API-1863: Rebase 1.31

hack/openapi-violation.list

@@ -85,9 +85,6 @@ API rule violation: list_type_missing,github.com/openshift/api/config/v1,Feature
 API rule violation: list_type_missing,github.com/openshift/api/config/v1,GenericAPIServerConfig,CORSAllowedOrigins
 API rule violation: list_type_missing,github.com/openshift/api/config/v1,GitHubIdentityProvider,Organizations
 API rule violation: list_type_missing,github.com/openshift/api/config/v1,GitHubIdentityProvider,Teams
-API rule violation: list_type_missing,github.com/openshift/api/config/v1,ImageSpec,AllowedRegistriesForImport
-API rule violation: list_type_missing,github.com/openshift/api/config/v1,ImageSpec,ExternalRegistryHostnames
-API rule violation: list_type_missing,github.com/openshift/api/config/v1,ImageStatus,ExternalRegistryHostnames
 API rule violation: list_type_missing,github.com/openshift/api/config/v1,IngressSpec,RequiredHSTSPolicies
 API rule violation: list_type_missing,github.com/openshift/api/config/v1,LDAPAttributeMapping,Email
 API rule violation: list_type_missing,github.com/openshift/api/config/v1,LDAPAttributeMapping,ID
@@ -98,9 +95,6 @@ API rule violation: list_type_missing,github.com/openshift/api/config/v1,OpenIDI
 API rule violation: list_type_missing,github.com/openshift/api/config/v1,OperatorHubSpec,Sources
 API rule violation: list_type_missing,github.com/openshift/api/config/v1,OperatorHubStatus,Sources
 API rule violation: list_type_missing,github.com/openshift/api/config/v1,ProxySpec,ReadinessEndpoints
-API rule violation: list_type_missing,github.com/openshift/api/config/v1,RegistrySources,AllowedRegistries
-API rule violation: list_type_missing,github.com/openshift/api/config/v1,RegistrySources,BlockedRegistries
-API rule violation: list_type_missing,github.com/openshift/api/config/v1,RegistrySources,InsecureRegistries
 API rule violation: list_type_missing,github.com/openshift/api/config/v1,RequestHeaderIdentityProvider,ClientCommonNames
 API rule violation: list_type_missing,github.com/openshift/api/config/v1,RequestHeaderIdentityProvider,EmailHeaders
 API rule violation: list_type_missing,github.com/openshift/api/config/v1,RequestHeaderIdentityProvider,Headers
@@ -329,31 +323,16 @@ API rule violation: list_type_missing,github.com/openshift/api/osin/v1,RequestHe
 API rule violation: list_type_missing,github.com/openshift/api/osin/v1,SessionSecrets,Secrets
 API rule violation: list_type_missing,github.com/openshift/api/project/v1,ProjectSpec,Finalizers
 API rule violation: list_type_missing,github.com/openshift/api/project/v1,ProjectStatus,Conditions
-API rule violation: list_type_missing,github.com/openshift/api/route/v1,RouteIngress,Conditions
-API rule violation: list_type_missing,github.com/openshift/api/route/v1,RouteSpec,AlternateBackends
-API rule violation: list_type_missing,github.com/openshift/api/route/v1,RouteStatus,Ingress
 API rule violation: list_type_missing,github.com/openshift/api/samples/v1,ConfigSpec,Architectures
 API rule violation: list_type_missing,github.com/openshift/api/samples/v1,ConfigSpec,SkippedImagestreams
 API rule violation: list_type_missing,github.com/openshift/api/samples/v1,ConfigSpec,SkippedTemplates
 API rule violation: list_type_missing,github.com/openshift/api/samples/v1,ConfigStatus,Architectures
 API rule violation: list_type_missing,github.com/openshift/api/samples/v1,ConfigStatus,Conditions
 API rule violation: list_type_missing,github.com/openshift/api/samples/v1,ConfigStatus,SkippedImagestreams
 API rule violation: list_type_missing,github.com/openshift/api/samples/v1,ConfigStatus,SkippedTemplates
-API rule violation: list_type_missing,github.com/openshift/api/security/v1,FSGroupStrategyOptions,Ranges
 API rule violation: list_type_missing,github.com/openshift/api/security/v1,PodSecurityPolicyReviewSpec,ServiceAccountNames
 API rule violation: list_type_missing,github.com/openshift/api/security/v1,PodSecurityPolicyReviewStatus,AllowedServiceAccounts
 API rule violation: list_type_missing,github.com/openshift/api/security/v1,PodSecurityPolicySubjectReviewSpec,Groups
-API rule violation: list_type_missing,github.com/openshift/api/security/v1,SecurityContextConstraints,AllowedCapabilities
-API rule violation: list_type_missing,github.com/openshift/api/security/v1,SecurityContextConstraints,AllowedFlexVolumes
-API rule violation: list_type_missing,github.com/openshift/api/security/v1,SecurityContextConstraints,AllowedUnsafeSysctls
-API rule violation: list_type_missing,github.com/openshift/api/security/v1,SecurityContextConstraints,DefaultAddCapabilities
-API rule violation: list_type_missing,github.com/openshift/api/security/v1,SecurityContextConstraints,ForbiddenSysctls
-API rule violation: list_type_missing,github.com/openshift/api/security/v1,SecurityContextConstraints,Groups
-API rule violation: list_type_missing,github.com/openshift/api/security/v1,SecurityContextConstraints,RequiredDropCapabilities
-API rule violation: list_type_missing,github.com/openshift/api/security/v1,SecurityContextConstraints,SeccompProfiles
-API rule violation: list_type_missing,github.com/openshift/api/security/v1,SecurityContextConstraints,Users
-API rule violation: list_type_missing,github.com/openshift/api/security/v1,SecurityContextConstraints,Volumes
-API rule violation: list_type_missing,github.com/openshift/api/security/v1,SupplementalGroupsStrategyOptions,Ranges
 API rule violation: list_type_missing,github.com/openshift/api/sharedresource/v1alpha1,SharedConfigMapStatus,Conditions
 API rule violation: list_type_missing,github.com/openshift/api/sharedresource/v1alpha1,SharedSecretStatus,Conditions
 API rule violation: list_type_missing,github.com/openshift/api/template/v1,BrokerTemplateInstanceSpec,BindingIDs
@@ -519,6 +498,7 @@ API rule violation: names_match,github.com/openshift/api/machine/v1alpha1,Subnet
 API rule violation: names_match,github.com/openshift/api/machine/v1alpha1,SubnetFilter,ProjectID
 API rule violation: names_match,github.com/openshift/api/machine/v1alpha1,SubnetFilter,SubnetPoolID
 API rule violation: names_match,github.com/openshift/api/machine/v1alpha1,SubnetFilter,TenantID
+API rule violation: names_match,github.com/openshift/api/machine/v1beta1,AWSMachineProviderConfig,CapacityReservationID
 API rule violation: names_match,github.com/openshift/api/machine/v1beta1,AWSMachineProviderConfig,PublicIP
 API rule violation: names_match,github.com/openshift/api/machine/v1beta1,AWSMachineProviderStatus,InstanceID
 API rule violation: names_match,github.com/openshift/api/machine/v1beta1,AzureMachineProviderStatus,VMID
@@ -547,6 +527,7 @@ API rule violation: names_match,github.com/openshift/api/operator/v1,NodeDisrupt
 API rule violation: names_match,github.com/openshift/api/operator/v1,OVNKubernetesConfig,IPsecConfig
 API rule violation: names_match,github.com/openshift/api/operator/v1,OVNKubernetesConfig,IPv4
 API rule violation: names_match,github.com/openshift/api/operator/v1,OVNKubernetesConfig,IPv6
+API rule violation: names_match,github.com/openshift/api/operator/v1,ProviderLoadBalancerParameters,OpenStack
 API rule violation: names_match,github.com/openshift/api/operator/v1,StorageSpec,VSphereStorageDriver
 API rule violation: names_match,github.com/openshift/api/operator/v1alpha1,OperatorStatus,CurrentAvailability
 API rule violation: names_match,github.com/openshift/api/operator/v1alpha1,OperatorStatus,TargetAvailability
@@ -585,13 +566,11 @@ API rule violation: names_match,k8s.io/api/core/v1,RBDVolumeSource,RadosUser
 API rule violation: names_match,k8s.io/api/core/v1,VolumeSource,CephFS
 API rule violation: names_match,k8s.io/api/core/v1,VolumeSource,StorageOS
 API rule violation: names_match,k8s.io/api/networking/v1alpha1,ServiceCIDRSpec,CIDRs
-API rule violation: names_match,k8s.io/api/resource/v1alpha2,NamedResourcesAttributeValue,BoolValue
-API rule violation: names_match,k8s.io/api/resource/v1alpha2,NamedResourcesAttributeValue,IntSliceValue
-API rule violation: names_match,k8s.io/api/resource/v1alpha2,NamedResourcesAttributeValue,IntValue
-API rule violation: names_match,k8s.io/api/resource/v1alpha2,NamedResourcesAttributeValue,QuantityValue
-API rule violation: names_match,k8s.io/api/resource/v1alpha2,NamedResourcesAttributeValue,StringSliceValue
-API rule violation: names_match,k8s.io/api/resource/v1alpha2,NamedResourcesAttributeValue,StringValue
-API rule violation: names_match,k8s.io/api/resource/v1alpha2,NamedResourcesAttributeValue,VersionValue
+API rule violation: names_match,k8s.io/api/networking/v1beta1,ServiceCIDRSpec,CIDRs
+API rule violation: names_match,k8s.io/api/resource/v1alpha3,DeviceAttribute,BoolValue
+API rule violation: names_match,k8s.io/api/resource/v1alpha3,DeviceAttribute,IntValue
+API rule violation: names_match,k8s.io/api/resource/v1alpha3,DeviceAttribute,StringValue
+API rule violation: names_match,k8s.io/api/resource/v1alpha3,DeviceAttribute,VersionValue
 API rule violation: names_match,k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1,JSONSchemaProps,Ref
 API rule violation: names_match,k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1,JSONSchemaProps,Schema
 API rule violation: names_match,k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1,JSONSchemaProps,XEmbeddedResource

pkg/api/validation/validation_test.go

@@ -10,6 +10,7 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	ktypes "k8s.io/apimachinery/pkg/types"
+	"k8s.io/apimachinery/pkg/util/sets"
 	"k8s.io/apimachinery/pkg/util/validation/field"
 	kapi "k8s.io/kubernetes/pkg/apis/core"
 	"k8s.io/kubernetes/pkg/apis/core/validation"
@@ -39,12 +40,17 @@ func TestNilPath(t *testing.T) {
 }
 
 func TestNameFunc(t *testing.T) {
+	emptyObjectMetaRequired := EmptyObjectMetaRequired()
 	const nameRulesMessage = `a lowercase RFC 1123 subdomain must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character (e.g. 'example.com', regex used for validation is '[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*')`
 
 	for apiType, validationInfo := range Validator.typeToValidator {
 		if !validationInfo.HasObjectMeta {
 			continue
 		}
+		if emptyObjectMetaRequired.Has(apiType.Elem().String()) {
+			// tested in TestObjectMeta
+			continue
+		}
 
 		apiValue := reflect.New(apiType.Elem())
 		apiObjectMeta := apiValue.Elem().FieldByName("ObjectMeta")
@@ -125,6 +131,8 @@ func TestNameFunc(t *testing.T) {
 }
 
 func TestObjectMeta(t *testing.T) {
+	emptyObjectMetaRequired := EmptyObjectMetaRequired()
+
 	for apiType, validationInfo := range Validator.typeToValidator {
 		if !validationInfo.HasObjectMeta {
 			continue
@@ -140,7 +148,12 @@ func TestObjectMeta(t *testing.T) {
 		}
 
 		errList := validationInfo.Validator.Validate(apiValue.Interface().(runtime.Object))
-		requiredErrors := validation.ValidateObjectMeta(apiObjectMeta.Addr().Interface().(*metav1.ObjectMeta), validationInfo.IsNamespaced, path.ValidatePathSegmentName, field.NewPath("metadata"))
+		var requiredErrors field.ErrorList
+		if emptyObjectMetaRequired.Has(apiType.Elem().String()) {
+			requiredErrors = append(requiredErrors, field.Invalid(field.NewPath("metadata"), apiObjectMeta.Addr().Interface(), `must be empty`))
+		} else {
+			requiredErrors = validation.ValidateObjectMeta(apiObjectMeta.Addr().Interface().(*metav1.ObjectMeta), validationInfo.IsNamespaced, path.ValidatePathSegmentName, field.NewPath("metadata"))
+		}
 
 		if len(errList) == 0 {
 			t.Errorf("expected errors %v in %v not found amongst %v.  You probably need to call kube/validation.ValidateObjectMeta in your validator.", requiredErrors, apiType.Elem(), errList)
@@ -165,6 +178,36 @@ func TestObjectMeta(t *testing.T) {
 	}
 }
 
+func TestEmptyObjectMetaNamespace(t *testing.T) {
+	emptyObjectMetaRequired := EmptyObjectMetaRequired()
+
+	for apiType, validationInfo := range Validator.typeToValidator {
+		if !validationInfo.HasObjectMeta || !emptyObjectMetaRequired.Has(apiType.Elem().String()) {
+			continue
+		}
+
+		apiValue := reflect.New(apiType.Elem())
+		apiObjectMeta := apiValue.Elem().FieldByName("ObjectMeta")
+
+		if validationInfo.IsNamespaced {
+			apiObjectMeta.Set(reflect.ValueOf(metav1.ObjectMeta{Namespace: metav1.NamespaceDefault}))
+		} else {
+			apiObjectMeta.Set(reflect.ValueOf(metav1.ObjectMeta{}))
+		}
+
+		errList := validationInfo.Validator.Validate(apiValue.Interface().(runtime.Object))
+		invalidError := field.Invalid(field.NewPath("metadata"), apiObjectMeta.Addr().Interface(), `must be empty`)
+
+		for _, err := range errList {
+			validationError := err
+			if fmt.Sprintf("%v", validationError) == fmt.Sprintf("%v", invalidError) {
+				t.Errorf("expected 0 metadata must be empty errors in %v, found %v. Objects with required empty meta should accept a namespace.", apiType.Elem(), errList)
+				break
+			}
+		}
+	}
+}
+
 func getValidName(apiType reflect.Type) string {
 	apiValue := reflect.New(apiType.Elem())
 	obj := apiValue.Interface().(runtime.Object)
@@ -229,6 +272,7 @@ func TestObjectMetaUpdate(t *testing.T) {
 }
 
 func TestPodSpecNodeSelectorUpdateDisallowed(t *testing.T) {
+	defaultGracePeriod := int64(30)
 	oldPod := &kapi.Pod{
 		ObjectMeta: metav1.ObjectMeta{
 			ResourceVersion: "1",
@@ -249,6 +293,7 @@ func TestPodSpecNodeSelectorUpdateDisallowed(t *testing.T) {
 			NodeSelector: map[string]string{
 				"foo": "bar",
 			},
+			TerminationGracePeriodSeconds: &defaultGracePeriod,
 		},
 	}
 
@@ -265,3 +310,17 @@ func TestPodSpecNodeSelectorUpdateDisallowed(t *testing.T) {
 		t.Fatal("expected at least 1 error")
 	}
 }
+
+func EmptyObjectMetaRequired() sets.Set[string] {
+	return sets.New(
+		"authorization.SelfSubjectRulesReview",
+		"authorization.SubjectRulesReview",
+		"authorization.ResourceAccessReview",
+		"authorization.SubjectAccessReview",
+		"authorization.LocalResourceAccessReview",
+		"authorization.LocalSubjectAccessReview",
+		"security.PodSecurityPolicySubjectReview",
+		"security.PodSecurityPolicySelfSubjectReview",
+		"security.PodSecurityPolicyReview",
+	)
+}