Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

drop rest.ConnectRequest in webhook admission #66633

Closed
wants to merge 1 commit into from
Closed

drop rest.ConnectRequest in webhook admission #66633

wants to merge 1 commit into from

Conversation

mikedanese
Copy link
Member

Instead of trying to convert them to something they are not.

This mitigates #59759 by turning an INTERNAL error into a successful
admission request that omits some of the request information. Eventually
we will probably want to forward CONNECT options, but they aren't
currently versioned.

cc @cjcullen @alexcope @kubernetes/sig-api-machinery-pr-reviews

NONE

@k8s-ci-robot k8s-ci-robot added release-note-none Denotes a PR that doesn't merit a release note. sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. labels Jul 25, 2018
@mikedanese
drop rest.ConnectRequest in webhook admission
cd0e709 
Instead of trying to convert them to something they are not.

This mitigates kubernetes#59759 by turning an INTERNAL error into a successful
admission request that omits some of the request information. Eventually
we will probably want to forward CONNECT options, but they aren't
currently versioned.
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: mikedanese
To fully approve this pull request, please assign additional approvers.
We suggest the following additional approver: deads2k

If they are not already assigned, you can assign the PR to them by writing /assign @deads2k in a comment when ready.

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot
Copy link
Contributor

k8s-ci-robot commented Jul 26, 2018
edited
Loading

@mikedanese: The following test failed, say /retest to rerun them all:

Test name Commit Details Rerun command
pull-kubernetes-e2e-gce cd0e709 link /test pull-kubernetes-e2e-gce

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

@liggitt
Copy link
Member

liggitt commented Jul 26, 2018

What object do in-tree admission plugins get in admission attributes for these requests?

@mikedanese
Copy link
Member Author

mikedanese commented Jul 26, 2018
edited
Loading

they get *rest.ConnectRequests:

kubernetes/staging/src/k8s.io/apiserver/pkg/endpoints/handlers/rest.go

Lines 125 to 138 in f1b6611

if mutatingAdmission, ok := admit.(admission.MutationInterface); ok {
err = mutatingAdmission.Admit(admission.NewAttributesRecord(connectRequest, nil, scope.Kind, namespace, name, scope.Resource, scope.Subresource, admission.Connect, userInfo))
if err != nil {
scope.err(err, w, req)
return
}
}
if validatingAdmission, ok := admit.(admission.ValidationInterface); ok {
err = validatingAdmission.Validate(admission.NewAttributesRecord(connectRequest, nil, scope.Kind, namespace, name, scope.Resource, scope.Subresource, admission.Connect, userInfo))
if err != nil {
scope.err(err, w, req)
return
}
}

e.g.:

kubernetes/plugin/pkg/admission/exec/admission.go

Line 97 in f1b6611

connectRequest, ok := a.GetObject().(*rest.ConnectRequest)

@fedebongio
Copy link
Contributor

/cc @caesarxuchao

@caesarxuchao caesarxuchao mentioned this pull request Jul 31, 2018
Merged
@caesarxuchao
Copy link
Member

@mikedanese I'm working on a complete fix at #66807. I tried locally it seemed to work.

@mikedanese
Copy link
Member Author

Let's go with #66807

@mikedanese mikedanese closed this Jul 31, 2018
@mikedanese mikedanese deleted the dontcrash branch July 31, 2018 21:12
k8s-github-robot pushed a commit that referenced this pull request Aug 7, 2018
Merge pull request #66807 from caesarxuchao/remove-connectrequest
d1636b8 
Automatic merge from submit-queue (batch tested with PRs 66196, 67016, 66807, 67023). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

Make admission webhooks conversion convert CONNECT body correctly

Fix #59759.

1. Make apiserver pass connectRequest.Options directly to the admission layer. All other information in rest.ConnectRequest is present in admission attributes.
2. Make the scope.Kind of pod/attach, pod/exec, pod/portforward, node/proxy, service/proxy to their respective options Kind, instead of the parent Kind.

I've tested it locally, the conversion is working correctly for "kubectl attach". I'll add e2e tests.

I'll keep this to myself until I add the tests, but cc @mikedanese @liggitt RE. #66633.
k8s-publishing-bot added a commit to kubernetes/apiserver that referenced this pull request Aug 7, 2018
@k8s-publishing-bot
Merge pull request #66807 from caesarxuchao/remove-connectrequest
9a8af0d 
Automatic merge from submit-queue (batch tested with PRs 66196, 67016, 66807, 67023). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

Make admission webhooks conversion convert CONNECT body correctly

Fix #59759.

1. Make apiserver pass connectRequest.Options directly to the admission layer. All other information in rest.ConnectRequest is present in admission attributes.
2. Make the scope.Kind of pod/attach, pod/exec, pod/portforward, node/proxy, service/proxy to their respective options Kind, instead of the parent Kind.

I've tested it locally, the conversion is working correctly for "kubectl attach". I'll add e2e tests.

I'll keep this to myself until I add the tests, but cc @mikedanese @liggitt RE. kubernetes/kubernetes#66633.

Kubernetes-commit: d1636b8019fa042eb1135263b00293b1c806b1d7
sttts pushed a commit to sttts/apiserver that referenced this pull request Aug 8, 2018
@k8s-publishing-bot
Merge pull request #66807 from caesarxuchao/remove-connectrequest
3a23340 
Automatic merge from submit-queue (batch tested with PRs 66196, 67016, 66807, 67023). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

Make admission webhooks conversion convert CONNECT body correctly

Fix #59759.

1. Make apiserver pass connectRequest.Options directly to the admission layer. All other information in rest.ConnectRequest is present in admission attributes.
2. Make the scope.Kind of pod/attach, pod/exec, pod/portforward, node/proxy, service/proxy to their respective options Kind, instead of the parent Kind.

I've tested it locally, the conversion is working correctly for "kubectl attach". I'll add e2e tests.

I'll keep this to myself until I add the tests, but cc @mikedanese @liggitt RE. kubernetes/kubernetes#66633.

Kubernetes-commit: d1636b8019fa042eb1135263b00293b1c806b1d7
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@deads2k deads2k Awaiting requested review from deads2k

@wojtek-t wojtek-t Awaiting requested review from wojtek-t

@caesarxuchao caesarxuchao Awaiting requested review from caesarxuchao

Assignees

@sttts sttts

@deads2k deads2k

Labels
cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. release-note-none Denotes a PR that doesn't merit a release note. sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. size/XS Denotes a PR that changes 0-9 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
7 participants
@mikedanese @k8s-ci-robot @liggitt @fedebongio @caesarxuchao @sttts @deads2k