Looks good to me (modulo minor comments and requests for clarification). Can you document cluster requirements for this PR? Is this already available on GKE?
platform/kube/admit/admit.go
Outdated
DefaultAdmissionServiceName = "istio-pilot-config"
)

// Admit implements the external admission webhook for validation
validation of
platform/kube/admit/admit.go
Outdated
// DefaultAdmissionServiceName is the default service of the
// validation webhook.
DefaultAdmissionServiceName = "istio-pilot-config"
should this be pilot itself? seems unnecessary to allocate a service just for validation.
Yes, though we'll need a new port since this is HTTPS. We'll also need to temporarily use a different service name as a workaround for the issue described here, but that should eventually go away (k8s 1.8+).
I see, then it makes sense but deserves a note in the comment.
platform/kube/admit/admit.go
Outdated
	validateNamespaces []string
}

// GetAPIServerExtensionCACert gets the CA cert that will signed the
will be signed by
platform/kube/admit/admit.go
Outdated
// controller.
func GetAPIServerExtensionCACert(cl kubernetes.Interface) ([]byte, error) {
	const name = "extension-apiserver-authentication"
	c, err := cl.CoreV1().ConfigMaps(metav1.NamespaceSystem).Get(name, metav1.GetOptions{})
Why not a secret to store CA cert?
Is kube-system the right place to store the config? Is the name of the config standard?
That is where Kubernetes stores the aggregate apiserver's client CA certificate. We don't control this.
$ kubectl -n kube-system get cm extension-apiserver-authentication
NAME DATA AGE
extension-apiserver-authentication 6 17d
Please mention this. It might appear as if we're choosing these names.
platform/kube/admit/admit.go
Outdated
}

// New creates a new instance of the admission webhook controller.
func New(descriptor model.ConfigDescriptor, hookConfigName, hookName, serviceName, serviceNamespace string, validateNamespaces []string, caBundle []byte) *Admit { // nolint: lll
nit: constructors are usually called Create or Make around here. Too bad there's no standard name for the pattern. Also, Admit does not sound good as a thing, maybe call it AdmissionController.
platform/kube/admit/admit.go
Outdated
	}
}

// Unregister registers the external admission webhook
unregisters
platform/kube/admit/admit.go
Outdated
Rules: []admissionregistrationv1alpha1.RuleWithOperations{{
	Operations: []admissionregistrationv1alpha1.OperationType{
		admissionregistrationv1alpha1.Create,
		admissionregistrationv1alpha1.Update,
PATCH?
There is no PATCH operation for admission (see https://github.com/kubernetes/kubernetes/blob/master/pkg/apis/admissionregistration/types.go#L186).
platform/kube/admit/admit.go
Outdated
func (a *Admit) Register(client admissionClient.ExternalAdmissionHookConfigurationInterface) error {
	var resources []string
	for _, schema := range a.descriptor {
		resources = append(resources, schema.Plural)
is this expecting the kind name? then it should "RouteRules", not "route-rules"
This is the resource name, e.g. pods and not Pod (see https://kubernetes.io/docs/admin/extensible-admission-controllers/#configure-initializers-on-the-fly).
then it's probably to remove "-" if the library code doesn't deal with it well.
platform/kube/admit/admit.go
Outdated
		},
	},
}
client.Delete(webhook.Name, nil) // nolint: errcheck
might be worth logging even if ignoring the error, for debugging purposes
platform/kube/admit/testcerts.go
Outdated
// This file was generated using openssl by the gencerts.sh script
// and holds raw certificates for the webhook tests.

package admit
admit_test is probably better to make it clear these are test artifacts
Codecov Report
@@ Coverage Diff @@
## master #1158 +/- ##
==========================================
- Coverage 70.47% 69.93% -0.55%
==========================================
Files 55 54 -1
Lines 6399 6732 +333
==========================================
+ Hits 4510 4708 +198
- Misses 1668 1798 +130
- Partials 221 226 +5
Continue to review full report at Codecov.
cc @GregHanson .. you might want to update your k8s image to 1.7.4
@@ -1,7 +1,7 @@ | |||
#!/bin/bash | |||
set -ex | |||
|
|||
buildifier -showlog -mode=check $(find . -type f \( -name 'BUILD' -or -name 'WORKSPACE' -or -wholename '.*bazel' -or -wholename '.*bzl' \) -print ) | |||
buildifier -showlog -mode=check $(find . -type f \( -name 'BUILD' -or -name 'WORKSPACE' -or -wholename '.*bazel$' -or -wholename '.*bzl$' \) -print ) |
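Review bot: the anchored patterns on the new buildifier line match nothing, so the check silently stops covering .bazel and .bzl files. find's -wholename takes a shell glob, not a regex: the pattern must already match the whole path, and $ is an ordinary character there, so '.*bazel$' and '.*bzl$' only match paths ending in the literal text bazel$ or bzl$. BUILD and WORKSPACE are still caught by -name, which is why the script keeps passing. To match by extension, replace the two -wholename clauses with -name '*.bazel' -or -name '*.bzl'. While on this line, the unquoted $(find ...) splits paths on whitespace; find ... -print0 | xargs -0 buildifier -showlog -mode=check is the safe form.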
good fix!
I went ahead and integrated the webhook with istio-pilot discovery service. It's off by default and requires an additional helper script to work on GKE (see platform/kube/admit/webhook-workaround.sh). I set things up so the majority of the code can be used as-is with some minimal changes to cert derivation/distribution w/o
Looks good. Thanks, Jason!
platform/kube/admit/admit.go
Outdated
// // validate webhook's service certificate.
// CABundle []byte

// DomainSuffix is the DNS domain suffix for Istio CRD resources, e.g. local.cluster.
nit: cluster.local
@@ -29,6 +29,11 @@ rules: | |||
- apiGroups: [""] | |||
resources: ["namespaces", "nodes", "secrets"] | |||
verbs: ["get", "list", "watch"] | |||
{{if .UseAdmissionWebhook}} |
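Review bot: only the opening {{if .UseAdmissionWebhook}} guard is visible, although the header says five lines were added, so the rules it gates and the closing {{end}} cannot be reviewed for scope here; please show the gated rule in full. On the suggestion to drop the guard because the existing permissions are already a superset: they are not, for this change. Register and Delete on ExternalAdmissionHookConfigurationInterface above write a cluster-scoped admissionregistration.k8s.io resource, which the existing get/list/watch on namespaces, nodes and secrets does not cover, and the PR description says the webhook is off by default. Granting those write verbs only when the flag is set is the least-privilege option, so keep the guard and name the exact resource and verbs in the gated rule.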
nit: may drop this, since it's a superset of RBAC permissions.
@ayj please merge with master.. and upload test logs from your local test cluster run.. Need e2e tests from istio/istio to pass.
rebase please.
What this PR does / why we need it:
Add the istio.io/pilot/platform/kube/admit package which implements the ExternalAdmissionWebhook for server-side validation of Pilot configuration. This includes a script to enable the workaround described here. This feature requires 1.7.x with external-admission-webhooks. General instructions to enable are here. Specific testing instructions for GKE and Minikube are documented here.
Which issue this PR fixes: Fixes #1066.
Special notes for your reviewer:
UPDATED: this PR includes integration with the istio-pilot discovery service. The admission registration is disabled by default since it requires an additional workaround for GKE (see platform/kube/admit/webhook-workaround.sh).
Users can experiment with this feature on GKE using the e2e pre-submit test with the following sequence of commands.

1. Run bin/e2e.sh -use-admission-webhook
2. Run platform/kube/admit/webhook-workaround.sh and specify the service-name, secret-name, namespace, and port number of the pilot discovery service, e.g.

   platform/kube/admit/webhook-workaround.sh \
     --service-name istio-pilot \
     --secret-name pilot-webhook \
     --namespace istio-test-w1g0f \
     --port 443

   This script converts the istio-pilot discovery service to type=LoadBalancer, waits for the ingress IP, creates the workaround external service/endpoint, generates the required CA and server certs for the webhook, and creates the corresponding k8s secret which is consumed by the admission webhook server.
3. Wait until the LoadBalancer IP forwarding rule is propagated in GCP. You can try curl'ing <ExternalIP>:8000/v1/registration until a valid response is returned.
4. Create a (in)valid pilot configuration via kubectl (or istioctl). Invalid configuration should be rejected by apiserver with appropriate error message.
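An added example, not code from this PR or from Istio, that pulls together the two halves of the certificate story in this thread: the CA that webhook-workaround.sh generates for the serving certificate and the caBundle, and the apiserver client CA that GetAPIServerExtensionCACert reads from the kube-system extension-apiserver-authentication ConfigMap. Assumptions: the ConfigMap key holding that CA is requestheader-client-ca-file (the real map has six keys, as the kubectl output in the review shows); ECDSA P-256 keys stand in for the script's openssl output; the service name and namespace are the ones from the command above; and wiring the ConfigMap CA into ClientCAs with RequireAndVerifyClientCert is how I would have the webhook authenticate the apiserver, not necessarily what this PR does. The serving certificate carries the service's in-cluster DNS names as SANs because that is the name the apiserver dials and checks against caBundle; VerifyServerCert replays that check, so a certificate issued for the wrong namespace, or a bundle from a different CA, fails before anything is registered.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Assumed key of the apiserver client CA in the kube-system extension-apiserver-authentication ConfigMap.
const requestHeaderClientCAKey = "requestheader-client-ca-file"
// ClientCAPool turns the ConfigMap's data map into the pool the webhook trusts for client certs.
func ClientCAPool(data map[string]string) (*x509.CertPool, error) {
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM([]byte(data[requestHeaderClientCAKey])) {
		return nil, fmt.Errorf("no CA certificate under key %q in extension-apiserver-authentication", requestHeaderClientCAKey)
	}
	return pool, nil
}

// NewCA mints a self-signed CA, a stand-in for the openssl step of webhook-workaround.sh.
func NewCA(cn string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// NewServerCert issues the serving cert; its SANs are the service's in-cluster DNS names, which the apiserver checks.
func NewServerCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, service, namespace string) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	svc := service + "." + namespace + ".svc"
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: svc},
		DNSNames:  []string{svc, svc + ".cluster.local"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:  x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// CABundle is the PEM that goes into the webhook registration's caBundle field.
func CABundle(ca *x509.Certificate) []byte {
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: ca.Raw})
}

// VerifyServerCert replays the apiserver's check: chain to caBundle and match the service DNS name.
func VerifyServerCert(serverCert tls.Certificate, caBundle []byte, dnsName string) error {
	roots := x509.NewCertPool()
	if !roots.AppendCertsFromPEM(caBundle) {
		return errors.New("caBundle contains no certificate")
	}
	leaf, err := x509.ParseCertificate(serverCert.Certificate[0])
	if err != nil {
		return err
	}
	_, err = leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: dnsName})
	return err
}

// WebhookTLSConfig presents the serving cert and requires, not merely requests, an apiserver-signed client cert.
func WebhookTLSConfig(serverCert tls.Certificate, clientCA *x509.CertPool) *tls.Config {
	return &tls.Config{Certificates: []tls.Certificate{serverCert}, ClientCAs: clientCA,
		ClientAuth: tls.RequireAndVerifyClientCert, MinVersion: tls.VersionTLS12}
}

func main() {
	ca, caKey, _ := NewCA("istio-pilot-webhook-ca")
	srv, _ := NewServerCert(ca, caKey, "istio-pilot", "istio-test-w1g0f")
	fmt.Println("serving cert verifies:", VerifyServerCert(srv, CABundle(ca), "istio-pilot.istio-test-w1g0f.svc") == nil)
	pool, _ := ClientCAPool(map[string]string{requestHeaderClientCAKey: string(CABundle(ca))}) // constructed ConfigMap data, not a real cluster's
	fmt.Println("client auth required:", WebhookTLSConfig(srv, pool).ClientAuth == tls.RequireAndVerifyClientCert)
}
```

The constructed map handed to ClientCAPool in main reuses the webhook CA only so the program is self-contained; in a cluster the ConfigMap holds the aggregation-layer client CA, which must not be confused with the webhook's own serving CA, and if the key is absent ClientCAPool fails closed rather than falling back to tls.NoClientCert.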
Release note: