admission.k8s.io/v1 AdmissionReview response requires uid
According to https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/ the response needs to look like this:

    {
      "apiVersion": "admission.k8s.io/v1",
      "kind": "AdmissionReview",
      "response": {
        "uid": "<value from request.uid>",
        "allowed": true
      }
    }
@mingfang is there a specific example or policy in the library that is missing this? Any more details would be helpful.
So technically this library is not missing it, because it's still on the older admission.k8s.io/v1beta1. I have upgraded it locally by adding the uid like this https://github.com/open-policy-agent/library/blob/ba6cc2ab32d341fd786ff462510df95b997d7c78/kubernetes/mutating-admission/main.rego#L41

    response = x {
        count(patch) > 0
        # if there are missing leaves e.g. trying to add a label to something that doesn't
        # yet have any, we need to create the leaf nodes as well
        fullPatches := ensureParentPathsExist(cast_array(patch))
        x := {
            "allowed": true,
            "patchType": "JSONPatch",
            "patch": base64.encode(json.marshal(fullPatches)),
            "uid": input.request.uid,  # needed in v1
        }
    }

But the problem is I can't add uid to the default response here https://github.com/open-policy-agent/library/blob/ba6cc2ab32d341fd786ff462510df95b997d7c78/kubernetes/mutating-admission/main.rego#L14 because I get an error saying default response cannot use refs. The workaround is to leave the uid out of the default response and Kubernetes prints out a warning.
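One way to get a v1-shaped response without relying on `default`, written as an added example rather than the library's own main.rego: OPA rejects `default response = {..., "uid": input.request.uid}` because a default value must be a constant, but an `else` branch on the `response` rule is an ordinary rule body and may read `input`, so the fallback can echo `request.uid` just like the mutating branch. The label key, the `patch` rules and the `patch_list` helper below are constructed for this example and stand in for the library's own patch generation; the `package system` / `main` entry point matches OPA's default decision path.

```rego
package system

import input.request

# v1 AdmissionReview envelope. Kubernetes matches the response to the
# request by uid, so both branches of `response` below must set it.
main = {
    "apiVersion": "admission.k8s.io/v1",
    "kind": "AdmissionReview",
    "response": response,
}

# Mutating branch: at least one patch was generated, so return a JSONPatch.
response = x {
    count(patch) > 0
    x := {
        "allowed": true,
        "uid": request.uid,
        "patchType": "JSONPatch",
        "patch": base64.encode(json.marshal(patch_list)),
    }
} else = x {
    # Fallback branch (replaces `default response = ...`): no patches,
    # still allowed, and uid is taken from input, which `default` cannot do.
    x := {
        "allowed": true,
        "uid": request.uid,
    }
}

# `patch` is a set; JSON Patch requires an ordered array.
patch_list := [p | p := patch[_]]

# Constructed sample mutation: ensure Pods carry an owner label.
# Case 1: no labels map at all, so add the whole map (avoids a missing-parent error).
patch[p] {
    request.kind.kind == "Pod"
    not request.object.metadata.labels
    p := {
        "op": "add",
        "path": "/metadata/labels",
        "value": {"example.com/owner": "unknown"},
    }
}

# Case 2: labels exist but the key is absent; "/" in the key is escaped as "~1".
patch[p] {
    request.kind.kind == "Pod"
    request.object.metadata.labels
    not request.object.metadata.labels["example.com/owner"]
    p := {
        "op": "add",
        "path": "/metadata/labels/example.com~1owner",
        "value": "unknown",
    }
}
```

With this shape, a request for a Pod that already has the label yields `{"allowed": true, "uid": "<request uid>"}` with no `patch` field, and Kubernetes no longer logs the missing-uid warning described above; requests for other kinds fall through to the same fallback branch.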