Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add sideEffects field to Webhooks #2963

Merged
merged 6 commits into from Jun 21, 2019
Merged

Add sideEffects field to Webhooks #2963

merged 6 commits into from Jun 21, 2019

Conversation

Pothulapati
Copy link
Contributor

Fixes #2850

This PR adds the sideEffects field to the webhooks by default. As sideEffects field is supported from kubernetes version ge 1.12, the PR also bumps the minSupported version for check to 1.12

For users, to run on clusters < 1.12, they can use the --omit-webhook-side-effects to omit the sideEffects during installation, and this is flag is persisted during upgrades.

@ihcsim @grampelberg

@Pothulapati
Bump min supported version to 1.12
2ec0c18 
Signed-off-by: Tarun Pothulapati <tarunpothulapati@outlook.com>
@Pothulapati
Add SideEffects field and corresponding omit flag
3dd2986 
Signed-off-by: Tarun Pothulapati <tarunpothulapati@outlook.com>
@Pothulapati
updating golden test outputs
45adf1f 
Signed-off-by: Tarun Pothulapati <tarunpothulapati@outlook.com>
ihcsim
ihcsim reviewed Jun 20, 2019
View reviewed changes
Copy link
Contributor

@ihcsim ihcsim left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for this PR. See comments below.

cli/cmd/install.go Outdated Show resolved Hide resolved
cli/cmd/install.go Outdated Show resolved Hide resolved
@Pothulapati
omit flag dosent have to be exported
f452d34 
Signed-off-by: Tarun Pothulapati <tarunpothulapati@outlook.com>
@Pothulapati
Copy link
Contributor Author

Updated. :) @ihcsim

@ihcsim
Copy link
Contributor

ihcsim commented Jun 20, 2019

Thanks!

I am using this branch to do some testing on upgrade atm. I notice that we need to update the config.Global protobuf to include this new field too. Otherwise, pre-1.12 users will have to keep providing the --omit-webhook-side-effect flag every time they perform an upgrade.

Here's a diff for the needed change:

diff --git a/cli/cmd/install.go b/cli/cmd/install.go
index 53c4f406..359bfab8 100644
--- a/cli/cmd/install.go
+++ b/cli/cmd/install.go
@@ -761,10 +761,11 @@ func (options *installOptions) configs(identity *pb.IdentityContext) *pb.All {
 
 func (options *installOptions) globalConfig(identity *pb.IdentityContext) *pb.Global {
 	return &pb.Global{
-		LinkerdNamespace: controlPlaneNamespace,
-		CniEnabled:       options.noInitContainer,
-		Version:          options.controlPlaneVersion,
-		IdentityContext:  identity,
+		LinkerdNamespace:       controlPlaneNamespace,
+		CniEnabled:             options.noInitContainer,
+		Version:                options.controlPlaneVersion,
+		IdentityContext:        identity,
+		OmitWebhookSideEffects: options.omitWebhookSideEffects,
 	}
 }
 
diff --git a/proto/config/config.proto b/proto/config/config.proto
index 19e3320f..5ee8975d 100644
--- a/proto/config/config.proto
+++ b/proto/config/config.proto
@@ -23,6 +23,8 @@ message Global {
   IdentityContext identity_context = 4;
 
   AutoInjectContext auto_inject_context = 6 [deprecated=true];
+
+  bool omitWebhookSideEffects = 7;
 }
 
 message Proxy {

I omitted the unit tests diff because they are too long. You can update them with go test ./cli/... --update.

@Pothulapati
add flag to proto to support upgrade
d09cab2 
Signed-off-by: Tarun Pothulapati <tarunpothulapati@outlook.com>
@ihcsim
Copy link
Contributor

ihcsim commented Jun 20, 2019

@Pothulapati Thanks for the quick turnaround.

I discovered a tricky issue in upgrade. If I install the control plane with the --omit-webhook-side-effects=true option (pretending I'm on k8s 1.11), and then try to upgrade it with --omit-webhook-side-effects=false (say, now I'm on k8s 1.15), the config.Global.OmitWebhookSideEffects config becomes out-of-sync.

To reproduce:

bin/linkerd version
Client version: git-7e06dde6
Server version: unavailable

# omit the webhook side effects field
bin/linkerd install --omit-webhook-side-effects=true |k apply -f -

# these are correct
k -n linkerd get validatingwebhookconfigurations.admissionregistration.k8s.io linkerd-sp-validator-webhook-config -ojsonpath='{.webhooks[*].sideEffects}'
Unknown%
k -n linkerd get mutatingwebhookconfigurations.admissionregistration.k8s.io linkerd-proxy-injector-webhook-config -ojsonpath='{.webhooks[*].sideEffects}'
Unknown%
k -n linkerd get cm linkerd-config -ojsonpath='{.data.global}' | jq . | grep -i omitwebhooksideeffects
  "omitWebhookSideEffects": true

# do an upgrade to enable the field
bin/linkerd upgrade --omit-webhook-side-effects=false|k apply -f -

# this is out-of-sync; it should be false
k -n linkerd get cm linkerd-config -ojsonpath='{.data.global}' | jq . | grep -i omitwebhooksideeffects
  "omitWebhookSideEffects": true

# these are correct
k -n linkerd get mutatingwebhookconfigurations.admissionregistration.k8s.io linkerd-proxy-injector-webhook-config -ojsonpath='{.webhooks[*].sideEffects}'
None%
k -n linkerd get validatingwebhookconfigurations.admissionregistration.k8s.io linkerd-sp-validator-webhook-config -ojsonpath='{.webhooks[*].sideEffects}'
None%

We just need to make sure that upgrade picks up the new value of the flag:

diff --git a/cli/cmd/upgrade.go b/cli/cmd/upgrade.go
index ee5c43e9..94f0e430 100644
--- a/cli/cmd/upgrade.go
+++ b/cli/cmd/upgrade.go
@@ -218,6 +218,7 @@ func (options *upgradeOptions) validateAndBuild(stage string, k kubernetes.Inter
 		configs.GetGlobal().Version = options.controlPlaneVersion
 	}
 	configs.GetInstall().Flags = options.recordedFlags
+	configs.GetGlobal().OmitWebhookSideEffects = options.omitWebhookSideEffects
 
 	var identity *installIdentityValues
 	idctx := configs.GetGlobal().GetIdentityContext()

@Pothulapati
Fix inconsistency during upgrade command
1456dd9 
Signed-off-by: Tarun Pothulapati <tarunpothulapati@outlook.com>
@Pothulapati
Copy link
Contributor Author

Understood and updated :)
@ihcsim

ihcsim
ihcsim approved these changes Jun 21, 2019
View reviewed changes
Copy link
Contributor

@ihcsim ihcsim left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM 👍

(Maybe my kubectl is an older version, the --server-dry-run doesn't seem to do much on my local cluster.)

Here are the tests I've run (with auto-inject on emojivoto):

New installation:

bin/linkerd version --client
Client version: git-c74881e

bin/linkerd install |k apply -f -

kubectl -n linkerd get cm linkerd-config -ojsonpath='{.data.global}' | jq . | grep -i omitwebhooksideeffects
  "omitWebhookSideEffects": false
kubectl -n linkerd get mutatingwebhookconfigurations.admissionregistration.k8s.io linkerd-proxy-injector-webhook-config -ojsonpath='{.webhooks[*].sideEffects}'
None%
kubectl -n linkerd get validatingwebhookconfigurations.admissionregistration.k8s.io linkerd-sp-validator-webhook-config -ojsonpath='{.webhooks[*].sideEffects}'
None%

Upgrade from edge-19.6.2:

linkerd version --client
Client version: edge-19.6.2

kubectl -n linkerd get cm linkerd-config -ojsonpath='{.data.global}' | jq . | grep -i omitwebhooksideeffects
kubectl -n linkerd get validatingwebhookconfigurations.admissionregistration.k8s.io linkerd-sp-validator-webhook-config -ojsonpath='{.webhooks[*].sideEffects}'
Unknown%
kubectl -n linkerd get mutatingwebhookconfigurations.admissionregistration.k8s.io linkerd-proxy-injector-webhook-config -ojsonpath='{.webhooks[*].sideEffects}'
Unknown%

bin/linkerd upgrade | kubectl apply -f -
bin/linkerd version
Client version: git-7e06dde6
Server version: git-7e06dde6

kubectl -n linkerd get cm linkerd-config -ojsonpath='{.data.global}' | jq . | grep -i omitwebhooksideeffects
  "omitWebhookSideEffects": false
kubectl -n linkerd get mutatingwebhookconfigurations.admissionregistration.k8s.io linkerd-proxy-injector-webhook-config -ojsonpath='{.webhooks[*].sideEffects}'
None%
kubectl -n linkerd get validatingwebhookconfigurations.admissionregistration.k8s.io linkerd-sp-validator-webhook-config -ojsonpath='{.webhooks[*].sideEffects}'
None%

Install with --omit-webhook-side-effects=true

bin/linkerd version
Client version: git-7e06dde6
Server version: unavailable

bin/linkerd install --omit-webhook-side-effects=true |k apply -f -
kubectl -n linkerd get validatingwebhookconfigurations.admissionregistration.k8s.io linkerd-sp-validator-webhook-config -ojsonpath='{.webhooks[*].sideEffects}'
Unknown%
kubectl -n linkerd get mutatingwebhookconfigurations.admissionregistration.k8s.io linkerd-proxy-injector-webhook-config -ojsonpath='{.webhooks[*].sideEffects}'
Unknown%
kubectl -n linkerd get cm linkerd-config -ojsonpath='{.data.global}' | jq . | grep -i omitwebhooksideeffects
  "omitWebhookSideEffects": true

bin/linkerd upgrade --omit-webhook-side-effects=false | kubectl apply -f -
kubectl -n linkerd get cm linkerd-config -ojsonpath='{.data.global}' | jq . | grep -i omitwebhooksideeffects
  "omitWebhookSideEffects": false
kubectl -n linkerd get mutatingwebhookconfigurations.admissionregistration.k8s.io linkerd-proxy-injector-webhook-config -ojsonpath='{.webhooks[*].sideEffects}'
None%
kubectl -n linkerd get validatingwebhookconfigurations.admissionregistration.k8s.io linkerd-sp-validator-webhook-config -ojsonpath='{.webhooks[*].sideEffects}'
None%

@Pothulapati
Copy link
Contributor Author

@ihcsim dry-run dosen't effect anything with emojivoto because, it is a deployment and our webhooks mutate only pods as in dry-run the deployment isnt actually run, dry-run without sideEffects:None dosent fail, try with a pod deployment with linkerd injection label, it will fail when dry-run is enabled and sideEffects:None is not present :)

@ihcsim
Copy link
Contributor

ihcsim commented Jun 21, 2019

@Pothulapati Ha! Thanks for the tips. You are right. The --server-dry-run is in-effect only with pod workloads, because the Deployment is never persisted by the api server. Hence, our proxy injector isn't triggered, as no pods are created.

E.g. on a PSP-enabled cluster with limit range defined, I can use

kubectl apply --server-dry-run -f my-pod.yaml -o yaml

to see the final injected YAML of my pod. Also, with service profile validator, I can see the sp-validator picks up the admission requests in dry run mode, instead of rejecting it.

@ihcsim ihcsim merged commit a3ce06b into linkerd:master Jun 21, 2019
alpeb added a commit that referenced this pull request Sep 21, 2021
@alpeb
Remove omitWebhookSideEffects flag/setting
a240e13 
This was introduced back in #2963 to support k8s with versions before 1.12 that didn't support the `sideEffects` property in webhooks. It's been a while we no longer support 1.12, so we can safely drop this.
@alpeb alpeb mentioned this pull request Sep 21, 2021
Merged
alpeb added a commit that referenced this pull request Sep 22, 2021
@alpeb
Remove omitWebhookSideEffects flag/setting (#6942)
90f8c9d 
* Remove `omitWebhookSideEffects` flag/setting

This was introduced back in #2963 to support k8s with versions before 1.12 that didn't support the `sideEffects` property in webhooks. It's been a while we no longer support 1.12, so we can safely drop this.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ihcsim ihcsim ihcsim approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Admission controller not supporting --server-dry-run
2 participants
@Pothulapati @ihcsim