Merge pull request #56213 from deads2k/admission-18-validation

Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>. require webhook admission kubeconfigfile to be absolute Minimal change to enforce absolute file paths when using webhook admission config. Eventually we should resolve the local file paths relative to the original configuration file, but that requires fairly significant plumbing. @caesarxuchao @sttts @liggitt If this is not fixed, then inconsistent, seemingly random file resolution will happen and may pin this API to bad behavior that we will later have to break. Kubernetes-commit: 65f5c1e8475c26dd503860ddb14356fe83c4e5a5
2017-11-22 07:45:37 -08:00 · 2017-11-22 07:45:37 -08:00 · 21f96018e0
parent bcde3e688c 6d575ed0c4
commit 21f96018e0
3 changed files with 1688 additions and 1682 deletions
--- a/Godeps/Godeps.json
+++ b/Godeps/Godeps.json
@ -764,115 +764,115 @@
    },
    {
      "ImportPath": "k8s.io/api/admission/v1beta1",
-			"Rev": "174ae813538241df9752b353943abe002da8299b"
+      "Rev": "bc27cbc7921e1343f1320ec077c51729064fc98f"
    },
    {
      "ImportPath": "k8s.io/api/admissionregistration/v1alpha1",
-			"Rev": "174ae813538241df9752b353943abe002da8299b"
+      "Rev": "bc27cbc7921e1343f1320ec077c51729064fc98f"
    },
    {
      "ImportPath": "k8s.io/api/admissionregistration/v1beta1",
-			"Rev": "174ae813538241df9752b353943abe002da8299b"
+      "Rev": "bc27cbc7921e1343f1320ec077c51729064fc98f"
    },
    {
      "ImportPath": "k8s.io/api/apps/v1",
-			"Rev": "174ae813538241df9752b353943abe002da8299b"
+      "Rev": "bc27cbc7921e1343f1320ec077c51729064fc98f"
    },
    {
      "ImportPath": "k8s.io/api/apps/v1beta1",
-			"Rev": "174ae813538241df9752b353943abe002da8299b"
+      "Rev": "bc27cbc7921e1343f1320ec077c51729064fc98f"
    },
    {
      "ImportPath": "k8s.io/api/apps/v1beta2",
-			"Rev": "174ae813538241df9752b353943abe002da8299b"
+      "Rev": "bc27cbc7921e1343f1320ec077c51729064fc98f"
    },
    {
      "ImportPath": "k8s.io/api/authentication/v1",
-			"Rev": "174ae813538241df9752b353943abe002da8299b"
+      "Rev": "bc27cbc7921e1343f1320ec077c51729064fc98f"
    },
    {
      "ImportPath": "k8s.io/api/authentication/v1beta1",
-			"Rev": "174ae813538241df9752b353943abe002da8299b"
+      "Rev": "bc27cbc7921e1343f1320ec077c51729064fc98f"
    },
    {
      "ImportPath": "k8s.io/api/authorization/v1",
-			"Rev": "174ae813538241df9752b353943abe002da8299b"
+      "Rev": "bc27cbc7921e1343f1320ec077c51729064fc98f"
    },
    {
      "ImportPath": "k8s.io/api/authorization/v1beta1",
-			"Rev": "174ae813538241df9752b353943abe002da8299b"
+      "Rev": "bc27cbc7921e1343f1320ec077c51729064fc98f"
    },
    {
      "ImportPath": "k8s.io/api/autoscaling/v1",
-			"Rev": "174ae813538241df9752b353943abe002da8299b"
+      "Rev": "bc27cbc7921e1343f1320ec077c51729064fc98f"
    },
    {
      "ImportPath": "k8s.io/api/autoscaling/v2beta1",
-			"Rev": "174ae813538241df9752b353943abe002da8299b"
+      "Rev": "bc27cbc7921e1343f1320ec077c51729064fc98f"
    },
    {
      "ImportPath": "k8s.io/api/batch/v1",
-			"Rev": "174ae813538241df9752b353943abe002da8299b"
+      "Rev": "bc27cbc7921e1343f1320ec077c51729064fc98f"
    },
    {
      "ImportPath": "k8s.io/api/batch/v1beta1",
-			"Rev": "174ae813538241df9752b353943abe002da8299b"
+      "Rev": "bc27cbc7921e1343f1320ec077c51729064fc98f"
    },
    {
      "ImportPath": "k8s.io/api/batch/v2alpha1",
-			"Rev": "174ae813538241df9752b353943abe002da8299b"
+      "Rev": "bc27cbc7921e1343f1320ec077c51729064fc98f"
    },
    {
      "ImportPath": "k8s.io/api/certificates/v1beta1",
-			"Rev": "174ae813538241df9752b353943abe002da8299b"
+      "Rev": "bc27cbc7921e1343f1320ec077c51729064fc98f"
    },
    {
      "ImportPath": "k8s.io/api/core/v1",
-			"Rev": "174ae813538241df9752b353943abe002da8299b"
+      "Rev": "bc27cbc7921e1343f1320ec077c51729064fc98f"
    },
    {
      "ImportPath": "k8s.io/api/extensions/v1beta1",
-			"Rev": "174ae813538241df9752b353943abe002da8299b"
+      "Rev": "bc27cbc7921e1343f1320ec077c51729064fc98f"
    },
    {
      "ImportPath": "k8s.io/api/networking/v1",
-			"Rev": "174ae813538241df9752b353943abe002da8299b"
+      "Rev": "bc27cbc7921e1343f1320ec077c51729064fc98f"
    },
    {
      "ImportPath": "k8s.io/api/policy/v1beta1",
-			"Rev": "174ae813538241df9752b353943abe002da8299b"
+      "Rev": "bc27cbc7921e1343f1320ec077c51729064fc98f"
    },
    {
      "ImportPath": "k8s.io/api/rbac/v1",
-			"Rev": "174ae813538241df9752b353943abe002da8299b"
+      "Rev": "bc27cbc7921e1343f1320ec077c51729064fc98f"
    },
    {
      "ImportPath": "k8s.io/api/rbac/v1alpha1",
-			"Rev": "174ae813538241df9752b353943abe002da8299b"
+      "Rev": "bc27cbc7921e1343f1320ec077c51729064fc98f"
    },
    {
      "ImportPath": "k8s.io/api/rbac/v1beta1",
-			"Rev": "174ae813538241df9752b353943abe002da8299b"
+      "Rev": "bc27cbc7921e1343f1320ec077c51729064fc98f"
    },
    {
      "ImportPath": "k8s.io/api/scheduling/v1alpha1",
-			"Rev": "174ae813538241df9752b353943abe002da8299b"
+      "Rev": "bc27cbc7921e1343f1320ec077c51729064fc98f"
    },
    {
      "ImportPath": "k8s.io/api/settings/v1alpha1",
-			"Rev": "174ae813538241df9752b353943abe002da8299b"
+      "Rev": "bc27cbc7921e1343f1320ec077c51729064fc98f"
    },
    {
      "ImportPath": "k8s.io/api/storage/v1",
-			"Rev": "174ae813538241df9752b353943abe002da8299b"
+      "Rev": "bc27cbc7921e1343f1320ec077c51729064fc98f"
    },
    {
      "ImportPath": "k8s.io/api/storage/v1alpha1",
-			"Rev": "174ae813538241df9752b353943abe002da8299b"
+      "Rev": "bc27cbc7921e1343f1320ec077c51729064fc98f"
    },
    {
      "ImportPath": "k8s.io/api/storage/v1beta1",
-			"Rev": "174ae813538241df9752b353943abe002da8299b"
+      "Rev": "bc27cbc7921e1343f1320ec077c51729064fc98f"
    },
    {
      "ImportPath": "k8s.io/apimachinery/pkg/api/equality",
--- a/pkg/admission/plugin/webhook/config/BUILD
+++ b/pkg/admission/plugin/webhook/config/BUILD
@ -16,6 +16,7 @@ go_library(
        "//vendor/k8s.io/apimachinery/pkg/runtime:go_default_library",
        "//vendor/k8s.io/apimachinery/pkg/runtime/serializer:go_default_library",
        "//vendor/k8s.io/apimachinery/pkg/util/errors:go_default_library",
        "//vendor/k8s.io/apimachinery/pkg/util/validation/field:go_default_library",
        "//vendor/k8s.io/apiserver/pkg/admission/plugin/webhook/config/apis/webhookadmission:go_default_library",
        "//vendor/k8s.io/apiserver/pkg/admission/plugin/webhook/config/apis/webhookadmission/v1alpha1:go_default_library",
        "//vendor/k8s.io/apiserver/pkg/admission/plugin/webhook/errors:go_default_library",
--- a/pkg/admission/plugin/webhook/config/kubeconfig.go
+++ b/pkg/admission/plugin/webhook/config/kubeconfig.go
@ -17,13 +17,14 @@ limitations under the License.
 package config
 import (
 	"fmt"
 	"io"
 	"io/ioutil"
-
+	"path"
 	"fmt"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/runtime/serializer"
 	"k8s.io/apimachinery/pkg/util/validation/field"
 	"k8s.io/apiserver/pkg/admission/plugin/webhook/config/apis/webhookadmission"
 	"k8s.io/apiserver/pkg/admission/plugin/webhook/config/apis/webhookadmission/v1alpha1"
 )
@ -57,6 +58,10 @@ func LoadConfig(configFile io.Reader) (string, error) {
 			return "", fmt.Errorf("unexpected type: %T", decodedObj)
 		}
 		if !path.IsAbs(config.KubeConfigFile) {
 			return "", field.Invalid(field.NewPath("kubeConfigFile"), config.KubeConfigFile, "must be an absolute file path")
 		}
 		kubeconfigFile = config.KubeConfigFile
 	}
 	return kubeconfigFile, nil