mutating webhook: audit log mutation existence and patch #77824
Mutating webhooks can silently mutate objects and cause API requests to fail validation (#62666). Currently when a request goes through the admission chain, kube-apiserver doesn’t log / store a trace of:
1. which mutating webhooks mutated the request;
2. what was changed in the request.

Moreover, when a mutated request fails validation, the validation error message doesn’t necessarily reveal the actual cause (mutating webhooks) for the request to be invalid (#65569 (comment)). This makes it hard to debug a Kubernetes cluster when (misconfigured) mutating webhooks silently invalidate valid requests and put the cluster in undesired states.
What this PR does:
This PR records the names of mutating webhooks in the audit log to help answer the question "which mutating webhooks mutated the request".
Does this PR introduce a user-facing change?:
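An added example, not code from this PR: a triage script that reads kube-apiserver audit log lines and reports, per request, which mutating webhooks changed the object and with what patch. It assumes the annotation keys used by released Kubernetes versions (`mutation.webhook.admission.k8s.io/round_N_index_M` and `patch.webhook.admission.k8s.io/round_N_index_M`, each holding a JSON string); the sample events and webhook names are constructed.

```python
import json
import re

# Key layout of released kube-apiserver versions (assumed; not given on the page).
KEY_RE = re.compile(
    r"^(mutation|patch)\.webhook\.admission\.k8s\.io/round_(\d+)_index_(\d+)$")

def webhook_mutations(event):
    """List, in invocation order, the webhooks that mutated one audit event."""
    calls = {}
    for key, raw in (event.get("annotations") or {}).items():
        m = KEY_RE.match(key)
        if not m:
            continue
        try:
            value = json.loads(raw)
        except (TypeError, ValueError):
            continue  # malformed annotation value: skip, keep scanning
        if isinstance(value, dict):
            calls.setdefault((int(m.group(2)), int(m.group(3))), {}).update(value)
    return [{"round": r, "index": i, "webhook": c.get("webhook"), "patch": c.get("patch")}
            for (r, i), c in sorted(calls.items())
            if c.get("mutated") or "patch" in c]

def scan(lines):
    """Map auditID -> mutating webhooks, only for events that were mutated."""
    report = {}
    for line in lines:
        try:
            event = json.loads(line)
        except ValueError:
            continue  # truncated or non-JSON log line
        hits = webhook_mutations(event) if isinstance(event, dict) else []
        if hits:
            report[event.get("auditID")] = hits
    return report

def _ann(kind, idx, **value):  # builds one constructed annotation (value is a JSON string)
    return {f"{kind}.webhook.admission.k8s.io/round_0_index_{idx}": json.dumps(value)}

SAMPLE = [  # constructed audit events, not taken from the PR
    json.dumps({"auditID": "a1", "annotations": {
        **_ann("mutation", 0, webhook="noop.example.com", mutated=False),
        **_ann("mutation", 1, webhook="inject.example.com", mutated=True),
        **_ann("patch", 1, webhook="inject.example.com", patchType="JSONPatch",
               patch=[{"op": "remove", "path": "/spec/containers/0/image"}])}}),
    json.dumps({"auditID": "a2", "annotations": {
        **_ann("mutation", 0, webhook="noop.example.com", mutated=False)}}),
    "{not json",
]
```

In released Kubernetes the mutation annotation is written at the `Metadata` audit level or higher and the patch annotation only at `Request` level or higher, so a `patch` of `None` in the output can mean the audit policy level was too low rather than that nothing changed.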
[APPROVALNOTIFIER] This PR is APPROVED
The full list of commands accepted by this bot can be found here.
The pull request process is described here
@roycaihw: The following test failed, say