Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add Finalizers, PolicyStatus, PolicyActive condition to ClusterAdmissionPolicies #76

Merged
merged 26 commits into from Sep 20, 2021
Merged

Add Finalizers, PolicyStatus, PolicyActive condition to ClusterAdmissionPolicies #76

merged 26 commits into from Sep 20, 2021

Conversation

viccuad
Copy link
Member

@viccuad viccuad commented Sep 16, 2021
edited

In this PR:

  • Add defaulter, validating, mutating webhooks for ClusterAdmissionPolicies, namely for adding finalizers, and checking that the policyServer is immutable.
    Given the difficulty on testing, added apis/policies/v1alpha2/webhook_suite_test.go.

  • Refactor ClusterAdmissionPolicyStatus.PolicyActive status into PolicyStatus: now it accepts unscheduled, unschedulable, pending, active.

  • Refactor PolicyServerBound Condition to ClusterAdmissionPolicyActive.
    Test with:

    kubectl wait --for=condition=active clusteradmissionpolicy psp-capabilities

  • Enable Kustomize patches for cert-manager.

  • Add RBAC marker for secrets and confimaps, needed to run/test in-cluster.

  • Drop unneeded funcs, refactor as needed to be able to test.

Closes: #69, #72.

Thanks @ereslibre & @raulcabello for the pairing!

(It may be a good idea to review per commits, instead of by changes).

To test with an out-of-cluster controller, one would need to create a proxy to the webhook server (TBD) since the webhooks are registered against the controller manager webhook server. To allow for the manager to at least start without faiiures, a new make dev-webhook-certs target has been added. It creates and sets the certs in localhost and gets called on make run.
Therefore, to test meanwhile skipping the registration of webhooks yet having a working controller:

$ kubectl create namespace kubewarden-controller-system
$ make install
$ make run ENABLE_WEBHOOKS=false NAMESPACE=kubewarden-controller-system

To test with an in-cluster controller, cert-manager has been scaffolded for creating the needed cert to register the webhooks.
Example with k3d:

$ k3d cluster create
$ kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v1.5.3/cert-manager.yaml
$ make docker-build NAMESPACE=kubewarden-controller-system
$ k3d image import controller:latest
$ kubectl create namespace kubewarden-controller-system
$ make deploy IMG=controller:latest NAMESPACE=kubewarden-controller-system
## patch deployment with ImagePullPolicy: Never

viccuad and others added 18 commits September 7, 2021 10:41
@viccuad
Remove indirect from google/go-cmp
25f0198
@viccuad
Scaffold ClusterAdmissionPolicy webhooks
cae98b0 
Performed with:

kubebuilder create webhook --group policies --version v1alpha2 \
    --kind ClusterAdmissionPolicy --defaulting --programmatic-validation
@viccuad
Reset namespaced: false in PROJECT
bed19c8 
So future scaffolding of new components is not namespaced.
@viccuad
Enable Kustomize patches for webhooks
416b9bc 
Add also PolicyServer webhook patches, as they were already created and
added when creating the PolicyServer CR.
@viccuad
Add missing conversionReviewVersions to clusteradmissionpolicies
8c2b809
@viccuad
Refactor: Use controllerutil.RemoveFinalizer() in reconciler.go
3653bd6 
Drop uneeded removeKubewardenFinalizer() and its test.
@viccuad
Add finalizer, make Spec.PolicyServer immutable for ClusterAdmissionP…
e024d02 
…olicy

Add Gingko tests to webhook_suite_test.go.
@viccuad @raulcabello
Don't run defaulter webhook on resource update
273d977 
It is plain wrong. Also, it will add the finalizer again after the
reconciler removes it, therefore the ClusterAdmissionPolicy will not get
garbage collected.

Co-Authored-By: Raul Cabello Martin <raul.cabello@suse.com>
@viccuad
Drop clusteradmissionpolicy_controller.go.updateAdmissionPolicyStatus()
fb3c444 
We only use the ClusterAdmissionPolicy controller to call the
PolicyServer controller. We don't need this function. Plus, we already
have it in pkg/admission/reconciler.go.updateAdmissionPolicyStatus().
@viccuad
Refactor PolicyActive to PolicyStatus and set "active"
46d2b14 
PolicyStatus represents whether the ClusterAdmissionPolicy is
unscheduled, unschedulable, pending, or active.

Run `make manifests` to update CRDs.
@viccuad
Set PolicyStatus "unscheduled" as default in CRD
8e1fdc8 
This has no effect for changing the default on create, as it cannot be
changed there. Nor it gets changed after read later on. It's only for
good UX.

We keep assuming PolicyStatus can be "" and setting where corresponds.

Run `make manifests`.
@viccuad @ereslibre
Don't require Conditions when changing policyStatus
93415e5 
In the past, we set Conditions and PolicyStatus at the same time. Now,
we set PolicyStatus dependending on what state we are moving
onto (schedulable, pending, active..) and set the Condition only when
the ClusterAdmissionPolicy is active.

By removing Conditions from required, we can correctly set the default
PolicyStatus to "unscheduled".

Co-authored-by: Rafael Fernández López <ereslibre@ereslibre.es>
@viccuad
Enable Kustomize patches for cert-manager
5e85a08
@viccuad
Add RBAC marker for secrets and confimaps
8ca47a8 
Allow manager-role to create,get,list,patch,update,watch for both
- secrets: needed for webhooks
- configmaps: needed for reading the configmap associated with each
  policy-server
@viccuad @raulcabello @ereslibre
Set PolicyStatus to "unscheduled", "pending" and "unschedulable"
6ac408b 
Default to "unscheduled".

For "unschedulable", obtain the list of policyServers that match the
policy.Spec.PolicyServer. If empty, update the PolicyStatus. For that,
export Reconciler.UpdateAdmissionPolicyStatus() and add a new
FieldIndexer.

For "pending", set it on the watch, until the PolicyServer rollout has
finished and the admission webhook is registered.

Co-Authored-By: Raul Cabello Martin <raul.cabello@suse.com>
Co-Authored-By: Rafael Fernández López <ereslibre@ereslibre.es>
@viccuad
Refactor PolicyServerBound Condition to ClusterAdmissionPolicyActive
2ea447c 
Test with:
```
kubectl wait --for=condition=active clusteradmissionpolicy psp-capabilities
```
@viccuad
Add make dev-cert-webhooks target
5a6f40c 
Creates local cert and set its where the local controller manager
expects it.

Useful when developing with `make run WEBHOOKS_ENABLE=false`.
@viccuad
Change sample to use policy-server:latest image
31583a9 
That way one will not get image pull errors when testing, as
policy-server image is currently in v0.1.0.
@viccuad viccuad added this to Pending review in Development Sep 16, 2021
@viccuad viccuad self-assigned this Sep 16, 2021
@viccuad viccuad requested a review from jvanz September 16, 2021 18:00
raulcabello
raulcabello requested changes Sep 17, 2021
View reviewed changes
Copy link
Contributor

@raulcabello raulcabello left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM just some minor suggestions
Thanks @viccuad !

@viccuad
Generate ClusterAdmissionPolicyActive status correctly
eb9fe88 
Remove leftover from previous approach.
Run `make manifests`.
@raulcabello
Copy link
Contributor

@viccuad I can't create policies without settings, I get The ClusterAdmissionPolicy "privileged-pods" is invalid: spec.settings: Invalid value: "null": spec.settings in body must be of type object: "null"
But if I remove the mutating webhook then I can create them

ereslibre
ereslibre approved these changes Sep 17, 2021
View reviewed changes
Copy link
Member

@ereslibre ereslibre left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks @viccuad!, really great work, we learnt quite a lot of things in the process 👏

@viccuad
Add RBAC for deployments,services,configmaps,secrets
e7285c2 
Run `make manifests`.
@viccuad
Add Log.Info when policy becomes active
808ff6a
@viccuad
Mark Policy's .spec.settings as nullable
5c01067 
This allows for policies with no settings object in the spec.
(optional )

This change, in k8s >= v1.20, means that the object will not be pruned
if it has no value, and it will be `settings: null` instead.
This solves errors suchs as:

> The ClusterAdmissionPolicy "psp-capabilities-no-settings" is invalid:
> spec.settings: Invalid value: "null": spec.settings in body must be of
> type object: "null"

See:
https://kubernetes.io/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definitions/#defaulting-and-nullable
@viccuad viccuad merged commit 954a59b into kubewarden:new-architecture Sep 20, 2021
@ereslibre ereslibre moved this from Pending review to Done in Development Sep 20, 2021
This was referenced Sep 20, 2021
Closed
Closed
@viccuad viccuad deleted the webhooks branch October 6, 2021 09:42
@viccuad viccuad mentioned this pull request Oct 15, 2021
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ereslibre ereslibre ereslibre approved these changes

@raulcabello raulcabello raulcabello approved these changes

@flavio flavio Awaiting requested review from flavio

@jvanz jvanz Awaiting requested review from jvanz

Assignees

@viccuad viccuad

Labels
None yet
Projects
No open projects
Development
Done (weekly)
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@viccuad @raulcabello @ereslibre