pepr 0.36.0 → 0.37.1

package/src/lib/helpers.ts

@@ -6,6 +6,39 @@ import { K8s, KubernetesObject, kind } from "kubernetes-fluent-client";
 import Log from "./logger";
 import { Binding, CapabilityExport } from "./types";
 import { sanitizeResourceName } from "../sdk/sdk";
+import {
+  carriedAnnotations,
+  carriedLabels,
+  carriedName,
+  carriedNamespace,
+  carriesIgnoredNamespace,
+  definedAnnotations,
+  definedLabels,
+  definedName,
+  definedNameRegex,
+  definedNamespaces,
+  definedNamespaceRegexes,
+  misboundNamespace,
+  mismatchedAnnotations,
+  mismatchedDeletionTimestamp,
+  mismatchedLabels,
+  mismatchedName,
+  mismatchedNameRegex,
+  mismatchedNamespace,
+  mismatchedNamespaceRegex,
+  unbindableNamespaces,
+  uncarryableNamespace,
+} from "./adjudicators";
+
+export function matchesRegex(pattern: string, testString: string): boolean {
+  // edge-case
+  if (!pattern) {
+    return false;
+  }
+
+  const regex = new RegExp(pattern);
+  return regex.test(testString);
+}
 
 export class ValidationError extends Error {}
 
@@ -35,36 +68,6 @@ type RBACMap = {
   };
 };
 
-// check for overlap with labels and annotations between bindings and kubernetes objects
-export function checkOverlap(bindingFilters: Record<string, string>, objectFilters: Record<string, string>): boolean {
-  // True if labels/annotations are empty
-  if (Object.keys(bindingFilters).length === 0) {
-    return true;
-  }
-
-  let matchCount = 0;
-
-  for (const key in bindingFilters) {
-    // object must have label/annotation
-    if (Object.prototype.hasOwnProperty.call(objectFilters, key)) {
-      const val1 = bindingFilters[key];
-      const val2 = objectFilters[key];
-
-      // If bindingFilter has empty value for this key, only need to ensure objectFilter has this key
-      if (val1 === "" && key in objectFilters) {
-        matchCount++;
-      }
-      // If bindingFilter has a value, it must match the value in objectFilter
-      else if (val1 !== "" && val1 === val2) {
-        matchCount++;
-      }
-    }
-  }
-
-  // For single-key objects in bindingFilter or matching all keys in multiple-keys scenario
-  return matchCount === Object.keys(bindingFilters).length;
-}
-
 /**
  * Decide to run callback after the event comes back from API Server
  **/
@@ -72,76 +75,72 @@ export function filterNoMatchReason(
   binding: Partial<Binding>,
   obj: Partial<KubernetesObject>,
   capabilityNamespaces: string[],
+  ignoredNamespaces?: string[],
 ): string {
-  // binding deletionTimestamp filter and object deletionTimestamp dont match
-  if (binding.filters?.deletionTimestamp && !obj.metadata?.deletionTimestamp) {
-    return `Ignoring Watch Callback: Object does not have a deletion timestamp.`;
-  }
-
-  // binding kind is namespace with a InNamespace filter
-  if (binding.kind && binding.kind.kind === "Namespace" && binding.filters && binding.filters.namespaces.length !== 0) {
-    return `Ignoring Watch Callback: Cannot use a namespace filter in a namespace object.`;
-  }
-
-  if (typeof obj === "object" && obj !== null && "metadata" in obj && obj.metadata !== undefined && binding.filters) {
-    // binding labels and object labels dont match
-    if (obj.metadata.labels && !checkOverlap(binding.filters.labels, obj.metadata.labels)) {
-      return `Ignoring Watch Callback: No overlap between binding and object labels. Binding labels ${JSON.stringify(
-        binding.filters.labels,
-      )}, Object Labels ${JSON.stringify(obj.metadata.labels)}.`;
-    }
-
-    // binding annotations and object annotations dont match
-    if (obj.metadata.annotations && !checkOverlap(binding.filters.annotations, obj.metadata.annotations)) {
-      return `Ignoring Watch Callback: No overlap between binding and object annotations. Binding annotations ${JSON.stringify(
-        binding.filters.annotations,
-      )}, Object annotations ${JSON.stringify(obj.metadata.annotations)}.`;
-    }
-  }
-
-  // Check object is in the capability namespace
-  if (
-    Array.isArray(capabilityNamespaces) &&
-    capabilityNamespaces.length > 0 &&
-    obj.metadata &&
-    obj.metadata.namespace &&
-    !capabilityNamespaces.includes(obj.metadata.namespace)
-  ) {
-    return `Ignoring Watch Callback: Object is not in the capability namespace. Capability namespaces: ${capabilityNamespaces.join(
-      ", ",
-    )}, Object namespace: ${obj.metadata.namespace}.`;
-  }
-
-  // chceck every filter namespace is a capability namespace
-  if (
-    Array.isArray(capabilityNamespaces) &&
-    capabilityNamespaces.length > 0 &&
-    binding.filters &&
-    Array.isArray(binding.filters.namespaces) &&
-    binding.filters.namespaces.length > 0 &&
-    !binding.filters.namespaces.every(ns => capabilityNamespaces.includes(ns))
-  ) {
-    return `Ignoring Watch Callback: Binding namespace is not part of capability namespaces. Capability namespaces: ${capabilityNamespaces.join(
-      ", ",
-    )}, Binding namespaces: ${binding.filters.namespaces.join(", ")}.`;
-  }
-
-  // filter namespace is not the same of object namespace
-  if (
-    binding.filters &&
-    Array.isArray(binding.filters.namespaces) &&
-    binding.filters.namespaces.length > 0 &&
-    obj.metadata &&
-    obj.metadata.namespace &&
-    !binding.filters.namespaces.includes(obj.metadata.namespace)
-  ) {
-    return `Ignoring Watch Callback: Binding namespace and object namespace are not the same. Binding namespaces: ${binding.filters.namespaces.join(
-      ", ",
-    )}, Object namespace: ${obj.metadata.namespace}.`;
-  }
-
-  // no problems
-  return "";
+  const prefix = "Ignoring Watch Callback:";
+
+  // prettier-ignore
+  return (
+    mismatchedDeletionTimestamp(binding, obj) ?
+      `${prefix} Binding defines deletionTimestamp but Object does not carry it.` :
+
+    mismatchedName(binding, obj) ?
+      `${prefix} Binding defines name '${definedName(binding)}' but Object carries '${carriedName(obj)}'.` :
+
+    misboundNamespace(binding) ?
+      `${prefix} Cannot use namespace filter on a namespace object.` :
+
+    mismatchedLabels(binding, obj) ?
+      (
+        `${prefix} Binding defines labels '${JSON.stringify(definedLabels(binding))}' ` +
+        `but Object carries '${JSON.stringify(carriedLabels(obj))}'.`
+      ) :
+
+    mismatchedAnnotations(binding, obj) ?
+      (
+        `${prefix} Binding defines annotations '${JSON.stringify(definedAnnotations(binding))}' ` +
+        `but Object carries '${JSON.stringify(carriedAnnotations(obj))}'.`
+      ) :
+
+    uncarryableNamespace(capabilityNamespaces, obj) ?
+      (
+        `${prefix} Object carries namespace '${carriedNamespace(obj)}' ` +
+        `but namespaces allowed by Capability are '${JSON.stringify(capabilityNamespaces)}'.`
+      ) :
+
+    unbindableNamespaces(capabilityNamespaces, binding) ?
+      (
+        `${prefix} Binding defines namespaces ${JSON.stringify(definedNamespaces(binding))} ` +
+        `but namespaces allowed by Capability are '${JSON.stringify(capabilityNamespaces)}'.`
+      ) :
+
+    mismatchedNamespace(binding, obj) ?
+      (
+        `${prefix} Binding defines namespaces '${JSON.stringify(definedNamespaces(binding))}' ` +
+        `but Object carries '${carriedNamespace(obj)}'.`
+      ) :
+
+    mismatchedNamespaceRegex(binding, obj) ?
+      (
+        `${prefix} Binding defines namespace regexes ` +
+        `'${JSON.stringify(definedNamespaceRegexes(binding))}' ` +
+        `but Object carries '${carriedNamespace(obj)}'.`
+      ) :
+
+    mismatchedNameRegex(binding, obj) ?
+      (
+        `${prefix} Binding defines name regex '${definedNameRegex(binding)}' ` +
+        `but Object carries '${carriedName(obj)}'.`
+      ) :
+
+    carriesIgnoredNamespace(ignoredNamespaces, obj) ?
+      (
+        `${prefix} Object carries namespace '${carriedNamespace(obj)}' ` +
+        `but ignored namespaces include '${JSON.stringify(ignoredNamespaces)}'.`
+      ) :
+
+    ""
+  );
 }
 
 export function addVerbIfNotExists(verbs: string[], verb: string) {
@@ -244,7 +243,8 @@ export function generateWatchNamespaceError(
 // namespaceComplianceValidator ensures that capability bindinds respect ignored and capability namespaces
 export function namespaceComplianceValidator(capability: CapabilityExport, ignoredNamespaces?: string[]) {
   const { namespaces: capabilityNamespaces, bindings, name } = capability;
-  const bindingNamespaces = bindings.flatMap(binding => binding.filters.namespaces);
+  const bindingNamespaces = bindings.flatMap((binding: Binding) => binding.filters.namespaces);
+  const bindingRegexNamespaces = bindings.flatMap((binding: Binding) => binding.filters.regexNamespaces || []);
 
   const namespaceError = generateWatchNamespaceError(
     ignoredNamespaces ? ignoredNamespaces : [],
@@ -256,6 +256,47 @@ export function namespaceComplianceValidator(capability: CapabilityExport, ignor
       `Error in ${name} capability. A binding violates namespace rules. Please check ignoredNamespaces and capability namespaces: ${namespaceError}`,
     );
   }
+
+  // Ensure that each regexNamespace matches a capabilityNamespace
+
+  if (
+    bindingRegexNamespaces &&
+    bindingRegexNamespaces.length > 0 &&
+    capabilityNamespaces &&
+    capabilityNamespaces.length > 0
+  ) {
+    for (const regexNamespace of bindingRegexNamespaces) {
+      let matches = false;
+      for (const capabilityNamespace of capabilityNamespaces) {
+        if (regexNamespace !== "" && matchesRegex(regexNamespace, capabilityNamespace)) {
+          matches = true;
+          break;
+        }
+      }
+      if (!matches) {
+        throw new Error(
+          `Ignoring Watch Callback: Object namespace does not match any capability namespace with regex ${regexNamespace}.`,
+        );
+      }
+    }
+  }
+  // ensure regexNamespaces do not match ignored ns
+  if (
+    bindingRegexNamespaces &&
+    bindingRegexNamespaces.length > 0 &&
+    ignoredNamespaces &&
+    ignoredNamespaces.length > 0
+  ) {
+    for (const regexNamespace of bindingRegexNamespaces) {
+      for (const ignoredNS of ignoredNamespaces) {
+        if (matchesRegex(regexNamespace, ignoredNS)) {
+          throw new Error(
+            `Ignoring Watch Callback: Regex namespace: ${regexNamespace}, is an ignored namespace: ${ignoredNS}.`,
+          );
+        }
+      }
+    }
+  }
 }
 
 // check to see if all replicas are ready for all deployments in the pepr-system namespace

package/src/lib/k8s.ts

@@ -3,6 +3,7 @@
 
 import { GenericKind, GroupVersionKind, KubernetesObject, RegisterKind } from "kubernetes-fluent-client";
 
+// DEPRECATED: Use Operation in types.ts instead
 export enum Operation {
   CREATE = "CREATE",
   UPDATE = "UPDATE",
@@ -27,6 +28,7 @@ export const peprStoreGVK = {
 
 RegisterKind(PeprStore, peprStoreGVK);
 
+// DEPRECATED: Use Operation in types.ts instead
 /**
  * GroupVersionResource unambiguously identifies a resource. It doesn't anonymously include GroupVersion
  * to avoid automatic coercion. It doesn't use a GroupVersion to avoid custom marshalling
@@ -37,6 +39,8 @@ export interface GroupVersionResource {
   readonly resource: string;
 }
 
+// DEPRECATED: Use Operation in types.ts instead
+
 /**
  * A Kubernetes admission request to be processed by a capability.
  */

package/src/lib/module.ts

@@ -4,8 +4,8 @@ import { clone } from "ramda";
 import { Capability } from "./capability";
 import { Controller } from "./controller";
 import { ValidateError } from "./errors";
-import { AdmissionRequest, MutateResponse, ValidateResponse, WebhookIgnore } from "./k8s";
-import { CapabilityExport } from "./types";
+import { MutateResponse, ValidateResponse, WebhookIgnore } from "./k8s";
+import { CapabilityExport, AdmissionRequest } from "./types";
 import { setupWatch } from "./watch-processor";
 import { Log } from "../lib";
 
@@ -108,7 +108,7 @@ export class PeprModule {
       // Wait for the controller to be ready before setting up watches
       if (isWatchMode() || isDevMode()) {
         try {
-          setupWatch(capabilities);
+          setupWatch(capabilities, pepr?.alwaysIgnore?.namespaces);
         } catch (e) {
           Log.error(e, "Error setting up watch");
           process.exit(1);

package/src/lib/mutate-processor.ts

@@ -7,7 +7,8 @@ import { kind } from "kubernetes-fluent-client";
 import { Capability } from "./capability";
 import { Errors } from "./errors";
 import { shouldSkipRequest } from "./filter";
-import { MutateResponse, AdmissionRequest } from "./k8s";
+import { MutateResponse } from "./k8s";
+import { AdmissionRequest } from "./types";
 import Log from "./logger";
 import { ModuleConfig } from "./module";
 import { PeprMutateRequest } from "./mutate-request";
@@ -42,7 +43,6 @@ export async function mutateProcessor(
 
   for (const { name, bindings, namespaces } of capabilities) {
     const actionMetadata = { ...reqMetadata, name };
-
     for (const action of bindings) {
       // Skip this action if it's not a mutate action
       if (!action.mutateCallback) {
@@ -50,13 +50,12 @@ export async function mutateProcessor(
       }
 
       // Continue to the next action without doing anything if this one should be skipped
-      if (shouldSkipRequest(action, req, namespaces)) {
+      if (shouldSkipRequest(action, req, namespaces, config?.alwaysIgnore?.namespaces)) {
         continue;
       }
 
       const label = action.mutateCallback.name;
       Log.info(actionMetadata, `Processing mutation action (${label})`);
-
       matchedAction = true;
 
       // Add annotations to the request to indicate that the capability started processing
@@ -79,6 +78,7 @@ export async function mutateProcessor(
         // Run the action
         await action.mutateCallback(wrapped);
 
+        // Log on success
         Log.info(actionMetadata, `Mutation action succeeded (${label})`);
 
         // Add annotations to the request to indicate that the capability succeeded
@@ -99,6 +99,7 @@ export async function mutateProcessor(
           errorMessage = "An error occurred with the mutate action.";
         }
 
+        // Log on failure
         Log.error(actionMetadata, `Action failed: ${errorMessage}`);
         response.warnings.push(`Action failed: ${errorMessage}`);
 

package/src/lib/mutate-request.test.ts

@@ -3,8 +3,7 @@
 
 import { beforeEach, describe, expect, it } from "@jest/globals";
 import { KubernetesObject } from "kubernetes-fluent-client";
-
-import { Operation, AdmissionRequest } from "./k8s";
+import { Operation, AdmissionRequest } from "./types";
 import { PeprMutateRequest } from "./mutate-request";
 
 describe("PeprMutateRequest", () => {

package/src/lib/mutate-request.ts

@@ -3,9 +3,7 @@
 
 import { KubernetesObject } from "kubernetes-fluent-client";
 import { clone, mergeDeepRight } from "ramda";
-
-import { AdmissionRequest, Operation } from "./k8s";
-import { DeepPartial } from "./types";
+import { Operation, AdmissionRequest, DeepPartial } from "./types";
 
 /**
  * The RequestWrapper class provides methods to modify Kubernetes objects in the context

package/src/lib/schedule.ts

@@ -3,7 +3,7 @@
 
 import { PeprStore } from "./storage";
 
-type Unit = "seconds" | "second" | "minute" | "minutes" | "hours" | "hour";
+export type Unit = "seconds" | "second" | "minute" | "minutes" | "hours" | "hour";
 
 export interface Schedule {
   /**

package/src/lib/storage.ts

@@ -2,7 +2,6 @@
 // SPDX-FileCopyrightText: 2023-Present The Pepr Authors
 
 import { clone } from "ramda";
-import Log from "./logger";
 import pointer from "json-pointer";
 export type DataOp = "add" | "remove";
 export type DataStore = Record<string, string>;
@@ -86,7 +85,6 @@ export class Storage implements PeprStore {
   };
 
   receive = (data: DataStore) => {
-    Log.debug(data, `Pepr store data received`);
     this.#store = data || {};
 
     this.#onReady();
@@ -107,10 +105,11 @@ export class Storage implements PeprStore {
   };
 
   clear = () => {
-    this.#dispatchUpdate(
-      "remove",
-      Object.keys(this.#store).map(key => pointer.escape(key)),
-    );
+    Object.keys(this.#store).length > 0 &&
+      this.#dispatchUpdate(
+        "remove",
+        Object.keys(this.#store).map(key => pointer.escape(key)),
+      );
   };
 
   removeItem = (key: string) => {

package/src/lib/types.ts

@@ -2,11 +2,20 @@
 // SPDX-FileCopyrightText: 2023-Present The Pepr Authors
 
 import { GenericClass, GroupVersionKind, KubernetesObject } from "kubernetes-fluent-client";
-import { WatchAction } from "kubernetes-fluent-client/dist/fluent/types";
+
+import { WatchPhase } from "kubernetes-fluent-client/dist/fluent/types";
 
 import { PeprMutateRequest } from "./mutate-request";
 import { PeprValidateRequest } from "./validate-request";
 
+import { Logger } from "pino";
+
+export enum Operation {
+  CREATE = "CREATE",
+  UPDATE = "UPDATE",
+  DELETE = "DELETE",
+  CONNECT = "CONNECT",
+}
 /**
  * Specifically for deploying images with a private registry
  */
@@ -80,25 +89,33 @@ export type WhenSelector<T extends GenericClass> = {
   /** Register an action to be executed when a Kubernetes resource is deleted. */
   IsDeleted: () => BindingAll<T>;
 };
-
+export interface RegExpFilter {
+  obj: RegExp;
+  source: string;
+}
 export type Binding = {
   event: Event;
   isMutate?: boolean;
   isValidate?: boolean;
   isWatch?: boolean;
   isQueue?: boolean;
+  isFinalize?: boolean;
   readonly model: GenericClass;
   readonly kind: GroupVersionKind;
   readonly filters: {
     name: string;
+    regexName: string;
     namespaces: string[];
+    regexNamespaces: string[];
     labels: Record<string, string>;
     annotations: Record<string, string>;
     deletionTimestamp: boolean;
   };
+  alias?: string;
   readonly mutateCallback?: MutateAction<GenericClass, InstanceType<GenericClass>>;
   readonly validateCallback?: ValidateAction<GenericClass, InstanceType<GenericClass>>;
-  readonly watchCallback?: WatchAction<GenericClass, InstanceType<GenericClass>>;
+  readonly watchCallback?: WatchLogAction<GenericClass, InstanceType<GenericClass>>;
+  readonly finalizeCallback?: FinalizeAction<GenericClass, InstanceType<GenericClass>>;
 };
 
 export type BindingFilter<T extends GenericClass> = CommonActionChain<T> & {
@@ -145,11 +162,15 @@ export type BindingFilter<T extends GenericClass> = CommonActionChain<T> & {
 export type BindingWithName<T extends GenericClass> = BindingFilter<T> & {
   /** Only apply the action if the resource name matches the specified name. */
   WithName: (name: string) => BindingFilter<T>;
+  /** Only apply the action if the resource name matches the specified regex name. */
+  WithNameRegex: (name: RegExp) => BindingFilter<T>;
 };
 
 export type BindingAll<T extends GenericClass> = BindingWithName<T> & {
   /** Only apply the action if the resource is in one of the specified namespaces.*/
   InNamespace: (...namespaces: string[]) => BindingWithName<T>;
+  /** Only apply the action if the resource is in one of the specified regex namespaces.*/
+  InNamespaceRegex: (...namespaces: RegExp[]) => BindingWithName<T>;
 };
 
 export type CommonActionChain<T extends GenericClass> = MutateActionChain<T> & {
@@ -162,6 +183,7 @@ export type CommonActionChain<T extends GenericClass> = MutateActionChain<T> & {
    * @param action The action to be executed when the Kubernetes resource is processed by the AdmissionController.
    */
   Mutate: (action: MutateAction<T, InstanceType<T>>) => MutateActionChain<T>;
+  Alias: (alias: string) => BindingFilter<T>;
 };
 
 export type ValidateActionChain<T extends GenericClass> = {
@@ -176,7 +198,8 @@ export type ValidateActionChain<T extends GenericClass> = {
    * @param action
    * @returns
    */
-  Watch: (action: WatchAction<T, InstanceType<T>>) => void;
+
+  Watch: (action: WatchLogAction<T, InstanceType<T>>) => FinalizeActionChain<T>;
 
   /**
    * Establish a reconcile for the specified resource. The callback function will be executed after the admission controller has
@@ -189,7 +212,8 @@ export type ValidateActionChain<T extends GenericClass> = {
    * @param action
    * @returns
    */
-  Reconcile: (action: WatchAction<T, InstanceType<T>>) => void;
+
+  Reconcile: (action: WatchLogAction<T, InstanceType<T>>) => FinalizeActionChain<T>;
 };
 
 export type MutateActionChain<T extends GenericClass> = ValidateActionChain<T> & {
@@ -219,14 +243,133 @@ export type MutateActionChain<T extends GenericClass> = ValidateActionChain<T> &
 
 export type MutateAction<T extends GenericClass, K extends KubernetesObject = InstanceType<T>> = (
   req: PeprMutateRequest<K>,
+  logger?: Logger,
 ) => Promise<void> | void | Promise<PeprMutateRequest<K>> | PeprMutateRequest<K>;
 
 export type ValidateAction<T extends GenericClass, K extends KubernetesObject = InstanceType<T>> = (
   req: PeprValidateRequest<K>,
+  logger?: Logger,
 ) => Promise<ValidateActionResponse> | ValidateActionResponse;
 
+// Define WatchLogAction by adding an optional logger parameter to the WatchAction
+export type WatchLogAction<T extends GenericClass, K extends KubernetesObject = InstanceType<T>> = (
+  update: K,
+  phase: WatchPhase,
+  logger?: Logger,
+) => Promise<void> | void;
+
 export type ValidateActionResponse = {
   allowed: boolean;
   statusCode?: number;
   statusMessage?: string;
 };
+
+export type FinalizeAction<T extends GenericClass, K extends KubernetesObject = InstanceType<T>> = (
+  update: K,
+  logger?: Logger,
+) => Promise<void> | void;
+
+export type FinalizeActionChain<T extends GenericClass> = {
+  /**
+   * Establish a finalizer for the specified resource. The callback given will be executed by the watch
+   * controller after it has received notification of an update adding a deletionTimestamp.
+   *
+   * **Beta Function**: This method is still in early testing and edge cases may still exist.
+   *
+   * @since 0.35.0
+   *
+   * @param action
+   * @returns
+   */
+  Finalize: (action: FinalizeAction<T, InstanceType<T>>) => void;
+};
+
+/**
+ * A Kubernetes admission request to be processed by a capability.
+ */
+export interface AdmissionRequest<T = KubernetesObject> {
+  /** UID is an identifier for the individual request/response. */
+  readonly uid: string;
+
+  /** Kind is the fully-qualified type of object being submitted (for example, v1.Pod or autoscaling.v1.Scale) */
+  readonly kind: GroupVersionKind;
+
+  /** Resource is the fully-qualified resource being requested (for example, v1.pods) */
+  readonly resource: GroupVersionResource;
+
+  /** SubResource is the sub-resource being requested, if any (for example, "status" or "scale") */
+  readonly subResource?: string;
+
+  /** RequestKind is the fully-qualified type of the original API request (for example, v1.Pod or autoscaling.v1.Scale). */
+  readonly requestKind?: GroupVersionKind;
+
+  /** RequestResource is the fully-qualified resource of the original API request (for example, v1.pods). */
+  readonly requestResource?: GroupVersionResource;
+
+  /** RequestSubResource is the sub-resource of the original API request, if any (for example, "status" or "scale"). */
+  readonly requestSubResource?: string;
+
+  /**
+   * Name is the name of the object as presented in the request. On a CREATE operation, the client may omit name and
+   * rely on the server to generate the name. If that is the case, this method will return the empty string.
+   */
+  readonly name: string;
+
+  /** Namespace is the namespace associated with the request (if any). */
+  readonly namespace?: string;
+
+  /**
+   * Operation is the operation being performed. This may be different than the operation
+   * requested. e.g. a patch can result in either a CREATE or UPDATE Operation.
+   */
+  readonly operation: Operation;
+
+  /** UserInfo is information about the requesting user */
+  readonly userInfo: {
+    /** The name that uniquely identifies this user among all active users. */
+    username?: string;
+
+    /**
+     * A unique value that identifies this user across time. If this user is deleted
+     * and another user by the same name is added, they will have different UIDs.
+     */
+    uid?: string;
+
+    /** The names of groups this user is a part of. */
+    groups?: string[];
+
+    /** Any additional information provided by the authenticator. */
+    extra?: {
+      [key: string]: string[];
+    };
+  };
+
+  /** Object is the object from the incoming request prior to default values being applied */
+  readonly object: T;
+
+  /** OldObject is the existing object. Only populated for UPDATE or DELETE requests. */
+  readonly oldObject?: T;
+
+  /** DryRun indicates that modifications will definitely not be persisted for this request. Defaults to false. */
+  readonly dryRun?: boolean;
+
+  /**
+   * Options contains the options for the operation being performed.
+   * e.g. `meta.k8s.io/v1.DeleteOptions` or `meta.k8s.io/v1.CreateOptions`. This may be
+   * different than the options the caller provided. e.g. for a patch request the performed
+   * Operation might be a CREATE, in which case the Options will a
+   * `meta.k8s.io/v1.CreateOptions` even though the caller provided `meta.k8s.io/v1.PatchOptions`.
+   */
+  // eslint-disable-next-line @typescript-eslint/no-explicit-any
+  readonly options?: any;
+}
+
+/**
+ * GroupVersionResource unambiguously identifies a resource. It doesn't anonymously include GroupVersion
+ * to avoid automatic coercion. It doesn't use a GroupVersion to avoid custom marshalling
+ */
+export interface GroupVersionResource {
+  readonly group: string;
+  readonly version: string;
+  readonly resource: string;
+}