Kustomize ValidatingAdmissionPolicyBinding

This is a workaround for kustomize issue where it does not prefix `ValidatingAdmissionPolicy`'s name in `ValidatingAdmissionPolicyBinding`'s field `spec.policyName`. This results in manifests which can still be applied to a cluster, but the policy will not be working due to broken policy binding. These APIs are now stable in 1.30 so one might expect that Kustomize will eventually support these by default. If this happens - we will be able to remove this change. Signed-off-by: Mikalai Radchuk <mradchuk@redhat.com>
operator-framework · Apr 23, 2024 · e59ab41 · e59ab41
1 parent 145a376
commit e59ab41
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 0 deletions.
diff --git a/config/admission/kustomization.yaml b/config/admission/kustomization.yaml
@@ -1,2 +1,5 @@
+configurations:
+- kustomizeconfig.yaml
+
 resources:
 - admission.yaml
diff --git a/config/admission/kustomizeconfig.yaml b/config/admission/kustomizeconfig.yaml
@@ -0,0 +1,9 @@
+# This file is for teaching kustomize how to substitute name in ValidatingAdmissionPolicyBinding
+# This might become obsolete depending on the outcome of https://github.com/kubernetes-sigs/kustomize/issues/5674
+nameReference:
+- kind: ValidatingAdmissionPolicy
+  group: admissionregistration.k8s.io
+  fieldSpecs:
+  - kind: ValidatingAdmissionPolicyBinding
+    group: admissionregistration.k8s.io
+    path: spec/policyName