update admission webhook to handle multiple auth domains #54414
Conversation
@deads2k: Adding do-not-merge/release-note-label-needed because the release note process has not been followed. One of the following labels is required "release-note", "release-note-action-required", or "release-note-none". Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
504cf1c to 0743acb
if err != nil { | ||
return nil, err | ||
} | ||
kubeconfigFile = config.AdmissionWebhookConfig.KubeConfigFile |
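Review bot: kubeconfigFile is taken from config.AdmissionWebhookConfig.KubeConfigFile with no check for an empty value, so an admission config that omits the field hands an empty path to whatever loads the kubeconfig later. Guard it with `if kubeconfigFile == "" { ... }` and state the fallback (anonymous or the in-cluster config) in a comment so the plugin's behaviour without a file is explicit; dropping the extra AdmissionWebhookConfig nesting raised in review can go in the same change.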
shouldn't need the extra layer of nesting... I thought the configFile reader you got here was just the config for this admission plugin
shouldn't need the extra layer of nesting... I thought the configFile reader you got here was just the config for this admission plugin
I followed the pattern from the ImagePolicyWebhook. I agree and I'll fix up the TODO about creating a versioned type, but adding types drowns out content. How about we make ourselves consistent with other webhooks and I promise to create a versioned config in the next 24 hours?
shouldn't need the extra layer of nesting... I thought the configFile reader you got here was just the config for this admission plugin
I'll remove the layering here and do versioned types in a close followup.
// star prefixed match | ||
serverSteps := strings.Split(server, ".") | ||
for i := 1; i < len(serverSteps); i++ { | ||
nickName := "*." + strings.Join(serverSteps[i:], ".") |
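Review bot: the wildcard loop starts at i=1, so for a.b.svc it tries *.b.svc before *.svc, which gives the most specific wildcard precedence; that ordering is the property kubeconfig authors will rely on, so spell it out in the comment and pin it with a test where both *.b.svc and *.svc entries exist. Two smaller points: the loop never produces the bare "*" key (that is handled separately below), and a server name with an empty label, such as a trailing dot, yields keys like "*." that can never match, which is harmless but worth a comment.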
does this try *.svc? that's a little weird
does this try *.svc? that's a little weird
It does, but it doesn't make anyone use it. Doing it like this makes the matching rules consistent and predictable for users. The requirement to be a .svc is artificial and I'd rather not have a file format that precludes supporting other possible use-cases.
I don't think that ever makes it behave incorrectly.
|
||
// if we're trying to hit the kube-apiserver and there wasn't an explicit config, use the in-cluster config | ||
if server == "kubernetes.default.svc" { | ||
return rest.InClusterConfig() |
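Review bot: returning rest.InClusterConfig() directly propagates its error, so an apiserver that is not running inside the cluster fails at this point before the wildcard, "*" or anonymous fallbacks are ever tried. Capture the result instead, for example `if cfg, err := rest.InClusterConfig(); err == nil { return cfg, nil }`, and fall through on error.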
if this returns an error we should continue
if this returns an error we should continue
True. Will fix.
if authConfig, ok := c.kubeconfig.AuthInfos["*"]; ok { | ||
return restConfigFromKubeconfig(authConfig) | ||
} | ||
|
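Review bot: the "*" entry is consulted only after the exact and suffix-wildcard lookups fail, which means the credential it names is sent to any webhook host, in-cluster or external, that has no more specific entry. That is reasonable as a deliberate catch-all, but the file-format docs should say so plainly, and the lookup should fall back to the current-context user before going anonymous, as requested in review, so an existing kubeconfig keeps working without a "*" entry.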
fall back to current-context.user if present before anonymous
fall back to current-context.user if present before anonymous
ok.
0743acb to 8de800f
Comments addressed.
8de800f to fd4ab3e
Works for me. Please follow up with caching for the restclient construction and API types for the config.
Please don't merge this until we're all agreed. I am not convinced that this is the best option yet.
@@ -266,16 +279,21 @@ func (a *GenericAdmissionWebhook) callHook(ctx context.Context, h *v1alpha1.Exte | |||
} | |||
|
|||
func (a *GenericAdmissionWebhook) hookClient(h *v1alpha1.ExternalAdmissionHook) (*rest.RESTClient, error) { | |||
serverName := h.ClientConfig.Service.Name + "." + h.ClientConfig.Service.Namespace + ".svc" |
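Review bot: serverName is built as Service.Name + "." + Service.Namespace + ".svc" with no check that either field is non-empty; an empty name or namespace yields a key such as ".ns.svc" or "name..svc", which the suffix-wildcard loop would then resolve through "*.svc" instead of failing. Validate both fields here (or note in a comment that API validation guarantees them), and, as raised in the review comment that follows, keying the lookup on the service reference alone means a webhook hosted outside the cluster cannot be expressed in this auth model.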
Given this auth model we'd need to change the API to not use k8s services--this wouldn't work for something hosted outside of the cluster. Another PR though.
|
||
func (c *defaultAuthenticationInfoResolver) ClientConfigFor(server string) (*rest.Config, error) { | ||
// exact match | ||
if authConfig, ok := c.kubeconfig.AuthInfos[server]; ok { |
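Review bot: ClientConfigFor has no doc comment describing the precedence it implements (exact server name, then "*."-prefixed suffixes from most to least specific, then the bare "*"), and that order is exactly what an administrator writing the kubeconfig needs to know. Add a comment with a short example of which user names match a given server, since the kubeconfig field names themselves do not make the wildcard behaviour obvious.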
I don't understand the part that turns a kubeconfig file into this structure; it needs examples & at least a comment explaining it? Maybe this already exists or is coming in another PR? Maybe an example in a test?
I don't understand the part that turns a kubeconfig file into this structure; it needs examples & at least a comment explaining it? Maybe this already exists or is coming in another PR? Maybe an example in a test?
It's the normal decoding path. The types were written long ago when the hub version was optimized for code (with maps) and the external was optimized for serialization.
I think we still need examples specifically for this feature. They don't have to be in this PR. The field names in kubeconfig files aren't intuitive.
I think it will look like, (@deads2k correct me if I'm wrong)

```yaml
users:
- name: "*.svc"
  user:
    token-file: ".../token"
- name: "*.namespace.svc"
  user:
    client-certificate-file: ".../client.crt"
    client-key-file: ".../client.key"
```
serverName: "one.two.three.com", | ||
kubeconfig: clientcmdapi.Config{ | ||
AuthInfos: map[string]*clientcmdapi.AuthInfo{ | ||
"*.two.three.com": {Token: "first"}, |
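Review bot: the case at this point only checks that one.two.three.com resolves through *.two.three.com; add sibling cases with both *.two.three.com and *.three.com present (expecting "first"), an exact entry alongside a wildcard (expecting the exact one), and a host with no matching entry (expecting the "*" or anonymous fallback), so the precedence the resolver relies on is pinned by the test rather than implied by it.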
What is the use case for this? Won't it be more obvious to system administrators what will happen if we just require exact match? (I don't object to the implementation, it just seems like it will help < 1% of people while making 100% of people have to understand it.)
What is the use case for this? Won't it be more obvious to system administrators what will happen if we just require exact match? (I don't object to the implementation, it just seems like it will help < 1% of people while making 100% of people have to understand it.)
Authentication domains often follow real domains. If you don't allow any wildcarding, then adding a new service in an existing namespace could require rolling a large number of configmaps. If you do allow wildcarding, then people can choose to use the feature and avoid unnecessary config changes if they understand their deployment topology.
Supporting wildcards does not force anyone to use them, so until someone asks the question, "I have multiple webhooks for my domain, how can I avoid fanning out in this file", they won't care, they'll be able to use exact matches.
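The precedence discussed in this thread (exact user name first, then wildcard suffixes from most to least specific, then the bare "*", then the current-context user, otherwise anonymous) is easier to reason about when run end to end. The following is an added example, not code from this PR or from Kubernetes: it models clientcmdapi.AuthInfo with a small local struct (an assumption, so it runs without client-go), fills a constructed AuthInfos map with the entry shapes mentioned above, and resolves several server names against it.

```go
package main

import (
	"fmt"
	"strings"
)

// AuthInfo is a minimal stand-in for clientcmdapi.AuthInfo (assumption: only
// the fields needed to show which entry was chosen are modelled).
type AuthInfo struct {
	Token             string
	ClientCertificate string
}

// Resolver holds the kubeconfig users keyed by the name the apiserver looks
// up: an exact host, a "*."-prefixed suffix, or the bare "*".
type Resolver struct {
	AuthInfos          map[string]*AuthInfo
	CurrentContextUser string // user named by current-context; "" if none
}

// Lookup returns the key that matched and its AuthInfo. A ("", nil) result
// means no entry applied and the caller should use anonymous auth.
func (r *Resolver) Lookup(server string) (string, *AuthInfo) {
	// 1. exact match on the full host name
	if a, ok := r.AuthInfos[server]; ok {
		return server, a
	}
	// 2. wildcard suffixes, most specific first: a.b.svc -> *.b.svc -> *.svc
	steps := strings.Split(server, ".")
	for i := 1; i < len(steps); i++ {
		key := "*." + strings.Join(steps[i:], ".")
		if a, ok := r.AuthInfos[key]; ok {
			return key, a
		}
	}
	// 3. bare "*": a deliberate catch-all whose credential is sent to any
	//    host that had no more specific entry, so it deserves care
	if a, ok := r.AuthInfos["*"]; ok {
		return "*", a
	}
	// 4. the current-context user, if the file names one
	if r.CurrentContextUser != "" {
		if a, ok := r.AuthInfos[r.CurrentContextUser]; ok {
			return r.CurrentContextUser, a
		}
	}
	// 5. nothing matched: anonymous
	return "", nil
}

// NewExampleResolver returns a resolver filled with constructed sample
// entries (not a real kubeconfig) mirroring the shapes discussed above.
func NewExampleResolver() *Resolver {
	return &Resolver{
		AuthInfos: map[string]*AuthInfo{
			"webhook.ns1.svc": {Token: "exact-token"},
			"*.ns1.svc":       {ClientCertificate: "ns1-client.crt"},
			"*.svc":           {Token: "cluster-wide-token"},
			"*.two.three.com": {Token: "first"},
			"*.three.com":     {Token: "second"},
		},
	}
}

func main() {
	r := NewExampleResolver()
	for _, host := range []string{
		"webhook.ns1.svc", "other.ns1.svc", "other.ns2.svc",
		"one.two.three.com", "x.three.com", "api.example.org",
	} {
		key, a := r.Lookup(host)
		if a == nil {
			fmt.Printf("%-20s -> anonymous\n", host)
			continue
		}
		fmt.Printf("%-20s -> %q (token=%q cert=%q)\n", host, key, a.Token, a.ClientCertificate)
	}
}
```

Running it shows the exact entry beating "*.ns1.svc", "*.two.three.com" beating "*.three.com" for one.two.three.com, and api.example.org falling through to anonymous because the sample map has neither a "*" entry nor a current-context user.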
/lgtm
[APPROVALNOTIFIER] This PR is APPROVED
This pull-request has been approved by: deads2k, lavalamp
Associated issue: 54404
The full list of commands accepted by this bot can be found here.
Automatic merge from submit-queue (batch tested with PRs 55812, 55752, 55447, 55848, 50984). If you want to cherry-pick this change to another branch, please follow the instructions [here](https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md).

Make versioned types for webhook admission config

Versioned webhook admission config type as promised in kubernetes/kubernetes#54414.

@kubernetes/sig-api-machinery-pr-reviews
@ericchiang as promised. fyi.

```yaml
kind: AdmissionConfiguration
apiVersion: apiserver.k8s.io/v1alpha1
plugins:
- name: GenericAdmissionWebhook
  configuration:
    kind: WebhookAdmission
    apiVersion: apiserver.config.k8s.io/v1alpha1
    kubeConfigFile: /path/to/my/file
```

`ADMISSION_CONTROL_CONFIG_FILE=../foo.yaml hack/local-up-cluster.sh`

Kubernetes-commit: 25ebf875b4235cb8f43be2aec699d62e78339cec
Can this be done using the WebhookClientConfig part of *WebhookConfiguration objects when the each webhook is registered so it could be updated dynamically? It already stores the CA to validate the webhook's identity, why couldn't it also include information about how to verify the apiserver's identity to the webhook?
Two main reasons:
Fixes #54404
Adds some wiring to have the admission plugin accept a config file for per-apiserver configuration.
@kubernetes/sig-auth-api-reviews @deads2k @ericchiang @liggitt in particular
@kubernetes/sig-api-machinery-pr-reviews @lavalamp @caesarxuchao @sttts @cheftako