UPSTREAM: <carry>: openshift-kube-apiserver: add openshift-kube-apiserver code

UPSTREAM: <carry>: openshift-kube-apiserver: enabled conversion gen for admission configs

UPSTREAM: <carry>: openshift-kube-apiserver/admission: fix featuregates resource name

UPSTREAM: <carry>: openshift-kube-apiserver/admission: add missing FeatureSets

UPSTREAM: <carry>: openshift-kube-apiserver: use github.com/openshift/apiserver-library-go/pkg/labelselector

UPSTREAM: <carry>: openshift authenticator: don't allow old-style tokens

UPSTREAM: <carry>: oauth-authn: support sha256 prefixed tokens

UPSTREAM: <carry>: oauth-token-authn: switch to sha256~ prefix

UPSTREAM: <carry>: oauth-token-authn: add sha256~ support to bootstrap authenticator

UPSTREAM: <drop>: remove the openshift authenticator from the apiserver

In 4.8, we moved the authenticator to be configured via
webhookTokenAuthenticators to an endpoint in the oauth-apiserver,
this should now be safe to remove.

UPSTREAM: <carry>: set ResourceQuotaValidationOptions to true

When PodAffinityNamespaceSelector goes to beta or GA this might affect
how our ClusterResourceQuota might work

UPSTREAM: <carry>: simplify the authorizer patch to allow the flags to function

UPSTREAM: <carry>: eliminate unnecessary closure in openshift configuration wiring

UPSTREAM: <carry>: add crdvalidation for apiserver.spec.tlsSecurityProfile

UPSTREAM: <carry>: openshift-kube-apiserver: Add custom resource validation for network spec

UPSTREAM: <carry>: stop overriding flags that are explicitly set

UPSTREAM: <carry>: add readyz check for openshift apiserver availability

UPSTREAM: <carry>: wait for oauth-apiserver accessibility

UPSTREAM: <carry>: provide a new admission plugin to mutate management pods CPUs requests

The ManagementCPUOverride admission plugin replaces pod container CPU requests with a new management resource.
It applies to all pods that:
 1. are in an allowed namespace
 2. and have the workload annotation.

It also sets the new management resource request and limit and  set resource annotation that CRI-O can
recognize and apply the relevant changes.
For more information, see - openshift/enhancements#703

Conditions for CPUs requests deletion:
 1. The namespace should have allowed annotation "workload.openshift.io/allowed": "management"
 2. The pod should have management annotation: "workload.openshift.io/management": "{"effect": "PreferredDuringScheduling"}"
 3. All nodes under the cluster should have new management resource - "management.workload.openshift.io/cores"
 4. The CPU request deletion will not change the pod QoS class

UPSTREAM: <carry>: Does not prevent pod creation because of no nodes reason when it runs under the regular cluster

Check the `cluster` infrastructure resource status to be sure that we run on top of a SNO cluster
and in case if the pod runs on top of regular cluster, exit before node existence check.

UPSTREAM: <carry>: do not mutate pods when it has a container with both CPU request and limit

Removing the CPU request from the container that has a CPU limit will result in the defaulter to set the CPU request back equals to the CPU limit.

UPSTREAM: <carry>: Reject the pod creation when we can not decide the cluster type

It is possible a race condition between pod creation and the update of the
infrastructure resource status with correct values under
Status.ControlPlaneTopology and Status.InfrastructureTopology.

UPSTREAM: <carry>: add CRD validation for dnses

Add an admission plugin that validates the dnses.operator.openshift.io
custom resource.  For now, the plugin only validates the DNS pod
node-placement parameters.

This commit fixes bug 1967745.

https://bugzilla.redhat.com/show_bug.cgi?id=1967745

* openshift-kube-apiserver/admission/customresourcevalidation/attributes.go
(init): Install operatorv1 into supportedObjectsScheme.
* openshift-kube-apiserver/admission/customresourcevalidation/customresourcevalidationregistration/cr_validation_registration.go
(AllCustomResourceValidators, RegisterCustomResourceValidation): Register
the new plugin.
* openshift-kube-apiserver/admission/customresourcevalidation/dns/validate_dns.go:
New file.
(PluginName): New const.
(Register): New function.  Register the plugin.
(toDNSV1): New function.  Convert a runtime object to a versioned DNS.
(dnsV1): New type to represent a runtime object that is validated as a
versioned DNS.
(ValidateCreate, ValidateUpdate, ValidateStatusUpdate): New methods.
Implement the ObjectValidator interface, using the validateDNSSpecCreate
and validateDNSSpecUpdate helpers.
(validateDNSSpecCreate, validateDNSSpecUpdate): New functions.  Validate a
DNS, using the validateDNSSpec helper.
(validateDNSSpec): New function.  Validate the spec field of a DNS, using
the validateDNSNodePlacement helper.
(validateDNSNodePlacement): New function.  Validate the node selector and
tolerations in a DNS's node-placement parameters, using
validateTolerations.
(validateTolerations): New function.  Validate a slice of
corev1.Toleration.
* openshift-kube-apiserver/admission/customresourcevalidation/dns/validate_dns_test.go:
New file.
(TestFailValidateDNSSpec): Verify that validateDNSSpec rejects invalid DNS
specs.
(TestSucceedValidateDNSSpec): Verify that validateDNSSpec accepts valid DNS
specs.
* vendor/*: Regenerate.

UPSTREAM: <carry>: prevent the kubecontrollermanager service-ca from getting less secure

UPSTREAM: <carry>: allow SCC to be disabled on a per-namespace basis

UPSTREAM: <carry>: verify required http2 cipher suites

In the Apiserver admission, we need to return an error if the required
http2 cipher suites are missing from a custom tlsSecurityProfile.
Currently, custom cipher suites missing ECDHE_RSA_WITH_AES_128_GCM_SHA256 or
ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 result in invalid http2 Server
configuration causing the apiservers to crash.
See: go/x/net/http2.ConfigureServer for futher information.

UPSTREAM: <carry>: drop the warning to use --keep-annotations

When a user runs the `oc debug` command for the pod with the
management resource, we will inform him that he should pass
`--keep-annotations` parameter to the debug command.

UPSTREAM: <carry>: admission/managementcpusoverride: cover the roll-back case

During the upgrade and roll-back flow 4.7->4.8->4.7, the topology related
fields under the infrastructure can be empty because the
old API does not support them.

The code will equal the empty infrastructure section with the current one.
When the status has some other non-empty field, and topology fields
are empty, we assume that the cluster currently passes
via roll-back and not via the clean install.

UPSTREAM: <carry>: Remove pod warning annotation when workload partitioning is disabled

UPSTREAM: <carry>: use new access token inactivity timeout field.

UPSTREAM: <carry>: apirequestcount validation

UPSTREAM: <carry>: Added config node object validation for extreme latency profiles

UPSTREAM: <carry>: Add Upstream validation in the DNS admission check

patches

UPSTREAM: <carry>: Make RestrictedEndpointsAdmission check NotReadyAddresses

UPSTREAM: <carry>: Make RestrictedEndpointsAdmission restrict EndpointSlices as well

Moved SkipSystemMasterAuthorizers to the authorizer.

UPSTREAM: <carry>: Add validation plugin for CRD-based route parity.

UPSTREAM: <carry>: Add host assignment plugin for CRD-based routes.

UPSTREAM: <carry>: Apply shared defaulters to CRD-based routes.

Signed-off-by: Artyom Lukianov <[email protected]>
Signed-off-by: Damien Grisonnet <[email protected]>
Signed-off-by: Swarup Ghosh <[email protected]>
OpenShift-Rebase-Source: 932411e
OpenShift-Rebase-Source: 1899555
OpenShift-Rebase-Source: 453583e
OpenShift-Rebase-Source: bf7e23e

UPSTREAM: <carry>: STOR-829: Add CSIInlineVolumeSecurity admission plugin

The CSIInlineVolumeSecurity admission plugin inspects inline CSI
volumes on pod creation and compares the
security.openshift.io/csi-ephemeral-volume-profile label on the
CSIDriver object to the pod security profile on the namespace.

OpenShift-Rebase-Source: a65c34b

UPSTREAM: <carry>: add icsp,idms,itms validation reject creating icsp with idms/itms exist

    Reject icsp with idms.itms resources exists. According to the discuusion resolution https://docs.google.com/document/d/13h6IJn8wlzXdiPMvCWlMEHOXXqEZ9_GYOl02Wldb3z8/edit?usp=sharing,
            one of current icsp or new mirror setting crd should be rejected if a user tries to use them on the same cluster.

UPSTREAM: <carry>: node admission plugin for cpu partitioning

The ManagedNode admission plugin makes the Infrastructure.Status.CPUPartitioning field authoritative.
This validates that nodes that wish to join the cluster are first configured to properly handle workload pinning
For more information see - openshift/enhancements#1213

UPSTREAM: <carry>: kube-apiserver: allow injection of kube-apiserver options

UPSTREAM: <carry>: kube-apiserver: allow rewiring

OpenShift-Rebase-Source: 56b49c9
OpenShift-Rebase-Source: bcf574c

UPSTREAM: <carry>: STOR-1270: Admission plugin to deny deletion of storages.operator.openshift.io

UPSTREAM: <carry>: support for both icsp and idms objects

Revert: #1310
Add support for ICSP and IDMS objects living at the same time.

UPSTREAM: <carry>: openshift-kube-apiserver: add openshift-kube-apisever code

UPSTREAM: <carry>: featureset validation moved to CEL

UPSTREAM: <carry>: Add context to ObjectValidator
TODO: add router validation logic to implement ctx add in ObjectValidator

UPSTREAM: <carry>: loosen authentication.spec.type validation

UPSTREAM: <carry>: openshift-kube-apiserver: add kube-apiserver patches

pod .spec.nodeName should not override project node selector in
podNodeEnvironment admission plugin

UPSTREAM: <carry>: Fix sets.String and sets.Set[string] type mismatch

libray-go uses the genetic Set while upstream still uses the deprecated
sets.String in some part of its codes.

UPSTREAM: <carry>: Add RouteExternalCertificate validation in Route ObjectValidator

UPSTREAM: <carry>: Fix incorrect type casting in admission validate_apiserver

UPSTREAM: <carry>: react to library-go changes

UPSTREAM: <carry>: Update RouteExternalCertificate validation in Route ObjectValidator

UPSTREAM: <carry>: APIRequestCount Handler

OpenShift-Rebase-Source: 4d74b77

Author: deads2k

openshift-kube-apiserver/admission/admissionenablement/admission.go

@@ -0,0 +1,15 @@
+package admissionenablement
+
+import (
+	"k8s.io/kubernetes/cmd/kube-apiserver/app/options"
+	"k8s.io/kubernetes/openshift-kube-apiserver/admission/customresourcevalidation/customresourcevalidationregistration"
+)
+
+func InstallOpenShiftAdmissionPlugins(o *options.ServerRunOptions) {
+	existingAdmissionOrder := o.Admission.GenericAdmission.RecommendedPluginOrder
+	o.Admission.GenericAdmission.RecommendedPluginOrder = NewOrderedKubeAdmissionPlugins(existingAdmissionOrder)
+	RegisterOpenshiftKubeAdmissionPlugins(o.Admission.GenericAdmission.Plugins)
+	customresourcevalidationregistration.RegisterCustomResourceValidation(o.Admission.GenericAdmission.Plugins)
+	existingDefaultOff := o.Admission.GenericAdmission.DefaultOffPlugins
+	o.Admission.GenericAdmission.DefaultOffPlugins = NewDefaultOffPluginsFunc(existingDefaultOff)()
+}

openshift-kube-apiserver/admission/admissionenablement/admission_config.go

@@ -0,0 +1,51 @@
+package admissionenablement
+
+import (
+	"time"
+
+	"github.com/openshift/library-go/pkg/apiserver/admission/admissiontimeout"
+	"k8s.io/apimachinery/pkg/labels"
+	"k8s.io/apiserver/pkg/admission"
+	"k8s.io/client-go/informers"
+	"k8s.io/client-go/kubernetes"
+	"k8s.io/kubernetes/openshift-kube-apiserver/admission/namespaceconditions"
+	controlplaneapiserver "k8s.io/kubernetes/pkg/controlplane/apiserver/options"
+)
+
+const disableSCCLevelLabel = "security.openshift.io/disable-securitycontextconstraints"
+
+var enforceSCCSelector labels.Selector
+
+func init() {
+	var err error
+	enforceSCCSelector, err = labels.Parse(disableSCCLevelLabel + " != true")
+	if err != nil {
+		panic(err)
+	}
+}
+
+func SetAdmissionDefaults(o *controlplaneapiserver.CompletedOptions, informers informers.SharedInformerFactory, kubeClient kubernetes.Interface) {
+	// set up the decorators we need.  This is done late and out of order because our decorators currently require informers which are not
+	// present until we start running
+	namespaceLabelDecorator := namespaceconditions.NamespaceLabelConditions{
+		NamespaceClient: kubeClient.CoreV1(),
+		NamespaceLister: informers.Core().V1().Namespaces().Lister(),
+
+		SkipLevelZeroNames: SkipRunLevelZeroPlugins,
+		SkipLevelOneNames:  SkipRunLevelOnePlugins,
+	}
+	sccLabelDecorator := namespaceconditions.NewConditionalAdmissionPlugins(
+		kubeClient.CoreV1(), informers.Core().V1().Namespaces().Lister(), enforceSCCSelector,
+		"security.openshift.io/SecurityContextConstraint", "security.openshift.io/SCCExecRestrictions")
+
+	o.Admission.GenericAdmission.Decorators = append(o.Admission.GenericAdmission.Decorators,
+		admission.Decorators{
+			// SCC can be skipped by setting a namespace label `security.openshift.io/disable-securitycontextconstraints = true`
+			// This is useful for disabling SCC and using PodSecurity admission instead.
+			admission.DecoratorFunc(sccLabelDecorator.WithNamespaceLabelSelector),
+
+			admission.DecoratorFunc(namespaceLabelDecorator.WithNamespaceLabelConditions),
+			admission.DecoratorFunc(admissiontimeout.AdmissionTimeout{Timeout: 13 * time.Second}.WithTimeout),
+		},
+	)
+}

openshift-kube-apiserver/admission/admissionenablement/register.go

@@ -0,0 +1,122 @@
+package admissionenablement
+
+import (
+	"k8s.io/apimachinery/pkg/util/sets"
+	"k8s.io/apiserver/pkg/admission"
+	"k8s.io/apiserver/pkg/admission/plugin/resourcequota"
+	mutatingwebhook "k8s.io/apiserver/pkg/admission/plugin/webhook/mutating"
+
+	"github.com/openshift/apiserver-library-go/pkg/admission/imagepolicy"
+	imagepolicyapiv1 "github.com/openshift/apiserver-library-go/pkg/admission/imagepolicy/apis/imagepolicy/v1"
+	quotaclusterresourcequota "github.com/openshift/apiserver-library-go/pkg/admission/quota/clusterresourcequota"
+	"github.com/openshift/apiserver-library-go/pkg/securitycontextconstraints/sccadmission"
+	authorizationrestrictusers "k8s.io/kubernetes/openshift-kube-apiserver/admission/authorization/restrictusers"
+	quotaclusterresourceoverride "k8s.io/kubernetes/openshift-kube-apiserver/admission/autoscaling/clusterresourceoverride"
+	"k8s.io/kubernetes/openshift-kube-apiserver/admission/autoscaling/managednode"
+	"k8s.io/kubernetes/openshift-kube-apiserver/admission/autoscaling/managementcpusoverride"
+	quotarunonceduration "k8s.io/kubernetes/openshift-kube-apiserver/admission/autoscaling/runonceduration"
+	"k8s.io/kubernetes/openshift-kube-apiserver/admission/customresourcevalidation/customresourcevalidationregistration"
+	"k8s.io/kubernetes/openshift-kube-apiserver/admission/network/externalipranger"
+	"k8s.io/kubernetes/openshift-kube-apiserver/admission/network/restrictedendpoints"
+	ingressadmission "k8s.io/kubernetes/openshift-kube-apiserver/admission/route"
+	"k8s.io/kubernetes/openshift-kube-apiserver/admission/route/hostassignment"
+	projectnodeenv "k8s.io/kubernetes/openshift-kube-apiserver/admission/scheduler/nodeenv"
+	schedulerpodnodeconstraints "k8s.io/kubernetes/openshift-kube-apiserver/admission/scheduler/podnodeconstraints"
+	"k8s.io/kubernetes/openshift-kube-apiserver/admission/storage/csiinlinevolumesecurity"
+)
+
+func RegisterOpenshiftKubeAdmissionPlugins(plugins *admission.Plugins) {
+	authorizationrestrictusers.Register(plugins)
+	hostassignment.Register(plugins)
+	imagepolicy.Register(plugins)
+	ingressadmission.Register(plugins)
+	managementcpusoverride.Register(plugins)
+	managednode.Register(plugins)
+	projectnodeenv.Register(plugins)
+	quotaclusterresourceoverride.Register(plugins)
+	quotaclusterresourcequota.Register(plugins)
+	quotarunonceduration.Register(plugins)
+	schedulerpodnodeconstraints.Register(plugins)
+	sccadmission.Register(plugins)
+	sccadmission.RegisterSCCExecRestrictions(plugins)
+	externalipranger.RegisterExternalIP(plugins)
+	restrictedendpoints.RegisterRestrictedEndpoints(plugins)
+	csiinlinevolumesecurity.Register(plugins)
+}
+
+var (
+
+	// these are admission plugins that cannot be applied until after the kubeapiserver starts.
+	// TODO if nothing comes to mind in 3.10, kill this
+	SkipRunLevelZeroPlugins = sets.NewString()
+	// these are admission plugins that cannot be applied until after the openshiftapiserver apiserver starts.
+	SkipRunLevelOnePlugins = sets.NewString(
+		imagepolicyapiv1.PluginName, // "image.openshift.io/ImagePolicy"
+		"quota.openshift.io/ClusterResourceQuota",
+		"security.openshift.io/SecurityContextConstraint",
+		"security.openshift.io/SCCExecRestrictions",
+	)
+
+	// openshiftAdmissionPluginsForKubeBeforeMutating are the admission plugins to add after kube admission, before mutating webhooks
+	openshiftAdmissionPluginsForKubeBeforeMutating = []string{
+		"autoscaling.openshift.io/ClusterResourceOverride",
+		managementcpusoverride.PluginName, // "autoscaling.openshift.io/ManagementCPUsOverride"
+		"authorization.openshift.io/RestrictSubjectBindings",
+		"autoscaling.openshift.io/RunOnceDuration",
+		"scheduling.openshift.io/PodNodeConstraints",
+		"scheduling.openshift.io/OriginPodNodeEnvironment",
+		"network.openshift.io/ExternalIPRanger",
+		"network.openshift.io/RestrictedEndpointsAdmission",
+		imagepolicyapiv1.PluginName, // "image.openshift.io/ImagePolicy"
+		"security.openshift.io/SecurityContextConstraint",
+		"security.openshift.io/SCCExecRestrictions",
+		"route.openshift.io/IngressAdmission",
+		hostassignment.PluginName,          // "route.openshift.io/RouteHostAssignment"
+		csiinlinevolumesecurity.PluginName, // "storage.openshift.io/CSIInlineVolumeSecurity"
+		managednode.PluginName,             // "autoscaling.openshift.io/ManagedNode"
+	}
+
+	// openshiftAdmissionPluginsForKubeAfterResourceQuota are the plugins to add after ResourceQuota plugin
+	openshiftAdmissionPluginsForKubeAfterResourceQuota = []string{
+		"quota.openshift.io/ClusterResourceQuota",
+	}
+
+	// additionalDefaultOnPlugins is a list of plugins we turn on by default that core kube does not.
+	additionalDefaultOnPlugins = sets.NewString(
+		"NodeRestriction",
+		"OwnerReferencesPermissionEnforcement",
+		"PodNodeSelector",
+		"PodTolerationRestriction",
+		"Priority",
+		imagepolicyapiv1.PluginName, // "image.openshift.io/ImagePolicy"
+		"StorageObjectInUseProtection",
+	)
+)
+
+func NewOrderedKubeAdmissionPlugins(kubeAdmissionOrder []string) []string {
+	ret := []string{}
+	for _, curr := range kubeAdmissionOrder {
+		if curr == mutatingwebhook.PluginName {
+			ret = append(ret, openshiftAdmissionPluginsForKubeBeforeMutating...)
+			ret = append(ret, customresourcevalidationregistration.AllCustomResourceValidators...)
+		}
+
+		ret = append(ret, curr)
+
+		if curr == resourcequota.PluginName {
+			ret = append(ret, openshiftAdmissionPluginsForKubeAfterResourceQuota...)
+		}
+	}
+	return ret
+}
+
+func NewDefaultOffPluginsFunc(kubeDefaultOffAdmission sets.Set[string]) func() sets.Set[string] {
+	return func() sets.Set[string] {
+		kubeOff := sets.New[string](kubeDefaultOffAdmission.UnsortedList()...)
+		kubeOff.Delete(additionalDefaultOnPlugins.List()...)
+		kubeOff.Delete(openshiftAdmissionPluginsForKubeBeforeMutating...)
+		kubeOff.Delete(openshiftAdmissionPluginsForKubeAfterResourceQuota...)
+		kubeOff.Delete(customresourcevalidationregistration.AllCustomResourceValidators...)
+		return kubeOff
+	}
+}

openshift-kube-apiserver/admission/admissionenablement/register_test.go

@@ -0,0 +1,55 @@
+package admissionenablement
+
+import (
+	"reflect"
+	"testing"
+
+	"k8s.io/apimachinery/pkg/util/sets"
+	"k8s.io/apiserver/pkg/admission"
+	genericapiserver "k8s.io/apiserver/pkg/server"
+	"k8s.io/kubernetes/pkg/kubeapiserver/options"
+
+	"github.com/openshift/library-go/pkg/apiserver/admission/admissionregistrationtesting"
+	"k8s.io/kubernetes/openshift-kube-apiserver/admission/customresourcevalidation/customresourcevalidationregistration"
+)
+
+func TestAdmissionRegistration(t *testing.T) {
+	orderedAdmissionChain := NewOrderedKubeAdmissionPlugins(options.AllOrderedPlugins)
+	defaultOffPlugins := NewDefaultOffPluginsFunc(options.DefaultOffAdmissionPlugins())()
+	registerAllAdmissionPlugins := func(plugins *admission.Plugins) {
+		genericapiserver.RegisterAllAdmissionPlugins(plugins)
+		options.RegisterAllAdmissionPlugins(plugins)
+		RegisterOpenshiftKubeAdmissionPlugins(plugins)
+		customresourcevalidationregistration.RegisterCustomResourceValidation(plugins)
+	}
+	plugins := admission.NewPlugins()
+	registerAllAdmissionPlugins(plugins)
+
+	err := admissionregistrationtesting.AdmissionRegistrationTest(plugins, orderedAdmissionChain, sets.Set[string](defaultOffPlugins))
+	if err != nil {
+		t.Fatal(err)
+	}
+}
+
+// TestResourceQuotaBeforeClusterResourceQuota simply test wheather ResourceQuota plugin is before ClusterResourceQuota plugin
+func TestResourceQuotaBeforeClusterResourceQuota(t *testing.T) {
+	orderedAdmissionChain := NewOrderedKubeAdmissionPlugins(options.AllOrderedPlugins)
+
+	expectedOrderedAdmissionSubChain := []string{"ResourceQuota", "quota.openshift.io/ClusterResourceQuota", "AlwaysDeny"}
+	actualOrderedAdmissionChain := extractSubChain(orderedAdmissionChain, expectedOrderedAdmissionSubChain[0])
+
+	if !reflect.DeepEqual(actualOrderedAdmissionChain, expectedOrderedAdmissionSubChain) {
+		t.Fatalf("expected %v, got %v ", expectedOrderedAdmissionSubChain, actualOrderedAdmissionChain)
+	}
+}
+
+func extractSubChain(admissionChain []string, takeFrom string) []string {
+	indexOfTake := 0
+	for index, admission := range admissionChain {
+		if admission == takeFrom {
+			indexOfTake = index
+			break
+		}
+	}
+	return admissionChain[indexOfTake:]
+}

openshift-kube-apiserver/admission/authorization/restrictusers/groupcache_test.go

@@ -0,0 +1,28 @@
+package restrictusers
+
+import (
+	userv1 "github.com/openshift/api/user/v1"
+)
+
+type fakeGroupCache struct {
+	groups []userv1.Group
+}
+
+func (g fakeGroupCache) GroupsFor(user string) ([]*userv1.Group, error) {
+	ret := []*userv1.Group{}
+	for i := range g.groups {
+		group := &g.groups[i]
+		for _, currUser := range group.Users {
+			if user == currUser {
+				ret = append(ret, group)
+				break
+			}
+		}
+
+	}
+	return ret, nil
+}
+
+func (g fakeGroupCache) HasSynced() bool {
+	return true
+}

openshift-kube-apiserver/admission/authorization/restrictusers/intializers.go

@@ -0,0 +1,28 @@
+package restrictusers
+
+import (
+	"k8s.io/apiserver/pkg/admission"
+
+	userinformer "github.com/openshift/client-go/user/informers/externalversions"
+)
+
+func NewInitializer(userInformer userinformer.SharedInformerFactory) admission.PluginInitializer {
+	return &localInitializer{userInformer: userInformer}
+}
+
+type WantsUserInformer interface {
+	SetUserInformer(userinformer.SharedInformerFactory)
+	admission.InitializationValidator
+}
+
+type localInitializer struct {
+	userInformer userinformer.SharedInformerFactory
+}
+
+// Initialize will check the initialization interfaces implemented by each plugin
+// and provide the appropriate initialization data
+func (i *localInitializer) Initialize(plugin admission.Interface) {
+	if wants, ok := plugin.(WantsUserInformer); ok {
+		wants.SetUserInformer(i.userInformer)
+	}
+}