From 381fbedf21fc457b66e641667c8e9f200541d0b4 Mon Sep 17 00:00:00 2001
From: Mariam Fahmy <mariam.fahmy@nirmata.com>
Date: Mon, 4 Sep 2023 13:16:30 +0300
Subject: [PATCH] fix: check if VAPs are registered in the API server or not
 (#8219)

Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>
---
 charts/kyverno/templates/NOTES.txt | 4 ++++
 cmd/kyverno/main.go                | 8 +++++---
 2 files changed, 9 insertions(+), 3 deletions(-)

diff --git a/charts/kyverno/templates/NOTES.txt b/charts/kyverno/templates/NOTES.txt
index c44e55fc51..f45e54d83d 100644
--- a/charts/kyverno/templates/NOTES.txt
+++ b/charts/kyverno/templates/NOTES.txt
@@ -36,3 +36,7 @@ The following components have been installed in your cluster:
 {{- with .Values.config.matchConditions }}
 ⚠️  WARNING: Match conditions require a Kubernetes 1.27+ cluster with `AdmissionWebhookMatchConditions` feature gate enabled.
 {{- end }}
+
+{{- with .Values.features.generateValidatingAdmissionPolicy.enabled }}
+⚠️  WARNING: Generating validating admission policy requires a Kubernetes 1.26+ cluster with `ValidatingAdmissionPolicy` feature gate and `admissionregistration.k8s.io` API group enabled.
+{{- end }}
\ No newline at end of file
diff --git a/cmd/kyverno/main.go b/cmd/kyverno/main.go
index 698b158c88..e5a42da918 100644
--- a/cmd/kyverno/main.go
+++ b/cmd/kyverno/main.go
@@ -44,6 +44,7 @@ import (
 	admissionregistrationv1 "k8s.io/api/admissionregistration/v1"
 	corev1 "k8s.io/api/core/v1"
 	apiserver "k8s.io/apiextensions-apiserver/pkg/client/clientset/clientset"
+	"k8s.io/apimachinery/pkg/runtime/schema"
 	kubeinformers "k8s.io/client-go/informers"
 	corev1informers "k8s.io/client-go/informers/core/v1"
 	"k8s.io/client-go/kubernetes"
@@ -265,10 +266,11 @@ func main() {
 		setup.Logger.Error(errors.New("exiting... tlsSecretName is a required flag"), "exiting... tlsSecretName is a required flag")
 		os.Exit(1)
 	}
-	// check if server version is supported for validating admission policy generation
+	// check if validating admission policies are registered in the API server
 	if generateValidatingAdmissionPolicy {
-		if !kubeutils.HigherThanKubernetesVersion(setup.KubeClient.Discovery(), setup.Logger, 1, 26, 0) {
-			setup.Logger.Error(errors.New("validating admission policy aren't supported"), "validating admission policy aren't supported")
+		groupVersion := schema.GroupVersion{Group: "admissionregistration.k8s.io", Version: "v1alpha1"}
+		if _, err := setup.KyvernoDynamicClient.GetKubeClient().Discovery().ServerResourcesForGroupVersion(groupVersion.String()); err != nil {
+			setup.Logger.Error(err, "validating admission policies aren't supported.")
 			os.Exit(1)
 		}
 	}
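Review bot: The discovery check added under `if generateValidatingAdmissionPolicy` treats every error from `ServerResourcesForGroupVersion` as "not supported", so an RBAC denial or a transient API-server failure produces the same message as a genuinely absent API. The returned resource list is also discarded with `_`, so the check only shows that `admissionregistration.k8s.io/v1alpha1` is served, not that `validatingadmissionpolicies` is among its resources; looking for that resource name in the result would match the intent stated in the comment. At minimum the log line should name what was probed and drop the trailing period, e.g. `setup.Logger.Error(err, "failed to discover admissionregistration.k8s.io/v1alpha1, cannot generate validating admission policies")`. Because the version is hard-coded to `v1alpha1`, a cluster that serves this API only under a later version would presumably fail here even though the feature is available, which is worth a comment or a fallback. `main` begins and continues outside this hunk, so any handling elsewhere in the function is not visible.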