diff --git a/cmd/webhook-manager/app/server.go b/cmd/webhook-manager/app/server.go index 80bc191dbf0..41445e5de2e 100644 --- a/cmd/webhook-manager/app/server.go +++ b/cmd/webhook-manager/app/server.go @@ -77,11 +77,13 @@ func Run(config *options.Config) error { klog.V(3).Infof("Registered '%s' as webhook.", service.Path) http.HandleFunc(service.Path, service.Handler) - - klog.V(3).Infof("Registered configuration for webhook <%s>", service.Path) - registerWebhookConfig(kubeClient, config, service, config.CaCertData) }) + if err = addCaCertForWebhook(kubeClient, config.CaCertData); err != nil { + return fmt.Errorf("failed to add caCert for webhook %v", err) + } + klog.V(3).Infof("Successfully added caCert for all webhooks") + webhookServeError := make(chan struct{}) stopChannel := make(chan os.Signal, 1) signal.Notify(stopChannel, syscall.SIGTERM, syscall.SIGINT) diff --git a/cmd/webhook-manager/app/util.go b/cmd/webhook-manager/app/util.go index 237a969a933..382f332eb96 100644 --- a/cmd/webhook-manager/app/util.go +++ b/cmd/webhook-manager/app/util.go @@ -17,93 +17,95 @@ limitations under the License. package app import ( + "bytes" "context" "crypto/tls" "crypto/x509" - "regexp" - "strings" - + "fmt" v1 "k8s.io/api/admissionregistration/v1" apierrors "k8s.io/apimachinery/pkg/api/errors" + "time" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/util/wait" "k8s.io/client-go/kubernetes" "k8s.io/client-go/rest" "k8s.io/klog" "volcano.sh/apis/pkg/client/clientset/versioned" "volcano.sh/volcano/cmd/webhook-manager/app/options" - "volcano.sh/volcano/pkg/webhooks/router" ) -func registerWebhookConfig(kubeClient *kubernetes.Clientset, config *options.Config, service *router.AdmissionService, caBundle []byte) { - sideEffect := v1.SideEffectClassNoneOnDryRun - reviewVersions := []string{"v1"} - webhookLabelSelector := &metav1.LabelSelector{} - clientConfig := v1.WebhookClientConfig{ - CABundle: caBundle, - } - if config.WebhookURL != "" { - url := config.WebhookURL + service.Path - clientConfig.URL = &url - klog.Infof("The URL of webhook manager is <%s>.", url) - } - if config.WebhookName != "" && config.WebhookNamespace != "" { - clientConfig.Service = &v1.ServiceReference{ - Name: config.WebhookName, - Namespace: config.WebhookNamespace, - Path: &service.Path, - } - klog.Infof("The service of webhook manager is <%s/%s/%s>.", - config.WebhookName, config.WebhookNamespace, service.Path) +var ( + validatingWebhooksName = []string{ + "volcano-admission-service-jobs-validate", + "volcano-admission-service-pods-validate", + "volcano-admission-service-queues-validate", } - if config.IgnoredNamespaces != "" { - ignoredNamespaces := strings.Split(strings.TrimSpace(config.IgnoredNamespaces), ",") - klog.Infof("The ignored namespaces list of webhook manager is <%v>.", - ignoredNamespaces) - webhookLabelSelector = &metav1.LabelSelector{ - MatchExpressions: []metav1.LabelSelectorRequirement{ - { - Values: ignoredNamespaces, - Operator: "NotIn", - Key: "kubernetes.io/metadata.name", - }, - }, - } + mutatingWebhooksName = []string{ + "volcano-admission-service-pods-mutate", + "volcano-admission-service-queues-mutate", + "volcano-admission-service-podgroups-mutate", + "volcano-admission-service-jobs-mutate", } - if service.MutatingConfig != nil { - for i := range service.MutatingConfig.Webhooks { - service.MutatingConfig.Webhooks[i].SideEffects = &sideEffect - service.MutatingConfig.Webhooks[i].AdmissionReviewVersions = reviewVersions - service.MutatingConfig.Webhooks[i].ClientConfig = clientConfig - service.MutatingConfig.Webhooks[i].NamespaceSelector = webhookLabelSelector - } +) - service.MutatingConfig.ObjectMeta.Name = webhookConfigName(config.WebhookName, service.Path) +func addCaCertForWebhook(kubeClient *kubernetes.Clientset, caBundle []byte) error { + for _, mutatingWebhookName := range mutatingWebhooksName { + var mutatingWebhook *v1.MutatingWebhookConfiguration + if err := wait.PollInfinite(time.Second, func() (done bool, err error) { + mutatingWebhook, err = kubeClient.AdmissionregistrationV1().MutatingWebhookConfigurations().Get(context.TODO(), mutatingWebhookName, metav1.GetOptions{}) + if err != nil { + if apierrors.IsNotFound(err) { + klog.Errorln(err) + return false, nil + } + return false, fmt.Errorf("failed to get mutating webhook %v", err) + } + return true, nil + }); err != nil { + return fmt.Errorf("failed to get mutating webhook %v", err) + } - if err := registerMutateWebhook(kubeClient, service.MutatingConfig); err != nil { - klog.Errorf("Failed to register mutating admission webhook (%s): %v", - service.Path, err) - } else { - klog.V(3).Infof("Registered mutating webhook for path <%s>.", service.Path) + for index := 0; index < len(mutatingWebhook.Webhooks); index++ { + if mutatingWebhook.Webhooks[index].ClientConfig.CABundle == nil || + bytes.Equal(mutatingWebhook.Webhooks[index].ClientConfig.CABundle, caBundle) { + mutatingWebhook.Webhooks[index].ClientConfig.CABundle = caBundle + } } - } - if service.ValidatingConfig != nil { - for i := range service.ValidatingConfig.Webhooks { - service.ValidatingConfig.Webhooks[i].SideEffects = &sideEffect - service.ValidatingConfig.Webhooks[i].AdmissionReviewVersions = reviewVersions - service.ValidatingConfig.Webhooks[i].ClientConfig = clientConfig - service.ValidatingConfig.Webhooks[i].NamespaceSelector = webhookLabelSelector + if _, err := kubeClient.AdmissionregistrationV1().MutatingWebhookConfigurations().Update(context.TODO(), mutatingWebhook, metav1.UpdateOptions{}); err != nil { + return fmt.Errorf("failed to update mutating admission webhooks %v %v", mutatingWebhookName, err) } + } - service.ValidatingConfig.ObjectMeta.Name = webhookConfigName(config.WebhookName, service.Path) + for _, validatingWebhookName := range validatingWebhooksName { + var validatingWebhook *v1.ValidatingWebhookConfiguration + if err := wait.PollInfinite(time.Second, func() (done bool, err error) { + validatingWebhook, err = kubeClient.AdmissionregistrationV1().ValidatingWebhookConfigurations().Get(context.TODO(), validatingWebhookName, metav1.GetOptions{}) + if err != nil { + if apierrors.IsNotFound(err) { + klog.Errorln(err) + return false, nil + } + return false, fmt.Errorf("failed to get validating webhook %v", err) + } + return true, nil + }); err != nil { + return fmt.Errorf("failed to get validating webhook %v", err) + } - if err := registerValidateWebhook(kubeClient, service.ValidatingConfig); err != nil { - klog.Errorf("Failed to register validating admission webhook (%s): %v", - service.Path, err) - } else { - klog.V(3).Infof("Registered validating webhook for path <%s>.", service.Path) + for index := 0; index < len(validatingWebhook.Webhooks); index++ { + if validatingWebhook.Webhooks[index].ClientConfig.CABundle == nil || + bytes.Equal(validatingWebhook.Webhooks[index].ClientConfig.CABundle, caBundle) { + validatingWebhook.Webhooks[index].ClientConfig.CABundle = caBundle + } + } + if _, err := kubeClient.AdmissionregistrationV1().ValidatingWebhookConfigurations().Update(context.TODO(), validatingWebhook, metav1.UpdateOptions{}); err != nil { + return fmt.Errorf("failed to update validating admission webhooks %v %v", validatingWebhookName, err) } } + + return nil } // getKubeClient Get a clientset with restConfig. @@ -164,58 +166,3 @@ func configTLS(config *options.Config, restConfig *rest.Config) *tls.Config { klog.Fatal("tls: failed to find any tls config data") return &tls.Config{} } - -func registerMutateWebhook(clientset *kubernetes.Clientset, hook *v1.MutatingWebhookConfiguration) error { - client := clientset.AdmissionregistrationV1().MutatingWebhookConfigurations() - existing, err := client.Get(context.TODO(), hook.Name, metav1.GetOptions{}) - if err != nil && !apierrors.IsNotFound(err) { - return err - } - if err == nil && existing != nil { - klog.V(4).Infof("Updating MutatingWebhookConfiguration %v", hook) - existing.Webhooks = hook.Webhooks - if _, err := client.Update(context.TODO(), existing, metav1.UpdateOptions{}); err != nil { - return err - } - } else { - klog.V(4).Infof("Creating MutatingWebhookConfiguration %v", hook) - if _, err := client.Create(context.TODO(), hook, metav1.CreateOptions{}); err != nil { - return err - } - } - - return nil -} - -func registerValidateWebhook(clientset *kubernetes.Clientset, hook *v1.ValidatingWebhookConfiguration) error { - client := clientset.AdmissionregistrationV1().ValidatingWebhookConfigurations() - - existing, err := client.Get(context.TODO(), hook.Name, metav1.GetOptions{}) - if err != nil && !apierrors.IsNotFound(err) { - return err - } - if err == nil && existing != nil { - existing.Webhooks = hook.Webhooks - klog.V(4).Infof("Updating ValidatingWebhookConfiguration %v", hook) - if _, err := client.Update(context.TODO(), existing, metav1.UpdateOptions{}); err != nil { - return err - } - } else { - klog.V(4).Infof("Creating ValidatingWebhookConfiguration %v", hook) - if _, err := client.Create(context.TODO(), hook, metav1.CreateOptions{}); err != nil { - return err - } - } - - return nil -} - -func webhookConfigName(name, path string) string { - if name == "" { - name = "webhook" - } - - re := regexp.MustCompile(`-+`) - raw := strings.Join([]string{name, strings.ReplaceAll(path, "/", "-")}, "-") - return re.ReplaceAllString(raw, "-") -} diff --git a/hack/generate-yaml.sh b/hack/generate-yaml.sh index b707865972a..e36ba7b55e6 100755 --- a/hack/generate-yaml.sh +++ b/hack/generate-yaml.sh @@ -118,6 +118,7 @@ ${HELM_BIN_DIR}/helm template ${VK_ROOT}/installer/helm/chart/volcano --namespac -s templates/scheduling_v1beta1_podgroup.yaml \ -s templates/scheduling_v1beta1_queue.yaml \ -s templates/nodeinfo_v1alpha1_numatopologies.yaml \ + -s templates/webhooks.yaml \ >> ${DEPLOYMENT_FILE} ${HELM_BIN_DIR}/helm template ${VK_ROOT}/installer/helm/chart/volcano --namespace volcano-monitoring \ diff --git a/installer/helm/chart/volcano/templates/webhooks.yaml b/installer/helm/chart/volcano/templates/webhooks.yaml new file mode 100644 index 00000000000..8b851f9e80b --- /dev/null +++ b/installer/helm/chart/volcano/templates/webhooks.yaml @@ -0,0 +1,279 @@ +{{- if .Values.custom.admission_enable }} +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: + name: volcano-admission-service-pods-mutate +webhooks: + - admissionReviewVersions: + - v1 + clientConfig: + service: + name: volcano-admission-service + namespace: volcano-system + path: /pods/mutate + port: 443 + failurePolicy: Fail + matchPolicy: Equivalent + name: mutatepod.volcano.sh + namespaceSelector: + matchExpressions: + - key: kubernetes.io/metadata.name + operator: NotIn + values: + - volcano-system + - kube-system + objectSelector: {} + reinvocationPolicy: Never + rules: + - apiGroups: + - "" + apiVersions: + - v1 + operations: + - CREATE + resources: + - pods + scope: '*' + sideEffects: NoneOnDryRun + timeoutSeconds: 10 + +--- + +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: + name: volcano-admission-service-queues-mutate +webhooks: + - admissionReviewVersions: + - v1 + clientConfig: + service: + name: volcano-admission-service + namespace: volcano-system + path: /queues/mutate + port: 443 + failurePolicy: Fail + matchPolicy: Equivalent + name: mutatequeue.volcano.sh + namespaceSelector: + matchExpressions: + - key: kubernetes.io/metadata.name + operator: NotIn + values: + - volcano-system + - kube-system + objectSelector: {} + reinvocationPolicy: Never + rules: + - apiGroups: + - scheduling.volcano.sh + apiVersions: + - v1beta1 + operations: + - CREATE + resources: + - queues + scope: '*' + sideEffects: NoneOnDryRun + timeoutSeconds: 10 + +--- + +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: + name: volcano-admission-service-podgroups-mutate +webhooks: + - admissionReviewVersions: + - v1 + clientConfig: + service: + name: volcano-admission-service + namespace: volcano-system + path: /podgroups/mutate + port: 443 + failurePolicy: Fail + matchPolicy: Equivalent + name: mutatepodgroup.volcano.sh + namespaceSelector: + matchExpressions: + - key: kubernetes.io/metadata.name + operator: NotIn + values: + - volcano-system + - kube-system + objectSelector: {} + reinvocationPolicy: Never + rules: + - apiGroups: + - scheduling.volcano.sh + apiVersions: + - v1beta1 + operations: + - CREATE + resources: + - podgroups + scope: '*' + sideEffects: NoneOnDryRun + timeoutSeconds: 10 + +--- + +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: + name: volcano-admission-service-jobs-mutate +webhooks: + - admissionReviewVersions: + - v1 + clientConfig: + service: + name: volcano-admission-service + namespace: volcano-system + path: /jobs/mutate + port: 443 + failurePolicy: Fail + matchPolicy: Equivalent + name: mutatejob.volcano.sh + namespaceSelector: + matchExpressions: + - key: kubernetes.io/metadata.name + operator: NotIn + values: + - volcano-system + - kube-system + objectSelector: {} + reinvocationPolicy: Never + rules: + - apiGroups: + - batch.volcano.sh + apiVersions: + - v1alpha1 + operations: + - CREATE + resources: + - jobs + scope: '*' + sideEffects: NoneOnDryRun + timeoutSeconds: 10 + +--- + +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + name: volcano-admission-service-jobs-validate +webhooks: + - admissionReviewVersions: + - v1 + clientConfig: + service: + name: volcano-admission-service + namespace: volcano-system + path: /jobs/validate + port: 443 + failurePolicy: Fail + matchPolicy: Equivalent + name: validatejob.volcano.sh + namespaceSelector: + matchExpressions: + - key: kubernetes.io/metadata.name + operator: NotIn + values: + - volcano-system + - kube-system + objectSelector: {} + rules: + - apiGroups: + - batch.volcano.sh + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - jobs + scope: '*' + sideEffects: NoneOnDryRun + timeoutSeconds: 10 + +--- + +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + name: volcano-admission-service-pods-validate +webhooks: + - admissionReviewVersions: + - v1 + clientConfig: + service: + name: volcano-admission-service + namespace: volcano-system + path: /pods/validate + port: 443 + failurePolicy: Fail + matchPolicy: Equivalent + name: validatepod.volcano.sh + namespaceSelector: + matchExpressions: + - key: kubernetes.io/metadata.name + operator: NotIn + values: + - volcano-system + - kube-system + objectSelector: {} + rules: + - apiGroups: + - "" + apiVersions: + - v1 + operations: + - CREATE + resources: + - pods + scope: '*' + sideEffects: NoneOnDryRun + timeoutSeconds: 10 + +--- + +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + name: volcano-admission-service-queues-validate +webhooks: + - admissionReviewVersions: + - v1 + clientConfig: + service: + name: volcano-admission-service + namespace: volcano-system + path: /queues/validate + port: 443 + failurePolicy: Fail + matchPolicy: Equivalent + name: validatequeue.volcano.sh + namespaceSelector: + matchExpressions: + - key: kubernetes.io/metadata.name + operator: NotIn + values: + - volcano-system + - kube-system + objectSelector: {} + rules: + - apiGroups: + - scheduling.volcano.sh + apiVersions: + - v1beta1 + operations: + - CREATE + - UPDATE + - DELETE + resources: + - queues + scope: '*' + sideEffects: NoneOnDryRun + timeoutSeconds: 10 +{{- end }} \ No newline at end of file diff --git a/installer/volcano-development-arm64.yaml b/installer/volcano-development-arm64.yaml index 04b686beb23..56a42bd0acc 100644 --- a/installer/volcano-development-arm64.yaml +++ b/installer/volcano-development-arm64.yaml @@ -9047,3 +9047,276 @@ status: plural: "" conditions: [] storedVersions: [] +--- +# Source: volcano/templates/webhooks.yaml +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: + name: volcano-admission-service-pods-mutate +webhooks: + - admissionReviewVersions: + - v1 + clientConfig: + service: + name: volcano-admission-service + namespace: volcano-system + path: /pods/mutate + port: 443 + failurePolicy: Fail + matchPolicy: Equivalent + name: mutatepod.volcano.sh + namespaceSelector: + matchExpressions: + - key: kubernetes.io/metadata.name + operator: NotIn + values: + - volcano-system + - kube-system + objectSelector: {} + reinvocationPolicy: Never + rules: + - apiGroups: + - "" + apiVersions: + - v1 + operations: + - CREATE + resources: + - pods + scope: '*' + sideEffects: NoneOnDryRun + timeoutSeconds: 10 +--- +# Source: volcano/templates/webhooks.yaml +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: + name: volcano-admission-service-queues-mutate +webhooks: + - admissionReviewVersions: + - v1 + clientConfig: + service: + name: volcano-admission-service + namespace: volcano-system + path: /queues/mutate + port: 443 + failurePolicy: Fail + matchPolicy: Equivalent + name: mutatequeue.volcano.sh + namespaceSelector: + matchExpressions: + - key: kubernetes.io/metadata.name + operator: NotIn + values: + - volcano-system + - kube-system + objectSelector: {} + reinvocationPolicy: Never + rules: + - apiGroups: + - scheduling.volcano.sh + apiVersions: + - v1beta1 + operations: + - CREATE + resources: + - queues + scope: '*' + sideEffects: NoneOnDryRun + timeoutSeconds: 10 +--- +# Source: volcano/templates/webhooks.yaml +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: + name: volcano-admission-service-podgroups-mutate +webhooks: + - admissionReviewVersions: + - v1 + clientConfig: + service: + name: volcano-admission-service + namespace: volcano-system + path: /podgroups/mutate + port: 443 + failurePolicy: Fail + matchPolicy: Equivalent + name: mutatepodgroup.volcano.sh + namespaceSelector: + matchExpressions: + - key: kubernetes.io/metadata.name + operator: NotIn + values: + - volcano-system + - kube-system + objectSelector: {} + reinvocationPolicy: Never + rules: + - apiGroups: + - scheduling.volcano.sh + apiVersions: + - v1beta1 + operations: + - CREATE + resources: + - podgroups + scope: '*' + sideEffects: NoneOnDryRun + timeoutSeconds: 10 +--- +# Source: volcano/templates/webhooks.yaml +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: + name: volcano-admission-service-jobs-mutate +webhooks: + - admissionReviewVersions: + - v1 + clientConfig: + service: + name: volcano-admission-service + namespace: volcano-system + path: /jobs/mutate + port: 443 + failurePolicy: Fail + matchPolicy: Equivalent + name: mutatejob.volcano.sh + namespaceSelector: + matchExpressions: + - key: kubernetes.io/metadata.name + operator: NotIn + values: + - volcano-system + - kube-system + objectSelector: {} + reinvocationPolicy: Never + rules: + - apiGroups: + - batch.volcano.sh + apiVersions: + - v1alpha1 + operations: + - CREATE + resources: + - jobs + scope: '*' + sideEffects: NoneOnDryRun + timeoutSeconds: 10 +--- +# Source: volcano/templates/webhooks.yaml +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + name: volcano-admission-service-jobs-validate +webhooks: + - admissionReviewVersions: + - v1 + clientConfig: + service: + name: volcano-admission-service + namespace: volcano-system + path: /jobs/validate + port: 443 + failurePolicy: Fail + matchPolicy: Equivalent + name: validatejob.volcano.sh + namespaceSelector: + matchExpressions: + - key: kubernetes.io/metadata.name + operator: NotIn + values: + - volcano-system + - kube-system + objectSelector: {} + rules: + - apiGroups: + - batch.volcano.sh + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - jobs + scope: '*' + sideEffects: NoneOnDryRun + timeoutSeconds: 10 +--- +# Source: volcano/templates/webhooks.yaml +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + name: volcano-admission-service-pods-validate +webhooks: + - admissionReviewVersions: + - v1 + clientConfig: + service: + name: volcano-admission-service + namespace: volcano-system + path: /pods/validate + port: 443 + failurePolicy: Fail + matchPolicy: Equivalent + name: validatepod.volcano.sh + namespaceSelector: + matchExpressions: + - key: kubernetes.io/metadata.name + operator: NotIn + values: + - volcano-system + - kube-system + objectSelector: {} + rules: + - apiGroups: + - "" + apiVersions: + - v1 + operations: + - CREATE + resources: + - pods + scope: '*' + sideEffects: NoneOnDryRun + timeoutSeconds: 10 +--- +# Source: volcano/templates/webhooks.yaml +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + name: volcano-admission-service-queues-validate +webhooks: + - admissionReviewVersions: + - v1 + clientConfig: + service: + name: volcano-admission-service + namespace: volcano-system + path: /queues/validate + port: 443 + failurePolicy: Fail + matchPolicy: Equivalent + name: validatequeue.volcano.sh + namespaceSelector: + matchExpressions: + - key: kubernetes.io/metadata.name + operator: NotIn + values: + - volcano-system + - kube-system + objectSelector: {} + rules: + - apiGroups: + - scheduling.volcano.sh + apiVersions: + - v1beta1 + operations: + - CREATE + - UPDATE + - DELETE + resources: + - queues + scope: '*' + sideEffects: NoneOnDryRun + timeoutSeconds: 10 diff --git a/installer/volcano-development.yaml b/installer/volcano-development.yaml index db6bc052fff..625e7a47ae2 100644 --- a/installer/volcano-development.yaml +++ b/installer/volcano-development.yaml @@ -9047,3 +9047,276 @@ status: plural: "" conditions: [] storedVersions: [] +--- +# Source: volcano/templates/webhooks.yaml +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: + name: volcano-admission-service-pods-mutate +webhooks: + - admissionReviewVersions: + - v1 + clientConfig: + service: + name: volcano-admission-service + namespace: volcano-system + path: /pods/mutate + port: 443 + failurePolicy: Fail + matchPolicy: Equivalent + name: mutatepod.volcano.sh + namespaceSelector: + matchExpressions: + - key: kubernetes.io/metadata.name + operator: NotIn + values: + - volcano-system + - kube-system + objectSelector: {} + reinvocationPolicy: Never + rules: + - apiGroups: + - "" + apiVersions: + - v1 + operations: + - CREATE + resources: + - pods + scope: '*' + sideEffects: NoneOnDryRun + timeoutSeconds: 10 +--- +# Source: volcano/templates/webhooks.yaml +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: + name: volcano-admission-service-queues-mutate +webhooks: + - admissionReviewVersions: + - v1 + clientConfig: + service: + name: volcano-admission-service + namespace: volcano-system + path: /queues/mutate + port: 443 + failurePolicy: Fail + matchPolicy: Equivalent + name: mutatequeue.volcano.sh + namespaceSelector: + matchExpressions: + - key: kubernetes.io/metadata.name + operator: NotIn + values: + - volcano-system + - kube-system + objectSelector: {} + reinvocationPolicy: Never + rules: + - apiGroups: + - scheduling.volcano.sh + apiVersions: + - v1beta1 + operations: + - CREATE + resources: + - queues + scope: '*' + sideEffects: NoneOnDryRun + timeoutSeconds: 10 +--- +# Source: volcano/templates/webhooks.yaml +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: + name: volcano-admission-service-podgroups-mutate +webhooks: + - admissionReviewVersions: + - v1 + clientConfig: + service: + name: volcano-admission-service + namespace: volcano-system + path: /podgroups/mutate + port: 443 + failurePolicy: Fail + matchPolicy: Equivalent + name: mutatepodgroup.volcano.sh + namespaceSelector: + matchExpressions: + - key: kubernetes.io/metadata.name + operator: NotIn + values: + - volcano-system + - kube-system + objectSelector: {} + reinvocationPolicy: Never + rules: + - apiGroups: + - scheduling.volcano.sh + apiVersions: + - v1beta1 + operations: + - CREATE + resources: + - podgroups + scope: '*' + sideEffects: NoneOnDryRun + timeoutSeconds: 10 +--- +# Source: volcano/templates/webhooks.yaml +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: + name: volcano-admission-service-jobs-mutate +webhooks: + - admissionReviewVersions: + - v1 + clientConfig: + service: + name: volcano-admission-service + namespace: volcano-system + path: /jobs/mutate + port: 443 + failurePolicy: Fail + matchPolicy: Equivalent + name: mutatejob.volcano.sh + namespaceSelector: + matchExpressions: + - key: kubernetes.io/metadata.name + operator: NotIn + values: + - volcano-system + - kube-system + objectSelector: {} + reinvocationPolicy: Never + rules: + - apiGroups: + - batch.volcano.sh + apiVersions: + - v1alpha1 + operations: + - CREATE + resources: + - jobs + scope: '*' + sideEffects: NoneOnDryRun + timeoutSeconds: 10 +--- +# Source: volcano/templates/webhooks.yaml +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + name: volcano-admission-service-jobs-validate +webhooks: + - admissionReviewVersions: + - v1 + clientConfig: + service: + name: volcano-admission-service + namespace: volcano-system + path: /jobs/validate + port: 443 + failurePolicy: Fail + matchPolicy: Equivalent + name: validatejob.volcano.sh + namespaceSelector: + matchExpressions: + - key: kubernetes.io/metadata.name + operator: NotIn + values: + - volcano-system + - kube-system + objectSelector: {} + rules: + - apiGroups: + - batch.volcano.sh + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - jobs + scope: '*' + sideEffects: NoneOnDryRun + timeoutSeconds: 10 +--- +# Source: volcano/templates/webhooks.yaml +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + name: volcano-admission-service-pods-validate +webhooks: + - admissionReviewVersions: + - v1 + clientConfig: + service: + name: volcano-admission-service + namespace: volcano-system + path: /pods/validate + port: 443 + failurePolicy: Fail + matchPolicy: Equivalent + name: validatepod.volcano.sh + namespaceSelector: + matchExpressions: + - key: kubernetes.io/metadata.name + operator: NotIn + values: + - volcano-system + - kube-system + objectSelector: {} + rules: + - apiGroups: + - "" + apiVersions: + - v1 + operations: + - CREATE + resources: + - pods + scope: '*' + sideEffects: NoneOnDryRun + timeoutSeconds: 10 +--- +# Source: volcano/templates/webhooks.yaml +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + name: volcano-admission-service-queues-validate +webhooks: + - admissionReviewVersions: + - v1 + clientConfig: + service: + name: volcano-admission-service + namespace: volcano-system + path: /queues/validate + port: 443 + failurePolicy: Fail + matchPolicy: Equivalent + name: validatequeue.volcano.sh + namespaceSelector: + matchExpressions: + - key: kubernetes.io/metadata.name + operator: NotIn + values: + - volcano-system + - kube-system + objectSelector: {} + rules: + - apiGroups: + - scheduling.volcano.sh + apiVersions: + - v1beta1 + operations: + - CREATE + - UPDATE + - DELETE + resources: + - queues + scope: '*' + sideEffects: NoneOnDryRun + timeoutSeconds: 10