NO-JIRA: Fix continous reconciliation of VAPs due to server-side defaulting

admission-policies/aws/unsupported-aws-spec-fields.yaml

@@ -6,12 +6,14 @@ spec:
   policyName: "openshift-cluster-api-unsupported-aws-spec-fields"
   validationActions: [Deny]
   matchResources:
+    matchPolicy: Equivalent
     namespaceSelector:
       matchExpressions:
       - key: kubernetes.io/metadata.name
         operator: In
         values:
         - openshift-cluster-api
+    objectSelector: {}
 ---
 apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingAdmissionPolicy
@@ -20,11 +22,15 @@ metadata:
 spec:
   failurePolicy: Fail
   matchConstraints:
+    matchPolicy: Equivalent
+    namespaceSelector: {}
+    objectSelector: {}
     resourceRules:
     - apiGroups:   ["infrastructure.cluster.x-k8s.io"]
       apiVersions: ["v1beta2"]
       operations:  ["CREATE", "UPDATE"]
       resources:   ["awsmachines", "awsmachinetemplates"]
+      scope: "*"
   variables:
     - name: machineSpec
       expression: "object.kind == 'AWSMachine' ? object.spec : object.spec.template.spec"

admission-policies/default/authoritative-api-transition-requires-capi-infrastructure-ready.yaml

@@ -4,9 +4,11 @@ metadata:
   name: openshift-mapi-authoritative-api-transition-requires-capi-infrastructure-ready-and-not-deleting
 spec:
   matchResources:
+    matchPolicy: Equivalent
     namespaceSelector:
       matchLabels:
         kubernetes.io/metadata.name: openshift-machine-api
+    objectSelector: {}
   paramRef:
     namespace: openshift-cluster-api
     # We 'Allow' here as we don't want to block MAPI Machine
@@ -30,11 +32,15 @@ spec:
     kind: Machine
 
   matchConstraints:
+    matchPolicy: Equivalent
+    namespaceSelector: {}
+    objectSelector: {}
     resourceRules:
     - apiGroups:   ["machine.openshift.io"]
       apiVersions: ["v1beta1"]
       operations:  ["UPDATE"]
       resources:   ["machines"]
+      scope: "*"
 
   # Requests must satisfy every matchCondition to reach the validations
   matchConditions:

admission-policies/default/cluster-api-machine-set-vap.yaml

@@ -4,9 +4,11 @@ metadata:
   name: cluster-api-machine-set-vap
 spec:
   matchResources:
+    matchPolicy: Equivalent
     namespaceSelector:
       matchLabels:
         kubernetes.io/metadata.name: openshift-cluster-api
+    objectSelector: {}
   paramRef:
     namespace: openshift-machine-api
     # We 'Allow' here as we don't want to block CAPI Machine functionality
@@ -29,11 +31,15 @@ spec:
     kind: MachineSet
 
   matchConstraints:
+    matchPolicy: Equivalent
+    namespaceSelector: {}
+    objectSelector: {}
     resourceRules:
     - apiGroups:   ["cluster.x-k8s.io"]
       apiVersions: ["v1beta2"]
       operations:  ["UPDATE"]
       resources:   ["machinesets"]
+      scope: "*"
 
   # Requests must satisfy every matchCondition to reach the validations
   matchConditions:

admission-policies/default/cluster-api-machine-vap.yaml

@@ -4,9 +4,11 @@ metadata:
   name: cluster-api-machine-vap
 spec:
   matchResources:
+    matchPolicy: Equivalent
     namespaceSelector:
       matchLabels:
         kubernetes.io/metadata.name: openshift-cluster-api
+    objectSelector: {}
   paramRef:
     namespace: openshift-machine-api
     # We 'Allow' here as we don't want to block CAPI Machine functionality
@@ -29,11 +31,15 @@ spec:
     kind: Machine
 
   matchConstraints:
+    matchPolicy: Equivalent
+    namespaceSelector: {}
+    objectSelector: {}
     resourceRules:
     - apiGroups:   ["cluster.x-k8s.io"]
       apiVersions: ["v1beta2"]
       operations:  ["UPDATE"]
       resources:   ["machines"]
+      scope: "*"
 
   # Requests must satisfy every matchCondition to reach the validations
   matchConditions:

admission-policies/default/machine-api-machine-set-vap.yaml

@@ -4,9 +4,11 @@ metadata:
   name: machine-api-machine-set-vap
 spec:
   matchResources:
+    matchPolicy: Equivalent
     namespaceSelector:
       matchLabels:
         kubernetes.io/metadata.name: openshift-machine-api
+    objectSelector: {}
   paramRef:
     namespace: openshift-cluster-api
     # We 'Allow' here as we don't want to block MAPI Machine Set 
@@ -30,11 +32,15 @@ spec:
     kind: MachineSet
 
   matchConstraints:
+    matchPolicy: Equivalent
+    namespaceSelector: {}
+    objectSelector: {}
     resourceRules:
     - apiGroups:   ["machine.openshift.io"]
       apiVersions: ["v1beta1"]
       operations:  ["UPDATE"]
       resources:   ["machinesets"]
+      scope: "*"
 
   # Requests must satisfy every matchCondition to reach the validations
   matchConditions:

admission-policies/default/machine-api-machine-vap.yaml

@@ -4,9 +4,11 @@ metadata:
   name: machine-api-machine-vap
 spec:
   matchResources:
+    matchPolicy: Equivalent
     namespaceSelector:
       matchLabels:
         kubernetes.io/metadata.name: openshift-machine-api
+    objectSelector: {}
   paramRef:
     namespace: openshift-cluster-api
     # We 'Allow' here as we don't want to block MAPI Machine 
@@ -30,11 +32,15 @@ spec:
     kind: Machine
 
   matchConstraints:
+    matchPolicy: Equivalent
+    namespaceSelector: {}
+    objectSelector: {}
     resourceRules:
     - apiGroups:   ["machine.openshift.io"]
       apiVersions: ["v1beta1"]
       operations:  ["UPDATE"]
       resources:   ["machines"]
+      scope: "*"
 
   # Requests must satisfy every matchCondition to reach the validations
   matchConditions:

admission-policies/default/only-create-mapi-machine-if-authoritative-api-capi.yaml

@@ -10,11 +10,15 @@ spec:
     kind: Machine
 
   matchConstraints:
+    matchPolicy: Equivalent
+    namespaceSelector: {}
+    objectSelector: {}
     resourceRules:
       - apiGroups: ["machine.openshift.io"]
         apiVersions: ["*"]
         operations: ["CREATE"]
         resources: ["machines"]
+        scope: "*"
 
   # Requests must satisfy every matchCondition to reach the validations
   matchConditions:
@@ -32,9 +36,11 @@ metadata:
   name: openshift-only-create-mapi-machine-if-authoritative-api-capi
 spec:
   matchResources:
+    matchPolicy: Equivalent
     namespaceSelector:
       matchLabels:
         kubernetes.io/metadata.name: openshift-machine-api
+    objectSelector: {}
   paramRef:
     namespace: openshift-cluster-api
     # We 'Allow' here as we don't want to block MAPI Machine 

admission-policies/default/prevent-authoritative-mapi-machineset-create-when-capi-exists.yaml

@@ -8,11 +8,15 @@ spec:
     apiVersion: cluster.x-k8s.io/v1beta2
     kind: MachineSet
   matchConstraints:
+    matchPolicy: Equivalent
+    namespaceSelector: {}
+    objectSelector: {}
     resourceRules:
       - apiGroups: ["machine.openshift.io"]
         apiVersions: ["*"]
         operations: ["CREATE"]
         resources: ["machinesets"]
+        scope: "*"
   # Requests must satisfy every matchCondition to reach the validations
   matchConditions:
     - name: check-param-match
@@ -30,9 +34,11 @@ metadata:
   name: openshift-prevent-authoritative-mapi-machineset-create-when-capi-exists
 spec:
   matchResources:
+    matchPolicy: Equivalent
     namespaceSelector:
       matchLabels:
         kubernetes.io/metadata.name: openshift-machine-api
+    objectSelector: {}
   paramRef:
     namespace: openshift-cluster-api
     # We 'Allow' here as we don't want to block MAPI MachineSet

admission-policies/default/prevent-capi-fields-unsupported-by-mapi.yaml

@@ -5,11 +5,15 @@ metadata:
 spec:
   failurePolicy: Fail
   matchConstraints:
+    matchPolicy: Equivalent
+    namespaceSelector: {}
+    objectSelector: {}
     resourceRules:
       - apiGroups: ["cluster.x-k8s.io"]
         apiVersions: ["v1beta2"]
         operations: ["CREATE", "UPDATE"]
         resources: ["machines", "machinesets"]
+        scope: "*"
   variables:
     - name: machineSpec
       expression: "object.kind == 'Machine' ? object.spec : object.spec.template.spec"
@@ -27,9 +31,11 @@ metadata:
   name: openshift-cluster-api-prevent-setting-of-capi-fields-unsupported-by-mapi
 spec:
   matchResources:
+    matchPolicy: Equivalent
     namespaceSelector:
       matchLabels:
         kubernetes.io/metadata.name: openshift-cluster-api
+    objectSelector: {}
   policyName: openshift-cluster-api-prevent-setting-of-capi-fields-unsupported-by-mapi
   validationActions:
       - Deny

admission-policies/default/prevent-migration-when-machine-updating.yaml

@@ -5,11 +5,15 @@ metadata:
 spec:
   failurePolicy: Fail
   matchConstraints:
+    matchPolicy: Equivalent
+    namespaceSelector: {}
+    objectSelector: {}
     resourceRules:
       - apiGroups: ["machine.openshift.io"]
         apiVersions: ["*"]
         operations: ["UPDATE"]
         resources: ["machines"]
+        scope: "*"
 
   # All validations must evaluate to true
   validations:
@@ -24,9 +28,11 @@ metadata:
   name: openshift-prevent-migration-when-machine-updating
 spec:
   matchResources:
+    matchPolicy: Equivalent
     namespaceSelector:
       matchLabels:
         kubernetes.io/metadata.name: openshift-machine-api
+    objectSelector: {}
   policyName: openshift-prevent-migration-when-machine-updating
   validationActions:
       - Deny

admission-policies/default/provide-warning-when-not-synchronized.yaml

@@ -6,11 +6,15 @@ spec:
   failurePolicy: Ignore
 
   matchConstraints:
+    matchPolicy: Equivalent
+    namespaceSelector: {}
+    objectSelector: {}
     resourceRules:
       - apiGroups: ["machine.openshift.io"]
         apiVersions: ["*"]
         operations: ["UPDATE"]
         resources: ["machines"]
+        scope: "*"
   variables:
     - name: syncCond
       expression: >
@@ -39,9 +43,11 @@ metadata:
   name: openshift-provide-warning-when-not-synchronized
 spec:
   matchResources:
+    matchPolicy: Equivalent
     namespaceSelector:
       matchLabels:
         kubernetes.io/metadata.name: openshift-machine-api
+    objectSelector: {}
   policyName: openshift-provide-warning-when-not-synchronized
   validationActions:
       - Warn

admission-policies/default/validate-capi-machine-creation.yaml

@@ -4,9 +4,11 @@ metadata:
   name: openshift-validate-capi-machine-creation
 spec:
   matchResources:
+    matchPolicy: Equivalent
     namespaceSelector:
       matchLabels:
         kubernetes.io/metadata.name: openshift-cluster-api
+    objectSelector: {}
   paramRef:
     namespace: openshift-machine-api
     parameterNotFoundAction: Allow
@@ -25,11 +27,15 @@ spec:
     apiVersion: machine.openshift.io/v1beta1
     kind: Machine
   matchConstraints:
+    matchPolicy: Equivalent
+    namespaceSelector: {}
+    objectSelector: {}
     resourceRules:
     - apiGroups:   ["cluster.x-k8s.io"]
       apiVersions: ["v1beta2"]
       operations:  ["CREATE"]
       resources:   ["machines"]
+      scope: "*"
   # Requests must satisfy every matchCondition to reach the validations
   matchConditions:
     - name: check-only-non-service-account-requests

admission-policies/default/validate-capi-machine-set-creation.yaml

@@ -4,9 +4,11 @@ metadata:
   name: openshift-validate-capi-machine-set-creation
 spec:
   matchResources:
+    matchPolicy: Equivalent
     namespaceSelector:
       matchLabels:
         kubernetes.io/metadata.name: openshift-cluster-api
+    objectSelector: {}
   paramRef:
     namespace: openshift-machine-api
     parameterNotFoundAction: Allow
@@ -25,11 +27,15 @@ spec:
     apiVersion: machine.openshift.io/v1beta1
     kind: MachineSet
   matchConstraints:
+    matchPolicy: Equivalent
+    namespaceSelector: {}
+    objectSelector: {}
     resourceRules:
     - apiGroups:   ["cluster.x-k8s.io"]
       apiVersions: ["v1beta2"]
       operations:  ["CREATE"]
       resources:   ["machinesets"]
+      scope: "*"
   # Requests must satisfy every matchCondition to reach the validations
   matchConditions:
     - name: check-only-non-service-account-requests

capi-operator-manifests/aws/manifests.yaml

@@ -4,12 +4,14 @@ metadata:
   name: openshift-cluster-api-unsupported-aws-spec-fields
 spec:
   matchResources:
+    matchPolicy: Equivalent
     namespaceSelector:
       matchExpressions:
       - key: kubernetes.io/metadata.name
         operator: In
         values:
         - openshift-cluster-api
+    objectSelector: {}
   policyName: openshift-cluster-api-unsupported-aws-spec-fields
   validationActions:
   - Deny
@@ -21,6 +23,9 @@ metadata:
 spec:
   failurePolicy: Fail
   matchConstraints:
+    matchPolicy: Equivalent
+    namespaceSelector: {}
+    objectSelector: {}
     resourceRules:
     - apiGroups:
       - infrastructure.cluster.x-k8s.io
@@ -32,6 +37,7 @@ spec:
       resources:
       - awsmachines
       - awsmachinetemplates
+      scope: '*'
   validations:
   - expression: '!has(variables.machineSpec.ami.eksLookupType)'
     messageExpression: variables.specPath + '.ami.eksLookupType is a forbidden field'