From f2e18e7ee9e5118f8911e7f14b13a71fbbeaa244 Mon Sep 17 00:00:00 2001 From: Eric Fried Date: Tue, 24 Mar 2026 11:27:57 -0500 Subject: [PATCH] HIVE-3131: Add ValidatingWebhookConfiguration for ClusterPool Turns out we've been running without this... forever, despite having plenty of code for it in our admission server. --- config/hiveadmission/clusterpool-webhook.yaml | 28 +++++++++++ pkg/operator/assets/bindata.go | 48 +++++++++++++++++++ pkg/operator/hive/hiveadmission.go | 1 + 3 files changed, 77 insertions(+) create mode 100644 config/hiveadmission/clusterpool-webhook.yaml diff --git a/config/hiveadmission/clusterpool-webhook.yaml b/config/hiveadmission/clusterpool-webhook.yaml new file mode 100644 index 00000000000..4a77ea02bb2 --- /dev/null +++ b/config/hiveadmission/clusterpool-webhook.yaml @@ -0,0 +1,28 @@ +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + name: clusterpoolvalidators.admission.hive.openshift.io +webhooks: +- name: clusterpoolvalidators.admission.hive.openshift.io + admissionReviewVersions: + - v1beta1 + clientConfig: + service: + # reach the webhook via the registered aggregated API + namespace: default + name: kubernetes + path: /apis/admission.hive.openshift.io/v1/clusterpoolvalidators + rules: + - operations: + - CREATE + - UPDATE + - DELETE + apiGroups: + - hive.openshift.io + apiVersions: + - v1 + resources: + - clusterpools + failurePolicy: Fail + sideEffects: None diff --git a/pkg/operator/assets/bindata.go b/pkg/operator/assets/bindata.go index 32a9fedaa3a..7eacc73d229 100644 --- a/pkg/operator/assets/bindata.go +++ b/pkg/operator/assets/bindata.go @@ -5,6 +5,7 @@ // config/hiveadmission/apiservice.yaml // config/hiveadmission/clusterdeployment-webhook.yaml // config/hiveadmission/clusterimageset-webhook.yaml +// config/hiveadmission/clusterpool-webhook.yaml // config/hiveadmission/clusterprovision-webhook.yaml // config/hiveadmission/deployment.yaml // config/hiveadmission/dnszones-webhook.yaml @@ -357,6 +358,51 @@ func configHiveadmissionClusterimagesetWebhookYaml() (*asset, error) { return a, nil } +var _configHiveadmissionClusterpoolWebhookYaml = []byte(`--- +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + name: clusterpoolvalidators.admission.hive.openshift.io +webhooks: +- name: clusterpoolvalidators.admission.hive.openshift.io + admissionReviewVersions: + - v1beta1 + clientConfig: + service: + # reach the webhook via the registered aggregated API + namespace: default + name: kubernetes + path: /apis/admission.hive.openshift.io/v1/clusterpoolvalidators + rules: + - operations: + - CREATE + - UPDATE + - DELETE + apiGroups: + - hive.openshift.io + apiVersions: + - v1 + resources: + - clusterpools + failurePolicy: Fail + sideEffects: None +`) + +func configHiveadmissionClusterpoolWebhookYamlBytes() ([]byte, error) { + return _configHiveadmissionClusterpoolWebhookYaml, nil +} + +func configHiveadmissionClusterpoolWebhookYaml() (*asset, error) { + bytes, err := configHiveadmissionClusterpoolWebhookYamlBytes() + if err != nil { + return nil, err + } + + info := bindataFileInfo{name: "config/hiveadmission/clusterpool-webhook.yaml", size: 0, mode: os.FileMode(0), modTime: time.Unix(0, 0)} + a := &asset{bytes: bytes, info: info} + return a, nil +} + var _configHiveadmissionClusterprovisionWebhookYaml = []byte(`--- apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingWebhookConfiguration @@ -2099,6 +2145,7 @@ var _bindata = map[string]func() (*asset, error){ "config/hiveadmission/apiservice.yaml": configHiveadmissionApiserviceYaml, "config/hiveadmission/clusterdeployment-webhook.yaml": configHiveadmissionClusterdeploymentWebhookYaml, "config/hiveadmission/clusterimageset-webhook.yaml": configHiveadmissionClusterimagesetWebhookYaml, + "config/hiveadmission/clusterpool-webhook.yaml": configHiveadmissionClusterpoolWebhookYaml, "config/hiveadmission/clusterprovision-webhook.yaml": configHiveadmissionClusterprovisionWebhookYaml, "config/hiveadmission/deployment.yaml": configHiveadmissionDeploymentYaml, "config/hiveadmission/dnszones-webhook.yaml": configHiveadmissionDnszonesWebhookYaml, @@ -2184,6 +2231,7 @@ var _bintree = &bintree{nil, map[string]*bintree{ "apiservice.yaml": {configHiveadmissionApiserviceYaml, map[string]*bintree{}}, "clusterdeployment-webhook.yaml": {configHiveadmissionClusterdeploymentWebhookYaml, map[string]*bintree{}}, "clusterimageset-webhook.yaml": {configHiveadmissionClusterimagesetWebhookYaml, map[string]*bintree{}}, + "clusterpool-webhook.yaml": {configHiveadmissionClusterpoolWebhookYaml, map[string]*bintree{}}, "clusterprovision-webhook.yaml": {configHiveadmissionClusterprovisionWebhookYaml, map[string]*bintree{}}, "deployment.yaml": {configHiveadmissionDeploymentYaml, map[string]*bintree{}}, "dnszones-webhook.yaml": {configHiveadmissionDnszonesWebhookYaml, map[string]*bintree{}}, diff --git a/pkg/operator/hive/hiveadmission.go b/pkg/operator/hive/hiveadmission.go index 0f9098d0da4..89a57b65ed9 100644 --- a/pkg/operator/hive/hiveadmission.go +++ b/pkg/operator/hive/hiveadmission.go @@ -51,6 +51,7 @@ const ( var webhookAssets = []string{ "config/hiveadmission/clusterdeployment-webhook.yaml", "config/hiveadmission/clusterimageset-webhook.yaml", + "config/hiveadmission/clusterpool-webhook.yaml", "config/hiveadmission/clusterprovision-webhook.yaml", "config/hiveadmission/dnszones-webhook.yaml", "config/hiveadmission/machinepool-webhook.yaml",