Validation: remove CEL for PolicyTargetRef to allow vendor extensions #3414

Open
wants to merge 4 commits into
base: master
2 changes: 2 additions & 0 deletions extensions/v1alpha1/wasm.pb.go

2 changes: 2 additions & 0 deletions extensions/v1alpha1/wasm.pb.html

2 changes: 2 additions & 0 deletions extensions/v1alpha1/wasm.proto
Expand Up @@ -257,7 +257,9 @@ message WasmPlugin {
//
// Currently, the following resource attachment types are supported:
// * `kind: Gateway` with `group: gateway.networking.k8s.io` in the same namespace.
// * `kind: GatewayClass` with `group: gateway.networking.k8s.io` in the root namespace.
// * `kind: Service` with `group: ""` or `group: "core"` in the same namespace. This type is only supported for waypoints.
// * `kind: ServiceEntry` with `group: networking.istio.io` in the same namespace.
//
// If not set, the policy is applied as defined by the selector.
// At most one of the selector and targetRefs can be set.
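Review bot: The list under "Currently, the following resource attachment types are supported" in WasmPlugin still reads as exhaustive, while the PR title says the CEL check is being removed so that vendor extensions can use other group/kind values. Suggest adding a sentence here saying that references outside this list may be accepted by the schema but are only acted on by an implementation that recognises them, so the generated reference docs do not imply they are rejected.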
90 changes: 0 additions & 90 deletions kubernetes/customresourcedefinitions.gen.yaml

2 changes: 2 additions & 0 deletions networking/v1alpha3/envoy_filter.pb.go

2 changes: 2 additions & 0 deletions networking/v1alpha3/envoy_filter.pb.html

2 changes: 2 additions & 0 deletions networking/v1alpha3/envoy_filter.proto
Expand Up @@ -856,7 +856,9 @@ message EnvoyFilter {
//
// Currently, the following resource attachment types are supported:
// * `kind: Gateway` with `group: gateway.networking.k8s.io` in the same namespace.
// * `kind: GatewayClass` with `group: gateway.networking.k8s.io` in the root namespace.
// * `kind: Service` with `""` in the same namespace. This type is only supported for waypoints.
// * `kind: ServiceEntry` with `group: networking.istio.io` in the same namespace.
//
// If not set, the policy is applied as defined by the selector.
// At most one of the selector and targetRefs can be set.
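Review bot: The Service bullet in this EnvoyFilter comment reads `kind: Service` with `""`, which drops the `group:` label and the `group: "core"` alternative that the same bullet carries in wasm.proto, authorization_policy.proto, request_authentication.proto and telemetry.proto. If EnvoyFilter accepts the same values, align it to `kind: Service` with `group: ""` or `group: "core"`; if it really differs, say so explicitly.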
8 changes: 8 additions & 0 deletions releasenotes/notes/3412.yaml
@@ -0,0 +1,8 @@
apiVersion: release-notes/v2
kind: feature
area: traffic-management
issue:
- https://github.com/istio/istio/issues/54696
releaseNotes:
- |
**Removed** CEL validation of group/kind for PolicyTargetReference to enable vendor extensions
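Review bot: The releaseNotes text says only that CEL validation of group/kind was removed; it does not tell users that a targetRef with an unsupported group/kind may no longer be rejected when the resource is created, or how they would find out it was not applied, which is the question raised in the review thread. Suggest spelling that out, and reconsidering `area: traffic-management`, since the same change touches AuthorizationPolicy, RequestAuthentication, Telemetry and WasmPlugin. The file is named 3412.yaml while the PR is #3414; worth confirming that is intended.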
Contributor

If we're removing the CEL validation, should we add this to the OSS ValidatingWebhook?

Contributor Author

Maybe status, "you tried to bind to a beep.boop.bop.io/beepboop and Istiod has not honored this"

Contributor

Yeah that would work; just some indication since CEL isn't going to be enforcing it now

2 changes: 2 additions & 0 deletions security/v1beta1/authorization_policy.pb.go

2 changes: 2 additions & 0 deletions security/v1beta1/authorization_policy.pb.html

2 changes: 2 additions & 0 deletions security/v1beta1/authorization_policy.proto
Expand Up @@ -290,7 +290,9 @@ message AuthorizationPolicy {
//
// Currently, the following resource attachment types are supported:
// * `kind: Gateway` with `group: gateway.networking.k8s.io` in the same namespace.
// * `kind: GatewayClass` with `group: gateway.networking.k8s.io` in the root namespace.
// * `kind: Service` with `group: ""` or `group: "core"` in the same namespace. This type is only supported for waypoints.
// * `kind: ServiceEntry` with `group: networking.istio.io` in the same namespace.
//
// If not set, the policy is applied as defined by the selector.
// At most one of the selector and targetRefs can be set.
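Review bot: For AuthorizationPolicy this comment should state what happens when targetRefs names a group/kind outside the list. With the CEL check gone, a policy aimed at an unrecognised target could be stored without being enforced, and its author would have no signal that the intended access rule is not in effect. Suggest documenting that case here and tying it to the status message proposed in the review thread.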
2 changes: 2 additions & 0 deletions security/v1beta1/request_authentication.pb.go

2 changes: 2 additions & 0 deletions security/v1beta1/request_authentication.pb.html

2 changes: 2 additions & 0 deletions security/v1beta1/request_authentication.proto
Expand Up @@ -264,7 +264,9 @@ message RequestAuthentication {
//
// Currently, the following resource attachment types are supported:
// * `kind: Gateway` with `group: gateway.networking.k8s.io` in the same namespace.
// * `kind: GatewayClass` with `group: gateway.networking.k8s.io` in the root namespace.
// * `kind: Service` with `group: ""` or `group: "core"` in the same namespace. This type is only supported for waypoints.
// * `kind: ServiceEntry` with `group: networking.istio.io` in the same namespace.
//
// If not set, the policy is applied as defined by the selector.
// At most one of the selector and targetRefs can be set.
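Review bot: In the GatewayClass bullet, "in the root namespace" is ambiguous: the other bullets use "in the same namespace" for the target relative to the policy, but GatewayClass is a cluster-scoped resource and has no namespace. Suggest rewording to say that the RequestAuthentication itself must be in the root namespace, if that is the intent.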
2 changes: 2 additions & 0 deletions telemetry/v1alpha1/telemetry.pb.go

2 changes: 2 additions & 0 deletions telemetry/v1alpha1/telemetry.pb.html

2 changes: 2 additions & 0 deletions telemetry/v1alpha1/telemetry.proto
Expand Up @@ -282,7 +282,9 @@ message Telemetry {
//
// Currently, the following resource attachment types are supported:
// * `kind: Gateway` with `group: gateway.networking.k8s.io` in the same namespace.
// * `kind: GatewayClass` with `group: gateway.networking.k8s.io` in the root namespace.
// * `kind: Service` with `group: ""` or `group: "core"` in the same namespace. This type is only supported for waypoints.
// * `kind: ServiceEntry` with `group: networking.istio.io` in the same namespace.
//
// If not set, the policy is applied as defined by the selector.
// At most one of the selector and targetRefs can be set.
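Review bot: "At most one of the selector and targetRefs can be set" is still stated in this Telemetry comment, but kubernetes/customresourcedefinitions.gen.yaml loses 90 lines in this PR and its diff is not shown. Please confirm that only the group/kind rules were dropped and that the selector/targetRefs exclusivity rule is still generated; otherwise this sentence describes a constraint nothing enforces.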