feat(admission): implement admission controllers deletion (#32523)

Signed-off-by: Wassim DHIF <[email protected]> Co-authored-by: Esther Kim <[email protected]>
DataDog · Dec 27, 2024 · 70abd23 · 70abd23
1 parent 46749fd
commit 70abd23
Show file tree

Hide file tree

Showing 3 changed files with 90 additions and 0 deletions.
diff --git a/pkg/clusteragent/admission/controllers/webhook/controller_v1.go b/pkg/clusteragent/admission/controllers/webhook/controller_v1.go
@@ -212,6 +212,19 @@ func (c *ControllerV1) reconcile() error {
 				log.Errorf("Failed to update Mutating Webhook %s: %v", c.config.getWebhookName(), err)
 			}
 		}
+	} else {
+		mutatingWebhook, err := c.mutatingWebhooksLister.Get(c.config.getWebhookName())
+		if err != nil {
+			if !errors.IsNotFound(err) {
+				log.Errorf("Failed to get Mutating Webhook %s: %v", c.config.getWebhookName(), err)
+			}
+		} else {
+			log.Infof("Mutating Webhook %s was found, deleting it", c.config.getWebhookName())
+			err := c.deleteMutatingWebhook(mutatingWebhook)
+			if err != nil {
+				log.Errorf("Failed to delete Mutating Webhook %s: %v", c.config.getWebhookName(), err)
+			}
+		}
 	}
 
 	if c.config.validationEnabled {
@@ -231,6 +244,19 @@ func (c *ControllerV1) reconcile() error {
 				log.Errorf("Failed to update Validating Webhook %s: %v", c.config.getWebhookName(), err)
 			}
 		}
+	} else {
+		validatingWebhook, err := c.validatingWebhooksLister.Get(c.config.getWebhookName())
+		if err != nil {
+			if !errors.IsNotFound(err) {
+				log.Errorf("Failed to get Validating Webhook %s: %v", c.config.getWebhookName(), err)
+			}
+		} else {
+			log.Infof("Validating Webhook %s was found, deleting it", c.config.getWebhookName())
+			err := c.deleteValidatingWebhook(validatingWebhook)
+			if err != nil {
+				log.Errorf("Failed to delete Validating Webhook %s: %v", c.config.getWebhookName(), err)
+			}
+		}
 	}
 
 	return err
@@ -273,6 +299,12 @@ func (c *ControllerV1) newValidatingWebhooks(secret *corev1.Secret) []admiv1.Val
 	return webhooks
 }
 
+// deleteValidatingWebhook deletes the ValidatingWebhookConfiguration object.
+func (c *ControllerV1) deleteValidatingWebhook(webhook *admiv1.ValidatingWebhookConfiguration) error {
+	err := c.clientSet.AdmissionregistrationV1().ValidatingWebhookConfigurations().Delete(context.TODO(), webhook.Name, metav1.DeleteOptions{})
+	return err
+}
+
 // createMutatingWebhook creates a new MutatingWebhookConfiguration object.
 func (c *ControllerV1) createMutatingWebhook(secret *corev1.Secret) error {
 	webhook := &admiv1.MutatingWebhookConfiguration{
@@ -310,6 +342,12 @@ func (c *ControllerV1) newMutatingWebhooks(secret *corev1.Secret) []admiv1.Mutat
 	return webhooks
 }
 
+// deleteMutatingWebhook deletes the MutatingWebhookConfiguration object.
+func (c *ControllerV1) deleteMutatingWebhook(webhook *admiv1.MutatingWebhookConfiguration) error {
+	err := c.clientSet.AdmissionregistrationV1().MutatingWebhookConfigurations().Delete(context.TODO(), webhook.Name, metav1.DeleteOptions{})
+	return err
+}
+
 // generateTemplates generates the webhook templates from the configuration.
 func (c *ControllerV1) generateTemplates() {
 	// Generate validating webhook templates

diff --git a/pkg/clusteragent/admission/controllers/webhook/controller_v1beta1.go b/pkg/clusteragent/admission/controllers/webhook/controller_v1beta1.go
@@ -213,6 +213,19 @@ func (c *ControllerV1beta1) reconcile() error {
 				log.Errorf("Failed to update Mutating Webhook %s: %v", c.config.getWebhookName(), err)
 			}
 		}
+	} else {
+		mutatingWebhook, err := c.mutatingWebhooksLister.Get(c.config.getWebhookName())
+		if err != nil {
+			if !errors.IsNotFound(err) {
+				log.Errorf("Failed to get Mutating Webhook %s: %v", c.config.getWebhookName(), err)
+			}
+		} else {
+			log.Infof("Mutating Webhook %s was found, deleting it", c.config.getWebhookName())
+			err := c.deleteMutatingWebhook(mutatingWebhook)
+			if err != nil {
+				log.Errorf("Failed to delete Mutating Webhook %s: %v", c.config.getWebhookName(), err)
+			}
+		}
 	}
 
 	if c.config.validationEnabled {
@@ -232,6 +245,19 @@ func (c *ControllerV1beta1) reconcile() error {
 				log.Errorf("Failed to update Validating Webhook %s: %v", c.config.getWebhookName(), err)
 			}
 		}
+	} else {
+		validatingWebhook, err := c.validatingWebhooksLister.Get(c.config.getWebhookName())
+		if err != nil {
+			if !errors.IsNotFound(err) {
+				log.Errorf("Failed to get Validating Webhook %s: %v", c.config.getWebhookName(), err)
+			}
+		} else {
+			log.Infof("Validating Webhook %s was found, deleting it", c.config.getWebhookName())
+			err := c.deleteValidatingWebhook(validatingWebhook)
+			if err != nil {
+				log.Errorf("Failed to delete Validating Webhook %s: %v", c.config.getWebhookName(), err)
+			}
+		}
 	}
 
 	return err
@@ -274,6 +300,12 @@ func (c *ControllerV1beta1) newValidatingWebhooks(secret *corev1.Secret) []admiv
 	return webhooks
 }
 
+// deleteValidatingWebhook deletes the ValidatingWebhookConfiguration object.
+func (c *ControllerV1beta1) deleteValidatingWebhook(webhook *admiv1beta1.ValidatingWebhookConfiguration) error {
+	err := c.clientSet.AdmissionregistrationV1beta1().ValidatingWebhookConfigurations().Delete(context.TODO(), webhook.Name, metav1.DeleteOptions{})
+	return err
+}
+
 // createMutatingWebhook creates a new MutatingWebhookConfiguration object.
 func (c *ControllerV1beta1) createMutatingWebhook(secret *corev1.Secret) error {
 	webhook := &admiv1beta1.MutatingWebhookConfiguration{
@@ -312,6 +344,12 @@ func (c *ControllerV1beta1) newMutatingWebhooks(secret *corev1.Secret) []admiv1b
 	return webhooks
 }
 
+// deleteMutatingWebhook deletes the MutatingWebhookConfiguration object.
+func (c *ControllerV1beta1) deleteMutatingWebhook(webhook *admiv1beta1.MutatingWebhookConfiguration) error {
+	err := c.clientSet.AdmissionregistrationV1beta1().MutatingWebhookConfigurations().Delete(context.TODO(), webhook.Name, metav1.DeleteOptions{})
+	return err
+}
+
 func (c *ControllerV1beta1) generateTemplates() {
 	validatingWebhooks := []admiv1beta1.ValidatingWebhook{}
 	for _, webhook := range c.webhooks {

diff --git a/releasenotes-dca/notes/delete_admission_webhooks-5c89ccd6c0d6ff8b.yaml b/releasenotes-dca/notes/delete_admission_webhooks-5c89ccd6c0d6ff8b.yaml
@@ -0,0 +1,14 @@
+# Each section from every release note are combined when the
+# CHANGELOG-DCA.rst is rendered. So the text needs to be worded so that
+# it does not depend on any information only available in another
+# section. This may mean repeating some details, but each section
+# must be readable independently of the other.
+#
+# Each section note must be formatted as reStructuredText.
+---
+enhancements:
+  - |
+    The Cluster Agent is now able to delete `ValidatingAdmissionWebhook` and `MutatingAdmissionWebhook`
+    depending on the `admission_controller.validation.enabled` and `admission_controller.mutation.enabled` settings.
+    Note that `admission_controller.enabled` must be set to `true` to allow the Cluster Agent to
+    interact with the Kubernetes Admission Controller.