Discover served MutatingAdmissionPolicy API version at runtime#4837
Open
caseydavenport wants to merge 11 commits into
Open
Discover served MutatingAdmissionPolicy API version at runtime#4837caseydavenport wants to merge 11 commits into
caseydavenport wants to merge 11 commits into
Conversation
K8s 1.36 promotes MutatingAdmissionPolicy to v1; v1beta1 is scheduled for removal in 1.37. Hardcoding v1beta1 broke operator reconciles on clusters that only serve v1. Use the RESTMapper to pick the served version (prefer v1), and parse/list/sync at that version.
Avoid a per-reconcile RESTMapping call by discovering the served version in main() and threading it through ControllerOptions to the installation controller.
Generalize one-shot API discovery into a small package that controllers can query without hitting the cluster. cmd/main.go pre-resolves the set of GroupKinds we care about and passes a Discovery snapshot through ControllerOptions; lookups are plain map reads.
Fold the new APIDiscovery type into the existing discovery file rather than adding a new package next to it. Cluster-shape helpers move from pkg/controller/utils into pkg/common/discovery alongside the served-API snapshot.
caseydavenport
commented
May 20, 2026
4 tasks
|
A somewhat tangential note: The v3 CRD chart also have v1beta1 MutatingAdmissionPolicy manifests pulled in from here. |
Member
Author
|
@mohag yep, will definitely need to handle those as well (I believe helm can detect API versions and use the correct one, with some tweaks) |
Clusters on k8s 1.32-1.33 with the MutatingAdmissionPolicy alpha feature gate enabled serve only v1alpha1 (v1beta1 doesn't arrive until 1.34). The MAP types are identical in shape across v1alpha1, v1beta1, and v1, so this adds the v1alpha1 case to the existing parse/list/kind-check paths. Runtime discovery already selects v1alpha1 when it's the only served version.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
The operator hardcoded the use of
admissionregistration.k8s.io/v1beta1for MutatingAdmissionPolicy. K8s 1.36 promoted MutatingAdmissionPolicy tov1and v1beta1 is scheduled for removal in 1.37, so clusters that only serve v1 produced reconcile errors likeno matches for kind "MutatingAdmissionPolicy" in version "admissionregistration.k8s.io/v1beta1"(see projectcalico/calico#6412 (comment)).This PR discovers the served version via the RESTMapper and uses it for parsing, listing, creating, and stale-cleanup. Preference order is v1, then v1beta1. If neither is served the controller reports a degraded condition and skips policy defaulting, same as before.
Split into two commits:
k8s.io/*tov0.36.1andsigs.k8s.io/controller-runtimetov0.24.1so the v1 typed import is available.pkg/imports/admissionandpkg/controller/installation/core_controller.go. The previous staticProvidesMutatingAdmissionPolicyV1Beta1minor-version check is replaced by RESTMapper-based discovery, which is more accurate across forks and feature gates.