Updated patches for Kubernetes v1.25 #1826

Merged
merged 2 commits into from
Mar 9, 2023
38 changes: 19 additions & 19 deletions projects/kubernetes/kubernetes/1-25/CHECKSUMS
@@ -1,19 +1,19 @@
b593abf9ea06e756c5d46cc6dc4eb4e639903f83ee6fd85d1c453a7712499c56 _output/1-25/bin/darwin/amd64/kubectl
d0f6c342aa6f0384c8b947c989ff23840e05166fa3f92dae3df07e2b48467bae _output/1-25/bin/linux/amd64/kube-apiserver
3fc04374003bda85c13e536660e247345cc04d78f9bfbd22273db78d7d566139 _output/1-25/bin/linux/amd64/kube-controller-manager
4cf7db9846df1218c26f10d5e5513d8052c31da0f4ea45ee8e84660e90aa8f66 _output/1-25/bin/linux/amd64/kube-proxy
48eab073cb951389bc1d744e55fbc11272d54d304b2d40c6ee5f8a66b2de41be _output/1-25/bin/linux/amd64/kube-scheduler
be31f9dc4a3d9accf3c9442eacdc600ccedcb89e64a8011784202dc38770b2b0 _output/1-25/bin/linux/amd64/kubeadm
793c5f19f9b6a70da33e03fc41b1dabb161cf134e81153ac7219d8c7e15dd6c8 _output/1-25/bin/linux/amd64/kubectl
c55d75c66124cbd660948e00549b218ed7e9b834cffc3c44fdb89cb3cee9bc76 _output/1-25/bin/linux/amd64/kubelet
0924d84fe1903eec195c4fd236941a23ed4c6235621752a499bdd56530644bca _output/1-25/bin/linux/arm64/kube-apiserver
445402428a49c99247a6a332e76d4842f90ed1372457bd441570aa5fef45c334 _output/1-25/bin/linux/arm64/kube-controller-manager
12471c7d94e9d27972ec3a636b9e84b4882acdaca54498eb613ea278cad4cac2 _output/1-25/bin/linux/arm64/kube-proxy
673d93cee31eeabb3ed9c82d07da40729f9cd5eb1657dff82e4b9c893517d202 _output/1-25/bin/linux/arm64/kube-scheduler
1e1bf7cdba60cc83791e9d444c50371b94bd40fff4051936920238897437041d _output/1-25/bin/linux/arm64/kubeadm
efb9dfde5c46320c99228eb47bd55517cd5fb1ac59db4ca6e04ff085e3a1fa52 _output/1-25/bin/linux/arm64/kubectl
b3ae9907a3fcab820d0a321e8bb25f9421455488c39856dd8a151b828a94a13a _output/1-25/bin/linux/arm64/kubelet
c6e86d878ac5433a1e0f381249255dee8776a25225dc1dadb6fe687b2b22e97f _output/1-25/bin/windows/amd64/kube-proxy.exe
1ffb7bf575bc74c889f90694c3cb4480389382fdcaa4868912db06b92ba8c0fe _output/1-25/bin/windows/amd64/kubeadm.exe
c6cc85411ae03d11a6d884d482d54860f22bb18d59353181f89939fd2054bf72 _output/1-25/bin/windows/amd64/kubectl.exe
393240f01db0527e7c8a0305113444700092761b0c99bf3cdf28cc069a31cbca _output/1-25/bin/windows/amd64/kubelet.exe
e4418a44703e1565a08ae6a9660da6712cada21c7518704ba70d03380be7c555 _output/1-25/bin/darwin/amd64/kubectl
05a01a14881d31c619c9532ec2ab9c7ee3edf3fcb3fc3f81722d3aaee6e98d90 _output/1-25/bin/linux/amd64/kube-apiserver
08fa7d50cb98f23b53edcf0f01dec1aa685b0fbe153a2576241a16fe29f0a400 _output/1-25/bin/linux/amd64/kube-controller-manager
11475821ec3e3f4d8b793a307bc6ad8874f6139c2a70a3d5862b23b14dfd3ef0 _output/1-25/bin/linux/amd64/kube-proxy
dee77a0b8cf028283b145d5e2c27acda995c78ed500e41ac07f72283bc10f7fc _output/1-25/bin/linux/amd64/kube-scheduler
0468120a0b81af6807d551d8bf0c53e6f7fb8bc7db9f06c22d8fa21acda63955 _output/1-25/bin/linux/amd64/kubeadm
ff5682d6f2781b5ef4d31177e6674b38c3bb58530a29cd4442cd35eb9405063f _output/1-25/bin/linux/amd64/kubectl
1c469c47f10b4e26543250b41c3986b990e5b0360b8c147c12c3e899df598ce7 _output/1-25/bin/linux/amd64/kubelet
b01b18d084c9d5485defa49c61cd6f8bb80fade233be5272757a07d16dcf90a4 _output/1-25/bin/linux/arm64/kube-apiserver
9174763fe895a4e9c4bedd499cd7c2682b861fba416bbb1d4eedcde90c283ba7 _output/1-25/bin/linux/arm64/kube-controller-manager
766989a3301a99a371ffd8ed282dab739707c6f964f65dc69ac066f7be4d499a _output/1-25/bin/linux/arm64/kube-proxy
2d4cc93a5ff13dd01334459c65b9bf76d37b3a4a71c36c60b17735d6215e11d0 _output/1-25/bin/linux/arm64/kube-scheduler
393cd4d1b1b07ecdc2d2d18f25668129ca3d962df443f387e936fd109593b98c _output/1-25/bin/linux/arm64/kubeadm
5a9235bb142cb16175576d61c622dab55941fdb01558c9deaef4b88df51efe4b _output/1-25/bin/linux/arm64/kubectl
28bd038e3a597ca4bc7b1b4e3048ebe062ad156a43dd48ac88ee252780a8bc71 _output/1-25/bin/linux/arm64/kubelet
ccee2e7dcacf35841cc04395e4ffdb861861ea6231967f8c2a1c32eb0fa525ed _output/1-25/bin/windows/amd64/kube-proxy.exe
c5f584a17a6ca75476ff212e729fdb27390de444f27dc63a3021a611acbfd700 _output/1-25/bin/windows/amd64/kubeadm.exe
945209a394717cad94277beb4e8e6af93f77393aaf30e628abc947bec8cba3eb _output/1-25/bin/windows/amd64/kubectl.exe
f23c1b76b082c60313f4f057a1f2d7bcc8f5e2c121c64c2ca01f284a6544e7a0 _output/1-25/bin/windows/amd64/kubelet.exe
@@ -4,25 +4,25 @@ Date: Wed, 21 Dec 2022 20:12:26 -0600
Subject: [PATCH] --EKS-PATCH-- admission webhook exclusion from file

---
.../generic/exclusionrules/exclusion.go | 152 +++++++
.../generic/exclusionrules/exclusion_test.go | 425 ++++++++++++++++++
.../exclusionrules/critical_path_excluder.go | 152 +++++++
.../critical_path_excluder_test.go | 427 ++++++++++++++++++
.../webhook/generic/exclusionrules/matcher.go | 81 ++++
.../generic/exclusionrules/matcher_test.go | 333 ++++++++++++++
.../plugin/webhook/generic/webhook.go | 5 +
.../webhook_exclusion_rules_test.go | 278 ++++++++++++
.../plugin/webhook/generic/webhook.go | 24 +
.../webhook_exclusion_rules_test.go | 281 ++++++++++++
vendor/modules.txt | 1 +
7 files changed, 1275 insertions(+)
create mode 100644 staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook/generic/exclusionrules/exclusion.go
create mode 100644 staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook/generic/exclusionrules/exclusion_test.go
7 files changed, 1299 insertions(+)
create mode 100644 staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook/generic/exclusionrules/critical_path_excluder.go
create mode 100644 staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook/generic/exclusionrules/critical_path_excluder_test.go
create mode 100644 staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook/generic/exclusionrules/matcher.go
create mode 100644 staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook/generic/exclusionrules/matcher_test.go
create mode 100644 test/integration/apiserver/admissionwebhook/webhook_exclusion_rules_test.go

diff --git a/staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook/generic/exclusionrules/exclusion.go b/staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook/generic/exclusionrules/exclusion.go
diff --git a/staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook/generic/exclusionrules/critical_path_excluder.go b/staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook/generic/exclusionrules/critical_path_excluder.go
new file mode 100644
index 00000000000..71c4f548854
index 00000000000..65abc4496a8
--- /dev/null
+++ b/staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook/generic/exclusionrules/exclusion.go
+++ b/staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook/generic/exclusionrules/critical_path_excluder.go
@@ -0,0 +1,152 @@
+package exclusionrules
+
@@ -35,11 +35,10 @@ index 00000000000..71c4f548854
+)
+
+// Enables you to pass a config file to kube-api-server
+// that defines resources to exempt from admission webhooks.
+const ADMISSION_WEBHOOK_EXCLUSION_ENV_VAR = "EKS_PATCH_EXCLUSION_RULES_FILE"
+
+func init() {
+ LoadRules()
+type CriticalPathExcluder struct {
+ exclusionRules []ExclusionRule
+}
+
+type ExclusionRule struct {
@@ -71,7 +70,13 @@ index 00000000000..71c4f548854
+ Scope *v1.ScopeType `json:"scope,omitempty"`
+}
+
+var exclusionRules []ExclusionRule
+func NewCriticalPathExcluder() CriticalPathExcluder {
+ exclusionRulesFromFile := readFile()
+ filteredExclusionRules := filterValidRules(exclusionRulesFromFile)
+ return CriticalPathExcluder{
+ exclusionRules: filteredExclusionRules,
+ }
+}
+
+func readFile() []ExclusionRule {
+ //Default values for backwards compatability for eks-d
@@ -162,26 +167,21 @@ index 00000000000..71c4f548854
+ return false
+}
+
+func LoadRules() {
+ exclusionRulesFromFile := readFile()
+ exclusionRules = filterValidRules(exclusionRulesFromFile)
+}
+
+func ShouldSkipWebhookDueToExclusionRules(attr admission.Attributes) bool {
+ for _, r := range exclusionRules {
+func (excludor CriticalPathExcluder) ShouldSkipWebhookDueToExclusionRules(attr admission.Attributes) bool {
+ for _, r := range excludor.exclusionRules {
+ m := Matcher{ExclusionRule: r, Attr: attr}
+ if m.Matches() {
+ return true
+ }
+ }
+ return false
+}
diff --git a/staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook/generic/exclusionrules/exclusion_test.go b/staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook/generic/exclusionrules/exclusion_test.go
diff --git a/staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook/generic/exclusionrules/critical_path_excluder_test.go b/staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook/generic/exclusionrules/critical_path_excluder_test.go
new file mode 100644
index 00000000000..ab6da215728
index 00000000000..481348aa463
--- /dev/null
+++ b/staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook/generic/exclusionrules/exclusion_test.go
@@ -0,0 +1,425 @@
+++ b/staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook/generic/exclusionrules/critical_path_excluder_test.go
@@ -0,0 +1,427 @@
+package exclusionrules
+
+import (
@@ -294,8 +294,10 @@ index 00000000000..ab6da215728
+ }
+ for _, testcase := range testcases {
+ t.Run(testcase.name, func(t *testing.T) {
+ exclusionRules = testcase.exclusionRules
+ result := ShouldSkipWebhookDueToExclusionRules(testcase.attr)
+ criticalPathExcluder := CriticalPathExcluder{
+ exclusionRules: testcase.exclusionRules,
+ }
+ result := criticalPathExcluder.ShouldSkipWebhookDueToExclusionRules(testcase.attr)
+ if result != testcase.result {
+ t.Fatalf("Unexpected result %v for test case %v", result, testcase.name)
+ }
@@ -1034,22 +1036,55 @@ index 00000000000..3f7abbb9d90
+ }
+}
diff --git a/staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook/generic/webhook.go b/staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook/generic/webhook.go
index c04225e94f7..f12f920e29e 100644
index c04225e94f7..8d9c56c9db6 100644
--- a/staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook/generic/webhook.go
+++ b/staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook/generic/webhook.go
@@ -20,6 +20,7 @@ import (
@@ -20,6 +20,8 @@ import (
"context"
"fmt"
"io"
+ "k8s.io/apiserver/pkg/admission/plugin/webhook/generic/exclusionrules"

+ "sync"

admissionv1 "k8s.io/api/admission/v1"
admissionv1beta1 "k8s.io/api/admission/v1beta1"
@@ -153,6 +154,10 @@ func (a *Webhook) ShouldCallHook(h webhook.WebhookAccessor, attr admission.Attri
@@ -38,6 +40,20 @@ import (
clientset "k8s.io/client-go/kubernetes"
)

+var criticalPathExcluder exclusionrules.CriticalPathExcluder
+var LoadCriticalPathExcluder *sync.Once
+
+func init() {
+ // We are using a pointer to sync.Once in order to "reset" the sync.Once within our integration tests
+ // so that when the integration test api-server starts up, sync.Once has not been exhausted
+ // this is required because LoadCriticalPathExcluder is a global variable and when a suite of tests run
+ // the first test that starts an api-server will use up the sync.Once and subsequent launches of the api-server will
+ // not try to load the exclusion rules.
+ // see: test/integration/apiserver/admissionwebhook/webhook_exclusion_rules_test.go
+ // see: https://github.com/golang/go/issues/25955#issuecomment-398278056
+ LoadCriticalPathExcluder = new(sync.Once)
+}
+
// Webhook is an abstract admission plugin with all the infrastructure to define Admit or Validate on-top.
type Webhook struct {
*admission.Handler
@@ -85,6 +101,10 @@ func NewWebhook(handler *admission.Handler, configFile io.Reader, sourceFactory
cm.SetAuthenticationInfoResolver(authInfoResolver)
cm.SetServiceResolver(webhookutil.NewDefaultServiceResolver())

+ LoadCriticalPathExcluder.Do(func() {
+ criticalPathExcluder = exclusionrules.NewCriticalPathExcluder()
+ })
+
return &Webhook{
Handler: handler,
sourceFactory: sourceFactory,
@@ -153,6 +173,10 @@ func (a *Webhook) ShouldCallHook(h webhook.WebhookAccessor, attr admission.Attri
return nil, nil
}

+ if exclusionrules.ShouldSkipWebhookDueToExclusionRules(attr) {
+ if criticalPathExcluder.ShouldSkipWebhookDueToExclusionRules(attr) {
+ return nil, nil
+ }
+
@@ -1058,18 +1093,20 @@ index c04225e94f7..f12f920e29e 100644
m := rules.Matcher{Rule: r, Attr: attr}
diff --git a/test/integration/apiserver/admissionwebhook/webhook_exclusion_rules_test.go b/test/integration/apiserver/admissionwebhook/webhook_exclusion_rules_test.go
new file mode 100644
index 00000000000..0575b054b10
index 00000000000..3388050d507
--- /dev/null
+++ b/test/integration/apiserver/admissionwebhook/webhook_exclusion_rules_test.go
@@ -0,0 +1,278 @@
@@ -0,0 +1,281 @@
+package admissionwebhook
+
+import (
+ "context"
+ "fmt"
+ coordinationv1 "k8s.io/api/coordination/v1"
+ "k8s.io/apiserver/pkg/admission/plugin/webhook/generic"
+ "k8s.io/apiserver/pkg/admission/plugin/webhook/generic/exclusionrules"
+ "os"
+ "sync"
+ "testing"
+ "time"
+
@@ -1092,6 +1129,7 @@ index 00000000000..0575b054b10
+)
+
+func TestWebhookExclusionRulesNoEnvVarSet(t *testing.T) {
+ generic.LoadCriticalPathExcluder = new(sync.Once) //reset sync.Once to force behavior of new startup https://github.com/golang/go/issues/25955#issuecomment-398278056
+ t.Logf("starting server")
+ server := kubeapiservertesting.StartTestServerOrDie(t, nil, nil, framework.SharedEtcd())
+ defer server.TearDownFn()
@@ -1111,6 +1149,7 @@ index 00000000000..0575b054b10
+}
+
+func TestWebhookExclusionRulesEnvVarSetNoFile(t *testing.T) {
+ generic.LoadCriticalPathExcluder = new(sync.Once) //reset sync.Once to force behavior of new startup https://github.com/golang/go/issues/25955#issuecomment-398278056
+ server := kubeapiservertesting.StartTestServerOrDie(t, nil, nil, framework.SharedEtcd())
+ defer server.TearDownFn()
+
@@ -1124,7 +1163,6 @@ index 00000000000..0575b054b10
+ if err != nil {
+ t.Fatalf("unexpected error clearing %v env var", exclusionrules.ADMISSION_WEBHOOK_EXCLUSION_ENV_VAR)
+ }
+ exclusionrules.LoadRules()
+
+ createBrokenWebhook(t, client)
+
@@ -1138,6 +1176,7 @@ index 00000000000..0575b054b10
+}
+
+func TestWebhookExclusionRulesEnvVarSetBadFile(t *testing.T) {
+ generic.LoadCriticalPathExcluder = new(sync.Once) //reset sync.Once to force behavior of new startup https://github.com/golang/go/issues/25955#issuecomment-398278056
+ // Test env var set, bad file, should be broken webhook
+ err := os.Setenv(exclusionrules.ADMISSION_WEBHOOK_EXCLUSION_ENV_VAR, exclusionRulesFile)
+ if err != nil {
@@ -1149,7 +1188,6 @@ index 00000000000..0575b054b10
+ }
+ defer os.Remove(exclusionRulesFile)
+
+ exclusionrules.LoadRules()
+ server := kubeapiservertesting.StartTestServerOrDie(t, nil, nil, framework.SharedEtcd())
+ defer server.TearDownFn()
+
@@ -1169,6 +1207,7 @@ index 00000000000..0575b054b10
+}
+
+func TestWebhookExclusionRules(t *testing.T) {
+ generic.LoadCriticalPathExcluder = new(sync.Once) //reset sync.Once to force behavior of new startup https://github.com/golang/go/issues/25955#issuecomment-398278056
+ err := os.Setenv(exclusionrules.ADMISSION_WEBHOOK_EXCLUSION_ENV_VAR, exclusionRulesFile)
+ if err != nil {
+ t.Fatalf("unexpected error clearing %v env var", exclusionrules.ADMISSION_WEBHOOK_EXCLUSION_ENV_VAR)
@@ -1192,7 +1231,6 @@ index 00000000000..0575b054b10
+ }
+ defer os.Remove(exclusionRulesFile)
+
+ exclusionrules.LoadRules()
+ server := kubeapiservertesting.StartTestServerOrDie(t, nil, nil, framework.SharedEtcd())
+ defer server.TearDownFn()
+
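Review bot: `LoadCriticalPathExcluder` in the webhook.go part of the patch is an exported, reassignable `*sync.Once` guarding a package-level `criticalPathExcluder`, so the rule set that lets requests bypass admission webhooks becomes process-global state that any importing package can re-arm, and the reassignment the integration tests perform is not synchronised with the `Do` call in `NewWebhook`. Holding the excluder on the `Webhook` value would remove both the global and the test-only reset: add a `criticalPathExcluder` field, set it with `criticalPathExcluder: exclusionrules.NewCriticalPathExcluder(),` in the struct literal `NewWebhook` returns, and check `if a.criticalPathExcluder.ShouldSkipWebhookDueToExclusionRules(attr) {` in `ShouldCallHook`. The skip branch there returns `nil, nil` with no log line or metric visible in the hunk, so a request that bypassed a webhook because of a file rule leaves no trace for whoever audits policy enforcement; a log entry and a short comment stating that intent would help. Several hunks on this page are collapsed, so `readFile`, `filterValidRules` and the remainder of both functions lie outside what is visible here.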