Describe the solution you'd like

Add flag `--webhook-defers-to-vap`, defaulting to false. Defaulting to false so that the GK webhook can act as a fallback in case VAP fails. However, for allow cases, it will result in extra CPU usage from the webhook.

If false, `vapDefault` for the vap driver in constraint framework is nil. When `vapDefault` is nil, the use-vap label cannot override the behavior.

If true, then set `vapDefault` to `VAPDefaultNo` such that the use-vap label on constraint templates and constraints can override the behavior.

Note: After reviewing the k8s apiserver code, the admission plugins are processed in a somewhat predictable order, see https://github.com/kubernetes/kubernetes/blob/20d0ab7ae808aaddb1556c3c38ca0607663c50ac/staging/src/k8s.io/apiserver/pkg/admission/chain.go#L46-L55. This means the vap plugin should be processed before any of the webhooks, and if there's an error, it will return immediately without hitting any of the subsequent plugins.

From https://github.com/kubernetes/kubernetes/blob/20d0ab7ae808aaddb1556c3c38ca0607663c50ac/pkg/kubeapiserver/options/plugins.go#L97-L102 the comment suggests webhook, resourcequota, and deny plugins should always go last. Technically the order could be changed, but it is probably unlikely. We have open-policy-agent/frameworks#400 in framework, but it defaults to nil so use-vap labels cannot override the behavior, such that GK can act as a fallback. However, this does mean extra CPU overhead for the successful requests. We will continue to monitor this to determine a good default to set in GK.
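The three-state `vapDefault` setting described above, as an added model written for this page (not Gatekeeper's or the constraint framework's own code): `vapDefaultFromFlag` and `webhookEnforces` are hypothetical names, and the assumption that a use-vap label value of "yes" makes the webhook defer to VAP is mine, not stated in the issue.

```go
package main

import "fmt"

// VAPDefault models the vap driver setting from the issue: a nil pointer means
// labels cannot override (the webhook always enforces, acting as a fallback);
// a non-nil value is the default that use-vap labels may override.
type VAPDefault string

const (
	VAPDefaultNo  VAPDefault = "no"
	VAPDefaultYes VAPDefault = "yes"
)

// vapDefaultFromFlag maps --webhook-defers-to-vap to the driver setting.
func vapDefaultFromFlag(webhookDefersToVAP bool) *VAPDefault {
	if !webhookDefersToVAP {
		return nil // labels cannot override; webhook evaluates every request
	}
	v := VAPDefaultNo
	return &v
}

// webhookEnforces reports whether the webhook evaluates a request itself.
// useVAPLabel is the value of the use-vap label ("" when unset).
// Assumption (not from the issue): label "yes" means defer to VAP.
func webhookEnforces(vapDefault *VAPDefault, useVAPLabel string) bool {
	if vapDefault == nil {
		return true // nil: label is ignored, webhook is the fallback
	}
	effective := *vapDefault
	switch useVAPLabel {
	case "yes":
		effective = VAPDefaultYes
	case "no":
		effective = VAPDefaultNo
	}
	return effective != VAPDefaultYes
}

func main() {
	for _, flag := range []bool{false, true} {
		for _, label := range []string{"", "yes", "no"} {
			fmt.Printf("--webhook-defers-to-vap=%v use-vap=%q -> webhook enforces: %v\n",
				flag, label, webhookEnforces(vapDefaultFromFlag(flag), label))
		}
	}
}
```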