Merge pull request #74477 from liggitt/webhook-admission-scope

Webhook admission scope

api/openapi-spec/swagger.json

@@ -99,6 +99,10 @@
             "type": "string"
           },
           "type": "array"
+        },
+        "scope": {
+          "description": "scope specifies the scope of this rule. Valid values are \"Cluster\", \"Namespaced\", and \"*\" \"Cluster\" means that only cluster-scoped resources will match this rule. Namespace API objects are cluster-scoped. \"Namespaced\" means that only namespaced resources will match this rule. \"*\" means that there are no scope restrictions. Subresources match the scope of their parent resource. Default is \"*\".",
+          "type": "string"
         }
       },
       "type": "object"

pkg/apis/admissionregistration/fuzzer/fuzzer.go

@@ -26,6 +26,13 @@ import (
 // Funcs returns the fuzzer functions for the admissionregistration api group.
 var Funcs = func(codecs runtimeserializer.CodecFactory) []interface{} {
 	return []interface{}{
+		func(obj *admissionregistration.Rule, c fuzz.Continue) {
+			c.FuzzNoCustom(obj) // fuzz self without calling this function again
+			if obj.Scope == nil {
+				s := admissionregistration.AllScopes
+				obj.Scope = &s
+			}
+		},
 		func(obj *admissionregistration.Webhook, c fuzz.Continue) {
 			c.FuzzNoCustom(obj) // fuzz self without calling this function again
 			p := admissionregistration.FailurePolicyType("Fail")

pkg/apis/admissionregistration/types.go

@@ -49,8 +49,32 @@ type Rule struct {
 	// Depending on the enclosing object, subresources might not be allowed.
 	// Required.
 	Resources []string
+
+	// scope specifies the scope of this rule.
+	// Valid values are "Cluster", "Namespaced", and "*"
+	// "Cluster" means that only cluster-scoped resources will match this rule.
+	// Namespace API objects are cluster-scoped.
+	// "Namespaced" means that only namespaced resources will match this rule.
+	// "*" means that there are no scope restrictions.
+	// Subresources match the scope of their parent resource.
+	// Default is "*".
+	//
+	// +optional
+	Scope *ScopeType
 }
 
+type ScopeType string
+
+const (
+	// ClusterScope means that scope is limited to cluster-scoped objects.
+	// Namespace objects are cluster-scoped.
+	ClusterScope ScopeType = "Cluster"
+	// NamespacedScope means that scope is limited to namespaced objects.
+	NamespacedScope ScopeType = "Namespaced"
+	// AllScopes means that all scopes are included.
+	AllScopes ScopeType = "*"
+)
+
 type FailurePolicyType string
 
 const (

pkg/apis/admissionregistration/v1beta1/defaults.go

@@ -45,3 +45,10 @@ func SetDefaults_Webhook(obj *admissionregistrationv1beta1.Webhook) {
 		*obj.TimeoutSeconds = 30
 	}
 }
+
+func SetDefaults_Rule(obj *admissionregistrationv1beta1.Rule) {
+	if obj.Scope == nil {
+		s := admissionregistrationv1beta1.AllScopes
+		obj.Scope = &s
+	}
+}

pkg/apis/admissionregistration/v1beta1/zz_generated.conversion.go

@@ -178,6 +178,7 @@ func autoConvert_v1beta1_Rule_To_admissionregistration_Rule(in *v1beta1.Rule, ou
 	out.APIGroups = *(*[]string)(unsafe.Pointer(&in.APIGroups))
 	out.APIVersions = *(*[]string)(unsafe.Pointer(&in.APIVersions))
 	out.Resources = *(*[]string)(unsafe.Pointer(&in.Resources))
+	out.Scope = (*admissionregistration.ScopeType)(unsafe.Pointer(in.Scope))
 	return nil
 }
 
@@ -190,6 +191,7 @@ func autoConvert_admissionregistration_Rule_To_v1beta1_Rule(in *admissionregistr
 	out.APIGroups = *(*[]string)(unsafe.Pointer(&in.APIGroups))
 	out.APIVersions = *(*[]string)(unsafe.Pointer(&in.APIVersions))
 	out.Resources = *(*[]string)(unsafe.Pointer(&in.Resources))
+	out.Scope = (*v1beta1.ScopeType)(unsafe.Pointer(in.Scope))
 	return nil
 }
 

pkg/apis/admissionregistration/v1beta1/zz_generated.defaults.go

@@ -48,6 +48,10 @@ func SetObjectDefaults_MutatingWebhookConfiguration(in *v1beta1.MutatingWebhookC
 	for i := range in.Webhooks {
 		a := &in.Webhooks[i]
 		SetDefaults_Webhook(a)
+		for j := range a.Rules {
+			b := &a.Rules[j]
+			SetDefaults_Rule(&b.Rule)
+		}
 	}
 }
 
@@ -62,6 +66,10 @@ func SetObjectDefaults_ValidatingWebhookConfiguration(in *v1beta1.ValidatingWebh
 	for i := range in.Webhooks {
 		a := &in.Webhooks[i]
 		SetDefaults_Webhook(a)
+		for j := range a.Rules {
+			b := &a.Rules[j]
+			SetDefaults_Rule(&b.Rule)
+		}
 	}
 }
 

pkg/apis/admissionregistration/validation/validation.go

@@ -113,6 +113,12 @@ func validateResourcesNoSubResources(resources []string, fldPath *field.Path) fi
 	return allErrors
 }
 
+var validScopes = sets.NewString(
+	string(admissionregistration.ClusterScope),
+	string(admissionregistration.NamespacedScope),
+	string(admissionregistration.AllScopes),
+)
+
 func validateRule(rule *admissionregistration.Rule, fldPath *field.Path, allowSubResource bool) field.ErrorList {
 	var allErrors field.ErrorList
 	if len(rule.APIGroups) == 0 {
@@ -138,6 +144,9 @@ func validateRule(rule *admissionregistration.Rule, fldPath *field.Path, allowSu
 	} else {
 		allErrors = append(allErrors, validateResourcesNoSubResources(rule.Resources, fldPath.Child("resources"))...)
 	}
+	if rule.Scope != nil && !validScopes.Has(string(*rule.Scope)) {
+		allErrors = append(allErrors, field.NotSupported(fldPath.Child("scope"), *rule.Scope, validScopes.List()))
+	}
 	return allErrors
 }
 

pkg/apis/admissionregistration/zz_generated.deepcopy.go

@@ -109,6 +109,11 @@ func (in *Rule) DeepCopyInto(out *Rule) {
 		*out = make([]string, len(*in))
 		copy(*out, *in)
 	}
+	if in.Scope != nil {
+		in, out := &in.Scope, &out.Scope
+		*out = new(ScopeType)
+		**out = **in
+	}
 	return
 }
 

staging/src/k8s.io/api/admissionregistration/v1beta1/generated.pb.go

@@ -249,6 +249,12 @@ func (m *Rule) MarshalTo(dAtA []byte) (int, error) {
 			i += copy(dAtA[i:], s)
 		}
 	}
+	if m.Scope != nil {
+		dAtA[i] = 0x22
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(len(*m.Scope)))
+		i += copy(dAtA[i:], *m.Scope)
+	}
 	return i, nil
 }
 
@@ -568,6 +574,10 @@ func (m *Rule) Size() (n int) {
 			n += 1 + l + sovGenerated(uint64(l))
 		}
 	}
+	if m.Scope != nil {
+		l = len(*m.Scope)
+		n += 1 + l + sovGenerated(uint64(l))
+	}
 	return n
 }
 
@@ -719,6 +729,7 @@ func (this *Rule) String() string {
 		`APIGroups:` + fmt.Sprintf("%v", this.APIGroups) + `,`,
 		`APIVersions:` + fmt.Sprintf("%v", this.APIVersions) + `,`,
 		`Resources:` + fmt.Sprintf("%v", this.Resources) + `,`,
+		`Scope:` + valueToStringGenerated(this.Scope) + `,`,
 		`}`,
 	}, "")
 	return s
@@ -1142,6 +1153,36 @@ func (m *Rule) Unmarshal(dAtA []byte) error {
 			}
 			m.Resources = append(m.Resources, string(dAtA[iNdEx:postIndex]))
 			iNdEx = postIndex
+		case 4:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Scope", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			s := ScopeType(dAtA[iNdEx:postIndex])
+			m.Scope = &s
+			iNdEx = postIndex
 		default:
 			iNdEx = preIndex
 			skippy, err := skipGenerated(dAtA[iNdEx:])
@@ -2139,64 +2180,66 @@ func init() {
 }
 
 var fileDescriptorGenerated = []byte{
-	// 936 bytes of a gzipped FileDescriptorProto
+	// 962 bytes of a gzipped FileDescriptorProto
-	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xdc, 0x55, 0x41, 0x8f, 0xdb, 0x44,
+	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xdc, 0x55, 0xcf, 0x8f, 0xdb, 0x44,
-	0x14, 0x5e, 0x37, 0x59, 0x92, 0x4c, 0x92, 0xb6, 0x3b, 0x80, 0x64, 0xaa, 0xca, 0x8e, 0x72, 0x40,
+	0x14, 0x5e, 0x37, 0x09, 0x89, 0x27, 0xbb, 0x6d, 0x77, 0xf8, 0x21, 0xb3, 0xaa, 0xec, 0x28, 0x07,
-	0x91, 0x50, 0x6d, 0xb2, 0x20, 0x84, 0x2a, 0x10, 0x5a, 0x2f, 0x14, 0x56, 0xda, 0xb6, 0x61, 0x52,
+	0x14, 0x09, 0x6a, 0xb3, 0x0b, 0x42, 0xa8, 0x02, 0xa1, 0xf5, 0x42, 0x61, 0xa5, 0x6d, 0xbb, 0x4c,
-	0x5a, 0x09, 0x71, 0x60, 0xe2, 0xbc, 0x24, 0x43, 0x1c, 0x8f, 0xe5, 0x19, 0xa7, 0xec, 0x0d, 0x89,
+	0x4a, 0x2b, 0x21, 0x0e, 0x4c, 0x9c, 0x97, 0x64, 0x88, 0xe3, 0xb1, 0x3c, 0xe3, 0x94, 0xbd, 0x21,
-	0x3f, 0x80, 0xc4, 0x8f, 0xe0, 0x57, 0x70, 0xdf, 0x63, 0x39, 0x20, 0x7a, 0xb2, 0x58, 0x73, 0xe6,
+	0xf1, 0x0f, 0xf0, 0x5f, 0xf0, 0x57, 0x70, 0xe0, 0xb6, 0xc7, 0x72, 0x40, 0xf4, 0x64, 0xb1, 0xe6,
-	0xc0, 0x75, 0x4f, 0x68, 0x6c, 0x27, 0x4e, 0x36, 0xdd, 0x6d, 0x7a, 0xe1, 0xc0, 0x2d, 0xf3, 0xbd,
+	0xcc, 0x81, 0xeb, 0x9e, 0xd0, 0xd8, 0x4e, 0x9c, 0x6c, 0xba, 0xdb, 0xf4, 0xc2, 0x81, 0x9b, 0xe7,
-	0xf7, 0x7d, 0xef, 0x7d, 0xcf, 0xf3, 0x26, 0xe8, 0xcb, 0xe9, 0x87, 0xc2, 0x62, 0xdc, 0x9e, 0x46,
+	0x7b, 0xef, 0xfb, 0xde, 0xfb, 0x66, 0xe6, 0x8d, 0xd1, 0x97, 0xe3, 0x0f, 0x85, 0xcd, 0xb8, 0x33,
-	0x03, 0x08, 0x7d, 0x90, 0x20, 0xec, 0x39, 0xf8, 0x43, 0x1e, 0xda, 0x79, 0x80, 0x06, 0xcc, 0xa6,
+	0x8e, 0x7b, 0x10, 0x05, 0x20, 0x41, 0x38, 0x53, 0x08, 0xfa, 0x3c, 0x72, 0x8a, 0x00, 0x0d, 0x99,
-	0xc3, 0x19, 0x13, 0x82, 0x71, 0x3f, 0x84, 0x31, 0x13, 0x32, 0xa4, 0x92, 0x71, 0xdf, 0x9e, 0x77,
+	0x43, 0xfb, 0x13, 0x26, 0x04, 0xe3, 0x41, 0x04, 0x43, 0x26, 0x64, 0x44, 0x25, 0xe3, 0x81, 0x33,
-	0x07, 0x20, 0x69, 0xd7, 0x1e, 0x83, 0x0f, 0x21, 0x95, 0x30, 0xb4, 0x82, 0x90, 0x4b, 0x8e, 0x3b,
+	0xdd, 0xed, 0x81, 0xa4, 0xbb, 0xce, 0x10, 0x02, 0x88, 0xa8, 0x84, 0xbe, 0x1d, 0x46, 0x5c, 0x72,
-	0x19, 0xd3, 0xa2, 0x01, 0xb3, 0x5e, 0xc8, 0xb4, 0x72, 0xe6, 0xad, 0x3b, 0x63, 0x26, 0x27, 0xd1,
+	0xdc, 0xc9, 0x99, 0x36, 0x0d, 0x99, 0xfd, 0x5c, 0xa6, 0x5d, 0x30, 0x77, 0x6e, 0x0f, 0x99, 0x1c,
-	0xc0, 0x72, 0xf9, 0xcc, 0x1e, 0xf3, 0x31, 0xb7, 0x53, 0x81, 0x41, 0x34, 0x4a, 0x4f, 0xe9, 0x21,
+	0xc5, 0x3d, 0xdb, 0xe3, 0x13, 0x67, 0xc8, 0x87, 0xdc, 0xc9, 0x04, 0x7a, 0xf1, 0x20, 0x5b, 0x65,
-	0xfd, 0x95, 0x09, 0xdf, 0x7a, 0xbf, 0x68, 0x69, 0x46, 0xdd, 0x09, 0xf3, 0x21, 0x3c, 0xb1, 0x83,
+	0x8b, 0xec, 0x2b, 0x17, 0xde, 0x79, 0xbf, 0x6c, 0x69, 0x42, 0xbd, 0x11, 0x0b, 0x20, 0x3a, 0x71,
-	0xe9, 0x58, 0x01, 0xc2, 0x9e, 0x81, 0xa4, 0xf6, 0x7c, 0xa3, 0x9d, 0x5b, 0xf6, 0x65, 0xac, 0x30,
+	0xc2, 0xf1, 0x50, 0x01, 0xc2, 0x99, 0x80, 0xa4, 0xce, 0x74, 0xa5, 0x9d, 0x1d, 0xe7, 0x32, 0x56,
-	0xf2, 0x25, 0x9b, 0xc1, 0x06, 0xe1, 0x83, 0x97, 0x11, 0x84, 0x3b, 0x81, 0x19, 0xbd, 0xc8, 0x6b,
+	0x14, 0x07, 0x92, 0x4d, 0x60, 0x85, 0xf0, 0xc1, 0x8b, 0x08, 0xc2, 0x1b, 0xc1, 0x84, 0x5e, 0xe4,
-	0xff, 0xae, 0xa1, 0xdb, 0xf7, 0x23, 0x49, 0x25, 0xf3, 0xc7, 0x4f, 0x60, 0x30, 0xe1, 0x7c, 0x7a,
+	0xb5, 0x7f, 0xd7, 0xd0, 0xad, 0x7b, 0xb1, 0xa4, 0x92, 0x05, 0xc3, 0xc7, 0xd0, 0x1b, 0x71, 0x3e,
-	0xc8, 0xfd, 0x11, 0x1b, 0x47, 0x99, 0x6d, 0xfc, 0x2d, 0xaa, 0xaa, 0x26, 0x87, 0x54, 0x52, 0x5d,
+	0x3e, 0xe0, 0xc1, 0x80, 0x0d, 0xe3, 0xdc, 0x36, 0xfe, 0x16, 0x35, 0x54, 0x93, 0x7d, 0x2a, 0xa9,
-	0x6b, 0x69, 0x9d, 0xfa, 0xfe, 0xbb, 0x56, 0x31, 0xab, 0x65, 0x2d, 0x2b, 0x98, 0x8e, 0x15, 0x20,
+	0xa1, 0xb5, 0xb4, 0x4e, 0x73, 0xef, 0x5d, 0xbb, 0xdc, 0xab, 0x79, 0x2d, 0x3b, 0x1c, 0x0f, 0x15,
-	0x2c, 0x95, 0x6d, 0xcd, 0xbb, 0xd6, 0xc3, 0xc1, 0x77, 0xe0, 0xca, 0xfb, 0x20, 0xa9, 0x83, 0x4f,
+	0x20, 0x6c, 0x95, 0x6d, 0x4f, 0x77, 0xed, 0x07, 0xbd, 0xef, 0xc0, 0x93, 0xf7, 0x40, 0x52, 0x17,
-	0x63, 0x73, 0x27, 0x89, 0x4d, 0x54, 0x60, 0x64, 0xa9, 0x8a, 0xfb, 0xa8, 0x9a, 0x57, 0x16, 0xfa,
+	0x9f, 0x26, 0xd6, 0x46, 0x9a, 0x58, 0xa8, 0xc4, 0xc8, 0x5c, 0x15, 0x77, 0x51, 0xa3, 0xa8, 0x2c,
-	0xb5, 0x56, 0xa9, 0x53, 0xdf, 0xef, 0x5a, 0xdb, 0x7e, 0x0d, 0x2b, 0x67, 0x3a, 0x65, 0x55, 0x82,
+	0x8c, 0x6b, 0xad, 0x4a, 0xa7, 0xb9, 0xb7, 0x6b, 0xaf, 0x7b, 0x1a, 0x76, 0xc1, 0x74, 0xab, 0xaa,
-	0x54, 0x9f, 0xe6, 0x42, 0xed, 0xbf, 0x35, 0xd4, 0xba, 0xca, 0xd7, 0x31, 0x13, 0x12, 0x7f, 0xb3,
+	0x04, 0x69, 0x3c, 0x29, 0x84, 0xda, 0x7f, 0x6b, 0xa8, 0x75, 0x95, 0xaf, 0x23, 0x26, 0x24, 0xfe,
-	0xe1, 0xcd, 0xda, 0xce, 0x9b, 0x62, 0xa7, 0xce, 0x6e, 0xe6, 0xce, 0xaa, 0x0b, 0x64, 0xc5, 0xd7,
+	0x66, 0xc5, 0x9b, 0xbd, 0x9e, 0x37, 0xc5, 0xce, 0x9c, 0xdd, 0x2c, 0x9c, 0x35, 0x66, 0xc8, 0x82,
-	0x14, 0xed, 0x32, 0x09, 0xb3, 0x85, 0xa9, 0x7b, 0xdb, 0x9b, 0xba, 0xaa, 0x71, 0xa7, 0x99, 0x97,
+	0xaf, 0x31, 0xaa, 0x31, 0x09, 0x93, 0x99, 0xa9, 0xbb, 0xeb, 0x9b, 0xba, 0xaa, 0x71, 0x77, 0xab,
-	0xdc, 0x3d, 0x52, 0xe2, 0x24, 0xab, 0xd1, 0xfe, 0x59, 0x43, 0x65, 0x12, 0x79, 0x80, 0xdf, 0x41,
+	0x28, 0x59, 0x3b, 0x54, 0xe2, 0x24, 0xaf, 0xd1, 0xfe, 0x55, 0x43, 0x55, 0x12, 0xfb, 0x80, 0xdf,
-	0x35, 0x1a, 0xb0, 0xcf, 0x43, 0x1e, 0x05, 0x42, 0xd7, 0x5a, 0xa5, 0x4e, 0xcd, 0x69, 0x26, 0xb1,
+	0x46, 0x3a, 0x0d, 0xd9, 0xe7, 0x11, 0x8f, 0x43, 0x61, 0x68, 0xad, 0x4a, 0x47, 0x77, 0xb7, 0xd2,
-	0x59, 0x3b, 0xe8, 0x1d, 0x65, 0x20, 0x29, 0xe2, 0xb8, 0x8b, 0xea, 0x34, 0x60, 0x8f, 0x21, 0x54,
+	0xc4, 0xd2, 0xf7, 0x8f, 0x0f, 0x73, 0x90, 0x94, 0x71, 0xbc, 0x8b, 0x9a, 0x34, 0x64, 0x8f, 0x20,
-	0xad, 0x64, 0x8d, 0xd6, 0x9c, 0x1b, 0x49, 0x6c, 0xd6, 0x0f, 0x7a, 0x47, 0x0b, 0x98, 0xac, 0xe6,
+	0x52, 0xad, 0xe4, 0x8d, 0xea, 0xee, 0x8d, 0x34, 0xb1, 0x9a, 0xfb, 0xc7, 0x87, 0x33, 0x98, 0x2c,
-	0x28, 0xfd, 0x10, 0x04, 0x8f, 0x42, 0x17, 0x84, 0x5e, 0x2a, 0xf4, 0xc9, 0x02, 0x24, 0x45, 0xbc,
+	0xe6, 0x28, 0xfd, 0x08, 0x04, 0x8f, 0x23, 0x0f, 0x84, 0x51, 0x29, 0xf5, 0xc9, 0x0c, 0x24, 0x65,
-	0xfd, 0x8b, 0x86, 0xb0, 0xea, 0xea, 0x09, 0x93, 0x93, 0x87, 0x01, 0x64, 0x0e, 0x04, 0xfe, 0x04,
+	0x1c, 0xbf, 0x83, 0x6a, 0xc2, 0xe3, 0x21, 0x18, 0xd5, 0x96, 0xd6, 0xd1, 0xdd, 0x37, 0x54, 0xdb,
-	0x21, 0xbe, 0x3c, 0xe5, 0x4d, 0x9a, 0xe9, 0xfd, 0x58, 0xa2, 0xe7, 0xb1, 0xd9, 0x5c, 0x9e, 0x1e,
+	0x5d, 0x05, 0x9c, 0x27, 0x96, 0x9e, 0x7d, 0x3c, 0x3c, 0x09, 0x81, 0xe4, 0x49, 0xed, 0x9f, 0x35,
-	0x9d, 0x04, 0x40, 0x56, 0x28, 0xb8, 0x87, 0xca, 0x61, 0xe4, 0x81, 0x7e, 0x6d, 0xe3, 0xa3, 0xbd,
+	0x84, 0x95, 0x87, 0xc7, 0x4c, 0x8e, 0x1e, 0x84, 0x90, 0xfb, 0x15, 0xf8, 0x13, 0x84, 0xf8, 0x7c,
-	0x64, 0xb2, 0xaa, 0x19, 0xa7, 0x91, 0x4f, 0x30, 0x1d, 0x18, 0x49, 0x95, 0xda, 0x3f, 0x6a, 0xe8,
+	0x55, 0x58, 0xb2, 0xb2, 0xdb, 0x34, 0x47, 0xcf, 0x13, 0x6b, 0x6b, 0xbe, 0xca, 0x24, 0x17, 0x28,
-	0x66, 0x1f, 0xc2, 0x39, 0x73, 0x81, 0xc0, 0x08, 0x42, 0xf0, 0x5d, 0xc0, 0x36, 0xaa, 0xf9, 0x74,
+	0xf8, 0x18, 0x55, 0xa3, 0xd8, 0x07, 0xe3, 0xda, 0xca, 0x11, 0xbf, 0xe0, 0x1c, 0x54, 0x33, 0xee,
-	0x06, 0x22, 0xa0, 0x2e, 0xa4, 0x17, 0xa4, 0xe6, 0xec, 0xe5, 0xdc, 0xda, 0x83, 0x45, 0x80, 0x14,
+	0x66, 0xb1, 0xdf, 0xd9, 0xf6, 0x92, 0x4c, 0xa9, 0xfd, 0xa3, 0x86, 0x6e, 0x76, 0x21, 0x9a, 0x32,
-	0x39, 0xb8, 0x85, 0xca, 0xea, 0x90, 0xf6, 0x55, 0x2b, 0xea, 0xa8, 0x5c, 0x92, 0x46, 0xf0, 0x6d,
+	0x0f, 0x08, 0x0c, 0x20, 0x82, 0xc0, 0x03, 0xec, 0x20, 0x3d, 0xa0, 0x13, 0x10, 0x21, 0xf5, 0x20,
-	0x54, 0x0e, 0xa8, 0x9c, 0xe8, 0xa5, 0x34, 0xa3, 0xaa, 0xa2, 0x3d, 0x2a, 0x27, 0x24, 0x45, 0xdb,
+	0xbb, 0x4e, 0xba, 0xbb, 0x5d, 0x70, 0xf5, 0xfb, 0xb3, 0x00, 0x29, 0x73, 0x70, 0x0b, 0x55, 0xd5,
-	0x7f, 0x68, 0xc8, 0x78, 0x4c, 0x3d, 0x36, 0xfc, 0xdf, 0xed, 0xe3, 0x3f, 0x1a, 0x6a, 0x5f, 0xed,
+	0x22, 0xeb, 0x4b, 0x2f, 0xeb, 0xa8, 0x5c, 0x92, 0x45, 0xf0, 0x2d, 0x54, 0x0d, 0xa9, 0x1c, 0x19,
-	0xec, 0x3f, 0xd8, 0xc8, 0xd9, 0xfa, 0x46, 0x7e, 0xb1, 0xbd, 0xad, 0xab, 0x5b, 0xbf, 0x64, 0x27,
+	0x95, 0x2c, 0xa3, 0xa1, 0xa2, 0xc7, 0x54, 0x8e, 0x48, 0x86, 0xb6, 0xff, 0xd0, 0x90, 0xf9, 0x88,
-	0x7f, 0x2b, 0xa3, 0x4a, 0x9e, 0xbe, 0xbc, 0x19, 0xda, 0xa5, 0x37, 0xe3, 0x29, 0x6a, 0xb8, 0x1e,
+	0xfa, 0xac, 0xff, 0xbf, 0x9b, 0xde, 0x7f, 0x34, 0xd4, 0xbe, 0xda, 0xd9, 0x7f, 0x30, 0xbf, 0x93,
-	0x03, 0x5f, 0x66, 0xd2, 0xf9, 0xdd, 0xfe, 0xf8, 0x95, 0x47, 0x7f, 0xb8, 0x22, 0xe2, 0xbc, 0x91,
+	0xe5, 0xf9, 0xfd, 0x62, 0x7d, 0x5b, 0x57, 0xb7, 0x7e, 0xc9, 0x04, 0xff, 0x56, 0x45, 0xf5, 0x22,
-	0x17, 0x6a, 0xac, 0xa2, 0x64, 0xad, 0x10, 0xa6, 0x68, 0x57, 0xad, 0x40, 0xb6, 0xcd, 0xf5, 0xfd,
+	0x7d, 0x7e, 0x33, 0xb4, 0x4b, 0x6f, 0xc6, 0x13, 0xb4, 0xe9, 0xf9, 0x0c, 0x02, 0x99, 0x4b, 0x17,
-	0x8f, 0x5e, 0x6d, 0x9b, 0xd6, 0x57, 0xbb, 0x98, 0x84, 0x8a, 0x09, 0x92, 0x29, 0xe3, 0x63, 0xd4,
+	0x77, 0xfb, 0xe3, 0x97, 0xde, 0xfa, 0x83, 0x05, 0x11, 0xf7, 0xb5, 0xa2, 0xd0, 0xe6, 0x22, 0x4a,
-	0x1c, 0x51, 0xe6, 0x45, 0x21, 0xf4, 0xb8, 0xc7, 0xdc, 0x13, 0xbd, 0x9c, 0x8e, 0xe1, 0xed, 0x24,
+	0x96, 0x0a, 0x61, 0x8a, 0x6a, 0x6a, 0x04, 0xf2, 0xd9, 0x6f, 0xee, 0x7d, 0xf4, 0x72, 0xd3, 0xb4,
-	0x36, 0x9b, 0xf7, 0x56, 0x03, 0xe7, 0xb1, 0xb9, 0xb7, 0x06, 0xa4, 0xab, 0xbf, 0x4e, 0xc6, 0xdf,
+	0x3c, 0xda, 0xe5, 0x4e, 0xa8, 0x98, 0x20, 0xb9, 0x32, 0x3e, 0x42, 0x5b, 0x03, 0xca, 0xfc, 0x38,
-	0xa3, 0xbd, 0xe5, 0xca, 0xf5, 0xc1, 0x03, 0x57, 0xf2, 0x50, 0xdf, 0x4d, 0xc7, 0xf5, 0xde, 0x96,
+	0x82, 0x63, 0xee, 0x33, 0xef, 0xa4, 0x78, 0x3d, 0xde, 0x4a, 0x13, 0x6b, 0xeb, 0xee, 0x62, 0xe0,
-	0xb7, 0x85, 0x0e, 0xc0, 0x5b, 0x50, 0x9d, 0x37, 0x93, 0xd8, 0xdc, 0x7b, 0x70, 0x51, 0x91, 0x6c,
+	0x3c, 0xb1, 0xb6, 0x97, 0x80, 0x6c, 0xf4, 0x97, 0xc9, 0xf8, 0x7b, 0xb4, 0x3d, 0x1f, 0xb9, 0x2e,
-	0x16, 0xc1, 0x9f, 0xa2, 0xba, 0x60, 0x43, 0xf8, 0x6c, 0x34, 0x02, 0x57, 0x0a, 0xfd, 0xb5, 0xd4,
+	0xf8, 0xe0, 0x49, 0x1e, 0x19, 0xb5, 0x6c, 0xbb, 0xde, 0x5b, 0xf3, 0xb6, 0xd0, 0x1e, 0xf8, 0x33,
-	0x45, 0x5b, 0xbd, 0x97, 0xfd, 0x02, 0x3e, 0x8f, 0xcd, 0x1b, 0xc5, 0xf1, 0xd0, 0xa3, 0x42, 0x90,
+	0xaa, 0xfb, 0x7a, 0x9a, 0x58, 0xdb, 0xf7, 0x2f, 0x2a, 0x92, 0xd5, 0x22, 0xf8, 0x53, 0xd4, 0x14,
-	0x55, 0x1a, 0xbe, 0x8b, 0xae, 0xab, 0xbf, 0x64, 0x1e, 0xc9, 0x3e, 0xb8, 0xdc, 0x1f, 0x0a, 0xbd,
+	0xac, 0x0f, 0x9f, 0x0d, 0x06, 0xe0, 0x49, 0x61, 0xbc, 0x92, 0xb9, 0x68, 0xab, 0xd7, 0xb5, 0x5b,
-	0xd2, 0xd2, 0x3a, 0xbb, 0x0e, 0x4e, 0x62, 0xf3, 0xfa, 0xa3, 0xb5, 0x08, 0xb9, 0x90, 0xd9, 0xfe,
+	0xc2, 0xe7, 0x89, 0x75, 0xa3, 0x5c, 0x1e, 0xf8, 0x54, 0x08, 0xb2, 0x48, 0xc3, 0x77, 0xd0, 0x75,
-	0x55, 0x43, 0xaf, 0xbf, 0xe0, 0x43, 0x63, 0x8a, 0x2a, 0x22, 0x7b, 0xbe, 0xf2, 0xbd, 0xb9, 0xbb,
+	0xf5, 0x03, 0xe7, 0xb1, 0xec, 0x82, 0xc7, 0x83, 0xbe, 0x30, 0xea, 0x2d, 0xad, 0x53, 0x73, 0x71,
-	0xfd, 0x67, 0xbc, 0xf8, 0xee, 0x39, 0xf5, 0x24, 0x36, 0x2b, 0x0b, 0x74, 0xa1, 0x8b, 0x3b, 0xa8,
+	0x9a, 0x58, 0xd7, 0x1f, 0x2e, 0x45, 0xc8, 0x85, 0xcc, 0xf6, 0x2f, 0x1a, 0x7a, 0xf5, 0x39, 0x07,
-	0xea, 0x52, 0x27, 0xf2, 0x87, 0xf9, 0xc3, 0xdb, 0x70, 0x1a, 0x6a, 0xcf, 0x0e, 0x0f, 0x32, 0x8c,
+	0x8d, 0x29, 0xaa, 0x8b, 0xfc, 0xf9, 0x2a, 0xe6, 0xe6, 0xce, 0xfa, 0xc7, 0x78, 0xf1, 0xdd, 0x73,
-	0x2c, 0xa3, 0xf8, 0x2d, 0x54, 0x8a, 0x42, 0x2f, 0x7f, 0xe3, 0x2a, 0x49, 0x6c, 0x96, 0xbe, 0x22,
+	0x9b, 0x69, 0x62, 0xd5, 0x67, 0xe8, 0x4c, 0x17, 0x77, 0x50, 0xc3, 0xa3, 0x6e, 0x1c, 0xf4, 0x8b,
-	0xc7, 0x44, 0x61, 0xce, 0x9d, 0xd3, 0x33, 0x63, 0xe7, 0xd9, 0x99, 0xb1, 0xf3, 0xfc, 0xcc, 0xd8,
+	0x87, 0x77, 0xd3, 0xdd, 0x54, 0x73, 0x76, 0xb0, 0x9f, 0x63, 0x64, 0x1e, 0xc5, 0x6f, 0xa2, 0x4a,
-	0xf9, 0x21, 0x31, 0xb4, 0xd3, 0xc4, 0xd0, 0x9e, 0x25, 0x86, 0xf6, 0x3c, 0x31, 0xb4, 0x3f, 0x13,
+	0x1c, 0xf9, 0xc5, 0x1b, 0x57, 0x4f, 0x13, 0xab, 0xf2, 0x15, 0x39, 0x22, 0x0a, 0x73, 0x6f, 0x9f,
-	0x43, 0xfb, 0xe9, 0x2f, 0x63, 0xe7, 0xeb, 0x4a, 0xde, 0xda, 0xbf, 0x01, 0x00, 0x00, 0xff, 0xff,
+	0x9e, 0x99, 0x1b, 0x4f, 0xcf, 0xcc, 0x8d, 0x67, 0x67, 0xe6, 0xc6, 0x0f, 0xa9, 0xa9, 0x9d, 0xa6,
-	0x85, 0xc4, 0x5b, 0xa6, 0xea, 0x09, 0x00, 0x00,
+	0xa6, 0xf6, 0x34, 0x35, 0xb5, 0x67, 0xa9, 0xa9, 0xfd, 0x99, 0x9a, 0xda, 0x4f, 0x7f, 0x99, 0x1b,
+	0x5f, 0xd7, 0x8b, 0xd6, 0xfe, 0x0d, 0x00, 0x00, 0xff, 0xff, 0xbb, 0xeb, 0xd8, 0xb0, 0x18, 0x0a,
+	0x00, 0x00,
 }

staging/src/k8s.io/api/admissionregistration/v1beta1/generated.proto

@@ -81,6 +81,18 @@ message Rule {
   // Depending on the enclosing object, subresources might not be allowed.
   // Required.
   repeated string resources = 3;
+
+  // scope specifies the scope of this rule.
+  // Valid values are "Cluster", "Namespaced", and "*"
+  // "Cluster" means that only cluster-scoped resources will match this rule.
+  // Namespace API objects are cluster-scoped.
+  // "Namespaced" means that only namespaced resources will match this rule.
+  // "*" means that there are no scope restrictions.
+  // Subresources match the scope of their parent resource.
+  // Default is "*".
+  //
+  // +optional
+  optional string scope = 4;
 }
 
 // RuleWithOperations is a tuple of Operations and Resources. It is recommended to make

staging/src/k8s.io/api/admissionregistration/v1beta1/types.go

@@ -49,8 +49,32 @@ type Rule struct {
 	// Depending on the enclosing object, subresources might not be allowed.
 	// Required.
 	Resources []string `json:"resources,omitempty" protobuf:"bytes,3,rep,name=resources"`
+
+	// scope specifies the scope of this rule.
+	// Valid values are "Cluster", "Namespaced", and "*"
+	// "Cluster" means that only cluster-scoped resources will match this rule.
+	// Namespace API objects are cluster-scoped.
+	// "Namespaced" means that only namespaced resources will match this rule.
+	// "*" means that there are no scope restrictions.
+	// Subresources match the scope of their parent resource.
+	// Default is "*".
+	//
+	// +optional
+	Scope *ScopeType `json:"scope,omitempty" protobuf:"bytes,4,rep,name=scope"`
 }
 
+type ScopeType string
+
+const (
+	// ClusterScope means that scope is limited to cluster-scoped objects.
+	// Namespace objects are cluster-scoped.
+	ClusterScope ScopeType = "Cluster"
+	// NamespacedScope means that scope is limited to namespaced objects.
+	NamespacedScope ScopeType = "Namespaced"
+	// AllScopes means that all scopes are included.
+	AllScopes ScopeType = "*"
+)
+
 type FailurePolicyType string
 
 const (

staging/src/k8s.io/api/admissionregistration/v1beta1/types_swagger_doc_generated.go

@@ -52,6 +52,7 @@ var map_Rule = map[string]string{
 	"apiGroups":   "APIGroups is the API groups the resources belong to. '*' is all groups. If '*' is present, the length of the slice must be one. Required.",
 	"apiVersions": "APIVersions is the API versions the resources belong to. '*' is all versions. If '*' is present, the length of the slice must be one. Required.",
 	"resources":   "Resources is a list of resources this rule applies to.\n\nFor example: 'pods' means pods. 'pods/log' means the log subresource of pods. '*' means all resources, but not subresources. 'pods/*' means all subresources of pods. '*/scale' means all scale subresources. '*/*' means all resources and their subresources.\n\nIf wildcard is present, the validation rule will ensure resources do not overlap with each other.\n\nDepending on the enclosing object, subresources might not be allowed. Required.",
+	"scope":       "scope specifies the scope of this rule. Valid values are \"Cluster\", \"Namespaced\", and \"*\" \"Cluster\" means that only cluster-scoped resources will match this rule. Namespace API objects are cluster-scoped. \"Namespaced\" means that only namespaced resources will match this rule. \"*\" means that there are no scope restrictions. Subresources match the scope of their parent resource. Default is \"*\".",
 }
 
 func (Rule) SwaggerDoc() map[string]string {

staging/src/k8s.io/api/admissionregistration/v1beta1/zz_generated.deepcopy.go

@@ -109,6 +109,11 @@ func (in *Rule) DeepCopyInto(out *Rule) {
 		*out = make([]string, len(*in))
 		copy(*out, *in)
 	}
+	if in.Scope != nil {
+		in, out := &in.Scope, &out.Scope
+		*out = new(ScopeType)
+		**out = **in
+	}
 	return
 }
 

staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook/rules/BUILD

@@ -8,6 +8,8 @@ go_library(
     visibility = ["//visibility:public"],
     deps = [
         "//staging/src/k8s.io/api/admissionregistration/v1beta1:go_default_library",
+        "//staging/src/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
+        "//staging/src/k8s.io/apimachinery/pkg/runtime/schema:go_default_library",
         "//staging/src/k8s.io/apiserver/pkg/admission:go_default_library",
     ],
 )
@@ -19,6 +21,7 @@ go_test(
     deps = [
         "//staging/src/k8s.io/api/admissionregistration/v1beta1:go_default_library",
         "//staging/src/k8s.io/apimachinery/pkg/runtime/schema:go_default_library",
+        "//staging/src/k8s.io/apimachinery/pkg/util/sets:go_default_library",
         "//staging/src/k8s.io/apiserver/pkg/admission:go_default_library",
     ],
 )

staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook/rules/rules.go

@@ -20,6 +20,8 @@ import (
 	"strings"
 
 	"k8s.io/api/admissionregistration/v1beta1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime/schema"
 	"k8s.io/apiserver/pkg/admission"
 )
 
@@ -31,7 +33,8 @@ type Matcher struct {
 
 // Matches returns if the Attr matches the Rule.
 func (r *Matcher) Matches() bool {
-	return r.operation() &&
+	return r.scope() &&
+		r.operation() &&
 		r.group() &&
 		r.version() &&
 		r.resource()
@@ -50,6 +53,25 @@ func exactOrWildcard(items []string, requested string) bool {
 	return false
 }
 
+var namespaceResource = schema.GroupVersionResource{Group: "", Version: "v1", Resource: "namespaces"}
+
+func (r *Matcher) scope() bool {
+	if r.Rule.Scope == nil || *r.Rule.Scope == v1beta1.AllScopes {
+		return true
+	}
+	// attr.GetNamespace() is set to the name of the namespace for requests of the namespace object itself.
+	switch *r.Rule.Scope {
+	case v1beta1.NamespacedScope:
+		// first make sure that we are not requesting a namespace object (namespace objects are cluster-scoped)
+		return r.Attr.GetResource() != namespaceResource && r.Attr.GetNamespace() != metav1.NamespaceNone
+	case v1beta1.ClusterScope:
+		// also return true if the request is for a namespace object (namespace objects are cluster-scoped)
+		return r.Attr.GetResource() == namespaceResource || r.Attr.GetNamespace() == metav1.NamespaceNone
+	default:
+		return false
+	}
+}
+
 func (r *Matcher) group() bool {
 	return exactOrWildcard(r.Rule.APIGroups, r.Attr.GetResource().Group)
 }

staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook/rules/rules_test.go

@@ -17,10 +17,12 @@ limitations under the License.
 package rules
 
 import (
+	"fmt"
 	"testing"
 
 	adreg "k8s.io/api/admissionregistration/v1beta1"
 	"k8s.io/apimachinery/pkg/runtime/schema"
+	"k8s.io/apimachinery/pkg/util/sets"
 	"k8s.io/apiserver/pkg/admission"
 )
 
@@ -43,6 +45,30 @@ func a(group, version, resource, subresource, name string, operation admission.O
 	)
 }
 
+func namespacedAttributes(group, version, resource, subresource, name string, operation admission.Operation) admission.Attributes {
+	return admission.NewAttributesRecord(
+		nil, nil,
+		schema.GroupVersionKind{Group: group, Version: version, Kind: "k" + resource},
+		"ns", name,
+		schema.GroupVersionResource{Group: group, Version: version, Resource: resource}, subresource,
+		operation,
+		false,
+		nil,
+	)
+}
+
+func clusterScopedAttributes(group, version, resource, subresource, name string, operation admission.Operation) admission.Attributes {
+	return admission.NewAttributesRecord(
+		nil, nil,
+		schema.GroupVersionKind{Group: group, Version: version, Kind: "k" + resource},
+		"", name,
+		schema.GroupVersionResource{Group: group, Version: version, Resource: resource}, subresource,
+		operation,
+		false,
+		nil,
+	)
+}
+
 func attrList(a ...admission.Attributes) []admission.Attributes {
 	return a
 }
@@ -299,3 +325,93 @@ func TestResource(t *testing.T) {
 		}
 	}
 }
+
+func TestScope(t *testing.T) {
+	cluster := adreg.ClusterScope
+	namespace := adreg.NamespacedScope
+	allscopes := adreg.AllScopes
+	table := tests{
+		"cluster scope": {
+			rule: adreg.RuleWithOperations{
+				Rule: adreg.Rule{
+					Resources: []string{"*"},
+					Scope:     &cluster,
+				},
+			},
+			match: attrList(
+				clusterScopedAttributes("g", "v", "r", "", "name", admission.Create),
+				clusterScopedAttributes("g", "v", "r", "exec", "name", admission.Create),
+				clusterScopedAttributes("", "v1", "namespaces", "", "ns", admission.Create),
+				clusterScopedAttributes("", "v1", "namespaces", "finalize", "ns", admission.Create),
+				namespacedAttributes("", "v1", "namespaces", "", "ns", admission.Create),
+				namespacedAttributes("", "v1", "namespaces", "finalize", "ns", admission.Create),
+			),
+			noMatch: attrList(
+				namespacedAttributes("g", "v", "r", "", "name", admission.Create),
+				namespacedAttributes("g", "v", "r", "exec", "name", admission.Create),
+			),
+		},
+		"namespace scope": {
+			rule: adreg.RuleWithOperations{
+				Rule: adreg.Rule{
+					Resources: []string{"*"},
+					Scope:     &namespace,
+				},
+			},
+			match: attrList(
+				namespacedAttributes("g", "v", "r", "", "name", admission.Create),
+				namespacedAttributes("g", "v", "r", "exec", "name", admission.Create),
+			),
+			noMatch: attrList(
+				clusterScopedAttributes("", "v1", "namespaces", "", "ns", admission.Create),
+				clusterScopedAttributes("", "v1", "namespaces", "finalize", "ns", admission.Create),
+				namespacedAttributes("", "v1", "namespaces", "", "ns", admission.Create),
+				namespacedAttributes("", "v1", "namespaces", "finalize", "ns", admission.Create),
+				clusterScopedAttributes("g", "v", "r", "", "name", admission.Create),
+				clusterScopedAttributes("g", "v", "r", "exec", "name", admission.Create),
+			),
+		},
+		"all scopes": {
+			rule: adreg.RuleWithOperations{
+				Rule: adreg.Rule{
+					Resources: []string{"*"},
+					Scope:     &allscopes,
+				},
+			},
+			match: attrList(
+				namespacedAttributes("g", "v", "r", "", "name", admission.Create),
+				namespacedAttributes("g", "v", "r", "exec", "name", admission.Create),
+				clusterScopedAttributes("g", "v", "r", "", "name", admission.Create),
+				clusterScopedAttributes("g", "v", "r", "exec", "name", admission.Create),
+				clusterScopedAttributes("", "v1", "namespaces", "", "ns", admission.Create),
+				clusterScopedAttributes("", "v1", "namespaces", "finalize", "ns", admission.Create),
+				namespacedAttributes("", "v1", "namespaces", "", "ns", admission.Create),
+				namespacedAttributes("", "v1", "namespaces", "finalize", "ns", admission.Create),
+			),
+			noMatch: attrList(),
+		},
+	}
+	keys := sets.NewString()
+	for name := range table {
+		keys.Insert(name)
+	}
+	for _, name := range keys.List() {
+		tt := table[name]
+		for i, m := range tt.match {
+			t.Run(fmt.Sprintf("%s_match_%d", name, i), func(t *testing.T) {
+				r := Matcher{tt.rule, m}
+				if !r.scope() {
+					t.Errorf("%v: expected match %#v", name, m)
+				}
+			})
+		}
+		for i, m := range tt.noMatch {
+			t.Run(fmt.Sprintf("%s_nomatch_%d", name, i), func(t *testing.T) {
+				r := Matcher{tt.rule, m}
+				if r.scope() {
+					t.Errorf("%v: expected no match %#v", name, m)
+				}
+			})
+		}
+	}
+}