UPSTREAM: <squash>: prevent conflict with pre-existing auth annotation

xrstf · gman0 · commit d57c237ff9d0 · 2025-02-12T18:22:05.000+01:00
On-behalf-of: @SAP christoph.mewes@sap.com
diff --git a/staging/src/k8s.io/apiserver/plugin/pkg/authorizer/webhook/webhook.go b/staging/src/k8s.io/apiserver/plugin/pkg/authorizer/webhook/webhook.go
@@ -55,6 +55,9 @@ import (
 const (
 	// The maximum length of requester-controlled attributes to allow caching.
 	maxControlledAttrCacheSize = 10000
+
+	// ClusterNameKey is the logical cluster name a webhook message originates from.
+	ClusterNameKey = "authorization.kubernetes.io/cluster-name"
 )
 
 // DefaultRetryBackoff returns the default backoff parameters for webhook retry.
@@ -197,12 +200,11 @@ func (w *WebhookAuthorizer) Authorize(ctx context.Context, attr authorizer.Attri
 		}
 	}
 
-	clusterName, err := request.ClusterNameFrom(ctx)
-	if err == nil {
+	if clusterName, err := request.ClusterNameFrom(ctx); err == nil {
 		if r.Spec.Extra == nil {
 			r.Spec.Extra = map[string]authorizationv1.ExtraValue{}
 		}
-		r.Spec.Extra["authentication.kubernetes.io/cluster-name"] = authorizationv1.ExtraValue{clusterName.Path().String()}
+		r.Spec.Extra[ClusterNameKey] = authorizationv1.ExtraValue{clusterName.Path().String()}
 	}
 
 	if attr.IsResourceRequest() {

Original file line number	Diff line number	Diff line change
`@@ -55,6 +55,9 @@ import (`
`55`	`55`	`const (`
`56`	`56`	`// The maximum length of requester-controlled attributes to allow caching.`
`57`	`57`	`maxControlledAttrCacheSize = 10000`
	`58`	`+`
	`59`	`+ // ClusterNameKey is the logical cluster name a webhook message originates from.`
	`60`	`+ ClusterNameKey = "authorization.kubernetes.io/cluster-name"`
`58`	`61`	`)`
`59`	`62`
`60`	`63`	`// DefaultRetryBackoff returns the default backoff parameters for webhook retry.`
`@@ -197,12 +200,11 @@ func (w *WebhookAuthorizer) Authorize(ctx context.Context, attr authorizer.Attri`
`197`	`200`	`}`
`198`	`201`	`}`
`199`	`202`
`200`		`- clusterName, err := request.ClusterNameFrom(ctx)`
`201`		`- if err == nil {`
	`203`	`+ if clusterName, err := request.ClusterNameFrom(ctx); err == nil {`
`202`	`204`	`if r.Spec.Extra == nil {`
`203`	`205`	`r.Spec.Extra = map[string]authorizationv1.ExtraValue{}`
`204`	`206`	`}`
`205`		`- r.Spec.Extra["authentication.kubernetes.io/cluster-name"] = authorizationv1.ExtraValue{clusterName.Path().String()}`
	`207`	`+ r.Spec.Extra[ClusterNameKey] = authorizationv1.ExtraValue{clusterName.Path().String()}`
`206`	`208`	`}`
`207`	`209`
`208`	`210`	`if attr.IsResourceRequest() {`