Promote admission webhook API to v1 #79549

liggitt · 2019-06-29T00:04:52Z

What type of PR is this?
/kind api-change
/kind feature

What this PR does / why we need it:

Promotes the {Validating,Mutating}WebhookConfiguration types to v1
failurePolicy default changed from Ignore to Fail for v1
matchPolicy default changed from Exact to Equivalent for v1
timeout default changed from 30s to 10s for v1
sideEffects default value is removed and the field made required for v1
admissionReviewVersions default value is removed and the field made required for v1
webhook names required to be unique when creating v1 configuration objects (Admission Webhook Names are not guaranteed to be unique within their configuration #78510)
Adds unit tests for new defaults
Adds unit tests for new validation

Special notes for your reviewer:

The first commit just copies the existing types, changes package names, and finds/replaces v1beta1 with v1
The subsequent commits change or remove a specific default in the v1 API, or tighten validation in the v1 API
The last commit is generated files

Does this PR introduce a user-facing change?:

The `MutatingWebhookConfiguration` and `ValidatingWebhookConfiguration` APIs have been promoted to `admissionregistration.k8s.io/v1`:
* `failurePolicy` default changed from `Ignore` to `Fail` for v1
* `matchPolicy` default changed from `Exact` to `Equivalent` for v1
* `timeout` default changed from `30s` to `10s` for v1
* `sideEffects` default value is removed, and the field made required, and only `None` and `NoneOnDryRun` are permitted for v1
* `admissionReviewVersions` default value is removed and the field made required for v1 (supported versions for AdmissionReview are `v1` and `v1beta1`)
* The `name` field for specified webhooks must be unique for `MutatingWebhookConfiguration` and `ValidatingWebhookConfiguration` objects created via `admissionregistration.k8s.io/v1`
The `admissionregistration.k8s.io/v1beta1` versions of `MutatingWebhookConfiguration` and `ValidatingWebhookConfiguration` are deprecated and will no longer be served in v1.19.

/sig api-machinery
/cc @sttts @jpbetz @roycaihw

liggitt · 2019-06-29T01:06:07Z

/retest

liggitt · 2019-06-29T01:30:15Z

/retest

liggitt · 2019-07-02T04:32:59Z

/priority important-soon

liggitt · 2019-07-11T00:31:06Z

/retest

sttts · 2019-07-11T16:32:10Z

lgtm
/approve

/assign @smarterclayton

for final lgtm

k8s-ci-robot · 2019-07-11T16:32:40Z

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: liggitt, sttts

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

~~OWNERS~~ [liggitt]
~~api/OWNERS~~ [liggitt]
~~pkg/api/OWNERS~~ [liggitt]
~~staging/src/k8s.io/api/OWNERS~~ [liggitt]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

smarterclayton · 2019-07-11T21:20:07Z

/lgtm

roycaihw · 2019-09-17T21:10:20Z

/area admission-control

The sideEffects field field became required in v1 version of the resource kubernetes/kubernetes#79549 Also adding failurePolicy: Ignore, because the default value has changed to Fail in v1.16. These changes are not needed for v1beta1, but I still add them for those cases as well for consistency.

…ixes #4627 (#4632) * Backend - Caching - Fixed deployer failure on Kubernetes v1.16+ The sideEffects field field became required in v1 version of the resource kubernetes/kubernetes#79549 Also adding failurePolicy: Ignore, because the default value has changed to Fail in v1.16. These changes are not needed for v1beta1, but I still add them for those cases as well for consistency. * The admissionReviewVersions field became required in the v1 API in v1.16 See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#request

…ixes kubeflow#4627 (kubeflow#4632) * Backend - Caching - Fixed deployer failure on Kubernetes v1.16+ The sideEffects field field became required in v1 version of the resource kubernetes/kubernetes#79549 Also adding failurePolicy: Ignore, because the default value has changed to Fail in v1.16. These changes are not needed for v1beta1, but I still add them for those cases as well for consistency. * The admissionReviewVersions field became required in the v1 API in v1.16 See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#request

…ixes #4627 (#4632) * Backend - Caching - Fixed deployer failure on Kubernetes v1.16+ The sideEffects field field became required in v1 version of the resource kubernetes/kubernetes#79549 Also adding failurePolicy: Ignore, because the default value has changed to Fail in v1.16. These changes are not needed for v1beta1, but I still add them for those cases as well for consistency. * The admissionReviewVersions field became required in the v1 API in v1.16 See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#request

…ixes kubeflow#4627 (kubeflow#4632) * Backend - Caching - Fixed deployer failure on Kubernetes v1.16+ The sideEffects field field became required in v1 version of the resource kubernetes/kubernetes#79549 Also adding failurePolicy: Ignore, because the default value has changed to Fail in v1.16. These changes are not needed for v1beta1, but I still add them for those cases as well for consistency. * The admissionReviewVersions field became required in the v1 API in v1.16 See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#request

k8s-ci-robot requested a review from jpbetz June 29, 2019 00:04

k8s-ci-robot added the release-note Denotes a PR that will be considered when it comes time to generate release notes. label Jun 29, 2019

k8s-ci-robot requested review from roycaihw and sttts June 29, 2019 00:04

liggitt added this to the v1.16 milestone Jun 29, 2019

liggitt force-pushed the admission-webhooks-v1 branch from eb1d207 to a8aeb29 Compare June 29, 2019 00:07

k8s-ci-robot added area/kubectl area/test sig/cli Categorizes an issue or PR as relevant to SIG CLI. sig/testing Categorizes an issue or PR as relevant to SIG Testing. approved Indicates a PR has been approved by an approver from all required OWNERS files. labels Jun 29, 2019

liggitt force-pushed the admission-webhooks-v1 branch 3 times, most recently from 38632e9 to 875eac0 Compare June 29, 2019 00:54

liggitt force-pushed the admission-webhooks-v1 branch from 875eac0 to ddad5bd Compare June 29, 2019 05:39

k8s-ci-robot added the sig/apps Categorizes an issue or PR as relevant to SIG Apps. label Jun 29, 2019

k8s-ci-robot added priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release. and removed needs-priority Indicates a PR lacks a `priority/foo` label and requires one. labels Jul 2, 2019

Copy v1beta1 to v1 admission registration types

d2a84a5

Generated

b15aed6

liggitt force-pushed the admission-webhooks-v1 branch from 8500cb2 to b15aed6 Compare July 10, 2019 21:38

k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Jul 11, 2019

k8s-ci-robot merged commit 3dd8add into kubernetes:master Jul 12, 2019

liggitt deleted the admission-webhooks-v1 branch July 25, 2019 14:46

This was referenced Aug 2, 2019

Switch admission webhook config manager to v1 #80883

Merged

Limit v1 webhooks to None and NoneOnDryRun side effects classes #81046

Merged

liggitt mentioned this pull request Aug 25, 2019

Mark v1beta1 webhooks/CRD types deprecated in favor of v1 #81899

Merged

k8s-ci-robot added the area/admission-control label Sep 17, 2019

howardjohn mentioned this pull request Nov 11, 2019

Migrate webhooks to API version v1 istio/istio#18838

Closed

jpbetz mentioned this pull request Apr 16, 2020

Webhook with FailurePolicy: Ignore that applies to controller manager leases breaks clusters #90217

Closed

vpnachev mentioned this pull request Aug 25, 2020

Mutating webhook doesn't abide by the failurePolicy of Ignore and blocks further pod creation gardener/gardener#2779

Closed

This was referenced Sep 30, 2020

Update deprecated api group admissionregistration.k8s.io/v1beta1 chaos-mesh/chaos-mesh#1007

Closed

Update deprecated api group admissionregistration.k8s.io/v1beta1 cruise-automation/k-rail#86

Closed

Ark-kun mentioned this pull request Oct 17, 2020

fix(backend): Caching - Fixed deployer failure on Kubernetes v1.16+. Fixes #4627 kubeflow/pipelines#4632

Merged

sonyafenge mentioned this pull request Feb 9, 2021

Promote admission webhook API to v1 CentaurusInfra/arktos#981

Merged

qinqon mentioned this pull request Feb 23, 2021

Use webhookconfig v1 qinqon/kube-admission-webhook#46

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Promote admission webhook API to v1 #79549

Promote admission webhook API to v1 #79549

liggitt commented Jun 29, 2019 •

edited

Loading

liggitt commented Jun 29, 2019

liggitt commented Jun 29, 2019

liggitt commented Jul 2, 2019

liggitt commented Jul 11, 2019

sttts commented Jul 11, 2019

k8s-ci-robot commented Jul 11, 2019

smarterclayton commented Jul 11, 2019

roycaihw commented Sep 17, 2019

Promote admission webhook API to v1 #79549

Promote admission webhook API to v1 #79549

Conversation

liggitt commented Jun 29, 2019 • edited Loading

liggitt commented Jun 29, 2019

liggitt commented Jun 29, 2019

liggitt commented Jul 2, 2019

liggitt commented Jul 11, 2019

sttts commented Jul 11, 2019

k8s-ci-robot commented Jul 11, 2019

smarterclayton commented Jul 11, 2019

roycaihw commented Sep 17, 2019

liggitt commented Jun 29, 2019 •

edited

Loading