Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat(webhook): add validation for namspace delete requests #1754

Merged
merged 3 commits into from
Sep 14, 2020
Merged

feat(webhook): add validation for namspace delete requests #1754

merged 3 commits into from
Sep 14, 2020

Conversation

shubham14bajpai
Copy link
Contributor

@shubham14bajpai shubham14bajpai commented Sep 14, 2020
edited
Loading

What this PR does?:

This PR adds validation on the deletion of openebs namespace
to avoid

  • loss of data in case of accidental deletion of
    namespace
  • stale resources with finalizers in openebs namespace which
    maybe stuck on namespace deletion.

Does this PR require any upgrade changes?:
Yes already handled in the PR itself. Tested 1.10 to latest upgrade: namespace gets added to validatingwebhookconfigurations automatically.

If the changes in this PR are manually verified, list down the scenarios covered::

Local test performed:

Both jiva and cstor volume exist

mayadata:setup$ kubectl get pvc
NAME                  STATUS   VOLUME                                     CAPACITY   ACCESS MODES   STORAGECLASS           AGE
demo-vol-claim-2      Bound    pvc-704959f7-1632-4ab8-96f0-4a4449306418   5Gi        RWO            jiva-1r                7m31s
testclaim-busybox-0   Bound    pvc-d30a84a9-e8f6-48b0-b463-9c1ced1ba159   2G         RWO            openebs-cstor-sparse   7m11s
mayadata:setup$ kubectl delete ns openebs
Error from server: admission webhook "admission-webhook.openebs.io" denied the request: either BDCs or services with the label openebs.io/controller-service=jiva-controller-svc exists in the namespace openebs.

Only cstor volume exists

mayadata:setup$ kubectl get pvc
NAME                  STATUS   VOLUME                                     CAPACITY   ACCESS MODES   STORAGECLASS           AGE
testclaim-busybox-0   Bound    pvc-d30a84a9-e8f6-48b0-b463-9c1ced1ba159   2G         RWO            openebs-cstor-sparse   8m18s
mayadata:setup$ kubectl delete ns openebs
Error from server: admission webhook "admission-webhook.openebs.io" denied the request: either BDCs or services with the label openebs.io/controller-service=jiva-controller-svc exists in the namespace openebs.

Only jiva volume exists

mayadata:setup$ kubectl get pvc
NAME               STATUS   VOLUME                                     CAPACITY   ACCESS MODES   STORAGECLASS   AGE
demo-vol-claim-2   Bound    pvc-e5cf0812-7a43-4ef9-9e27-f2d5b47f9991   5Gi        RWO            jiva-1r        12s
mayadata:setup$ kubectl delete ns openebs
Error from server: admission webhook "admission-webhook.openebs.io" denied the request: either BDCs or services with the label openebs.io/controller-service=jiva-controller-svc exists in the namespace openebs.

After deleting all volumes and pools

mayadata:setup$ kubectl delete ns openebs
namespace "openebs" deleted

Created a cstor & jiva volume in test namespace and deleted the namespace. The webhook did not impact the deletion and cleanup was successful.

mayadata:setup$ kubectl get pvc -n test
NAME                  STATUS   VOLUME                                     CAPACITY   ACCESS MODES   STORAGECLASS           AGE
testclaim-busybox-0   Bound    pvc-a5dfc230-c214-406d-8cce-34084b096fae   2G         RWO            openebs-cstor-sparse   3m36s
demo-vol-claim-2      Bound    pvc-f05675e0-f712-4b60-bb88-b4b42004bcf9   5Gi        RWO            jiva-1r        50s
mayadata:setup$ kubectl delete ns test
namespace "test" deleted

TODO
Add unit test for the added webhook validation.

Checklist:

  • Fixes #
  • PR Title follows the convention of <type>(<scope>): <subject>
  • Has the change log section been updated?
  • Commit has unit tests
  • Commit has integration tests
  • (Optional) Are upgrade changes included in this PR? If not, mention the issue/PR to track:
  • (Optional) If documentation changes are required, which issue on https://github.com/openebs/openebs-docs is used to track them:

@shubham14bajpai
feat(webhook): add validation for namspace delete requests
37b9c4c 
  This PR adds validation on deletion of openebs namespace
  to avoid
  - loss of data in case of accidental deletion of
    namespace
  - stale resources with finalizers in openebs namespace which
    may be stuck on namespace deletion.

Signed-off-by: shubham <[email protected]>
kmova
kmova reviewed Sep 14, 2020
View reviewed changes
pkg/webhook/webhook.go Outdated
if req.Operation == v1beta1.Delete {
return wh.validateNamespaceDeleteRequest(req)
}
klog.V(2).Info("Admission wehbook for PVC module not " +
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you also check that this rule only applies to openebs namespace? Other namespace requests shouldn't get impacted by this.

Add a test to verify that when BDCs are present, a test namespace can be created and deleted without any issues.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fixed the log message and added the manual test result to the PR description.

mittachaitu
mittachaitu reviewed Sep 14, 2020
View reviewed changes
Copy link

@mittachaitu mittachaitu left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

changes are good but provided few comments...

pkg/webhook/webhook.go Outdated Show resolved Hide resolved
pkg/webhook/webhook.go Outdated Show resolved Hide resolved
mittachaitu
mittachaitu approved these changes Sep 14, 2020
View reviewed changes
Copy link

@mittachaitu mittachaitu left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

changes are good

@kmova kmova merged commit 1bc54a4 into openebs-archive:master Sep 14, 2020
shubham14bajpai added a commit to shubham14bajpai/maya that referenced this pull request Sep 14, 2020
@shubham14bajpai
feat(webhook): add validation for namspace delete requests (openebs-a…
93923cd 
…rchive#1754)

  This PR adds validation on deletion of openebs namespace
  to avoid
  - loss of data in case of accidental deletion of
    namespace
  - stale resources with finalizers in openebs namespace which
    may be stuck on namespace deletion.

Signed-off-by: shubham <[email protected]>
shubham14bajpai added a commit to shubham14bajpai/maya that referenced this pull request Sep 14, 2020
@shubham14bajpai
feat(webhook): add validation for namspace delete requests (openebs-a…
ba99eb9 
…rchive#1754)

  This PR adds validation on deletion of openebs namespace
  to avoid
  - loss of data in case of accidental deletion of
    namespace
  - stale resources with finalizers in openebs namespace which
    may be stuck on namespace deletion.

Signed-off-by: shubham <[email protected]>
shubham14bajpai added a commit to shubham14bajpai/maya that referenced this pull request Sep 14, 2020
@shubham14bajpai
feat(webhook): add validation for namspace delete requests (openebs-a…
1c64f65 
…rchive#1754)

  This PR adds validation on deletion of openebs namespace
  to avoid
  - loss of data in case of accidental deletion of
    namespace
  - stale resources with finalizers in openebs namespace which
    may be stuck on namespace deletion.

Signed-off-by: shubham <[email protected]>
This was referenced Sep 14, 2020
Merged
Merged
Merged
kmova pushed a commit that referenced this pull request Sep 14, 2020
@shubham14bajpai @kmova
feat(webhook): add validation for namspace delete requests (#1754)
7375c73 
  This PR adds validation on deletion of openebs namespace
  to avoid
  - loss of data in case of accidental deletion of
    namespace
  - stale resources with finalizers in openebs namespace which
    may be stuck on namespace deletion.

Signed-off-by: shubham <[email protected]>
kmova pushed a commit that referenced this pull request Sep 14, 2020
@shubham14bajpai @kmova
feat(webhook): add validation for namspace delete requests (#1754)
37dc7ec 
  This PR adds validation on deletion of openebs namespace
  to avoid
  - loss of data in case of accidental deletion of
    namespace
  - stale resources with finalizers in openebs namespace which
    may be stuck on namespace deletion.

Signed-off-by: shubham <[email protected]>
kmova pushed a commit that referenced this pull request Sep 14, 2020
@shubham14bajpai @kmova
feat(webhook): add validation for namspace delete requests (#1754)
f2d1029 
  This PR adds validation on deletion of openebs namespace
  to avoid
  - loss of data in case of accidental deletion of
    namespace
  - stale resources with finalizers in openebs namespace which
    may be stuck on namespace deletion.

Signed-off-by: shubham <[email protected]>
@shubham14bajpai shubham14bajpai deleted the ns branch October 12, 2020 05:46
prateekpandey14
prateekpandey14 reviewed Oct 22, 2020
View reviewed changes
pkg/webhook/webhook.go
if err != nil {
response.Allowed = false
response.Result = &metav1.Status{
Message: fmt.Sprintf("error listing BDC in namespace %s: %v", req.Name, err.Error()),
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Failure is here in case of helm chart deletion

prateekpandey14
prateekpandey14 reviewed Oct 22, 2020
View reviewed changes
pkg/webhook/webhook.go
@@ -421,6 +426,9 @@ func (wh *webhook) validate(ar *v1beta1.AdmissionReview) *v1beta1.AdmissionRespo
response.Allowed = true
klog.Info("Admission webhook request received")
switch req.Kind.Kind {
case "Namespace":
klog.V(2).Infof("Admission webhook request for type %s", req.Kind.Kind)
return wh.validateNamespace(ar)
Copy link
Contributor

@prateekpandey14 prateekpandey14 Oct 22, 2020
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this validate kicks in for any namespace deletion , can we use the webhook namespace itself to get the openebs namespace and skip for other namespace validations

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@prateekpandey14 prateekpandey14 prateekpandey14 left review comments

@mittachaitu mittachaitu mittachaitu approved these changes

@kmova kmova kmova approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@shubham14bajpai @prateekpandey14 @kmova @mittachaitu