chore: Add pods/resize subresource to mutating and validating webhooks (#3778)

Signed-off-by: Ian Stanton <ian@stanton.sh>
Co-authored-by: Jaydip Gabani <gabanijaydip@gmail.com>

Author: ianstanton

cmd/build/helmify/replacements.go

@@ -172,6 +172,7 @@ var replacements = map[string]string{
     - pods/proxy
     - pods/attach
     - pods/binding
+    - pods/resize
     - deployments/scale
     - replicasets/scale
     - statefulsets/scale
@@ -256,6 +257,7 @@ var replacements = map[string]string{
     - 'pods/proxy'
     - 'pods/attach'
     - 'pods/binding'
+    - 'pods/resize'
     - 'deployments/scale'
     - 'replicasets/scale'
     - 'statefulsets/scale'

config/webhook/manifests.yaml

@@ -83,6 +83,7 @@ webhooks:
     - pods/proxy
     - pods/attach
     - pods/binding
+    - pods/resize
     - deployments/scale
     - replicasets/scale
     - statefulsets/scale

manifest_staging/charts/gatekeeper/templates/gatekeeper-mutating-webhook-configuration-mutatingwebhookconfiguration.yaml

@@ -72,6 +72,7 @@ webhooks:
     - pods/proxy
     - pods/attach
     - pods/binding
+    - pods/resize
     - deployments/scale
     - replicasets/scale
     - statefulsets/scale

manifest_staging/charts/gatekeeper/templates/gatekeeper-validating-webhook-configuration-validatingwebhookconfiguration.yaml

@@ -79,6 +79,7 @@ webhooks:
     - 'pods/proxy'
     - 'pods/attach'
     - 'pods/binding'
+    - 'pods/resize'
     - 'deployments/scale'
     - 'replicasets/scale'
     - 'statefulsets/scale'

manifest_staging/deploy/gatekeeper.yaml

@@ -5370,6 +5370,7 @@ webhooks:
     - pods/proxy
     - pods/attach
     - pods/binding
+    - pods/resize
     - deployments/scale
     - replicasets/scale
     - statefulsets/scale

pkg/webhook/policy.go

@@ -80,7 +80,7 @@ func init() {
 
 // Explicitly list all known subresources except "status" (to avoid destabilizing the cluster and increasing load on gatekeeper). But include "services/status" for constraints that mitigate CVE-2020-8554.
 // You can find a rough list of subresources by doing a case-sensitive search in the Kubernetes codebase for 'Subresource("'
-// +kubebuilder:webhook:verbs=create;update,path=/v1/admit,mutating=false,failurePolicy=ignore,groups=*,resources=*;pods/ephemeralcontainers;pods/exec;pods/log;pods/eviction;pods/portforward;pods/proxy;pods/attach;pods/binding;deployments/scale;replicasets/scale;statefulsets/scale;replicationcontrollers/scale;services/proxy;nodes/proxy;services/status,versions=*,name=validation.gatekeeper.sh,sideEffects=None,admissionReviewVersions=v1;v1beta1,matchPolicy=Exact
+// +kubebuilder:webhook:verbs=create;update,path=/v1/admit,mutating=false,failurePolicy=ignore,groups=*,resources=*;pods/ephemeralcontainers;pods/exec;pods/log;pods/eviction;pods/portforward;pods/proxy;pods/attach;pods/binding;pods/resize;deployments/scale;replicasets/scale;statefulsets/scale;replicationcontrollers/scale;services/proxy;nodes/proxy;services/status,versions=*,name=validation.gatekeeper.sh,sideEffects=None,admissionReviewVersions=v1;v1beta1,matchPolicy=Exact
 // +kubebuilder:rbac:groups=*,resources=*,verbs=get;list;watch
 
 // AddPolicyWebhook registers the policy webhook server with the manager.