Skip to content

Import MutatingAdmissionPolicies from Calico#4457

Open
caseydavenport wants to merge 11 commits intotigera:masterfrom
caseydavenport:casey-import-maps
Open

Import MutatingAdmissionPolicies from Calico#4457
caseydavenport wants to merge 11 commits intotigera:masterfrom
caseydavenport:casey-import-maps

Conversation

@caseydavenport
Copy link
Member

@caseydavenport caseydavenport commented Feb 19, 2026

Description

When using v3 CRDs, we need to manage MutatingAdmissionPolicies. These files live in the Calico repository alongside CRDs, so we should import them in much the same way.

This refactors the codebase to include a new pkg/imports/crds and
pkg/imports/admission instead of a singular pkg/crds, and adds the
necessary logic to the operator to manage these new objects.

Release Note

TBD

For PR author

  • Tests for change.
  • If changing pkg/apis/, run make gen-files
  • If changing versions, run make gen-versions

For PR reviewers

A note for code reviewers - all pull requests must have the following:

  • Milestone set according to targeted release.
  • Appropriate labels:
    • kind/bug if this is a bugfix.
    • kind/enhancement if this is a a new feature.
    • enterprise if this PR applies to Calico Enterprise only.

@caseydavenport caseydavenport requested a review from a team as a code owner February 19, 2026 22:42
@marvin-tigera marvin-tigera added this to the v1.42.0 milestone Feb 19, 2026
tmjd
tmjd reviewed Feb 25, 2026
View reviewed changes
cmd/main.go
os.Exit(1)
}

if err := admission.Ensure(mgr.GetClient(), variant, v3CRDs, setupLog); err != nil {
Copy link
Member

@tmjd tmjd Feb 25, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Wouldn't it be more obvious if we didn't pass the v3CRDs into this function and the one above and just call the appropriate one depending on its value?

Copy link
Member

@tmjd tmjd Feb 25, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

But maybe not including that condition at this level pushes the context down a level, maybe that is better?

Copy link
Member Author

@caseydavenport caseydavenport Feb 25, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah, I had the same back and forth. I think I like it better pushing the context inside the Ensure function to keep that complexity out of main?

pkg/common/kubernetes_version.go
return false
}

// ProvidesMutatingAdmissionPolicyV1Beta1 returns if admissionregistration.k8s.io/v1beta1 MutatingAdmissionPolicy
Copy link
Member

@tmjd tmjd Feb 25, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should there be a call to this in main also?

Copy link
Member Author

@caseydavenport caseydavenport Feb 25, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah, perhaps - right now, if the cluster doesn't support it, the operator will skip MAPs and then get to the core controller where it will set degraded.

If we did this check in main, what would the desired behavior be in the case of failure? Just logging an error? Or exiting?

tmjd
tmjd reviewed Feb 25, 2026
View reviewed changes
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@tmjd tmjd tmjd left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

docs-not-required release-note-not-required

Projects

None yet

Milestone

v1.42.0

Development

Successfully merging this pull request may close these issues.

3 participants

@caseydavenport @tmjd @marvin-tigera