Issue 7, 156: Admission webhook #159
Signed-off-by: wenqi <[email protected]>
f964c88 to 7e888a2
@Tristan1900 you did great work with the admission webhook! I've added a few comments through the code :)
Signed-off-by: Adrián Moreno <[email protected]>
Thanks @adrianmo for the comments and changes! Could you please review it again? Thanks!
40d4ddf to 8dd56fa
@Tristan1900 thanks for updating the PR and addressing my comment. It looks good, but I'm worried about one thing. We have lost the ability to run the operator locally, which has been very useful for testing out changes during development. Have you investigated whether there is a way to re-enable it? If we can't find a way and the webhook server is causing issues, it'd be OK from my side to explicitly disable the webhook when running the operator locally. What do you think?
…a-operator into admission-webhook
@adrianmo Thanks for pointing that out! It makes sense to disable webhook when using
Change log description
What the code does
There are two concepts here: the admission webhook server and the admission webhook. The admission webhook server is like an HTTP server that serves the incoming requests. The admission webhook implements the application logic and registers itself with the webhook server. There are two kinds of admission webhook, `mutating admission webhook` and `validating admission Webhook`; right now we only use the `mutating admission Webhook`. The admission webhook server starts in the Operator pod with a fronting k8s `service`. When requests come into k8s, the apiserver will route the request to that `service`, and the backend admission webhook server will get that request and call the admission webhook for processing. The admission webhook server listens on port 443. To bind port 443, we need to grant permission to the Operator process using `setcap CAP_NET_BIND_SERVICE=+eip`.
There is a supported version list in our webhook. Any request with an invalid Pravega version will be rejected. For example, `0.6.0` is an invalid Pravega version because there is no such released version yet. There is also a supported upgrade path in our webhook; it will reject the request if the upgrade is not supported. For example, a rolling upgrade from `0.3.0` to `0.4.0` is not supported. However, any upgrade to a patch version is supported, such as `0.4.0` to `0.4.1`.
Purpose of the change
How to test the change
Tests should pass
Signed-off-by: wenqi [email protected]
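The version and upgrade-path checks from the description above, as an added Go example; it is not code from this PR or from the operator. The `supported` and `upgradePath` tables, the function names, and the rejection of downgrades and malformed strings are assumptions; only the `0.6.0`, `0.3.0` to `0.4.0`, and `0.4.0` to `0.4.1` outcomes come from the description.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Constructed sample tables, not the operator's real lists.
var supported = map[string]bool{"0.3.0": true, "0.3.1": true, "0.4.0": true, "0.4.1": true, "0.5.0": true}
var upgradePath = map[string]bool{"0.4->0.5": true} // allowed minor-to-minor moves

// parse returns the "major.minor" key and numeric patch of a strict X.Y.Z string.
func parse(v string) (minor string, patch uint64, err error) {
	p := strings.Split(v, ".")
	if len(p) != 3 {
		return "", 0, fmt.Errorf("malformed version %q", v)
	}
	for _, s := range p { // after the loop, patch holds the last component
		if patch, err = strconv.ParseUint(s, 10, 16); err != nil {
			return "", 0, fmt.Errorf("malformed version %q", v)
		}
	}
	return p[0] + "." + p[1], patch, nil
}

// ValidateVersion returns nil when the request may be admitted; current is ""
// on create. Anything not explicitly allowed is rejected (deny by default).
func ValidateVersion(current, requested string) error {
	reqMinor, reqPatch, err := parse(requested)
	if err != nil || !supported[requested] {
		return fmt.Errorf("unsupported version %q", requested)
	}
	if current == "" || current == requested {
		return nil // create, or no version change
	}
	curMinor, curPatch, err := parse(current)
	if err != nil {
		return err
	}
	// Patch upgrade within one minor release, or an explicitly listed path.
	if (curMinor == reqMinor && reqPatch > curPatch) || upgradePath[curMinor+"->"+reqMinor] {
		return nil
	}
	return fmt.Errorf("unsupported upgrade from %s to %s", current, requested)
}

func main() {
	fmt.Println(ValidateVersion("0.3.0", "0.4.0"))
}
```

A mutating webhook handler would call a check like this on the old and new object versions and deny the admission request when it returns an error.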