Webhook configurations can choose which version of Review request they accept #74998
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
k8s-ci-robot
added
do-not-merge/release-note-label-needed
|
This PR may require API review. If so, when the changes are ready, complete the pre-review checklist and request an API review. Status of requested reviews is tracked in the API Review project. |
mbohlool
force-pushed
the
pippin
branch
2 times, most recently
from
13091f8
to
74c1ff0
Compare
liggitt
added
the
api-review
|
/test pull-kubernetes-bazel-test |
liggitt
reviewed
Mar 6, 2019
| @@ -44,4 +44,8 @@ func SetDefaults_Webhook(obj *admissionregistrationv1beta1.Webhook) { | |||
| obj.TimeoutSeconds = new(int32) | |||
| *obj.TimeoutSeconds = 30 | |||
| } | |||
|
|
|||
| if len(obj.AdmissionReviewVersions) == 0 { | |||
| obj.AdmissionReviewVersions = []string{"v1beta1"} | |||
There was a problem hiding this comment.
prefer SchemeGroupVersion.Version?
| } else { | ||
| seen := map[string]bool{} | ||
| for i, v := range versions { | ||
| if !isAcceptedAdmissionReviewVersion(v) { |
There was a problem hiding this comment.
we don't want to prevent versions we don't understand, or that will block a webhook that supports v1beta1 and v1 from registering itself
| return "v1beta1" == v | ||
| } | ||
|
|
||
| func validateAdmissionReviewVersions(versions []string, fldPath *field.Path) field.ErrorList { |
There was a problem hiding this comment.
this function is still getting called on update (*Strategy#ValidateUpdate -> ValidateValidatingWebhookConfiguration -> validateAdmissionReviewVersions), but lacks the information to know whether it should require a recognized version
we should limit *Strategy#ValidateUpdate to calling Validate*Update, and not have the strategy also call the Validate* method directly (that would let us unit test Validate* and Validate*Update methods and have that actually reflect what validation would be done on create and update)
There was a problem hiding this comment.
ValidateUpdate should not call Validate*. If you check current code, both methods it calls doing the same thing and we basically duplicate validation errors.
strategy#ValidateUpdate calls to both ValidateValidatingWebhookConfiguration and ValidateValidatingWebhookConfigurationUpdate. ValidateValidatingWebhookConfigurationUpdate calls ValidateValidatingWebhookConfiguration on the newObject which is the same as first call strategy#ValidateUpdate did to ValidateValidatingWebhookConfiguration. I will fix strategy.
| allErrors = append(allErrors, validateWebhook(&hook, fldPath)...) | ||
| oldHook, exists := oldWebhooks[hook.Name] | ||
| if exists { | ||
| // Only validate admissionReviewVersions if they were valid before |
There was a problem hiding this comment.
skipping this if the old webhook didn't have recognized versions means we also skip required and duplicate checking, which isn't great
There was a problem hiding this comment.
it might be simpler to do this at the object level rather than the webhook level (being more fine-grained doesn't do a lot for us, and makes the code way more complicated):
- set hadRecognizedVersions to true if all webhooks in the old object provided recognized versions
- change validateAdmissionReviewVersions to take
requireRecognizedVersion booland pass in hadRecognizedVersions here, and pass intruefromValidateMutatingWebhookConfiguration(you did something similar in validateCustomResourceDefinitionSpec and it worked well)
| @@ -66,6 +66,7 @@ func Funcs(codecs runtimeserializer.CodecFactory) []interface{} { | |||
| Strategy: apiextensions.NoneConverter, | |||
| } | |||
| } | |||
| obj.Conversion.ConversionReviewVersions = []string{"v1beta1"} | |||
There was a problem hiding this comment.
Hmm, is the point of this function to make the object valid? any value other than []string{"v1beta1"} is not valid.
There was a problem hiding this comment.
fuzzing doesn't care about validation, just about round-trippability. len(0) doesn't round-trip because empty lists get defaulted
| @@ -68,6 +68,9 @@ func SetDefaults_CustomResourceDefinitionSpec(obj *CustomResourceDefinitionSpec) | |||
| Strategy: NoneConverter, | |||
| } | |||
| } | |||
| if len(obj.Conversion.ConversionReviewVersions) == 0 { | |||
| obj.Conversion.ConversionReviewVersions = []string{"v1beta1"} | |||
There was a problem hiding this comment.
prefer SchemeGroupVersion.Version
| @@ -108,6 +108,11 @@ func (d *validatingDispatcher) callHook(ctx context.Context, h *v1beta1.Webhook, | |||
| } | |||
| } | |||
|
|
|||
| // Currently dispatcher only supports `v1beta1` AdmissionReview | |||
| if !util.HasAdmissionReviewVersion("v1beta1", h) { | |||
There was a problem hiding this comment.
prefer v1beta1.SchemeGroupVersion.Version, and add a TODO to make the dispatcher capable of sending/receiving multiple versions
| @@ -94,6 +94,11 @@ func (a *mutatingDispatcher) callAttrMutatingHook(ctx context.Context, h *v1beta | |||
| } | |||
| } | |||
|
|
|||
| // Currently dispatcher only supports `v1beta1` AdmissionReview | |||
| if !util.HasAdmissionReviewVersion("v1beta1", h) { | |||
There was a problem hiding this comment.
use constant, and add TODO to make this capable of sending/receiving multiple versions
| @@ -216,6 +230,11 @@ func (c *webhookConverter) ConvertToVersion(in runtime.Object, target runtime.Gr | |||
| } | |||
| } | |||
|
|
|||
| // Currently converter only supports `v1beta1` ConversionReview | |||
| if !c.hasConversionReviewVersion("v1beta1") { | |||
| @@ -250,6 +283,9 @@ func ValidateCustomResourceConversion(conversion *apiextensions.CustomResourceCo | |||
| allErrs = append(allErrs, webhook.ValidateWebhookService(fldPath.Child("webhookClientConfig").Child("service"), cc.Service.Name, cc.Service.Namespace, cc.Service.Path)...) | |||
| } | |||
| } | |||
| if mustValidateConversionReviewVersions { | |||
There was a problem hiding this comment.
required and duplicate checking is still worthwhile in all cases, this should only govern whether we require a recognized version
|
/lgtm |
k8s-ci-robot
added
the
lgtm
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: liggitt, mbohlool The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
approved
liggitt
removed
the
api-review
liggitt
added
the
priority/important-soon
k8s-ci-robot
removed
the
needs-priority
k8s-ci-robot
removed
the
lgtm
|
squashed, retagging |
k8s-ci-robot
added
lgtm
The vast majority of the size is generated changes and thorough unit tests. |
|
flake #75159 /retest |
|
/retest |
1 similar comment
|
/retest |
|
/test pull-kubernetes-godeps |
mbohlool
added a commit
to mbohlool/kubernetes.github.io
that referenced
this pull request
Mar 13, 2019
mbohlool
added a commit
to mbohlool/kubernetes.github.io
that referenced
this pull request
Mar 14, 2019
mbohlool
added a commit
to mbohlool/kubernetes.github.io
that referenced
this pull request
Mar 15, 2019
k8s-ci-robot
pushed a commit
to kubernetes/website
that referenced
this pull request
Mar 18, 2019
k8s-ci-robot
pushed a commit
to kubernetes/website
that referenced
this pull request
Mar 25, 2019
* Official documentation on Poseidon/Firmament, a new multi-scheduler support for K8S. (#11752) * Added documentation about Poseidon-Firmament scheduler * Fixed some style issues. * Udpated the document as per the review comments. * Fixed some typos and updated the document * Updated the document as per the review comments. * Document timeout attribute for kms-plugin. (#12158) See 72540. * Official documentation on Poseidon/Firmament, a new multi-scheduler (#12343) * Removed the old version of the Poseidon documentation. Incorrect location. * Official documentation on Poseidon/Firmament, a new multi-scheduler support for K8S (#12069) * Official documentation on Poseidon/Firmament, a new multi-scheduler support for K8S. (#11752) * Added documentation about Poseidon-Firmament scheduler * Fixed some style issues. * Udpated the document as per the review comments. * Fixed some typos and updated the document * Updated the document as per the review comments. * Updated the document as per review comments. Added config details. * Updated the document as per the latest review comments. Fixed nits * Made changes as per latest suggestions. * Some more changes added. * Updated as per suggestions. * Changed the release process section. * SIG Docs edits Small edits to match style guidelines. * add plus to feature state * capitalization * revert feature state shortcode since this is a Kubernetes extension, not a direct feature, it shouldn't use the regular feature state tagging. (cherry picked from commit 7730c15) * Remove initializers from doc. It will be removed in 1.14 (#12331) * kubeadm: Document CRI auto detection functionality (#12462) Signed-off-by: Rostislav M. Georgiev <rostislavg@vmware.com> * Minor doc change for GAing Pod DNS Config (#12514) * Graduate ExpandInUsePersistentVolumes feature to beta (#10574) * Rename 2018-11-07-grpc-load-balancing-with-linkerd.md.md file (#12594) * Add dynamic percentage of node scoring to user docs (#12235) * Add dynamic percentage of node scoring to user docs * addressed review comments * delete special symbol (#12445) * Update documentation for VolumeSubpathEnvExpansion (#11843) * Update documentation for VolumeSubpathEnvExpansion * Address comments - improve descriptions * Graduate Pod Priority and Preemption to GA (#12428) * Added Instana links to the documentation (#12977) * Added link to the Instana Kubernetes integration * Added Instana link for services section Added Instana and a link to the Kubernetes integration to the analytics services section and broadened the scope to APM, monitoring and analytics. * Oxford comma /flex * More Oxford commas, because they matter * Update kubectl plugins to stable (#12847) * documentation for CSI topology beta (#12889) * Document changes to default RBAC discovery ClusterRole(Binding)s (#12888) * Document changes to default RBAC discovery ClusterRole(Binding)s Documentation for kubernetes/enhancements#789 and kubernetes/kubernetes#73807 * documentation review feedback * CSI raw block to beta (#12931) * Change incorrect string raw to block (#12926) Fixes #12925 * Update documentation on node OS/arch labels (#12976) These labels have been promoted to GA: kubernetes/enhancements#793 * local pv GA doc updates (#12915) * Publish CRD OpenAPI Documentation (#12910) * add documentation for CustomResourcePublishOpenAPI * address comments fix links, ordered lists, style and typo * kubeadm: add document for upgrading from 1.13 to 1.14 (single CP and HA) (#13189) * kubeadm: add document for upgrading from 1.13 to 1.14 - remove doc for upgrading 1.10 -> 1.11 * kubeadm: apply amends to upgrade-1.14 doc * kubeadm: apply amends to upgrade-1.14 doc (part2) * kubeadm: apply amends to upgrade-1.14 doc (part3) * kubeadm: add note about "upgrade node experimental-control-plane" + add comment about `upgrade plan` * kubeadm: add missing "You should see output similar to this" * fix bullet indentation (#13214) * mark PodReadinessGate GA (#12800) * Update RuntimeClass documentation for beta (#13043) * Update RuntimeClass documentation for beta * Update feature gate & add upgrade section * formatting fixes * Highlight upgrade action required * Address feedback * CSI ephemeral volume alpha documentation (#10934) * update kubectl documentation (#12867) * update kubectl documentation * add document for Secret/ConfigMap generators * replace `kubectl create -f` by `kubectl apply -f` * Add page for kustomization support in kubectl * fix spelling errors and address comments * Documentation for Windows GMSA feature (#12936) * Documentation for Windows GMSA feature Signed-off-by: Deep Debroy <ddebroy@docker.com> * Enhancements to GMSA docs Signed-off-by: Deep Debroy <ddebroy@docker.com> * Fix links Signed-off-by: Deep Debroy <ddebroy@docker.com> * Fix GMSA link Signed-off-by: Deep Debroy <ddebroy@docker.com> * Add GMSA feature flag in feature flag list Signed-off-by: Deep Debroy <ddebroy@docker.com> * Relocate GMSA to container configuration Signed-off-by: Deep Debroy <ddebroy@docker.com> * Add example for container spec Signed-off-by: Deep Debroy <ddebroy@docker.com> * Remove changes in Windows index Signed-off-by: Deep Debroy <ddebroy@docker.com> * Update configure-gmsa.md * Update configure-gmsa.md * Update configure-gmsa.md * Update configure-gmsa.md * Rearrange the steps into two sections and other edits Signed-off-by: Deep Debroy <ddebroy@docker.com> * Fix links Signed-off-by: Deep Debroy <ddebroy@docker.com> * Add reference to script to generate GMSA YAMLs Signed-off-by: Deep Debroy <ddebroy@docker.com> * Some more clarifications for GMSA Signed-off-by: Deep Debroy <ddebroy@docker.com> * HugePages graduated to GA (#13004) * HugePages graduated to GA * fixing nit for build * Docs for node PID limiting (kubernetes/kubernetes#73651) (#12932) * kubeadm: update the reference documentation for 1.14 (#12911) * kubeadm: update list of generated files for 1.14 NOTE: PLACEHOLDERS! these files are generated by SIG Docs each release, but we need them to pass the k/website PR CI. - add join_phase* (new sub phases of join) - add init_phase_upload-certs.md (new upload certs phase for init) - remove alpha-preflight (now both init and join have this) * kubeadm: update reference docs includes for 1.14 - remove includes from alpha.md - add upload-certs to init-phase.md - add join-phase.md and it's phases * kubeadm: update the editorial content of join and init - cleanup master->control-plane node - add some notes about phases and join - remove table about pre-pulling images - remove outdated info about self-hosting * kubeadm: update target release for v1alpha3 removal 1.14 -> 1.15 * kubeadm: copy edits for 1.14 reference docs (part1) * kubeadm: use "shell" for code blocks * kubeadm: update the 1.14 HA guide (#13191) * kubeadm: update the 1.14 HA guide * kubeadm: try to fix note/caution indent in HA page * kubeadm: fix missing sudo and minor amends in HA doc * kubeadm: apply latest amends to the HA doc for 1.14 * fixed a few missed merge conflicts * Admission Webhook new features doc (#12938) - kubernetes/kubernetes#74998 - kubernetes/kubernetes#74477 - kubernetes/kubernetes#74562 * Clarifications and fixes in GMSA doc (#13226) * Clarifications and fixes in GMSA doc Signed-off-by: Deep Debroy <ddebroy@docker.com> * Update configure-gmsa.md * Reformat to align headings and pre-reqs better Signed-off-by: Deep Debroy <ddebroy@docker.com> * Reformat to align headings and pre-reqs better Signed-off-by: Deep Debroy <ddebroy@docker.com> * Reformat to fix bullets Signed-off-by: Deep Debroy <ddebroy@docker.com> * Reword application of sample gmsa Signed-off-by: Deep Debroy <ddebroy@docker.com> * Update configure-gmsa.md * Address feedback to use active voice Signed-off-by: Deep Debroy <ddebroy@docker.com> * Address feedback to use active voice Signed-off-by: Deep Debroy <ddebroy@docker.com> * RunAsGroup documentation for Progressing this to Beta (#12297) * start serverside-apply documentation (#13077) * start serverside-apply documentation * add more concept info on server side apply * Update api concepts * Update api-concepts.md * fix style issues * Document CSI update (#12928) * Document CSI update * Finish CSI documentation Also fix mistake with ExpandInUsePersistentVolumes documented as beta * Overall docs for CSI Migration feature (#12935) * Placeholder docs for CSI Migration feature Signed-off-by: Deep Debroy <ddebroy@docker.com> * Address CR comments and update feature gates Signed-off-by: Deep Debroy <ddebroy@docker.com> * Add mappings for CSI plugins Signed-off-by: Deep Debroy <ddebroy@docker.com> * Add sections for AWS and GCE PD migration Signed-off-by: Deep Debroy <ddebroy@docker.com> * Add docs for Cinder and CSI Migration info Signed-off-by: Deep Debroy <ddebroy@docker.com> * Clarify scope to volumes with file system Signed-off-by: Deep Debroy <ddebroy@docker.com> * Change the format of EBS and Cinder CSI Migration sections to follow the GCE template Signed-off-by: Deep Debroy <ddebroy@docker.com> * Windows documentation updates for 1.14 (#12929) * Updated the note to indicate doc work for 1.14 * first attempt at md export from gdoc * simplifyig * big attempt * moving DRAFT windows content to PR for review * moving content to PR in markdown for review * updated note tags * Delete windows-contributing.md deleting this file as it is already ported to the github contributor guide * fixed formatting in intro and cluster setup guide * updating formatting for running containers guide * rejiggered end of troubleshooting * fixed minor typos * Clarified the windows binary download step * Update _index.md making updates based on feedback * Update _index.md updating ovn-kubernetes docs * Update _index.md * Update _index.md * updating relative docs links updating all the links to be relative links to /docs * Update _index.md * Update _index.md updates for windows services and ovn-kubernetes * formatted for correct step numbering * fix typos * Update _index.md updates for flannel PR in troubleshooting * Update _index.md * Update _index.md updating a few sections like roadmap, services, troubleshooting/filing tickets * Update _index.md * Update _index.md * Update _index.md * Fixed a few whitespace issues * Update _index.md * Update _index.md * Update _index.md * add section on upgrading CoreDNS (#12909) * documentation for kubelet resource metrics endpoint (#12934) * windows docs updates for 1.14 (#13279) * Delete sample-l2bridge-wincni-config.json this file is not used anywhere * Update _index.md * Update _index.md * Update _index.md * Update _index.md * Update _index.md * Rename content/en/docs/getting-started-guides/windows/_index.md to content/en/docs/setup/windows/_index.md moving to new location * Delete flannel-master-kubectl-get-ds.png * Delete flannel-master-kubeclt-get-pods.png * Delete windows-docker-error.png * Add files via upload * Rename _index.md to add-windows-nodes.md * Create _index.md * Update _index.md * Update add-windows-nodes.md * Update add-windows-nodes.md * Create user-guide-windows-nodes.md * Create user-guide-windows-containers.md * Update and rename add-windows-nodes.md to intro-windows-nodes.md * Update user-guide-windows-containers.md * Rename intro-windows-nodes.md to intro-windows-in-kubernetes.md * Update user-guide-windows-nodes.md * Update user-guide-windows-containers.md * Update user-guide-windows-containers.md * Update user-guide-windows-nodes.md * Update user-guide-windows-containers.md * Update _index.md * Update intro-windows-in-kubernetes.md * Update intro-windows-in-kubernetes.md fixing the pause image * Update intro-windows-in-kubernetes.md changing tables from html to MD * Update user-guide-windows-nodes.md converting tables from HTML to MD * Update intro-windows-in-kubernetes.md * Update user-guide-windows-nodes.md * Update user-guide-windows-nodes.md * Update user-guide-windows-nodes.md updating the numbering , even though it messes up the notes a little bit. Jim will file a ticket to follow up * Update user-guide-windows-nodes.md * update to windows docs for 1.14 (#13322) * Update intro-windows-in-kubernetes.md * Update intro-windows-in-kubernetes.md * Update intro-windows-in-kubernetes.md * Update intro-windows-in-kubernetes.md * Update intro-windows-in-kubernetes.md * Update user-guide-windows-containers.md * Update user-guide-windows-nodes.md * Update intro-windows-in-kubernetes.md (#13344) * server side apply followup (#13321) * change some parts of serverside apply docs in response to comments * fix typos and wording * Update config.toml (#13365)
|
included in docs PR for 1.15 at kubernetes/website#14671 |
7 tasks
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This is a task from Extensibility GA
Currently apiserver sends AdmissionReview to Admission Webhooks in v1beta1. We are going to introduce AdmissionReview v1 and a prerequisite for that is to have a mechanism for the webhook to define versions they understand. This PR addresses that.
The mechanism is also added to CRD Conversion Webhook stack.
/cc @liggitt @roycaihw @sttts @caesarxuchao