update openshift/api related dependencies and Go version

Author: feichashao

build/Dockerfile

@@ -1,4 +1,4 @@
-ARG BASE_IMAGE=registry.ci.openshift.org/openshift/release:rhel-8-release-golang-1.23-openshift-4.19
+ARG BASE_IMAGE=registry.ci.openshift.org/openshift/release:rhel-9-release-golang-1.24-openshift-4.20
 FROM ${BASE_IMAGE} AS builder
 
 RUN mkdir -p /workdir

build/selectorsyncset.yaml

@@ -1,13 +1,11 @@
 apiVersion: template.openshift.io/v1
 kind: Template
 metadata:
-  creationTimestamp: null
   name: selectorsyncset-template
 objects:
 - apiVersion: hive.openshift.io/v1
   kind: SelectorSyncSet
   metadata:
-    creationTimestamp: null
     labels:
       managed.openshift.io/gitHash: ${IMAGE_TAG}
       managed.openshift.io/gitRepoName: ${REPO_NAME}
@@ -22,7 +20,6 @@ objects:
     - apiVersion: v1
       kind: Namespace
       metadata:
-        creationTimestamp: null
         labels:
           openshift.io/cluster-monitoring: "true"
         name: openshift-validation-webhook
@@ -31,13 +28,11 @@ objects:
     - apiVersion: v1
       kind: ServiceAccount
       metadata:
-        creationTimestamp: null
         name: validation-webhook
         namespace: openshift-validation-webhook
     - apiVersion: rbac.authorization.k8s.io/v1
       kind: Role
       metadata:
-        creationTimestamp: null
         name: validation-webhook
         namespace: openshift-validation-webhook
       rules:
@@ -56,7 +51,6 @@ objects:
     - apiVersion: rbac.authorization.k8s.io/v1
       kind: RoleBinding
       metadata:
-        creationTimestamp: null
         name: validation-webhook:validation-webhook
         namespace: openshift-validation-webhook
       roleRef:
@@ -70,7 +64,6 @@ objects:
     - apiVersion: rbac.authorization.k8s.io/v1
       kind: ClusterRole
       metadata:
-        creationTimestamp: null
         name: validation-webhook
       rules:
       - apiGroups:
@@ -82,7 +75,6 @@ objects:
     - apiVersion: rbac.authorization.k8s.io/v1
       kind: ClusterRoleBinding
       metadata:
-        creationTimestamp: null
         name: validation-webhook:validation-webhook
       roleRef:
         apiGroup: rbac.authorization.k8s.io
@@ -95,7 +87,6 @@ objects:
     - apiVersion: rbac.authorization.k8s.io/v1
       kind: Role
       metadata:
-        creationTimestamp: null
         name: prometheus-k8s
         namespace: openshift-validation-webhook
       rules:
@@ -112,7 +103,6 @@ objects:
     - apiVersion: rbac.authorization.k8s.io/v1
       kind: RoleBinding
       metadata:
-        creationTimestamp: null
         name: prometheus-k8s
         namespace: openshift-validation-webhook
       roleRef:
@@ -126,7 +116,6 @@ objects:
     - apiVersion: monitoring.coreos.com/v1
       kind: ServiceMonitor
       metadata:
-        creationTimestamp: null
         name: validating-webhook-metrics
         namespace: openshift-validation-webhook
       spec:
@@ -145,15 +134,13 @@ objects:
       metadata:
         annotations:
           service.beta.openshift.io/inject-cabundle: "true"
-        creationTimestamp: null
         name: webhook-cert
         namespace: openshift-validation-webhook
     - apiVersion: v1
       kind: Service
       metadata:
         annotations:
           service.beta.openshift.io/serving-cert-secret-name: webhook-cert
-        creationTimestamp: null
         labels:
           hypershift.openshift.io/allow-guest-webhooks: "true"
           name: validation-webhook
@@ -173,7 +160,6 @@ objects:
     - apiVersion: apps/v1
       kind: DaemonSet
       metadata:
-        creationTimestamp: null
         labels:
           app: validation-webhook
         name: validation-webhook
@@ -184,7 +170,6 @@ objects:
             app: validation-webhook
         template:
           metadata:
-            creationTimestamp: null
             labels:
               app: validation-webhook
           spec:
@@ -249,7 +234,6 @@ objects:
       metadata:
         annotations:
           service.beta.openshift.io/inject-cabundle: "true"
-        creationTimestamp: null
         name: sre-clusterrolebindings-validation
       webhooks:
       - admissionReviewVersions:
@@ -279,7 +263,6 @@ objects:
       metadata:
         annotations:
           service.beta.openshift.io/inject-cabundle: "true"
-        creationTimestamp: null
         name: sre-clusterroles-validation
       webhooks:
       - admissionReviewVersions:
@@ -309,7 +292,6 @@ objects:
       metadata:
         annotations:
           service.beta.openshift.io/inject-cabundle: "true"
-        creationTimestamp: null
         name: sre-customresourcedefinitions-validation
       webhooks:
       - admissionReviewVersions:
@@ -341,7 +323,6 @@ objects:
       metadata:
         annotations:
           service.beta.openshift.io/inject-cabundle: "true"
-        creationTimestamp: null
         name: sre-hiveownership-validation
       webhooks:
       - admissionReviewVersions:
@@ -375,7 +356,6 @@ objects:
       metadata:
         annotations:
           service.beta.openshift.io/inject-cabundle: "true"
-        creationTimestamp: null
         name: sre-imagecontentpolicies-validation
       webhooks:
       - admissionReviewVersions:
@@ -417,7 +397,6 @@ objects:
       metadata:
         annotations:
           service.beta.openshift.io/inject-cabundle: "true"
-        creationTimestamp: null
         name: sre-ingress-config-validation
       webhooks:
       - admissionReviewVersions:
@@ -449,7 +428,6 @@ objects:
       metadata:
         annotations:
           service.beta.openshift.io/inject-cabundle: "true"
-        creationTimestamp: null
         name: sre-namespace-validation
       webhooks:
       - admissionReviewVersions:
@@ -481,7 +459,6 @@ objects:
       metadata:
         annotations:
           service.beta.openshift.io/inject-cabundle: "true"
-        creationTimestamp: null
         name: sre-networkpolicies-validation
       webhooks:
       - admissionReviewVersions:
@@ -513,7 +490,6 @@ objects:
       metadata:
         annotations:
           service.beta.openshift.io/inject-cabundle: "true"
-        creationTimestamp: null
         name: sre-node-validation-osd
       webhooks:
       - admissionReviewVersions:
@@ -546,7 +522,6 @@ objects:
       metadata:
         annotations:
           service.beta.openshift.io/inject-cabundle: "true"
-        creationTimestamp: null
         name: sre-pod-validation
       webhooks:
       - admissionReviewVersions:
@@ -576,7 +551,6 @@ objects:
       metadata:
         annotations:
           service.beta.openshift.io/inject-cabundle: "true"
-        creationTimestamp: null
         name: sre-prometheusrule-validation
       webhooks:
       - admissionReviewVersions:
@@ -608,7 +582,6 @@ objects:
       metadata:
         annotations:
           service.beta.openshift.io/inject-cabundle: "true"
-        creationTimestamp: null
         name: sre-regular-user-validation
       webhooks:
       - admissionReviewVersions:
@@ -720,7 +693,6 @@ objects:
       metadata:
         annotations:
           service.beta.openshift.io/inject-cabundle: "true"
-        creationTimestamp: null
         name: sre-scc-validation
       webhooks:
       - admissionReviewVersions:
@@ -751,7 +723,6 @@ objects:
       metadata:
         annotations:
           service.beta.openshift.io/inject-cabundle: "true"
-        creationTimestamp: null
         name: sre-sdn-migration-validation
       webhooks:
       - admissionReviewVersions:
@@ -781,7 +752,6 @@ objects:
       metadata:
         annotations:
           service.beta.openshift.io/inject-cabundle: "true"
-        creationTimestamp: null
         name: sre-serviceaccount-validation
       webhooks:
       - admissionReviewVersions:
@@ -811,7 +781,6 @@ objects:
       metadata:
         annotations:
           service.beta.openshift.io/inject-cabundle: "true"
-        creationTimestamp: null
         name: sre-techpreviewnoupgrade-validation
       webhooks:
       - admissionReviewVersions:
@@ -841,7 +810,6 @@ objects:
 - apiVersion: hive.openshift.io/v1
   kind: SelectorSyncSet
   metadata:
-    creationTimestamp: null
     labels:
       managed.openshift.io/gitHash: ${IMAGE_TAG}
       managed.openshift.io/gitRepoName: ${REPO_NAME}
@@ -865,7 +833,6 @@ objects:
       metadata:
         annotations:
           service.beta.openshift.io/inject-cabundle: "true"
-        creationTimestamp: null
         name: sre-clusterlogging-validation
       webhooks:
       - admissionReviewVersions:
@@ -895,7 +862,6 @@ objects:
 - apiVersion: hive.openshift.io/v1
   kind: SelectorSyncSet
   metadata:
-    creationTimestamp: null
     labels:
       managed.openshift.io/gitHash: ${IMAGE_TAG}
       managed.openshift.io/gitRepoName: ${REPO_NAME}
@@ -917,7 +883,6 @@ objects:
       metadata:
         annotations:
           service.beta.openshift.io/inject-cabundle: "true"
-        creationTimestamp: null
         name: sre-ingresscontroller-validation
       webhooks:
       - admissionReviewVersions:

docs/webhooks-short.json

@@ -7,6 +7,10 @@
     "webhookName": "clusterrolebindings-validation",
     "documentString": "Managed OpenShift Customers may not delete the cluster role bindings under the managed namespaces: (^openshift-.*|kube-system)"
   },
+  {
+    "webhookName": "clusterroles-validation",
+    "documentString": "Managed OpenShift Customers may not delete protected ClusterRoles including cluster-admin, view, edit, admin, specific system roles (system:admin, system:node, system:node-proxier, system:kube-scheduler, system:kube-controller-manager), and backplane-* roles"
+  },
   {
     "webhookName": "customresourcedefinitions-validation",
     "documentString": "Managed OpenShift Customers may not change CustomResourceDefinitions managed by Red Hat."
@@ -25,7 +29,7 @@
   },
   {
     "webhookName": "ingresscontroller-validation",
-    "documentString": "Managed OpenShift Customer may create IngressControllers without necessary taints. This can cause those workloads to be provisioned on infra or master nodes."
+    "documentString": "Managed OpenShift Customer may create IngressControllers without necessary taints. This can cause those workloads to be provisioned on master nodes."
   },
   {
     "webhookName": "namespace-validation",
@@ -43,13 +47,17 @@
     "webhookName": "pod-validation",
     "documentString": "Managed OpenShift Customers may use tolerations on Pods that could cause those Pods to be scheduled on infra or master nodes."
   },
+  {
+    "webhookName": "podimagespec-mutation",
+    "documentString": "OpenShift debugging tools on Managed OpenShift clusters must be available even if internal image registry is removed."
+  },
   {
     "webhookName": "prometheusrule-validation",
     "documentString": "Managed OpenShift Customers may not create PrometheusRule in namespaces managed by Red Hat."
   },
   {
     "webhookName": "regular-user-validation",
-    "documentString": "Managed OpenShift customers may not manage any objects in the following APIGroups [admissionregistration.k8s.io managed.openshift.io addons.managed.openshift.io ocmagent.managed.openshift.io upgrade.managed.openshift.io config.openshift.io operator.openshift.io network.openshift.io cloudcredential.openshift.io machine.openshift.io splunkforwarder.managed.openshift.io autoscaling.openshift.io cloudingress.managed.openshift.io machineconfiguration.openshift.io], nor may Managed OpenShift customers alter the APIServer, KubeAPIServer, OpenShiftAPIServer, ClusterVersion, Proxy or SubjectPermission objects."
+    "documentString": "Managed OpenShift customers may not manage any objects in the following APIGroups [upgrade.managed.openshift.io config.openshift.io operator.openshift.io network.openshift.io admissionregistration.k8s.io addons.managed.openshift.io cloudingress.managed.openshift.io managed.openshift.io splunkforwarder.managed.openshift.io autoscaling.openshift.io machineconfiguration.openshift.io cloudcredential.openshift.io machine.openshift.io ocmagent.managed.openshift.io], nor may Managed OpenShift customers alter the APIServer, KubeAPIServer, OpenShiftAPIServer, ClusterVersion, Proxy or SubjectPermission objects."
   },
   {
     "webhookName": "scc-validation",

docs/webhooks.json

@@ -42,6 +42,27 @@
     ],
     "documentString": "Managed OpenShift Customers may not delete the cluster role bindings under the managed namespaces: (^openshift-.*|kube-system)"
   },
+  {
+    "webhookName": "clusterroles-validation",
+    "rules": [
+      {
+        "operations": [
+          "DELETE"
+        ],
+        "apiGroups": [
+          "rbac.authorization.k8s.io"
+        ],
+        "apiVersions": [
+          "v1"
+        ],
+        "resources": [
+          "clusterroles"
+        ],
+        "scope": "Cluster"
+      }
+    ],
+    "documentString": "Managed OpenShift Customers may not delete protected ClusterRoles including cluster-admin, view, edit, admin, specific system roles (system:admin, system:node, system:node-proxier, system:kube-scheduler, system:kube-controller-manager), and backplane-* roles"
+  },
   {
     "webhookName": "customresourcedefinitions-validation",
     "rules": [
@@ -175,7 +196,7 @@
         "scope": "Namespaced"
       }
     ],
-    "documentString": "Managed OpenShift Customer may create IngressControllers without necessary taints. This can cause those workloads to be provisioned on infra or master nodes."
+    "documentString": "Managed OpenShift Customer may create IngressControllers without necessary taints. This can cause those workloads to be provisioned on master nodes."
   },
   {
     "webhookName": "namespace-validation",
@@ -268,6 +289,27 @@
     ],
     "documentString": "Managed OpenShift Customers may use tolerations on Pods that could cause those Pods to be scheduled on infra or master nodes."
   },
+  {
+    "webhookName": "podimagespec-mutation",
+    "rules": [
+      {
+        "operations": [
+          "CREATE"
+        ],
+        "apiGroups": [
+          ""
+        ],
+        "apiVersions": [
+          "v1"
+        ],
+        "resources": [
+          "pods"
+        ],
+        "scope": "Namespaced"
+      }
+    ],
+    "documentString": "OpenShift debugging tools on Managed OpenShift clusters must be available even if internal image registry is removed."
+  },
   {
     "webhookName": "prometheusrule-validation",
     "rules": [
@@ -434,7 +476,7 @@
         "scope": "*"
       }
     ],
-    "documentString": "Managed OpenShift customers may not manage any objects in the following APIGroups [autoscaling.openshift.io network.openshift.io machine.openshift.io admissionregistration.k8s.io addons.managed.openshift.io cloudingress.managed.openshift.io splunkforwarder.managed.openshift.io upgrade.managed.openshift.io managed.openshift.io ocmagent.managed.openshift.io config.openshift.io machineconfiguration.openshift.io operator.openshift.io cloudcredential.openshift.io], nor may Managed OpenShift customers alter the APIServer, KubeAPIServer, OpenShiftAPIServer, ClusterVersion, Proxy or SubjectPermission objects."
+    "documentString": "Managed OpenShift customers may not manage any objects in the following APIGroups [splunkforwarder.managed.openshift.io autoscaling.openshift.io ocmagent.managed.openshift.io upgrade.managed.openshift.io config.openshift.io machineconfiguration.openshift.io operator.openshift.io network.openshift.io cloudcredential.openshift.io machine.openshift.io admissionregistration.k8s.io addons.managed.openshift.io cloudingress.managed.openshift.io managed.openshift.io], nor may Managed OpenShift customers alter the APIServer, KubeAPIServer, OpenShiftAPIServer, ClusterVersion, Proxy or SubjectPermission objects."
   },
   {
     "webhookName": "scc-validation",