
Commit 20db538

Merge pull request #16861 from deads2k/cli-08-clusterup-admission
Automatic merge from submit-queue (batch tested with PRs 16861, 16438). make webhook admission kind of work This is done to support openshift/kubernetes-namespace-reservation#3 . It contains multiple fixes needed to make webhooks run at all. In addition, it changes validation rules and admission handling until we get changes like kubernetes/kubernetes#53826 into the API. This affects handling and compatibility of an alpha feature. @dgoodwin @abhgupta be ready for upgrade pain in this area. @bparees I turned this on in cluster-up. Surgery was relatively minor
2 parents 656fc81 + b8e3c19 commit 20db538


21 files changed

+486
-251
lines changed


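--- a/pkg/cmd/server/api/latest/helpers.go
+++ b/pkg/cmd/server/api/latest/helpers.go
@@ -167,7 +167,6 @@ func ConvertOpenshiftAdmissionConfigToKubeAdmissionConfig(in map[string]configap
 for _, pluginName := range sets.StringKeySet(in).List() {
 openshiftConfig := in[pluginName]
 
-fmt.Printf("#### adding for %T\n", openshiftConfig.Configuration)
 kubeConfig := apiserver.AdmissionPluginConfiguration{
 Name: pluginName,
 Path: openshiftConfig.Location,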

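--- a/pkg/cmd/server/origin/admission/plugin_initializer.go
+++ b/pkg/cmd/server/origin/admission/plugin_initializer.go
@@ -36,6 +36,7 @@ import (
 kubeclientgoinformers "k8s.io/client-go/informers"
 kubeclientgoclient "k8s.io/client-go/kubernetes"
 "k8s.io/client-go/rest"
+aggregatorapiserver "k8s.io/kube-aggregator/pkg/apiserver"
 kclientsetexternal "k8s.io/kubernetes/pkg/client/clientset_generated/clientset"
 kclientsetinternal "k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset"
 kexternalinformers "k8s.io/kubernetes/pkg/client/informers/informers_generated/externalversions"
@@ -144,6 +145,14 @@ func NewPluginInitializer(
 cloudConfig,
 restMapper,
 quotaRegistry)
+// upstream broke this, so we can't use their mechanism. We need to get an actual client cert and practically speaking privileged loopback will always have one
+kubePluginInitializer.SetClientCert(privilegedLoopbackConfig.TLSClientConfig.CertData, privilegedLoopbackConfig.TLSClientConfig.KeyData)
+// this is a really problematic thing, because it breaks DNS resolution and IP routing, but its for an alpha feature that
+// I need to work cluster-up
+kubePluginInitializer.SetServiceResolver(aggregatorapiserver.NewClusterIPServiceResolver(
+informers.GetClientGoKubeInformers().Core().V1().Services().Lister(),
+))
+
 openshiftPluginInitializer := &oadmission.PluginInitializer{
 OpenshiftInternalAuthorizationClient: authorizationClient,
 OpenshiftInternalBuildClient: buildClient,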
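Review bot: The `SetClientCert` call added in NewPluginInitializer gives the webhook admission plugin the certificate and key from `privilegedLoopbackConfig`, so outbound admission webhook calls would authenticate with what the name suggests is the API server's own privileged loopback identity rather than a credential scoped to webhook traffic. The added comment explains only that upstream's mechanism is broken; I would record the trade-off next to the call, e.g. `// TODO: use a dedicated webhook client cert; this reuses the privileged loopback identity for calls to webhook backends`. The call also assumes `CertData` and `KeyData` are populated inline; if the loopback config carries file paths or a bearer token instead, the plugin presumably gets an empty cert and fails only when a webhook is first called, so a `len(...) == 0` check that fails initialization would surface that early. NewPluginInitializer starts and ends outside the hunk, so its error-return shape is not visible here.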

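--- a/pkg/cmd/server/origin/aggregator.go
+++ b/pkg/cmd/server/origin/aggregator.go
@@ -176,24 +176,25 @@ var apiVersionPriorities = map[schema.GroupVersion]priority{
 // can reasonably expect seems questionable.
 {Group: "extensions", Version: "v1beta1"}: {group: 17900, version: 1},
 // to my knowledge, nothing below here collides
-{Group: "apps", Version: "v1beta1"}: {group: 17800, version: 1},
-{Group: "authentication.k8s.io", Version: "v1"}: {group: 17700, version: 15},
-{Group: "authentication.k8s.io", Version: "v1beta1"}: {group: 17700, version: 9},
-{Group: "authorization.k8s.io", Version: "v1"}: {group: 17600, version: 15},
-{Group: "authorization.k8s.io", Version: "v1beta1"}: {group: 17600, version: 9},
-{Group: "autoscaling", Version: "v1"}: {group: 17500, version: 15},
-{Group: "autoscaling", Version: "v2alpha1"}: {group: 17500, version: 9},
-{Group: "batch", Version: "v1"}: {group: 17400, version: 15},
-{Group: "batch", Version: "v2alpha1"}: {group: 17400, version: 9},
-{Group: "certificates.k8s.io", Version: "v1beta1"}: {group: 17300, version: 9},
-{Group: "networking.k8s.io", Version: "v1"}: {group: 17200, version: 15},
-{Group: "policy", Version: "v1beta1"}: {group: 17100, version: 9},
-{Group: "rbac.authorization.k8s.io", Version: "v1beta1"}: {group: 17000, version: 12},
-{Group: "rbac.authorization.k8s.io", Version: "v1alpha1"}: {group: 17000, version: 9},
-{Group: "settings.k8s.io", Version: "v1alpha1"}: {group: 16900, version: 9},
-{Group: "storage.k8s.io", Version: "v1"}: {group: 16800, version: 15},
-{Group: "storage.k8s.io", Version: "v1beta1"}: {group: 16800, version: 9},
-{Group: "apiextensions.k8s.io", Version: "v1beta1"}: {group: 16700, version: 9},
+{Group: "apps", Version: "v1beta1"}: {group: 17800, version: 1},
+{Group: "authentication.k8s.io", Version: "v1"}: {group: 17700, version: 15},
+{Group: "authentication.k8s.io", Version: "v1beta1"}: {group: 17700, version: 9},
+{Group: "authorization.k8s.io", Version: "v1"}: {group: 17600, version: 15},
+{Group: "authorization.k8s.io", Version: "v1beta1"}: {group: 17600, version: 9},
+{Group: "autoscaling", Version: "v1"}: {group: 17500, version: 15},
+{Group: "autoscaling", Version: "v2alpha1"}: {group: 17500, version: 9},
+{Group: "batch", Version: "v1"}: {group: 17400, version: 15},
+{Group: "batch", Version: "v2alpha1"}: {group: 17400, version: 9},
+{Group: "certificates.k8s.io", Version: "v1beta1"}: {group: 17300, version: 9},
+{Group: "networking.k8s.io", Version: "v1"}: {group: 17200, version: 15},
+{Group: "policy", Version: "v1beta1"}: {group: 17100, version: 9},
+{Group: "rbac.authorization.k8s.io", Version: "v1beta1"}: {group: 17000, version: 12},
+{Group: "rbac.authorization.k8s.io", Version: "v1alpha1"}: {group: 17000, version: 9},
+{Group: "settings.k8s.io", Version: "v1alpha1"}: {group: 16900, version: 9},
+{Group: "storage.k8s.io", Version: "v1"}: {group: 16800, version: 15},
+{Group: "storage.k8s.io", Version: "v1beta1"}: {group: 16800, version: 9},
+{Group: "apiextensions.k8s.io", Version: "v1beta1"}: {group: 16700, version: 9},
+{Group: "admissionregistration.k8s.io", Version: "v1alpha1"}: {group: 16700, version: 9},
 
 // arbitrarily starting openshift around 10000.
 // bump authorization above RBAC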
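Review bot: The new `admissionregistration.k8s.io` / `v1alpha1` entry reuses group priority 16700, the value already assigned to `apiextensions.k8s.io` on the line above it, while every other group in this run has its own number and the comment above the run says nothing below collides. If the tie is deliberate, say so on the line, e.g. `// shares 16700 with apiextensions.k8s.io on purpose`. Otherwise give it its own slot, e.g. `{group: 16600, version: 9}`, after checking that value is unused further down the map, which continues outside the hunk. The other changed lines read identically on both sides in this rendering, so they look like realignment only.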

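--- a/pkg/oc/bootstrap/docker/openshift/helper.go
+++ b/pkg/oc/bootstrap/docker/openshift/helper.go
@@ -696,16 +696,21 @@ func useAggregator(version semver.Version) bool {
 return version.GTE(version37)
 }
 
-func useTemplateServiceBroker(version semver.Version) bool {
-return version.GTE(version37)
-}
-
 func (h *Helper) updateConfig(configDir string, opt *StartOptions) error {
 cfg, configPath, err := h.GetConfigFromLocalDir(configDir)
 if err != nil {
 return err
 }
 
+// turn on admission webhooks by default. They are no-ops until someone explicitly tries to configure one
+if cfg.AdmissionConfig.PluginConfig == nil {
+cfg.AdmissionConfig.PluginConfig = map[string]configapi.AdmissionPluginConfig{}
+}
+cfg.AdmissionConfig.PluginConfig["GenericAdmissionWebhook"] = configapi.AdmissionPluginConfig{
+Configuration: &configapi.DefaultAdmissionConfig{},
+}
+cfg.KubernetesMasterConfig.APIServerArguments["runtime-config"] = append(cfg.KubernetesMasterConfig.APIServerArguments["runtime-config"], "apis/admissionregistration.k8s.io/v1alpha1=true")
+
 if len(opt.RoutingSuffix) > 0 {
 cfg.RoutingConfig.Subdomain = opt.RoutingSuffix
 } else {
@@ -721,9 +726,6 @@ func (h *Helper) updateConfig(configDir string, opt *StartOptions) error {
 }
 
 if len(opt.HTTPProxy) > 0 || len(opt.HTTPSProxy) > 0 || len(opt.NoProxy) > 0 {
-if cfg.AdmissionConfig.PluginConfig == nil {
-cfg.AdmissionConfig.PluginConfig = map[string]configapi.AdmissionPluginConfig{}
-}
 
 var buildDefaults *defaultsapi.BuildDefaultsConfig
 buildDefaultsConfig, ok := cfg.AdmissionConfig.PluginConfig[defaultsapi.BuildDefaultsPlugin]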
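Review bot: In updateConfig the new `runtime-config` line writes into `cfg.KubernetesMasterConfig.APIServerArguments` without the nil guard that the same hunk adds for `PluginConfig`; if that field is a map the loaded config left unset, or `KubernetesMasterConfig` is a nil pointer, the assignment panics. A guard before the append would cover the map case: `if cfg.KubernetesMasterConfig.APIServerArguments == nil { cfg.KubernetesMasterConfig.APIServerArguments = map[string][]string{} }`. The field types are declared outside this hunk, so confirm them first. Because this enables an alpha admission plugin and API group on every cluster-up install, the comment could also note that the ability to create webhook registrations now determines which services receive admission requests. updateConfig continues beyond the hunk.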

vendor/k8s.io/kubernetes/cmd/kube-apiserver/app/server.go

Lines changed: 13 additions & 4 deletions
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

vendor/k8s.io/kubernetes/pkg/apis/admissionregistration/validation/validation.go

Lines changed: 7 additions & 6 deletions
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

vendor/k8s.io/kubernetes/pkg/apis/admissionregistration/validation/validation_test.go

Lines changed: 3 additions & 3 deletions
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

vendor/k8s.io/kubernetes/pkg/kubeapiserver/admission/initializer.go

Lines changed: 20 additions & 5 deletions
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

vendor/k8s.io/kubernetes/plugin/pkg/admission/webhook/BUILD

Lines changed: 2 additions & 0 deletions
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.
