Fix webhook API to also support URLs #54889
Conversation
k8s-ci-robot
added
do-not-merge/release-note-label-needed
|
Also @liggitt |
| // webhook, for example, a cluster identifier. | ||
| // | ||
| // Required. | ||
| URL string |
There was a problem hiding this comment.
Unfortunately I'm hearing from @bowei that there is no safe standard DNS form that we could parse? Bowei, please say I misunderstood :( :(
There was a problem hiding this comment.
I'm unsure what is meant by that. I'd expect to fully specify the URL, including the scheme: scheme://host[:port][/path]. What is ambiguous about that?
There was a problem hiding this comment.
Do we need to distinguish between a service exported by the cluster vs a server with a DNS name reachable on the network?
What Daniel is referring to is that we do not want to bake in the current DNS schema into the system in case the schema changes. This is a particularly subtle place to have to be maintained if any changes are done.
Any alternative is to have a different scheme for identifying cluster only services, something like: k8s-service://.
There was a problem hiding this comment.
@liggitt, kube-apiserver must be able to tell whether the DNS name refers to something in the cluster or out of the cluster, because it can't assume the presence of DNS resolution for in-cluster things (or, currently, routes, though that will change in a few quarters).
There was a problem hiding this comment.
I've pushed a commit that keeps both. I don't like it very much. Why not maintain the Service field, and make the external hostname field of that work correctly?
There was a problem hiding this comment.
I'm in favor of only a service reference, and opposed to a URL. As we can see from this discussion, URLs obscure information that needs to be first-class. In particular, if something generates or munges the Service name, it needs to know how to populate this field. Everywhere else in the API we use object references or names.
So, option 3.
There was a problem hiding this comment.
For self-hosted webhooks, I can live with service references, resolved as they are today.
For non-cluster-hosted webhooks, it doesn't make sense to require the indirection of using a service reference pointing to a service which itself points to an external hostname. That still requires the external hostname to be resolvable, and requires all consumers of admission webhook config (even ones in pods that could have used DNS for in- and out- of cluster resolution) to have custom dialers and read permission on the service API objects.
@erictune
Suggestion:
at most one of Service ServiceReference or URL string may be set.
if URL string is used, normal DNS resolution is used, then no magic happens, and<name>.<namespace>.svc.is not expected to work.
This lets the user chose which is the lesser evil: layering violation or non-portable configuration.
That seems reasonable to me (and it's not a layer violation to use DNS to resolve off-cluster webhook hostnames)
There was a problem hiding this comment.
It seems like I never submitted my reply to eric's comment above, but Jordan and Eric's approach seems to be reasonable.
There was a problem hiding this comment.
What I care most about is that we keep service/object references for self-hosted webhooks.
| // render your config non-portable; apiservers will route to the | ||
| // service correctly. | ||
| // | ||
| // If the scheme is present, it must be "https://". |
There was a problem hiding this comment.
If it were, then the CABundle field would have to be optional, but it isn't.
I don't mind changing this--was just keeping the change limited.
|
I think using You were concerned about I would not use option 1 because of the extra DNS changes. I'm not a fan of allowing multiple options in the API type. It seems like an unnecessary layer. Expecting the |
Not very pretty, but it at least makes it possible to use externally hosted hooks. |
|
Thank you everyone. That extension apiservers may not have permission to read arbitrary services seems like a good reason to include the URL. Or at least, I'm not in favor of forcing the system administrator to set up RBAC rules to make sure every apiserver can read every webhook's service. And I agree that relying on external DNS is not a layer violation. So, I now believe that both are necessary, sadly. |
|
I'm fine with keeping both. |
|
To be my own devil's advocate, it's worth noting we'll already have to make sure extension apiservers can read all namespaces. |
That was always the case in order to correctly allow/prevent creation of namespaced resources. I'd really avoid requiring visibility into unrelated namespace content like services. |
|
On mobile, apologies for mistakes. I am very not fond of ad hoc syntax definitions, and that's what using "foo.bar.svc" is. It is not a real host name, but it could become one. It is not an in-cluster FQDN. It is just a syntax that happens to lean a bit on DNS, as defined today. DNS will change eventually (though it will be a long transition). This is one more place to adapt or else you carry your own syntax. If you need a URL,why not k8s-svc://service.namespace ? |
|
@thockin -- is there a place where we can make something like |
|
Yeah, the custom scheme mechanism doesn't work because there's no programatic way for extension apiservers to turn that into a proper string they can DNS resolve. So both it is :( |
|
@bowei A string with a custom format is not the right way to go. The syntax would be less discoverable, it would be different from all other references, defaulting from context would be harder, ... |
k8s-ci-robot
added
size/L
k8s-github-robot
added
the
kind/api-change
lavalamp
changed the title
| // webhook, for example, a cluster identifier. | ||
| // | ||
| // +optional | ||
| URL *string `json:"url,omitempty"` |
There was a problem hiding this comment.
internal types don't get tags
| ClientConfig: admissionregistration.AdmissionHookClientConfig{}, | ||
| }, | ||
| }), | ||
| expectedError: `exactly one of`, |
There was a problem hiding this comment.
get slightly more specific so you include the fields too.
There was a problem hiding this comment.
I intended to copy/paste from the failing test to put in the thing to check, but then the test unexpectedly passed and I didn't...
There was a problem hiding this comment.
I include each field in at least one of the test cases now, I don't like making change-detector tests so I don't think it needs to be universal.
| // `path` is an optional URL path which will be sent in any request to | ||
| // this service. | ||
| // +optional | ||
| Path *string `json:"path,omitempty"` |
There was a problem hiding this comment.
I thought the proto generator was supposed to do that, I guess make generated_files didn't actually run that (WHY?), which explains some other things.
| // webhook, for example, a cluster identifier. | ||
| // | ||
| // +optional | ||
| URL *string `json:"url,omitempty"` |
| } | ||
|
|
||
| // TODO: cache these instead of constructing one each time | ||
| restConfig, err := a.authInfoResolver.ClientConfigFor(serverName) | ||
| restConfig, err := a.authInfoResolver.ClientConfigFor(u.Host) |
There was a problem hiding this comment.
Doesn't host include port? I wonder what the clientConfigFor code does in that case.
There was a problem hiding this comment.
I am not sure if I should split here or let authInfoResolver worry about it-- what if people run two different things on two ports on the same host? (parameter name is "server" which is pretty ambiguous as to whether it should include a port)
There was a problem hiding this comment.
Previously we mandated 443, so at least this doesn't make it worse.
k8s-ci-robot
added
release-note
k8s-github-robot
added
the
approved
|
/retest pull-kubernetes-bazel-test |
|
/retest |
| // | ||
| // If the webhook is running within the cluster, then you should use `service`. | ||
| // | ||
| // If there is only |
|
/lgtm |
k8s-ci-robot
added
the
lgtm
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: caesarxuchao, lavalamp Associated issue: 492 The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these OWNERS Files:
You can indicate your approval by writing |
|
/retest |
| // webhook, for example, a cluster identifier. | ||
| // | ||
| // +optional | ||
| URL *string `json:"url,omitempty" protobuf:"bytes,3,opt,name=url"` |
There was a problem hiding this comment.
Why not require scheme? Making it optional means url.Parse can't be used on the value as specified, right? (I think Parse treats a schemeless host as a relative path)
There was a problem hiding this comment.
There was a problem hiding this comment.
validation does require the scheme, I forgot to fix the comment.
There was a problem hiding this comment.
Looks like it allows "". Should just require https
| @@ -395,47 +400,71 @@ func toStatusErr(name string, result *metav1.Status) *apierrors.StatusError { | |||
|
|
|||
| func (a *GenericAdmissionWebhook) hookClient(h *v1alpha1.Webhook) (*rest.RESTClient, error) { | |||
| cacheKey, err := json.Marshal(h.ClientConfig) | |||
| if err != nil { | |||
There was a problem hiding this comment.
If an error occurs, we shouldn't use the cacheKey to look up a client
There was a problem hiding this comment.
this was a rebase problem, oops.
| return nil, &ErrCallingWebhook{WebhookName: h.Name, Reason: ErrNeedServiceOrURL} | ||
| } | ||
|
|
||
| u, err := url.Parse(*h.ClientConfig.URL) |
There was a problem hiding this comment.
Does this do the right thing with schemeless urls?
| cfg := rest.CopyConfig(restConfig) | ||
| cfg.Host = u.Host | ||
| cfg.APIPath = u.Path | ||
| // TODO: test if this is needed: cfg.TLSClientConfig.ServerName = u.Host |
There was a problem hiding this comment.
Not needed if host and serverName are the same
| } | ||
| if len(u.Host) == 0 { | ||
| allErrors = append(allErrors, field.Required(fldPath.Child("url"), "host must be provided"+form)) | ||
| } |
There was a problem hiding this comment.
Make sure there's no query or user info?
|
/hold |
k8s-ci-robot
added
the
do-not-merge/hold
lavalamp
removed
the
do-not-merge/hold
|
chatted w/ @liggitt, going to fix comments in a followup. Don't want to block the merge train. |
|
Talked offline. Will take a follow up on the scheme and cacheKey issues |
|
/retest |
|
Followup is #55534 |
|
/retest |
1 similar comment
|
/retest |
|
I know the e2e isn't due to this PR because #55534 passes... |
|
/test all [submit-queue is verifying that this PR is safe to merge] |
|
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions here. |
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>. Tighten webhook client config validation ref kubernetes/enhancements#492 Fix up some nits left from #54889. ```release-note NONE ```
ref: kubernetes/enhancements#492