diff --git a/go.mod b/go.mod index f84548222f..e6af6909f4 100644 --- a/go.mod +++ b/go.mod @@ -40,14 +40,14 @@ require ( google.golang.org/grpc v1.64.0 gopkg.in/yaml.v2 v2.4.0 k8s.io/api v0.30.2 - k8s.io/apiextensions-apiserver v0.30.1 + k8s.io/apiextensions-apiserver v0.30.2 k8s.io/apimachinery v0.30.2 - k8s.io/apiserver v0.30.1 + k8s.io/apiserver v0.30.2 k8s.io/client-go v0.30.2 k8s.io/code-generator v0.30.2 k8s.io/component-base v0.30.2 k8s.io/klog v1.0.0 - k8s.io/kube-aggregator v0.30.1 + k8s.io/kube-aggregator v0.30.2 k8s.io/kube-openapi v0.0.0-20240228011516-70dd3763d340 k8s.io/utils v0.0.0-20240102154912-e7106e64919e sigs.k8s.io/controller-runtime v0.18.4 @@ -168,7 +168,7 @@ require ( gopkg.in/yaml.v3 v3.0.1 // indirect k8s.io/gengo/v2 v2.0.0-20240228010128-51d4e06bde70 // indirect k8s.io/klog/v2 v2.120.1 // indirect - k8s.io/kms v0.30.1 // indirect + k8s.io/kms v0.30.2 // indirect sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.29.0 // indirect sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect sigs.k8s.io/structured-merge-diff/v4 v4.4.1 // indirect diff --git a/go.sum b/go.sum index ab3dcd2b25..4bb8f0d2da 100644 --- a/go.sum +++ b/go.sum @@ -2818,12 +2818,12 @@ honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9 honnef.co/go/tools v0.1.3/go.mod h1:NgwopIslSNH47DimFoV78dnkksY2EFtX0ajyb3K/las= k8s.io/api v0.30.2 h1:+ZhRj+28QT4UOH+BKznu4CBgPWgkXO7XAvMcMl0qKvI= k8s.io/api v0.30.2/go.mod h1:ULg5g9JvOev2dG0u2hig4Z7tQ2hHIuS+m8MNZ+X6EmI= -k8s.io/apiextensions-apiserver v0.30.1 h1:4fAJZ9985BmpJG6PkoxVRpXv9vmPUOVzl614xarePws= -k8s.io/apiextensions-apiserver v0.30.1/go.mod h1:R4GuSrlhgq43oRY9sF2IToFh7PVlF1JjfWdoG3pixk4= +k8s.io/apiextensions-apiserver v0.30.2 h1:l7Eue2t6QiLHErfn2vwK4KgF4NeDgjQkCXtEbOocKIE= +k8s.io/apiextensions-apiserver v0.30.2/go.mod h1:lsJFLYyK40iguuinsb3nt+Sj6CmodSI4ACDLep1rgjw= k8s.io/apimachinery v0.30.2 h1:fEMcnBj6qkzzPGSVsAZtQThU62SmQ4ZymlXRC5yFSCg= k8s.io/apimachinery v0.30.2/go.mod h1:iexa2somDaxdnj7bha06bhb43Zpa6eWH8N8dbqVjTUc= -k8s.io/apiserver v0.30.1 h1:BEWEe8bzS12nMtDKXzCF5Q5ovp6LjjYkSp8qOPk8LZ8= -k8s.io/apiserver v0.30.1/go.mod h1:i87ZnQ+/PGAmSbD/iEKM68bm1D5reX8fO4Ito4B01mo= +k8s.io/apiserver v0.30.2 h1:ACouHiYl1yFI2VFI3YGM+lvxgy6ir4yK2oLOsLI1/tw= +k8s.io/apiserver v0.30.2/go.mod h1:BOTdFBIch9Sv0ypSEcUR6ew/NUFGocRFNl72Ra7wTm8= k8s.io/client-go v0.30.2 h1:sBIVJdojUNPDU/jObC+18tXWcTJVcwyqS9diGdWHk50= k8s.io/client-go v0.30.2/go.mod h1:JglKSWULm9xlJLx4KCkfLLQ7XwtlbflV6uFFSHTMgVs= k8s.io/code-generator v0.30.2 h1:ZY1+aGkqZVwKIyGsOzquaeZ5rSfE6wZHur8z3jQAaiw= @@ -2836,10 +2836,10 @@ k8s.io/klog v1.0.0 h1:Pt+yjF5aB1xDSVbau4VsWe+dQNzA0qv1LlXdC2dF6Q8= k8s.io/klog v1.0.0/go.mod h1:4Bi6QPql/J/LkTDqv7R/cd3hPo4k2DG6Ptcz060Ez5I= k8s.io/klog/v2 v2.120.1 h1:QXU6cPEOIslTGvZaXvFWiP9VKyeet3sawzTOvdXb4Vw= k8s.io/klog/v2 v2.120.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE= -k8s.io/kms v0.30.1 h1:gEIbEeCbFiaN2tNfp/EUhFdGr5/CSj8Eyq6Mkr7cCiY= -k8s.io/kms v0.30.1/go.mod h1:GrMurD0qk3G4yNgGcsCEmepqf9KyyIrTXYR2lyUOJC4= -k8s.io/kube-aggregator v0.30.1 h1:ymR2BsxDacTKwzKTuNhGZttuk009c+oZbSeD+IPX5q4= -k8s.io/kube-aggregator v0.30.1/go.mod h1:SFbqWsM6ea8dHd3mPLsZFzJHbjBOS5ykIgJh4znZ5iQ= +k8s.io/kms v0.30.2 h1:VSZILO/tkzrz5Tu2j+yFQZ2Dc5JerQZX2GqhFJbQrfw= +k8s.io/kms v0.30.2/go.mod h1:GrMurD0qk3G4yNgGcsCEmepqf9KyyIrTXYR2lyUOJC4= +k8s.io/kube-aggregator v0.30.2 h1:0+yk/ED6foCprY8VmkDPUhngjaAPKsNTXB/UrtvbIz0= +k8s.io/kube-aggregator v0.30.2/go.mod h1:EhqCfDdxysNWXk1wRL9SEHAdo1DKl6EULQagztkBcXE= k8s.io/kube-openapi v0.0.0-20240228011516-70dd3763d340 h1:BZqlfIlq5YbRMFko6/PM7FjZpUb45WallggurYhKGag= k8s.io/kube-openapi v0.0.0-20240228011516-70dd3763d340/go.mod h1:yD4MZYeKMBwQKVht279WycxKyM84kkAx2DPrTXaeb98= k8s.io/utils v0.0.0-20240102154912-e7106e64919e h1:eQ/4ljkx21sObifjzXwlPKpdGLrCfRziVtos3ofG/sQ= diff --git a/vendor/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/validation/validation.go b/vendor/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/validation/validation.go index 970a6519c1..7133776fbb 100644 --- a/vendor/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/validation/validation.go +++ b/vendor/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/validation/validation.go @@ -92,7 +92,8 @@ func ValidateCustomResourceDefinition(ctx context.Context, obj *apiextensions.Cu requirePrunedDefaults: true, requireAtomicSetType: true, requireMapListKeysMapSetValidation: true, - celEnvironmentSet: environment.MustBaseEnvSet(environment.DefaultCompatibilityVersion()), + // strictCost is always true to enforce cost limits. + celEnvironmentSet: environment.MustBaseEnvSet(environment.DefaultCompatibilityVersion(), true), } allErrs := genericvalidation.ValidateObjectMeta(&obj.ObjectMeta, false, nameValidationFn, field.NewPath("metadata")) @@ -231,7 +232,8 @@ func ValidateCustomResourceDefinitionUpdate(ctx context.Context, obj, oldObj *ap requireMapListKeysMapSetValidation: requireMapListKeysMapSetValidation(&oldObj.Spec), preexistingExpressions: findPreexistingExpressions(&oldObj.Spec), versionsWithUnchangedSchemas: findVersionsWithUnchangedSchemas(obj, oldObj), - celEnvironmentSet: environment.MustBaseEnvSet(environment.DefaultCompatibilityVersion()), + // strictCost is always true to enforce cost limits. + celEnvironmentSet: environment.MustBaseEnvSet(environment.DefaultCompatibilityVersion(), true), } return validateCustomResourceDefinitionUpdate(ctx, obj, oldObj, opts) } diff --git a/vendor/k8s.io/apiextensions-apiserver/pkg/apiserver/schema/cel/validation.go b/vendor/k8s.io/apiextensions-apiserver/pkg/apiserver/schema/cel/validation.go index b4c8afa9af..d9b595805b 100644 --- a/vendor/k8s.io/apiextensions-apiserver/pkg/apiserver/schema/cel/validation.go +++ b/vendor/k8s.io/apiextensions-apiserver/pkg/apiserver/schema/cel/validation.go @@ -90,7 +90,8 @@ func NewValidator(s *schema.Structural, isResourceRoot bool, perCallLimit uint64 // exist. declType is expected to be a CEL DeclType corresponding to the structural schema. // perCallLimit was added for testing purpose only. Callers should always use const PerCallLimit from k8s.io/apiserver/pkg/apis/cel/config.go as input. func validator(s *schema.Structural, isResourceRoot bool, declType *cel.DeclType, perCallLimit uint64) *Validator { - compiledRules, err := Compile(s, declType, perCallLimit, environment.MustBaseEnvSet(environment.DefaultCompatibilityVersion()), StoredExpressionsEnvLoader()) + // strictCost is always true to enforce cost limits. + compiledRules, err := Compile(s, declType, perCallLimit, environment.MustBaseEnvSet(environment.DefaultCompatibilityVersion(), true), StoredExpressionsEnvLoader()) var itemsValidator, additionalPropertiesValidator *Validator var propertiesValidators map[string]Validator if s.Items != nil { diff --git a/vendor/k8s.io/apiserver/pkg/admission/plugin/cel/compile.go b/vendor/k8s.io/apiserver/pkg/admission/plugin/cel/compile.go index b7b589d273..bb5e233d45 100644 --- a/vendor/k8s.io/apiserver/pkg/admission/plugin/cel/compile.go +++ b/vendor/k8s.io/apiserver/pkg/admission/plugin/cel/compile.go @@ -222,40 +222,48 @@ func (c compiler) CompileCELExpression(expressionAccessor ExpressionAccessor, op func mustBuildEnvs(baseEnv *environment.EnvSet) variableDeclEnvs { requestType := BuildRequestType() namespaceType := BuildNamespaceType() - envs := make(variableDeclEnvs, 4) // since the number of variable combinations is small, pre-build a environment for each + envs := make(variableDeclEnvs, 8) // since the number of variable combinations is small, pre-build a environment for each for _, hasParams := range []bool{false, true} { for _, hasAuthorizer := range []bool{false, true} { - var envOpts []cel.EnvOption - if hasParams { - envOpts = append(envOpts, cel.Variable(ParamsVarName, cel.DynType)) - } - if hasAuthorizer { + for _, strictCost := range []bool{false, true} { + var envOpts []cel.EnvOption + if hasParams { + envOpts = append(envOpts, cel.Variable(ParamsVarName, cel.DynType)) + } + if hasAuthorizer { + envOpts = append(envOpts, + cel.Variable(AuthorizerVarName, library.AuthorizerType), + cel.Variable(RequestResourceAuthorizerVarName, library.ResourceCheckType)) + } envOpts = append(envOpts, - cel.Variable(AuthorizerVarName, library.AuthorizerType), - cel.Variable(RequestResourceAuthorizerVarName, library.ResourceCheckType)) - } - envOpts = append(envOpts, - cel.Variable(ObjectVarName, cel.DynType), - cel.Variable(OldObjectVarName, cel.DynType), - cel.Variable(NamespaceVarName, namespaceType.CelType()), - cel.Variable(RequestVarName, requestType.CelType())) + cel.Variable(ObjectVarName, cel.DynType), + cel.Variable(OldObjectVarName, cel.DynType), + cel.Variable(NamespaceVarName, namespaceType.CelType()), + cel.Variable(RequestVarName, requestType.CelType())) - extended, err := baseEnv.Extend( - environment.VersionedOptions{ - // Feature epoch was actually 1.26, but we artificially set it to 1.0 because these - // options should always be present. - IntroducedVersion: version.MajorMinor(1, 0), - EnvOptions: envOpts, - DeclTypes: []*apiservercel.DeclType{ - namespaceType, - requestType, + extended, err := baseEnv.Extend( + environment.VersionedOptions{ + // Feature epoch was actually 1.26, but we artificially set it to 1.0 because these + // options should always be present. + IntroducedVersion: version.MajorMinor(1, 0), + EnvOptions: envOpts, + DeclTypes: []*apiservercel.DeclType{ + namespaceType, + requestType, + }, }, - }, - ) - if err != nil { - panic(fmt.Sprintf("environment misconfigured: %v", err)) + ) + if err != nil { + panic(fmt.Sprintf("environment misconfigured: %v", err)) + } + if strictCost { + extended, err = extended.Extend(environment.StrictCostOpt) + if err != nil { + panic(fmt.Sprintf("environment misconfigured: %v", err)) + } + } + envs[OptionalVariableDeclarations{HasParams: hasParams, HasAuthorizer: hasAuthorizer, StrictCost: strictCost}] = extended } - envs[OptionalVariableDeclarations{HasParams: hasParams, HasAuthorizer: hasAuthorizer}] = extended } } return envs diff --git a/vendor/k8s.io/apiserver/pkg/admission/plugin/cel/interface.go b/vendor/k8s.io/apiserver/pkg/admission/plugin/cel/interface.go index c9f4e63369..ae61dc826c 100644 --- a/vendor/k8s.io/apiserver/pkg/admission/plugin/cel/interface.go +++ b/vendor/k8s.io/apiserver/pkg/admission/plugin/cel/interface.go @@ -57,10 +57,12 @@ type OptionalVariableDeclarations struct { // HasParams specifies if the "params" variable is declared. // The "params" variable may still be bound to "null" when declared. HasParams bool - // HasAuthorizer specifies if the"authorizer" and "authorizer.requestResource" + // HasAuthorizer specifies if the "authorizer" and "authorizer.requestResource" // variables are declared. When declared, the authorizer variables are // expected to be non-null. HasAuthorizer bool + // StrictCost specifies if the CEL cost limitation is strict for extended libraries as well as native libraries. + StrictCost bool } // FilterCompiler contains a function to assist with converting types and values to/from CEL-typed values. diff --git a/vendor/k8s.io/apiserver/pkg/admission/plugin/policy/validating/plugin.go b/vendor/k8s.io/apiserver/pkg/admission/plugin/policy/validating/plugin.go index c286cffbdc..fb097737a8 100644 --- a/vendor/k8s.io/apiserver/pkg/admission/plugin/policy/validating/plugin.go +++ b/vendor/k8s.io/apiserver/pkg/admission/plugin/policy/validating/plugin.go @@ -31,6 +31,7 @@ import ( "k8s.io/apiserver/pkg/authorization/authorizer" "k8s.io/apiserver/pkg/cel/environment" "k8s.io/apiserver/pkg/features" + utilfeature "k8s.io/apiserver/pkg/util/feature" "k8s.io/client-go/dynamic" "k8s.io/client-go/informers" "k8s.io/client-go/kubernetes" @@ -43,13 +44,21 @@ const ( ) var ( - compositionEnvTemplate *cel.CompositionEnv = func() *cel.CompositionEnv { - compositionEnvTemplate, err := cel.NewCompositionEnv(cel.VariablesTypeName, environment.MustBaseEnvSet(environment.DefaultCompatibilityVersion())) + compositionEnvTemplateWithStrictCost *cel.CompositionEnv = func() *cel.CompositionEnv { + compositionEnvTemplateWithStrictCost, err := cel.NewCompositionEnv(cel.VariablesTypeName, environment.MustBaseEnvSet(environment.DefaultCompatibilityVersion(), true)) if err != nil { panic(err) } - return compositionEnvTemplate + return compositionEnvTemplateWithStrictCost + }() + compositionEnvTemplateWithoutStrictCost *cel.CompositionEnv = func() *cel.CompositionEnv { + compositionEnvTemplateWithoutStrictCost, err := cel.NewCompositionEnv(cel.VariablesTypeName, environment.MustBaseEnvSet(environment.DefaultCompatibilityVersion(), false)) + if err != nil { + panic(err) + } + + return compositionEnvTemplateWithoutStrictCost }() ) @@ -114,12 +123,18 @@ func compilePolicy(policy *Policy) Validator { if policy.Spec.ParamKind != nil { hasParam = true } - optionalVars := cel.OptionalVariableDeclarations{HasParams: hasParam, HasAuthorizer: true} - expressionOptionalVars := cel.OptionalVariableDeclarations{HasParams: hasParam, HasAuthorizer: false} + strictCost := utilfeature.DefaultFeatureGate.Enabled(features.StrictCostEnforcementForVAP) + optionalVars := cel.OptionalVariableDeclarations{HasParams: hasParam, HasAuthorizer: true, StrictCost: strictCost} + expressionOptionalVars := cel.OptionalVariableDeclarations{HasParams: hasParam, HasAuthorizer: false, StrictCost: strictCost} failurePolicy := policy.Spec.FailurePolicy var matcher matchconditions.Matcher = nil matchConditions := policy.Spec.MatchConditions - + var compositionEnvTemplate *cel.CompositionEnv + if strictCost { + compositionEnvTemplate = compositionEnvTemplateWithStrictCost + } else { + compositionEnvTemplate = compositionEnvTemplateWithoutStrictCost + } filterCompiler := cel.NewCompositedCompilerFromTemplate(compositionEnvTemplate) filterCompiler.CompileAndStoreVariables(convertv1beta1Variables(policy.Spec.Variables), optionalVars, environment.StoredExpressions) diff --git a/vendor/k8s.io/apiserver/pkg/admission/plugin/policy/validating/typechecking.go b/vendor/k8s.io/apiserver/pkg/admission/plugin/policy/validating/typechecking.go index 16184b4bad..192be9621b 100644 --- a/vendor/k8s.io/apiserver/pkg/admission/plugin/policy/validating/typechecking.go +++ b/vendor/k8s.io/apiserver/pkg/admission/plugin/policy/validating/typechecking.go @@ -39,6 +39,8 @@ import ( "k8s.io/apiserver/pkg/cel/library" "k8s.io/apiserver/pkg/cel/openapi" "k8s.io/apiserver/pkg/cel/openapi/resolver" + "k8s.io/apiserver/pkg/features" + utilfeature "k8s.io/apiserver/pkg/util/feature" "k8s.io/klog/v2" ) @@ -210,6 +212,7 @@ func (c *TypeChecker) CheckExpression(ctx *TypeCheckingContext, expression strin options := plugincel.OptionalVariableDeclarations{ HasParams: ctx.paramDeclType != nil, HasAuthorizer: true, + StrictCost: utilfeature.DefaultFeatureGate.Enabled(features.StrictCostEnforcementForVAP), } compiler.CompileAndStoreVariables(convertv1beta1Variables(ctx.variables), options, environment.StoredExpressions) result := compiler.CompileCELExpression(celExpression(expression), options, environment.StoredExpressions) @@ -391,7 +394,7 @@ func (c *TypeChecker) tryRefreshRESTMapper() { } func buildEnvSet(hasParams bool, hasAuthorizer bool, types typeOverwrite) (*environment.EnvSet, error) { - baseEnv := environment.MustBaseEnvSet(environment.DefaultCompatibilityVersion()) + baseEnv := environment.MustBaseEnvSet(environment.DefaultCompatibilityVersion(), utilfeature.DefaultFeatureGate.Enabled(features.StrictCostEnforcementForVAP)) requestType := plugincel.BuildRequestType() namespaceType := plugincel.BuildNamespaceType() diff --git a/vendor/k8s.io/apiserver/pkg/admission/plugin/webhook/accessors.go b/vendor/k8s.io/apiserver/pkg/admission/plugin/webhook/accessors.go index e60d245a62..f23580cc09 100644 --- a/vendor/k8s.io/apiserver/pkg/admission/plugin/webhook/accessors.go +++ b/vendor/k8s.io/apiserver/pkg/admission/plugin/webhook/accessors.go @@ -27,6 +27,8 @@ import ( "k8s.io/apiserver/pkg/admission/plugin/webhook/predicates/namespace" "k8s.io/apiserver/pkg/admission/plugin/webhook/predicates/object" "k8s.io/apiserver/pkg/cel/environment" + "k8s.io/apiserver/pkg/features" + utilfeature "k8s.io/apiserver/pkg/util/feature" webhookutil "k8s.io/apiserver/pkg/util/webhook" "k8s.io/client-go/rest" ) @@ -139,11 +141,16 @@ func (m *mutatingWebhookAccessor) GetCompiledMatcher(compiler cel.FilterCompiler Expression: matchCondition.Expression, } } + strictCost := false + if utilfeature.DefaultFeatureGate.Enabled(features.StrictCostEnforcementForWebhooks) { + strictCost = true + } m.compiledMatcher = matchconditions.NewMatcher(compiler.Compile( expressions, cel.OptionalVariableDeclarations{ HasParams: false, HasAuthorizer: true, + StrictCost: strictCost, }, environment.StoredExpressions, ), m.FailurePolicy, "webhook", "admit", m.Name) @@ -267,11 +274,16 @@ func (v *validatingWebhookAccessor) GetCompiledMatcher(compiler cel.FilterCompil Expression: matchCondition.Expression, } } + strictCost := false + if utilfeature.DefaultFeatureGate.Enabled(features.StrictCostEnforcementForWebhooks) { + strictCost = true + } v.compiledMatcher = matchconditions.NewMatcher(compiler.Compile( expressions, cel.OptionalVariableDeclarations{ HasParams: false, HasAuthorizer: true, + StrictCost: strictCost, }, environment.StoredExpressions, ), v.FailurePolicy, "webhook", "validating", v.Name) diff --git a/vendor/k8s.io/apiserver/pkg/admission/plugin/webhook/generic/webhook.go b/vendor/k8s.io/apiserver/pkg/admission/plugin/webhook/generic/webhook.go index 6a513f1c11..f067b3f723 100644 --- a/vendor/k8s.io/apiserver/pkg/admission/plugin/webhook/generic/webhook.go +++ b/vendor/k8s.io/apiserver/pkg/admission/plugin/webhook/generic/webhook.go @@ -21,7 +21,6 @@ import ( "fmt" "io" - admissionmetrics "k8s.io/apiserver/pkg/admission/metrics" "k8s.io/klog/v2" admissionv1 "k8s.io/api/admission/v1" @@ -31,6 +30,7 @@ import ( "k8s.io/apimachinery/pkg/runtime/schema" "k8s.io/apiserver/pkg/admission" genericadmissioninit "k8s.io/apiserver/pkg/admission/initializer" + admissionmetrics "k8s.io/apiserver/pkg/admission/metrics" "k8s.io/apiserver/pkg/admission/plugin/cel" "k8s.io/apiserver/pkg/admission/plugin/webhook" "k8s.io/apiserver/pkg/admission/plugin/webhook/config" @@ -39,6 +39,8 @@ import ( "k8s.io/apiserver/pkg/admission/plugin/webhook/predicates/rules" "k8s.io/apiserver/pkg/authorization/authorizer" "k8s.io/apiserver/pkg/cel/environment" + "k8s.io/apiserver/pkg/features" + utilfeature "k8s.io/apiserver/pkg/util/feature" webhookutil "k8s.io/apiserver/pkg/util/webhook" "k8s.io/client-go/informers" clientset "k8s.io/client-go/kubernetes" @@ -100,7 +102,7 @@ func NewWebhook(handler *admission.Handler, configFile io.Reader, sourceFactory namespaceMatcher: &namespace.Matcher{}, objectMatcher: &object.Matcher{}, dispatcher: dispatcherFactory(&cm), - filterCompiler: cel.NewFilterCompiler(environment.MustBaseEnvSet(environment.DefaultCompatibilityVersion())), + filterCompiler: cel.NewFilterCompiler(environment.MustBaseEnvSet(environment.DefaultCompatibilityVersion(), utilfeature.DefaultFeatureGate.Enabled(features.StrictCostEnforcementForWebhooks))), }, nil } diff --git a/vendor/k8s.io/apiserver/pkg/apis/apiserver/validation/validation.go b/vendor/k8s.io/apiserver/pkg/apis/apiserver/validation/validation.go index 35ee8a4503..471eb4a741 100644 --- a/vendor/k8s.io/apiserver/pkg/apis/apiserver/validation/validation.go +++ b/vendor/k8s.io/apiserver/pkg/apis/apiserver/validation/validation.go @@ -91,7 +91,8 @@ func CompileAndValidateJWTAuthenticator(authenticator api.JWTAuthenticator, disa func validateJWTAuthenticator(authenticator api.JWTAuthenticator, fldPath *field.Path, disallowedIssuers sets.Set[string], structuredAuthnFeatureEnabled bool) (authenticationcel.CELMapper, field.ErrorList) { var allErrs field.ErrorList - compiler := authenticationcel.NewCompiler(environment.MustBaseEnvSet(environment.DefaultCompatibilityVersion())) + // strictCost is set to true which enables the strict cost for CEL validation. + compiler := authenticationcel.NewCompiler(environment.MustBaseEnvSet(environment.DefaultCompatibilityVersion(), true)) state := &validationState{} allErrs = append(allErrs, validateIssuer(authenticator.Issuer, disallowedIssuers, fldPath.Child("issuer"))...) @@ -722,7 +723,8 @@ func compileMatchConditions(matchConditions []api.WebhookMatchCondition, fldPath return nil, allErrs } - compiler := authorizationcel.NewCompiler(environment.MustBaseEnvSet(environment.DefaultCompatibilityVersion())) + // strictCost is set to true which enables the strict cost for CEL validation. + compiler := authorizationcel.NewCompiler(environment.MustBaseEnvSet(environment.DefaultCompatibilityVersion(), true)) seenExpressions := sets.NewString() var compilationResults []authorizationcel.CompilationResult diff --git a/vendor/k8s.io/apiserver/pkg/cel/environment/base.go b/vendor/k8s.io/apiserver/pkg/cel/environment/base.go index c108bdd644..2cea83c2e1 100644 --- a/vendor/k8s.io/apiserver/pkg/cel/environment/base.go +++ b/vendor/k8s.io/apiserver/pkg/cel/environment/base.go @@ -46,7 +46,9 @@ func DefaultCompatibilityVersion() *version.Version { return version.MajorMinor(1, 29) } -var baseOpts = []VersionedOptions{ +var baseOpts = append(baseOptsWithoutStrictCost, StrictCostOpt) + +var baseOptsWithoutStrictCost = []VersionedOptions{ { // CEL epoch was actually 1.23, but we artificially set it to 1.0 because these // options should always be present. @@ -132,6 +134,14 @@ var baseOpts = []VersionedOptions{ }, } +var StrictCostOpt = VersionedOptions{ + // This is to configure the cost calculation for extended libraries + IntroducedVersion: version.MajorMinor(1, 0), + ProgramOptions: []cel.ProgramOption{ + cel.CostTracking(&library.CostEstimator{}), + }, +} + // MustBaseEnvSet returns the common CEL base environments for Kubernetes for Version, or panics // if the version is nil, or does not have major and minor components. // @@ -141,7 +151,8 @@ var baseOpts = []VersionedOptions{ // The returned environment contains no CEL variable definitions or custom type declarations and // should be extended to construct environments with the appropriate variable definitions, // type declarations and any other needed configuration. -func MustBaseEnvSet(ver *version.Version) *EnvSet { +// strictCost is used to determine whether to enforce strict cost calculation for CEL expressions. +func MustBaseEnvSet(ver *version.Version, strictCost bool) *EnvSet { if ver == nil { panic("version must be non-nil") } @@ -149,19 +160,33 @@ func MustBaseEnvSet(ver *version.Version) *EnvSet { panic(fmt.Sprintf("version must contain an major and minor component, but got: %s", ver.String())) } key := strconv.FormatUint(uint64(ver.Major()), 10) + "." + strconv.FormatUint(uint64(ver.Minor()), 10) - if entry, ok := baseEnvs.Load(key); ok { - return entry.(*EnvSet) + var entry interface{} + if strictCost { + if entry, ok := baseEnvs.Load(key); ok { + return entry.(*EnvSet) + } + entry, _, _ = baseEnvsSingleflight.Do(key, func() (interface{}, error) { + entry := mustNewEnvSet(ver, baseOpts) + baseEnvs.Store(key, entry) + return entry, nil + }) + } else { + if entry, ok := baseEnvsWithOption.Load(key); ok { + return entry.(*EnvSet) + } + entry, _, _ = baseEnvsWithOptionSingleflight.Do(key, func() (interface{}, error) { + entry := mustNewEnvSet(ver, baseOptsWithoutStrictCost) + baseEnvsWithOption.Store(key, entry) + return entry, nil + }) } - entry, _, _ := baseEnvsSingleflight.Do(key, func() (interface{}, error) { - entry := mustNewEnvSet(ver, baseOpts) - baseEnvs.Store(key, entry) - return entry, nil - }) return entry.(*EnvSet) } var ( - baseEnvs = sync.Map{} - baseEnvsSingleflight = &singleflight.Group{} + baseEnvs = sync.Map{} + baseEnvsWithOption = sync.Map{} + baseEnvsSingleflight = &singleflight.Group{} + baseEnvsWithOptionSingleflight = &singleflight.Group{} ) diff --git a/vendor/k8s.io/apiserver/pkg/features/kube_features.go b/vendor/k8s.io/apiserver/pkg/features/kube_features.go index dbd41b8c5f..bae04d9545 100644 --- a/vendor/k8s.io/apiserver/pkg/features/kube_features.go +++ b/vendor/k8s.io/apiserver/pkg/features/kube_features.go @@ -220,6 +220,24 @@ const ( // if the generated name conflicts with an existing resource name, up to a maximum number of 7 retries. RetryGenerateName featuregate.Feature = "RetryGenerateName" + // owner: @cici37 + // alpha: v1.30 + // + // StrictCostEnforcementForVAP is used to apply strict CEL cost validation for ValidatingAdmissionPolicy. + // It will be set to off by default for certain time of period to prevent the impact on the existing users. + // It is strongly recommended to enable this feature gate as early as possible. + // The strict cost is specific for the extended libraries whose cost defined under k8s/apiserver/pkg/cel/library. + StrictCostEnforcementForVAP featuregate.Feature = "StrictCostEnforcementForVAP" + + // owner: @cici37 + // alpha: v1.30 + // + // StrictCostEnforcementForWebhooks is used to apply strict CEL cost validation for matchConditions in Webhooks. + // It will be set to off by default for certain time of period to prevent the impact on the existing users. + // It is strongly recommended to enable this feature gate as early as possible. + // The strict cost is specific for the extended libraries whose cost defined under k8s/apiserver/pkg/cel/library. + StrictCostEnforcementForWebhooks featuregate.Feature = "StrictCostEnforcementForWebhooks" + // owner: @caesarxuchao @roycaihw // alpha: v1.20 // @@ -347,6 +365,10 @@ var defaultKubernetesFeatureGates = map[featuregate.Feature]featuregate.FeatureS StorageVersionHash: {Default: true, PreRelease: featuregate.Beta}, + StrictCostEnforcementForVAP: {Default: false, PreRelease: featuregate.Beta}, + + StrictCostEnforcementForWebhooks: {Default: false, PreRelease: featuregate.Beta}, + StructuredAuthenticationConfiguration: {Default: true, PreRelease: featuregate.Beta}, StructuredAuthorizationConfiguration: {Default: true, PreRelease: featuregate.Beta}, diff --git a/vendor/modules.txt b/vendor/modules.txt index afabe0c34a..22fad0e66f 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -1021,7 +1021,7 @@ k8s.io/api/storage/v1 k8s.io/api/storage/v1alpha1 k8s.io/api/storage/v1beta1 k8s.io/api/storagemigration/v1alpha1 -# k8s.io/apiextensions-apiserver v0.30.1 +# k8s.io/apiextensions-apiserver v0.30.2 ## explicit; go 1.22.0 k8s.io/apiextensions-apiserver/pkg/apihelpers k8s.io/apiextensions-apiserver/pkg/apis/apiextensions @@ -1108,7 +1108,7 @@ k8s.io/apimachinery/pkg/version k8s.io/apimachinery/pkg/watch k8s.io/apimachinery/third_party/forked/golang/json k8s.io/apimachinery/third_party/forked/golang/reflect -# k8s.io/apiserver v0.30.1 +# k8s.io/apiserver v0.30.2 ## explicit; go 1.22.0 k8s.io/apiserver/pkg/admission k8s.io/apiserver/pkg/admission/configuration @@ -1657,13 +1657,13 @@ k8s.io/klog/v2/internal/severity k8s.io/klog/v2/internal/sloghandler k8s.io/klog/v2/internal/verbosity k8s.io/klog/v2/textlogger -# k8s.io/kms v0.30.1 +# k8s.io/kms v0.30.2 ## explicit; go 1.22.0 k8s.io/kms/apis/v1beta1 k8s.io/kms/apis/v2 k8s.io/kms/pkg/service k8s.io/kms/pkg/util -# k8s.io/kube-aggregator v0.30.1 +# k8s.io/kube-aggregator v0.30.2 ## explicit; go 1.22.0 k8s.io/kube-aggregator/pkg/apis/apiregistration k8s.io/kube-aggregator/pkg/apis/apiregistration/v1