Adding an e2e test for admission webhook #54165

Merged
merged 3 commits into from Oct 28, 2017

@caesarxuchao caesarxuchao commented Oct 18, 2017

Part of kubernetes/enhancements#492

The purpose of this test is to make sure the webhooks get called, and the apiserver can communicate with the webhook.

We will expand the test to cover more webhook features in follow-ups.

The webhook used in the test rejects pods with container names "webhook-disallow". Will upload the source code of the example in a follow-up PR.
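
As an added illustration (not code from this PR or from the Kubernetes repository), the decision the test webhook is described as making could be written as below. The `pod` and `decision` types are simplified assumptions rather than the real API types, and the check also covers `initContainers`, which goes beyond what the description states.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Only the fields this check reads; a simplified stand-in for the Pod type.
type container struct{ Name string `json:"name"` }

type pod struct {
	Metadata struct{ Name string `json:"name"` } `json:"metadata"`
	Spec     struct {
		InitContainers []container `json:"initContainers"`
		Containers     []container `json:"containers"`
	} `json:"spec"`
}

// decision is a hypothetical result type, not the AdmissionReview wire format.
type decision struct {
	Allowed bool   `json:"allowed"`
	Reason  string `json:"reason,omitempty"`
}

const disallowedName = "webhook-disallow" // name from the PR description

// reviewPod decides on the raw pod object a webhook would be handed.
// It fails closed: an object that cannot be decoded is denied.
func reviewPod(raw []byte) decision {
	var p pod
	if err := json.Unmarshal(raw, &p); err != nil {
		return decision{Allowed: false, Reason: "cannot decode pod: " + err.Error()}
	}
	all := append(append([]container{}, p.Spec.InitContainers...), p.Spec.Containers...)
	for _, c := range all {
		if c.Name == disallowedName {
			return decision{Allowed: false, Reason: fmt.Sprintf("pod %q: container name %q is not allowed", p.Metadata.Name, c.Name)}
		}
	}
	return decision{Allowed: true}
}

func main() {
	// Constructed sample object.
	raw := `{"metadata":{"name":"bad"},"spec":{"containers":[{"name":"webhook-disallow"}]}}`
	out, _ := json.Marshal(reviewPod([]byte(raw)))
	fmt.Println(string(out))
}
```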

@caesarxuchao caesarxuchao self-assigned this Oct 18, 2017
@k8s-ci-robot k8s-ci-robot added do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. do-not-merge/release-note-label-needed Indicates that a PR should not merge because it's missing one of the release note labels. size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. labels Oct 18, 2017
@k8s-ci-robot k8s-ci-robot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. and removed size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. labels Oct 18, 2017
@caesarxuchao caesarxuchao force-pushed the webhook-e2e-test branch 2 times, most recently from 4c17329 to 88a8121 Compare October 18, 2017 20:07
@@ -175,7 +175,7 @@ if [[ ${KUBE_ENABLE_INSECURE_REGISTRY:-false} == "true" ]]; then
fi

# Optional: customize runtime config
RUNTIME_CONFIG="${KUBE_RUNTIME_CONFIG:-}"
RUNTIME_CONFIG="${KUBE_RUNTIME_CONFIG:-admissionregistration.k8s.io/v1alpha1}"
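
Review bot: The new default on the `RUNTIME_CONFIG` line only takes effect when `KUBE_RUNTIME_CONFIG` is unset or empty, so any job that already exports `KUBE_RUNTIME_CONFIG` still comes up without `admissionregistration.k8s.io/v1alpha1`. It also turns an alpha API group on by default for every user of this config file, not only the e2e run; consider leaving the default empty here and setting `KUBE_RUNTIME_CONFIG` in the e2e job, with a comment saying why the group is needed.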
Member Author

This doesn't seem to be useful, e2e test says

I1018 22:29:18.099] [It] Should be able to deny pod creation
I1018 22:29:18.099]   test/e2e/apimachinery/webhook.go:56
I1018 22:29:18.100] Oct 18 22:28:53.647: INFO: dynamic configuration of initializers requires the alpha admissionregistration.k8s.io group to be enabled

And apiserver log says:

I1018 22:17:17.431016       5 master.go:407] Skipping disabled API group "admissionregistration.k8s.io".

Member

change it to RUNTIME_CONFIG=admissionregistration.k8s.io/v1alpha1, or else it will still read in KUBE_RUNTIME_CONFIG

@@ -175,7 +175,8 @@ if [[ ${KUBE_ENABLE_INSECURE_REGISTRY:-false} == "true" ]]; then
fi

# Optional: customize runtime config
RUNTIME_CONFIG="${KUBE_RUNTIME_CONFIG:-}"
#RUNTIME_CONFIG="${KUBE_RUNTIME_CONFIG:-admissionregistration.k8s.io/v1alpha1}"
RUNTIME_CONFIG="admissionregistration.k8s.io/v1alpha1"
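
Review bot: The hard-coded `RUNTIME_CONFIG="admissionregistration.k8s.io/v1alpha1"` discards whatever the caller passed in `KUBE_RUNTIME_CONFIG`, and the hunk leaves the previous attempt behind as a commented-out line. If the group must always be on, append it to the caller's value instead of overwriting it, for example `RUNTIME_CONFIG="${KUBE_RUNTIME_CONFIG:+${KUBE_RUNTIME_CONFIG},}admissionregistration.k8s.io/v1alpha1"`, and drop the commented line before merge.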
Member Author

Got the same result. In apiserver.log:

I1018 23:08:04.489359       5 master.go:407] Skipping disabled API group "admissionregistration.k8s.io".

and

I1018 23:08:03.520458       5 flags.go:52] FLAG: --runtime-config="batch/v2alpha1=true,extensions/v1beta1="

@krzyzacy help?

@caesarxuchao
Member Author

/retest

@caesarxuchao caesarxuchao force-pushed the webhook-e2e-test branch 2 times, most recently from d311f58 to c129ae4 Compare October 20, 2017 00:44
@caesarxuchao
Member Author

Webhook is broken at HEAD...

@krzyzacy
Member

/shrug

@k8s-ci-robot k8s-ci-robot added the ¯\_(ツ)_/¯ label Oct 20, 2017
@caesarxuchao caesarxuchao changed the title [WIP] Adding an e2e test for admission webhook Adding an e2e test for admission webhook Oct 20, 2017
@k8s-ci-robot k8s-ci-robot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Oct 20, 2017
@caesarxuchao
Member Author

/assign @cheftako

@caesarxuchao
Member Author

/release-note-none
/sig api-machinery

@k8s-ci-robot k8s-ci-robot added release-note-none Denotes a PR that doesn't merit a release note. sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. and removed do-not-merge/release-note-label-needed Indicates that a PR should not merge because it's missing one of the release note labels. labels Oct 20, 2017
@erictune erictune added area/admission-control and removed approved Indicates a PR has been approved by an approver from all required OWNERS files. area/admission-control labels Oct 26, 2017
@caesarxuchao
Member Author

I removed the mutual TLS requirement from the webhook image. The test will still verify other parts of the webhook feature.

I'll open an issue reminding ourselves to add the authn back after we reach agreement on what CA to use (#53828) and figure out how to plumb the CA to the --admission-config-file during the e2e test.

framework.ExpectNoError(err, "registering webhook config %s with namespace %s", webhookConfigName, namespace)

// The webhook configuration is honored in 1s.
time.Sleep(2 * time.Second)
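
Review bot: The fixed `time.Sleep(2 * time.Second)` after registering the webhook configuration makes the test timing-dependent, and the comment above it says 1s while the code waits 2s. Until there is a way to ask whether the webhook is active, poll the behaviour under test instead (retry the pod creation that should be denied until it is rejected or a timeout expires), and have the comment say where the propagation delay comes from.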
Member

It seems like this highlights the problem that we have no API to tell us which webhooks are enabled and functioning. I believe we are generally going to want that functionality and once we have it we can fix this sleep.

Member Author

Tracked in #54712

@caesarxuchao
Member Author

Tracking the client authentication in #54709.

@cheftako
Member

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Oct 27, 2017
@caesarxuchao
Member Author

@deads2k @lavalamp could you approve? Thank you.

@lavalamp
Member

/approve

@k8s-github-robot k8s-github-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Oct 27, 2017
@caesarxuchao
Member Author

Rebased.

@caesarxuchao caesarxuchao removed the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Oct 27, 2017
@k8s-github-robot k8s-github-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Oct 27, 2017
@caesarxuchao caesarxuchao added lgtm "Looks good to me", indicates that a PR is ready to be merged. needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. labels Oct 27, 2017
@caesarxuchao
Member Author

/approve no-issue

@k8s-github-robot

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: caesarxuchao, cheftako, lavalamp

No associated issue. Update pull-request body to add a reference to an issue, or get approval with /approve no-issue


@k8s-github-robot k8s-github-robot added approved Indicates a PR has been approved by an approver from all required OWNERS files. and removed needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. labels Oct 27, 2017
@k8s-github-robot

Automatic merge from submit-queue (batch tested with PRs 54165, 53909). If you want to cherry-pick this change to another branch, please follow the instructions here.

@k8s-github-robot k8s-github-robot merged commit 444d0c1 into kubernetes:master Oct 28, 2017