openshift / generic-admission-server

A library for writing admission webhooks based on k8s.io/apiserver

License: Apache License 2.0
We have problems with our webhooks starting to fail when cert rotation happens. We tried file monitoring the mounted certs and terminating the process if we see a change but even this is not working reliably and we end up with pods still stuck.
It does not seem there's any way to inject healthz checks, or to trap this kind of error. Should we look at adding a health check to this library which monitors for cert auth failures?
Or should we look to an external solution outside our apiserver process, (i.e. our operator) which catches the cert change and forces a redeploy?
Is there interest in supporting CRD conversion webhooks as part of this project? They don't quite fit under the term admission in the project name, but they are structured in an extremely similar way, so it'd be great if we could use this to create both.
For context, we'd like to start implementing a conversion webhook in cert-manager and currently use this library for our validating webhook.
Currently, the admission server is hard coded to load the in-cluster configuration, which restricts the server from being run easily for development/testing/external to the server.
Would you be open to a new New() method named NewWithClientConfig? This would allow servers using this as a delegated apiserver to pass in the client configuration determined via CLI args.
It would be helpful to have a document that explains how webhooks written with this library should be deployed.
Or point to a simple example of a webhook based on this library.
I'm writing a webhook and I'd like some documentation explaining:
k8s.io/apiserver library

Hi @deads2k, I noticed that Kind is hardcoded to AdmissionReview in https://github.com/openshift/generic-admission-server/blob/master/pkg/apiserver/apiserver.go#L174
Should this be provided from the *Hook interface, since users of this library can define the singular and plural form of the resource?
```go
// NewCommandStartMaster provides a CLI handler for 'start master' command
func NewCommandStartAdmissionServer(out, errOut io.Writer, stopCh <-chan struct{}, admissionHooks ...apiserver.AdmissionHook) *cobra.Command {
	o := NewAdmissionServerOptions(out, errOut, admissionHooks...)
	cmd := &cobra.Command{
		Short: "Launch a namespace reservation API server",
		Long:  "Launch a namespace reservation API server",
		RunE: func(c *cobra.Command, args []string) error {
			if err := o.Complete(); err != nil {
				return err
			}
			if err := o.Validate(args); err != nil {
				return err
			}
			if err := o.RunAdmissionServer(stopCh); err != nil {
				return err
			}
			return nil
		},
	}
	flags := cmd.Flags()
	o.RecommendedOptions.AddFlags(flags)
	return cmd
}
```
When creating a new admission server using this, the description "Launch a namespace reservation API server" confuses users.
The Object in the AdmissionReview here seems to always be nil:
```go
pod, ok := admissionSpec.Object.Object.(*corev1.Pod)
if !ok {
	logger.WithField("object", admissionSpec.Object.Object).Info("received non pod object")
	return util.ToFailAdmissionResponse(ctx, fmt.Errorf("received non pod object"))
}
```
Here is the log I see:
```
$ tail -f /var/log/admission-apiserver.log
time="2019-01-03T05:05:27Z" level=info msg="received non pod object" object="<nil>" requestUID=2f846d0a-0f15-11e9-af8a-74dbd180a266
time="2019-01-03T05:05:27Z" level=info msg="received non pod object" object="<nil>" requestUID=2f8529c1-0f15-11e9-af8a-74dbd180a266
time="2019-01-03T05:05:27Z" level=info msg="received non pod object" object="<nil>" requestUID=2f88d30b-0f15-11e9-af8a-74dbd180a266
time="2019-01-03T05:05:27Z" level=info msg="received non pod object" object="<nil>" requestUID=2f8f88ff-0f15-11e9-af8a-74dbd180a266
```
Is there any chance that the object can be decoded automatically?
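An added example (not part of this issue thread or the library's code) showing why a type assertion on Object.Object sees nil and how a webhook can decode the object itself: the AdmissionReview arrives as JSON, so after unmarshalling only the raw object bytes are populated, and a typed Pod exists only once the handler decodes them. The structs are minimal local mirrors of the admission.k8s.io/v1beta1 wire format (an assumption; the real k8s.io/api types are not imported so this runs offline), and the review JSON is constructed.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// Minimal mirror of the admission.k8s.io/v1beta1 wire format (assumption: the
// real k8s.io/api types are not imported so this runs offline).
type admissionReview struct {
	Request *struct {
		Kind   struct{ Group, Version, Kind string } `json:"kind"`
		Object json.RawMessage                       `json:"object"` // raw bytes, like RawExtension.Raw
	} `json:"request"`
}

// pod keeps only the metadata this example inspects.
type pod struct {
	Metadata struct{ Name, Namespace string } `json:"metadata"`
}

// decodePod checks the declared GVK, then decodes the raw object bytes itself:
// that explicit decode is the step a type assertion on Object.Object skips.
func decodePod(review []byte) (*pod, error) {
	var ar admissionReview
	if err := json.Unmarshal(review, &ar); err != nil {
		return nil, err
	}
	if ar.Request == nil {
		return nil, errors.New("admission review has no request")
	}
	gvk := ar.Request.Kind
	if gvk.Group != "" || gvk.Version != "v1" || gvk.Kind != "Pod" {
		return nil, fmt.Errorf("received non pod object: %s/%s %s", gvk.Group, gvk.Version, gvk.Kind)
	}
	if len(ar.Request.Object) == 0 {
		return nil, errors.New("request carries no object (DELETE sends oldObject instead)")
	}
	var p pod
	if err := json.Unmarshal(ar.Request.Object, &p); err != nil {
		return nil, fmt.Errorf("decoding pod: %w", err)
	}
	return &p, nil
}

// sampleReview is a constructed AdmissionReview for a CREATE of a Pod.
const sampleReview = `{"apiVersion":"admission.k8s.io/v1beta1","kind":"AdmissionReview","request":{
"uid":"00000000-0000-0000-0000-000000000001","kind":{"group":"","version":"v1","kind":"Pod"},
"object":{"apiVersion":"v1","kind":"Pod","metadata":{"name":"web-0","namespace":"demo"}}}}`
```

Rejecting on a declared non-Pod kind or a missing object keeps the fail-closed behaviour of the snippet above while still admitting real Pods.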