Prevent webhooks from affecting admission requests for WebhookConfiguration objects #59840
Conversation
k8s-ci-robot
added
do-not-merge/work-in-progress
k8s-ci-robot
added
the
sig/api-machinery
jennybuckley
changed the title
k8s-ci-robot
removed
the
do-not-merge/work-in-progress
jennybuckley
force-pushed
the
webhooks-on-webhooks
branch
from
8ecac7c to
c71f1c2
Compare
|
Besides |
|
/assign @caesarxuchao |
test/e2e/apimachinery/webhook.go
Outdated
| @@ -123,6 +125,12 @@ var _ = SIGDescribe("AdmissionWebhook", func() { | |||
| testCRDWebhook(f, testcrd.Crd, testcrd.DynamicClient) | |||
| }) | |||
|
|
|||
| It("Should not be able to prevent deleting validating-webhook-configurations", func() { | |||
There was a problem hiding this comment.
The same is true for the mutating-webhook-configurations, could you expand the test?
test/e2e/apimachinery/webhook.go
Outdated
| // NOTE: This path isn't something the service knows how to handle. | ||
| Path: strPtr("/validating-webhook-configurations"), | ||
| }, | ||
| // Without CA bundle, the call to webhook always fails |
There was a problem hiding this comment.
Could you add to the comment that the failure policy is "Fail"? Otherwise this test would have given us false negative.
There was a problem hiding this comment.
I am working on changing this to use the correct CA and updating the webhook test image to handle a function that always denies requests so this test doesn't have to rely on a broken CA and failing closed to deny requests.
I think that will be a more clear way of testing this.
|
Why is the new e2e test passing? I thought we haven't built in the mechanism to skip webhook configurations. |
|
@caesarxuchao edit: now the test fails as expected before the second commit, and passes after the second commit. |
jennybuckley
force-pushed
the
webhooks-on-webhooks
branch
2 times, most recently
from
bdbf2c0 to
174033d
Compare
|
/kind bug |
| return true | ||
| } else { | ||
| return false | ||
| } |
There was a problem hiding this comment.
optional nit (shorter/prettier/clearer):
if gvk.Group == "admissionregistration.k8s.io" {
if gvk.Kind == "ValidatingWebhookConfiguration" || gvk.Kind == "MutatingWebhookConfiguration" {
return true
}
}
return false
Maybe this could go in k8s.io/apiserver/pkg/admission/plugin/webhook/config or k8s.io/apiserver/pkg/admission/plugin/webhook/request? It looks like there's already a few packages there that might be appropriate.
There was a problem hiding this comment.
I think webhook/config is for the plugin config passed to the apiserver at startup, and webhook/request "creates admissionReview request based on admission attributes" according to the doc.go, maybe a new package like "common" or "util"?
or are we trying to avoid that.
| @@ -253,6 +257,18 @@ func (a *MutatingWebhook) Admit(attr admission.Attributes) error { | |||
| return a.convertor.Convert(versionedAttr.Object, attr.GetObject()) | |||
| } | |||
|
|
|||
| // TODO: factor into a common place along with the validating webhook version. | |||
| func (a *MutatingWebhook) shouldSkipAllHooks(attr admission.Attributes) bool { | |||
There was a problem hiding this comment.
Optional nit: in this case I think it's best to highlight the reason for skipping-- maybe "isWebhookConfigurationResource"?
If we grow additional reasons here, then I'd go for the current name.
|
This is clearly a bug fix, seems OK. |
jennybuckley
force-pushed
the
webhooks-on-webhooks
branch
from
174033d to
6bd940b
Compare
k8s-ci-robot
added
the
needs-rebase
jennybuckley
force-pushed
the
webhooks-on-webhooks
branch
from
6bd940b to
a65bbe2
Compare
k8s-ci-robot
removed
the
needs-rebase
jennybuckley
force-pushed
the
webhooks-on-webhooks
branch
from
a65bbe2 to
9f1be2f
Compare
|
/retest |
1 similar comment
|
/retest |
|
/priority important-soon |
k8s-ci-robot
added
the
priority/important-soon
| // However, in order to prevent ValidatingAdmissionWebhooks and MutatingAdmissionWebhooks | ||
| // from putting the cluster in a state which cannot be recovered from without completely | ||
| // disabling the plugin, ValidatingAdmissionWebhooks and MutatingAdmissionWebhooks are never called | ||
| // on admission requests for ValidatingWebhookConfiguration and MutatingWebhookConfiguration objects |
There was a problem hiding this comment.
Nit: missing final period. (this goes into the api documentation or I wouldn't care)
test/e2e/apimachinery/webhook.go
Outdated
| Service: &v1beta1.ServiceReference{ | ||
| Namespace: namespace, | ||
| Name: serviceName, | ||
| Path: strPtr(""), |
There was a problem hiding this comment.
Add a comment explaining what the webhook will do when called?
test/e2e/apimachinery/webhook.go
Outdated
| } | ||
| } | ||
|
|
||
| func testWebhookForWebhookConfigurations(f *framework.Framework) { |
There was a problem hiding this comment.
Perhaps add a comment that this test assumes the deletion-rejecting webhook from registerWebhookForWebhookConfigurations is in place?
|
Sorry I found a few more things--no more, I promise. Can you fix and squash non-generated changes, then I will lgtm & approve. |
jennybuckley
force-pushed
the
webhooks-on-webhooks
branch
from
3059ae4 to
bba4aee
Compare
|
@lavalamp should be good now |
jennybuckley
force-pushed
the
webhooks-on-webhooks
branch
from
bba4aee to
b4abf56
Compare
|
/retest |
|
/lgtm |
k8s-ci-robot
added
the
lgtm
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: jennybuckley, lavalamp The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
approved
|
[MILESTONENOTIFIER] Milestone Pull Request: Up-to-date for process @caesarxuchao @jennybuckley @lavalamp Pull Request Labels
|
|
@jennybuckley: The following test failed, say
Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
|
/retest |
|
/test all [submit-queue is verifying that this PR is safe to merge] |
|
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions here. |
What this PR does / why we need it:
As it stands now webhooks can be added to the system which make it impossible for a user to remove that webhook, or two webhooks could be registered which make it impossible to remove each other.
The first commit of this will add a test to make sure webhook deletion is never blocked by a webhook. This test will fail until the second commit is added which will prevent webhooks from affecting admission requests for ValidatingWebhookConfiguration and MutatingWebhookConfiguration objects in the admissionregistration.k8s.io group
Which issue(s) this PR fixes (optional, in
fixes #<issue number>(, fixes #<issue_number>, ...)format, will close the issue(s) when PR gets merged):Part of fixing #59124 (Verifies that it can remove the broken webhook.)
Release note: