[release-4.19] OCPBUGS-66920: Add ValidatingAdmissionPolicy and check for omissions next time.

[benluddy]

Manual cherry pick of #577.

The default admission plugin list requires manual synchronization every time upstream introduces a new default plugin. To make future dependency bumps less error-prone, it should now fail if upstream's default list names a plugin that is not either included in the downstream list or in a list of intentionally-omitted plugins. Likewise, it should also fail if the downstream list contains a plugin that is not either included in the upstream list or in a list of intentionally-added plugins.

[openshift-ci-robot]

@benluddy: An error was encountered searching for bug OCPBUGS-66920 on the Jira server at https://issues.redhat.com/. No known errors were detected, please see the full error message for details.

Full error message.

You do not have the permission to see the specified issue.: request failed. Please analyze the request body for more details. Status code: 401:

Please contact an administrator to resolve this issue, then request a bug refresh with /jira refresh.

Details

In response to this:

Manual cherry pick of #577.

The default admission plugin list requires manual synchronization every time upstream introduces a new default plugin. To make future dependency bumps less error-prone, it should now fail if upstream's default list names a plugin that is not either included in the downstream list or in a list of intentionally-omitted plugins. Likewise, it should also fail if the downstream list contains a plugin that is not either included in the upstream list or in a list of intentionally-added plugins.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

Important

Review skipped

Auto reviews are limited based on label configuration.

🚫 Review skipped — only excluded labels are configured. (1)

• do-not-merge/work-in-progress

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[benluddy]

/label backport-risk-assessed

[benluddy]

/jira refresh

[openshift-ci-robot]

@benluddy: This pull request references Jira Issue OCPBUGS-66920, which is valid.

7 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (4.19.z) matches configured target version for branch (4.19.z)
• bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)
• release note text is set and does not match the template
• dependent bug Jira Issue OCPBUGS-65848 is in the state Closed (Done), which is one of the valid states (VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), CLOSED (DONE-ERRATA))
• dependent Jira Issue OCPBUGS-65848 targets the "4.20.z" version, which is one of the valid target versions: 4.20.0, 4.20.z
• bug has dependents

Requesting review from QA contact:
/cc @gangwgr

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[benluddy]

/cc @sanchezl

[openshift-ci]

@benluddy: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[wangke19]

/lgtm

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: benluddy, wangke19

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [benluddy]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[gangwgr]

Pre-merge verifcation of bug

oc get no
NAME                                         STATUS   ROLES                  AGE   VERSION
ip-10-0-114-81.us-west-2.compute.internal    Ready    control-plane,master   50m   v1.32.10
ip-10-0-125-175.us-west-2.compute.internal   Ready    control-plane,master   50m   v1.32.10
ip-10-0-52-175.us-west-2.compute.internal    Ready    worker                 35m   v1.32.10
ip-10-0-59-125.us-west-2.compute.internal    Ready    control-plane,master   50m   v1.32.10
ip-10-0-84-99.us-west-2.compute.internal     Ready    worker                 35m   v1.32.10
ip-10-0-97-170.us-west-2.compute.internal    Ready    worker                 42m   v1.32.10
rgangwar@rgangwar-mac cluster-kube-apiserver-operator % oc get clusterversion
NAME      VERSION                                                AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.19.0-0-2025-12-19-061413-test-ci-ln-m9d1tl2-latest   True        False         21m     Cluster version is 4.19.0-0-2025-12-19-061413-test-ci-ln-m9d1tl2-latest
rgangwar@rgangwar-mac cluster-kube-apiserver-operator % cat <<EOF | oc apply -f -
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicy
metadata:
  name: deny-creation-of-build-configs
spec:
  failurePolicy: Fail
  matchConstraints:
    resourceRules:
    - operations: ["CREATE"]
      apiGroups: ["build.openshift.io"]
      apiVersions: ["v1"]
      resources: ["buildconfigs"]
  validations:
  - expression: "false"
    message: "Creation of BuildConfigs is not allowed."
    reason: Invalid
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicyBinding
metadata:
  name: deny-creation-of-build-configs-binding
spec:
  policyName: deny-creation-of-build-configs
  validationActions:
  - Deny
EOF
validatingadmissionpolicy.admissionregistration.k8s.io/deny-creation-of-build-configs created
validatingadmissionpolicybinding.admissionregistration.k8s.io/deny-creation-of-build-configs-binding created
rgangwar@rgangwar-mac cluster-kube-apiserver-operator % oc new-build --binary --name test-bc
    * A Docker build using binary input will be created
      * The resulting image will be pushed to image stream tag "test-bc:latest"
      * A binary build was created, use 'oc start-build --from-dir' to trigger a new build
 
--> Creating resources with label build=test-bc ...
    imagestream.image.openshift.io "test-bc" created
    error: buildconfigs.build.openshift.io "test-bc" is forbidden: ValidatingAdmissionPolicy 'deny-creation-of-build-configs' with binding 'deny-creation-of-build-configs-binding' denied request: Creation of BuildConfigs is not allowed.
--> Failed
 
rgangwar@rgangwar-mac cluster-kube-apiserver-operator % cat <<EOF | oc apply -f -   
apiVersion: build.openshift.io/v1
kind: BuildConfig
metadata:
  name: test-bc
spec:
  runPolicy: Serial
  source:
    type: Binary
  strategy:
    type: Source
    sourceStrategy:
      from:
        kind: ImageStreamTag
        name: "ruby:2.7"
EOF
The buildconfigs "test-bc" is invalid: : ValidatingAdmissionPolicy 'deny-creation-of-build-configs' with binding 'deny-creation-of-build-configs-binding' denied request: Creation of BuildConfigs is not allowed.

[gangwgr]

/verified by #588 (comment)

[openshift-ci-robot]

@gangwgr: This PR has been marked as verified by https://github.com/openshift/openshift-apiserver/pull/588#issuecomment-3674089113.

Details

In response to this:

/verified by #588 (comment)

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci-robot]

@benluddy: Jira Issue OCPBUGS-66920: Some pull requests linked via external trackers have merged:

The following pull request, linked via external tracker, has not merged:

• openshift/openshift-apiserver#586 is closed

All associated pull requests must be merged or unlinked from the Jira bug in order for it to move to the next state. Once unlinked, request a bug refresh with /jira refresh.

Jira Issue OCPBUGS-66920 has not been moved to the MODIFIED state.

This PR is marked as verified. If the remaining PRs listed above are marked as verified before merging, the issue will automatically be moved to VERIFIED after all of the changes from the PRs are available in an accepted nightly payload.

Details

In response to this:

Manual cherry pick of #577.

The default admission plugin list requires manual synchronization every time upstream introduces a new default plugin. To make future dependency bumps less error-prone, it should now fail if upstream's default list names a plugin that is not either included in the downstream list or in a list of intentionally-omitted plugins. Likewise, it should also fail if the downstream list contains a plugin that is not either included in the upstream list or in a list of intentionally-added plugins.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[benluddy]

/cherry-pick release-4.18

[openshift-cherrypick-robot]

@benluddy: new pull request created: #589

Details

In response to this:

/cherry-pick release-4.18

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.