Merge pull request #55282 from mbohlool/webhooks

Automatic merge from submit-queue (batch tested with PRs 55268, 55282, 55419, 48340, 54829). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>. Add MutatingWebhookConfiguration type As part of Mutating Webhook support, this PR adds the configuration for Mutating webhooks. It also renames existing ReadOnly webhook configurations from ExternalAdmissionHookConfiguration to ValidatingWebhookConfiguration. As part of the process some sub-types are also renamed. Lastly, the mutating webhook configurations are sorted by name to make the serial executing of them deterministic. ref: kubernetes/enhancements#492
kubernetes · Nov 10, 2017 · 61f2108 · 61f2108
2 parents 3ce7c3e + 4568e05
commit 61f2108
Show file tree

Hide file tree

Showing 98 changed files with 8,351 additions and 3,287 deletions.
diff --git a/api/openapi-spec/swagger.json b/api/openapi-spec/swagger.json
diff --git a/api/swagger-spec/admissionregistration.k8s.io_v1alpha1.json b/api/swagger-spec/admissionregistration.k8s.io_v1alpha1.json
diff --git a/cmd/kube-apiserver/app/server.go b/cmd/kube-apiserver/app/server.go
diff --git a/docs/api-reference/admissionregistration.k8s.io/v1alpha1/definitions.html b/docs/api-reference/admissionregistration.k8s.io/v1alpha1/definitions.html
diff --git a/docs/api-reference/admissionregistration.k8s.io/v1alpha1/operations.html b/docs/api-reference/admissionregistration.k8s.io/v1alpha1/operations.html
diff --git a/hack/.golint_failures b/hack/.golint_failures
@@ -1,3 +1,4 @@
+
 cluster/images/etcd-version-monitor
 cmd/gke-certificates-controller/app
 cmd/hyperkube
@@ -236,9 +237,10 @@ pkg/proxy/util
 pkg/proxy/winkernel
 pkg/proxy/winuserspace
 pkg/quota/evaluator/core
-pkg/registry/admissionregistration/externaladmissionhookconfiguration/storage
 pkg/registry/admissionregistration/initializerconfiguration/storage
+pkg/registry/admissionregistration/mutatingwebhookconfiguration/storage
 pkg/registry/admissionregistration/rest
+pkg/registry/admissionregistration/validatingwebhookconfiguration/storage
 pkg/registry/apps/rest
 pkg/registry/apps/statefulset
 pkg/registry/apps/statefulset/storage

diff --git a/pkg/BUILD b/pkg/BUILD
@@ -57,6 +57,7 @@ filegroup(
         "//pkg/client/informers/informers_generated/internalversion:all-srcs",
         "//pkg/client/leaderelectionconfig:all-srcs",
         "//pkg/client/listers/admissionregistration/internalversion:all-srcs",
+        "//pkg/client/listers/apis/admissionregistration:all-srcs",
         "//pkg/client/listers/apps/internalversion:all-srcs",
         "//pkg/client/listers/authentication/internalversion:all-srcs",
         "//pkg/client/listers/authorization/internalversion:all-srcs",

diff --git a/pkg/api/testing/defaulting_test.go b/pkg/api/testing/defaulting_test.go
@@ -97,52 +97,54 @@ func TestDefaulting(t *testing.T) {
 		// This object contains only int fields which currently breaks the defaulting test because
 		// it's pretty stupid. Once we add non integer fields, we should uncomment this.
 		// {Group: "kubeadm.k8s.io", Version: "v1alpha1", Kind: "NodeConfiguration"}:                 {},
-		{Group: "extensions", Version: "v1beta1", Kind: "DaemonSet"}:                                                 {},
-		{Group: "extensions", Version: "v1beta1", Kind: "DaemonSetList"}:                                             {},
-		{Group: "apps", Version: "v1beta2", Kind: "DaemonSet"}:                                                       {},
-		{Group: "apps", Version: "v1beta2", Kind: "DaemonSetList"}:                                                   {},
-		{Group: "apps", Version: "v1", Kind: "DaemonSet"}:                                                            {},
-		{Group: "apps", Version: "v1", Kind: "DaemonSetList"}:                                                        {},
-		{Group: "extensions", Version: "v1beta1", Kind: "Deployment"}:                                                {},
-		{Group: "extensions", Version: "v1beta1", Kind: "DeploymentList"}:                                            {},
-		{Group: "apps", Version: "v1beta1", Kind: "Deployment"}:                                                      {},
-		{Group: "apps", Version: "v1beta1", Kind: "DeploymentList"}:                                                  {},
-		{Group: "apps", Version: "v1beta2", Kind: "Deployment"}:                                                      {},
-		{Group: "apps", Version: "v1beta2", Kind: "DeploymentList"}:                                                  {},
-		{Group: "apps", Version: "v1", Kind: "Deployment"}:                                                           {},
-		{Group: "apps", Version: "v1", Kind: "DeploymentList"}:                                                       {},
-		{Group: "extensions", Version: "v1beta1", Kind: "PodSecurityPolicy"}:                                         {},
-		{Group: "extensions", Version: "v1beta1", Kind: "PodSecurityPolicyList"}:                                     {},
-		{Group: "apps", Version: "v1beta2", Kind: "ReplicaSet"}:                                                      {},
-		{Group: "apps", Version: "v1beta2", Kind: "ReplicaSetList"}:                                                  {},
-		{Group: "apps", Version: "v1", Kind: "ReplicaSet"}:                                                           {},
-		{Group: "apps", Version: "v1", Kind: "ReplicaSetList"}:                                                       {},
-		{Group: "extensions", Version: "v1beta1", Kind: "ReplicaSet"}:                                                {},
-		{Group: "extensions", Version: "v1beta1", Kind: "ReplicaSetList"}:                                            {},
-		{Group: "extensions", Version: "v1beta1", Kind: "NetworkPolicy"}:                                             {},
-		{Group: "extensions", Version: "v1beta1", Kind: "NetworkPolicyList"}:                                         {},
-		{Group: "rbac.authorization.k8s.io", Version: "v1alpha1", Kind: "ClusterRoleBinding"}:                        {},
-		{Group: "rbac.authorization.k8s.io", Version: "v1alpha1", Kind: "ClusterRoleBindingList"}:                    {},
-		{Group: "rbac.authorization.k8s.io", Version: "v1alpha1", Kind: "RoleBinding"}:                               {},
-		{Group: "rbac.authorization.k8s.io", Version: "v1alpha1", Kind: "RoleBindingList"}:                           {},
-		{Group: "rbac.authorization.k8s.io", Version: "v1beta1", Kind: "ClusterRoleBinding"}:                         {},
-		{Group: "rbac.authorization.k8s.io", Version: "v1beta1", Kind: "ClusterRoleBindingList"}:                     {},
-		{Group: "rbac.authorization.k8s.io", Version: "v1beta1", Kind: "RoleBinding"}:                                {},
-		{Group: "rbac.authorization.k8s.io", Version: "v1beta1", Kind: "RoleBindingList"}:                            {},
-		{Group: "rbac.authorization.k8s.io", Version: "v1", Kind: "ClusterRoleBinding"}:                              {},
-		{Group: "rbac.authorization.k8s.io", Version: "v1", Kind: "ClusterRoleBindingList"}:                          {},
-		{Group: "rbac.authorization.k8s.io", Version: "v1", Kind: "RoleBinding"}:                                     {},
-		{Group: "rbac.authorization.k8s.io", Version: "v1", Kind: "RoleBindingList"}:                                 {},
-		{Group: "settings.k8s.io", Version: "v1alpha1", Kind: "PodPreset"}:                                           {},
-		{Group: "settings.k8s.io", Version: "v1alpha1", Kind: "PodPresetList"}:                                       {},
-		{Group: "admissionregistration.k8s.io", Version: "v1alpha1", Kind: "ExternalAdmissionHookConfiguration"}:     {},
-		{Group: "admissionregistration.k8s.io", Version: "v1alpha1", Kind: "ExternalAdmissionHookConfigurationList"}: {},
-		{Group: "networking.k8s.io", Version: "v1", Kind: "NetworkPolicy"}:                                           {},
-		{Group: "networking.k8s.io", Version: "v1", Kind: "NetworkPolicyList"}:                                       {},
-		{Group: "storage.k8s.io", Version: "v1beta1", Kind: "StorageClass"}:                                          {},
-		{Group: "storage.k8s.io", Version: "v1beta1", Kind: "StorageClassList"}:                                      {},
-		{Group: "storage.k8s.io", Version: "v1", Kind: "StorageClass"}:                                               {},
-		{Group: "storage.k8s.io", Version: "v1", Kind: "StorageClassList"}:                                           {},
+		{Group: "extensions", Version: "v1beta1", Kind: "DaemonSet"}:                                             {},
+		{Group: "extensions", Version: "v1beta1", Kind: "DaemonSetList"}:                                         {},
+		{Group: "apps", Version: "v1beta2", Kind: "DaemonSet"}:                                                   {},
+		{Group: "apps", Version: "v1beta2", Kind: "DaemonSetList"}:                                               {},
+		{Group: "apps", Version: "v1", Kind: "DaemonSet"}:                                                        {},
+		{Group: "apps", Version: "v1", Kind: "DaemonSetList"}:                                                    {},
+		{Group: "extensions", Version: "v1beta1", Kind: "Deployment"}:                                            {},
+		{Group: "extensions", Version: "v1beta1", Kind: "DeploymentList"}:                                        {},
+		{Group: "apps", Version: "v1beta1", Kind: "Deployment"}:                                                  {},
+		{Group: "apps", Version: "v1beta1", Kind: "DeploymentList"}:                                              {},
+		{Group: "apps", Version: "v1beta2", Kind: "Deployment"}:                                                  {},
+		{Group: "apps", Version: "v1beta2", Kind: "DeploymentList"}:                                              {},
+		{Group: "apps", Version: "v1", Kind: "Deployment"}:                                                       {},
+		{Group: "apps", Version: "v1", Kind: "DeploymentList"}:                                                   {},
+		{Group: "extensions", Version: "v1beta1", Kind: "PodSecurityPolicy"}:                                     {},
+		{Group: "extensions", Version: "v1beta1", Kind: "PodSecurityPolicyList"}:                                 {},
+		{Group: "apps", Version: "v1beta2", Kind: "ReplicaSet"}:                                                  {},
+		{Group: "apps", Version: "v1beta2", Kind: "ReplicaSetList"}:                                              {},
+		{Group: "apps", Version: "v1", Kind: "ReplicaSet"}:                                                       {},
+		{Group: "apps", Version: "v1", Kind: "ReplicaSetList"}:                                                   {},
+		{Group: "extensions", Version: "v1beta1", Kind: "ReplicaSet"}:                                            {},
+		{Group: "extensions", Version: "v1beta1", Kind: "ReplicaSetList"}:                                        {},
+		{Group: "extensions", Version: "v1beta1", Kind: "NetworkPolicy"}:                                         {},
+		{Group: "extensions", Version: "v1beta1", Kind: "NetworkPolicyList"}:                                     {},
+		{Group: "rbac.authorization.k8s.io", Version: "v1alpha1", Kind: "ClusterRoleBinding"}:                    {},
+		{Group: "rbac.authorization.k8s.io", Version: "v1alpha1", Kind: "ClusterRoleBindingList"}:                {},
+		{Group: "rbac.authorization.k8s.io", Version: "v1alpha1", Kind: "RoleBinding"}:                           {},
+		{Group: "rbac.authorization.k8s.io", Version: "v1alpha1", Kind: "RoleBindingList"}:                       {},
+		{Group: "rbac.authorization.k8s.io", Version: "v1beta1", Kind: "ClusterRoleBinding"}:                     {},
+		{Group: "rbac.authorization.k8s.io", Version: "v1beta1", Kind: "ClusterRoleBindingList"}:                 {},
+		{Group: "rbac.authorization.k8s.io", Version: "v1beta1", Kind: "RoleBinding"}:                            {},
+		{Group: "rbac.authorization.k8s.io", Version: "v1beta1", Kind: "RoleBindingList"}:                        {},
+		{Group: "rbac.authorization.k8s.io", Version: "v1", Kind: "ClusterRoleBinding"}:                          {},
+		{Group: "rbac.authorization.k8s.io", Version: "v1", Kind: "ClusterRoleBindingList"}:                      {},
+		{Group: "rbac.authorization.k8s.io", Version: "v1", Kind: "RoleBinding"}:                                 {},
+		{Group: "rbac.authorization.k8s.io", Version: "v1", Kind: "RoleBindingList"}:                             {},
+		{Group: "settings.k8s.io", Version: "v1alpha1", Kind: "PodPreset"}:                                       {},
+		{Group: "settings.k8s.io", Version: "v1alpha1", Kind: "PodPresetList"}:                                   {},
+		{Group: "admissionregistration.k8s.io", Version: "v1alpha1", Kind: "ValidatingWebhookConfiguration"}:     {},
+		{Group: "admissionregistration.k8s.io", Version: "v1alpha1", Kind: "ValidatingWebhookConfigurationList"}: {},
+		{Group: "admissionregistration.k8s.io", Version: "v1alpha1", Kind: "MutatingWebhookConfiguration"}:       {},
+		{Group: "admissionregistration.k8s.io", Version: "v1alpha1", Kind: "MutatingWebhookConfigurationList"}:   {},
+		{Group: "networking.k8s.io", Version: "v1", Kind: "NetworkPolicy"}:                                       {},
+		{Group: "networking.k8s.io", Version: "v1", Kind: "NetworkPolicyList"}:                                   {},
+		{Group: "storage.k8s.io", Version: "v1beta1", Kind: "StorageClass"}:                                      {},
+		{Group: "storage.k8s.io", Version: "v1beta1", Kind: "StorageClassList"}:                                  {},
+		{Group: "storage.k8s.io", Version: "v1", Kind: "StorageClass"}:                                           {},
+		{Group: "storage.k8s.io", Version: "v1", Kind: "StorageClassList"}:                                       {},
 	}
 
 	f := fuzz.New().NilChance(.5).NumElements(1, 1).RandSource(rand.NewSource(1))

diff --git a/pkg/apis/admissionregistration/doc.go b/pkg/apis/admissionregistration/doc.go
@@ -18,7 +18,7 @@ limitations under the License.
 
 // Package admissionregistration is the internal version of the API.
 // AdmissionConfiguration and AdmissionPluginConfiguration are legacy static admission plugin configuration
-// InitializerConfiguration and ExternalAdmissionHookConfiguration is for the
+// InitializerConfiguration, ValidatingWebhookConfiguration, and MutatingWebhookConfiguration are for the
 // new dynamic admission controller configuration.
 // +groupName=admissionregistration.k8s.io
 package admissionregistration // import "k8s.io/kubernetes/pkg/apis/admissionregistration"
diff --git a/pkg/apis/admissionregistration/fuzzer/fuzzer.go b/pkg/apis/admissionregistration/fuzzer/fuzzer.go
@@ -26,7 +26,7 @@ import (
 // Funcs returns the fuzzer functions for the admissionregistration api group.
 var Funcs = func(codecs runtimeserializer.CodecFactory) []interface{} {
 	return []interface{}{
-		func(obj *admissionregistration.ExternalAdmissionHook, c fuzz.Continue) {
+		func(obj *admissionregistration.Webhook, c fuzz.Continue) {
 			c.FuzzNoCustom(obj) // fuzz self without calling this function again
 			p := admissionregistration.FailurePolicyType("Fail")
 			obj.FailurePolicy = &p

diff --git a/pkg/apis/admissionregistration/install/install.go b/pkg/apis/admissionregistration/install/install.go
@@ -35,7 +35,7 @@ func Install(groupFactoryRegistry announced.APIGroupFactoryRegistry, registry *r
 	if err := announced.NewGroupMetaFactory(
 		&announced.GroupMetaFactoryArgs{
 			GroupName:                  admissionregistration.GroupName,
-			RootScopedKinds:            sets.NewString("InitializerConfiguration", "ExternalAdmissionHookConfiguration"),
+			RootScopedKinds:            sets.NewString("InitializerConfiguration", "ValidatingWebhookConfiguration", "MutatingWebhookConfiguration"),
 			VersionPreferenceOrder:     []string{v1alpha1.SchemeGroupVersion.Version},
 			AddInternalObjectsToScheme: admissionregistration.AddToScheme,
 		},

diff --git a/pkg/apis/admissionregistration/register.go b/pkg/apis/admissionregistration/register.go
@@ -46,8 +46,10 @@ func addKnownTypes(scheme *runtime.Scheme) error {
 	scheme.AddKnownTypes(SchemeGroupVersion,
 		&InitializerConfiguration{},
 		&InitializerConfigurationList{},
-		&ExternalAdmissionHookConfiguration{},
-		&ExternalAdmissionHookConfigurationList{},
+		&ValidatingWebhookConfiguration{},
+		&ValidatingWebhookConfigurationList{},
+		&MutatingWebhookConfiguration{},
+		&MutatingWebhookConfigurationList{},
 	)
 	return nil
 }
diff --git a/pkg/apis/admissionregistration/types.go b/pkg/apis/admissionregistration/types.go
@@ -118,35 +118,61 @@ const (
 // +genclient:nonNamespaced
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
 
-// ExternalAdmissionHookConfiguration describes the configuration of initializers.
-type ExternalAdmissionHookConfiguration struct {
+// ValidatingWebhookConfiguration describes the configuration of an admission webhook that accepts or rejects and object without changing it.
+type ValidatingWebhookConfiguration struct {
 	metav1.TypeMeta
 	// Standard object metadata; More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata.
 	// +optional
 	metav1.ObjectMeta
-	// ExternalAdmissionHooks is a list of external admission webhooks and the
-	// affected resources and operations.
+	// Webhooks is a list of webhooks and the affected resources and operations.
 	// +optional
-	ExternalAdmissionHooks []ExternalAdmissionHook
+	Webhooks []Webhook
 }
 
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
 
-// ExternalAdmissionHookConfigurationList is a list of ExternalAdmissionHookConfiguration.
-type ExternalAdmissionHookConfigurationList struct {
+// ValidatingWebhookConfigurationList is a list of ValidatingWebhookConfiguration.
+type ValidatingWebhookConfigurationList struct {
 	metav1.TypeMeta
 	// Standard list metadata.
 	// More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds
 	// +optional
 	metav1.ListMeta
-	// List of ExternalAdmissionHookConfiguration.
-	Items []ExternalAdmissionHookConfiguration
+	// List of ValidatingWebhookConfigurations.
+	Items []ValidatingWebhookConfiguration
 }
 
-// ExternalAdmissionHook describes an external admission webhook and the
-// resources and operations it applies to.
-type ExternalAdmissionHook struct {
-	// The name of the external admission webhook.
+// +genclient
+// +genclient:nonNamespaced
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// MutatingWebhookConfiguration describes the configuration of and admission webhook that accept or reject and may change the object.
+type MutatingWebhookConfiguration struct {
+	metav1.TypeMeta
+	// Standard object metadata; More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata.
+	// +optional
+	metav1.ObjectMeta
+	// Webhooks is a list of webhooks and the affected resources and operations.
+	// +optional
+	Webhooks []Webhook
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// MutatingWebhookConfigurationList is a list of MutatingWebhookConfiguration.
+type MutatingWebhookConfigurationList struct {
+	metav1.TypeMeta
+	// Standard list metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds
+	// +optional
+	metav1.ListMeta
+	// List of MutatingWebhookConfiguration.
+	Items []MutatingWebhookConfiguration
+}
+
+// Webhook describes an admission webhook and the resources and operations it applies to.
+type Webhook struct {
+	// The name of the admission webhook.
 	// Name should be fully qualified, e.g., imagepolicy.kubernetes.io, where
 	// "imagepolicy" is the name of the webhook, and kubernetes.io is the name
 	// of the organization.
@@ -155,7 +181,7 @@ type ExternalAdmissionHook struct {
 
 	// ClientConfig defines how to communicate with the hook.
 	// Required
-	ClientConfig AdmissionHookClientConfig
+	ClientConfig WebhookClientConfig
 
 	// Rules describes what operations on what resources/subresources the webhook cares about.
 	// The webhook cares about an operation if it matches _any_ Rule.
@@ -191,9 +217,9 @@ const (
 	Connect      OperationType = "CONNECT"
 )
 
-// AdmissionHookClientConfig contains the information to make a TLS
+// WebhookClientConfig contains the information to make a TLS
 // connection with the webhook
-type AdmissionHookClientConfig struct {
+type WebhookClientConfig struct {
 	// Service is a reference to the service for this webhook. If there is only
 	// one port open for the service, that port will be used. If there are multiple
 	// ports open, port 443 will be used if it is open, otherwise it is an error.

diff --git a/pkg/apis/admissionregistration/v1alpha1/defaults.go b/pkg/apis/admissionregistration/v1alpha1/defaults.go
@@ -25,7 +25,7 @@ func addDefaultingFuncs(scheme *runtime.Scheme) error {
 	return RegisterDefaults(scheme)
 }
 
-func SetDefaults_ExternalAdmissionHook(obj *admissionregistrationv1alpha1.ExternalAdmissionHook) {
+func SetDefaults_Webhook(obj *admissionregistrationv1alpha1.Webhook) {
 	if obj.FailurePolicy == nil {
 		policy := admissionregistrationv1alpha1.Ignore
 		obj.FailurePolicy = &policy

diff --git a/pkg/apis/admissionregistration/v1alpha1/doc.go b/pkg/apis/admissionregistration/v1alpha1/doc.go
@@ -21,7 +21,7 @@ limitations under the License.
 
 // Package v1alpha1 is the v1alpha1 version of the API.
 // AdmissionConfiguration and AdmissionPluginConfiguration are legacy static admission plugin configuration
-// admissionregistrationv1alpha1.InitializerConfiguration and admissionregistrationv1alpha1.ExternalAdmissionHookConfiguration is for the
+// InitializerConfiguration, ValidatingWebhookConfiguration, and MutatingWebhookConfiguration are for the
 // new dynamic admission controller configuration.
 // +groupName=admissionregistration.k8s.io
 package v1alpha1 // import "k8s.io/kubernetes/pkg/apis/admissionregistration/v1alpha1"