cybozu-go / moco

MySQL operator on Kubernetes using GTID-based semi-synchronous replication.
https://cybozu-go.github.io/moco/
Apache License 2.0

Cannot install moco 0.25.0 without `admissionregistration.k8s.io/v1beta1=true` for k8s 1.30 or above #759

Open pddg opened 6 days ago

pddg commented 6 days ago

Describe the bug

#751 introduces ValidatingAdmissionPolicy. This feature is GA in Kubernetes 1.30.

https://kubernetes.io/blog/2024/04/24/validating-admission-policy-ga/

Kubernetes 1.30 or above only accepts admissionregistration.k8s.io/v1, not admissionregistration.k8s.io/v1beta1 by default.

Environments

To Reproduce

```sh
kind create cluster --name moco --image kindest/node:v1.30.6
curl -fsL https://github.com/jetstack/cert-manager/releases/latest/download/cert-manager.yaml | kubectl apply -f -
helm install --create-namespace --namespace moco-system moco moco/moco
```

The following errors are shown:

```
Error: INSTALLATION FAILED: unable to build kubernetes objects from release manifest: [resource mapping not found for name: "moco-delete-validator" namespace: "" from "": no matches for kind "ValidatingAdmissionPolicy" in version "admissionregistration.k8s.io/v1beta1"
ensure CRDs are installed first, resource mapping not found for name: "moco-delete-validator" namespace: "" from "": no matches for kind "ValidatingAdmissionPolicyBinding" in version "admissionregistration.k8s.io/v1beta1"
ensure CRDs are installed first]
```

Expected behavior

moco 0.25.0 can be installed on any supported Kubernetes version.

Additional context

The K8s cluster used in the E2E test enables admissionregistration.k8s.io/v1beta1. https://github.com/cybozu-go/moco/blob/389ae1248865a443f9fd152406d630faaecf0cd5/e2e/kind-config.yaml#L3-L6

So the tests passed, but installation fails for the cluster with default configuration.

Replace admissionregistration.k8s.io/v1beta1 with admissionregistration.k8s.io/v1, then it can be installed without any configuration.

```sh
helm template --namespace moco-system moco moco/moco > manifests.yaml
kubectl create ns moco-system
sed s%admissionregistration.k8s.io/v1beta1%admissionregistration.k8s.io/v1%g manifests.yaml | kubectl apply -f -
```

```console
❯ sed s%admissionregistration.k8s.io/v1beta1%admissionregistration.k8s.io/v1%g manifests.yaml | kubectl apply -f -
serviceaccount/moco-controller-manager created
customresourcedefinition.apiextensions.k8s.io/backuppolicies.moco.cybozu.com created
customresourcedefinition.apiextensions.k8s.io/mysqlclusters.moco.cybozu.com created
clusterrole.rbac.authorization.k8s.io/moco-backuppolicy-editor-role created
clusterrole.rbac.authorization.k8s.io/moco-backuppolicy-viewer-role created
clusterrole.rbac.authorization.k8s.io/moco-manager-role created
clusterrole.rbac.authorization.k8s.io/moco-mysqlcluster-editor-role created
clusterrole.rbac.authorization.k8s.io/moco-mysqlcluster-viewer-role created
clusterrolebinding.rbac.authorization.k8s.io/moco-manager-rolebinding created
role.rbac.authorization.k8s.io/moco-leader-election-role created
rolebinding.rbac.authorization.k8s.io/moco-leader-election-rolebinding created
service/moco-webhook-service created
deployment.apps/moco-controller created
certificate.cert-manager.io/moco-controller-grpc created
certificate.cert-manager.io/moco-grpc-ca created
certificate.cert-manager.io/moco-serving-cert created
issuer.cert-manager.io/moco-grpc-issuer created
issuer.cert-manager.io/moco-selfsigned-issuer created
mutatingwebhookconfiguration.admissionregistration.k8s.io/moco-mutating-webhook-configuration created
validatingadmissionpolicy.admissionregistration.k8s.io/moco-delete-validator created
validatingadmissionpolicybinding.admissionregistration.k8s.io/moco-delete-validator created
validatingwebhookconfiguration.admissionregistration.k8s.io/moco-validating-webhook-configuration created

❯ kubectl get po -n moco-system
NAME                               READY   STATUS    RESTARTS   AGE
moco-controller-6d7867d984-gl8n8   1/1     Running   0          29s
moco-controller-6d7867d984-gwrdk   1/1     Running   0          29s

❯ kubectl get validatingadmissionpolicy
NAME                    VALIDATIONS   PARAMKIND   AGE
moco-delete-validator   1             <unset>     60s

❯ kubectl get validatingadmissionpolicybinding
NAME                    POLICYNAME              PARAMREF   AGE
moco-delete-validator   moco-delete-validator   <unset>    78s
```

If additional FeatureGates are required for installation, it should be documented. ValidatingAdmissionPolicy is not available in K8s 1.29 by default.
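
A pre-install check for the failure reported above, as an added example that is not part of the original issue or of the MOCO project: it compares the top-level `apiVersion` of every rendered object with the group/versions the cluster serves. The names `unserved_apis` and `demo`, the file names and the sample data are constructed for illustration; `served.txt` is assumed to hold the output of `kubectl api-versions`.

```shell
#!/bin/sh
# Real use (commands from this issue plus `kubectl api-versions`):
#   helm template --namespace moco-system moco moco/moco > manifests.yaml
#   kubectl api-versions > served.txt
#   unserved_apis manifests.yaml served.txt

# unserved_apis MANIFEST SERVED  (hypothetical helper, not part of MOCO)
#   MANIFEST: multi-document YAML; SERVED: one group/version per line.
# Prints "apiVersion kind" for each object whose built-in apiVersion is not
# served, and returns 1 if there is at least one.
unserved_apis() {
  awk -v served="$2" '
    # Core ("v1"), dotless ("apps/v1") and *.k8s.io groups are checked; other
    # dotted groups are assumed to be CRDs installed separately and skipped.
    function checked(a,   g) {
      if (a !~ /\//) return 1
      g = a; sub(/\/.*/, "", g)
      return (g !~ /\./ || g ~ /\.k8s\.io$/)
    }
    function emit() {
      if (api != "" && checked(api) && !(api in ok)) { print api, kind; bad = 1 }
      api = ""; kind = ""
    }
    BEGIN { while ((getline line < served) > 0) ok[line] = 1 }
    { gsub(/["\r]/, "") }           # drop quotes and CRs around values
    /^---/         { emit(); next } # document boundary
    /^apiVersion:/ { api = $2 }     # top-level keys only; nested ones are indented
    /^kind:/       { kind = $2 }
    END { emit(); exit bad + 0 }
  ' "$1"
}

# Constructed sample: the two objects from the error above, one served kind
# and one CRD-backed kind.
demo() {
  d=$(mktemp -d)
  printf '%s\n' v1 apps/v1 admissionregistration.k8s.io/v1 > "$d/served.txt"
  printf 'apiVersion: %s\nkind: %s\n---\n' \
    apps/v1 Deployment \
    cert-manager.io/v1 Certificate \
    admissionregistration.k8s.io/v1beta1 ValidatingAdmissionPolicy \
    admissionregistration.k8s.io/v1beta1 ValidatingAdmissionPolicyBinding \
    > "$d/manifests.yaml"
  rc=0
  unserved_apis "$d/manifests.yaml" "$d/served.txt" || rc=$?
  rm -rf "$d"
  return "$rc"
}
demo || echo "manifest uses API versions this cluster does not serve"
```

A non-zero return in CI stops the install before `helm install` reaches the API server, which also catches test clusters that enable extra API versions the default configuration does not.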

shunki-fujita commented 4 days ago

@pddg Thank you for the report. It seems there was an omission in the documentation, so I will take care of it.

mhkarimi1383 commented 14 hours ago

Fixed after https://github.com/cybozu-go/moco/pull/760 (tested by installing the chart from the git repo). We should wait for the chart release :)