docs: extend VAP docs with exempt resources

[ghouscht]

Description

Certain resources are (by design) exempt from being targeted by ValidatingAdmissionPolicy and MutatingAdmissionPolicy. Unfortunately there is no clear documentation in the KEP-3488 nor in the official Kubernetes docs which resources are affected by this exemption.

This MR extends the documentation to mention these resources in the official docs. I think this helps other users in the future to not waste a lot of time (like I did) to figure out which resources are exempt.

Im not sure if this is the right approach but I think it is better than no documentation at all. See also these issues/PRs for reference:

• https://github.com/kubernetes/enhancements/tree/master/keps/sig-api-machinery/3488-cel-admission-control
• CEL in Admission(ValidatingAdmissionPolicy): explicitly excluding resources from validatingadmissionpolicy interception kubernetes#122205
• ValidatingAdmissionPolicy: exclude brink-able resources. kubernetes#123543

I appreciate your feedback on this. Thank you ❤️

Issue

-

[k8s-ci-robot]

Welcome @ghouscht!

It looks like this is your first PR to kubernetes/website 🎉. Please refer to our pull request process documentation to help your PR have a smooth ride to approval.

You will be prompted by a bot to use commands during the review process. Do not be afraid to follow the prompts! It is okay to experiment. Here is the bot commands documentation.

You can also check if kubernetes/website has its own contribution guidelines.

You may want to refer to our testing guide if you run into trouble with your tests not passing.

If you are having difficulty getting your pull request seen, please follow the recommended escalation practices. Also, for tips and tricks in the contribution process you may want to read the Kubernetes contributor cheat sheet. We want to make sure your contribution gets all the attention it needs!

Thank you, and welcome to Kubernetes. 😃

[netlify]

✅ Pull request preview available for checking

Built without sensitive environment variables

Name	Link
🔨 Latest commit	0338db1
🔍 Latest deploy log	https://app.netlify.com/sites/kubernetes-io-main-staging/deploys/67912bd9f02eb3000821470e
😎 Deploy Preview	https://deploy-preview-49520--kubernetes-io-main-staging.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify site configuration.

[sftim]

Thanks for this proposed change @ghouscht

We'd like this PR revised to be more aligned with our style guide, but I really like the intent here.

Since #48646 has merged, we should also make sure to make this change - I think almost the exact same change - to https://kubernetes.io/docs/reference/access-authn-authz/mutating-admission-policy/

/sig api-machinery

[sftim]

Please use the API kind names (in UpperCamelCase, eg TokenReviews). No need to mention the API group IMO

Extra credit for making each one a hyperlink to the relevant API reference page, eg https://kubernetes.io/docs/reference/kubernetes-api/authentication-resources/token-review-v1/

You can use the relref shortcode - but you don't have to - if you want to ensure the links are valid.

[ghouscht]

Will have a look later today 👍🏻

[ghouscht]

applied the suggested change and pluralized the API kind names. I hope that this is ok. There is no reference for MutatingAdmissionPolicies and MutatingAdmissionPolicyBindings yet as far as I have seen, because of that they are missing the links.

[ghouscht]

Thanks for this proposed change @ghouscht

We'd like this PR revised to be more aligned with our style guide, but I really like the intent here.

Since #48646 has merged, we should also make sure to make this change - I think almost the exact same change - to https://kubernetes.io/docs/reference/access-authn-authz/mutating-admission-policy/

/sig api-machinery

Thank you for the review, I really appreciate it. I'll have a look later today and will also take care of the mutating admission policy page.

[ghouscht]

I added more or less the same note to the mutating admission policy page. However I still need to verify in the code that the same resources are exempt. I'll do this at a later point in time.

Thinking out loud: Not sure I should raise an issue/PR to add some logging to the k8s apiserver so that users could see something in the apiserver logs if they try to target an exempt resource with admission policies. As of now you have no chance to figure this out except for following the apiserver code. Maybe some of the sig-apimachinery people that were tagged here can give a hint if this would be something they are willing to add to the apiserver.

[sftim]

This all looks good to me.
/lgtm

[k8s-ci-robot]

LGTM label has been added.

Git tree hash: 12852425282f47573ddbd2674dad3feb54a108f9

[sftim]

Thinking out loud: Not sure I should raise an issue/PR to add some logging to the k8s apiserver so that users could see something in the apiserver logs if they try to target an exempt resource with admission policies. As of now you have no chance to figure this out except for following the apiserver code. Maybe some of the sig-apimachinery people that were tagged here can give a hint if this would be something they are willing to add to the apiserver.

Three places we could surface that:

• audit annotations (I think we can detect the problem early enough, but I haven't thought about it to check)
• logging
• metrics, eg a counter of requests that are rejected for this reason. Could have the targeted API as a label dimension (eg group=authentication.k8s.io / api=subjectaccessreviews)

@ghouscht if you've the time to, please make that suggestion either on Slack or in a new k/k issue

[sftim]

/assign @rayandas

[rayandas]

Thanks!
/approve

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: rayandas

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• content/en/docs/OWNERS [rayandas]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment