admission/webhooks: wire global webhook configurations

kcp-dev · Jan 27, 2023 · c9b50c3 · c9b50c3
1 parent a898194
commit c9b50c3
Show file tree

Hide file tree

Showing 5 changed files with 49 additions and 13 deletions.
diff --git a/pkg/admission/initializers/initializer.go b/pkg/admission/initializers/initializer.go
@@ -17,6 +17,7 @@ limitations under the License.
 package initializers
 
 import (
+	kcpkubernetesinformers "github.com/kcp-dev/client-go/informers"
 	kcpkubernetesclientset "github.com/kcp-dev/client-go/kubernetes"
 
 	"k8s.io/apiserver/pkg/admission"
@@ -28,7 +29,7 @@ import (
 )
 
 // NewKcpInformersInitializer returns an admission plugin initializer that injects
-// kcp shared informer factories into admission plugins.
+// both local and global kcp shared informer factories into admission plugins.
 func NewKcpInformersInitializer(
 	local, global kcpinformers.SharedInformerFactory,
 ) *kcpInformersInitializer {
@@ -38,6 +39,27 @@ func NewKcpInformersInitializer(
 	}
 }
 
+type kubeInformersInitializer struct {
+	localKcpInformers, globalKcpInformers kcpkubernetesinformers.SharedInformerFactory
+}
+
+func (i *kubeInformersInitializer) Initialize(plugin admission.Interface) {
+	if wants, ok := plugin.(WantsKubeInformers); ok {
+		wants.SetKubeInformers(i.localKcpInformers, i.globalKcpInformers)
+	}
+}
+
+// NewKubeInformersInitializer returns an admission plugin initializer that injects
+// both local and global kube shared informer factories into admission plugins.
+func NewKubeInformersInitializer(
+	local, global kcpkubernetesinformers.SharedInformerFactory,
+) *kubeInformersInitializer {
+	return &kubeInformersInitializer{
+		localKcpInformers:  local,
+		globalKcpInformers: global,
+	}
+}
+
 type kcpInformersInitializer struct {
 	localKcpInformers, globalKcpInformers kcpinformers.SharedInformerFactory
 }

diff --git a/pkg/admission/initializers/interfaces.go b/pkg/admission/initializers/interfaces.go
@@ -17,18 +17,25 @@ limitations under the License.
 package initializers
 
 import (
+	kcpkubernetesinformers "github.com/kcp-dev/client-go/informers"
 	kcpkubernetesclientset "github.com/kcp-dev/client-go/kubernetes"
 
 	kcpclientset "github.com/kcp-dev/kcp/pkg/client/clientset/versioned/cluster"
 	kcpinformers "github.com/kcp-dev/kcp/pkg/client/informers/externalversions"
 )
 
 // WantsKcpInformers interface should be implemented by admission plugins
-// that want to have a kcp informer factory injected.
+// that want to have both local and global kcp informer factories injected.
 type WantsKcpInformers interface {
 	SetKcpInformers(local, global kcpinformers.SharedInformerFactory)
 }
 
+// WantsKubeInformers interface should be implemented by admission plugins
+// that want to have both local and global kube informer factories injected.
+type WantsKubeInformers interface {
+	SetKubeInformers(local, global kcpkubernetesinformers.SharedInformerFactory)
+}
+
 // WantsKubeClusterClient interface should be implemented by admission plugins
 // that want to have a kube cluster client injected.
 type WantsKubeClusterClient interface {

diff --git a/pkg/admission/mutatingwebhook/plugin.go b/pkg/admission/mutatingwebhook/plugin.go
@@ -20,6 +20,7 @@ import (
 	"context"
 	"io"
 
+	kcpkubernetesinformers "github.com/kcp-dev/client-go/informers"
 	"github.com/kcp-dev/logicalcluster/v3"
 
 	admissionv1 "k8s.io/api/admission/v1"
@@ -30,7 +31,6 @@ import (
 	"k8s.io/apiserver/pkg/admission/plugin/webhook/config"
 	"k8s.io/apiserver/pkg/admission/plugin/webhook/generic"
 	"k8s.io/apiserver/pkg/admission/plugin/webhook/mutating"
-	"k8s.io/apiserver/pkg/informerfactoryhack"
 	webhookutil "k8s.io/apiserver/pkg/util/webhook"
 	"k8s.io/client-go/informers"
 
@@ -53,6 +53,7 @@ var (
 	_ = admission.MutationInterface(&Plugin{})
 	_ = admission.InitializationValidator(&Plugin{})
 	_ = kcpinitializers.WantsKcpInformers(&Plugin{})
+	_ = kcpinitializers.WantsKubeInformers(&Plugin{})
 )
 
 func NewMutatingAdmissionWebhook(configfile io.Reader) (*Plugin, error) {
@@ -118,10 +119,12 @@ func (p *Plugin) Admit(ctx context.Context, attr admission.Attributes, o admissi
 
 // SetExternalKubeInformerFactory implements the WantsExternalKubeInformerFactory interface.
 func (p *Plugin) SetExternalKubeInformerFactory(f informers.SharedInformerFactory) {
-	clusterAwareFactory := informerfactoryhack.Unwrap(f)
+	p.Plugin.SetExternalKubeInformerFactory(f) // for namespaces
+}
+
+func (p *Plugin) SetKubeInformers(local, global kcpkubernetesinformers.SharedInformerFactory) {
 	p.WebhookDispatcher.SetHookSource(func(cluster logicalcluster.Name) generic.Source {
-		informer := clusterAwareFactory.Admissionregistration().V1().MutatingWebhookConfigurations().Cluster(cluster)
+		informer := global.Admissionregistration().V1().MutatingWebhookConfigurations().Cluster(cluster)
 		return configuration.NewMutatingWebhookConfigurationManagerForInformer(informer)
-	}, clusterAwareFactory.Admissionregistration().V1().MutatingWebhookConfigurations().Informer().HasSynced)
-	p.Plugin.SetExternalKubeInformerFactory(f)
+	}, global.Admissionregistration().V1().MutatingWebhookConfigurations().Informer().HasSynced)
 }
diff --git a/pkg/admission/validatingwebhook/plugin.go b/pkg/admission/validatingwebhook/plugin.go
@@ -20,6 +20,7 @@ import (
 	"context"
 	"io"
 
+	kcpkubernetesinformers "github.com/kcp-dev/client-go/informers"
 	"github.com/kcp-dev/logicalcluster/v3"
 
 	admissionv1 "k8s.io/api/admission/v1"
@@ -30,7 +31,6 @@ import (
 	"k8s.io/apiserver/pkg/admission/plugin/webhook/config"
 	"k8s.io/apiserver/pkg/admission/plugin/webhook/generic"
 	"k8s.io/apiserver/pkg/admission/plugin/webhook/validating"
-	"k8s.io/apiserver/pkg/informerfactoryhack"
 	webhookutil "k8s.io/apiserver/pkg/util/webhook"
 	kubernetesinformers "k8s.io/client-go/informers"
 
@@ -53,6 +53,7 @@ var (
 	_ = admission.ValidationInterface(&Plugin{})
 	_ = admission.InitializationValidator(&Plugin{})
 	_ = kcpinitializers.WantsKcpInformers(&Plugin{})
+	_ = kcpinitializers.WantsKubeInformers(&Plugin{})
 )
 
 func NewValidatingAdmissionWebhook(configfile io.Reader) (*Plugin, error) {
@@ -118,10 +119,12 @@ func (p *Plugin) Validate(ctx context.Context, attr admission.Attributes, o admi
 
 // SetExternalKubeInformerFactory implements the WantsExternalKubeInformerFactory interface.
 func (p *Plugin) SetExternalKubeInformerFactory(f kubernetesinformers.SharedInformerFactory) {
-	clusterAwareFactory := informerfactoryhack.Unwrap(f)
+	p.Plugin.SetExternalKubeInformerFactory(f) // for namespaces
+}
+
+func (p *Plugin) SetKubeInformers(local, global kcpkubernetesinformers.SharedInformerFactory) {
 	p.WebhookDispatcher.SetHookSource(func(cluster logicalcluster.Name) generic.Source {
-		informer := clusterAwareFactory.Admissionregistration().V1().ValidatingWebhookConfigurations().Cluster(cluster)
-		return configuration.NewValidatingWebhookConfigurationManagerForInformer(informer)
-	}, clusterAwareFactory.Admissionregistration().V1().ValidatingWebhookConfigurations().Informer().HasSynced)
-	p.Plugin.SetExternalKubeInformerFactory(f)
+		informer := global.Admissionregistration().V1().MutatingWebhookConfigurations().Cluster(cluster)
+		return configuration.NewMutatingWebhookConfigurationManagerForInformer(informer)
+	}, global.Admissionregistration().V1().MutatingWebhookConfigurations().Informer().HasSynced)
 }
diff --git a/pkg/server/config.go b/pkg/server/config.go
@@ -453,6 +453,7 @@ func NewConfig(opts *kcpserveroptions.CompletedOptions) (*Config, error) {
 
 	admissionPluginInitializers := []admission.PluginInitializer{
 		kcpadmissioninitializers.NewKcpInformersInitializer(c.KcpSharedInformerFactory, c.CacheKcpSharedInformerFactory),
+		kcpadmissioninitializers.NewKubeInformersInitializer(c.KubeSharedInformerFactory, c.CacheKubeSharedInformerFactory),
 		kcpadmissioninitializers.NewKubeClusterClientInitializer(c.KubeClusterClient),
 		kcpadmissioninitializers.NewKcpClusterClientInitializer(c.KcpClusterClient),
 		kcpadmissioninitializers.NewDeepSARClientInitializer(c.DeepSARClient),