adding a new admission plugin to handle api bindings and all validati…

…ng webhooks
kcp-dev · Apr 20, 2022 · 0a26674 · 0a26674
1 parent 7cc664a
commit 0a26674
Show file tree

Hide file tree

Showing 3 changed files with 16 additions and 16 deletions.
diff --git a/pkg/admission/plugins.go b/pkg/admission/plugins.go
@@ -22,7 +22,6 @@ import (
 	"k8s.io/apiserver/pkg/admission/plugin/namespace/lifecycle"
 	"k8s.io/apiserver/pkg/admission/plugin/resourcequota"
 	mutatingwebhook "k8s.io/apiserver/pkg/admission/plugin/webhook/mutating"
-	validatingwebhook "k8s.io/apiserver/pkg/admission/plugin/webhook/validating"
 	kubeapiserveroptions "k8s.io/kubernetes/pkg/kubeapiserver/options"
 	certapproval "k8s.io/kubernetes/plugin/pkg/admission/certificates/approval"
 	certsigning "k8s.io/kubernetes/plugin/pkg/admission/certificates/signing"
@@ -45,6 +44,7 @@ import (
 	"github.com/kcp-dev/kcp/pkg/admission/clusterworkspaceshard"
 	"github.com/kcp-dev/kcp/pkg/admission/clusterworkspacetype"
 	"github.com/kcp-dev/kcp/pkg/admission/clusterworkspacetypeexists"
+	kcpvalidatingwebhook "github.com/kcp-dev/kcp/pkg/admission/validatingwebhook"
 )
 
 // AllOrderedPlugins is the list of all the plugins in order.
@@ -55,7 +55,7 @@ var AllOrderedPlugins = beforeWebhooks(kubeapiserveroptions.AllOrderedPlugins,
 	clusterworkspacetype.PluginName,
 	clusterworkspacetypeexists.PluginName,
 	apibinding.PluginName,
-	validatingwebhook.PluginName,
+	kcpvalidatingwebhook.PluginName,
 )
 
 func beforeWebhooks(recommended []string, plugins ...string) []string {
@@ -79,14 +79,14 @@ func RegisterAllKcpAdmissionPlugins(plugins *admission.Plugins) {
 	clusterworkspacetypeexists.Register(plugins)
 	apiresourceschema.Register(plugins)
 	apibinding.Register(plugins)
-	validatingwebhook.Register(plugins)
+	kcpvalidatingwebhook.Register(plugins)
 }
 
 var defaultOnPluginsInKcp = sets.NewString(
-	lifecycle.PluginName,              // NamespaceLifecycle
-	limitranger.PluginName,            // LimitRanger
-	mutatingwebhook.PluginName,        // MutatingAdmissionWebhook
-	validatingwebhook.PluginName,      // ValidatingAdmissionWebhook
+	lifecycle.PluginName,   // NamespaceLifecycle
+	limitranger.PluginName, // LimitRanger
+	// mutatingwebhook.PluginName,        // MutatingAdmissionWebhook
+	// validatingwebhook.PluginName,      // ValidatingAdmissionWebhook
 	certapproval.PluginName,           // CertificateApproval
 	certsigning.PluginName,            // CertificateSigning
 	certsubjectrestriction.PluginName, // CertificateSubjectRestriction
@@ -98,7 +98,7 @@ var defaultOnPluginsInKcp = sets.NewString(
 	clusterworkspacetypeexists.PluginName,
 	apiresourceschema.PluginName,
 	apibinding.PluginName,
-	validatingwebhook.PluginName,
+	kcpvalidatingwebhook.PluginName,
 )
 
 // defaultOnKubePluginsInKube is a copy of kubeapiserveroptions.defaultOnKubePlugins.

diff --git a/pkg/admission/validatingwebhook/plugin.go b/pkg/admission/validatingwebhook/plugin.go
@@ -48,6 +48,7 @@ const (
 type Plugin struct {
 	// Using validating plugin, for the dispatcher to use.
 	// This plugins admit function will never be called.
+	*admission.Handler
 	validating.Plugin
 	dipatcher        generic.Dispatcher
 	hookSource       generic.Source
@@ -56,8 +57,9 @@ type Plugin struct {
 }
 
 func NewValidatingAdmissionWebhook(configfile io.Reader) (*Plugin, error) {
-	p := &Plugin{}
+	p := &Plugin{Plugin: validating.Plugin{Webhook: &generic.Webhook{}}}
 	p.Handler = admission.NewHandler(admission.Connect, admission.Create, admission.Delete, admission.Update)
+
 	dispatcherFactory := validating.NewValidatingDispatcher(&p.Plugin)
 
 	// Making our own dispatcher so that we can control the webhook accessors.
@@ -85,7 +87,8 @@ func NewValidatingAdmissionWebhook(configfile io.Reader) (*Plugin, error) {
 	cm.SetServiceResolver(webhookutil.NewDefaultServiceResolver())
 
 	p.dipatcher = dispatcherFactory(&cm)
-
+	// Need to do this, to make sure that the underlying objects for the call to ShouldCallHook have the right values
+	p.Plugin.Webhook, err = generic.NewWebhook(p.Handler, configfile, configuration.NewValidatingWebhookConfigurationManager, dispatcherFactory)
 	if err != nil {
 		return nil, err
 	}
@@ -98,7 +101,8 @@ func NewValidatingAdmissionWebhook(configfile io.Reader) (*Plugin, error) {
 		}
 		return false
 	})
-	klog.Infof("HEREREER~!")
+	klog.V(0).Infof("HEREREER~!")
+	fmt.Printf("HERE!!!!")
 	return p, nil
 }
 
@@ -113,7 +117,6 @@ func (a *Plugin) Validate(ctx context.Context, attr admission.Attributes, o admi
 }
 
 func (p *Plugin) Dispatch(ctx context.Context, attr admission.Attributes, o admission.ObjectInterfaces) error {
-	klog.Infof("HEREREER~!")
 	if rules.IsWebhookConfigurationResource(attr) {
 		return nil
 	}
@@ -159,7 +162,7 @@ func (p *Plugin) getAPIBindingWorkspace(attr admission.Attributes, lc logicalclu
 func (p *Plugin) restrictToLogicalCluster(hooks []webhook.WebhookAccessor, lc logicalcluster.LogicalCluster) []webhook.WebhookAccessor {
 	wh := []webhook.WebhookAccessor{}
 	for _, hook := range hooks {
-		if hook.GetLogicalCluster() != lc {
+		if hook.GetLogicalCluster() == lc {
 			wh = append(wh, hook)
 		}
 	}

diff --git a/test/e2e/conformance/webhook_test.go b/test/e2e/conformance/webhook_test.go
@@ -174,9 +174,6 @@ func TestWebhookInWorkspace(t *testing.T) {
 	require.Eventually(t, func() bool {
 		return testWebhook.Calls == 1
 	}, wait.ForeverTestTimeout, 100*time.Millisecond)
-	fmt.Printf("\nCALLS :%v", testWebhook.Calls)
-	t.Fail()
-
 }
 
 type testWebhookServer struct {