update dependencies (#6267)

Signed-off-by: hongming <coder.scala@gmail.com>

vendor/k8s.io/apiserver/pkg/cel/environment/base.go

@@ -20,6 +20,7 @@ import (
 	"fmt"
 	"strconv"
 	"sync"
+	"sync/atomic"
 
 	"github.com/google/cel-go/cel"
 	"github.com/google/cel-go/checker"
@@ -30,23 +31,34 @@ import (
 	"k8s.io/apimachinery/pkg/util/version"
 	celconfig "k8s.io/apiserver/pkg/apis/cel"
 	"k8s.io/apiserver/pkg/cel/library"
+	genericfeatures "k8s.io/apiserver/pkg/features"
+	utilfeature "k8s.io/apiserver/pkg/util/feature"
+	utilversion "k8s.io/apiserver/pkg/util/version"
 )
 
 // DefaultCompatibilityVersion returns a default compatibility version for use with EnvSet
 // that guarantees compatibility with CEL features/libraries/parameters understood by
-// an n-1 version
+// the api server min compatibility version
 //
-// This default will be set to no more than n-1 the current Kubernetes major.minor version.
+// This default will be set to no more than the current Kubernetes major.minor version.
 //
-// Note that a default version number less than n-1 indicates a wider range of version
-// compatibility than strictly required for rollback. A wide range of compatibility is
-// desirable because it means that CEL expressions are portable across a wider range
-// of Kubernetes versions.
+// Note that a default version number less than n-1 the current Kubernetes major.minor version
+// indicates a wider range of version compatibility than strictly required for rollback.
+// A wide range of compatibility is desirable because it means that CEL expressions are portable
+// across a wider range of Kubernetes versions.
+// A default version number equal to the current Kubernetes major.minor version
+// indicates fast forward CEL features that can be used when rollback is no longer needed.
 func DefaultCompatibilityVersion() *version.Version {
-	return version.MajorMinor(1, 28)
+	effectiveVer := utilversion.DefaultComponentGlobalsRegistry.EffectiveVersionFor(utilversion.DefaultKubeComponent)
+	if effectiveVer == nil {
+		effectiveVer = utilversion.DefaultKubeEffectiveVersion()
+	}
+	return effectiveVer.MinCompatibilityVersion()
 }
 
-var baseOpts = []VersionedOptions{
+var baseOpts = append(baseOptsWithoutStrictCost, StrictCostOpt)
+
+var baseOptsWithoutStrictCost = []VersionedOptions{
 	{
 		// CEL epoch was actually 1.23, but we artificially set it to 1.0 because these
 		// options should always be present.
@@ -123,6 +135,60 @@ var baseOpts = []VersionedOptions{
 			ext.Sets(),
 		},
 	},
+	{
+		IntroducedVersion: version.MajorMinor(1, 30),
+		EnvOptions: []cel.EnvOption{
+			library.IP(),
+			library.CIDR(),
+		},
+	},
+	// Format Library
+	{
+		IntroducedVersion: version.MajorMinor(1, 31),
+		EnvOptions: []cel.EnvOption{
+			library.Format(),
+		},
+	},
+	// Authz selectors
+	{
+		IntroducedVersion: version.MajorMinor(1, 31),
+		FeatureEnabled: func() bool {
+			enabled := utilfeature.DefaultFeatureGate.Enabled(genericfeatures.AuthorizeWithSelectors)
+			authzSelectorsLibraryInit.Do(func() {
+				// Record the first time feature enablement was checked for this library.
+				// This is checked from integration tests to ensure no cached cel envs
+				// are constructed before feature enablement is effectively set.
+				authzSelectorsLibraryEnabled.Store(enabled)
+				// Uncomment to debug where the first initialization is coming from if needed.
+				// debug.PrintStack()
+			})
+			return enabled
+		},
+		EnvOptions: []cel.EnvOption{
+			library.AuthzSelectors(),
+		},
+	},
+}
+
+var (
+	authzSelectorsLibraryInit    sync.Once
+	authzSelectorsLibraryEnabled atomic.Value
+)
+
+// AuthzSelectorsLibraryEnabled returns whether the AuthzSelectors library was enabled when it was constructed.
+// If it has not been contructed yet, this returns `false, false`.
+// This is solely for the benefit of the integration tests making sure feature gates get correctly parsed before AuthzSelector ever has to check for enablement.
+func AuthzSelectorsLibraryEnabled() (enabled, constructed bool) {
+	enabled, constructed = authzSelectorsLibraryEnabled.Load().(bool)
+	return
+}
+
+var StrictCostOpt = VersionedOptions{
+	// This is to configure the cost calculation for extended libraries
+	IntroducedVersion: version.MajorMinor(1, 0),
+	ProgramOptions: []cel.ProgramOption{
+		cel.CostTracking(&library.CostEstimator{}),
+	},
 }
 
 // MustBaseEnvSet returns the common CEL base environments for Kubernetes for Version, or panics
@@ -134,7 +200,8 @@ var baseOpts = []VersionedOptions{
 // The returned environment contains no CEL variable definitions or custom type declarations and
 // should be extended to construct environments with the appropriate variable definitions,
 // type declarations and any other needed configuration.
-func MustBaseEnvSet(ver *version.Version) *EnvSet {
+// strictCost is used to determine whether to enforce strict cost calculation for CEL expressions.
+func MustBaseEnvSet(ver *version.Version, strictCost bool) *EnvSet {
 	if ver == nil {
 		panic("version must be non-nil")
 	}
@@ -142,19 +209,33 @@ func MustBaseEnvSet(ver *version.Version) *EnvSet {
 		panic(fmt.Sprintf("version must contain an major and minor component, but got: %s", ver.String()))
 	}
 	key := strconv.FormatUint(uint64(ver.Major()), 10) + "." + strconv.FormatUint(uint64(ver.Minor()), 10)
-	if entry, ok := baseEnvs.Load(key); ok {
-		return entry.(*EnvSet)
+	var entry interface{}
+	if strictCost {
+		if entry, ok := baseEnvs.Load(key); ok {
+			return entry.(*EnvSet)
+		}
+		entry, _, _ = baseEnvsSingleflight.Do(key, func() (interface{}, error) {
+			entry := mustNewEnvSet(ver, baseOpts)
+			baseEnvs.Store(key, entry)
+			return entry, nil
+		})
+	} else {
+		if entry, ok := baseEnvsWithOption.Load(key); ok {
+			return entry.(*EnvSet)
+		}
+		entry, _, _ = baseEnvsWithOptionSingleflight.Do(key, func() (interface{}, error) {
+			entry := mustNewEnvSet(ver, baseOptsWithoutStrictCost)
+			baseEnvsWithOption.Store(key, entry)
+			return entry, nil
+		})
 	}
 
-	entry, _, _ := baseEnvsSingleflight.Do(key, func() (interface{}, error) {
-		entry := mustNewEnvSet(ver, baseOpts)
-		baseEnvs.Store(key, entry)
-		return entry, nil
-	})
 	return entry.(*EnvSet)
 }
 
 var (
-	baseEnvs             = sync.Map{}
-	baseEnvsSingleflight = &singleflight.Group{}
+	baseEnvs                       = sync.Map{}
+	baseEnvsWithOption             = sync.Map{}
+	baseEnvsSingleflight           = &singleflight.Group{}
+	baseEnvsWithOptionSingleflight = &singleflight.Group{}
 )

vendor/k8s.io/apiserver/pkg/cel/environment/environment.go

@@ -175,7 +175,15 @@ type VersionedOptions struct {
 	//
 	// Optional.
 	RemovedVersion *version.Version
-
+	// FeatureEnabled returns true if these options are enabled by feature gates,
+	// and returns false if these options are not enabled due to feature gates.
+	//
+	// This takes priority over IntroducedVersion / RemovedVersion for the NewExpressions environment.
+	//
+	// The StoredExpressions environment ignores this function.
+	//
+	// Optional.
+	FeatureEnabled func() bool
 	// EnvOptions provides CEL EnvOptions. This may be used to add a cel.Variable, a
 	// cel.Library, or to enable other CEL EnvOptions such as language settings.
 	//
@@ -210,7 +218,7 @@ type VersionedOptions struct {
 //     making multiple calls to Extend.
 func (e *EnvSet) Extend(options ...VersionedOptions) (*EnvSet, error) {
 	if len(options) > 0 {
-		newExprOpts, err := e.filterAndBuildOpts(e.newExpressions, e.compatibilityVersion, options)
+		newExprOpts, err := e.filterAndBuildOpts(e.newExpressions, e.compatibilityVersion, true, options)
 		if err != nil {
 			return nil, err
 		}
@@ -218,7 +226,7 @@ func (e *EnvSet) Extend(options ...VersionedOptions) (*EnvSet, error) {
 		if err != nil {
 			return nil, err
 		}
-		storedExprOpt, err := e.filterAndBuildOpts(e.storedExpressions, version.MajorMinor(math.MaxUint, math.MaxUint), options)
+		storedExprOpt, err := e.filterAndBuildOpts(e.storedExpressions, version.MajorMinor(math.MaxUint, math.MaxUint), false, options)
 		if err != nil {
 			return nil, err
 		}
@@ -231,13 +239,26 @@ func (e *EnvSet) Extend(options ...VersionedOptions) (*EnvSet, error) {
 	return e, nil
 }
 
-func (e *EnvSet) filterAndBuildOpts(base *cel.Env, compatVer *version.Version, opts []VersionedOptions) (cel.EnvOption, error) {
+func (e *EnvSet) filterAndBuildOpts(base *cel.Env, compatVer *version.Version, honorFeatureGateEnablement bool, opts []VersionedOptions) (cel.EnvOption, error) {
 	var envOpts []cel.EnvOption
 	var progOpts []cel.ProgramOption
 	var declTypes []*apiservercel.DeclType
 
 	for _, opt := range opts {
+		var allowedByFeatureGate, allowedByVersion bool
+		if opt.FeatureEnabled != nil && honorFeatureGateEnablement {
+			// Feature-gate-enabled libraries must follow compatible default feature enablement.
+			// Enabling alpha features in their first release enables libraries the previous API server is unaware of.
+			allowedByFeatureGate = opt.FeatureEnabled()
+			if !allowedByFeatureGate {
+				continue
+			}
+		}
 		if compatVer.AtLeast(opt.IntroducedVersion) && (opt.RemovedVersion == nil || compatVer.LessThan(opt.RemovedVersion)) {
+			allowedByVersion = true
+		}
+
+		if allowedByFeatureGate || allowedByVersion {
 			envOpts = append(envOpts, opt.EnvOptions...)
 			progOpts = append(progOpts, opt.ProgramOptions...)
 			declTypes = append(declTypes, opt.DeclTypes...)
@@ -246,7 +267,10 @@ func (e *EnvSet) filterAndBuildOpts(base *cel.Env, compatVer *version.Version, o
 
 	if len(declTypes) > 0 {
 		provider := apiservercel.NewDeclTypeProvider(declTypes...)
-		providerOpts, err := provider.EnvOptions(base.TypeProvider())
+		if compatVer.AtLeast(version.MajorMinor(1, 31)) {
+			provider.SetRecognizeKeywordAsFieldName(true)
+		}
+		providerOpts, err := provider.EnvOptions(base.CELTypeProvider())
 		if err != nil {
 			return nil, err
 		}