update admission webhook to accept client config #54156
@deads2k: Adding do-not-merge/release-note-label-needed because the release note process has not been followed. One of the following labels is required "release-note", "release-note-action-required", or "release-note-none". Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
cmd/kube-apiserver/app/server.go
Outdated
if proxyTransport != nil && proxyTransport.Dial != nil { | ||
webhookClientConfig.Dial = proxyTransport.Dial | ||
// if you set this, you lost e2e safety on your connnection. | ||
webhookClientConfig.TLSClientConfig.Insecure = proxyTransport.TLSClientConfig.InsecureSkipVerify |
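Review bot: the last line reads `proxyTransport.TLSClientConfig.InsecureSkipVerify`, but the enclosing condition only checks `proxyTransport` and `proxyTransport.Dial`, so a transport with a nil `TLSClientConfig` would panic here. Add `proxyTransport.TLSClientConfig != nil` to the guard or wrap this assignment in its own check. The comment above it could also say explicitly that copying `InsecureSkipVerify` turns off server certificate verification for webhook calls, and "connnection" is misspelled.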
proxyTransport.TLSClientConfig can be nil
proxyTransport.TLSClientConfig can be nil
Not in this path, but I'll gate.
25cd3a3 to d03680a
@@ -42,10 +43,10 @@ type WantsAuthorizer interface { | |||
admission.Validator | |||
} | |||
|
|||
// WantsClientCert defines a fuction that accepts a cert & key for admission | |||
// WantsWebhookRESTClient defines a function that accepts a cert & key for admission |
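Review bot: the new comment on `WantsWebhookRESTClient` still says the function "accepts a cert & key for admission", which is the wording of the old `WantsClientCert` comment and no longer matches the name. Reword it to describe what the interface accepts now, going by its name a REST client for admission webhooks, so the godoc agrees with the renamed interface.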
fix godoc
}, | ||
Dial: dial, | ||
} | ||
cfg := rest.CopyConfig(a.restClientConfig) |
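Review bot: after `cfg := rest.CopyConfig(a.restClientConfig)` nothing in the visible lines sets a per-webhook server name or CA bundle on `cfg`, so as shown every webhook would be verified against whatever TLS settings the shared config carries. If those fields are set further down, a short comment at the copy saying so would help; if not, set them on `cfg` before the client is built.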
Where do you set the ServerName and CABundle?
5ce5932 to ae60ff2
ae60ff2 to 2326236
/retest
As noted, this PR doesn't change kube-apiserver or federation-apiserver behavior. Plumbing a full client config is consistent with other webhooks and is the standard way to propagate info used to build a client. Discussions about the content of that client config when used from extension API servers can be a follow up. Will wait until tomorrow morning to tag, but I'd expect any approach to continue plumbing the right config structure through
Tagging as agreed. Can continue discussion as part of subsequent webhook admission work.
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: deads2k, liggitt. Associated issue: 53827.
2326236 to 0859798
/retest
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions here.
Fixes #53827
This plumbs a complete client through the plugin initializer for admission webhooks. It achieves parity with our existing webhooks and provides flexibility if people want to do something special or different. Easy things are easy, hard things are possible. This does not change behavior for kube-apiserver.
@kubernetes/sig-auth-api-reviews @kubernetes/sig-api-machinery-bugs