change admission review to v1

Signed-off-by: Jian Qiu <[email protected]>

deploy/webhook/clusterrole.yaml

@@ -11,3 +11,6 @@ rules:
 - apiGroups: ["authorization.k8s.io"]
   resources: ["subjectaccessreviews"]
   verbs: ["create"]
+- apiGroups: ["flowcontrol.apiserver.k8s.io"]
+  resources: ["prioritylevelconfigurations", "flowschemas"]
+  verbs: ["get", "list", "watch"]

deploy/webhook/webhook.yaml

@@ -21,7 +21,7 @@ webhooks:
     - "*"
     resources:
     - managedclusters
-  admissionReviewVersions: ["v1beta1"]
+  admissionReviewVersions: ["v1"]
   sideEffects: None
   timeoutSeconds: 3
 
@@ -50,7 +50,7 @@ webhooks:
     - "*"
     resources:
     - managedclusters
-  admissionReviewVersions: ["v1beta1"]
+  admissionReviewVersions: ["v1"]
   sideEffects: None
   timeoutSeconds: 3
 
@@ -79,6 +79,6 @@ webhooks:
     - "*"
     resources:
     - managedclustersetbindings
-  admissionReviewVersions: ["v1beta1"]
+  admissionReviewVersions: ["v1"]
   sideEffects: None
   timeoutSeconds: 3

go.mod

@@ -11,7 +11,7 @@ require (
 	github.com/open-cluster-management/api v0.0.0-20210409125704-06f2aec1a73f
 	github.com/openshift/api v0.0.0-20210331193751-3acddb19d360
 	github.com/openshift/build-machinery-go v0.0.0-20210209125900-0da259a2c359
-	github.com/openshift/generic-admission-server v1.14.1-0.20200903115324-4ddcdd976480
+	github.com/openshift/generic-admission-server v1.14.1-0.20210422140326-da96454c926d
 	github.com/openshift/library-go v0.0.0-20210407140145-f831e911c638
 	github.com/spf13/cobra v1.1.1
 	github.com/spf13/pflag v1.0.5

go.sum

@@ -436,8 +436,8 @@ github.com/openshift/build-machinery-go v0.0.0-20210115170933-e575b44a7a94/go.mo
 github.com/openshift/build-machinery-go v0.0.0-20210209125900-0da259a2c359 h1:ehSDsWQiUVzJZrSEXMC7ceV9JIPEyTYqrpqu3m4Wa08=
 github.com/openshift/build-machinery-go v0.0.0-20210209125900-0da259a2c359/go.mod h1:b1BuldmJlbA/xYtdZvKi+7j5YGB44qJUJDZ9zwiNCfE=
 github.com/openshift/client-go v0.0.0-20210331195552-cf6c2669e01f/go.mod h1:hHaRJ6vp2MRd/CpuZ1oJkqnMGy5eEnoAkQmKPZKcUPI=
-github.com/openshift/generic-admission-server v1.14.1-0.20200903115324-4ddcdd976480 h1:y47BAJFepK8Xls1c+quIOyc46OXiT9LRiqGVjIaMlSA=
-github.com/openshift/generic-admission-server v1.14.1-0.20200903115324-4ddcdd976480/go.mod h1:OAHL5WnZphlhVEf5fTdeGLvNwMu1B2zCWpmxJpCA35o=
+github.com/openshift/generic-admission-server v1.14.1-0.20210422140326-da96454c926d h1:Z5xcujYaukvRqLWxBiIRn6KdM5Pd1De01fmfD1Rr4dk=
+github.com/openshift/generic-admission-server v1.14.1-0.20210422140326-da96454c926d/go.mod h1:m+wYlVQdnPe8JGqoKVpCYnFRIVraqC1SrUowQXh6XlA=
 github.com/openshift/library-go v0.0.0-20210407140145-f831e911c638 h1:JVMywK3dwzPAwpTCWIHn2Emx5L11I+0OR15CZXHI4do=
 github.com/openshift/library-go v0.0.0-20210407140145-f831e911c638/go.mod h1:pnz961veImKsbn7pQcuFbcVpCQosYiC1fUOjzEDeOLU=
 github.com/pascaldekloe/goe v0.0.0-20180627143212-57f6aae5913c/go.mod h1:lzWF7FIEvWOWxwDKqyGYQf6ZUaNfKdP144TG7ZOy1lc=
@@ -919,6 +919,7 @@ honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9
 k8s.io/api v0.17.0/go.mod h1:npsyOePkeP0CPwyGfXDHxvypiYMJxBWAMpQxCaJ4ZxI=
 k8s.io/api v0.18.0-beta.2/go.mod h1:2oeNnWEqcSmaM/ibSh3t7xcIqbkGXhzZdn4ezV9T4m0=
 k8s.io/api v0.19.0/go.mod h1:I1K45XlvTrDjmj5LoM5LuP/KYrhWbjUKT/SoPG0qTjw=
+k8s.io/api v0.19.5/go.mod h1:yGZReuNa0vj56op6eT+NLrXJne0R0u9ktexZ8jdJzpc=
 k8s.io/api v0.20.0 h1:WwrYoZNM1W1aQEbyl8HNG+oWGzLpZQBlcerS9BQw9yI=
 k8s.io/api v0.20.0/go.mod h1:HyLC5l5eoS/ygQYl1BXBgFzWNlkHiAuyNAbevIn+FKg=
 k8s.io/api v0.21.0-rc.0 h1:t/kW96KdNJNamYNqxaxRirahK+FaWJQ6BJPbXm5Jb+o=
@@ -932,6 +933,7 @@ k8s.io/apiextensions-apiserver v0.21.0-rc.0/go.mod h1:ItIoMBJU1gy93Qwr/B2699r4b0
 k8s.io/apimachinery v0.17.0/go.mod h1:b9qmWdKlLuU9EBh+06BtLcSf/Mu89rWL33naRxs1uZg=
 k8s.io/apimachinery v0.18.0-beta.2/go.mod h1:9SnR/e11v5IbyPCGbvJViimtJ0SwHG4nfZFjU77ftcA=
 k8s.io/apimachinery v0.19.0/go.mod h1:DnPGDnARWFvYa3pMHgSxtbZb7gpzzAZ1pTfaUNDVlmA=
+k8s.io/apimachinery v0.19.5/go.mod h1:6sRbGRAVY5DOCuZwB5XkqguBqpqLU6q/kOaOdk29z6Q=
 k8s.io/apimachinery v0.20.0 h1:jjzbTJRXk0unNS71L7h3lxGDH/2HPxMPaQY+MjECKL8=
 k8s.io/apimachinery v0.20.0/go.mod h1:WlLqWAHZGg07AeltaI0MV5uk1Omp8xaN0JGLY6gkRpU=
 k8s.io/apimachinery v0.21.0-rc.0 h1:m9dyzHb8QZAHOZKIz2SiabSif1oLsfgrnwiago/9xJA=
@@ -944,6 +946,7 @@ k8s.io/apiserver v0.21.0-rc.0/go.mod h1:QlW7+1CZTZtAcKvJ34/n4DIb8sC93FeQpkd1KSU+
 k8s.io/client-go v0.17.0/go.mod h1:TYgR6EUHs6k45hb6KWjVD6jFZvJV4gHDikv/It0xz+k=
 k8s.io/client-go v0.18.0-beta.2/go.mod h1:UvuVxHjKWIcgy0iMvF+bwNDW7l0mskTNOaOW1Qv5BMA=
 k8s.io/client-go v0.19.0/go.mod h1:H9E/VT95blcFQnlyShFgnFT9ZnJOAceiUHM3MlRC+mU=
+k8s.io/client-go v0.19.5/go.mod h1:BSG3iuxI40Bs0nNDLS1JRa/7ReBQDHzf0x8nZZrK0fo=
 k8s.io/client-go v0.20.0 h1:Xlax8PKbZsjX4gFvNtt4F5MoJ1V5prDvCuoq9B7iax0=
 k8s.io/client-go v0.20.0/go.mod h1:4KWh/g+Ocd8KkCwKF8vUNnmqgv+EVnQDK4MBF4oB5tY=
 k8s.io/client-go v0.21.0-rc.0 h1:lsPZHT1ZniXJcwg2udlaTOhAT8wf7BE0rn9Vj0+LWMA=
@@ -956,6 +959,7 @@ k8s.io/code-generator v0.21.0-rc.0/go.mod h1:hUlps5+9QaTrKx+jiM4rmq7YmH8wPOIko64
 k8s.io/component-base v0.17.0/go.mod h1:rKuRAokNMY2nn2A6LP/MiwpoaMRHpfRnrPaUJJj1Yoc=
 k8s.io/component-base v0.18.0-beta.2/go.mod h1:HVk5FpRnyzQ/MjBr9//e/yEBjTVa2qjGXCTuUzcD7ks=
 k8s.io/component-base v0.19.0/go.mod h1:dKsY8BxkA+9dZIAh2aWJLL/UdASFDNtGYTCItL4LM7Y=
+k8s.io/component-base v0.19.5/go.mod h1:5N/uv5A7fyr0d+t/b1HynXKkUVPEhc8ljkMaBJv4Tp8=
 k8s.io/component-base v0.21.0-rc.0 h1:8YgFPDsIhRx7zCOxikZn77nYRnwxrc9aMiuQDJtK1+g=
 k8s.io/component-base v0.21.0-rc.0/go.mod h1:XlP0bM7QJFWRGZYPc5NmphkvsYQ+o7804HWH3GTGjDY=
 k8s.io/gengo v0.0.0-20190128074634-0689ccc1d7d6/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0=

pkg/webhook/cluster/mutating_webhook.go

@@ -6,7 +6,7 @@ import (
 
 	clusterv1 "github.com/open-cluster-management/api/cluster/v1"
 
-	admissionv1beta1 "k8s.io/api/admission/v1beta1"
+	admissionv1 "k8s.io/api/admission/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime/schema"
 	"k8s.io/client-go/rest"
@@ -30,10 +30,10 @@ func (a *ManagedClusterMutatingAdmissionHook) MutatingResource() (schema.GroupVe
 }
 
 // Admit is called by generic-admission-server when the registered REST resource above is called with an admission request.
-func (a *ManagedClusterMutatingAdmissionHook) Admit(req *admissionv1beta1.AdmissionRequest) *admissionv1beta1.AdmissionResponse {
+func (a *ManagedClusterMutatingAdmissionHook) Admit(req *admissionv1.AdmissionRequest) *admissionv1.AdmissionResponse {
 	klog.V(4).Infof("mutate %q operation for object %q", req.Operation, req.Object)
 
-	status := &admissionv1beta1.AdmissionResponse{
+	status := &admissionv1.AdmissionResponse{
 		Allowed: true,
 	}
 
@@ -44,7 +44,7 @@ func (a *ManagedClusterMutatingAdmissionHook) Admit(req *admissionv1beta1.Admiss
 	}
 
 	// only mutate create and update operation
-	if req.Operation != admissionv1beta1.Create && req.Operation != admissionv1beta1.Update {
+	if req.Operation != admissionv1.Create && req.Operation != admissionv1.Update {
 		return status
 	}
 
@@ -61,7 +61,7 @@ func (a *ManagedClusterMutatingAdmissionHook) Admit(req *admissionv1beta1.Admiss
 	// If LeaseDurationSeconds value is zero, update it to 60 by default
 	if managedCluster.Spec.LeaseDurationSeconds == 0 {
 		status.Patch = []byte(defaultLeaseDurationSecondsPatch)
-		pt := admissionv1beta1.PatchTypeJSONPatch
+		pt := admissionv1.PatchTypeJSONPatch
 		status.PatchType = &pt
 	}
 

pkg/webhook/cluster/mutating_webhook_test.go

@@ -6,63 +6,63 @@ import (
 	"testing"
 
 	testinghelpers "github.com/open-cluster-management/registration/pkg/helpers/testing"
-	admissionv1beta1 "k8s.io/api/admission/v1beta1"
+	admissionv1 "k8s.io/api/admission/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 )
 
 func TestManagedClusterMutate(t *testing.T) {
-	pt := admissionv1beta1.PatchTypeJSONPatch
+	pt := admissionv1.PatchTypeJSONPatch
 	cases := []struct {
 		name                   string
-		request                *admissionv1beta1.AdmissionRequest
-		expectedResponse       *admissionv1beta1.AdmissionResponse
+		request                *admissionv1.AdmissionRequest
+		expectedResponse       *admissionv1.AdmissionResponse
 		allowUpdateAcceptField bool
 	}{
 		{
 			name: "mutate non-managedclusters request",
-			request: &admissionv1beta1.AdmissionRequest{
+			request: &admissionv1.AdmissionRequest{
 				Resource: metav1.GroupVersionResource{
 					Group:    "test.open-cluster-management.io",
 					Version:  "v1",
 					Resource: "tests",
 				},
 			},
-			expectedResponse: &admissionv1beta1.AdmissionResponse{
+			expectedResponse: &admissionv1.AdmissionResponse{
 				Allowed: true,
 			},
 		},
 		{
 			name: "mutate deleting operation",
-			request: &admissionv1beta1.AdmissionRequest{
+			request: &admissionv1.AdmissionRequest{
 				Resource:  managedclustersSchema,
-				Operation: admissionv1beta1.Delete,
+				Operation: admissionv1.Delete,
 			},
-			expectedResponse: &admissionv1beta1.AdmissionResponse{
+			expectedResponse: &admissionv1.AdmissionResponse{
 				Allowed: true,
 			},
 		},
 		{
 			name: "mutate a ManagedCluster without LeaseDurationSeconds setting",
-			request: &admissionv1beta1.AdmissionRequest{
+			request: &admissionv1.AdmissionRequest{
 				Resource:  managedclustersSchema,
-				Operation: admissionv1beta1.Create,
+				Operation: admissionv1.Create,
 				Object:    newManagedClusterObj(),
 			},
-			expectedResponse: &admissionv1beta1.AdmissionResponse{
+			expectedResponse: &admissionv1.AdmissionResponse{
 				Allowed:   true,
 				Patch:     []byte(`[{"op": "replace", "path": "/spec/leaseDurationSeconds", "value": 60}]`),
 				PatchType: &pt,
 			},
 		},
 		{
 			name: "mutate a ManagedCluster with LeaseDurationSeconds setting",
-			request: &admissionv1beta1.AdmissionRequest{
+			request: &admissionv1.AdmissionRequest{
 				Resource:  managedclustersSchema,
-				Operation: admissionv1beta1.Create,
+				Operation: admissionv1.Create,
 				Object:    newManagedClusterObjWithLeaseDurationSeconds(60),
 			},
-			expectedResponse: &admissionv1beta1.AdmissionResponse{
+			expectedResponse: &admissionv1.AdmissionResponse{
 				Allowed: true,
 			},
 		},

pkg/webhook/cluster/validating_webhook.go

@@ -11,7 +11,7 @@ import (
 
 	operatorhelpers "github.com/openshift/library-go/pkg/operator/v1helpers"
 
-	admissionv1beta1 "k8s.io/api/admission/v1beta1"
+	admissionv1 "k8s.io/api/admission/v1"
 	authenticationv1 "k8s.io/api/authentication/v1"
 	authorizationv1 "k8s.io/api/authorization/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -43,10 +43,10 @@ func (a *ManagedClusterValidatingAdmissionHook) ValidatingResource() (plural sch
 }
 
 // Validate is called by generic-admission-server when the registered REST resource above is called with an admission request.
-func (a *ManagedClusterValidatingAdmissionHook) Validate(admissionSpec *admissionv1beta1.AdmissionRequest) *admissionv1beta1.AdmissionResponse {
+func (a *ManagedClusterValidatingAdmissionHook) Validate(admissionSpec *admissionv1.AdmissionRequest) *admissionv1.AdmissionResponse {
 	klog.V(4).Infof("validate %q operation for object %q", admissionSpec.Operation, admissionSpec.Object)
 
-	status := &admissionv1beta1.AdmissionResponse{}
+	status := &admissionv1.AdmissionResponse{}
 
 	// only validate the request for managedcluster
 	if admissionSpec.Resource.Group != "cluster.open-cluster-management.io" ||
@@ -56,9 +56,9 @@ func (a *ManagedClusterValidatingAdmissionHook) Validate(admissionSpec *admissio
 	}
 
 	switch admissionSpec.Operation {
-	case admissionv1beta1.Create:
+	case admissionv1.Create:
 		return a.validateCreateRequest(admissionSpec)
-	case admissionv1beta1.Update:
+	case admissionv1.Update:
 		return a.validateUpdateRequest(admissionSpec)
 	default:
 		status.Allowed = true
@@ -74,8 +74,8 @@ func (a *ManagedClusterValidatingAdmissionHook) Initialize(kubeClientConfig *res
 }
 
 // validateCreateRequest validates create managed cluster operation
-func (a *ManagedClusterValidatingAdmissionHook) validateCreateRequest(request *admissionv1beta1.AdmissionRequest) *admissionv1beta1.AdmissionResponse {
-	status := &admissionv1beta1.AdmissionResponse{}
+func (a *ManagedClusterValidatingAdmissionHook) validateCreateRequest(request *admissionv1.AdmissionRequest) *admissionv1.AdmissionResponse {
+	status := &admissionv1.AdmissionResponse{}
 
 	// validate ManagedCluster object firstly
 	managedCluster, err := a.validateManagedClusterObj(request.Object)
@@ -106,8 +106,8 @@ func (a *ManagedClusterValidatingAdmissionHook) validateCreateRequest(request *a
 }
 
 // validateUpdateRequest validates update managed cluster operation.
-func (a *ManagedClusterValidatingAdmissionHook) validateUpdateRequest(request *admissionv1beta1.AdmissionRequest) *admissionv1beta1.AdmissionResponse {
-	status := &admissionv1beta1.AdmissionResponse{}
+func (a *ManagedClusterValidatingAdmissionHook) validateUpdateRequest(request *admissionv1.AdmissionRequest) *admissionv1.AdmissionResponse {
+	status := &admissionv1.AdmissionResponse{}
 
 	oldManagedCluster := &clusterv1.ManagedCluster{}
 	if err := json.Unmarshal(request.OldObject.Raw, oldManagedCluster); err != nil {
@@ -176,8 +176,8 @@ func (a *ManagedClusterValidatingAdmissionHook) validateManagedClusterObj(reques
 
 // allowUpdateHubAcceptsClientField using SubjectAccessReview API to check whether a request user has been authorized to update
 // HubAcceptsClient field
-func (a *ManagedClusterValidatingAdmissionHook) allowUpdateAcceptField(clusterName string, userInfo authenticationv1.UserInfo) *admissionv1beta1.AdmissionResponse {
-	status := &admissionv1beta1.AdmissionResponse{}
+func (a *ManagedClusterValidatingAdmissionHook) allowUpdateAcceptField(clusterName string, userInfo authenticationv1.UserInfo) *admissionv1.AdmissionResponse {
+	status := &admissionv1.AdmissionResponse{}
 
 	extra := make(map[string]authorizationv1.ExtraValue)
 	for k, v := range userInfo.Extra {
@@ -223,9 +223,9 @@ func (a *ManagedClusterValidatingAdmissionHook) allowUpdateAcceptField(clusterNa
 }
 
 // allowSetClusterSetLabel checks whether a request user has been authorized to set clusterset label
-func (a *ManagedClusterValidatingAdmissionHook) allowSetClusterSetLabel(userInfo authenticationv1.UserInfo, originalClusterSet, newClusterSet string) *admissionv1beta1.AdmissionResponse {
+func (a *ManagedClusterValidatingAdmissionHook) allowSetClusterSetLabel(userInfo authenticationv1.UserInfo, originalClusterSet, newClusterSet string) *admissionv1.AdmissionResponse {
 	if originalClusterSet == newClusterSet {
-		return &admissionv1beta1.AdmissionResponse{Allowed: true}
+		return &admissionv1.AdmissionResponse{Allowed: true}
 	}
 
 	if len(originalClusterSet) > 0 {
@@ -240,15 +240,15 @@ func (a *ManagedClusterValidatingAdmissionHook) allowSetClusterSetLabel(userInfo
 		}
 	}
 
-	return &admissionv1beta1.AdmissionResponse{
+	return &admissionv1.AdmissionResponse{
 		Allowed: true,
 	}
 }
 
 // allowUpdateClusterSet checks whether a request user has been authorized to add/remove a ManagedCluster
 // to/from the ManagedClusterSet
-func (a *ManagedClusterValidatingAdmissionHook) allowUpdateClusterSet(userInfo authenticationv1.UserInfo, clusterSetName string) *admissionv1beta1.AdmissionResponse {
-	status := &admissionv1beta1.AdmissionResponse{}
+func (a *ManagedClusterValidatingAdmissionHook) allowUpdateClusterSet(userInfo authenticationv1.UserInfo, clusterSetName string) *admissionv1.AdmissionResponse {
+	status := &admissionv1.AdmissionResponse{}
 
 	extra := make(map[string]authorizationv1.ExtraValue)
 	for k, v := range userInfo.Extra {