Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Enabling Validating and Mutating Webhook's for KCP #818

Merged
merged 4 commits into from
Apr 30, 2022
Merged

Enabling Validating and Mutating Webhook's for KCP #818

merged 4 commits into from
Apr 30, 2022

Conversation

shawn-hurley
Copy link

Summary

Adding a conformance test to prove kcp-dev/kubernetes#52 is working as expected

Another follow on PR is going to need to test this using the APIBindings type to pass webhooks along.

Related issue(s)

Fixes #

@shawn-hurley shawn-hurley force-pushed the add-conformance-webhook-test branch 2 times, most recently from b0b3fc0 to 16b708f Compare April 4, 2022 17:53
@shawn-hurley shawn-hurley changed the title [WIP] Adding a test case for validating webhook Adding a test case for validating webhook Apr 4, 2022
ncdc
ncdc reviewed Apr 6, 2022
View reviewed changes
test/e2e/conformance/webhook_test.go Outdated Show resolved Hide resolved
test/e2e/conformance/webhook_test.go Outdated Show resolved Hide resolved
test/e2e/conformance/webhook_test.go Outdated Show resolved Hide resolved
test/e2e/conformance/webhook_test.go Outdated Show resolved Hide resolved
test/e2e/conformance/webhook_test.go Outdated Show resolved Hide resolved
test/e2e/conformance/webhook_test.go Outdated Show resolved Hide resolved
test/e2e/conformance/webhook_test.go Outdated Show resolved Hide resolved
test/e2e/conformance/webhook_test.go Outdated Show resolved Hide resolved
test/e2e/conformance/webhook_test.go Outdated Show resolved Hide resolved
test/e2e/conformance/webhook_test.go Outdated Show resolved Hide resolved
@shawn-hurley shawn-hurley force-pushed the add-conformance-webhook-test branch 3 times, most recently from e139ced to 9fe6e2d Compare April 7, 2022 17:17
@shawn-hurley shawn-hurley force-pushed the add-conformance-webhook-test branch from 9fe6e2d to 0a26674 Compare April 20, 2022 12:56
sttts
sttts reviewed Apr 20, 2022
View reviewed changes
pkg/admission/validatingwebhook/plugin.go Outdated
// Determine the type of request, is it api binding or not.
if workspace, isAPIBinding := p.getAPIBindingWorkspace(attr, lcluster); isAPIBinding {
wh := p.restrictToLogicalCluster(hooks, workspace)
whAccessor = append(whAccessor, wh...)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we want to replace the hooks with wh, not just add them, at least that's true for status updates (= status subresource). cc @ncdc

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

a cluster-admin couldn't have a webhook for a bound resource in their cluster then? at least that was the use case that I was thinking of

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think this is a use case we'd want to enable, at least not without further discussion (i.e. let's get this PR ready + merged without this, and consider it for the future).

In the typical (non admin) use case, an API provider provides APIs, and that includes validating + mutating webhooks. API consumers must not be able to change validating/mutating behaviors, or at least I don't think they should be able to (?). Allowing cluster-admins to do so would make things much harder for the API provider to debug when things go wrong.

@shawn-hurley shawn-hurley force-pushed the add-conformance-webhook-test branch 2 times, most recently from e280866 to 4d14315 Compare April 25, 2022 13:59
@shawn-hurley shawn-hurley changed the title Adding a test case for validating webhook Enabling Validating and Mutating Webhook's for KCP Apr 25, 2022
@shawn-hurley shawn-hurley mentioned this pull request Apr 25, 2022
Closed
@shawn-hurley shawn-hurley force-pushed the add-conformance-webhook-test branch 4 times, most recently from 9f138df to e0c9fca Compare April 25, 2022 16:07
shawn-hurley
shawn-hurley commented Apr 27, 2022
View reviewed changes
pkg/admission/webhook/generic_webhook.go Show resolved Hide resolved
pkg/admission/webhook/generic_webhook.go Show resolved Hide resolved
pkg/admission/plugins.go Outdated Show resolved Hide resolved
@shawn-hurley shawn-hurley force-pushed the add-conformance-webhook-test branch 3 times, most recently from 66404b9 to 0414709 Compare April 27, 2022 17:59
sttts
sttts reviewed Apr 27, 2022
View reviewed changes
go.mod Outdated Show resolved Hide resolved
sttts
sttts reviewed Apr 29, 2022
View reviewed changes
test/e2e/conformance/webhook_test.go Outdated
}, wait.ForeverTestTimeout, 100*time.Millisecond)

//Avoid race condition where webhook informer is not updated before the call to create was made.
t.Log("Verify webhook is eventually called")
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

here we also have the race about the two eventually calls.

@sttts
Copy link
Member

sttts commented Apr 29, 2022

For this to land, also for @ncdc to pick this up in review later today:

  1. rebase to non-private kube branch
  2. merge Simplify webhook and fix zero calls check shawn-hurley/kcp#1
  3. sort out https://github.com/kcp-dev/kcp/pull/818/files#r861929387
  4. bonus: either get rid of the two workspaces in the conformance tests, or add something testing that the webhook is only called for one of them (where the webhook is registered in).

@shawn-hurley shawn-hurley force-pushed the add-conformance-webhook-test branch from 2c034f2 to 4b9439f Compare April 29, 2022 17:04
adding a new admission plugin to handle api bindings and all validati…
edf8953 
…ng webhooks

* adding a test case for validating webhook
* add a generic kcp webhook dispatcher for validationg and mutating webhooks.
* Adding e2e tests for new plugins
* admission/webhooks: add index by workspace for bindings
* Adding indexer to the generic webhook struct
@shawn-hurley shawn-hurley force-pushed the add-conformance-webhook-test branch from 4b9439f to dfee47b Compare April 29, 2022 17:14
@shawn-hurley
Copy link
Author

@sttts

I believe that the first three are all taken care of!

for the bonus, I believe that I am doing this. Here I am using logical cluster one to create a resource and here We check that the webhook is not called.

@shawn-hurley shawn-hurley force-pushed the add-conformance-webhook-test branch from dfee47b to bea27fc Compare April 29, 2022 18:23
@sttts sttts enabled auto-merge (squash) April 30, 2022 19:07
@sttts sttts merged commit 580b40c into kcp-dev:main Apr 30, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ncdc ncdc ncdc left review comments

@sttts sttts sttts approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@shawn-hurley @sttts @ncdc