Docs: Update Kubernetes Admission Controller tutorial to support latest API version

[bsctl]

The OPA example in the kubernetes tutorial is not working with "apiVersion": "admission.k8s.io/v1". It seems OPA is not honouring the requirements of setting the response UID, here.

At a minimum, the response stanza must contain the following fields:
uid, copied from the request.uid sent to the webhook
allowed, either set to true or false

Expected Behavior

Actual Behavior

When I try to create a resource, getting the following error from APIs server

Error from server (InternalError): Internal error occurred: failed calling webhook "tenants.capsule.k8s": expected response.uid="cd9de821-b2b7-4c3e-8b2b-2db653f72960", got ""

Steps to Reproduce the Problem

If this is a bug report please provide as much detail as possible so that we can
reproduce the problem. Examples:

• OPA version openpolicyagent/opa:0.20.5
• Example query, input, data, and policy that OPA was given
• Example output that OPA returned
• For server and CLI, the flags/configuration that you provided to OPA
• For server, any relevant log messages from OPA
• For Go and Wasm, the arguments you invoked OPA with

Additional Info

[patrick-east]

I updated the title. As-is the tutorial does not use that API version, hence no error if you follow the tutorial.

What we should do is update the tutorial to both return the ID and use the newer API version.

[gaga5lala]

I am not familiar with k8s admission api, it may take me few days. Can I take up this issue?

[tsandall]

Sure @gaga5lala. I think this is the change you have to make in the tutorial doc:

diff --git a/docs/content/kubernetes-tutorial.md b/docs/content/kubernetes-tutorial.md
index 27716354..c7d48720 100644
--- a/docs/content/kubernetes-tutorial.md
+++ b/docs/content/kubernetes-tutorial.md
@@ -237,10 +237,13 @@ data:
       "response": response,
     }
 
-    default response = {"allowed": true}
+    default uid = ""
+
+    uid = input.request.uid
 
     response = {
         "allowed": false,
+        "uid": uid,
         "status": {
             "reason": reason,
         },
@@ -248,6 +251,8 @@ data:
         reason = concat(", ", admission.deny)
         reason != ""
     }
+
+    else = {"allowed": true, "uid": uid}

If you can test it out and post your results so we can verify, that would be excellent.

EDIT: fixed to use else.