New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Intercepting "pods/eviction" subresource via validating webhook is not working #110169
Comments
/sig api-machinery |
Can you use validating webhooks with subresources? If not, this might be more of a feature request against the docs. |
@sftim AFAICT, this appears to only (or mostly work) for the list of pods subresource for reference
|
I want to reiterate that I also tested the rules with the below and still the webhook server didn't received any request
|
I've found the problem, I removed the as a reference, the pod I am trying to intercept with the same label used in the apiVersion: v1
kind: Pod
metadata:
labels:
app: <appname>
interceptDBSetPodEvictions: "true"
... other fields omitted as of now, I will only be able to filter by |
/triage accepted |
objectSelector selects on the labels of the object sent to the webhook. for the eviction subresource, this is the Eviction object, not the parent Pod object. It is unlikely the eviction request being submitted has the same labels as the parent Pod. For the /status subresource, the object submitted is the Pod, so the labels are the same /close |
@liggitt: Closing this issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
Currently, it is not possible to filter eviction requests based on pod labels [1][2]. For this reason, the pod eviction admitter has to catch all eviction requests in the cluster and only handle eviction requests on virt-launcher pods. Eviction requests on non virt-launcher pods should be approved. Since the existing tests have global variables set by a global BeforeEach function, it is difficult to refactor in place. Create a new Describe clause in order to hold the refactored test. Add new helper functions. For additional details please see [3]. [1] kubernetes/kubernetes#110169 (comment) [2] https://kubernetes.slack.com/archives/C0EG7JC6T/p1707054818877809 [3] kubevirt#11286 Signed-off-by: Orel Misan <omisan@redhat.com>
Currently, it is not possible to filter eviction requests based on pod labels [1][2]. For this reason, the pod eviction admitter has to catch all eviction requests in the cluster and only handle eviction requests on virt-launcher pods. Eviction requests on non virt-launcher pods should be approved. Since the existing tests have global variables set by a global BeforeEach function, it is difficult to refactor in place. Create a new Describe clause in order to hold the refactored test. Add new helper functions. For additional details please see [3]. [1] kubernetes/kubernetes#110169 (comment) [2] https://kubernetes.slack.com/archives/C0EG7JC6T/p1707054818877809 [3] kubevirt#11286 Signed-off-by: Orel Misan <omisan@redhat.com>
Currently, it is not possible to filter eviction requests based on pod labels [1][2]. For this reason, the pod eviction admitter has to catch all eviction requests in the cluster and only handle eviction requests on virt-launcher pods. Eviction requests on non virt-launcher pods should be approved. Since the existing tests have global variables set by a global BeforeEach function, it is difficult to refactor in place. Create a new Describe clause in order to hold the refactored test. Add new helper functions. For additional details please see [3]. [1] kubernetes/kubernetes#110169 (comment) [2] https://kubernetes.slack.com/archives/C0EG7JC6T/p1707054818877809 [3] kubevirt#11286 Signed-off-by: Orel Misan <omisan@redhat.com>
Currently, it is not possible to filter eviction requests based on pod labels [1][2]. For this reason, the pod eviction admitter has to catch all eviction requests in the cluster and only handle eviction requests on virt-launcher pods. Eviction requests on non virt-launcher pods should be approved. Since the existing tests have global variables set by a global BeforeEach function, it is difficult to refactor in place. Create a new Describe clause in order to hold the refactored test. Add new helper functions. For additional details please see [3]. [1] kubernetes/kubernetes#110169 (comment) [2] https://kubernetes.slack.com/archives/C0EG7JC6T/p1707054818877809 [3] kubevirt#11286 Signed-off-by: Orel Misan <omisan@redhat.com>
Currently, it is not possible to filter eviction requests by pod label [1][2], thus unfortunately the admitter intercepts all eviction requests in the cluster - including for pods that are not virt-launchers. The admitter checks whether an evicted pod is a virt-launcher by checking the the existence and value of the `kubevirt.io` label. Extract this logic into a function for better readability. [1] kubernetes/kubernetes#110169 (comment) [2] https://kubernetes.slack.com/archives/C0EG7JC6T/p1707054818877809 Treat the pod as a virt-launcher, only after it was verified as such. Signed-off-by: Orel Misan <omisan@redhat.com>
Currently, it is not possible to filter eviction requests by pod label [1][2], thus unfortunately the admitter intercepts all eviction requests in the cluster - including for pods that are not virt-launchers. The admitter checks whether an evicted pod is a virt-launcher by checking the the existence and value of the `kubevirt.io` label. Extract this logic into a function for better readability. The value of the `kubevirt.io/domain` annotation on the virt-launcher pod, represents the name of its controlling VMI. Rename the `domainName` variable to `vmiName` in order to better describe its purpose. [1] kubernetes/kubernetes#110169 (comment) [2] https://kubernetes.slack.com/archives/C0EG7JC6T/p1707054818877809 Signed-off-by: Orel Misan <omisan@redhat.com>
Currently, it is not possible to filter eviction requests by pod label [1][2], thus unfortunately the admitter intercepts all eviction requests in the cluster - including for pods that are not virt-launchers. The admitter checks whether an evicted pod is a virt-launcher by checking the the existence and value of the `kubevirt.io` label. Extract this logic into a function for better readability. The value of the `kubevirt.io/domain` annotation on the virt-launcher pod, represents the name of its controlling VMI. Rename the `domainName` variable to `vmiName` in order to better describe its purpose. [1] kubernetes/kubernetes#110169 (comment) [2] https://kubernetes.slack.com/archives/C0EG7JC6T/p1707054818877809 Signed-off-by: Orel Misan <omisan@redhat.com>
Currently, it is not possible to filter eviction requests by pod label [1][2], thus unfortunately the admitter intercepts all eviction requests in the cluster - including for pods that are not virt-launchers. The admitter checks whether an evicted pod is a virt-launcher by checking the the existence and value of the `kubevirt.io` label. Rename the `launcher` to `pod` in order to emphesize that it could be any pod. Extract this logic into a function for better readability. The value of the `kubevirt.io/domain` annotation on the virt-launcher pod, represents the name of its controlling VMI. Rename the `domainName` variable to `vmiName` in order to better describe its purpose. [1] kubernetes/kubernetes#110169 (comment) [2] https://kubernetes.slack.com/archives/C0EG7JC6T/p1707054818877809 Signed-off-by: Orel Misan <omisan@redhat.com>
What happened?
I’ve created a validation webhook server to intercept
pods/eviction
requests but calling evictions via both, the go SDK client and VPA is not invoking the webhook,The webhook config is as follows:
webhook.manifest.yaml
The
namespaceSelector
andobjectSelector
are pointing to the right resources,I am testing by invoking eviction requests with the golang client, via https://github.com/ueokande/kubectl-evict/blob/d3068ae2e8c4f28051187f18ac75406ddc21c551/pkg/cmd/evict_api.go#L60, and also via VPA, which issues eviction requests,
In addition to the
pods/eviction,
I also tried a few combinations in therules.resources
, but nothing seems to work:If I set "pods/status" my webhook server gets status requests though,
It sounds to me that this is still not working #75193
What did you expect to happen?
I expect my custom validation webhook server to intercept pods eviction requests
How can we reproduce it (as minimally and precisely as possible)?
If you create a
validationwebhookconfiguration
with:and you try to evict pods either with https://github.com/ueokande/kubectl-evict, or any other mechanism like VPA, etc. you should notice the webhook server doesn't get called
Anything else we need to know?
No response
Kubernetes version
Cloud provider
OS version
Install tools
Container runtime (CRI) and version (if applicable)
Related plugins (CNI, CSI, ...) and versions (if applicable)
The text was updated successfully, but these errors were encountered: