Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

change admission review to v1 #139

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

change admission review to v1 #139

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 3 additions & 0 deletions deploy/webhook/clusterrole.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -11,3 +11,6 @@ rules:
- apiGroups: ["authorization.k8s.io"]
resources: ["subjectaccessreviews"]
verbs: ["create"]
- apiGroups: ["flowcontrol.apiserver.k8s.io"]
resources: ["prioritylevelconfigurations", "flowschemas"]
verbs: ["get", "list", "watch"]
6 changes: 3 additions & 3 deletions deploy/webhook/webhook.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -21,7 +21,7 @@ webhooks:
- "*"
resources:
- managedclusters
admissionReviewVersions: ["v1beta1"]
admissionReviewVersions: ["v1"]
sideEffects: None
timeoutSeconds: 3

Expand Down Expand Up @@ -50,7 +50,7 @@ webhooks:
- "*"
resources:
- managedclusters
admissionReviewVersions: ["v1beta1"]
admissionReviewVersions: ["v1"]
sideEffects: None
timeoutSeconds: 3

Expand Down Expand Up @@ -79,6 +79,6 @@ webhooks:
- "*"
resources:
- managedclustersetbindings
admissionReviewVersions: ["v1beta1"]
admissionReviewVersions: ["v1"]
sideEffects: None
timeoutSeconds: 3
2 changes: 1 addition & 1 deletion go.mod
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -11,7 +11,7 @@ require (
github.com/open-cluster-management/api v0.0.0-20210409125704-06f2aec1a73f
github.com/openshift/api v0.0.0-20210331193751-3acddb19d360
github.com/openshift/build-machinery-go v0.0.0-20210209125900-0da259a2c359
github.com/openshift/generic-admission-server v1.14.1-0.20200903115324-4ddcdd976480
github.com/openshift/generic-admission-server v1.14.1-0.20210422140326-da96454c926d
github.com/openshift/library-go v0.0.0-20210407140145-f831e911c638
github.com/spf13/cobra v1.1.1
github.com/spf13/pflag v1.0.5
Expand Down
8 changes: 6 additions & 2 deletions go.sum
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -436,8 +436,8 @@ github.com/openshift/build-machinery-go v0.0.0-20210115170933-e575b44a7a94/go.mo
github.com/openshift/build-machinery-go v0.0.0-20210209125900-0da259a2c359 h1:ehSDsWQiUVzJZrSEXMC7ceV9JIPEyTYqrpqu3m4Wa08=
github.com/openshift/build-machinery-go v0.0.0-20210209125900-0da259a2c359/go.mod h1:b1BuldmJlbA/xYtdZvKi+7j5YGB44qJUJDZ9zwiNCfE=
github.com/openshift/client-go v0.0.0-20210331195552-cf6c2669e01f/go.mod h1:hHaRJ6vp2MRd/CpuZ1oJkqnMGy5eEnoAkQmKPZKcUPI=
github.com/openshift/generic-admission-server v1.14.1-0.20200903115324-4ddcdd976480 h1:y47BAJFepK8Xls1c+quIOyc46OXiT9LRiqGVjIaMlSA=
github.com/openshift/generic-admission-server v1.14.1-0.20200903115324-4ddcdd976480/go.mod h1:OAHL5WnZphlhVEf5fTdeGLvNwMu1B2zCWpmxJpCA35o=
github.com/openshift/generic-admission-server v1.14.1-0.20210422140326-da96454c926d h1:Z5xcujYaukvRqLWxBiIRn6KdM5Pd1De01fmfD1Rr4dk=
github.com/openshift/generic-admission-server v1.14.1-0.20210422140326-da96454c926d/go.mod h1:m+wYlVQdnPe8JGqoKVpCYnFRIVraqC1SrUowQXh6XlA=
github.com/openshift/library-go v0.0.0-20210407140145-f831e911c638 h1:JVMywK3dwzPAwpTCWIHn2Emx5L11I+0OR15CZXHI4do=
github.com/openshift/library-go v0.0.0-20210407140145-f831e911c638/go.mod h1:pnz961veImKsbn7pQcuFbcVpCQosYiC1fUOjzEDeOLU=
github.com/pascaldekloe/goe v0.0.0-20180627143212-57f6aae5913c/go.mod h1:lzWF7FIEvWOWxwDKqyGYQf6ZUaNfKdP144TG7ZOy1lc=
Expand Down Expand Up @@ -919,6 +919,7 @@ honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9
k8s.io/api v0.17.0/go.mod h1:npsyOePkeP0CPwyGfXDHxvypiYMJxBWAMpQxCaJ4ZxI=
k8s.io/api v0.18.0-beta.2/go.mod h1:2oeNnWEqcSmaM/ibSh3t7xcIqbkGXhzZdn4ezV9T4m0=
k8s.io/api v0.19.0/go.mod h1:I1K45XlvTrDjmj5LoM5LuP/KYrhWbjUKT/SoPG0qTjw=
k8s.io/api v0.19.5/go.mod h1:yGZReuNa0vj56op6eT+NLrXJne0R0u9ktexZ8jdJzpc=
k8s.io/api v0.20.0 h1:WwrYoZNM1W1aQEbyl8HNG+oWGzLpZQBlcerS9BQw9yI=
k8s.io/api v0.20.0/go.mod h1:HyLC5l5eoS/ygQYl1BXBgFzWNlkHiAuyNAbevIn+FKg=
k8s.io/api v0.21.0-rc.0 h1:t/kW96KdNJNamYNqxaxRirahK+FaWJQ6BJPbXm5Jb+o=
Expand All @@ -932,6 +933,7 @@ k8s.io/apiextensions-apiserver v0.21.0-rc.0/go.mod h1:ItIoMBJU1gy93Qwr/B2699r4b0
k8s.io/apimachinery v0.17.0/go.mod h1:b9qmWdKlLuU9EBh+06BtLcSf/Mu89rWL33naRxs1uZg=
k8s.io/apimachinery v0.18.0-beta.2/go.mod h1:9SnR/e11v5IbyPCGbvJViimtJ0SwHG4nfZFjU77ftcA=
k8s.io/apimachinery v0.19.0/go.mod h1:DnPGDnARWFvYa3pMHgSxtbZb7gpzzAZ1pTfaUNDVlmA=
k8s.io/apimachinery v0.19.5/go.mod h1:6sRbGRAVY5DOCuZwB5XkqguBqpqLU6q/kOaOdk29z6Q=
k8s.io/apimachinery v0.20.0 h1:jjzbTJRXk0unNS71L7h3lxGDH/2HPxMPaQY+MjECKL8=
k8s.io/apimachinery v0.20.0/go.mod h1:WlLqWAHZGg07AeltaI0MV5uk1Omp8xaN0JGLY6gkRpU=
k8s.io/apimachinery v0.21.0-rc.0 h1:m9dyzHb8QZAHOZKIz2SiabSif1oLsfgrnwiago/9xJA=
Expand All @@ -944,6 +946,7 @@ k8s.io/apiserver v0.21.0-rc.0/go.mod h1:QlW7+1CZTZtAcKvJ34/n4DIb8sC93FeQpkd1KSU+
k8s.io/client-go v0.17.0/go.mod h1:TYgR6EUHs6k45hb6KWjVD6jFZvJV4gHDikv/It0xz+k=
k8s.io/client-go v0.18.0-beta.2/go.mod h1:UvuVxHjKWIcgy0iMvF+bwNDW7l0mskTNOaOW1Qv5BMA=
k8s.io/client-go v0.19.0/go.mod h1:H9E/VT95blcFQnlyShFgnFT9ZnJOAceiUHM3MlRC+mU=
k8s.io/client-go v0.19.5/go.mod h1:BSG3iuxI40Bs0nNDLS1JRa/7ReBQDHzf0x8nZZrK0fo=
k8s.io/client-go v0.20.0 h1:Xlax8PKbZsjX4gFvNtt4F5MoJ1V5prDvCuoq9B7iax0=
k8s.io/client-go v0.20.0/go.mod h1:4KWh/g+Ocd8KkCwKF8vUNnmqgv+EVnQDK4MBF4oB5tY=
k8s.io/client-go v0.21.0-rc.0 h1:lsPZHT1ZniXJcwg2udlaTOhAT8wf7BE0rn9Vj0+LWMA=
Expand All @@ -956,6 +959,7 @@ k8s.io/code-generator v0.21.0-rc.0/go.mod h1:hUlps5+9QaTrKx+jiM4rmq7YmH8wPOIko64
k8s.io/component-base v0.17.0/go.mod h1:rKuRAokNMY2nn2A6LP/MiwpoaMRHpfRnrPaUJJj1Yoc=
k8s.io/component-base v0.18.0-beta.2/go.mod h1:HVk5FpRnyzQ/MjBr9//e/yEBjTVa2qjGXCTuUzcD7ks=
k8s.io/component-base v0.19.0/go.mod h1:dKsY8BxkA+9dZIAh2aWJLL/UdASFDNtGYTCItL4LM7Y=
k8s.io/component-base v0.19.5/go.mod h1:5N/uv5A7fyr0d+t/b1HynXKkUVPEhc8ljkMaBJv4Tp8=
k8s.io/component-base v0.21.0-rc.0 h1:8YgFPDsIhRx7zCOxikZn77nYRnwxrc9aMiuQDJtK1+g=
k8s.io/component-base v0.21.0-rc.0/go.mod h1:XlP0bM7QJFWRGZYPc5NmphkvsYQ+o7804HWH3GTGjDY=
k8s.io/gengo v0.0.0-20190128074634-0689ccc1d7d6/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0=
Expand Down
10 changes: 5 additions & 5 deletions pkg/webhook/cluster/mutating_webhook.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -6,7 +6,7 @@ import (

clusterv1 "github.com/open-cluster-management/api/cluster/v1"

admissionv1beta1 "k8s.io/api/admission/v1beta1"
admissionv1 "k8s.io/api/admission/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/runtime/schema"
"k8s.io/client-go/rest"
Expand All @@ -30,10 +30,10 @@ func (a *ManagedClusterMutatingAdmissionHook) MutatingResource() (schema.GroupVe
}

// Admit is called by generic-admission-server when the registered REST resource above is called with an admission request.
func (a *ManagedClusterMutatingAdmissionHook) Admit(req *admissionv1beta1.AdmissionRequest) *admissionv1beta1.AdmissionResponse {
func (a *ManagedClusterMutatingAdmissionHook) Admit(req *admissionv1.AdmissionRequest) *admissionv1.AdmissionResponse {
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think you want to have this release of your admission webhook handle both v1beta1 admissionreview and v1 admissionreview. Allowing both will allow you to update the webhook server first and the admission registration second. Probably in two different releases.

  1. release current - registration v1beta1 review, server v1beta1 review
  2. current +1 - registration v1beta1 review, server v1 and v1beta1 review
  3. current +2 - registration v1 review, server v1 and v1beta1 review
  4. current +3 - registration v1 review, server v1 review

klog.V(4).Infof("mutate %q operation for object %q", req.Operation, req.Object)

status := &admissionv1beta1.AdmissionResponse{
status := &admissionv1.AdmissionResponse{
Allowed: true,
}

Expand All @@ -44,7 +44,7 @@ func (a *ManagedClusterMutatingAdmissionHook) Admit(req *admissionv1beta1.Admiss
}

// only mutate create and update operation
if req.Operation != admissionv1beta1.Create && req.Operation != admissionv1beta1.Update {
if req.Operation != admissionv1.Create && req.Operation != admissionv1.Update {
return status
}

Expand All @@ -61,7 +61,7 @@ func (a *ManagedClusterMutatingAdmissionHook) Admit(req *admissionv1beta1.Admiss
// If LeaseDurationSeconds value is zero, update it to 60 by default
if managedCluster.Spec.LeaseDurationSeconds == 0 {
status.Patch = []byte(defaultLeaseDurationSecondsPatch)
pt := admissionv1beta1.PatchTypeJSONPatch
pt := admissionv1.PatchTypeJSONPatch
status.PatchType = &pt
}

Expand Down
30 changes: 15 additions & 15 deletions pkg/webhook/cluster/mutating_webhook_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -6,63 +6,63 @@ import (
"testing"

testinghelpers "github.com/open-cluster-management/registration/pkg/helpers/testing"
admissionv1beta1 "k8s.io/api/admission/v1beta1"
admissionv1 "k8s.io/api/admission/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/runtime"
)

func TestManagedClusterMutate(t *testing.T) {
pt := admissionv1beta1.PatchTypeJSONPatch
pt := admissionv1.PatchTypeJSONPatch
cases := []struct {
name string
request *admissionv1beta1.AdmissionRequest
expectedResponse *admissionv1beta1.AdmissionResponse
request *admissionv1.AdmissionRequest
expectedResponse *admissionv1.AdmissionResponse
allowUpdateAcceptField bool
}{
{
name: "mutate non-managedclusters request",
request: &admissionv1beta1.AdmissionRequest{
request: &admissionv1.AdmissionRequest{
Resource: metav1.GroupVersionResource{
Group: "test.open-cluster-management.io",
Version: "v1",
Resource: "tests",
},
},
expectedResponse: &admissionv1beta1.AdmissionResponse{
expectedResponse: &admissionv1.AdmissionResponse{
Allowed: true,
},
},
{
name: "mutate deleting operation",
request: &admissionv1beta1.AdmissionRequest{
request: &admissionv1.AdmissionRequest{
Resource: managedclustersSchema,
Operation: admissionv1beta1.Delete,
Operation: admissionv1.Delete,
},
expectedResponse: &admissionv1beta1.AdmissionResponse{
expectedResponse: &admissionv1.AdmissionResponse{
Allowed: true,
},
},
{
name: "mutate a ManagedCluster without LeaseDurationSeconds setting",
request: &admissionv1beta1.AdmissionRequest{
request: &admissionv1.AdmissionRequest{
Resource: managedclustersSchema,
Operation: admissionv1beta1.Create,
Operation: admissionv1.Create,
Object: newManagedClusterObj(),
},
expectedResponse: &admissionv1beta1.AdmissionResponse{
expectedResponse: &admissionv1.AdmissionResponse{
Allowed: true,
Patch: []byte(`[{"op": "replace", "path": "/spec/leaseDurationSeconds", "value": 60}]`),
PatchType: &pt,
},
},
{
name: "mutate a ManagedCluster with LeaseDurationSeconds setting",
request: &admissionv1beta1.AdmissionRequest{
request: &admissionv1.AdmissionRequest{
Resource: managedclustersSchema,
Operation: admissionv1beta1.Create,
Operation: admissionv1.Create,
Object: newManagedClusterObjWithLeaseDurationSeconds(60),
},
expectedResponse: &admissionv1beta1.AdmissionResponse{
expectedResponse: &admissionv1.AdmissionResponse{
Allowed: true,
},
},
Expand Down
32 changes: 16 additions & 16 deletions pkg/webhook/cluster/validating_webhook.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -11,7 +11,7 @@ import (

operatorhelpers "github.com/openshift/library-go/pkg/operator/v1helpers"

admissionv1beta1 "k8s.io/api/admission/v1beta1"
admissionv1 "k8s.io/api/admission/v1"
authenticationv1 "k8s.io/api/authentication/v1"
authorizationv1 "k8s.io/api/authorization/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
Expand Down Expand Up @@ -43,10 +43,10 @@ func (a *ManagedClusterValidatingAdmissionHook) ValidatingResource() (plural sch
}

// Validate is called by generic-admission-server when the registered REST resource above is called with an admission request.
func (a *ManagedClusterValidatingAdmissionHook) Validate(admissionSpec *admissionv1beta1.AdmissionRequest) *admissionv1beta1.AdmissionResponse {
func (a *ManagedClusterValidatingAdmissionHook) Validate(admissionSpec *admissionv1.AdmissionRequest) *admissionv1.AdmissionResponse {
klog.V(4).Infof("validate %q operation for object %q", admissionSpec.Operation, admissionSpec.Object)

status := &admissionv1beta1.AdmissionResponse{}
status := &admissionv1.AdmissionResponse{}

// only validate the request for managedcluster
if admissionSpec.Resource.Group != "cluster.open-cluster-management.io" ||
Expand All @@ -56,9 +56,9 @@ func (a *ManagedClusterValidatingAdmissionHook) Validate(admissionSpec *admissio
}

switch admissionSpec.Operation {
case admissionv1beta1.Create:
case admissionv1.Create:
return a.validateCreateRequest(admissionSpec)
case admissionv1beta1.Update:
case admissionv1.Update:
return a.validateUpdateRequest(admissionSpec)
default:
status.Allowed = true
Expand All @@ -74,8 +74,8 @@ func (a *ManagedClusterValidatingAdmissionHook) Initialize(kubeClientConfig *res
}

// validateCreateRequest validates create managed cluster operation
func (a *ManagedClusterValidatingAdmissionHook) validateCreateRequest(request *admissionv1beta1.AdmissionRequest) *admissionv1beta1.AdmissionResponse {
status := &admissionv1beta1.AdmissionResponse{}
func (a *ManagedClusterValidatingAdmissionHook) validateCreateRequest(request *admissionv1.AdmissionRequest) *admissionv1.AdmissionResponse {
status := &admissionv1.AdmissionResponse{}

// validate ManagedCluster object firstly
managedCluster, err := a.validateManagedClusterObj(request.Object)
Expand Down Expand Up @@ -106,8 +106,8 @@ func (a *ManagedClusterValidatingAdmissionHook) validateCreateRequest(request *a
}

// validateUpdateRequest validates update managed cluster operation.
func (a *ManagedClusterValidatingAdmissionHook) validateUpdateRequest(request *admissionv1beta1.AdmissionRequest) *admissionv1beta1.AdmissionResponse {
status := &admissionv1beta1.AdmissionResponse{}
func (a *ManagedClusterValidatingAdmissionHook) validateUpdateRequest(request *admissionv1.AdmissionRequest) *admissionv1.AdmissionResponse {
status := &admissionv1.AdmissionResponse{}

oldManagedCluster := &clusterv1.ManagedCluster{}
if err := json.Unmarshal(request.OldObject.Raw, oldManagedCluster); err != nil {
Expand Down Expand Up @@ -176,8 +176,8 @@ func (a *ManagedClusterValidatingAdmissionHook) validateManagedClusterObj(reques

// allowUpdateHubAcceptsClientField using SubjectAccessReview API to check whether a request user has been authorized to update
// HubAcceptsClient field
func (a *ManagedClusterValidatingAdmissionHook) allowUpdateAcceptField(clusterName string, userInfo authenticationv1.UserInfo) *admissionv1beta1.AdmissionResponse {
status := &admissionv1beta1.AdmissionResponse{}
func (a *ManagedClusterValidatingAdmissionHook) allowUpdateAcceptField(clusterName string, userInfo authenticationv1.UserInfo) *admissionv1.AdmissionResponse {
status := &admissionv1.AdmissionResponse{}

extra := make(map[string]authorizationv1.ExtraValue)
for k, v := range userInfo.Extra {
Expand Down Expand Up @@ -223,9 +223,9 @@ func (a *ManagedClusterValidatingAdmissionHook) allowUpdateAcceptField(clusterNa
}

// allowSetClusterSetLabel checks whether a request user has been authorized to set clusterset label
func (a *ManagedClusterValidatingAdmissionHook) allowSetClusterSetLabel(userInfo authenticationv1.UserInfo, originalClusterSet, newClusterSet string) *admissionv1beta1.AdmissionResponse {
func (a *ManagedClusterValidatingAdmissionHook) allowSetClusterSetLabel(userInfo authenticationv1.UserInfo, originalClusterSet, newClusterSet string) *admissionv1.AdmissionResponse {
if originalClusterSet == newClusterSet {
return &admissionv1beta1.AdmissionResponse{Allowed: true}
return &admissionv1.AdmissionResponse{Allowed: true}
}

if len(originalClusterSet) > 0 {
Expand All @@ -240,15 +240,15 @@ func (a *ManagedClusterValidatingAdmissionHook) allowSetClusterSetLabel(userInfo
}
}

return &admissionv1beta1.AdmissionResponse{
return &admissionv1.AdmissionResponse{
Allowed: true,
}
}

// allowUpdateClusterSet checks whether a request user has been authorized to add/remove a ManagedCluster
// to/from the ManagedClusterSet
func (a *ManagedClusterValidatingAdmissionHook) allowUpdateClusterSet(userInfo authenticationv1.UserInfo, clusterSetName string) *admissionv1beta1.AdmissionResponse {
status := &admissionv1beta1.AdmissionResponse{}
func (a *ManagedClusterValidatingAdmissionHook) allowUpdateClusterSet(userInfo authenticationv1.UserInfo, clusterSetName string) *admissionv1.AdmissionResponse {
status := &admissionv1.AdmissionResponse{}

extra := make(map[string]authorizationv1.ExtraValue)
for k, v := range userInfo.Extra {
Expand Down
Loading