CEL-based admission webhook match conditions

[tallclair]

Enhancement Description

• One-line enhancement description (can be used as a release note): Introduce CEL expression filters to webhooks, to allow webhooks to be scoped more narrowly.
• Kubernetes Enhancement Proposal: https://github.com/kubernetes/enhancements/tree/master/keps/sig-api-machinery/3716-admission-webhook-match-conditions
• Discussion Link: https://docs.google.com/document/d/1x9RNaaysyO0gXHIr1y50QFbiL1x8OWnk2v3XnrdkT5Y/edit#bookmark=id.55kd8uoz25p5
• Primary contact (assignee): @tallclair
• Responsible SIGs: api-machinery
• Enhancement target (which target equals to which milestone):
  • Alpha release target (x.y): 1.27
  • Beta release target (x.y):
  • Stable release target (x.y):
• [x] Alpha
  • [x] KEP (k/enhancements) update PR(s):
    • https://github.com/kubernetes/enhancements/pull/3717
  • [x] Code (k/k) update PR(s):
    • https://github.com/kubernetes/kubernetes/pull/116261
    • https://github.com/kubernetes/kubernetes/pull/119380
  • [x] Docs (k/website) update PR(s):
    • https://github.com/kubernetes/website/pull/40058
• [x] Beta
  • [x] KEP (k/enhancements) update PR(s):
  • [x] Code (k/k) update PR(s):
  • [x] Docs (k/website) update(s):
• [ ] Stable
  • [x] KEP (k/enhancements) update PR(s): https://github.com/kubernetes/enhancements/pull/4435
  • [x] Code (k/k) update PR(s):
    • https://github.com/kubernetes/kubernetes/pull/123560
    • https://github.com/kubernetes/kubernetes/pull/123564
  • [ ] Docs (k/website) update(s): https://github.com/kubernetes/website/pull/45279

Please keep this description up to date. This will help the Enhancement Team to track the evolution of the enhancement efficiently.

[sftim]

Is this for admission webhooks only, or for all HTTP callouts (eg https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#imagepolicywebhook and https://kubernetes.io/docs/reference/access-authn-authz/webhook/)?

[tallclair]

@sftim this is only for admission webhooks (updated the title). We've also had conversations about doing something similar for authorization webhooks, but that will probably be folded in with https://github.com/kubernetes/enhancements/issues/3221

[logicalhan]

Is there a KEP for this I can review for PRR?

[fsmunoz]

Hello @tallclair 👋, v1.27 Enhancements team here.

Just checking in as we approach enhancements freeze on 18:00 PDT Thursday 9th February 2023.

This enhancement is targeting for stage alpha for 1.27 (please correct me, if otherwise)

Here's where this enhancement currently stands:

• [ ] KEP readme using the latest template has been merged into the k/enhancements repo.
• [ ] KEP status is marked as implementable for latest-milestone: 1.27
• [ ] KEP readme has a updated detailed test plan section filled out
• [ ] KEP readme has up to date graduation criteria
• [ ] KEP has a production readiness review that has been completed and merged into k/enhancements.

For this enhancement, the first thing we need is access to the KEP so we can then confirm the rest.

The status of this enhancement is marked as at risk. Please keep the issue description up-to-date with appropriate stages as well. Thank you!

[logicalhan]

@sftim this is only for admission webhooks (updated the title). We've also had conversations about doing something similar for authorization webhooks, but that will probably be folded in with #3221

If so, should this be tracked separately? I've confused about what I'm supposed to review for PRR here.

[sftim]

The problem was the original title - the rename fully addressed my concern.

[sftim]

If we want CEL conditions for ~admission~ authz webhooks, that change won't be part of this KEP.

[fsmunoz]

Hi @logicalhan , an update based on the linked KEP PR.

This enhancement is targeting for stage alpha for 1.27 (please correct me, if otherwise)

Here's where this enhancement currently stands, assuming #3717 in it's current state:

• [x] KEP readme using the latest template has been merged into the k/enhancements repo.
• [X] KEP status is marked as implementable for latest-milestone: 1.27
• [x] KEP readme has a updated detailed test plan section filled out
• [x] KEP readme has up to date graduation criteria
• [X] KEP has a production readiness review that has been completed and merged into k/enhancements.

For this enhancement, the following would need to be updated, assuming #3717 in it's current state:

• Use the latest version of the template. There is an additional question on the Scalability section of the PRR, although in one that isn't mandatory for alpha, it would be a good time to add it and sync with the latest template structure.
• An updated Test Plan, with the sections filled.
• Up-to-date graduation criteria filled.

The status of this enhancement is marked as at risk. Please keep the issue description up-to-date with appropriate stages as well. Thank you!

[tallclair]

@fsmunoz Thanks for the list. The remaining items are addressed in https://github.com/kubernetes/enhancements/pull/3861

@logicalhan sorry for missing your earlier questions! It looks like you figured it out, but please ping me on chat/slack if you have any outstanding questions.

[fsmunoz]

Hello @tallclair , thank you.

I'm marking this as tracked with two comments:

• The Test Plan has TBD information that should be analysed and reviewed.
• The Graduation Criteria would benefit from including other stages, but it does contain the alpha one.

This enhancement is ready to be traced for graduation to alpha in v1.27

/stage alpha /label tracked/yes

[k8s-ci-robot]

@fsmunoz: The label(s) /label stage/alpha cannot be applied. These labels are supported: api-review, tide/merge-method-merge, tide/merge-method-rebase, tide/merge-method-squash, team/katacoda, refactor, lead-opted-in, tracked/no, tracked/out-of-tree, tracked/yes. Is this label configured under labels -> additional_labels or labels -> restricted_labels in plugin.yaml?

In response to this:

Hello @tallclair , thank you.

I'm marking this as tracked with two comments:

• The Test Plan has TBD information that should be analysed and reviewed.
• The Graduation Criteria would benefit from including other stages, but it does contain the alpha one.

This enhancement is ready to be traced for graduation to alpha in v1.27

/label stage/alpha /label tracked/yes

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[fsmunoz]

/stage alpha

[katmutua]

Hello @tallclair 👋🏾 !

@katmutua 1.27 Release Docs shadow here. This enhancement is marked as ‘Needs Docs’ for 1.27 release.

Please follow the steps detailed in the documentation to open a PR against dev-1.27 branch in the k/website repo. This PR can be just a placeholder at this time, and must be created by March 16. For more information, please take a look at Documenting for a release to familiarize yourself with the documentation requirements for the release.

If you already have existing open PRs please link them to the description so we can easily track them. Thanks!

[fsmunoz]

Hi @tallclair 👋,

Checking in as we approach 1.27 code freeze at 17:00 PDT on Tuesday 14th March 2023.

Please ensure the following items are completed:

• [x] All PRs to the Kubernetes repo that are related to your enhancement are linked in the above issue description (for tracking purposes).
• [ ] All PRs are fully merged by the code freeze deadline.

For this enhancement, it looks like the following PRs need to be merged before code freeze:

• https://github.com/kubernetes/kubernetes/pull/116261

Please let me know what other PRs in k/k I should be tracking for this KEP.

As always, we are here to help should questions come up. Thanks!

[ivelichkovich]

This should be graduation criteria for beta: https://github.com/kubernetes/kubernetes/issues/116588

[ivelichkovich]

another beta graduation requirement: https://github.com/kubernetes/kubernetes/issues/116609

[salaxander]

Hey folks! With everything merged, I've marked the exception as complete on our tracking. Thanks!!

[mickeyboxell]

Hi @tallclair, as @katmutua mentioned, please follow the steps detailed in the documentation to open a PR against dev-1.27 branch in the k/website repo. This placeholder PR must be created by today, March 16, and should be ready for review on Tuesday, March 21.

[tallclair]

Docs PR: https://github.com/kubernetes/website/pull/40058

[deads2k]

/milestone v1.28

[deads2k]

/label lead-opted-in

[andrewsykim]

/assign

Igor asked me to take over the KEP update since he's on vacation

[aramase]

Hello @andrewsykim 👋, Enhancements team here.

Just checking in as we approach enhancements freeze on 01:00 UTC Friday, 16th June 2023.

This enhancement is targeting for stage beta for 1.28 (correct me, if otherwise)

Here's where this enhancement currently stands:

• [ ] KEP readme using the latest template has been merged into the k/enhancements repo.
• [X] KEP status is marked as implementable for latest-milestone: 1.28
• [x] KEP readme has a updated detailed test plan section filled out
• [x] KEP readme has up to date graduation criteria
• [x] KEP has a production readiness review that has been completed and merged into k/enhancements.

The status of this enhancement is marked as at risk. Please keep the issue description up-to-date with appropriate stages as well. Thank you!

[andrewsykim]

KEP readme using the latest template has been merged into the k/enhancements repo.

@aramase the KEP template is up to date as far as I know, is there a specific section missing?

[Atharva-Shinde]

Hey @andrewsykim As this enhancement is targeting stage beta this KEP should have the new question addressed which is not currently, but as the PRR team seems fine with this I'll mark status of the enhancement as tracked :)

[katcosgrove]

Hello @tallclair and @andrewsykim! 1.28 Docs Shadow here.

Does this enhancement work planned for 1.28 require any new docs or modification to existing docs?

If so, please follows the steps here to open a PR against dev-1.28 branch in the k/website repo. This PR can be just a placeholder at this time and must be created before Thursday 20th July 2023.

Also, take a look at Documenting for a release to get yourself familiarize with the docs requirement for the release.

Thank you!

[Rishit-dagli]

Hey @tallclair , could you please create a docs PR even if it is a draft PR with no content yet against dev-1.28 branch in the k/website repo. The deadline to create this draft PR is Thursday 20th July 2023.

[a-hilaly]

@katcosgrove @Rishit-dagli I just opened a WIP here https://github.com/kubernetes/website/pull/42060 - will work it soon.

[aramase]

Hey again @andrewsykim:wave:

Just checking in as we approach Code freeze at 01:00 UTC Friday, 19th July 2023 .

Here’s the enhancement’s state for the upcoming code freeze:

• [x] All the PRs that are related to your enhancement are linked in the above issue description (for tracking purposes). This includes code, tests, and documentation related PR/s.
• [x] All code related PR/s are merged or are in merge-ready state ( i.e they have approved and lgtm labels applied) by the code freeze deadline. This includes any tests related PR/s too.
  • https://github.com/kubernetes/kubernetes/pull/116261 ~~- https://github.com/kubernetes/website/pull/40058~~

If there are any other k/k related PR(s) that we should be tracking for this KEP please link them in the issue description above.

As always, we are here to help if any questions come up. Thanks!

[Atharva-Shinde]

Hey @andrewsykim 👋 Enhancements Lead here, With https://github.com/kubernetes/kubernetes/pull/116261 and https://github.com/kubernetes/kubernetes/pull/119380 merged as per the issue description, this enhancement is now tracked for v1.28 Code Freeze!