This new field spec.matchConditions is optional, and only has effect if the Kubernetes cluster was deployed with the feature gate AdmissionWebhookMatchConditions is enabled. Knowing if that's the case isn't trivial as the K8s APIserver doesn't expose it, hence we check for the feature in kubewarden-controller:
If Kubernetes 1.26 or earlier: not available. The matchConditions are ignored
If Kubernetes 1.27, 1.28, 1.29: available only when the AdmissionWebhookMatchConditions feature gate is enabled. Otherwise, the matchConditions are ignored
If Kubernetes 1.30 or later: always available, no action required
spec.matchConditions value is a CEL expression. The Kubewarden controller takes care of validating that CEL expression syntactically, hence the UI doesn't need to.
Acceptance criteria
Add support for the new field spec.matchConditions for (Cluster)AdmissionPolicies, on policy creation and update.
Add mention that it is an optional field that only takes effect if the cluster was deployed with the AdmissionWebhookMatchConditions feature gate (the UI doesn't need to check for the feature gate).
If possible, add syntax highlight for CEL on the input value.
The CEL validation happens on the controller, and the controller returns an error rejecting the policy if the spec.matchConditions is incorrect. Check that this error is shown to the user.
Since Kubewarden 1.15, now (Cluster)AdmissionPolicies have a new field,
spec.matchConditions
. See https://github.com/kubewarden/kubewarden-controller/issues/758This new field
spec.matchConditions
is optional, and only has effect if the Kubernetes cluster was deployed with the feature gate AdmissionWebhookMatchConditions is enabled. Knowing if that's the case isn't trivial as the K8s APIserver doesn't expose it, hence we check for the feature in kubewarden-controller:spec.matchConditions
value is a CEL expression. The Kubewarden controller takes care of validating that CEL expression syntactically, hence the UI doesn't need to.Acceptance criteria
spec.matchConditions
for (Cluster)AdmissionPolicies, on policy creation and update.AdmissionWebhookMatchConditions
feature gate (the UI doesn't need to check for the feature gate).spec.matchConditions
is incorrect. Check that this error is shown to the user.