Fix list_type_missing in k8s.io/apiserver
thockin committed Nov 27, 2023
1 parent 18f3941 commit eddf658
Showing 4 changed files with 84 additions and 12 deletions.
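--- a/api/api-rules/violation_exceptions.list
+++ b/api/api-rules/violation_exceptions.list
@@ -1,15 +1,3 @@
-API rule violation: list_type_missing,k8s.io/apiserver/pkg/apis/audit/v1,Event,SourceIPs
-API rule violation: list_type_missing,k8s.io/apiserver/pkg/apis/audit/v1,GroupResources,ResourceNames
-API rule violation: list_type_missing,k8s.io/apiserver/pkg/apis/audit/v1,GroupResources,Resources
-API rule violation: list_type_missing,k8s.io/apiserver/pkg/apis/audit/v1,Policy,OmitStages
-API rule violation: list_type_missing,k8s.io/apiserver/pkg/apis/audit/v1,Policy,Rules
-API rule violation: list_type_missing,k8s.io/apiserver/pkg/apis/audit/v1,PolicyRule,Namespaces
-API rule violation: list_type_missing,k8s.io/apiserver/pkg/apis/audit/v1,PolicyRule,NonResourceURLs
-API rule violation: list_type_missing,k8s.io/apiserver/pkg/apis/audit/v1,PolicyRule,OmitStages
-API rule violation: list_type_missing,k8s.io/apiserver/pkg/apis/audit/v1,PolicyRule,Resources
-API rule violation: list_type_missing,k8s.io/apiserver/pkg/apis/audit/v1,PolicyRule,UserGroups
-API rule violation: list_type_missing,k8s.io/apiserver/pkg/apis/audit/v1,PolicyRule,Users
-API rule violation: list_type_missing,k8s.io/apiserver/pkg/apis/audit/v1,PolicyRule,Verbs
 API rule violation: list_type_missing,k8s.io/cloud-provider/config/v1alpha1,WebhookConfiguration,Webhooks
 API rule violation: list_type_missing,k8s.io/controller-manager/config/v1alpha1,GenericControllerManagerConfiguration,Controllers
 API rule violation: list_type_missing,k8s.io/controller-manager/config/v1alpha1,LeaderMigrationConfiguration,ControllerLeaders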
60 changes: 60 additions & 0 deletions pkg/generated/openapi/zz_generated.openapi.go


12 changes: 12 additions & 0 deletions staging/src/k8s.io/apiserver/pkg/apis/audit/v1/generated.proto


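--- a/staging/src/k8s.io/apiserver/pkg/apis/audit/v1/types.go
+++ b/staging/src/k8s.io/apiserver/pkg/apis/audit/v1/types.go
@@ -98,6 +98,7 @@ type Event struct {
 // IP in the list up to here (X-Forwarded-For or X-Real-Ip).
 // Note: All but the last IP can be arbitrarily set by the client.
 // +optional
+// +listType=atomic
 SourceIPs []string `json:"sourceIPs,omitempty" protobuf:"bytes,8,rep,name=sourceIPs"`
 // UserAgent records the user agent string reported by the client.
 // Note that the UserAgent is provided by the client, and must not be trusted.
@@ -166,11 +167,13 @@ type Policy struct {
 // A request may match multiple rules, in which case the FIRST matching rule is used.
 // The default audit level is None, but can be overridden by a catch-all rule at the end of the list.
 // PolicyRules are strictly ordered.
+// +listType=atomic
 Rules []PolicyRule `json:"rules" protobuf:"bytes,2,rep,name=rules"`
 
 // OmitStages is a list of stages for which no events are created. Note that this can also
 // be specified per rule in which case the union of both are omitted.
 // +optional
+// +listType=atomic
 OmitStages []Stage `json:"omitStages,omitempty" protobuf:"bytes,3,rep,name=omitStages"`
 
 // OmitManagedFields indicates whether to omit the managed fields of the request
@@ -203,16 +206,19 @@ type PolicyRule struct {
 // The users (by authenticated user name) this rule applies to.
 // An empty list implies every user.
 // +optional
+// +listType=atomic
 Users []string `json:"users,omitempty" protobuf:"bytes,2,rep,name=users"`
 // The user groups this rule applies to. A user is considered matching
 // if it is a member of any of the UserGroups.
 // An empty list implies every user group.
 // +optional
+// +listType=atomic
 UserGroups []string `json:"userGroups,omitempty" protobuf:"bytes,3,rep,name=userGroups"`
 
 // The verbs that match this rule.
 // An empty list implies every verb.
 // +optional
+// +listType=atomic
 Verbs []string `json:"verbs,omitempty" protobuf:"bytes,4,rep,name=verbs"`
 
 // Rules can apply to API resources (such as "pods" or "secrets"),
@@ -221,11 +227,13 @@ type PolicyRule struct {
 
 // Resources that this rule matches. An empty list implies all kinds in all API groups.
 // +optional
+// +listType=atomic
 Resources []GroupResources `json:"resources,omitempty" protobuf:"bytes,5,rep,name=resources"`
 // Namespaces that this rule matches.
 // The empty string "" matches non-namespaced resources.
 // An empty list implies every namespace.
 // +optional
+// +listType=atomic
 Namespaces []string `json:"namespaces,omitempty" protobuf:"bytes,6,rep,name=namespaces"`
 
 // NonResourceURLs is a set of URL paths that should be audited.
@@ -234,12 +242,14 @@ type PolicyRule struct {
 // - `/metrics` - Log requests for apiserver metrics
 // - `/healthz*` - Log all health checks
 // +optional
+// +listType=atomic
 NonResourceURLs []string `json:"nonResourceURLs,omitempty" protobuf:"bytes,7,rep,name=nonResourceURLs"`
 
 // OmitStages is a list of stages for which no events are created. Note that this can also
 // be specified policy wide in which case the union of both are omitted.
 // An empty list means no restrictions will apply.
 // +optional
+// +listType=atomic
 OmitStages []Stage `json:"omitStages,omitempty" protobuf:"bytes,8,rep,name=omitStages"`
 
 // OmitManagedFields indicates whether to omit the managed fields of the request
@@ -274,11 +284,13 @@ type GroupResources struct {
 //
 // An empty list implies all resources and subresources in this API groups apply.
 // +optional
+// +listType=atomic
 Resources []string `json:"resources,omitempty" protobuf:"bytes,2,rep,name=resources"`
 // ResourceNames is a list of resource instance names that the policy matches.
 // Using this field requires Resources to be specified.
 // An empty list implies that every instance of the resource is matched.
 // +optional
+// +listType=atomic
 ResourceNames []string `json:"resourceNames,omitempty" protobuf:"bytes,3,rep,name=resourceNames"`
 }
 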
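Review bot: The `+listType=atomic` markers on `Rules` (Policy hunk) and `SourceIPs` (Event hunk) are added without saying why atomic is the right type, and for these two fields it is a correctness property rather than a conservative default: rules are evaluated first-match over a strictly ordered list, and the `SourceIPs` comment gives list position a trust meaning (only the last IP is not client-settable). I would state that beside the marker, e.g. on `Rules`: `// The list is atomic: it is replaced as a whole, so a merge can never reorder or drop rules.` For the set-like fields (`Users`, `UserGroups`, `Verbs`, `Namespaces`, `OmitStages`) atomic presumably keeps existing policy files with duplicate entries valid, which is worth one line in the commit message so nobody later tightens them to `listType=set` without checking. The struct definitions begin outside the hunks shown, so this is based on the visible fields only.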
