openshift / generic-admission-server Goto Github PK

We have problems with our webhooks starting to fail when cert rotation happens. We tried file monitoring the mounted certs and terminating the process if we see a change but even this is not working reliably and we end up with pods still stuck.

It does not seem there's any way to inject healthz checks, or to trap this kind of error. Should we look at adding a health check to this library which monitors for cert auth failures?

Or should we look to an external solution outside our apiserver process, (i.e. our operator) which catches the cert change and forces a redeploy?

cc @deads2k @sttts

Is there interest in supporting CRD conversion webhooks as part of this project? They don't quite fit under the term admission in the project name, but they are structured in an extremely similar way so it'd be great if we could use this to create both.

For context, we'd like to start implementing a conversion webhook in cert-manager and currently use this library for our validating webhook.

Currently, the admission server is hard coded to load the in-cluster configuration, which restricts the server from be ran easily for development/testing/external to the server.

https://github.com/openshift/generic-admission-server/blob/master/pkg/apiserver/apiserver.go#L126-L129

Would you be open to a new New() method named NewWithClientConfig. This would allow servers using this as an delegated apiserver to pass in the client configuration determined via cli args.

It would be helpful to have a document that explains how webhooks written with this library should be deployed.
Or point to a simple example of a webhook based on this library.

I'm writing a webhook and I'd like some documentation explaining:

• how and why this library uses the k8s.io/apiserver library
• that the webhook server is deployed as an aggregated Kubernetes API server.
• the advantages and disadvantages of this approach rather than copying something like:
  • https://github.com/kubernetes/kubernetes/tree/master/test/images/webhook or
  • https://github.com/stackrox/admission-controller-webhook-demo

Hi @deads2k , I noticed that Kind is hardcoded to AdmissionReview in https://github.com/openshift/generic-admission-server/blob/master/pkg/apiserver/apiserver.go#L174

Should this be provided from the **Hook interface, since users of this library can define the singular and plural form the resource.

// NewCommandStartMaster provides a CLI handler for 'start master' command
func NewCommandStartAdmissionServer(out, errOut io.Writer, stopCh <-chan struct{}, admissionHooks ...apiserver.AdmissionHook) *cobra.Command {
	o := NewAdmissionServerOptions(out, errOut, admissionHooks...)

	cmd := &cobra.Command{
		Short: "Launch a namespace reservation API server",
		Long:  "Launch a namespace reservation API server",
		RunE: func(c *cobra.Command, args []string) error {
			if err := o.Complete(); err != nil {
				return err
			}
			if err := o.Validate(args); err != nil {
				return err
			}
			if err := o.RunAdmissionServer(stopCh); err != nil {
				return err
			}
			return nil
		},
	}

	flags := cmd.Flags()
	o.RecommendedOptions.AddFlags(flags)

	return cmd
}

When create a new admission server using this, the description "Launch a namespace reservation API server" make user confused.

The Object in admissionReview at here:

seems always be nil

	pod, ok := admissionSpec.Object.Object.(*corev1.Pod)
	if !ok {
		logger.WithField("object", admissionSpec.Object.Object).Info("received non pod object")
		return util.ToFailAdmissionResponse(ctx, fmt.Errorf("received non pod object"))
	}

Here is the log I see:

$ tail -f /var/log/admission-apiserver.log
time="2019-01-03T05:05:27Z" level=info msg="received non pod object" object="<nil>" requestUID=2f846d0a-0f15-11e9-af8a-74dbd180a266
time="2019-01-03T05:05:27Z" level=info msg="received non pod object" object="<nil>" requestUID=2f8529c1-0f15-11e9-af8a-74dbd180a266
time="2019-01-03T05:05:27Z" level=info msg="received non pod object" object="<nil>" requestUID=2f88d30b-0f15-11e9-af8a-74dbd180a266
time="2019-01-03T05:05:27Z" level=info msg="received non pod object" object="<nil>" requestUID=2f8f88ff-0f15-11e9-af8a-74dbd180a266

Is there any chance that the object can be decoded automatically?