Adding the admistrationregistration api group #52
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
shawn-hurley
commented
Mar 11, 2022
| @@ -222,6 +222,7 @@ func (cm *ClientManager) HookClient(cc ClientConfig) (*rest.RESTClient, error) { | |||
| cfg := rest.CopyConfig(restConfig) | |||
| cfg.Host = u.Scheme + "://" + u.Host | |||
| cfg.APIPath = u.Path | |||
| cfg.TLSClientConfig.Insecure = true | |||
There was a problem hiding this comment.
Need to remove, this was to just help me testing a webhook via URL without having to spend too much time on certs.
shawn-hurley
commented
Mar 11, 2022
|
|
||
| name, err := genericapirequest.ClusterNameFrom(ctx) | ||
|
|
||
| fmt.Printf("\n\nCluster: %v\nerr:%v\n\n", name, err) |
There was a problem hiding this comment.
Will remove, used for testing
shawn-hurley
force-pushed
the
add-validation-admission-lcluster-aware
branch
from
d14bc9e to
ef2bdb0
Compare
sttts
reviewed
Mar 30, 2022
| @@ -114,7 +113,7 @@ func NewServerRunOptions() *ServerRunOptions { | |||
| s.Etcd.EnableWatchCache = false | |||
|
|
|||
| // TODO: turn off the admission webhooks for now | |||
| s.Admission.DefaultOffPlugins.Insert(validating.PluginName, mutating.PluginName) | |||
| s.Admission.DefaultOffPlugins.Insert(mutating.PluginName) | |||
sttts
reviewed
Mar 30, 2022
| @@ -118,7 +118,7 @@ func mergeValidatingWebhookConfigurations(configurations []*v1.ValidatingWebhook | |||
| n := c.Webhooks[i].Name | |||
| uid := fmt.Sprintf("%s/%s/%d", c.Name, n, names[n]) | |||
| names[n]++ | |||
| accessors = append(accessors, webhook.NewValidatingWebhookAccessor(uid, c.Name, &c.Webhooks[i])) | |||
| accessors = append(accessors, webhook.NewValidatingWebhookAccessor(uid, c.Name, c.ObjectMeta.ClusterName, &c.Webhooks[i])) | |||
There was a problem hiding this comment.
this needs a rebase to latest kube branch, with logicalcluster.LogicalCluster
sttts
reviewed
Mar 30, 2022
| @@ -21,7 +21,7 @@ import ( | |||
| "sort" | |||
| "sync/atomic" | |||
|
|
|||
| "k8s.io/api/admissionregistration/v1" | |||
| v1 "k8s.io/api/admissionregistration/v1" | |||
sttts
reviewed
Mar 30, 2022
| @@ -31,6 +31,8 @@ type WebhookAccessor interface { | |||
| // GetUID gets a string that uniquely identifies the webhook. | |||
| GetUID() string | |||
|
|
|||
| GetCluster() string | |||
There was a problem hiding this comment.
GetLogicalCluster() logicalcluster.LogicalCluster
sttts
reviewed
Mar 30, 2022
| @@ -93,6 +95,10 @@ type mutatingWebhookAccessor struct { | |||
| clientErr error | |||
| } | |||
|
|
|||
| func (m *mutatingWebhookAccessor) GetCluster() string { | |||
| return "" | |||
sttts
reviewed
Mar 30, 2022
| } | ||
|
|
||
| type validatingWebhookAccessor struct { | ||
| *v1.ValidatingWebhook | ||
| uid string | ||
| configurationName string | ||
| cluster string |
sttts
reviewed
Mar 30, 2022
| @@ -23,7 +23,7 @@ import ( | |||
|
|
|||
| admissionv1 "k8s.io/api/admission/v1" | |||
| admissionv1beta1 "k8s.io/api/admission/v1beta1" | |||
| "k8s.io/api/admissionregistration/v1" | |||
| v1 "k8s.io/api/admissionregistration/v1" | |||
sttts
reviewed
Mar 30, 2022
| func (a *Webhook) ShouldCallHook(h webhook.WebhookAccessor, attr admission.Attributes, o admission.ObjectInterfaces, clusterName string) (*WebhookInvocation, *apierrors.StatusError) { | ||
| if h.GetCluster() != clusterName { | ||
| return nil, nil | ||
| } |
There was a problem hiding this comment.
this looks fine for CRDs, but probably not enough for APIBindings. Before merging this PR I would like to see a kcp "proof" PR showing in e2e that admission works for APIBindings.
There was a problem hiding this comment.
I discussed with Shawn yesterday. I think we might want to split this into
- Just getting webhooks working within a single workspace
- Support for webhooks for APIBindings, after we implement identity
WDYT?
shawn-hurley
force-pushed
the
add-validation-admission-lcluster-aware
branch
from
ef2bdb0 to
03721ff
Compare
Add ability to handle validating and mutating webhooks for logical cluster Attempted to keep the changes localized to admission plugin package
shawn-hurley
force-pushed
the
add-validation-admission-lcluster-aware
branch
from
5d3d7d5 to
7610335
Compare
ncdc
reviewed
Apr 6, 2022
go.mod
Outdated
| @@ -98,7 +98,7 @@ require ( | |||
| gopkg.in/yaml.v2 v2.4.0 | |||
| k8s.io/api v0.0.0 | |||
| k8s.io/apiextensions-apiserver v0.0.0 | |||
| k8s.io/apimachinery v0.0.0 | |||
| k8s.io/apimachinery v0.23.5 | |||
There was a problem hiding this comment.
This is the thing I was saying a rebase should fix, and needs to be reverted. Let me know if you can't get it undone after a go mod tidy.
shawn-hurley
force-pushed
the
add-validation-admission-lcluster-aware
branch
from
7610335 to
0513df7
Compare
ncdc
reviewed
Apr 6, 2022
| @@ -71,14 +75,15 @@ type WebhookAccessor interface { | |||
| } | |||
|
|
|||
| // NewMutatingWebhookAccessor creates an accessor for a MutatingWebhook. | |||
| func NewMutatingWebhookAccessor(uid, configurationName string, h *v1.MutatingWebhook) WebhookAccessor { | |||
| return &mutatingWebhookAccessor{uid: uid, configurationName: configurationName, MutatingWebhook: h} | |||
| func NewMutatingWebhookAccessor(uid, configurationName string, cluster logicalcluster.LogicalCluster, h *v1.MutatingWebhook) WebhookAccessor { | |||
There was a problem hiding this comment.
I think you can undo this and just get the cluster from h inside the function (rather than passing in cluster)
| @@ -171,14 +180,15 @@ func (m *mutatingWebhookAccessor) GetValidatingWebhook() (*v1.ValidatingWebhook, | |||
| } | |||
|
|
|||
| // NewValidatingWebhookAccessor creates an accessor for a ValidatingWebhook. | |||
| func NewValidatingWebhookAccessor(uid, configurationName string, h *v1.ValidatingWebhook) WebhookAccessor { | |||
| return &validatingWebhookAccessor{uid: uid, configurationName: configurationName, ValidatingWebhook: h} | |||
| func NewValidatingWebhookAccessor(uid, configurationName string, cluster logicalcluster.LogicalCluster, h *v1.ValidatingWebhook) WebhookAccessor { | |||
shawn-hurley
force-pushed
the
add-validation-admission-lcluster-aware
branch
from
0513df7 to
1cbba47
Compare
ncdc
reviewed
Apr 6, 2022
| @@ -37,7 +38,7 @@ func TestMutatingWebhookAccessor(t *testing.T) { | |||
| orig.ReinvocationPolicy = nil | |||
|
|
|||
| uid := fmt.Sprintf("test.configuration.admission/%s/0", orig.Name) | |||
| accessor := NewMutatingWebhookAccessor(uid, "test.configuration.admission", orig) | |||
| accessor := NewMutatingWebhookAccessor(uid, "test.configuration.admission", logicalcluster.New(""), orig) | |||
There was a problem hiding this comment.
(General comment, not line specific)
Would like to ensure the unit test accounts for the new GetLogicalCluster function. I see 2 options:
- We modify this file
- We create a new
kcp_accessors_test.gofile where the only thing we test is our changes
1 keeps everything together. 2 makes rebases easier. I think I maybe am voting for 2.
@sttts WDYT?
sttts
reviewed
Apr 27, 2022
| // Overwrite the default for storage data format. | ||
| s.Etcd.DefaultStorageMediaType = "application/vnd.kubernetes.protobuf" | ||
|
|
||
| s.Admission.DefaultOffPlugins.Insert(validating.PluginName, mutating.PluginName) | ||
|
|
There was a problem hiding this comment.
why this move? Note that every carry patch costs. We shouldn't do them if they are not strictly necessary.
sttts
reviewed
Apr 27, 2022
| "k8s.io/api/admissionregistration/v1" | ||
| logicalcluster "github.com/kcp-dev/apimachinery/pkg/logicalcluster" | ||
|
|
||
| v1 "k8s.io/api/admissionregistration/v1" |
There was a problem hiding this comment.
reduce changes. The alias is not necessary.
sttts
reviewed
Apr 27, 2022
| @@ -22,7 +22,8 @@ import ( | |||
| "testing" | |||
|
|
|||
| fuzz "github.com/google/gofuzz" | |||
| "k8s.io/api/admissionregistration/v1" | |||
| "github.com/kcp-dev/apimachinery/pkg/logicalcluster" | |||
| v1 "k8s.io/api/admissionregistration/v1" | |||
sttts
reviewed
Apr 27, 2022
| return v.cluster | ||
|
|
||
| } | ||
|
|
sttts
reviewed
Apr 27, 2022
| @@ -0,0 +1,10 @@ | |||
| package mutating | |||
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Add ability to handle validating and mutating webhooks for logical cluster
Attempted to keep the changes localized to admission plugin package
What type of PR is this?
What this PR does / why we need it:
Which issue(s) this PR fixes:
Fixes #
Special notes for your reviewer:
Does this PR introduce a user-facing change?
Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.: