make webhook admission kind of work #16861
Conversation
openshift-merge-robot
added
the
approved
openshift-ci-robot
added
the
size/XL
|
cluster up changes lgtm. |
|
/retest |
|
Upgrade pain just in the sense that we'll need a build deployed with this change before we can get anything operational? |
Alpha fields are alpha. The API will change and your webhook admission will either disappear or start failing. |
deads2k
force-pushed
the
cli-08-clusterup-admission
branch
from
f568af2 to
6060039
Compare
|
/retest |
openshift-merge-robot
added
the
vendor-update
| @@ -144,6 +145,14 @@ func NewPluginInitializer( | |||
| cloudConfig, | |||
| restMapper, | |||
| quotaRegistry) | |||
| // upstream broke this, so we can't use their mechanism. We need to get an actual client cert and practically speaking privileged loopback will always have one | |||
There was a problem hiding this comment.
broke what?
They wire to the wrong client cert: kubernetes/kubernetes#53828 . Also, it's built such that using the "normal" constructor produces a plugin initializer that will panic on a "normal" admission chain.
There was a problem hiding this comment.
That link helps. Next time I read your PR description.
| @@ -45,6 +45,8 @@ import ( | |||
| "k8s.io/kubernetes/pkg/kubeapiserver/admission/configuration" | |||
|
|
|||
| // install the clientgo admission API for use with api registry | |||
| "strings" | |||
deads2k
force-pushed
the
cli-08-clusterup-admission
branch
3 times, most recently
from
b9fcab6 to
3d06084
Compare
Automatic merge from submit-queue (batch tested with PRs 16867, 16231). remove unnecessary anonymous function There is an upstream replacement for this function. This cleans up the last usages. blocks #16861 /kind bug
| @@ -19,6 +19,8 @@ import ( | |||
| kapi "k8s.io/kubernetes/pkg/api" | |||
|
|
|||
| "github.com/openshift/origin/pkg/cmd/util" | |||
|
|
|||
| _ "github.com/openshift/origin/pkg/api/install" | |||
There was a problem hiding this comment.
how is this related to the PR?
There was a problem hiding this comment.
how is this related to the PR?
if the APIs aren't installed, their fake apiserver fails.
| response := &admissionv1alpha1.AdmissionReview{} | ||
| if err := client.Post().Context(ctx).Body(&request).Do().Into(response); err != nil { |
|
Commented on the upstream PRs. |
deads2k
force-pushed
the
cli-08-clusterup-admission
branch
from
3d06084 to
329cf75
Compare
…have a valid CN; fix a fuzzer
…to work without modifying api
deads2k
force-pushed
the
cli-08-clusterup-admission
branch
from
329cf75 to
b8e3c19
Compare
|
comments addressed |
|
/retest |
|
/retest Please review the full test history for this PR and help us cut down flakes. |
|
/lgtm |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: deads2k, sttts The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these OWNERS Files:
You can indicate your approval by writing |
|
/retest Please review the full test history for this PR and help us cut down flakes. |
|
/test all [submit-queue is verifying that this PR is safe to merge] |
|
Automatic merge from submit-queue (batch tested with PRs 16861, 16438). |
|
@deads2k: The following test failed, say
Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
| @@ -144,6 +145,14 @@ func NewPluginInitializer( | |||
| cloudConfig, | |||
| restMapper, | |||
| quotaRegistry) | |||
| // upstream broke this, so we can't use their mechanism. We need to get an actual client cert and practically speaking privileged loopback will always have one | |||
| kubePluginInitializer.SetClientCert(privilegedLoopbackConfig.TLSClientConfig.CertData, privilegedLoopbackConfig.TLSClientConfig.KeyData) | |||
There was a problem hiding this comment.
Where can a webhook find the CA that signs this cert?
There was a problem hiding this comment.
Where can a webhook find the CA that signs this cert?
This cert is signed by the client CA for the apiservers. Since the our webhook apiservers are run as aggregated API servers, they automatically trust that CA (though a user could wire it differently). That means that normal cluster authentication and authorization (rbac) rules apply.
This is done to support openshift/kubernetes-namespace-reservation#3 . It contains multiple fixes needed to make webhooks run at all. In addition, it changes validation rules and admission handling until we get changes like kubernetes/kubernetes#53826 into the API.
This affects handling and compatibility of an alpha feature.
@dgoodwin @abhgupta be ready for upgrade pain in this area.
@bparees I turned this on in cluster-up. Surgery was relatively minor