Merge pull request #16861 from deads2k/cli-08-clusterup-admission

Automatic merge from submit-queue (batch tested with PRs 16861, 16438).

make webhook admission kind of work

This is done to support openshift/kubernetes-namespace-reservation#3 .  It contains multiple fixes needed to make webhooks run at all.  In addition, it changes validation rules and admission handling until we get changes like kubernetes/kubernetes#53826 into the API.  

This affects handling and compatibility of an alpha feature.

@dgoodwin @abhgupta be ready for upgrade pain in this area.
@bparees I turned this on in cluster-up.  Surgery was relatively minor

Author: openshift-merge-robot

pkg/cmd/server/api/latest/helpers.go

@@ -167,7 +167,6 @@ func ConvertOpenshiftAdmissionConfigToKubeAdmissionConfig(in map[string]configap
 	for _, pluginName := range sets.StringKeySet(in).List() {
 		openshiftConfig := in[pluginName]
 
-		fmt.Printf("#### adding for %T\n", openshiftConfig.Configuration)
 		kubeConfig := apiserver.AdmissionPluginConfiguration{
 			Name: pluginName,
 			Path: openshiftConfig.Location,

pkg/cmd/server/origin/admission/plugin_initializer.go

@@ -36,6 +36,7 @@ import (
 	kubeclientgoinformers "k8s.io/client-go/informers"
 	kubeclientgoclient "k8s.io/client-go/kubernetes"
 	"k8s.io/client-go/rest"
+	aggregatorapiserver "k8s.io/kube-aggregator/pkg/apiserver"
 	kclientsetexternal "k8s.io/kubernetes/pkg/client/clientset_generated/clientset"
 	kclientsetinternal "k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset"
 	kexternalinformers "k8s.io/kubernetes/pkg/client/informers/informers_generated/externalversions"
@@ -144,6 +145,14 @@ func NewPluginInitializer(
 		cloudConfig,
 		restMapper,
 		quotaRegistry)
+	// upstream broke this, so we can't use their mechanism.  We need to get an actual client cert and practically speaking privileged loopback will always have one
+	kubePluginInitializer.SetClientCert(privilegedLoopbackConfig.TLSClientConfig.CertData, privilegedLoopbackConfig.TLSClientConfig.KeyData)
+	// this is a really problematic thing, because it breaks DNS resolution and IP routing, but its for an alpha feature that
+	// I need to work cluster-up
+	kubePluginInitializer.SetServiceResolver(aggregatorapiserver.NewClusterIPServiceResolver(
+		informers.GetClientGoKubeInformers().Core().V1().Services().Lister(),
+	))
+
 	openshiftPluginInitializer := &oadmission.PluginInitializer{
 		OpenshiftInternalAuthorizationClient: authorizationClient,
 		OpenshiftInternalBuildClient:         buildClient,

pkg/cmd/server/origin/aggregator.go

@@ -176,24 +176,25 @@ var apiVersionPriorities = map[schema.GroupVersion]priority{
 	// can reasonably expect seems questionable.
 	{Group: "extensions", Version: "v1beta1"}: {group: 17900, version: 1},
 	// to my knowledge, nothing below here collides
-	{Group: "apps", Version: "v1beta1"}:                       {group: 17800, version: 1},
-	{Group: "authentication.k8s.io", Version: "v1"}:           {group: 17700, version: 15},
-	{Group: "authentication.k8s.io", Version: "v1beta1"}:      {group: 17700, version: 9},
-	{Group: "authorization.k8s.io", Version: "v1"}:            {group: 17600, version: 15},
-	{Group: "authorization.k8s.io", Version: "v1beta1"}:       {group: 17600, version: 9},
-	{Group: "autoscaling", Version: "v1"}:                     {group: 17500, version: 15},
-	{Group: "autoscaling", Version: "v2alpha1"}:               {group: 17500, version: 9},
-	{Group: "batch", Version: "v1"}:                           {group: 17400, version: 15},
-	{Group: "batch", Version: "v2alpha1"}:                     {group: 17400, version: 9},
-	{Group: "certificates.k8s.io", Version: "v1beta1"}:        {group: 17300, version: 9},
-	{Group: "networking.k8s.io", Version: "v1"}:               {group: 17200, version: 15},
-	{Group: "policy", Version: "v1beta1"}:                     {group: 17100, version: 9},
-	{Group: "rbac.authorization.k8s.io", Version: "v1beta1"}:  {group: 17000, version: 12},
-	{Group: "rbac.authorization.k8s.io", Version: "v1alpha1"}: {group: 17000, version: 9},
-	{Group: "settings.k8s.io", Version: "v1alpha1"}:           {group: 16900, version: 9},
-	{Group: "storage.k8s.io", Version: "v1"}:                  {group: 16800, version: 15},
-	{Group: "storage.k8s.io", Version: "v1beta1"}:             {group: 16800, version: 9},
-	{Group: "apiextensions.k8s.io", Version: "v1beta1"}:       {group: 16700, version: 9},
+	{Group: "apps", Version: "v1beta1"}:                          {group: 17800, version: 1},
+	{Group: "authentication.k8s.io", Version: "v1"}:              {group: 17700, version: 15},
+	{Group: "authentication.k8s.io", Version: "v1beta1"}:         {group: 17700, version: 9},
+	{Group: "authorization.k8s.io", Version: "v1"}:               {group: 17600, version: 15},
+	{Group: "authorization.k8s.io", Version: "v1beta1"}:          {group: 17600, version: 9},
+	{Group: "autoscaling", Version: "v1"}:                        {group: 17500, version: 15},
+	{Group: "autoscaling", Version: "v2alpha1"}:                  {group: 17500, version: 9},
+	{Group: "batch", Version: "v1"}:                              {group: 17400, version: 15},
+	{Group: "batch", Version: "v2alpha1"}:                        {group: 17400, version: 9},
+	{Group: "certificates.k8s.io", Version: "v1beta1"}:           {group: 17300, version: 9},
+	{Group: "networking.k8s.io", Version: "v1"}:                  {group: 17200, version: 15},
+	{Group: "policy", Version: "v1beta1"}:                        {group: 17100, version: 9},
+	{Group: "rbac.authorization.k8s.io", Version: "v1beta1"}:     {group: 17000, version: 12},
+	{Group: "rbac.authorization.k8s.io", Version: "v1alpha1"}:    {group: 17000, version: 9},
+	{Group: "settings.k8s.io", Version: "v1alpha1"}:              {group: 16900, version: 9},
+	{Group: "storage.k8s.io", Version: "v1"}:                     {group: 16800, version: 15},
+	{Group: "storage.k8s.io", Version: "v1beta1"}:                {group: 16800, version: 9},
+	{Group: "apiextensions.k8s.io", Version: "v1beta1"}:          {group: 16700, version: 9},
+	{Group: "admissionregistration.k8s.io", Version: "v1alpha1"}: {group: 16700, version: 9},
 
 	// arbitrarily starting openshift around 10000.
 	// bump authorization above RBAC

pkg/oc/bootstrap/docker/openshift/helper.go

@@ -696,16 +696,21 @@ func useAggregator(version semver.Version) bool {
 	return version.GTE(version37)
 }
 
-func useTemplateServiceBroker(version semver.Version) bool {
-	return version.GTE(version37)
-}
-
 func (h *Helper) updateConfig(configDir string, opt *StartOptions) error {
 	cfg, configPath, err := h.GetConfigFromLocalDir(configDir)
 	if err != nil {
 		return err
 	}
 
+	// turn on admission webhooks by default.  They are no-ops until someone explicitly tries to configure one
+	if cfg.AdmissionConfig.PluginConfig == nil {
+		cfg.AdmissionConfig.PluginConfig = map[string]configapi.AdmissionPluginConfig{}
+	}
+	cfg.AdmissionConfig.PluginConfig["GenericAdmissionWebhook"] = configapi.AdmissionPluginConfig{
+		Configuration: &configapi.DefaultAdmissionConfig{},
+	}
+	cfg.KubernetesMasterConfig.APIServerArguments["runtime-config"] = append(cfg.KubernetesMasterConfig.APIServerArguments["runtime-config"], "apis/admissionregistration.k8s.io/v1alpha1=true")
+
 	if len(opt.RoutingSuffix) > 0 {
 		cfg.RoutingConfig.Subdomain = opt.RoutingSuffix
 	} else {
@@ -721,9 +726,6 @@ func (h *Helper) updateConfig(configDir string, opt *StartOptions) error {
 	}
 
 	if len(opt.HTTPProxy) > 0 || len(opt.HTTPSProxy) > 0 || len(opt.NoProxy) > 0 {
-		if cfg.AdmissionConfig.PluginConfig == nil {
-			cfg.AdmissionConfig.PluginConfig = map[string]configapi.AdmissionPluginConfig{}
-		}
 
 		var buildDefaults *defaultsapi.BuildDefaultsConfig
 		buildDefaultsConfig, ok := cfg.AdmissionConfig.PluginConfig[defaultsapi.BuildDefaultsPlugin]