Fix Subscription's Channel to use KRefence type (#1326)

go.mod

@@ -7,6 +7,7 @@ require (
 	github.com/gregjones/httpcache v0.0.0-20190212212710-3befbb6ad0cc // indirect
 	github.com/mitchellh/go-homedir v1.1.0
 	github.com/mitchellh/mapstructure v1.3.1 // indirect
+	github.com/pelletier/go-toml v1.8.0 // indirect
 	github.com/smartystreets/assertions v1.0.0 // indirect
 	github.com/spf13/cast v1.3.1 // indirect
 	github.com/spf13/cobra v1.1.3
@@ -21,11 +22,11 @@ require (
 	k8s.io/cli-runtime v0.19.7
 	k8s.io/client-go v0.19.7
 	k8s.io/code-generator v0.19.7
-	knative.dev/eventing v0.23.0
+	knative.dev/eventing v0.23.1-0.20210524085620-e48c80d7f969
 	knative.dev/hack v0.0.0-20210428122153-93ad9129c268
-	knative.dev/networking v0.0.0-20210512050647-ace2d3306f0b
-	knative.dev/pkg v0.0.0-20210510175900-4564797bf3b7
-	knative.dev/serving v0.23.0
+	knative.dev/networking v0.0.0-20210520062317-b2552eca09f7
+	knative.dev/pkg v0.0.0-20210520062216-e749d6a2ad0e
+	knative.dev/serving v0.23.1-0.20210522031118-9cd446ead73f
 	sigs.k8s.io/yaml v1.2.0
 )
 

go.sum

@@ -594,6 +594,7 @@ github.com/pborman/uuid v1.2.0/go.mod h1:X/NO0urCmaxf9VXbdlT7C2Yzkj2IKimNn4k+gtP
 github.com/pelletier/go-toml v1.2.0/go.mod h1:5z9KED0ma1S8pY6P1sdut58dfprrGBbd/94hg7ilaic=
 github.com/pelletier/go-toml v1.8.0 h1:Keo9qb7iRJs2voHvunFtuuYFsbWeOBh8/P9v/kVMFtw=
 github.com/pelletier/go-toml v1.8.0/go.mod h1:D6yutnOGMveHEPV7VQOuvI/gXY61bv+9bAOTRnLElKs=
+github.com/pelletier/go-toml/v2 v2.0.0-beta.2/go.mod h1:+X+aW6gUj6Hda43TeYHVCIvYNG/jqY/8ZFXAeXXHl+Q=
 github.com/performancecopilot/speed v3.0.0+incompatible/go.mod h1:/CLtqpZ5gBg1M9iaPbIdPPGyKcA8hKdoy6hAWba7Yac=
 github.com/peterbourgon/diskv v2.0.1+incompatible h1:UBdAOUP5p4RWqPBg048CAvpKN+vxiaj6gdUUzhl4XmI=
 github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod h1:uqqh8zWWbv1HBMNONnaR/tNboyR3/BZd58JJSHlUSCU=
@@ -727,8 +728,9 @@ github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXf
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
 github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
 github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA=
-github.com/stretchr/testify v1.6.1 h1:hDPOHmpOpP40lSULcqw7IrRb/u7w6RpDC9399XyoNd0=
 github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
+github.com/stretchr/testify v1.7.0 h1:nwc3DEeHmmLAfoZucVR881uASk0Mfjw8xYJ99tb5CcY=
+github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/subosito/gotenv v1.2.0 h1:Slr1R9HxAlEKefgq5jn9U+DnETlIUa6HfgEzj0g5d7s=
 github.com/subosito/gotenv v1.2.0/go.mod h1:N0PQaV/YGNqwC0u51sEeR/aUtSLEXKX9iv69rRypqCw=
 github.com/tidwall/pretty v1.0.0/go.mod h1:XNkn88O1ChpSDQmQeStsy+sBenx6DDtFZJxhVysOjyk=
@@ -1283,19 +1285,22 @@ k8s.io/legacy-cloud-providers v0.19.7/go.mod h1:dsZk4gH9QIwAtHQ8CK0Ps257xlfgoXE3
 k8s.io/utils v0.0.0-20200729134348-d5654de09c73/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA=
 k8s.io/utils v0.0.0-20210111153108-fddb29f9d009 h1:0T5IaWHO3sJTEmCP6mUlBvMukxPKUQWqiI/YuiBNMiQ=
 k8s.io/utils v0.0.0-20210111153108-fddb29f9d009/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA=
-knative.dev/caching v0.0.0-20210512050647-922782660f7c/go.mod h1:d+fIY/LkAZAM6HsRJwmfirNDMCc1+hqGlQctLP1CmzE=
-knative.dev/eventing v0.23.0 h1:0L1bVpll8kjdZNZ0FgNi4T0pPo4MmmDb6UJ06I9yHoM=
-knative.dev/eventing v0.23.0/go.mod h1:vGob3H6BTseZP+/dA5ze89gM+iNHlB2Cez8FFI7A9KM=
+knative.dev/caching v0.0.0-20210518062915-3c39f8fd811a/go.mod h1:d+fIY/LkAZAM6HsRJwmfirNDMCc1+hqGlQctLP1CmzE=
+knative.dev/eventing v0.23.1-0.20210524085620-e48c80d7f969 h1:o1EN/8udcyE1zh1ni1GZsyhFHJfY2sOLgh/wmMSLv8k=
+knative.dev/eventing v0.23.1-0.20210524085620-e48c80d7f969/go.mod h1:4WewoHOfKYH1nGMrFrZzNz4ZXnCy8WThWley770Zyjc=
 knative.dev/hack v0.0.0-20210428122153-93ad9129c268 h1:lBIj9Epd9UQ55NEaHzAdY/UZbuaegCdGPKVC2+Z68Q0=
 knative.dev/hack v0.0.0-20210428122153-93ad9129c268/go.mod h1:PHt8x8yX5Z9pPquBEfIj0X66f8iWkWfR0S/sarACJrI=
 knative.dev/hack/schema v0.0.0-20210428122153-93ad9129c268/go.mod h1:ffjwmdcrH5vN3mPhO8RrF2KfNnbHeCE2C60A+2cv3U0=
-knative.dev/networking v0.0.0-20210512050647-ace2d3306f0b h1:Ea6ym1Jfd/Hci1EGj+uPaE3d6SS1s/Br+6fFAWdJCeM=
-knative.dev/networking v0.0.0-20210512050647-ace2d3306f0b/go.mod h1:y7RmP2/dHO/DAC1QmpUtgTVF6/Z8whaL+wjgey+HthU=
-knative.dev/pkg v0.0.0-20210510175900-4564797bf3b7 h1:i4P8emOPrLctmbaPHp5eRIOqz+XTOkit7KgZeS+onKs=
+knative.dev/networking v0.0.0-20210519080815-4a780203e35b/go.mod h1:y7RmP2/dHO/DAC1QmpUtgTVF6/Z8whaL+wjgey+HthU=
+knative.dev/networking v0.0.0-20210520062317-b2552eca09f7 h1:CJYvZurqVSzYhAmd2nhFdMOTBIjWmW4cnNGJXpgxZtY=
+knative.dev/networking v0.0.0-20210520062317-b2552eca09f7/go.mod h1:y7RmP2/dHO/DAC1QmpUtgTVF6/Z8whaL+wjgey+HthU=
 knative.dev/pkg v0.0.0-20210510175900-4564797bf3b7/go.mod h1:fIl4l4OmZodkElyaHoT0LCF5wT+3+P/kinawQ4XlLtE=
-knative.dev/reconciler-test v0.0.0-20210512062647-d5adf72546be/go.mod h1:ZHvzjwe5aUnWDx+u5y9EPaZ++5PM9Yapp/IvBDiS+Yk=
-knative.dev/serving v0.23.0 h1:7q2MTUOud7kgLPJsVUyZIEG3g+df5yTwQjc+BsomsS8=
-knative.dev/serving v0.23.0/go.mod h1:hoGG2F9/qfAL/x0x14hAdciD7YxjdsaDqZ0PRNmj1gs=
+knative.dev/pkg v0.0.0-20210518131015-67897f4ec290/go.mod h1:fIl4l4OmZodkElyaHoT0LCF5wT+3+P/kinawQ4XlLtE=
+knative.dev/pkg v0.0.0-20210520062216-e749d6a2ad0e h1:BTHdk8J4PQ1UQIZlpBQaN4sw+vYqap4P97OWP/qytbo=
+knative.dev/pkg v0.0.0-20210520062216-e749d6a2ad0e/go.mod h1:fIl4l4OmZodkElyaHoT0LCF5wT+3+P/kinawQ4XlLtE=
+knative.dev/reconciler-test v0.0.0-20210514214942-8d70771450f1/go.mod h1:ZHvzjwe5aUnWDx+u5y9EPaZ++5PM9Yapp/IvBDiS+Yk=
+knative.dev/serving v0.23.1-0.20210522031118-9cd446ead73f h1:9IhjPLREELrLrRHEtqPQnXZTk2MEzMuCXsrXl/C9jiM=
+knative.dev/serving v0.23.1-0.20210522031118-9cd446ead73f/go.mod h1:ExgWB8J6EdPfCaaVylkdAZkZXskORb9hQ3kq69NbWvc=
 modernc.org/cc v1.0.0/go.mod h1:1Sk4//wdnYJiUIxnW8ddKpaOJCF37yAdqYnkxUpaYxw=
 modernc.org/golex v1.0.0/go.mod h1:b/QX9oBD/LhixY6NDh+IdGv17hgB+51fET1i2kPSmvk=
 modernc.org/mathutil v1.0.0/go.mod h1:wU0vUrJsVWBZ4P6e7xtFJEhFSNsfRLJ8H458uRjg03k=

pkg/kn/commands/subscription/subscription_test.go

@@ -19,7 +19,6 @@ package subscription
 import (
 	"bytes"
 
-	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/client-go/tools/clientcmd"
 	eventingv1 "knative.dev/eventing/pkg/apis/eventing/v1"
@@ -89,15 +88,15 @@ func cleanupSubscriptionMockClient() {
 func createSubscription(name, channel, subscriber, reply, dls string) *messagingv1.Subscription {
 	return clientv1.
 		NewSubscriptionBuilder(name).
-		Channel(createIMCObjectReference(channel)).
+		Channel(createIMCKReference(channel)).
 		Subscriber(createServiceSink(subscriber)).
 		Reply(createBrokerSink(reply)).
 		DeadLetterSink(createBrokerSink(dls)).
 		Build()
 }
 
-func createIMCObjectReference(channel string) *corev1.ObjectReference {
-	return &corev1.ObjectReference{
+func createIMCKReference(channel string) *duckv1.KReference {
+	return &duckv1.KReference{
 		APIVersion: "messaging.knative.dev/v1",
 		Kind:       "InMemoryChannel",
 		Name:       channel,

pkg/kn/flags/channel_types.go

@@ -18,10 +18,11 @@ import (
 	"fmt"
 	"strings"
 
+	duckv1 "knative.dev/pkg/apis/duck/v1"
+
 	messagingv1 "knative.dev/eventing/pkg/apis/messaging/v1"
 
 	"github.com/spf13/pflag"
-	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/runtime/schema"
 
 	"knative.dev/client/pkg/kn/config"
@@ -97,22 +98,22 @@ func (i *ChannelRef) Add(f *pflag.FlagSet) {
 }
 
 // Parse parses the CLI value for channel ref flag and populates object reference or return error
-func (i *ChannelRef) Parse() (*corev1.ObjectReference, error) {
+func (i *ChannelRef) Parse() (*duckv1.KReference, error) {
 	parts := strings.Split(i.Cref, ":")
 	switch len(parts) {
 	// if no prefix is given, defer to "messaging.knative.dev/v1:Channel"
 	case 1:
-		return &corev1.ObjectReference{Kind: "Channel", APIVersion: messagingv1.SchemeGroupVersion.String(), Name: parts[0]}, nil
+		return &duckv1.KReference{Kind: "Channel", APIVersion: messagingv1.SchemeGroupVersion.String(), Name: parts[0]}, nil
 	case 2:
 		if typ, ok := ctypeMappings[parts[0]]; ok {
-			return &corev1.ObjectReference{Kind: typ.Kind, APIVersion: typ.GroupVersion().String(), Name: parts[1]}, nil
+			return &duckv1.KReference{Kind: typ.Kind, APIVersion: typ.GroupVersion().String(), Name: parts[1]}, nil
 		}
 		return nil, fmt.Errorf("Error: unknown alias '%s' for '--channel', please configure the alias in kn config or specify in the format '--channel Group:Version:Kind:Name'", parts[0])
 	case 4:
 		if parts[0] == "" || parts[1] == "" || parts[2] == "" || parts[3] == "" {
 			return nil, fmt.Errorf("Error: incorrect value '%s' for '--channel', must be in the format 'Group:Version:Kind:Name' or configure an alias in kn config and refer as: '--channel ALIAS:NAME'", i.Cref)
 		}
-		return &corev1.ObjectReference{Kind: parts[2], APIVersion: parts[0] + "/" + parts[1], Name: parts[3]}, nil
+		return &duckv1.KReference{Kind: parts[2], APIVersion: parts[0] + "/" + parts[1], Name: parts[3]}, nil
 	default:
 		return nil, fmt.Errorf("Error: incorrect value '%s' for '--channel', must be in the format 'Group:Version:Kind:Name' or configure an alias in kn config and refer as: '--channel ALIAS:NAME'", i.Cref)
 	}

pkg/kn/flags/channel_types_test.go

@@ -19,8 +19,9 @@ import (
 
 	"github.com/spf13/pflag"
 	"gotest.tools/v3/assert"
-	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/runtime/schema"
+
+	duckv1 "knative.dev/pkg/apis/duck/v1"
 )
 
 type channelTypeFlagsTestCase struct {
@@ -33,7 +34,7 @@ type channelTypeFlagsTestCase struct {
 type channelRefFlagsTestCase struct {
 	name              string
 	arg               string
-	expectedObjectRef *corev1.ObjectReference
+	expectedObjectRef *duckv1.KReference
 	expectedErrText   string
 }
 
@@ -92,19 +93,19 @@ func TestChannelRefFlags(t *testing.T) {
 		{
 			"inbuilt alias 'imc' case",
 			"imc:i2",
-			&corev1.ObjectReference{APIVersion: "messaging.knative.dev/v1", Kind: "InMemoryChannel", Name: "i2"},
+			&duckv1.KReference{APIVersion: "messaging.knative.dev/v1", Kind: "InMemoryChannel", Name: "i2"},
 			"",
 		},
 		{
 			"explicit GVK case",
 			"messaging.knative.dev:v1alpha1:KafkaChannel:k1",
-			&corev1.ObjectReference{APIVersion: "messaging.knative.dev/v1alpha1", Kind: "KafkaChannel", Name: "k1"},
+			&duckv1.KReference{APIVersion: "messaging.knative.dev/v1alpha1", Kind: "KafkaChannel", Name: "k1"},
 			"",
 		},
 		{
 			"default channel type prefix case",
 			"c1",
-			&corev1.ObjectReference{APIVersion: "messaging.knative.dev/v1", Kind: "Channel", Name: "c1"},
+			&duckv1.KReference{APIVersion: "messaging.knative.dev/v1", Kind: "Channel", Name: "c1"},
 			"",
 		},
 		{

pkg/messaging/v1/subscriptions_client.go

@@ -19,7 +19,6 @@ package v1
 import (
 	"context"
 
-	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	eventingduckv1 "knative.dev/eventing/pkg/apis/duck/v1"
 	messagingv1 "knative.dev/eventing/pkg/apis/messaging/v1"
@@ -149,7 +148,7 @@ func NewSubscriptionBuilderFromExisting(subs *messagingv1.Subscription) *Subscri
 }
 
 // Channel sets the channel reference for this subscription
-func (s *SubscriptionBuilder) Channel(channel *corev1.ObjectReference) *SubscriptionBuilder {
+func (s *SubscriptionBuilder) Channel(channel *duckv1.KReference) *SubscriptionBuilder {
 	if channel == nil {
 		return s
 	}

vendor/knative.dev/eventing/pkg/apis/messaging/v1/subscribable_channelable_validation.go

@@ -17,69 +17,27 @@ limitations under the License.
 package v1
 
 import (
-	"reflect"
+	"context"
 
-	"github.com/google/go-cmp/cmp"
-	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/equality"
 	"knative.dev/pkg/apis"
+	duckv1 "knative.dev/pkg/apis/duck/v1"
 )
 
-func isChannelEmpty(f corev1.ObjectReference) bool {
-	return equality.Semantic.DeepEqual(f, corev1.ObjectReference{})
+func isChannelEmpty(f duckv1.KReference) bool {
+	return equality.Semantic.DeepEqual(f, duckv1.KReference{})
 }
 
 // Valid if it is a valid object reference.
-func isValidChannel(f corev1.ObjectReference) *apis.FieldError {
-	return IsValidObjectReference(f)
-}
-
-func IsValidObjectReference(f corev1.ObjectReference) *apis.FieldError {
-	return checkRequiredObjectReferenceFields(f).
-		Also(checkDisallowedObjectReferenceFields(f))
-}
+func isValidChannel(ctx context.Context, f duckv1.KReference) *apis.FieldError {
+	errs := f.Validate(ctx)
 
-// Check the corev1.ObjectReference to make sure it has the required fields. They
-// are not checked for anything more except that they are set.
-func checkRequiredObjectReferenceFields(f corev1.ObjectReference) *apis.FieldError {
-	var errs *apis.FieldError
-	if f.Name == "" {
-		errs = errs.Also(apis.ErrMissingField("name"))
-	}
-	if f.APIVersion == "" {
-		errs = errs.Also(apis.ErrMissingField("apiVersion"))
-	}
-	if f.Kind == "" {
-		errs = errs.Also(apis.ErrMissingField("kind"))
-	}
-	return errs
-}
-
-// Check the corev1.ObjectReference to make sure it only has the following fields set:
-// Name, Kind, APIVersion
-// If any other fields are set and is not the Zero value, returns an apis.FieldError
-// with the fieldpaths for all those fields.
-func checkDisallowedObjectReferenceFields(f corev1.ObjectReference) *apis.FieldError {
-	disallowedFields := []string{}
-	// See if there are any fields that have been set that should not be.
-	// TODO: Hoist this kind of stuff into pkg repository.
-	s := reflect.ValueOf(f)
-	typeOf := s.Type()
-	for i := 0; i < s.NumField(); i++ {
-		field := s.Field(i)
-		fieldName := typeOf.Field(i).Name
-		if fieldName == "Name" || fieldName == "Kind" || fieldName == "APIVersion" {
-			continue
-		}
-		if !cmp.Equal(field.Interface(), reflect.Zero(field.Type()).Interface()) {
-			disallowedFields = append(disallowedFields, fieldName)
-		}
-	}
-	if len(disallowedFields) > 0 {
-		fe := apis.ErrDisallowedFields(disallowedFields...)
+	// Namespace field is disallowed
+	if f.Namespace != "" {
+		fe := apis.ErrDisallowedFields("namespace")
 		fe.Details = "only name, apiVersion and kind are supported fields"
-		return fe
+		errs = errs.Also(fe)
 	}
-	return nil
 
+	return errs
 }

vendor/knative.dev/eventing/pkg/apis/messaging/v1/subscription_types.go

@@ -17,7 +17,6 @@ limitations under the License.
 package v1
 
 import (
-	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/runtime/schema"
@@ -74,11 +73,11 @@ var (
 // channel --> reply
 type SubscriptionSpec struct {
 	// Reference to a channel that will be used to create the subscription
-	// You can specify only the following fields of the ObjectReference:
+	// You can specify only the following fields of the KReference:
 	//   - Kind
 	//   - APIVersion
 	//   - Name
-	//  The resource pointed by this ObjectReference must meet the
+	// The resource pointed by this KReference must meet the
 	// contract to the ChannelableSpec duck type. If the resource does not
 	// meet this contract it will be reflected in the Subscription's status.
 	//
@@ -89,7 +88,7 @@ type SubscriptionSpec struct {
 	// channel, giving the user more control over what semantics should
 	// be used (drain the channel first, possibly have events dropped,
 	// etc.)
-	Channel corev1.ObjectReference `json:"channel"`
+	Channel duckv1.KReference `json:"channel"`
 
 	// Subscriber is reference to (optional) function for processing events.
 	// Events from the Channel will be delivered here and replies are

vendor/knative.dev/eventing/pkg/apis/messaging/v1/subscription_validation.go

@@ -44,7 +44,7 @@ func (ss *SubscriptionSpec) Validate(ctx context.Context) *apis.FieldError {
 		fe := apis.ErrMissingField("channel")
 		fe.Details = "the Subscription must reference a channel"
 		return fe
-	} else if fe := isValidChannel(ss.Channel); fe != nil {
+	} else if fe := isValidChannel(ctx, ss.Channel); fe != nil {
 		errs = errs.Also(fe.ViaField("channel"))
 	}
 

vendor/knative.dev/pkg/apis/duck/v1beta1/destination.go

@@ -136,10 +136,7 @@ func (dest *Destination) GetRef() *corev1.ObjectReference {
 	if dest.Ref != nil {
 		return dest.Ref
 	}
-	if ref := dest.deprecatedObjectReference(); ref != nil {
-		return ref
-	}
-	return nil
+	return dest.deprecatedObjectReference()
 }
 
 func validateDestinationRef(ref corev1.ObjectReference) *apis.FieldError {

vendor/knative.dev/serving/pkg/apis/serving/fieldmask.go

@@ -594,14 +594,14 @@ func SecurityContextMask(ctx context.Context, in *corev1.SecurityContext) *corev
 	// Allowed fields
 	out.RunAsUser = in.RunAsUser
 	out.ReadOnlyRootFilesystem = in.ReadOnlyRootFilesystem
+	out.Capabilities = in.Capabilities
 
 	if config.FromContextOrDefaults(ctx).Features.PodSpecSecurityContext != config.Disabled {
 		out.RunAsGroup = in.RunAsGroup
 		out.RunAsNonRoot = in.RunAsNonRoot
 	}
 	// Disallowed
 	// This list is unnecessary, but added here for clarity
-	out.Capabilities = nil
 	out.Privileged = nil
 	out.SELinuxOptions = nil
 	out.AllowPrivilegeEscalation = nil
@@ -610,6 +610,26 @@ func SecurityContextMask(ctx context.Context, in *corev1.SecurityContext) *corev
 	return out
 }
 
+// CapabilitiesMask performs a _shallow_ copy of the Kubernetes Capabilities object to a new
+// Kubernetes Capabilities object bringing over only the fields allowed in the Knative API. This
+// does not validate the contents or the bounds of the provided fields.
+func CapabilitiesMask(in *corev1.Capabilities) *corev1.Capabilities {
+	if in == nil {
+		return nil
+	}
+
+	out := new(corev1.Capabilities)
+
+	// Allowed fields
+	out.Drop = in.Drop
+
+	// Disallowed
+	// This list is unnecessary, but added here for clarity
+	out.Add = nil
+
+	return out
+}
+
 // NamespacedObjectReferenceMask performs a _shallow_ copy of the Kubernetes ObjectReference
 // object to a new Kubernetes ObjectReference object bringing over only the fields allowed in
 // the Knative API. This does not validate the contents or the bounds of the provided fields.

vendor/knative.dev/serving/pkg/apis/serving/k8s_validation.go

@@ -447,12 +447,21 @@ func validateResources(resources *corev1.ResourceRequirements) *apis.FieldError
 	return apis.CheckDisallowedFields(*resources, *ResourceRequirementsMask(resources))
 }
 
+func validateCapabilities(cap *corev1.Capabilities) *apis.FieldError {
+	if cap == nil {
+		return nil
+	}
+	return apis.CheckDisallowedFields(*cap, *CapabilitiesMask(cap))
+}
+
 func validateSecurityContext(ctx context.Context, sc *corev1.SecurityContext) *apis.FieldError {
 	if sc == nil {
 		return nil
 	}
 	errs := apis.CheckDisallowedFields(*sc, *SecurityContextMask(ctx, sc))
 
+	errs = errs.Also(validateCapabilities(sc.Capabilities).ViaField("capabilities"))
+
 	if sc.RunAsUser != nil {
 		uid := *sc.RunAsUser
 		if uid < minUserID || uid > maxUserID {