From 0a266741f84922072a09d90c86d9506ee4857484 Mon Sep 17 00:00:00 2001 From: Shawn Hurley Date: Wed, 20 Apr 2022 08:56:41 -0400 Subject: [PATCH] adding a new admission plugin to handle api bindings and all validating webhooks --- pkg/admission/plugins.go | 16 ++++++++-------- pkg/admission/validatingwebhook/plugin.go | 13 ++++++++----- test/e2e/conformance/webhook_test.go | 3 --- 3 files changed, 16 insertions(+), 16 deletions(-) diff --git a/pkg/admission/plugins.go b/pkg/admission/plugins.go index ef2698d9232f..24fb04669bb8 100644 --- a/pkg/admission/plugins.go +++ b/pkg/admission/plugins.go @@ -22,7 +22,6 @@ import ( "k8s.io/apiserver/pkg/admission/plugin/namespace/lifecycle" "k8s.io/apiserver/pkg/admission/plugin/resourcequota" mutatingwebhook "k8s.io/apiserver/pkg/admission/plugin/webhook/mutating" - validatingwebhook "k8s.io/apiserver/pkg/admission/plugin/webhook/validating" kubeapiserveroptions "k8s.io/kubernetes/pkg/kubeapiserver/options" certapproval "k8s.io/kubernetes/plugin/pkg/admission/certificates/approval" certsigning "k8s.io/kubernetes/plugin/pkg/admission/certificates/signing" @@ -45,6 +44,7 @@ import ( "github.com/kcp-dev/kcp/pkg/admission/clusterworkspaceshard" "github.com/kcp-dev/kcp/pkg/admission/clusterworkspacetype" "github.com/kcp-dev/kcp/pkg/admission/clusterworkspacetypeexists" + kcpvalidatingwebhook "github.com/kcp-dev/kcp/pkg/admission/validatingwebhook" ) // AllOrderedPlugins is the list of all the plugins in order. @@ -55,7 +55,7 @@ var AllOrderedPlugins = beforeWebhooks(kubeapiserveroptions.AllOrderedPlugins, clusterworkspacetype.PluginName, clusterworkspacetypeexists.PluginName, apibinding.PluginName, - validatingwebhook.PluginName, + kcpvalidatingwebhook.PluginName, ) func beforeWebhooks(recommended []string, plugins ...string) []string { 
@@ -79,14 +79,14 @@ func RegisterAllKcpAdmissionPlugins(plugins *admission.Plugins) { clusterworkspacetypeexists.Register(plugins) apiresourceschema.Register(plugins) apibinding.Register(plugins) - validatingwebhook.Register(plugins) + kcpvalidatingwebhook.Register(plugins) } var defaultOnPluginsInKcp = sets.NewString( - lifecycle.PluginName, // NamespaceLifecycle - limitranger.PluginName, // LimitRanger - mutatingwebhook.PluginName, // MutatingAdmissionWebhook - validatingwebhook.PluginName, // ValidatingAdmissionWebhook + lifecycle.PluginName, // NamespaceLifecycle + limitranger.PluginName, // LimitRanger + // mutatingwebhook.PluginName, // MutatingAdmissionWebhook + // validatingwebhook.PluginName, // ValidatingAdmissionWebhook certapproval.PluginName, // CertificateApproval certsigning.PluginName, // CertificateSigning certsubjectrestriction.PluginName, // CertificateSubjectRestriction @@ -98,7 +98,7 @@ var defaultOnPluginsInKcp = sets.NewString( clusterworkspacetypeexists.PluginName, apiresourceschema.PluginName, apibinding.PluginName, - validatingwebhook.PluginName, + kcpvalidatingwebhook.PluginName, ) // defaultOnKubePluginsInKube is a copy of kubeapiserveroptions.defaultOnKubePlugins. diff --git a/pkg/admission/validatingwebhook/plugin.go b/pkg/admission/validatingwebhook/plugin.go index 2eb88a7a65eb..613e2ad9cf33 100644 --- a/pkg/admission/validatingwebhook/plugin.go +++ b/pkg/admission/validatingwebhook/plugin.go @@ -48,6 +48,7 @@ const ( type Plugin struct { // Using validating plugin, for the dispatcher to use. // This plugins admit function will never be called. + *admission.Handler validating.Plugin dipatcher generic.Dispatcher hookSource generic.Source 
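Review bot: In `defaultOnPluginsInKcp`, `mutatingwebhook.PluginName` is commented out along with the upstream validating entry, but only the validating plugin gets a kcp replacement (`kcpvalidatingwebhook.PluginName`, added in the following hunk). As far as this hunk shows, mutating admission webhooks stop being enabled by default, which the commit subject does not mention. If that is intended, replace the two commented-out entries with a short comment giving the reason, since a cluster where mutating webhook configurations exist but the plugin is off will presumably not enforce them. If it is not intended, restore `mutatingwebhook.PluginName, // MutatingAdmissionWebhook`. The rest of the declaration and any other users of the `mutatingwebhook` import are outside the visible hunks.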
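Review bot: In the `Plugin` struct, the new embedded `*admission.Handler` sits between the existing two-line comment and the `validating.Plugin` field that comment describes, so the comment now reads as documentation for the handler. Move the new field above the comment and give it its own, for example `// Handler is this plugin's own operation filter, set in NewValidatingAdmissionWebhook.` Because `validating.Plugin` also carries a handler through its embedded webhook, it is worth stating in that comment which one `p.Handler` refers to. The struct continues outside this hunk.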
@@ -56,8 +57,9 @@ type Plugin struct { } func NewValidatingAdmissionWebhook(configfile io.Reader) (*Plugin, error) { - p := &Plugin{} + p := &Plugin{Plugin: validating.Plugin{Webhook: &generic.Webhook{}}} p.Handler = admission.NewHandler(admission.Connect, admission.Create, admission.Delete, admission.Update) + dispatcherFactory := validating.NewValidatingDispatcher(&p.Plugin) // Making our own dispatcher so that we can control the webhook accessors. @@ -85,7 +87,8 @@ func NewValidatingAdmissionWebhook(configfile io.Reader) (*Plugin, error) { cm.SetServiceResolver(webhookutil.NewDefaultServiceResolver()) p.dipatcher = dispatcherFactory(&cm) - + // Need to do this, to make sure that the underlying objects for the call to ShouldCallHook have the right values + p.Plugin.Webhook, err = generic.NewWebhook(p.Handler, configfile, configuration.NewValidatingWebhookConfigurationManager, dispatcherFactory) if err != nil { return nil, err } @@ -98,7 +101,8 @@ func NewValidatingAdmissionWebhook(configfile io.Reader) (*Plugin, error) { } return false }) - klog.Infof("HEREREER~!") + klog.V(0).Infof("HEREREER~!") + fmt.Printf("HERE!!!!") return p, nil } @@ -113,7 +117,6 @@ func (a *Plugin) Validate(ctx context.Context, attr admission.Attributes, o admi } func (p *Plugin) Dispatch(ctx context.Context, attr admission.Attributes, o admission.ObjectInterfaces) error { - klog.Infof("HEREREER~!") if rules.IsWebhookConfigurationResource(attr) { return nil } @@ -159,7 +162,7 @@ func (p *Plugin) getAPIBindingWorkspace(attr admission.Attributes, lc logicalclu func (p *Plugin) restrictToLogicalCluster(hooks []webhook.WebhookAccessor, lc logicalcluster.LogicalCluster) []webhook.WebhookAccessor { wh := []webhook.WebhookAccessor{} for _, hook := range hooks { - if hook.GetLogicalCluster() != lc { + if hook.GetLogicalCluster() == lc { wh = append(wh, hook) } } diff --git a/test/e2e/conformance/webhook_test.go b/test/e2e/conformance/webhook_test.go index 44ec2e27e556..0096b7225446 100644 
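Review bot: The added `generic.NewWebhook(p.Handler, configfile, ...)` call is handed the same `io.Reader` the constructor received. If the code above this hunk already reads `configfile` to build `cm` (not visible here), this second consumer gets an exhausted stream and parses an empty configuration. Reading the stream once and giving each consumer its own reader avoids that, e.g. `raw, err := io.ReadAll(configfile)` then `bytes.NewReader(raw)` at each use, keeping the existing behaviour for a nil `configfile`. The function body starts and ends outside this hunk, so the earlier read is an assumption to confirm.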
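Review bot: The constructor still ends with debug output: `klog.V(0).Infof("HEREREER~!")` and the newly added `fmt.Printf("HERE!!!!")` both run on every plugin construction. The `fmt.Printf` also writes to stdout, bypassing the logging pipeline. The same commit removes the equivalent line from `Dispatch`, so these look like leftovers. Drop both lines so the function ends at `return p, nil`.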
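Review bot: `restrictToLogicalCluster` acts as the isolation boundary for webhook dispatch, but nothing in the function documents or pins that. With the comparison now `hook.GetLogicalCluster() == lc`, a later edit that flips it back would again pass a request to hooks registered in other logical clusters. Add a doc comment such as `// restrictToLogicalCluster keeps only the hooks registered in lc; hooks from any other logical cluster must never be dispatched for this request.` A small unit test with accessors from two logical clusters would make a regression fail loudly, since the e2e hunk in this patch only removes debug output. The function's return is outside the hunk.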
--- a/test/e2e/conformance/webhook_test.go +++ b/test/e2e/conformance/webhook_test.go @@ -174,9 +174,6 @@ func TestWebhookInWorkspace(t *testing.T) { require.Eventually(t, func() bool { return testWebhook.Calls == 1 }, wait.ForeverTestTimeout, 100*time.Millisecond) - fmt.Printf("\nCALLS :%v", testWebhook.Calls) - t.Fail() - } type testWebhookServer struct {