Drop locked StrictCostEnforcementForVAP and StrictCostEnforcementForWebhooks feature gates

Kubernetes-commit: bd11e52bfc10b9b08edbc43cd0c83458f38634f2

Author: liggitt

pkg/admission/plugin/cel/compile.go

@@ -229,18 +229,19 @@ func mustBuildEnvs(baseEnv *environment.EnvSet) variableDeclEnvs {
 for _, hasParams := range []bool{false, true} {
 for _, hasAuthorizer := range []bool{false, true} {
 var err error
-for _, strictCost := range []bool{false, true} {
-decl := OptionalVariableDeclarations{HasParams: hasParams, HasAuthorizer: hasAuthorizer, StrictCost: strictCost}
+{
+decl := OptionalVariableDeclarations{HasParams: hasParams, HasAuthorizer: hasAuthorizer}
 envs[decl], err = createEnvForOpts(baseEnv, namespaceType, requestType, decl)
 if err != nil {
 panic(err)
 }
 }
-// We only need this ObjectTypes where strict cost is true
-decl := OptionalVariableDeclarations{HasParams: hasParams, HasAuthorizer: hasAuthorizer, StrictCost: true, HasPatchTypes: true}
-envs[decl], err = createEnvForOpts(baseEnv, namespaceType, requestType, decl)
-if err != nil {
-panic(err)
+{
+decl := OptionalVariableDeclarations{HasParams: hasParams, HasAuthorizer: hasAuthorizer, HasPatchTypes: true}
+envs[decl], err = createEnvForOpts(baseEnv, namespaceType, requestType, decl)
+if err != nil {
+panic(err)
+}
 }
 }
 }
@@ -274,16 +275,11 @@ func createEnvForOpts(baseEnv *environment.EnvSet, namespaceType *apiservercel.D
 requestType,
 },
 },
+environment.StrictCostOpt,
 )
 if err != nil {
 return nil, fmt.Errorf("environment misconfigured: %w", err)
 }
-if opts.StrictCost {
-extended, err = extended.Extend(environment.StrictCostOpt)
-if err != nil {
-return nil, fmt.Errorf("environment misconfigured: %w", err)
-}
-}
 
 if opts.HasPatchTypes {
 extended, err = extended.Extend(hasPatchTypes)

pkg/admission/plugin/cel/compile_test.go

@@ -178,7 +178,7 @@ func TestCompileValidatingPolicyExpression(t *testing.T) {
 }
 
 // Include the test library, which includes the test() function in the storage environment during test
-base := environment.MustBaseEnvSet(environment.DefaultCompatibilityVersion(), true)
+base := environment.MustBaseEnvSet(environment.DefaultCompatibilityVersion())
 extended, err := base.Extend(environment.VersionedOptions{
 IntroducedVersion: version.MajorMinor(1, 999),
 EnvOptions: []celgo.EnvOption{library.Test()},
@@ -254,7 +254,7 @@ func TestCompileValidatingPolicyExpression(t *testing.T) {
 }
 
 func BenchmarkCompile(b *testing.B) {
-compiler := NewCompiler(environment.MustBaseEnvSet(environment.DefaultCompatibilityVersion(), true))
+compiler := NewCompiler(environment.MustBaseEnvSet(environment.DefaultCompatibilityVersion()))
 b.ResetTimer()
 for i := 0; i < b.N; i++ {
 options := OptionalVariableDeclarations{HasParams: rand.Int()%2 == 0, HasAuthorizer: rand.Int()%2 == 0}

pkg/admission/plugin/cel/composition_test.go

@@ -48,15 +48,14 @@ func (t *testVariable) GetName() string {
 
 func TestCompositedPolicies(t *testing.T) {
 cases := []struct {
-name string
-variables []NamedExpressionAccessor
-expression string
-attributes admission.Attributes
-expectedResult any
-expectErr bool
-expectedErrorMessage string
-runtimeCostBudget int64
-strictCostEnforcement bool
+name string
+variables []NamedExpressionAccessor
+expression string
+attributes admission.Attributes
+expectedResult any
+expectErr bool
+expectedErrorMessage string
+runtimeCostBudget int64
 }{
 {
 name: "simple",
@@ -187,44 +186,29 @@ func TestCompositedPolicies(t *testing.T) {
 expectedErrorMessage: "found no matching overload for '_==_' applied to '(string, int)'",
 },
 {
-name: "with strictCostEnforcement on: exceeds cost budget",
+name: "exceeds cost budget",
 variables: []NamedExpressionAccessor{
 &testVariable{
 name: "dict",
 expression: "'abc 123 def 123'.split(' ')",
 },
 },
-attributes: endpointCreateAttributes(),
-expression: "size(variables.dict) > 0",
-expectErr: true,
-expectedErrorMessage: "validation failed due to running out of cost budget, no further validation rules will be run",
-runtimeCostBudget: 5,
-strictCostEnforcement: true,
-},
-{
-name: "with strictCostEnforcement off: not exceed cost budget",
-variables: []NamedExpressionAccessor{
-&testVariable{
-name: "dict",
-expression: "'abc 123 def 123'.split(' ')",
-},
-},
-attributes: endpointCreateAttributes(),
-expression: "size(variables.dict) > 0",
-expectedResult: true,
-runtimeCostBudget: 5,
-strictCostEnforcement: false,
+attributes: endpointCreateAttributes(),
+expression: "size(variables.dict) > 0",
+expectErr: true,
+expectedErrorMessage: "validation failed due to running out of cost budget, no further validation rules will be run",
+runtimeCostBudget: 5,
 },
 }
 for _, tc := range cases {
 t.Run(tc.name, func(t *testing.T) {
-compiler, err := NewCompositedCompiler(environment.MustBaseEnvSet(environment.DefaultCompatibilityVersion(), tc.strictCostEnforcement))
+compiler, err := NewCompositedCompiler(environment.MustBaseEnvSet(environment.DefaultCompatibilityVersion()))
 if err != nil {
 t.Fatal(err)
 }
-compiler.CompileAndStoreVariables(tc.variables, OptionalVariableDeclarations{HasParams: false, HasAuthorizer: false, StrictCost: tc.strictCostEnforcement}, environment.NewExpressions)
+compiler.CompileAndStoreVariables(tc.variables, OptionalVariableDeclarations{HasParams: false, HasAuthorizer: false}, environment.NewExpressions)
 validations := []ExpressionAccessor{&testCondition{Expression: tc.expression}}
-f := compiler.CompileCondition(validations, OptionalVariableDeclarations{HasParams: false, HasAuthorizer: false, StrictCost: tc.strictCostEnforcement}, environment.NewExpressions)
+f := compiler.CompileCondition(validations, OptionalVariableDeclarations{HasParams: false, HasAuthorizer: false}, environment.NewExpressions)
 versionedAttr, err := admission.NewVersionedAttributes(tc.attributes, tc.attributes.GetKind(), newObjectInterfacesForTest())
 if err != nil {
 t.Fatal(err)