Do webhooks have a place in KCP

[maleck13]

Wondering if things like the validating and mutating webhooks have a place in KCP? Maybe they are already present?

[imjasonh]

They're not currently implemented, but we will have to support them, to be able to support the ecosystem of controllers that expect/require them.

We're working through how Services work in a multicluster setup now, and as part of that we'll have to make sure the kcp layer can call those services too as webhooks.

[ncdc]

One option could be to use the url field in the webhook's clientConfig section, instead of service... although that likely wouldn't work out of the box with 99-100% of existing webhook configs out there today that presumably are using service.

[sttts]

Do webhooks have a place in this when we have an embedded programming language for admission?

[ncdc]

Long-term, probably not. But until projects have migrated from validating/mutating webhooks to the embedded language, if they want target running against KCP, KCP will need webhooks.

[maleck13]

Is there any more detail on the embedded language for admission? wondering if it would be something like rego (which can be embedded in go) from open policy agent?

[sttts]

@maleck13 kubernetes/enhancements#2877

[imjasonh]

Do webhooks have a place in this when we have an embedded programming language for admission?

I think so, yes. I'm very excited about KEP-2876, but even though CEL is miles better than JSONschema validation, there are things it's just not practical to do.

For example, Tekton has a bunch of code to validate the DAG of Tasks in a Pipeline, which is really not something I'd want to have to maintain (and utterly fail to write tests for!) in CEL.

CEL is going to replace a lot of webhook validation today, but I don't think it can (or should) replace all of it.

[sttts]

True. Everything that is not self-contained and calls out to other resources or services won't fit into CEL.

[sttts]

Which leads us to a nice problem: if we have our copy of the webhook, it will be based on different resources than the one in the downstream cluster, leading to different answers potentially.

[maleck13]

Example use cases: An ingress controller that wants to control the hosts that can be used for ingress. A controller that wants to ensure some quota / subscription is enabled based on a resource it provides.

[ncdc]

We are adding support for validating and mutating webhooks for full external URLs (not service URLs), at least as step 1.

[shawn-hurley]

Step 1 Implementation is here: #818

[ncdc]

Closing this now that 818 is merged. We can open additional issues if needed