Move permission claim object selectors from APIExport to APIBinding

[embik]

Summary

This PR implements the API changes we wanted to get into v1alpha2 before we cut the release solidifying the API version. It's been mainly discussed on Slack: https://kubernetes.slack.com/archives/C021U8WSAFK/p1749552577773639. I don't think a strong consensus has been reached but the general direction is what this PR proposes.

It removes the all and resourceSelector fields from the PermissionClaim type (i.e. remove the object selector configuration from the APIExport on the service provider side). It instead adds a selector field in AcceptablePermissionClaim (the wrapper type used for permission claims in APIBindings) which allows the API consumer to scope access of an API provider to a specific resource.

Conversions have been added so that if a permission claim in an APIBinding had all: true, it would automatically translate into selector.matchAll: true (and back). To allow API roundtripping without loss of information, permission claims are now stored in an annotation when converting from v1alpha1 to v1alpha2, so that resourceSelector can be restored upon converting back to v1alpha1.

A few more things this PR does:

• Update the usage of APIExport and APIBindings across the code base.
• Split conversion tests in v1alpha2 package into two files.
• Rename PermissionClaim.Equal to PermissionClaim.EqualGRI. Equal is used by cmp to compare objects, so (acceptable) permission claims were only compared partially, which shadowed some bugs in my code early on.
• Switch compared objects in conversion tests so that the diff output was more readable.

What Type of PR Is This?

/kind cleanup
/kind api-change

Related Issue(s)

Fixes #3456

Release Notes

NONE

[kcp-ci-bot]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[embik]

/hold

Since I want to discuss this PR with @xmudrii.

[embik]

/retest

[xmudrii]

This is fine, but we should have a quick test to make sure the behavior around this annotation is correct.

[kcp-ci-bot]

LGTM label has been added.

Git tree hash: 083c7f231252d207ecee3f1cdf903dfcec7ebed2

[mjudeikis]

/hold

I think this is wrong. This moves permission claim responsibility to APIBinding from APIExport. This means that now you can have a need to check " accepted claims and state of them" on each binding. This will put big operational strain on the provider. Meaning on each reconcile loop provider needs to check what is the state of APIBinding and adjust reconciler for this. If user says 'selector=label=foo' provider will need to inject this.

[mjudeikis]

/hold cancel
Plan is to mutate on provider side so should be ok there,

[embik]

/retest

[embik]

/retest

Known flake: #3444

[xrstf]

/approve

[kcp-ci-bot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: xmudrii, xrstf

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [xrstf]
• config/crds/OWNERS [xrstf]
• pkg/admission/OWNERS [xrstf]
• sdk/apis/OWNERS [xrstf]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[mjudeikis]

/lgtm

[kcp-ci-bot]

LGTM label has been added.

Git tree hash: 3b2c2de7032b7d7600be6f7f2c70694e46d26128