Update admissionreview to v1

openshift · Apr 19, 2021 · e4ebc43 · e4ebc43
1 parent c9c7866
commit e4ebc43
Show file tree

Hide file tree

Showing 3 changed files with 67 additions and 17 deletions.
diff --git a/pkg/apiserver/apiserver.go b/pkg/apiserver/apiserver.go
@@ -4,6 +4,7 @@ import (
 	"fmt"
 	"strings"
 
+	admissionv1 "k8s.io/api/admission/v1"
 	admissionv1beta1 "k8s.io/api/admission/v1beta1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
@@ -34,26 +35,51 @@ type ValidatingAdmissionHook interface {
 	// MutatingAdmissionHook as well, the two resources for validating and mutating admission must be different.
 	// Note: this is (usually) not the same as the payload resource!
 	ValidatingResource() (plural schema.GroupVersionResource, singular string)
+}
+
+type ValidatingAdmissionHookV1Alpha1 interface {
+	ValidatingAdmissionHook
 
 	// Validate is called to decide whether to accept the admission request. The returned AdmissionResponse
 	// must not use the Patch field.
 	Validate(admissionSpec *admissionv1beta1.AdmissionRequest) *admissionv1beta1.AdmissionResponse
 }
 
+type ValidatingAdmissionHookV1 interface {
+	ValidatingAdmissionHook
+
+	// Validate is called to decide whether to accept the v1 admission request. The returned AdmissionResponse
+	// must not use the Patch field.
+	ValidateV1(admissionSpec *admissionv1.AdmissionRequest) *admissionv1.AdmissionResponse
+}
+
 type MutatingAdmissionHook interface {
 	AdmissionHook
 
 	// MutatingResource is the resource to use for hosting your admission webhook. If the hook implements
 	// ValidatingAdmissionHook as well, the two resources for validating and mutating admission must be different.
 	// Note: this is (usually) not the same as the payload resource!
 	MutatingResource() (plural schema.GroupVersionResource, singular string)
+}
+
+type MutatingAdmissionHookV1Alpha1 interface {
+	MutatingAdmissionHook
 
 	// Admit is called to decide whether to accept the admission request. The returned AdmissionResponse may
 	// use the Patch field to mutate the object from the passed AdmissionRequest.
 	Admit(admissionSpec *admissionv1beta1.AdmissionRequest) *admissionv1beta1.AdmissionResponse
 }
 
+type MutatingAdmissionHookV1 interface {
+	MutatingAdmissionHook
+
+	// Admit is called to decide whether to accept the v1 admission request. The returned AdmissionResponse may
+	// use the Patch field to mutate the object from the passed AdmissionRequest.
+	AdmitV1(admissionSpec *admissionv1.AdmissionRequest) *admissionv1.AdmissionResponse
+}
+
 func init() {
+	admissionv1.AddToScheme(Scheme)
 	admissionv1beta1.AddToScheme(Scheme)
 
 	// we need to add the options to empty v1
@@ -220,7 +246,7 @@ func admissionHooksByGroupThenVersion(admissionHooks ...AdmissionHook) map[strin
 				group = map[string][]admissionHookWrapper{}
 				ret[gvr.Group] = group
 			}
-			group[gvr.Version] = append(group[gvr.Version], mutatingAdmissionHookWrapper{mutatingHook})
+			group[gvr.Version] = append(group[gvr.Version], mutatingAdmissionHookWrapper{hook: mutatingHook})
 		}
 		if validatingHook, ok := admissionHooks[i].(ValidatingAdmissionHook); ok {
 			gvr, _ := validatingHook.ValidatingResource()
@@ -229,7 +255,7 @@ func admissionHooksByGroupThenVersion(admissionHooks ...AdmissionHook) map[strin
 				group = map[string][]admissionHookWrapper{}
 				ret[gvr.Group] = group
 			}
-			group[gvr.Version] = append(group[gvr.Version], validatingAdmissionHookWrapper{validatingHook})
+			group[gvr.Version] = append(group[gvr.Version], validatingAdmissionHookWrapper{hook: validatingHook})
 		}
 	}
 
@@ -239,7 +265,7 @@ func admissionHooksByGroupThenVersion(admissionHooks ...AdmissionHook) map[strin
 // admissionHookWrapper wraps either a validating or mutating admission hooks, calling the respective resource and admission method.
 type admissionHookWrapper interface {
 	Resource() (plural schema.GroupVersionResource, singular string)
-	Admission(admissionSpec *admissionv1beta1.AdmissionRequest) *admissionv1beta1.AdmissionResponse
+	Admission(obj runtime.Object) runtime.Object
 }
 
 type mutatingAdmissionHookWrapper struct {
@@ -250,8 +276,21 @@ func (h mutatingAdmissionHookWrapper) Resource() (plural schema.GroupVersionReso
 	return h.hook.MutatingResource()
 }
 
-func (h mutatingAdmissionHookWrapper) Admission(admissionSpec *admissionv1beta1.AdmissionRequest) *admissionv1beta1.AdmissionResponse {
-	return h.hook.Admit(admissionSpec)
+func (h mutatingAdmissionHookWrapper) Admission(obj runtime.Object) runtime.Object {
+	switch t := obj.(type) {
+	case *admissionv1beta1.AdmissionReview:
+		if hook, ok := h.hook.(MutatingAdmissionHookV1Alpha1); ok {
+			t.Response = hook.Admit(t.Request)
+			return t
+		}
+	case *admissionv1.AdmissionReview:
+		if hook, ok := h.hook.(MutatingAdmissionHookV1); ok {
+			t.Response = hook.AdmitV1(t.Request)
+			return t
+		}
+	}
+
+	return obj
 }
 
 type validatingAdmissionHookWrapper struct {
@@ -262,6 +301,19 @@ func (h validatingAdmissionHookWrapper) Resource() (plural schema.GroupVersionRe
 	return h.hook.ValidatingResource()
 }
 
-func (h validatingAdmissionHookWrapper) Admission(admissionSpec *admissionv1beta1.AdmissionRequest) *admissionv1beta1.AdmissionResponse {
-	return h.hook.Validate(admissionSpec)
+func (h validatingAdmissionHookWrapper) Admission(obj runtime.Object) runtime.Object {
+	switch t := obj.(type) {
+	case *admissionv1beta1.AdmissionReview:
+		if hook, ok := h.hook.(ValidatingAdmissionHookV1Alpha1); ok {
+			t.Response = hook.Validate(t.Request)
+			return t
+		}
+	case *admissionv1.AdmissionReview:
+		if hook, ok := h.hook.(ValidatingAdmissionHookV1); ok {
+			t.Response = hook.ValidateV1(t.Request)
+			return t
+		}
+	}
+
+	return obj
 }
diff --git a/pkg/cmd/server/start.go b/pkg/cmd/server/start.go
@@ -7,6 +7,7 @@ import (
 
 	"github.com/spf13/cobra"
 
+	admissionv1 "k8s.io/api/admission/v1"
 	admissionv1beta1 "k8s.io/api/admission/v1beta1"
 	genericapiserver "k8s.io/apiserver/pkg/server"
 	genericoptions "k8s.io/apiserver/pkg/server/options"
@@ -30,7 +31,7 @@ func NewAdmissionServerOptions(out, errOut io.Writer, admissionHooks ...apiserve
 		// TODO we will nil out the etcd storage options.  This requires a later level of k8s.io/apiserver
 		RecommendedOptions: genericoptions.NewRecommendedOptions(
 			defaultEtcdPathPrefix,
-			apiserver.Codecs.LegacyCodec(admissionv1beta1.SchemeGroupVersion),
+			apiserver.Codecs.LegacyCodec(admissionv1.SchemeGroupVersion, admissionv1beta1.SchemeGroupVersion),
 		),
 
 		AdmissionHooks: admissionHooks,
@@ -45,8 +46,7 @@ func NewAdmissionServerOptions(out, errOut io.Writer, admissionHooks ...apiserve
 	// delegating authorizer now allows this.
 	o.RecommendedOptions.Authorization = o.RecommendedOptions.Authorization.
 		WithAlwaysAllowPaths("/healthz", "/readyz", "/livez"). // this allows the kubelet to always get health and readiness without causing an access check
-		WithAlwaysAllowGroups("system:masters") // in a kube cluster, system:masters can take any action, so there is no need to ask for an authz check
-
+		WithAlwaysAllowGroups("system:masters")                // in a kube cluster, system:masters can take any action, so there is no need to ask for an authz check
 
 	return o
 }

diff --git a/pkg/registry/admissionreview/admission_review.go b/pkg/registry/admissionreview/admission_review.go
@@ -3,14 +3,14 @@ package admissionreview
 import (
 	"context"
 
-	admissionv1beta1 "k8s.io/api/admission/v1beta1"
+	admissionv1 "k8s.io/api/admission/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/runtime/schema"
 	"k8s.io/apiserver/pkg/registry/rest"
 )
 
-type AdmissionHookFunc func(admissionSpec *admissionv1beta1.AdmissionRequest) *admissionv1beta1.AdmissionResponse
+type AdmissionHookFunc func(obj runtime.Object) runtime.Object
 
 type REST struct {
 	hookFn AdmissionHookFunc
@@ -27,19 +27,17 @@ func NewREST(hookFn AdmissionHookFunc) *REST {
 }
 
 func (r *REST) New() runtime.Object {
-	return &admissionv1beta1.AdmissionReview{}
+	return &admissionv1.AdmissionReview{}
 }
 
 func (r *REST) GroupVersionKind(containingGV schema.GroupVersion) schema.GroupVersionKind {
-	return admissionv1beta1.SchemeGroupVersion.WithKind("AdmissionReview")
+	return admissionv1.SchemeGroupVersion.WithKind("AdmissionReview")
 }
 
 func (r *REST) NamespaceScoped() bool {
 	return false
 }
 
 func (r *REST) Create(ctx context.Context, obj runtime.Object, _ rest.ValidateObjectFunc, _ *metav1.CreateOptions) (runtime.Object, error) {
-	admissionReview := obj.(*admissionv1beta1.AdmissionReview)
-	admissionReview.Response = r.hookFn(admissionReview.Request)
-	return admissionReview, nil
+	return r.hookFn(obj), nil
 }