Add MutatingWebhookConfiguration type #55282
Conversation
|
@mbohlool: Adding do-not-merge/release-note-label-needed because the release note process has not been followed. One of the following labels is required "release-note", "release-note-action-required", or "release-note-none". Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
k8s-ci-robot
added
do-not-merge/release-note-label-needed
k8s-github-robot
added
kind/api-change
| for i, hook := range e.ExternalAdmissionHooks { | ||
| allErrors = append(allErrors, validateExternalAdmissionHook(&hook, field.NewPath("externalAdmissionHooks").Index(i))...) | ||
| for i, hook := range e.Webhooks { | ||
| allErrors = append(allErrors, validateWebhook(&hook, field.NewPath("externalAdmissionHooks").Index(i))...) |
There was a problem hiding this comment.
Do we really need to maintain the old path? I realize the migration may be painful but it would be nice if we could keep the naming consistent.
There was a problem hiding this comment.
that is an old code that should not exists anymore, please let me know if you see any more of these.
| e.ErrStatus.Reason = "LoadingConfiguration" | ||
| e.ErrStatus.Details.Causes = append(e.ErrStatus.Details.Causes, metav1.StatusCause{ | ||
| Type: "ExternalAdmissionHookConfigurationFailure", | ||
| Type: "ValidatingWebhookConfigurationFailure", | ||
| Message: "An error has occurred while refreshing the externalAdmissionHook configuration, no resources can be created/updated/deleted/connected until a refresh succeeds.", |
There was a problem hiding this comment.
Again can we keep the naming consistent?
mbohlool
force-pushed
the
webhooks
branch
2 times, most recently
from
0070052 to
1bcd0b3
Compare
|
/cc @deads2k |
| } | ||
| return nil, err | ||
| } | ||
| return mergeMutatingWebhookConfigurations(list), nil |
There was a problem hiding this comment.
Isn't this list coming from the lister, i.e. a local cache? Does line 83 mutate that object?
There was a problem hiding this comment.
Our standard listers create temporary lists at least. But it doesn't look like it's specified that the callee is the owner of the list. In any case, mergeMutatingWebhookConfigurations does not give any hint that it mutates its arguments.
There was a problem hiding this comment.
This is copied from the existing one-- if the existing one is broken we should fix it both places.
There was a problem hiding this comment.
This modifies the List object but the List object is constructed each time?
There was a problem hiding this comment.
the function should not mutate that list. Will fix.
There was a problem hiding this comment.
@lavalamp Even if the list object is constructed each time, the function should either document that it modifies its parameters or not modify them. It is easier not to modify them. Also existing code does not have this issue because we do not sort validating webhooks. They are called in parallel so the order does not matter.
There was a problem hiding this comment.
ah, thanks for the explanation.
| List(opts metav1.ListOptions) (*v1alpha1.MutatingWebhookConfigurationList, error) | ||
| } | ||
|
|
||
| type MutatingWebhookConfigurationManager struct { |
There was a problem hiding this comment.
godoc. Is this a controller of some sort?
There was a problem hiding this comment.
It collects the mutating webhook objects so that they can be called. Yes, a doc string would be good.
There was a problem hiding this comment.
This is the same as ValidatingWebhookConfigurationManager which was ExternalAdmissionHookConfigurationManager. I would like to not add stuff to this PR and keep it pure renaming and duplicating. Any enhancement should be done in a following PR in my opinion.
There was a problem hiding this comment.
Noticed that as well after commenting.
| @@ -118,35 +118,65 @@ const ( | |||
| // +genclient:nonNamespaced | |||
| // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object | |||
|
|
|||
| // ExternalAdmissionHookConfiguration describes the configuration of initializers. | |||
| type ExternalAdmissionHookConfiguration struct { | |||
| // ValidatingWebhookConfiguration describes the configuration of and admission webhook that accept or reject and object without changing it. | |||
| ExternalAdmissionHooks []ExternalAdmissionHook | ||
| // +patchMergeKey=name | ||
| // +patchStrategy=merge | ||
| Webhooks []Webhook |
There was a problem hiding this comment.
Webhook or AdmissionHook? I have a very very mild preference for the latter.
There was a problem hiding this comment.
We remove admission from the type name because it was the duplicate of (part of) the package name. I would argue the same here that I prefer Webhook for that reason.
pkg/kubectl/scheme/install.go
Outdated
| @@ -106,7 +106,7 @@ func init() { | |||
| if err := announced.NewGroupMetaFactory( | |||
| &announced.GroupMetaFactoryArgs{ | |||
| GroupName: admissionregistrationv1alpha1.GroupName, | |||
| RootScopedKinds: sets.NewString("InitializerConfiguration", "ExternalAdmissionHookConfiguration"), | |||
| RootScopedKinds: sets.NewString("InitializerConfiguration", "ValidatingWebhookConfiguration"), | |||
There was a problem hiding this comment.
needs to list the mutating one, also?
There was a problem hiding this comment.
Ouch, is this the new scheme of kubectl? Do we really decided to rewrite the group installers here. This hurts.
| ObjectNameFunc: func(obj runtime.Object) (string, error) { | ||
| return obj.(*admissionregistration.ValidatingWebhookConfiguration).Name, nil | ||
| }, | ||
| DefaultQualifiedResource: admissionregistration.Resource("externaladmissionhookconfigurations"), |
There was a problem hiding this comment.
this string probably needs to be updated?
| @@ -153,7 +153,7 @@ func (a *GenericAdmissionWebhook) SetScheme(scheme *runtime.Scheme) { | |||
|
|
|||
| // WantsExternalKubeClientSet defines a function which sets external ClientSet for admission plugins that need it | |||
| func (a *GenericAdmissionWebhook) SetExternalKubeClientSet(client clientset.Interface) { | |||
There was a problem hiding this comment.
The name of this plugin needs to be changed too, but maybe that is another PR?
There was a problem hiding this comment.
Yes, another PR is better.
| @@ -382,7 +382,7 @@ var etcdStorageData = map[schema.GroupVersionResource]struct { | |||
| expectedEtcdPath: "/registry/initializerconfigurations/ic1", | |||
| }, | |||
| gvr("admissionregistration.k8s.io", "v1alpha1", "externaladmissionhookconfigurations"): { | |||
There was a problem hiding this comment.
s/externaladmissionhookconfigurations/validatingwebhookconfigurations/?
There was a problem hiding this comment.
And also duplicate this entry for the mutating ones?
| ObjectNameFunc: func(obj runtime.Object) (string, error) { | ||
| return obj.(*admissionregistration.ExternalAdmissionHookConfiguration).Name, nil | ||
| return obj.(*admissionregistration.ValidatingWebhookConfiguration).Name, nil | ||
| }, | ||
| DefaultQualifiedResource: admissionregistration.Resource("externaladmissionhookconfigurations"), |
|
I left a few comments, looks close. |
|
Wrong button :) |
mbohlool
removed
the
do-not-merge/release-note-label-needed
|
@mbohlool: Adding do-not-merge/release-note-label-needed because the release note process has not been followed. One of the following labels is required "release-note", "release-note-action-required", or "release-note-none". Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
k8s-ci-robot
added
do-not-merge/release-note-label-needed
mbohlool
added
the
release-note-none
k8s-github-robot
added
the
approved
k8s-github-robot
removed
the
lgtm
|
/lgtm |
k8s-ci-robot
added
the
lgtm
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: lavalamp, mbohlool Associated issue: 492 The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these OWNERS Files:
You can indicate your approval by writing |
k8s-github-robot
removed
the
lgtm
mbohlool
removed
the
do-not-merge/release-note-label-needed
|
The change was only automated doc update. Applying lgtm label again. |
mbohlool
added
the
lgtm
|
/test pull-kubernetes-unit |
|
I am going on vacation today. Would be nice if we can set higher priority on this PR so that submit queue merge it sooner. @caesarxuchao |
|
@mbohlool is going to be away for weeks. I'll add the "queue/blocks-others" to get this one merged soon. We can iterate in future PRs if there are more concerns. |
|
/test all [submit-queue is verifying that this PR is safe to merge] |
|
Automatic merge from submit-queue (batch tested with PRs 55268, 55282, 55419, 48340, 54829). If you want to cherry-pick this change to another branch, please follow the instructions here. |
| func mergeMutatingWebhookConfigurations( | ||
| list *v1alpha1.MutatingWebhookConfigurationList, | ||
| ) *v1alpha1.MutatingWebhookConfiguration { | ||
| configurations := append([]v1alpha1.MutatingWebhookConfiguration{}, list.Items...) |
As part of Mutating Webhook support, this PR adds the configuration for Mutating webhooks. It also renames existing ReadOnly webhook configurations from ExternalAdmissionHookConfiguration to ValidatingWebhookConfiguration. As part of the process some sub-types are also renamed.
Lastly, the mutating webhook configurations are sorted by name to make the serial executing of them deterministic.
ref: kubernetes/enhancements#492