add webhook validation #1158
add webhook validation #1158
Conversation
ayj
force-pushed
the
crd-validation-webhook-step-1
branch
from
bb3b1e7
to
c755afb
Compare
|
/test pilot-e2e-smoketest |
|
/retest |
1 similar comment
|
/retest |
platform/kube/admit/admit.go
Outdated
| DefaultAdmissionServiceName = "istio-pilot-config" | ||
| ) | ||
|
|
||
| // Admit implements the external admission webhook for validation |
platform/kube/admit/admit.go
Outdated
|
|
||
| // DefaultAdmissionServiceName is the default service of the | ||
| // validation webhook. | ||
| DefaultAdmissionServiceName = "istio-pilot-config" |
There was a problem hiding this comment.
should this be pilot itself? seems unnecessary to allocate a service just for validation.
There was a problem hiding this comment.
Yes, though we'll need a new port since this is HTTPS. We'll also need to temporary use a different service name as a workaround for the issue described here, but that should eventually go away (k8s 1.8+).
There was a problem hiding this comment.
I see, then it makes sense but deserves a note in the comment.
platform/kube/admit/admit.go
Outdated
| validateNamespaces []string | ||
| } | ||
|
|
||
| // GetAPIServerExtensionCACert gets the CA cert that will signed the |
platform/kube/admit/admit.go
Outdated
| // controller. | ||
| func GetAPIServerExtensionCACert(cl kubernetes.Interface) ([]byte, error) { | ||
| const name = "extension-apiserver-authentication" | ||
| c, err := cl.CoreV1().ConfigMaps(metav1.NamespaceSystem).Get(name, metav1.GetOptions{}) |
There was a problem hiding this comment.
Why not a secret to store CA cert?
There was a problem hiding this comment.
Is kube-system the right place to store the config? Is the name of the config standard?
There was a problem hiding this comment.
That is where Kubernetes stores the aggregate apiserver's client CA certificate. We don't control this.
$ kubectl -n kube-system get cm extension-apiserver-authentication
NAME DATA AGE
extension-apiserver-authentication 6 17dThere was a problem hiding this comment.
Please mention this. It might appear as if we're choosing these names.
platform/kube/admit/admit.go
Outdated
| } | ||
|
|
||
| // New creates a new instance of the admission webhook controller. | ||
| func New(descriptor model.ConfigDescriptor, hookConfigName, hookName, serviceName, serviceNamespace string, validateNamespaces []string, caBundle []byte) *Admit { // nolint: lll |
There was a problem hiding this comment.
nit: constructors are usually called Create or Make around here. Too bad there's no standard name for the pattern. Also, Admit does not sound good as a thing, maybe call it AdmissionController.
platform/kube/admit/admit.go
Outdated
| } | ||
| } | ||
|
|
||
| // Unregister registers the external admission webhook |
platform/kube/admit/admit.go
Outdated
| Rules: []admissionregistrationv1alpha1.RuleWithOperations{{ | ||
| Operations: []admissionregistrationv1alpha1.OperationType{ | ||
| admissionregistrationv1alpha1.Create, | ||
| admissionregistrationv1alpha1.Update, |
There was a problem hiding this comment.
There is no PATCH operation for admission (see https://github.com/kubernetes/kubernetes/blob/master/pkg/apis/admissionregistration/types.go#L186
platform/kube/admit/admit.go
Outdated
| func (a *Admit) Register(client admissionClient.ExternalAdmissionHookConfigurationInterface) error { | ||
| var resources []string | ||
| for _, schema := range a.descriptor { | ||
| resources = append(resources, schema.Plural) |
There was a problem hiding this comment.
is this expecting the kind name? then it should "RouteRules", not "route-rules"
There was a problem hiding this comment.
This is the resource name, e.g. pods and not Pod (see https://kubernetes.io/docs/admin/extensible-admission-controllers/#configure-initializers-on-the-fly)
There was a problem hiding this comment.
then it's probably to remove "-" if the library code doesn't deal with it well.
platform/kube/admit/admit.go
Outdated
| }, | ||
| }, | ||
| } | ||
| client.Delete(webhook.Name, nil) // nolint: errcheck |
There was a problem hiding this comment.
might be worth logging even if ignoring the error, for debugging purposes
platform/kube/admit/testcerts.go
Outdated
| // This file was generated using openssl by the gencerts.sh script | ||
| // and holds raw certificates for the webhook tests. | ||
|
|
||
| package admit |
There was a problem hiding this comment.
admit_test is probably better to make it clear these are test artifacts
Codecov Report
@@ Coverage Diff @@
## master #1158 +/- ##
==========================================
- Coverage 70.47% 69.93% -0.55%
==========================================
Files 55 54 -1
Lines 6399 6732 +333
==========================================
+ Hits 4510 4708 +198
- Misses 1668 1798 +130
- Partials 221 226 +5
Continue to review full report at Codecov.
|
|
/retest |
|
cc @GregHanson .. you might want to update your k8s image to 1.7.4 |
| @@ -1,7 +1,7 @@ | |||
| #!/bin/bash | |||
| set -ex | |||
|
|
|||
| buildifier -showlog -mode=check $(find . -type f \( -name 'BUILD' -or -name 'WORKSPACE' -or -wholename '.*bazel' -or -wholename '.*bzl' \) -print ) | |||
| buildifier -showlog -mode=check $(find . -type f \( -name 'BUILD' -or -name 'WORKSPACE' -or -wholename '.*bazel$' -or -wholename '.*bzl$' \) -print ) | |||
|
I went ahead and integrated the webhook with istio-pilot discovery service. It's off by default and requires an additional helper script to work on GKE (see platform/kube/admit/webhook-workaround.sh). I set things up so the majority of the code can be used as-is with some minimal changes to cert derivation/distribution w/o |
|
/retest |
platform/kube/admit/admit.go
Outdated
| // // validate webhook's service certificate. | ||
| // CABundle []byte | ||
|
|
||
| // DomainSuffix is the DNS domain suffix for Istio CRD resources, e.g. local.cluster. |
| @@ -29,6 +29,11 @@ rules: | |||
| - apiGroups: [""] | |||
| resources: ["namespaces", "nodes", "secrets"] | |||
| verbs: ["get", "list", "watch"] | |||
| {{if .UseAdmissionWebhook}} | |||
There was a problem hiding this comment.
nit: may drop this, since it's a superset of RBAC permissions.
|
/retest |
|
@ayj please merge with master.. and upload test logs from your local test cluster run.. Need e2e tests from istio/istio to pass. |
|
rebase please. |
What this PR does / why we need it:
Add the
istio.io/pilot/platform/kube/admitpackage which implements the ExternalAdmissionWebhook for server-side validation of Pilot configuration. This includes a script to enable the workaround described here.This feature requires 1.7.x with external-admission-webhooks. General instructions to enable are here. Specific testing instructions for GKE and Minikube are documented here.
Which issue this PR fixes (optional, in
fixes #<issue number>(, fixes #<issue_number>, ...)format, will close that issue when PR gets merged): fixes #Fixes #1066.
Special notes for your reviewer:
UPDATED: this PR includes integration with the istio-pilot discovery service. The admission registration is disabled by default since it requires an additional workaround for GKE (see platform/kube/admit/webhook-workaround.sh).
Users can experiment with this feature on GKE using the e2e pre-submit test with the following sequence of commands.
bin/e2e.sh -use-admission-webhookplatform/kube/admit/webhook-workaround.shand specify the server-name, secret-name, namespace, and port number of the pilot discovery service, e.g.platform/kube/admit/webhook-workaround.sh \ --service-name istio-pilot \ --secret-name pilot-webhook \ --namespace istio-test-w1g0f \ --port 443This script converts the istio-pilot discovery service to type=LoadBalancer, waits for ingress IP, creates the workaround external service/endpoint, generates required CA and server certs for webhook, and creates the corresponding k8s secret which is consumed by the admission webhook server.
wait until the LoadBalancer IP forwarding rule is propagated in GCP. You can try curl'ing
<ExternalIP>:8000/v1/registrationuntil a valid response is returned.Create a (in)valid pilot configuration via kubectl (or istioctl). Invalid configuration should be rejected by apiserver with appropriate error message.
Release note: