Add validating admission webhook

[przemeklal]

Add validating admission webhook:

• Add validating admission webhook HTTP server application
• Handle incoming AdmissionReview requests and validate their correctness, handle errors if any
• Validate Network Attachment Definition objects
• Send AdmissionReview response with allowed/denied decision and its reason
• In case of any other errors (malformed HTTP request, empty body, etc.) send proper HTTP error code
• Use TLS encryption
• Add some basic unit tests for Network Attachment Definition objects validation
• Build Docker image with webhook application

Add deployment files for validating admission webhook:

• Add script for automated certificates and secret generation
• Add deployment, service and webhook configuration specification files

Add documentation for validating admission webhook.

Fixes #119.

Signed-off-by: Przemyslaw Lal przemyslawx.lal@intel.com

[coveralls]

Pull Request Test Coverage Report for Build 421

• 78 of 140 (55.71%) changed or added relevant lines in 1 file are covered.
• 236 unchanged lines in 3 files lost coverage.
• Overall coverage increased (+2.7%) to 47.721%

---

Changes Missing Coverage	Covered Lines	Changed/Added Lines	%
webhook/webhook.go	78	140	55.71%

Files with Coverage Reduction	New Missed Lines	%
types/conf.go	57	27.71%
multus/multus.go	75	52.87%
k8sclient/k8sclient.go	104	48.86%

Totals
Change from base Build 345:	2.7%
Covered Lines:	492
Relevant Lines:	1031

---

💛 - Coveralls

[rkamudhan]

Thank a lot @przemek-lal . I will test it :)

[rkamudhan]

Deployment comments: likely to flexible with all env

[rkamudhan]

Added comments

[rkamudhan]

Include the proxy build args here

docker build --build-arg http_proxy=$(http_proxy) \
		--build-arg HTTP_PROXY=$(HTTP_PROXY) \
		--build-arg https_proxy=$(https_proxy) \
		--build-arg HTTPS_PROXY=$(HTTPS_PROXY) \
		--build-arg no_proxy=$(no_proxy) \
		--build-arg NO_PROXY=$(NO_PROXY) \

[rkamudhan]

change it something like this

#!/usr/bin/env bash
set -e

docker build --build-arg http_proxy=${http_proxy} \
                --build-arg HTTP_PROXY=${HTTP_PROXY} \
                --build-arg https_proxy=${https_proxy} \
                --build-arg HTTPS_PROXY=${HTTPS_PROXY} \
                --build-arg no_proxy=${no_proxy} \
                --build-arg NO_PROXY=${NO_PROXY} -t multus-webhook .

[rkamudhan]

Please change the build script to fit all the deployment env

[rkamudhan]

Include proxy env

[rkamudhan]

change it something like this

#!/usr/bin/env bash
set -e

docker build --build-arg http_proxy=${http_proxy} \
                --build-arg HTTP_PROXY=${HTTP_PROXY} \
                --build-arg https_proxy=${https_proxy} \
                --build-arg HTTPS_PROXY=${HTTPS_PROXY} \
                --build-arg no_proxy=${no_proxy} \
                --build-arg NO_PROXY=${NO_PROXY} -t multus-webhook .

[przemeklal]

okay, proxy env variables added

[rkamudhan]

Regarding the ./certs.sh

I am getting the following error:

 ./certs.sh
Generating private RSA key...
Generating CSR configuration file...
Sending CSR to Kubernetes...
certificatesigningrequest.certificates.k8s.io/multus-webhook-service.default created
Approving CSR...
certificatesigningrequest.certificates.k8s.io/multus-webhook-service.default approved
Waiting for the certificate to be issued..................
Error: certificate not issued. Verify that the API for signing certificates is enabled.

[przemeklal]

Error message says it all:
Error: certificate not issued. Verify that the API for signing certificates is enabled.

As stated in the Manage TLS Certificates in a Cluster guide, in order to sign certificate with Kubernetes CA you need to pass the --cluster-signing-cert-file and --cluster-signing-key-file parameters to the controller manager with paths to your Certificate Authority’s keypair.

[przemeklal]

This should be a Deployment instead of a Pod. I'll update the PR.

[rkamudhan]

@przemek-lal Thanks . I will check these option in my controller. Could you please update the readme file on this. I believe most of the developers, are not aware of these items.

[przemeklal]

Okay, I made a couple of updates:

• moved the webhook app from pod to a deployment (should improve availability after reboots, Docker restarts, K8s nodes going down etc.)
• explicitly mentioned the K8s controller manager arguments which need to be configured in order to enable TLS certs management in a cluster in the webhook doc
• added more tests to bring up coverage so coveralls doesn't fail and beyond that some minor error handling improvements

[rkamudhan]

In my set-up, I am getting only this log, and multus webhook is allowing the invalid net-attach-def

# kubectl logs -l app=multus-webhook
2018-10-12T14:53:49Z [debug] Starting Multus webhook server

Will sync up to get the more details.

[dougbtv]

Looking into a fix for this, but, a few things...

Firstly, If I run the ./certs.sh as a regular user, where my root user doesn't have kubernetes access... I'm presented with the following error:

[centos@kube-master-1 webhook]$ ./certs.sh
Generating private RSA key...
Generating CSR configuration file...
Sending CSR to Kubernetes...
certificatesigningrequest.certificates.k8s.io/multus-webhook-service.default created
Approving CSR...
certificatesigningrequest.certificates.k8s.io/multus-webhook-service.default approved
Waiting for the certificate to be issued...
Certificate issued succesfully.
Creating secret...
Error from server (NotFound): secrets "multus-webhook-secret" not found
secret/multus-webhook-secret created
Patching configuration file with certificate...
./certs.sh: line 91: configuration.yaml: Permission denied
File configuration.yaml patched.

Secondarily, I'm wondering if there's a way we can do this without the installation requiring a shell script to be run before we start this up. Looking for a way to automate this process and reduce the steps to have this installed, maybe through a daemonset / init containers / etc.

[ghost]

Hey Doug, I think that the TLS bootstrapping could be done in a Job. It would create a private key, sign it with K8s CA, then create a secret and validating admission controller configuration. So there would be literally zero input from the user required apart from creating the job by running kubectl command. Would this make sense? In this case no bash scripts would be needed, so no problems with the permissions you had.

[przemeklal]

Hey guys, I just opened a new PR #186 which contains slightly updated validating webhook code and completely changes deployment procedure. It also adds feature for mutating pods basing on the network objects annotations presence, more details in that PR.

[dougbtv]

Guys, it's time! OK to merge this up, sorry if the delay was on my end.