CNTRLPLANE-2553: Update the KAS admission plugin for fields to be compilable at admission time

[ShazaAldawamneh]

What type of PR is this?

kind api-change

What this PR does / why we need it:

Extends the existing CEL validation framework in the authentication admission plugin to compile and cost-estimate the new CEL expression fields introduced in openshift/api#2487 and openshift/api#2719: claimMappings.username.expression, claimMappings.groups.expression, claimValidationRules[].cel.expression, and userValidationRules[].expression. This gives users an early feedback loop at admission time rather than discovering invalid expressions at runtime.

Which issue(s) this PR is related to:

CNTRLPLANE-2553

Special notes for your reviewer:

Does this PR introduce a user-facing change?

Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.:

[openshift-ci-robot]

@ShazaAldawamneh: This pull request references CNTRLPLANE-2553 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.

Details

In response to this:

What type of PR is this?

kind api-change

What this PR does / why we need it:

Extends the existing CEL validation framework in the authentication admission plugin to compile and cost-estimate the new CEL expression fields introduced in openshift/api#2487 and openshift/api#2719: claimMappings.username.expression, claimMappings.groups.expression, claimValidationRules[].cel.expression, and userValidationRules[].expression. This gives users an early feedback loop at admission time rather than discovering invalid expressions at runtime.

Which issue(s) this PR is related to:

CNTRLPLANE-2553

Special notes for your reviewer:

Does this PR introduce a user-facing change?

Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.:

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci-robot]

@ShazaAldawamneh: the contents of this pull request could not be automatically validated.

The following commits could not be validated and must be approved by a top-level approver:

• b0eedae|authentication: enforce claims.email_verified usage when claims.email is used in username expression: does not specify an upstream backport in the commit message
• d813c4e|vendor: bump openshift/api to pick up new authentication CEL expression fields: does not specify an upstream backport in the commit message

Comment /validate-backports to re-evaluate validity of the upstream PRs, for example when they are merged upstream.

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

Walkthrough

Updates dependency pins and refactors OIDC CEL validation to compile and propagate per-expression CompilationResults; adds many new CEL validators (username, groups, extras, claim/user rules), email_verified usage checks, AST helpers, and expanded tests covering the new validation behavior.

Changes

Cohort / File(s)	Summary
Dependency manifest updates go.mod, staging/src/k8s.io/apiextensions-apiserver/go.mod	Bumped github.com/openshift/api revision and added google.golang.org/genproto/googleapis/api as a direct require (removed from indirect).
OIDC provider CEL validation logic openshift-kube-apiserver/admission/customresourcevalidation/authentication/validate_authentication.go	Refactored CEL compilation/validation to return and propagate *authenticationcel.CompilationResult per expression; added validators for username, groups, extra claim mappings, claim validation rules, user validation rules, and email_verified usage checks; introduced CEL AST helpers, updated compile/cache result type and cost-estimation wiring, and changed validateOIDCProvider call flow.
Unit tests for authentication validation openshift-kube-apiserver/admission/customresourcevalidation/authentication/validate_authentication_test.go	Expanded and renamed tests to exercise new compilation-based workflow and deduplication; added positive and negative cases for username/groups/claim/user CEL expressions and email_verified usage; adjusted mocks and assertions to match compile-returned errors/results.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

🚥 Pre-merge checks | ✅ 7 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 34.78% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (7 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly describes the main change: updating the KAS admission plugin to enable CEL field compilation at admission time. It is directly related to the substantial changes in the validation framework for authentication CEL expressions.
Stable And Deterministic Test Names	✅ Passed	Test file uses traditional Go testing with table-driven patterns, not Ginkgo tests; all test case names are static descriptive strings without dynamic values.
Test Structure And Quality	✅ Passed	Test code follows all quality requirements using standard Go table-driven testing pattern with single-responsibility principles, meaningful assertion messages, and consistency with codebase conventions.
Microshift Test Compatibility	✅ Passed	This PR does not add any new Ginkgo e2e tests; it only updates standard Go unit tests and authentication validation logic.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	This PR does not add any Ginkgo e2e tests. The changes are limited to admission plugin validation logic and unit tests using standard Go testing framework, not Ginkgo's BDD-style patterns.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	This PR contains no Ginkgo e2e tests; all changes are unit tests using standard Go testing package.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci-robot]

@ShazaAldawamneh: This pull request references CNTRLPLANE-2553 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.

Details

In response to this:

What type of PR is this?

kind api-change

What this PR does / why we need it:

Extends the existing CEL validation framework in the authentication admission plugin to compile and cost-estimate the new CEL expression fields introduced in openshift/api#2487 and openshift/api#2719: claimMappings.username.expression, claimMappings.groups.expression, claimValidationRules[].cel.expression, and userValidationRules[].expression. This gives users an early feedback loop at admission time rather than discovering invalid expressions at runtime.

Which issue(s) this PR is related to:

CNTRLPLANE-2553

Special notes for your reviewer:

Does this PR introduce a user-facing change?

Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.:

Summary by CodeRabbit

• New Features

• Enhanced validation for OIDC provider configurations, including username and groups claim mappings
• Added validation for claim validation rules and user validation rules
• Introduced email verification usage constraints to ensure consistency in authentication configurations

• Chores

• Updated OpenShift API dependency

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In
`@openshift-kube-apiserver/admission/customresourcevalidation/authentication/validate_authentication.go`:
- Around line 518-576: validateEmailVerifiedUsage currently re-runs
validateCELExpression (and records cost) for expressions already validated in
validateClaimMappings and validateClaimValidationRules; change it to reuse
earlier compilation results or perform AST-only checks without touching
costRecorder: modify validateClaimMappings and validateClaimValidationRules to
return the validated AST/results (e.g., a map or struct of expressions ->
AST/validationResult from validateCELExpression) and update
validateEmailVerifiedUsage to accept those precompiled results (or call a new
helper like inspectASTUsesEmail* that only inspects an AST without invoking
validateCELExpression or costRecorder). Ensure references to
validateCELExpression, costRecorder, cel (celStore), validateClaimMappings,
validateClaimValidationRules, and validateEmailVerifiedUsage are updated so no
duplicate costRecorder recordings occur.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 5ad82031-bef3-4c8b-a0f7-bd7700cce715

📥 Commits

Reviewing files that changed from the base of the PR and between ac14da2 and d813c4e.

⛔ Files ignored due to path filters (38)

• go.sum is excluded by !**/*.sum
• staging/src/k8s.io/apiextensions-apiserver/go.sum is excluded by !**/*.sum
• vendor/github.com/openshift/api/apps/v1/generated.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
• vendor/github.com/openshift/api/apps/v1/generated.protomessage.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
• vendor/github.com/openshift/api/apps/v1/types.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/api/apps/v1/zz_prerelease_lifecycle_generated.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/api/authorization/v1/generated.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
• vendor/github.com/openshift/api/authorization/v1/generated.protomessage.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
• vendor/github.com/openshift/api/build/v1/generated.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
• vendor/github.com/openshift/api/build/v1/generated.protomessage.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
• vendor/github.com/openshift/api/config/v1/types_authentication.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/api/config/v1/types_ingress.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/api/config/v1/zz_generated.swagger_doc_generated.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
• vendor/github.com/openshift/api/config/v1alpha1/types_cluster_monitoring.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/api/config/v1alpha1/types_insights.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/api/config/v1alpha1/zz_generated.deepcopy.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
• vendor/github.com/openshift/api/config/v1alpha1/zz_generated.swagger_doc_generated.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
• vendor/github.com/openshift/api/features/features.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/api/features/util.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/api/image/v1/generated.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
• vendor/github.com/openshift/api/image/v1/generated.protomessage.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
• vendor/github.com/openshift/api/network/v1/generated.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
• vendor/github.com/openshift/api/network/v1/generated.protomessage.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
• vendor/github.com/openshift/api/oauth/v1/generated.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
• vendor/github.com/openshift/api/oauth/v1/generated.protomessage.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
• vendor/github.com/openshift/api/project/v1/generated.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
• vendor/github.com/openshift/api/project/v1/generated.protomessage.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
• vendor/github.com/openshift/api/quota/v1/generated.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
• vendor/github.com/openshift/api/quota/v1/generated.protomessage.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
• vendor/github.com/openshift/api/route/v1/generated.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
• vendor/github.com/openshift/api/route/v1/generated.protomessage.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
• vendor/github.com/openshift/api/security/v1/generated.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
• vendor/github.com/openshift/api/security/v1/generated.protomessage.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
• vendor/github.com/openshift/api/template/v1/generated.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
• vendor/github.com/openshift/api/template/v1/generated.protomessage.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
• vendor/github.com/openshift/api/user/v1/generated.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
• vendor/github.com/openshift/api/user/v1/generated.protomessage.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
• vendor/modules.txt is excluded by !**/vendor/**, !vendor/**

📒 Files selected for processing (4)

• go.mod
• openshift-kube-apiserver/admission/customresourcevalidation/authentication/validate_authentication.go
• openshift-kube-apiserver/admission/customresourcevalidation/authentication/validate_authentication_test.go
• staging/src/k8s.io/apiextensions-apiserver/go.mod

[ehearne-redhat]

@ShazaAldawamneh you may want to change this line

https://github.com/ShazaAldawamneh/kubernetes/blob/d813c4eb56e798591ac4706230bea971b59af556/openshift-kube-apiserver/admission/customresourcevalidation/authentication/validate_authentication_test.go#L701

to

_, results <- validateCELExpression(context.TODO(), cel, &costRecorder{}, fieldPath, expression)

https://prow.ci.openshift.org/view/gs/test-platform-results/pr-logs/pull/openshift_kubernetes/2627/pull-ci-openshift-kubernetes-master-unit/2032246809815945216

=== Errors
openshift-kube-apiserver/admission/customresourcevalidation/authentication/validate_authentication_test.go:701:15: multiple-value validateCELExpression(context.TODO(), cel, &costRecorder{}, fieldPath, expression) (value of type ("k8s.io/apiserver/pkg/authentication/cel".CompilationResult, "k8s.io/apimachinery/pkg/util/validation/field".ErrorList)) in single-value context

[ehearne-redhat]

Also, you'll need to run ./hack/update-vendor.sh, ./hack/update-gofmt.sh to fix the errors in https://prow.ci.openshift.org/view/gs/test-platform-results/pr-logs/pull/openshift_kubernetes/2627/pull-ci-openshift-kubernetes-master-verify/2032246812332527616 .

The above comment will address the other errors there too. :)

[ehearne-redhat]

For verify-commits make sure the commits follow this convention e.g. UPSTREAM: 12345: A kube fix .

[ehearne-redhat]

You may also need to re-run the tests. I believe some of them were infrastructure related failures.

[openshift-ci-robot]

@ShazaAldawamneh: the contents of this pull request could not be automatically validated.

The following commits could not be validated and must be approved by a top-level approver:

• 20f395b|UPSTREAM: : vendor: bump openshift/api to pick up new authentication CEL expression fields: does not specify an upstream backport in the commit message
• 95163d2|UPSTREAM: : authentication: enforce claims.email_verified usage when claims.email is used in username expression: does not specify an upstream backport in the commit message

Comment /validate-backports to re-evaluate validity of the upstream PRs, for example when they are merged upstream.

[openshift-ci-robot]

@ShazaAldawamneh: This pull request references CNTRLPLANE-2553 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.

Details

In response to this:

What type of PR is this?

kind api-change

What this PR does / why we need it:

Extends the existing CEL validation framework in the authentication admission plugin to compile and cost-estimate the new CEL expression fields introduced in openshift/api#2487 and openshift/api#2719: claimMappings.username.expression, claimMappings.groups.expression, claimValidationRules[].cel.expression, and userValidationRules[].expression. This gives users an early feedback loop at admission time rather than discovering invalid expressions at runtime.

Which issue(s) this PR is related to:

CNTRLPLANE-2553

Special notes for your reviewer:

Does this PR introduce a user-facing change?

Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.:

Summary by CodeRabbit

• New Features

• Enhanced OIDC provider validation: improved username and groups claim mapping checks
• Added validation for claim validation rules and user validation rules
• Enforced email_verified usage constraints across claim mappings and rules

• Tests

• Expanded unit tests covering invalid and valid CEL expressions and related validation scenarios

• Chores

• Bumped OpenShift API dependency and adjusted related module declarations

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

openshift-kube-apiserver/admission/customresourcevalidation/authentication/validate_authentication.go (1)

449-452: ⚠️ Potential issue | 🔴 Critical

Make CEL compilation and cache keys accessor-aware.

Line 474 always calls CompileClaimsExpression, which provides the claims variable in the CEL environment. However, when UserValidationCondition is passed (line 401), it should instead call CompileUserExpression to provide the user variable. Additionally, cache/singleflight keys (lines 449, 451, 506) use only raw expression text, causing different accessor types with identical expressions to incorrectly reuse compilation results compiled for the wrong CEL environment.

🛠️ Proposed fix

+func compileByAccessor(cel *celStore, accessor authenticationcel.ExpressionAccessor) (authenticationcel.CompilationResult, error) {
+	switch accessor.(type) {
+	case *authenticationcel.UserValidationCondition:
+		return cel.compiler.CompileUserExpression(accessor)
+	default:
+		return cel.compiler.CompileClaimsExpression(accessor)
+	}
+}
+
 func validateCELExpression(ctx context.Context, cel *celStore, costRecorder *costRecorder, path *field.Path, accessor authenticationcel.ExpressionAccessor) (authenticationcel.CompilationResult, field.ErrorList) { // if context has been canceled, don't try to compile any expressions
@@
-	result, err, _ := cel.compilingGroup.Do(accessor.GetExpression(), func() (interface{}, error) {
+	cacheKey := fmt.Sprintf("%T:%s", accessor, accessor.GetExpression())
+	result, err, _ := cel.compilingGroup.Do(cacheKey, func() (interface{}, error) {
@@
-		if val, ok := cel.compiledStore.Get(accessor.GetExpression()); ok {
+		if val, ok := cel.compiledStore.Get(cacheKey); ok {
@@
-		compRes, compErr := cel.compiler.CompileClaimsExpression(accessor)
+		compRes, compErr := compileByAccessor(cel, accessor)
@@
-		cel.compiledStore.Add(accessor.GetExpression(), res)
+		cel.compiledStore.Add(cacheKey, res)

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In
`@openshift-kube-apiserver/admission/customresourcevalidation/authentication/validate_authentication.go`
around lines 449 - 452, The compilation code currently always calls
CompileClaimsExpression and uses the raw expression text as the
singleflight/cache key; update the logic around
cel.compilingGroup.Do(accessor.GetExpression(), ...), the compiledStore lookup
(cel.compiledStore.Get(accessor.GetExpression())), and any further cache keys so
they incorporate the accessor type (e.g., accessor.Type() or
reflect.TypeOf(accessor)) to make keys accessor-aware, and branch on the
accessor kind so that when accessor is a UserValidationCondition you call
CompileUserExpression(accessor.GetExpression()) instead of
CompileClaimsExpression, otherwise call CompileClaimsExpression; ensure both the
singleflight key and compiledStore key use the combined identifier
(accessor-type + expression) and return the corresponding celCompileResult.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In
`@openshift-kube-apiserver/admission/customresourcevalidation/authentication/validate_authentication.go`:
- Around line 558-559: Update the error message string in
validate_authentication.go that currently ends with
"claimValidationRules[*].expression" to instead reference the accurate validated
field path "claimValidationRules[*].cel.expression"; locate the message
construction around the claims/email_verified validation (the string passed into
the field error creation where claims.email is mentioned) and replace the
incorrect substring so users see "claimValidationRules[*].cel.expression".

---

Outside diff comments:
In
`@openshift-kube-apiserver/admission/customresourcevalidation/authentication/validate_authentication.go`:
- Around line 449-452: The compilation code currently always calls
CompileClaimsExpression and uses the raw expression text as the
singleflight/cache key; update the logic around
cel.compilingGroup.Do(accessor.GetExpression(), ...), the compiledStore lookup
(cel.compiledStore.Get(accessor.GetExpression())), and any further cache keys so
they incorporate the accessor type (e.g., accessor.Type() or
reflect.TypeOf(accessor)) to make keys accessor-aware, and branch on the
accessor kind so that when accessor is a UserValidationCondition you call
CompileUserExpression(accessor.GetExpression()) instead of
CompileClaimsExpression, otherwise call CompileClaimsExpression; ensure both the
singleflight key and compiledStore key use the combined identifier
(accessor-type + expression) and return the corresponding celCompileResult.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: c5022cb4-c143-4f70-8b4c-bd930a62a359

📥 Commits

Reviewing files that changed from the base of the PR and between d813c4e and 20f395b.

⛔ Files ignored due to path filters (38)

• go.sum is excluded by !**/*.sum
• staging/src/k8s.io/apiextensions-apiserver/go.sum is excluded by !**/*.sum
• vendor/github.com/openshift/api/apps/v1/generated.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
• vendor/github.com/openshift/api/apps/v1/generated.protomessage.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
• vendor/github.com/openshift/api/apps/v1/types.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/api/apps/v1/zz_prerelease_lifecycle_generated.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/api/authorization/v1/generated.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
• vendor/github.com/openshift/api/authorization/v1/generated.protomessage.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
• vendor/github.com/openshift/api/build/v1/generated.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
• vendor/github.com/openshift/api/build/v1/generated.protomessage.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
• vendor/github.com/openshift/api/config/v1/types_authentication.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/api/config/v1/types_ingress.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/api/config/v1/zz_generated.swagger_doc_generated.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
• vendor/github.com/openshift/api/config/v1alpha1/types_cluster_monitoring.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/api/config/v1alpha1/types_insights.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/api/config/v1alpha1/zz_generated.deepcopy.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
• vendor/github.com/openshift/api/config/v1alpha1/zz_generated.swagger_doc_generated.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
• vendor/github.com/openshift/api/features/features.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/api/features/util.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/api/image/v1/generated.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
• vendor/github.com/openshift/api/image/v1/generated.protomessage.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
• vendor/github.com/openshift/api/network/v1/generated.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
• vendor/github.com/openshift/api/network/v1/generated.protomessage.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
• vendor/github.com/openshift/api/oauth/v1/generated.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
• vendor/github.com/openshift/api/oauth/v1/generated.protomessage.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
• vendor/github.com/openshift/api/project/v1/generated.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
• vendor/github.com/openshift/api/project/v1/generated.protomessage.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
• vendor/github.com/openshift/api/quota/v1/generated.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
• vendor/github.com/openshift/api/quota/v1/generated.protomessage.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
• vendor/github.com/openshift/api/route/v1/generated.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
• vendor/github.com/openshift/api/route/v1/generated.protomessage.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
• vendor/github.com/openshift/api/security/v1/generated.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
• vendor/github.com/openshift/api/security/v1/generated.protomessage.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
• vendor/github.com/openshift/api/template/v1/generated.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
• vendor/github.com/openshift/api/template/v1/generated.protomessage.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
• vendor/github.com/openshift/api/user/v1/generated.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
• vendor/github.com/openshift/api/user/v1/generated.protomessage.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
• vendor/modules.txt is excluded by !**/vendor/**, !vendor/**

📒 Files selected for processing (4)

• go.mod
• openshift-kube-apiserver/admission/customresourcevalidation/authentication/validate_authentication.go
• openshift-kube-apiserver/admission/customresourcevalidation/authentication/validate_authentication_test.go
• staging/src/k8s.io/apiextensions-apiserver/go.mod

[openshift-ci-robot]

@ShazaAldawamneh: the contents of this pull request could not be automatically validated.

The following commits could not be validated and must be approved by a top-level approver:

• 20f395b|UPSTREAM: : vendor: bump openshift/api to pick up new authentication CEL expression fields: does not specify an upstream backport in the commit message
• 95163d2|UPSTREAM: : authentication: enforce claims.email_verified usage when claims.email is used in username expression: does not specify an upstream backport in the commit message
• abc1f3f| UPSTREAM: : authentication: add validateUserCELExpression to use CompileUserExpression for user validation rules: does not specify an upstream backport in the commit message

Comment /validate-backports to re-evaluate validity of the upstream PRs, for example when they are merged upstream.

[openshift-ci-robot]

@ShazaAldawamneh: This pull request references CNTRLPLANE-2553 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.

Details

In response to this:

What type of PR is this?

kind api-change

What this PR does / why we need it:

Extends the existing CEL validation framework in the authentication admission plugin to compile and cost-estimate the new CEL expression fields introduced in openshift/api#2487 and openshift/api#2719: claimMappings.username.expression, claimMappings.groups.expression, claimValidationRules[].cel.expression, and userValidationRules[].expression. This gives users an early feedback loop at admission time rather than discovering invalid expressions at runtime.

Which issue(s) this PR is related to:

CNTRLPLANE-2553

Special notes for your reviewer:

Does this PR introduce a user-facing change?

Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.:

Summary by CodeRabbit

• New Features

• Enhanced OIDC provider validation with per-expression compilation results and new validators for username, groups, extras, claim validation rules, and email_verified usage checks.

• Tests

• Expanded unit tests covering many valid/invalid CEL expressions and email_verified-related scenarios.

• Chores

• Bumped OpenShift API dependency and adjusted module requirements.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

Actionable comments posted: 2

🧹 Nitpick comments (1)

openshift-kube-apiserver/admission/customresourcevalidation/authentication/validate_authentication.go (1)

528-596: Consider extracting shared logic to reduce duplication.

validateUserCELExpression duplicates ~70 lines from validateCELExpression, differing only in the compiler method call (CompileUserExpression vs CompileClaimsExpression). Consider extracting the common logic into a shared helper that accepts a compile function.

♻️ Suggested refactor approach

type compileFunc func(authenticationcel.ExpressionAccessor) (authenticationcel.CompilationResult, error)

func validateCELExpressionWithCompiler(
    ctx context.Context,
    cel *celStore,
    costRecorder *costRecorder,
    path *field.Path,
    accessor authenticationcel.ExpressionAccessor,
    cachePrefix string,
    compile compileFunc,
) (*authenticationcel.CompilationResult, field.ErrorList) {
    // shared implementation with compile function parameter
    cacheKey := cachePrefix + accessor.GetExpression()
    // ... rest of shared logic using compile(accessor) instead of direct calls
}

func validateCELExpression(...) (*authenticationcel.CompilationResult, field.ErrorList) {
    return validateCELExpressionWithCompiler(ctx, cel, costRecorder, path, accessor, "claims:", cel.compiler.CompileClaimsExpression)
}

func validateUserCELExpression(...) (*authenticationcel.CompilationResult, field.ErrorList) {
    return validateCELExpressionWithCompiler(ctx, cel, costRecorder, path, accessor, "user:", cel.compiler.CompileUserExpression)
}

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In
`@openshift-kube-apiserver/admission/customresourcevalidation/authentication/validate_authentication.go`
around lines 528 - 596, The two functions validateUserCELExpression and
validateCELExpression duplicate compilation/caching logic; extract the shared
behavior into a helper (e.g., validateCELExpressionWithCompiler) that accepts
the celStore, costRecorder, path, accessor, a cache prefix string, and a compile
function (type: func(authenticationcel.ExpressionAccessor)
(authenticationcel.CompilationResult, error)); move the shared steps (ctx.Err
check, compilingGroup.Do wrapper, cache lookup via compiledStore, warning timer,
calling checker.Cost, storing to compiledStore, handling compileErr and
costRecorder.AddRecording) into that helper and replace the direct calls to
cel.compiler.CompileUserExpression / CompileClaimsExpression with the injected
compile function in the helper; then implement validateUserCELExpression and
validateCELExpression as thin wrappers that pass "user:" or "claims:" cache
prefixes and cel.compiler.CompileUserExpression or
cel.compiler.CompileClaimsExpression respectively.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In
`@openshift-kube-apiserver/admission/customresourcevalidation/authentication/validate_authentication.go`:
- Around line 614-622: The code calls usesEmailClaim(usernameResult.AST) and
usesEmailVerifiedClaim(usernameResult.AST) without ensuring usernameResult.AST
is non-nil; add a defensive nil check for usernameResult.AST in
validateEmailVerifiedUsage so that you only call usesEmailClaim and
usesEmailVerifiedClaim when usernameResult.AST != nil (otherwise treat those
booleans as false), while keeping the existing
anyUsesEmailVerifiedClaim(extraResults) /
anyUsesEmailVerifiedClaim(claimValidationResults) logic unchanged; reference:
validateEmailVerifiedUsage, usernameResult.AST, usesEmailClaim,
usesEmailVerifiedClaim, anyUsesEmailVerifiedClaim.
- Around line 535-542: The cache key currently uses accessor.GetExpression() for
both claims and user compilation paths which causes collisions; update
validateCELExpression and validateUserCELExpression so the keys passed into
cel.compilingGroup.Do and cel.compiledStore.Get/Add are namespaced by expression
type (e.g. prefix with "claims:" for CompileClaimsExpression and "user:" for
CompileUserExpression) instead of the raw accessor.GetExpression(), and ensure
the same prefixed key is used consistently wherever cel.compilingGroup.Do,
cel.compiledStore.Get, or cel.compiledStore.Add are called.

---

Nitpick comments:
In
`@openshift-kube-apiserver/admission/customresourcevalidation/authentication/validate_authentication.go`:
- Around line 528-596: The two functions validateUserCELExpression and
validateCELExpression duplicate compilation/caching logic; extract the shared
behavior into a helper (e.g., validateCELExpressionWithCompiler) that accepts
the celStore, costRecorder, path, accessor, a cache prefix string, and a compile
function (type: func(authenticationcel.ExpressionAccessor)
(authenticationcel.CompilationResult, error)); move the shared steps (ctx.Err
check, compilingGroup.Do wrapper, cache lookup via compiledStore, warning timer,
calling checker.Cost, storing to compiledStore, handling compileErr and
costRecorder.AddRecording) into that helper and replace the direct calls to
cel.compiler.CompileUserExpression / CompileClaimsExpression with the injected
compile function in the helper; then implement validateUserCELExpression and
validateCELExpression as thin wrappers that pass "user:" or "claims:" cache
prefixes and cel.compiler.CompileUserExpression or
cel.compiler.CompileClaimsExpression respectively.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 203ba4e9-5c1b-47d4-a036-5c1215161fd8

📥 Commits

Reviewing files that changed from the base of the PR and between 20f395b and abc1f3f.

📒 Files selected for processing (1)

• openshift-kube-apiserver/admission/customresourcevalidation/authentication/validate_authentication.go

[openshift-ci]

New changes are detected. LGTM label has been removed.

[openshift-ci-robot]

@ShazaAldawamneh: the contents of this pull request could not be automatically validated.

The following commits could not be validated and must be approved by a top-level approver:

• 10a80a1|UPSTREAM: : bump openshift/api dependency: does not specify an upstream backport in the commit message
• 187c7b2|UPSTREAM: : authentication: enforce claims.email_verified usage when claims.email is used in username expression: does not specify an upstream backport in the commit message
• 6876095|UPSTREAM: : bump openshift/api dependency: does not specify an upstream backport in the commit message
• 9436c76|UPSTREAM: : bump openshift/api dependency: does not specify an upstream backport in the commit message
• e3f9277|UPSTREAM: : authentication: enforce claims.email_verified usage when claims.email is used in username expression: does not specify an upstream backport in the commit message

Comment /validate-backports to re-evaluate validity of the upstream PRs, for example when they are merged upstream.

[openshift-ci-robot]

@ShazaAldawamneh: the contents of this pull request could not be automatically validated.

The following commits could not be validated and must be approved by a top-level approver:

• 4205b96|UPSTREAM: : bump openshift/api dependency: does not specify an upstream backport in the commit message
• 8921b46|UPSTREAM: : authentication: enforce claims.email_verified usage when claims.email is used in username expression: does not specify an upstream backport in the commit message

Comment /validate-backports to re-evaluate validity of the upstream PRs, for example when they are merged upstream.

[ShazaAldawamneh]

/retest-required

[openshift-ci-robot]

@ShazaAldawamneh: the contents of this pull request could not be automatically validated.

The following commits could not be validated and must be approved by a top-level approver:

• 4205b96|UPSTREAM: : bump openshift/api dependency: does not specify an upstream backport in the commit message
• 8921b46|UPSTREAM: : authentication: enforce claims.email_verified usage when claims.email is used in username expression: does not specify an upstream backport in the commit message
• eccecd2|UPSTREAM: : Export email validation functions and use them: does not specify an upstream backport in the commit message

Comment /validate-backports to re-evaluate validity of the upstream PRs, for example when they are merged upstream.

[openshift-ci-robot]

@ShazaAldawamneh: the contents of this pull request could not be automatically validated.

The following commits could not be validated and must be approved by a top-level approver:

• 8921b46|UPSTREAM: : authentication: enforce claims.email_verified usage when claims.email is used in username expression: does not specify an upstream backport in the commit message
• 97dad8e|UPSTREAM: : bump openshift/api dependency: does not specify an upstream backport in the commit message
• a7349c7|UPSTREAM: : Export email validation functions and use them: does not specify an upstream backport in the commit message

Comment /validate-backports to re-evaluate validity of the upstream PRs, for example when they are merged upstream.

[everettraven]

A few comments that I think need to be addressed.

Aside from this, I'm double checking whether or not there are additional things we need to be aware of from a commit ordering / rollup standpoint for the kube rebase process.

[everettraven]

Aside from this, I'm double checking whether or not there are additional things we need to be aware of from a commit ordering / rollup standpoint for the kube rebase process.

Closing the loop - doesn't look like we need to do anything special here.

[openshift-ci-robot]

@ShazaAldawamneh: the contents of this pull request could not be automatically validated.

The following commits could not be validated and must be approved by a top-level approver:

• 8921b46|UPSTREAM: : authentication: enforce claims.email_verified usage when claims.email is used in username expression: does not specify an upstream backport in the commit message
• 9e24058|UPSTREAM: : bump openshift/api dependency: does not specify an upstream backport in the commit message
• cd89567|UPSTREAM: : Export email validation functions and use them: does not specify an upstream backport in the commit message

Comment /validate-backports to re-evaluate validity of the upstream PRs, for example when they are merged upstream.

[everettraven]

Aside from needing to remove a now unnecessary test this LGTM

[openshift-ci-robot]

@ShazaAldawamneh: the contents of this pull request could not be automatically validated.

The following commits could not be validated and must be approved by a top-level approver:

• 8921b46|UPSTREAM: : authentication: enforce claims.email_verified usage when claims.email is used in username expression: does not specify an upstream backport in the commit message
• a8fefbc|UPSTREAM: : bump openshift/api dependency: does not specify an upstream backport in the commit message
• b8aec9b|UPSTREAM: : Export email validation functions and use them: does not specify an upstream backport in the commit message

Comment /validate-backports to re-evaluate validity of the upstream PRs, for example when they are merged upstream.

[openshift-ci-robot]

@ShazaAldawamneh: the contents of this pull request could not be automatically validated.

The following commits could not be validated and must be approved by a top-level approver:

• 8921b46|UPSTREAM: : authentication: enforce claims.email_verified usage when claims.email is used in username expression: does not specify an upstream backport in the commit message
• 9d57875|UPSTREAM: : bump openshift/api dependency: does not specify an upstream backport in the commit message
• b1d357e|UPSTREAM: : Export email validation functions and use them: does not specify an upstream backport in the commit message

Comment /validate-backports to re-evaluate validity of the upstream PRs, for example when they are merged upstream.

[openshift-ci-robot]

@ShazaAldawamneh: the contents of this pull request could not be automatically validated.

The following commits could not be validated and must be approved by a top-level approver:

• 87f253d|UPSTREAM: : bump openshift/api dependency: does not specify an upstream backport in the commit message
• 8921b46|UPSTREAM: : authentication: enforce claims.email_verified usage when claims.email is used in username expression: does not specify an upstream backport in the commit message
• a6b8855|UPSTREAM: : Export email validation functions and use them: does not specify an upstream backport in the commit message

Comment /validate-backports to re-evaluate validity of the upstream PRs, for example when they are merged upstream.

[openshift-ci-robot]

@ShazaAldawamneh: the contents of this pull request could not be automatically validated.

The following commits could not be validated and must be approved by a top-level approver:

• 0cdaa75|UPSTREAM: : bump openshift/api dependency: does not specify an upstream backport in the commit message
• 6ceaf94|UPSTREAM: : Export email validation functions and use them: does not specify an upstream backport in the commit message
• ea22a27|UPSTREAM: : authentication: enforce claims.email_verified usage when claims.email is used in username expression: does not specify an upstream backport in the commit message

Comment /validate-backports to re-evaluate validity of the upstream PRs, for example when they are merged upstream.

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: ehearne-redhat, ShazaAldawamneh
Once this PR has been reviewed and has the lgtm label, please assign deads2k for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• DOWNSTREAM_OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[ShazaAldawamneh]

/retest

[openshift-ci]

@ShazaAldawamneh: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-aws-ovn-techpreview-serial-2of2	0cdaa75	link	false	/test e2e-aws-ovn-techpreview-serial-2of2
ci/prow/e2e-aws-ovn-runc	0cdaa75	link	false	/test e2e-aws-ovn-runc
ci/prow/e2e-aws-ovn-techpreview-serial-1of2	0cdaa75	link	false	/test e2e-aws-ovn-techpreview-serial-1of2
ci/prow/e2e-gcp	0cdaa75	link	true	/test e2e-gcp
ci/prow/e2e-aws-ovn-hypershift	0cdaa75	link	true	/test e2e-aws-ovn-hypershift
ci/prow/e2e-aws-ovn-crun	0cdaa75	link	true	/test e2e-aws-ovn-crun

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.