diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 576661298..2ab3a344a 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -42,7 +42,7 @@ jobs: id: vars run: | echo "go_path=$(go env GOPATH)" >> $GITHUB_OUTPUT - echo "min_k8s_version=1.23.17" >> $GITHUB_OUTPUT + echo "min_k8s_version=1.25.16" >> $GITHUB_OUTPUT - name: Check if go.mod and go.sum are up to date run: go mod tidy && git diff --exit-code -- go.mod go.sum diff --git a/.github/workflows/conformance.yml b/.github/workflows/conformance.yml index 86b974718..983e070b4 100644 --- a/.github/workflows/conformance.yml +++ b/.github/workflows/conformance.yml @@ -126,7 +126,6 @@ jobs: ngf_prefix=ghcr.io/nginxinc/nginx-gateway-fabric ngf_tag=${{ steps.ngf-meta.outputs.version }} if [ ${{ github.event_name }} == "schedule" ]; then export GW_API_VERSION=main; fi - if [ ${{ startsWith(inputs.k8s-version, '1.23') || startsWith(inputs.k8s-version, '1.24') }} == "true" ]; then export INSTALL_WEBHOOK=true; fi if [ ${{ inputs.enable-experimental }} == "true" ]; then export ENABLE_EXPERIMENTAL=true; fi make install-ngf-local-no-build${{ inputs.image == 'plus' && '-with-plus' || ''}} PREFIX=${ngf_prefix} TAG=${ngf_tag} working-directory: ./conformance diff --git a/Makefile b/Makefile index 1396373f6..83d51b249 100644 --- a/Makefile +++ b/Makefile @@ -16,7 +16,6 @@ TELEMETRY_ENDPOINT=# if empty, NGF will report telemetry in its logs at debug le TELEMETRY_ENDPOINT_INSECURE = false GW_API_VERSION = 1.0.0 -INSTALL_WEBHOOK = false NODE_VERSION = $(shell cat .nvmrc) # go build flags - should not be overridden by the user 
@@ -193,12 +192,12 @@ install-ngf-local-build-with-plus: build-images-with-plus load-images-with-plus .PHONY: helm-install-local helm-install-local: ## Helm install NGF on configured kind cluster with local images. To build, load, and install with helm run make install-ngf-local-build. - ./conformance/scripts/install-gateway.sh $(GW_API_VERSION) $(INSTALL_WEBHOOK) + ./conformance/scripts/install-gateway.sh $(GW_API_VERSION) helm install dev $(CHART_DIR) --create-namespace --wait --set service.type=NodePort --set nginxGateway.image.repository=$(PREFIX) --set nginxGateway.image.tag=$(TAG) --set nginxGateway.image.pullPolicy=Never --set nginx.image.repository=$(NGINX_PREFIX) --set nginx.image.tag=$(TAG) --set nginx.image.pullPolicy=Never -n nginx-gateway .PHONY: helm-install-local-with-plus helm-install-local-with-plus: ## Helm install NGF with NGINX Plus on configured kind cluster with local images. To build, load, and install with helm run make install-ngf-local-build-with-plus. - ./conformance/scripts/install-gateway.sh $(GW_API_VERSION) $(INSTALL_WEBHOOK) + ./conformance/scripts/install-gateway.sh $(GW_API_VERSION) helm install dev $(CHART_DIR) --create-namespace --wait --set service.type=NodePort --set nginxGateway.image.repository=$(PREFIX) --set nginxGateway.image.tag=$(TAG) --set nginxGateway.image.pullPolicy=Never --set nginx.image.repository=$(NGINX_PLUS_PREFIX) --set nginx.image.tag=$(TAG) --set nginx.image.pullPolicy=Never --set nginx.plus=true -n nginx-gateway # Debug Targets diff --git a/README.md b/README.md index e1e59d0ea..be4f85a05 100644 --- a/README.md +++ b/README.md 
@@ -66,7 +66,7 @@ The following table lists the software versions NGINX Gateway Fabric supports. | NGINX Gateway Fabric | Gateway API | Kubernetes | NGINX OSS | NGINX Plus | | -------------------- | ----------- | ---------- | --------- | ---------- | -| Edge | 1.0.0 | 1.23+ | 1.25.4 | R31 | +| Edge | 1.0.0 | 1.25+ | 1.25.5 | R31 | | 1.2.0 | 1.0.0 | 1.23+ | 1.25.4 | R31 | | 1.1.0 | 1.0.0 | 1.23+ | 1.25.3 | n/a | | 1.0.0 | 0.8.1 | 1.23+ | 1.25.2 | n/a | diff --git a/charts/nginx-gateway-fabric/README.md b/charts/nginx-gateway-fabric/README.md index 02bbf785c..bc6871d5e 100644 --- a/charts/nginx-gateway-fabric/README.md +++ b/charts/nginx-gateway-fabric/README.md @@ -43,18 +43,6 @@ This chart deploys the NGINX Gateway Fabric in your Kubernetes cluster. kubectl apply -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.0.0/standard-install.yaml ``` - If you are running on Kubernetes 1.23 or 1.24, you also need to install the validating webhook. To do so, run: - - ```shell - kubectl apply -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.0.0/webhook-install.yaml - ``` - -> **Important** -> -> The validating webhook is not needed if you are running Kubernetes 1.25+. Validation is done using CEL on the -> CRDs. See the [resource validation doc](https://docs.nginx.com/nginx-gateway-fabric/overview/resource-validation/) -> for more information. - ## Installing the Chart ### Installing the Chart from the OCI Registry 
@@ -143,19 +131,6 @@ To upgrade the Gateway CRDs from [the Gateway API repo](https://github.com/kuber kubectl apply -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.0.0/standard-install.yaml ``` -If you are running on Kubernetes 1.23 or 1.24, you also need to update the validating webhook. To do so, run: - -```shell -kubectl apply -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.0.0/webhook-install.yaml -``` - -If you are running on Kubernetes 1.25 or newer and have the validating webhook installed, you should remove the -webhook. To do so, run: - -```shell -kubectl delete -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.0.0/webhook-install.yaml -``` - ### Upgrading the CRDs Helm does not upgrade the NGINX Gateway Fabric CRDs during a release upgrade. Before you upgrade a release, you @@ -266,12 +241,6 @@ To delete the Gateway API CRDs from [the Gateway API repo](https://github.com/ku kubectl delete -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.0.0/standard-install.yaml ``` -If you are running on Kubernetes 1.23 or 1.24, you also need to delete the validating webhook. To do so, run: - -```shell -kubectl delete -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.0.0/webhook-install.yaml -``` - ## Configuration The following tables lists the configurable parameters of the NGINX Gateway Fabric chart and their default values. diff --git a/conformance/Makefile b/conformance/Makefile index 1a3d7c482..b7a362792 100644 --- a/conformance/Makefile +++ b/conformance/Makefile @@ -14,7 +14,6 @@ NGF_MANIFEST=../deploy/manifests/nginx-gateway.yaml CRDS=../deploy/manifests/crds/ STATIC_MANIFEST=provisioner/static-deployment.yaml PROVISIONER_MANIFEST=provisioner/provisioner.yaml -INSTALL_WEBHOOK ?= false ENABLE_EXPERIMENTAL ?= false .DEFAULT_GOAL := help 
@@ -62,13 +61,13 @@ load-images-with-plus: ## Load NGF and NGINX Plus images on configured kind clus .PHONY: prepare-ngf-dependencies prepare-ngf-dependencies: update-ngf-manifest ## Install NGF dependencies on configured kind cluster - ./scripts/install-gateway.sh $(GW_API_VERSION) $(INSTALL_WEBHOOK) $(ENABLE_EXPERIMENTAL) + ./scripts/install-gateway.sh $(GW_API_VERSION) $(ENABLE_EXPERIMENTAL) kubectl apply -f $(CRDS) kubectl apply -f $(NGF_MANIFEST) .PHONY: prepare-ngf-dependencies-with-plus prepare-ngf-dependencies-with-plus: update-ngf-manifest-with-plus ## Install NGF dependencies with Plus on configured kind cluster - ./scripts/install-gateway.sh $(GW_API_VERSION) $(INSTALL_WEBHOOK) + ./scripts/install-gateway.sh $(GW_API_VERSION) kubectl apply -f $(CRDS) kubectl apply -f $(NGF_MANIFEST) @@ -120,7 +119,7 @@ uninstall-ngf: uninstall-k8s-components undo-manifests-update ## Uninstall NGF o .PHONY: uninstall-k8s-components uninstall-k8s-components: ## Uninstall installed components on configured kind cluster -kubectl delete -f $(NGF_MANIFEST) - ./scripts/uninstall-gateway.sh $(GW_API_VERSION) $(INSTALL_WEBHOOK) $(ENABLE_EXPERIMENTAL) + ./scripts/uninstall-gateway.sh $(GW_API_VERSION) $(ENABLE_EXPERIMENTAL) kubectl delete clusterrole nginx-gateway-provisioner kubectl delete clusterrolebinding nginx-gateway-provisioner diff --git a/conformance/README.md b/conformance/README.md index 87c06d438..bd3f13e82 100644 --- a/conformance/README.md +++ b/conformance/README.md 
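Review bot: The `prepare-ngf-dependencies-with-plus` recipe still calls `./scripts/install-gateway.sh $(GW_API_VERSION)` without `$(ENABLE_EXPERIMENTAL)`, while `prepare-ngf-dependencies` and `uninstall-k8s-components` (the next hunk in this file) both pass it. With `ENABLE_EXPERIMENTAL=true`, a Plus run would therefore fall through to the standard-channel branch of the install script, and the uninstall step would later try to delete the experimental CRDs, so the cluster under test does not match what the variable requests. Since the line is being edited anyway, I would make it `./scripts/install-gateway.sh $(GW_API_VERSION) $(ENABLE_EXPERIMENTAL)`. If the omission is deliberate, a comment on the target saying that Plus runs always use the standard channel would help.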
@@ -60,7 +60,6 @@ update-ngf-manifest Update the NGF deployment manifest image na | SERVICE_MANIFEST | ../deploy/manifests/service/nodeport.yaml | The location of the NGF Service manifest | | STATIC_MANIFEST | provisioner/static-deployment.yaml | The location of the NGF static deployment manifest | | PROVISIONER_MANIFEST | provisioner/provisioner.yaml | The location of the NGF provisioner manifest | -| INSTALL_WEBHOOK | false | Install the Gateway API Validating Webhook. Necessary for Kubernetes versions < 1.25. | | ENABLE_EXPERIMENTAL | false | Enable experimental features. Installs the Gateway APIs from the experimental channel and enables any supported experimental features in NGF. | ### Step 1 - Create a kind Cluster diff --git a/conformance/scripts/install-gateway.sh b/conformance/scripts/install-gateway.sh index 641567d98..d2c942dba 100755 --- a/conformance/scripts/install-gateway.sh +++ b/conformance/scripts/install-gateway.sh 
@@ -5,33 +5,20 @@ if [ -z $1 ]; then exit 1 fi -if [ -z $2 ]; then - echo "install webhook argument not set; exiting" - exit 1 -fi - if [ $1 == "main" ]; then temp_dir=$(mktemp -d) cd ${temp_dir} curl -s https://codeload.github.com/kubernetes-sigs/gateway-api/tar.gz/main | tar -xz --strip=2 gateway-api-main/config - if [ $3 == "true" ]; then + if [ $2 == "true" ]; then kubectl apply -f crd/experimental else kubectl apply -f crd/standard fi - if [ $2 == "true" ]; then - kubectl apply -f webhook - kubectl wait --for=condition=available --timeout=60s deployment gateway-api-admission-server -n gateway-system - fi rm -rf ${temp_dir} else - if [ $3 == "true" ]; then + if [ $2 == "true" ]; then kubectl apply -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v$1/experimental-install.yaml else kubectl apply -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v$1/standard-install.yaml fi - if [ $2 == "true" ]; then - kubectl apply -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v$1/webhook-install.yaml - kubectl wait --for=condition=available --timeout=60s deployment gateway-api-admission-server -n gateway-system - fi fi diff --git a/conformance/scripts/uninstall-gateway.sh b/conformance/scripts/uninstall-gateway.sh index f6f26c2c0..74f5d6a29 100755 --- a/conformance/scripts/uninstall-gateway.sh +++ b/conformance/scripts/uninstall-gateway.sh 
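Review bot: `$2` is now the experimental flag but is tested unquoted in `if [ $2 == "true" ]`, and the root Makefile's `helm-install-local` targets now call this script with only the version. In that case `[` runs with a missing operand, and the standard branch is reached only because the test errors out. Normalise the flag once near the top, e.g. `enable_experimental="${2:-false}"`, and test `[ "$enable_experimental" = "true" ]` in both branches. The second positional argument has also changed meaning from the webhook flag to the experimental flag, so an out-of-tree caller still passing `<version> true` would silently get the experimental-channel CRDs; a usage comment at the top of the script stating the new argument order would make that visible. The same applies to the matching hunk in `conformance/scripts/uninstall-gateway.sh`.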
@@ -5,31 +5,21 @@ if [ -z $1 ]; then exit 1 fi -if [ -z $2 ]; then - echo "install webhook argument not set; exiting" - exit 1 -fi if [ $1 == "main" ]; then temp_dir=$(mktemp -d) cd ${temp_dir} curl -s https://codeload.github.com/kubernetes-sigs/gateway-api/tar.gz/main | tar -xz --strip=2 gateway-api-main/config - if [ $3 == "true" ]; then + if [ $2 == "true" ]; then kubectl delete -f crd/experimental else kubectl delete -f crd/standard fi - if [ $2 == "true" ]; then - kubectl delete -f webhook - fi rm -rf ${temp_dir} else - if [ $3 == "true" ]; then + if [ $2 == "true" ]; then kubectl delete -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v$1/experimental-install.yaml else kubectl delete -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v$1/standard-install.yaml fi - if [ $2 == "true" ]; then - kubectl delete -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v$1/webhook-install.yaml - fi fi diff --git a/design/resource-validation.md b/design/resource-validation.md index de3dd054b..24d7ffac9 100644 --- a/design/resource-validation.md +++ b/design/resource-validation.md 
@@ -37,27 +37,6 @@ To help the implementations with the validation, the Gateway API already include OpenAPI schema validation. For example, the field X must be specified when type is set to Y; or X must be nil if Y is not Z. Note: Kubernetes API server enforces this validation. To bypass it, a user needs to change the CRDs. -#### For Kubernetes 1.23 and 1.24 - -- *The webhook validation*. This validation is written in go and ran as part of the webhook, which is included in the - Gateway API installation files. The validation covers additional logic, not possible to implement in the OpenAPI - schema validation. - It does not repeat the OpenAPI schema validation from the CRDs. Note: a user can bypass this validation if the webhook - is not installed. - -However, the built-in validation rules do not cover all validation needs of NGF: - -- The rules are not enough for NGINX. For example, the validation rule for the - `value` of the path in a path-based routing rule allows symbols like `;`, `{` - and `}`, which can break NGINX configuration for the - corresponding [location](https://nginx.org/en/docs/http/ngx_http_core_module.html#location) block. -- The rules don't cover unsupported field cases. For example, the webhook does not know which filters are implemented by - NGF, thus it cannot generate an appropriate error for NGF. - -Additionally, as mentioned in [GEP-922](https://gateway-api.sigs.k8s.io/geps/gep-922/#implementers), -"implementers must not rely on webhook or CRD validation as a security mechanism. If field values need to be escaped to -secure an implementation, both webhook and CRD validation can be bypassed and cannot be relied on." - ## Requirements Design a validation mechanism for Gateway API resources. 
@@ -120,16 +99,6 @@ following methods in order of their appearance in the table. | CRD validation | OpenAPI and CEL validation | Kubernetes API server | Structure, field values | Kubernetes API server returns any errors a response for an API call. | Yes, if the CRDs are modified. | | NGF-specific validation | Go code | NGF control plane | Field values | Errors are reported in the status of a resource after its creation/modification. | No | - -#### For Kubernetes 1.23 and 1.24 - -| Name | Type | Component | Scope | Feedback loop for errors | Can be bypassed? | -|------------------------------|---------|-----------------------|-------------------------|----------------------------------------------------------------------------------|--------------------------------------------------------------------------------------| -| CRD validation | OpenAPI | Kubernetes API server | Structure, field values | Kubernetes API server returns any errors a response for an API call. | Yes, if the CRDs are modified. | -| Webhook validation | Go code | Gateway API webhook | Field values | Kubernetes API server returns any errors a response for an API call. | Yes, if the webhook is not installed, misconfigured, or running a different version. | -| NGF-specific validation | Go code | NGF control plane | Field values | Errors are reported in the status of a resource after its creation/modification. | No | - - Notes: - The amount and the extent of the validation should allow multiple application developers to share a single NGF (User diff --git a/site/content/includes/installation/install-gateway-api-resources.md b/site/content/includes/installation/install-gateway-api-resources.md index 75585d846..c5c25fe92 100644 --- a/site/content/includes/installation/install-gateway-api-resources.md +++ b/site/content/includes/installation/install-gateway-api-resources.md 
@@ -16,11 +16,3 @@ additional features provided by the experimental channel. To install from the ex ```shell kubectl apply -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.0.0/experimental-install.yaml ``` - -If you are running on Kubernetes 1.23 or 1.24, you also need to install the validating webhook. To do so, run: - -```shell -kubectl apply -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.0.0/webhook-install.yaml -``` - -{{< important >}}The validating webhook is not needed if you are running Kubernetes 1.25+. Validation is done using CEL on the CRDs. See the [resource validation doc]({{< relref "/overview/resource-validation.md" >}}) for more information.{{< /important >}} diff --git a/site/content/includes/installation/uninstall-gateway-api-resources.md b/site/content/includes/installation/uninstall-gateway-api-resources.md index 64961e23c..453b26359 100644 --- a/site/content/includes/installation/uninstall-gateway-api-resources.md +++ b/site/content/includes/installation/uninstall-gateway-api-resources.md @@ -15,9 +15,3 @@ docs: "DOCS-1436" ```shell kubectl delete -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.0.0/experimental-install.yaml ``` - - If you are running on Kubernetes 1.23 or 1.24, you also need to delete the validating webhook. To do so, run: - - ```shell - kubectl delete -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.0.0/webhook-install.yaml - ``` diff --git a/site/content/installation/installing-ngf/manifests.md b/site/content/installation/installing-ngf/manifests.md index a50c585c9..efa8b9982 100644 --- a/site/content/installation/installing-ngf/manifests.md +++ b/site/content/installation/installing-ngf/manifests.md 
@@ -147,19 +147,6 @@ To upgrade NGINX Gateway Fabric and get the latest features and improvements, ta kubectl apply -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.0.0/experimental-install.yaml ``` - - If you are running on Kubernetes 1.23 or 1.24, you also need to update the validating webhook: - - ```shell - kubectl apply -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.0.0/webhook-install.yaml - ``` - - - If you are running on Kubernetes 1.25 or newer and have the validating webhook installed, you should remove the - webhook: - - ```shell - kubectl delete -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.0.0/webhook-install.yaml - ``` - 1. **Upgrade NGINX Gateway Fabric CRDs:** - To upgrade the Custom Resource Definitions (CRDs), run: diff --git a/site/content/overview/resource-validation.md b/site/content/overview/resource-validation.md index 317504e08..2483ef015 100644 --- a/site/content/overview/resource-validation.md +++ b/site/content/overview/resource-validation.md 
@@ -33,36 +33,20 @@ The HTTPRoute "coffee" is invalid: spec.hostnames[0]: Invalid value: "cafe.!@#$% {{< note >}}While unlikely, bypassing this validation step is possible if the Gateway API CRDs are modified to remove the validation. If this happens, Step 4 will reject any invalid values (from NGINX perspective).{{< /note >}} -### Step 2 - CEL or Webhook validation by Kubernetes +### Step 2 - CEL validation by Kubernetes API Server -- **Kubernetes 1.25 and later - CEL validation by Kubernetes API Server** +The Kubernetes API server validates Gateway API resources using CEL validation embedded in the Gateway API CRDs. It validates Gateway API resources using advanced rules unavailable in the OpenAPI schema validation. For example, if you create a Gateway resource with a TCP listener that configures a hostname, the CEL validation will reject it with the following error: - The Kubernetes API server validates Gateway API resources using CEL validation embedded in the Gateway API CRDs. It validates Gateway API resources using advanced rules unavailable in the OpenAPI schema validation. For example, if you create a Gateway resource with a TCP listener that configures a hostname, the CEL validation will reject it with the following error: - - ```shell - kubectl apply -f some-gateway.yaml - ``` - - ```text - The Gateway "some-gateway" is invalid: spec.listeners: Invalid value: "array": hostname must not be specified for protocols ['TCP', 'UDP'] - ``` - - More information on CEL in Kubernetes can be found [here](https://kubernetes.io/docs/reference/using-api/cel/). - - -- **Kubernetes 1.23 and 1.24 - Webhook validation by Gateway API Webhook** - - The validating webhook must be [installed for these Kubernetes versions]({{< relref "installation/installing-ngf/helm.md#installing-the-gateway-api-resources" >}}). It validates Gateway API resources using advanced rules unavailable in the OpenAPI schema validation. 
For example, if you create a Gateway resource with a TCP listener that configures a hostname, the webhook will reject it with the following error: +```shell +kubectl apply -f some-gateway.yaml +``` - ```shell - kubectl apply -f some-gateway.yaml - ``` +```text +The Gateway "some-gateway" is invalid: spec.listeners: Invalid value: "array": hostname must not be specified for protocols ['TCP', 'UDP'] +``` - ```text - Error from server: error when creating "some-gateway.yaml": admission webhook "validate.gateway.networking.k8s.io" denied the request: spec.listeners[1].hostname: Forbidden: should be empty for protocol TCP - ``` +More information on CEL in Kubernetes can be found [here](https://kubernetes.io/docs/reference/using-api/cel/). -{{< note >}}Bypassing this validation step is possible if the webhook is not running in the cluster. If this happens, Step 3 will reject the invalid values.{{< /note >}} ### Step 3 - Validation by NGINX Gateway Fabric diff --git a/tests/framework/ngf.go b/tests/framework/ngf.go index 6eb048b71..162fb35bd 100644 --- a/tests/framework/ngf.go +++ b/tests/framework/ngf.go @@ -8,13 +8,10 @@ import ( "strings" "time" - apps "k8s.io/api/apps/v1" core "k8s.io/api/core/v1" apiext "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1" apierrors "k8s.io/apimachinery/pkg/api/errors" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - "k8s.io/apimachinery/pkg/types" - "k8s.io/apimachinery/pkg/util/wait" "sigs.k8s.io/controller-runtime/pkg/client" ) 
@@ -46,42 +43,6 @@ func InstallGatewayAPI( return output, err } - if webhookRequired(k8sVersion) { - webhookPath := fmt.Sprintf("%s/v%s/webhook-install.yaml", gwInstallBasePath, apiVersion) - - if output, err := exec.Command("kubectl", "apply", "-f", webhookPath).CombinedOutput(); err != nil { - return output, err - } - - ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second) - defer cancel() - - if err := wait.PollUntilContextCancel( - ctx, - 500*time.Millisecond, - true, /* poll immediately */ - func(ctx context.Context) (bool, error) { - var deployment apps.Deployment - key := types.NamespacedName{ - Namespace: "gateway-system", - Name: "gateway-api-admission-server", - } - - if err := k8sClient.Get(ctx, key, &deployment); err != nil { - return false, err - } - - if deployment.Status.ReadyReplicas == 1 { - return true, nil - } - - return false, nil - }, - ); err != nil { - return nil, err - } - } - return nil, nil } @@ -89,14 +50,6 @@ func InstallGatewayAPI( func UninstallGatewayAPI(apiVersion, k8sVersion string) ([]byte, error) { apiPath := fmt.Sprintf("%s/v%s/standard-install.yaml", gwInstallBasePath, apiVersion) - if webhookRequired(k8sVersion) { - webhookPath := fmt.Sprintf("%s/v%s/webhook-install.yaml", gwInstallBasePath, apiVersion) - - if output, err := exec.Command("kubectl", "delete", "-f", webhookPath).CombinedOutput(); err != nil { - return output, err - } - } - output, err := exec.Command("kubectl", "delete", "-f", apiPath).CombinedOutput() if err != nil && !strings.Contains(string(output), "not found") { return output, err 
@@ -220,18 +173,3 @@ func setImageArgs(cfg InstallationConfig) []string { func formatValueSet(key, value string) []string { return []string{"--set", fmt.Sprintf("%s=%s", key, value)} } - -// webhookRequired returns true if the k8s version is less than 1.25. -func webhookRequired(k8sVersion string) bool { - // contains the supported versions of K8s that require the gateway webhook - webhookK8sVersions := map[string]struct{}{ - "1.23": {}, - "1.24": {}, - } - - if _, ok := webhookK8sVersions[k8sVersion]; ok { - return ok - } - - return false -}