Describe the bug
#751 introduces ValidatingAdmissionPolicy. This feature is GA in Kubernetes 1.30.
https://kubernetes.io/blog/2024/04/24/validating-admission-policy-ga/
Kubernetes 1.30 or above only accepts admissionregistration.k8s.io/v1, not admissionregistration.k8s.io/v1beta1 by default.
Environments
- Version: 0.25.0
- K8s: 1.30.6
To Reproduce
kind create cluster --name moco --image kindest/node:v1.30.6
curl -fsL https://github.com/jetstack/cert-manager/releases/latest/download/cert-manager.yaml | kubectl apply -f -
helm install --create-namespace --namespace moco-system moco moco/moco
The following errors are shown:
Error: INSTALLATION FAILED: unable to build kubernetes objects from release manifest: [resource mapping not found for name: "moco-delete-validator" namespace: "" from "": no matches for kind "ValidatingAdmissionPolicy" in version "admissionregistration.k8s.io/v1beta1"
ensure CRDs are installed first, resource mapping not found for name: "moco-delete-validator" namespace: "" from "": no matches for kind "ValidatingAdmissionPolicyBinding" in version "admissionregistration.k8s.io/v1beta1"
ensure CRDs are installed first]
Expected behavior
moco 0.25.0 can be installed on any supported Kubernetes version.
Additional context
The K8s cluster used in the E2E test enables admissionregistration.k8s.io/v1beta1.
Lines 3 to 6 in 389ae12
featureGates:
  ValidatingAdmissionPolicy: true
runtimeConfig:
  admissionregistration.k8s.io/v1beta1: true
So the tests passed, but installation fails for the cluster with default configuration.
Replace admissionregistration.k8s.io/v1beta1 with admissionregistration.k8s.io/v1, then it can be installed without any configuration.
helm template --namespace moco-system moco moco/moco > manifests.yaml
kubectl create ns moco-system
sed s%admissionregistration.k8s.io/v1beta1%admissionregistration.k8s.io/v1%g manifests.yaml | kubectl apply -f -
❯ sed s%admissionregistration.k8s.io/v1beta1%admissionregistration.k8s.io/v1%g manifests.yaml | kubectl apply -f -
serviceaccount/moco-controller-manager created
customresourcedefinition.apiextensions.k8s.io/backuppolicies.moco.cybozu.com created
customresourcedefinition.apiextensions.k8s.io/mysqlclusters.moco.cybozu.com created
clusterrole.rbac.authorization.k8s.io/moco-backuppolicy-editor-role created
clusterrole.rbac.authorization.k8s.io/moco-backuppolicy-viewer-role created
clusterrole.rbac.authorization.k8s.io/moco-manager-role created
clusterrole.rbac.authorization.k8s.io/moco-mysqlcluster-editor-role created
clusterrole.rbac.authorization.k8s.io/moco-mysqlcluster-viewer-role created
clusterrolebinding.rbac.authorization.k8s.io/moco-manager-rolebinding created
role.rbac.authorization.k8s.io/moco-leader-election-role created
rolebinding.rbac.authorization.k8s.io/moco-leader-election-rolebinding created
service/moco-webhook-service created
deployment.apps/moco-controller created
certificate.cert-manager.io/moco-controller-grpc created
certificate.cert-manager.io/moco-grpc-ca created
certificate.cert-manager.io/moco-serving-cert created
issuer.cert-manager.io/moco-grpc-issuer created
issuer.cert-manager.io/moco-selfsigned-issuer created
mutatingwebhookconfiguration.admissionregistration.k8s.io/moco-mutating-webhook-configuration created
validatingadmissionpolicy.admissionregistration.k8s.io/moco-delete-validator created
validatingadmissionpolicybinding.admissionregistration.k8s.io/moco-delete-validator created
validatingwebhookconfiguration.admissionregistration.k8s.io/moco-validating-webhook-configuration created
❯ kubectl get po -n moco-system
NAME READY STATUS RESTARTS AGE
moco-controller-6d7867d984-gl8n8 1/1 Running 0 29s
moco-controller-6d7867d984-gwrdk 1/1 Running 0 29s
❯ kubectl get validatingadmissionpolicy
NAME VALIDATIONS PARAMKIND AGE
moco-delete-validator 1 <unset> 60s
❯ kubectl get validatingadmissionpolicybinding
NAME POLICYNAME PARAMREF AGE
moco-delete-validator moco-delete-validator <unset> 78s
If additional FeatureGates are required for installation, they should be documented.
ValidatingAdmissionPolicy is not available in K8s 1.29 by default.
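A pre-install check for the mismatch reported above, as an added example that is not part of the issue or of the moco repository: it lists every object in a rendered manifest whose apiVersion the target cluster does not serve. The function names and the sample files are constructed for illustration; the check compares group/version only, not whether the kind exists in that version.

```shell
#!/bin/sh
# Added example; not part of the moco repository.
# unserved_kinds MANIFEST API_VERSIONS
#   MANIFEST:     multi-document YAML, e.g. output of `helm template`
#   API_VERSIONS: one group/version per line, e.g. output of `kubectl api-versions`
# Prints "apiVersion kind" for every object whose apiVersion is not served.
unserved_kinds() {
  awk '
    function flush() {
      if (api != "" && !(api in served)) print api, kind
      api = ""; kind = ""
    }
    # First file argument: the versions the cluster serves.
    FILENAME == ARGV[1] { if ($1 != "") served[$1] = 1; next }
    # Second file: only top-level (unindented) keys identify an object.
    /^---/         { flush(); next }
    /^apiVersion:/ { api = $2; gsub(/"/, "", api) }
    /^kind:/       { kind = $2; gsub(/"/, "", kind) }
    END            { flush() }
  ' "$2" "$1"
}

# Constructed sample input: an abbreviated manifest and an abbreviated list of
# group/versions for a cluster that serves only v1 of admissionregistration.
write_samples() {
  cat > "$1/manifests.yaml" <<'EOF'
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: moco-controller-manager
---
apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingAdmissionPolicy
metadata:
  name: moco-delete-validator
---
apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingAdmissionPolicyBinding
metadata:
  name: moco-delete-validator
EOF
  printf '%s\n' v1 apps/v1 admissionregistration.k8s.io/v1 > "$1/api-versions.txt"
}

tmp=$(mktemp -d)
write_samples "$tmp"
unserved_kinds "$tmp/manifests.yaml" "$tmp/api-versions.txt"
```

Against a real cluster, feed it the output of `helm template` and `kubectl api-versions`, and treat any output as a failed check before running the install.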