigurations", "validatingwebhookconfigurations"]
     verbs: ["get", "watch", "list", "create", "patch", "delete"]
   - apiGroups: ["porch.kpt.dev"]
     resources: ["functions"]

diff --git a/pkg/cmd/server/start.go b/pkg/cmd/server/start.go
@@ -49,14 +49,15 @@ const (
 
 // PorchServerOptions contains state for master/api server
 type PorchServerOptions struct {
-	RecommendedOptions       *genericoptions.RecommendedOptions
-	LocalStandaloneDebugging bool // Enables local standalone running/debugging of the apiserver.
-	CacheDirectory           string
-	CoreAPIKubeconfigPath    string
-	FunctionRunnerAddress    string
-	DefaultImagePrefix       string
-	RepoSyncFrequency        time.Duration
-	UseGitCaBundle           bool
+	RecommendedOptions       			*genericoptions.RecommendedOptions
+	LocalStandaloneDebugging 			bool // Enables local standalone running/debugging of the apiserver.
+	CacheDirectory           			string
+	CoreAPIKubeconfigPath    			string
+	FunctionRunnerAddress    			string
+	DefaultImagePrefix       			string
+	RepoSyncFrequency        			time.Duration
+	UseGitCaBundle           			bool
+	DisableValidatingAdmissionPolicy 	bool
 
 	SharedInformerFactory informers.SharedInformerFactory
 	StdOut                io.Writer
@@ -172,6 +173,10 @@ func (o *PorchServerOptions) Config() (*apiserver.Config, error) {
 		return []admission.PluginInitializer{}, nil
 	}
 
+	if o.DisableValidatingAdmissionPolicy {
+		o.RecommendedOptions.Admission.DisablePlugins = []string{"ValidatingAdmissionPolicy"}
+	}
+
 	serverConfig := genericapiserver.NewRecommendedConfig(apiserver.Codecs)
 
 	serverConfig.OpenAPIConfig = genericapiserver.DefaultOpenAPIConfig(sampleopenapi.GetOpenAPIDefinitions, openapi.NewDefinitionNamer(apiserver.Scheme))
@@ -241,5 +246,6 @@ func (o *PorchServerOptions) AddFlags(fs *pflag.FlagSet) {
 	fs.StringVar(&o.DefaultImagePrefix, "default-image-prefix", "gcr.io/kpt-fn/", "Default prefix for unqualified function names")
 	fs.StringVar(&o.CacheDirectory, "cache-directory", "", "Directory where Porch server stores repository and package caches.")
 	fs.BoolVar(&o.UseGitCaBundle, "use-git-cabundle", false, "Determine whether to use a user-defined CaBundle for TLS towards git.")
+	fs.BoolVar(&o.DisableValidatingAdmissionPolicy, "disable-validating-admissions-policy", true, "Determine whether to (dis|en)able the Validating Admission Policy, which requires k8s version >= v1.30")
 	fs.DurationVar(&o.RepoSyncFrequency, "repo-sync-frequency", 60*time.Second, "Frequency in seconds at which registered repositories will be synced.")
 }