MutatingAdmissionWebhook for relocating image references #37
Conversation
Codecov Report
@@ Coverage Diff @@
## master #37 +/- ##
==========================================
+ Coverage 68.12% 73.79% +5.66%
==========================================
Files 8 9 +1
Lines 342 416 +74
==========================================
+ Hits 233 307 +74
Misses 95 95
Partials 14 14
Continue to review full report at Codecov.
|
|
TODO: add namespaceSelector so that the webhook doesn't apply to itself. Without this, the following can occur if the webhook is created before the underlying service: (Thanks @scothis who spotted this.) |
Done. |
There was a problem hiding this comment.
The CRD semantics will take a couple more iterations to get right. There are a number of corner cases that don't appear to have consistent defined semantics.
A simpler alternative, would be a single ConfigMap that is mounted in the webhook. This would sidestep reconciling the CRD resources to a single map.
Other questions/comments are inline. Happy to voice on anything that may be confusing.
| apiVersion: apiextensions.k8s.io/v1beta1 | ||
| kind: CustomResourceDefinition | ||
| metadata: | ||
| name: imagemaps.webhook.image-relocation.pivotal.io |
There was a problem hiding this comment.
webhook is an implementation detail. - should generally be avoided in api groups.
| name: imagemaps.webhook.image-relocation.pivotal.io | |
| name: imagemaps.imagerelocation.pivotal.io |
There was a problem hiding this comment.
Removed, but kept the - for readability.
| metadata: | ||
| name: ir-cluster-role | ||
| rules: | ||
| - apiGroups: ["*"] |
There was a problem hiding this comment.
can we lock this down to the exact permissions needed?
There was a problem hiding this comment.
Sure, but I'll need to investigate.
There was a problem hiding this comment.
Added a FIXME comment for now.
| names: | ||
| plural: imagemaps | ||
| singular: imagemap | ||
| kind: ImageMap |
There was a problem hiding this comment.
Cluster scoped resources, should be use Cluster as a prefix
| kind: ImageMap | |
| kind: ClusterImageMap |
pkg/api/v1alpha1/imagemap_types.go
Outdated
| Map map[string]string `json:"map,omitempty"` | ||
| } | ||
|
|
||
| func (in *ImageMapSpec) DeepCopyInto(out *ImageMapSpec) { |
There was a problem hiding this comment.
DeepCopy methods are typically generated and put into a separate file (zz_generated.deepcopy.go) so they can be updated without impacting the main source.
There was a problem hiding this comment.
I put the generated methods in such a file but had to add these manually.
pkg/api/v1alpha1/imagemap_types.go
Outdated
|
|
||
| // ImageMapStatus defines the observed state of ImageMap | ||
| type ImageMapStatus struct { | ||
| Map map[string]string `json:"map,omitempty"` |
There was a problem hiding this comment.
are these values any different than the spec?
| return admission.Errored(http.StatusBadRequest, fmt.Errorf("decoding pod: %s", err)) | ||
| } | ||
| } else { | ||
| err := i.client.Get(ctx, types.NamespacedName{Namespace: req.Namespace, Name: req.Name}, &pod) |
There was a problem hiding this comment.
how can you get a resource from the API Server that hasn't been created yet? I know this isn't original code, I'm just noticing it now
There was a problem hiding this comment.
I'm not sure, but I was nervous about ripping this code out. I'll check with @cppforlife.
I don't think you detailed the corner cases inline. Please could you elaborate?
This doesn't feel particularly scalable. For instance, if more than one bundle was relocated by different people, they'd have to coordinate to merge the relocation mappings into the single ConfigMap. Plus they'd need to handle any inconsistencies manually.
Thanks! |
|
Closing as the plan is to put the webhook in its own repository (https://github.com/pivotal/kubernetes-image-mapper), starting with vmware-archive/kubernetes-image-mapper#2. |
Based on the spike in vmware-archive/image-relocation#37. Deleted controllers/suite_test.go until we are ready to add an integration test.
Based on https://github.com/k14s/k8s-resource-protection, thanks to
@cppforlife.
Fixes https://github.com/pivotal/image-relocation/issues/36