Usage of namePrefix
or nameSuffix
with Validating Admission Policy results in a silently broken ValidatingAdmissionPolicyBinding
#5674
Labels
kind/bug
Categorizes issue or PR as related to a bug.
triage/accepted
Indicates an issue or PR is ready to be actively worked on.
What happened?
Validating Admission Policy APIs do not seem to be supported at the moment by
namePrefix
andnameSuffix
fields.As a result manifests that contain
ValidatingAdmissionPolicy
andValidatingAdmissionPolicyBinding
pair are being partially transformed: their names are being changed howeverValidatingAdmissionPolicyBinding
ends up referencingValidatingAdmissionPolicy
without the prefix/suffix in.spec.policyName
field.Resulting
ValidatingAdmissionPolicy
andValidatingAdmissionPolicyBinding
can still be applied to the cluster, but they will have no effect on admission.What did you expect to happen?
Name reference in
.spec.policyName
gets updated.How can we reproduce it (as minimally and precisely as possible)?
Consider the following
kustomization.yaml
:And
admission.yaml
:Expected output
Actual output
After
kustomize build
this results in the following:Note: this output is still can be applied to the cluster without any errors. But the admission policy will not have any effect. This can be tested with this deployment (policy denies deployments prefixed with
my-
):Kustomize version
v5.4.1
Operating system
MacOS
The text was updated successfully, but these errors were encountered: