Skip to content

implement Mutating Admission Policy#3781

Draft
olamilekan000 wants to merge 1 commit intokcp-dev:mainfrom
olamilekan000:implemen-mutating-admission-policy
Draft

implement Mutating Admission Policy#3781
olamilekan000 wants to merge 1 commit intokcp-dev:mainfrom
olamilekan000:implemen-mutating-admission-policy

Conversation

@olamilekan000
Copy link
Contributor

@olamilekan000 olamilekan000 commented Jan 8, 2026

Summary

change implements Mutating Admission Policy for both workspace-scoped and inter-workspace mutation

What Type of PR Is This?

/kind feature

Related Issue(s)

Fixes 3291

Release Notes

Added implementation of Mutating Admission Policy

@kcp-ci-bot kcp-ci-bot added dco-signoff: yes Indicates the PR's author has signed the DCO. release-note Denotes a PR that will be considered when it comes time to generate release notes. kind/feature Categorizes issue or PR as related to a new feature. labels Jan 8, 2026
@kcp-ci-bot
Copy link
Contributor

kcp-ci-bot commented Jan 9, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign mjudeikis for approval. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@kcp-ci-bot kcp-ci-bot added kind/api-change Categorizes issue or PR as related to adding, removing, or otherwise changing an API size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. labels Jan 9, 2026
@olamilekan000 olamilekan000 marked this pull request as draft January 9, 2026 00:00
@kcp-ci-bot kcp-ci-bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jan 9, 2026
@olamilekan000
implement admission policy
6f5a4c0 
Signed-off-by: olalekan odukoya <odukoyaonline@gmail.com>
@olamilekan000 olamilekan000 force-pushed the implemen-mutating-admission-policy branch from 9dc3a44 to 6f5a4c0 Compare January 10, 2026 23:45
@mjudeikis
Copy link
Contributor

mjudeikis commented Jan 19, 2026

Did you manage to find the issue with this on?

@olamilekan000
Copy link
Contributor Author

olamilekan000 commented Jan 19, 2026

Did you manage to find the issue with this on?

Yes, I did leave them as comment in the PR
1: https://github.com/kcp-dev/kcp/pull/3781/changes#diff-6fe5375231e6ece6cd7eafb4e8a2370fcd2059f8026d84de6fc647a641318da9R416-R418
2. https://github.com/kcp-dev/kcp/pull/3781/changes#diff-44c96ee1d9fbbf3da5546d72aefffff897783f90c8911d9ac7695fcb94ab49acR220-R223
3. https://github.com/kcp-dev/kcp/pull/3781/changes#diff-44c96ee1d9fbbf3da5546d72aefffff897783f90c8911d9ac7695fcb94ab49acR220-R223
4. It also disables plugin by default. I have to enable with plugin.SetEnabled(true) it for it "work".

For more contexts, the package for interacting with MutatingAdmissionPolices doesn't seem complete https://pkg.go.dev/k8s.io/apiserver@v0.35.0/pkg/admission/plugin/policy/mutating#pkg-functions. If you compare it wih ValidatingAdmissionPolicy, you'll see that it seems more mature than it.https://pkg.go.dev/k8s.io/apiserver@v0.35.0/pkg/admission/plugin/policy/validating#NewPlugin

Additionally, the package lacks methods like CompilePolicy, which I had to recreate (I feel this is incorrect), and it also fails to start informers automatically.

@mjudeikis
Copy link
Contributor

mjudeikis commented Feb 3, 2026

we decided to put this on ice until 1.35 rebase. Due to MAP being still not fully implemented in upstream

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@mjudeikis mjudeikis Awaiting requested review from mjudeikis

@gman0 gman0 Awaiting requested review from gman0

Assignees

No one assigned

Labels

dco-signoff: yes Indicates the PR's author has signed the DCO. do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. kind/api-change Categorizes issue or PR as related to adding, removing, or otherwise changing an API kind/feature Categorizes issue or PR as related to a new feature. release-note Denotes a PR that will be considered when it comes time to generate release notes. size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

feature: add kcp-aware MutatingAdmissionPolicy plugin

3 participants

@olamilekan000 @kcp-ci-bot @mjudeikis