-
Notifications
You must be signed in to change notification settings - Fork 38.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Admission registration performs webhook rules expansion modifying object on apply #107318
Comments
After some testing, this is also expanding by the So if there are 4 values in |
/sig api-machinery |
I can't reproduce this. After applying the webhook in the description, I see this output when fetching it:
|
it looks like you're creating an object with this:
and the resulting object has this:
is some other controller reading and rewriting the admission configuration object? if so, is that other controller doing the expansion? there's nothing built into kubernetes that does that expansion in webhook config API objects |
@liggitt for this to be modified immediately, it would need to be some other mutating administration webhook making the changes? I'm going to look into what others are deployed. |
a controller could plausibly observe and quickly modify it before your next get request was issued |
starting a watch of the object in a separate tab with |
Thank you Jordan for always being on top of issues! |
The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs. This bot triages issues and PRs according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle stale |
The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs. This bot triages issues and PRs according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle rotten |
The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs. This bot triages issues and PRs according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /close |
@k8s-triage-robot: Closing this issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
What happened?
When applying a
MutatingWebhookConfiguration
, the.webhooks[].rules[]
array is being expanded by the.webhooks[].rules[].apiVersions[]
values. This is causing configuration drift as the object that is in the manifest is different than the object stored by Kubernetes.This results in the object always being modified and tools like Flux always think the object has changed:
So applying a config like this:
Then reading the object back, results in this:
What did you expect to happen?
The object may be modified, fields added, but defined fields should either stay the same structure or fail validation at apply.
How can we reproduce it (as minimally and precisely as possible)?
Apply an object like this:
Full example: https://github.com/knative/serving/blob/92b5a121d19ca0d9f4aa0c73da3b20e30a5e8a62/config/core/webhooks/domainmapping-defaulting.yaml
Anything else we need to know?
No response
Kubernetes version
Cloud provider
OS version
Install tools
Container runtime (CRI) and and version (if applicable)
Related plugins (CNI, CSI, ...) and versions (if applicable)
The text was updated successfully, but these errors were encountered: