New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add Finalizers
, PolicyStatus
, PolicyActive
condition to ClusterAdmissionPolicies
#76
Conversation
Performed with: kubebuilder create webhook --group policies --version v1alpha2 \ --kind ClusterAdmissionPolicy --defaulting --programmatic-validation
So future scaffolding of new components is not namespaced.
Add also PolicyServer webhook patches, as they were already created and added when creating the PolicyServer CR.
Drop uneeded removeKubewardenFinalizer() and its test.
…olicy Add Gingko tests to webhook_suite_test.go.
It is plain wrong. Also, it will add the finalizer again after the reconciler removes it, therefore the ClusterAdmissionPolicy will not get garbage collected. Co-Authored-By: Raul Cabello Martin <raul.cabello@suse.com>
We only use the ClusterAdmissionPolicy controller to call the PolicyServer controller. We don't need this function. Plus, we already have it in pkg/admission/reconciler.go.updateAdmissionPolicyStatus().
PolicyStatus represents whether the ClusterAdmissionPolicy is unscheduled, unschedulable, pending, or active. Run `make manifests` to update CRDs.
This has no effect for changing the default on create, as it cannot be changed there. Nor it gets changed after read later on. It's only for good UX. We keep assuming PolicyStatus can be "" and setting where corresponds. Run `make manifests`.
In the past, we set Conditions and PolicyStatus at the same time. Now, we set PolicyStatus dependending on what state we are moving onto (schedulable, pending, active..) and set the Condition only when the ClusterAdmissionPolicy is active. By removing Conditions from required, we can correctly set the default PolicyStatus to "unscheduled". Co-authored-by: Rafael Fernández López <ereslibre@ereslibre.es>
Allow manager-role to create,get,list,patch,update,watch for both - secrets: needed for webhooks - configmaps: needed for reading the configmap associated with each policy-server
Default to "unscheduled". For "unschedulable", obtain the list of policyServers that match the policy.Spec.PolicyServer. If empty, update the PolicyStatus. For that, export Reconciler.UpdateAdmissionPolicyStatus() and add a new FieldIndexer. For "pending", set it on the watch, until the PolicyServer rollout has finished and the admission webhook is registered. Co-Authored-By: Raul Cabello Martin <raul.cabello@suse.com> Co-Authored-By: Rafael Fernández López <ereslibre@ereslibre.es>
Test with: ``` kubectl wait --for=condition=active clusteradmissionpolicy psp-capabilities ```
Creates local cert and set its where the local controller manager expects it. Useful when developing with `make run WEBHOOKS_ENABLE=false`.
That way one will not get image pull errors when testing, as policy-server image is currently in v0.1.0.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM just some minor suggestions
Thanks @viccuad !
Remove leftover from previous approach. Run `make manifests`.
config/crd/bases/policies.kubewarden.io_clusteradmissionpolicies.yaml
Outdated
Show resolved
Hide resolved
config/crd/bases/policies.kubewarden.io_clusteradmissionpolicies.yaml
Outdated
Show resolved
Hide resolved
This reverts commit 8e1fdc8.
Run `make manifests`.
config/crd/bases/policies.kubewarden.io_clusteradmissionpolicies.yaml
Outdated
Show resolved
Hide resolved
@viccuad I can't create policies without settings, I get The ClusterAdmissionPolicy "privileged-pods" is invalid: spec.settings: Invalid value: "null": spec.settings in body must be of type object: "null" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks @viccuad!, really great work, we learnt quite a lot of things in the process 👏
Run `make manifests`.
This allows for policies with no settings object in the spec. (optional ) This change, in k8s >= v1.20, means that the object will not be pruned if it has no value, and it will be `settings: null` instead. This solves errors suchs as: > The ClusterAdmissionPolicy "psp-capabilities-no-settings" is invalid: > spec.settings: Invalid value: "null": spec.settings in body must be of > type object: "null" See: https://kubernetes.io/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definitions/#defaulting-and-nullable
In this PR:
Add defaulter, validating, mutating webhooks for ClusterAdmissionPolicies, namely for adding finalizers, and checking that the policyServer is immutable.
Given the difficulty on testing, added
apis/policies/v1alpha2/webhook_suite_test.go
.Refactor
ClusterAdmissionPolicyStatus.PolicyActive
status intoPolicyStatus
: now it acceptsunscheduled
,unschedulable
,pending
,active
.Refactor
PolicyServerBound
Condition toClusterAdmissionPolicyActive
.Test with:
Enable Kustomize patches for cert-manager.
Add RBAC marker for secrets and confimaps, needed to run/test in-cluster.
Drop unneeded funcs, refactor as needed to be able to test.
Closes: #69, #72.
Thanks @ereslibre & @raulcabello for the pairing!
(It may be a good idea to review per commits, instead of by changes).
To test with an out-of-cluster controller, one would need to create a proxy to the webhook server (TBD) since the webhooks are registered against the controller manager webhook server. To allow for the manager to at least start without faiiures, a new
make dev-webhook-certs
target has been added. It creates and sets the certs in localhost and gets called onmake run
.Therefore, to test meanwhile skipping the registration of webhooks yet having a working controller:
To test with an in-cluster controller, cert-manager has been scaffolded for creating the needed cert to register the webhooks.
Example with k3d: