kubernetes / website

Kubernetes website and documentation repo:
https://kubernetes.io
Creative Commons Attribution 4.0 International

Unclear documentation for ValidatingAdmissionPolicy and contents of CEL context #39368

Open divanodestiny opened 1 year ago

divanodestiny commented 1 year ago

I wonder why it says that:

> The apiVersion, kind, metadata.name and metadata.generateName are always accessible from the root of the object. No other metadata properties are accessible.

I create a ValidatingAdmissionPolicy like:

```yaml
apiVersion: admissionregistration.k8s.io/v1alpha1
kind: ValidatingAdmissionPolicy
metadata:
  name: "dp"
spec:
  failurePolicy: Fail
  matchConstraints:
    resourceRules:
    - apiGroups:   ["apps"]
      apiVersions: ["v1"]
      operations:  ["CREATE", "UPDATE"]
      resources:   ["deployments"]
  validations:
    - expression: "object.spec.replicas <= 5 || has(object.metadata.labels.test)"
      reason: Invalid
```

It can reject creating or updating deployments without label test. So metadata.labels is accessible.

sftim commented 1 year ago

/retitle Unclear documentation for ValidatingAdmissionPolicy and contents of CEL context

/kind bug
/language en
/sig api-machinery
/priority backlog
/triage accepted

tallclair commented 1 year ago

Should be fixed with https://github.com/kubernetes/website/issues/39089

/cc @jpbetz

mrgiles commented 1 year ago

This issue doesn't mention which page it is referring to. I did some searching and found this page, which contains the quoted paragraph: https://kubernetes.io/docs/reference/kubernetes-api/extend-resources/validating-admission-policy-v1alpha1/

Are these reference/api pages auto-generated @sftim? If not, I can try to update it.

sftim commented 1 year ago

Have a look at https://kubernetes.io/docs/reference/kubernetes-api/extend-resources/validating-admission-policy-v1alpha1/#auto-generated-edit-notice - yes, that's auto generated.

See https://github.com/kubernetes-sigs/reference-docs/ for the code that does the generation. Improvements are welcome.

sftim commented 1 year ago

This still needs a fix, BTW.

sftim commented 1 year ago

Page to fix: https://kubernetes.io/docs/reference/access-authn-authz/validating-admission-policy/

k8s-triage-robot commented 3 months ago

This issue has not been updated in over 1 year, and should be re-triaged.

You can:

For more details on the triage process, see https://www.kubernetes.dev/docs/guide/issue-triage/

/remove-triage accepted

k8s-triage-robot commented 2 weeks ago

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

You can:

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale