kubernetes
/
apiserver
mirror of https://github.com/kubernetes/apiserver.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Add AdmissionReviewVersions to admissionregistration and default it 

Kubernetes-commit: f7dff4725f8dc694a852e7fdbdde2c8a6dd5b7d4
This commit is contained in:
Mehdy Bohlool 2019-03-04 20:52:57 -08:00 committed by Kubernetes Publisher
parent 87d65d9bc7
commit 81939cee8f
4 changed files with 207 additions and 149 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
pkg/admission/plugin/webhook/mutating/dispatcher.go
View File

@ -94,6 +94,12 @@ func (a *mutatingDispatcher) callAttrMutatingHook(ctx context.Context, h *v1beta
} }
} }
// Currently dispatcher only supports `v1beta1` AdmissionReview
// TODO: Make the dispatcher capable of sending multiple AdmissionReview versions
if !util.HasAdmissionReviewVersion(v1beta1.SchemeGroupVersion.Version, h) {
return &webhook.ErrCallingWebhook{WebhookName: h.Name, Reason: fmt.Errorf("webhook does not accept v1beta1 AdmissionReview")}
}
// Make the webhook request // Make the webhook request
request := request.CreateAdmissionReview(attr) request := request.CreateAdmissionReview(attr)
client, err := a.cm.HookClient(util.HookClientConfigForWebhook(h)) client, err := a.cm.HookClient(util.HookClientConfigForWebhook(h))

334
pkg/admission/plugin/webhook/testing/testcase.go
View File

@ -211,17 +211,19 @@ func NewNonMutatingTestCases(url *url.URL) []Test {
Rules: []registrationv1beta1.RuleWithOperations{{ Rules: []registrationv1beta1.RuleWithOperations{{
Operations: []registrationv1beta1.OperationType{registrationv1beta1.Create}, Operations: []registrationv1beta1.OperationType{registrationv1beta1.Create},
}}, }},
NamespaceSelector: &metav1.LabelSelector{}, NamespaceSelector: &metav1.LabelSelector{},
AdmissionReviewVersions: []string{"v1beta1"},
}}, }},
ExpectAllow: true, ExpectAllow: true,
}, },
{ {
Name: "match & allow", Name: "match & allow",
Webhooks: []registrationv1beta1.Webhook{{ Webhooks: []registrationv1beta1.Webhook{{
Name: "allow.example.com", Name: "allow.example.com",
ClientConfig: ccfgSVC("allow"), ClientConfig: ccfgSVC("allow"),
Rules: matchEverythingRules, Rules: matchEverythingRules,
NamespaceSelector: &metav1.LabelSelector{}, NamespaceSelector: &metav1.LabelSelector{},
AdmissionReviewVersions: []string{"v1beta1"},
}}, }},
ExpectAllow: true, ExpectAllow: true,
ExpectAnnotations: map[string]string{"allow.example.com/key1": "value1"}, ExpectAnnotations: map[string]string{"allow.example.com/key1": "value1"},
@ -229,20 +231,22 @@ func NewNonMutatingTestCases(url *url.URL) []Test {
{ {
Name: "match & disallow", Name: "match & disallow",
Webhooks: []registrationv1beta1.Webhook{{ Webhooks: []registrationv1beta1.Webhook{{
Name: "disallow", Name: "disallow",
ClientConfig: ccfgSVC("disallow"), ClientConfig: ccfgSVC("disallow"),
Rules: matchEverythingRules, Rules: matchEverythingRules,
NamespaceSelector: &metav1.LabelSelector{}, NamespaceSelector: &metav1.LabelSelector{},
AdmissionReviewVersions: []string{"v1beta1"},
}}, }},
ErrorContains: "without explanation", ErrorContains: "without explanation",
}, },
{ {
Name: "match & disallow ii", Name: "match & disallow ii",
Webhooks: []registrationv1beta1.Webhook{{ Webhooks: []registrationv1beta1.Webhook{{
Name: "disallowReason", Name: "disallowReason",
ClientConfig: ccfgSVC("disallowReason"), ClientConfig: ccfgSVC("disallowReason"),
Rules: matchEverythingRules, Rules: matchEverythingRules,
NamespaceSelector: &metav1.LabelSelector{}, NamespaceSelector: &metav1.LabelSelector{},
AdmissionReviewVersions: []string{"v1beta1"},
}}, }},
ErrorContains: "you shall not pass", ErrorContains: "you shall not pass",
@ -260,6 +264,7 @@ func NewNonMutatingTestCases(url *url.URL) []Test {
Operator: metav1.LabelSelectorOpIn, Operator: metav1.LabelSelectorOpIn,
}}, }},
}, },
AdmissionReviewVersions: []string{"v1beta1"},
}}, }},
ExpectAllow: true, ExpectAllow: true,
@ -277,29 +282,33 @@ func NewNonMutatingTestCases(url *url.URL) []Test {
Operator: metav1.LabelSelectorOpNotIn, Operator: metav1.LabelSelectorOpNotIn,
}}, }},
}, },
AdmissionReviewVersions: []string{"v1beta1"},
}}, }},
ExpectAllow: true, ExpectAllow: true,
}, },
{ {
Name: "match & fail (but allow because fail open)", Name: "match & fail (but allow because fail open)",
Webhooks: []registrationv1beta1.Webhook{{ Webhooks: []registrationv1beta1.Webhook{{
Name: "internalErr A", Name: "internalErr A",
ClientConfig: ccfgSVC("internalErr"), ClientConfig: ccfgSVC("internalErr"),
Rules: matchEverythingRules, Rules: matchEverythingRules,
NamespaceSelector: &metav1.LabelSelector{}, NamespaceSelector: &metav1.LabelSelector{},
FailurePolicy: &policyIgnore, FailurePolicy: &policyIgnore,
AdmissionReviewVersions: []string{"v1beta1"},
}, { }, {
Name: "internalErr B", Name: "internalErr B",
ClientConfig: ccfgSVC("internalErr"), ClientConfig: ccfgSVC("internalErr"),
Rules: matchEverythingRules, Rules: matchEverythingRules,
NamespaceSelector: &metav1.LabelSelector{}, NamespaceSelector: &metav1.LabelSelector{},
FailurePolicy: &policyIgnore, FailurePolicy: &policyIgnore,
AdmissionReviewVersions: []string{"v1beta1"},
}, { }, {
Name: "internalErr C", Name: "internalErr C",
ClientConfig: ccfgSVC("internalErr"), ClientConfig: ccfgSVC("internalErr"),
Rules: matchEverythingRules, Rules: matchEverythingRules,
NamespaceSelector: &metav1.LabelSelector{}, NamespaceSelector: &metav1.LabelSelector{},
FailurePolicy: &policyIgnore, FailurePolicy: &policyIgnore,
AdmissionReviewVersions: []string{"v1beta1"},
}}, }},
ExpectAllow: true, ExpectAllow: true,
@ -307,53 +316,60 @@ func NewNonMutatingTestCases(url *url.URL) []Test {
{ {
Name: "match & fail (but disallow because fail close on nil FailurePolicy)", Name: "match & fail (but disallow because fail close on nil FailurePolicy)",
Webhooks: []registrationv1beta1.Webhook{{ Webhooks: []registrationv1beta1.Webhook{{
Name: "internalErr A", Name: "internalErr A",
ClientConfig: ccfgSVC("internalErr"), ClientConfig: ccfgSVC("internalErr"),
NamespaceSelector: &metav1.LabelSelector{}, NamespaceSelector: &metav1.LabelSelector{},
Rules: matchEverythingRules, Rules: matchEverythingRules,
AdmissionReviewVersions: []string{"v1beta1"},
}, { }, {
Name: "internalErr B", Name: "internalErr B",
ClientConfig: ccfgSVC("internalErr"), ClientConfig: ccfgSVC("internalErr"),
NamespaceSelector: &metav1.LabelSelector{}, NamespaceSelector: &metav1.LabelSelector{},
Rules: matchEverythingRules, Rules: matchEverythingRules,
AdmissionReviewVersions: []string{"v1beta1"},
}, { }, {
Name: "internalErr C", Name: "internalErr C",
ClientConfig: ccfgSVC("internalErr"), ClientConfig: ccfgSVC("internalErr"),
NamespaceSelector: &metav1.LabelSelector{}, NamespaceSelector: &metav1.LabelSelector{},
Rules: matchEverythingRules, Rules: matchEverythingRules,
AdmissionReviewVersions: []string{"v1beta1"},
}}, }},
ExpectAllow: false, ExpectAllow: false,
}, },
{ {
Name: "match & fail (but fail because fail closed)", Name: "match & fail (but fail because fail closed)",
Webhooks: []registrationv1beta1.Webhook{{ Webhooks: []registrationv1beta1.Webhook{{
Name: "internalErr A", Name: "internalErr A",
ClientConfig: ccfgSVC("internalErr"), ClientConfig: ccfgSVC("internalErr"),
Rules: matchEverythingRules, Rules: matchEverythingRules,
NamespaceSelector: &metav1.LabelSelector{}, NamespaceSelector: &metav1.LabelSelector{},
FailurePolicy: &policyFail, FailurePolicy: &policyFail,
AdmissionReviewVersions: []string{"v1beta1"},
}, { }, {
Name: "internalErr B", Name: "internalErr B",
ClientConfig: ccfgSVC("internalErr"), ClientConfig: ccfgSVC("internalErr"),
Rules: matchEverythingRules, Rules: matchEverythingRules,
NamespaceSelector: &metav1.LabelSelector{}, NamespaceSelector: &metav1.LabelSelector{},
FailurePolicy: &policyFail, FailurePolicy: &policyFail,
AdmissionReviewVersions: []string{"v1beta1"},
}, { }, {
Name: "internalErr C", Name: "internalErr C",
ClientConfig: ccfgSVC("internalErr"), ClientConfig: ccfgSVC("internalErr"),
Rules: matchEverythingRules, Rules: matchEverythingRules,
NamespaceSelector: &metav1.LabelSelector{}, NamespaceSelector: &metav1.LabelSelector{},
FailurePolicy: &policyFail, FailurePolicy: &policyFail,
AdmissionReviewVersions: []string{"v1beta1"},
}}, }},
ExpectAllow: false, ExpectAllow: false,
}, },
{ {
Name: "match & allow (url)", Name: "match & allow (url)",
Webhooks: []registrationv1beta1.Webhook{{ Webhooks: []registrationv1beta1.Webhook{{
Name: "allow.example.com", Name: "allow.example.com",
ClientConfig: ccfgURL("allow"), ClientConfig: ccfgURL("allow"),
Rules: matchEverythingRules, Rules: matchEverythingRules,
NamespaceSelector: &metav1.LabelSelector{}, NamespaceSelector: &metav1.LabelSelector{},
AdmissionReviewVersions: []string{"v1beta1"},
}}, }},
ExpectAllow: true, ExpectAllow: true,
ExpectAnnotations: map[string]string{"allow.example.com/key1": "value1"}, ExpectAnnotations: map[string]string{"allow.example.com/key1": "value1"},
@ -361,31 +377,34 @@ func NewNonMutatingTestCases(url *url.URL) []Test {
{ {
Name: "match & disallow (url)", Name: "match & disallow (url)",
Webhooks: []registrationv1beta1.Webhook{{ Webhooks: []registrationv1beta1.Webhook{{
Name: "disallow", Name: "disallow",
ClientConfig: ccfgURL("disallow"), ClientConfig: ccfgURL("disallow"),
Rules: matchEverythingRules, Rules: matchEverythingRules,
NamespaceSelector: &metav1.LabelSelector{}, NamespaceSelector: &metav1.LabelSelector{},
AdmissionReviewVersions: []string{"v1beta1"},
}}, }},
ErrorContains: "without explanation", ErrorContains: "without explanation",
}, { }, {
Name: "absent response and fail open", Name: "absent response and fail open",
Webhooks: []registrationv1beta1.Webhook{{ Webhooks: []registrationv1beta1.Webhook{{
Name: "nilResponse", Name: "nilResponse",
ClientConfig: ccfgURL("nilResponse"), ClientConfig: ccfgURL("nilResponse"),
FailurePolicy: &policyIgnore, FailurePolicy: &policyIgnore,
Rules: matchEverythingRules, Rules: matchEverythingRules,
NamespaceSelector: &metav1.LabelSelector{}, NamespaceSelector: &metav1.LabelSelector{},
AdmissionReviewVersions: []string{"v1beta1"},
}}, }},
ExpectAllow: true, ExpectAllow: true,
}, },
{ {
Name: "absent response and fail closed", Name: "absent response and fail closed",
Webhooks: []registrationv1beta1.Webhook{{ Webhooks: []registrationv1beta1.Webhook{{
Name: "nilResponse", Name: "nilResponse",
ClientConfig: ccfgURL("nilResponse"), ClientConfig: ccfgURL("nilResponse"),
FailurePolicy: &policyFail, FailurePolicy: &policyFail,
Rules: matchEverythingRules, Rules: matchEverythingRules,
NamespaceSelector: &metav1.LabelSelector{}, NamespaceSelector: &metav1.LabelSelector{},
AdmissionReviewVersions: []string{"v1beta1"},
}}, }},
ErrorContains: "Webhook response was absent", ErrorContains: "Webhook response was absent",
}, },
@ -397,8 +416,9 @@ func NewNonMutatingTestCases(url *url.URL) []Test {
Rules: []registrationv1beta1.RuleWithOperations{{ Rules: []registrationv1beta1.RuleWithOperations{{
Operations: []registrationv1beta1.OperationType{registrationv1beta1.Create}, Operations: []registrationv1beta1.OperationType{registrationv1beta1.Create},
}}, }},
NamespaceSelector: &metav1.LabelSelector{}, NamespaceSelector: &metav1.LabelSelector{},
SideEffects: &sideEffectsSome, SideEffects: &sideEffectsSome,
AdmissionReviewVersions: []string{"v1beta1"},
}}, }},
IsDryRun: true, IsDryRun: true,
ExpectAllow: true, ExpectAllow: true,
@ -406,11 +426,12 @@ func NewNonMutatingTestCases(url *url.URL) []Test {
{ {
Name: "match dry run side effects Unknown", Name: "match dry run side effects Unknown",
Webhooks: []registrationv1beta1.Webhook{{ Webhooks: []registrationv1beta1.Webhook{{
Name: "allow", Name: "allow",
ClientConfig: ccfgSVC("allow"), ClientConfig: ccfgSVC("allow"),
Rules: matchEverythingRules, Rules: matchEverythingRules,
NamespaceSelector: &metav1.LabelSelector{}, NamespaceSelector: &metav1.LabelSelector{},
SideEffects: &sideEffectsUnknown, SideEffects: &sideEffectsUnknown,
AdmissionReviewVersions: []string{"v1beta1"},
}}, }},
IsDryRun: true, IsDryRun: true,
ErrorContains: "does not support dry run", ErrorContains: "does not support dry run",
@ -418,11 +439,12 @@ func NewNonMutatingTestCases(url *url.URL) []Test {
{ {
Name: "match dry run side effects None", Name: "match dry run side effects None",
Webhooks: []registrationv1beta1.Webhook{{ Webhooks: []registrationv1beta1.Webhook{{
Name: "allow", Name: "allow",
ClientConfig: ccfgSVC("allow"), ClientConfig: ccfgSVC("allow"),
Rules: matchEverythingRules, Rules: matchEverythingRules,
NamespaceSelector: &metav1.LabelSelector{}, NamespaceSelector: &metav1.LabelSelector{},
SideEffects: &sideEffectsNone, SideEffects: &sideEffectsNone,
AdmissionReviewVersions: []string{"v1beta1"},
}}, }},
IsDryRun: true, IsDryRun: true,
ExpectAllow: true, ExpectAllow: true,
@ -431,11 +453,12 @@ func NewNonMutatingTestCases(url *url.URL) []Test {
{ {
Name: "match dry run side effects Some", Name: "match dry run side effects Some",
Webhooks: []registrationv1beta1.Webhook{{ Webhooks: []registrationv1beta1.Webhook{{
Name: "allow", Name: "allow",
ClientConfig: ccfgSVC("allow"), ClientConfig: ccfgSVC("allow"),
Rules: matchEverythingRules, Rules: matchEverythingRules,
NamespaceSelector: &metav1.LabelSelector{}, NamespaceSelector: &metav1.LabelSelector{},
SideEffects: &sideEffectsSome, SideEffects: &sideEffectsSome,
AdmissionReviewVersions: []string{"v1beta1"},
}}, }},
IsDryRun: true, IsDryRun: true,
ErrorContains: "does not support dry run", ErrorContains: "does not support dry run",
@ -443,11 +466,12 @@ func NewNonMutatingTestCases(url *url.URL) []Test {
{ {
Name: "match dry run side effects NoneOnDryRun", Name: "match dry run side effects NoneOnDryRun",
Webhooks: []registrationv1beta1.Webhook{{ Webhooks: []registrationv1beta1.Webhook{{
Name: "allow", Name: "allow",
ClientConfig: ccfgSVC("allow"), ClientConfig: ccfgSVC("allow"),
Rules: matchEverythingRules, Rules: matchEverythingRules,
NamespaceSelector: &metav1.LabelSelector{}, NamespaceSelector: &metav1.LabelSelector{},
SideEffects: &sideEffectsNoneOnDryRun, SideEffects: &sideEffectsNoneOnDryRun,
AdmissionReviewVersions: []string{"v1beta1"},
}}, }},
IsDryRun: true, IsDryRun: true,
ExpectAllow: true, ExpectAllow: true,
@ -456,10 +480,11 @@ func NewNonMutatingTestCases(url *url.URL) []Test {
{ {
Name: "illegal annotation format", Name: "illegal annotation format",
Webhooks: []registrationv1beta1.Webhook{{ Webhooks: []registrationv1beta1.Webhook{{
Name: "invalidAnnotation", Name: "invalidAnnotation",
ClientConfig: ccfgURL("invalidAnnotation"), ClientConfig: ccfgURL("invalidAnnotation"),
Rules: matchEverythingRules, Rules: matchEverythingRules,
NamespaceSelector: &metav1.LabelSelector{}, NamespaceSelector: &metav1.LabelSelector{},
AdmissionReviewVersions: []string{"v1beta1"},
}}, }},
ExpectAllow: true, ExpectAllow: true,
}, },
@ -476,10 +501,11 @@ func NewMutatingTestCases(url *url.URL) []Test {
{ {
Name: "match & remove label", Name: "match & remove label",
Webhooks: []registrationv1beta1.Webhook{{ Webhooks: []registrationv1beta1.Webhook{{
Name: "removelabel.example.com", Name: "removelabel.example.com",
ClientConfig: ccfgSVC("removeLabel"), ClientConfig: ccfgSVC("removeLabel"),
Rules: matchEverythingRules, Rules: matchEverythingRules,
NamespaceSelector: &metav1.LabelSelector{}, NamespaceSelector: &metav1.LabelSelector{},
AdmissionReviewVersions: []string{"v1beta1"},
}}, }},
ExpectAllow: true, ExpectAllow: true,
AdditionalLabels: map[string]string{"remove": "me"}, AdditionalLabels: map[string]string{"remove": "me"},
@ -489,10 +515,11 @@ func NewMutatingTestCases(url *url.URL) []Test {
{ {
Name: "match & add label", Name: "match & add label",
Webhooks: []registrationv1beta1.Webhook{{ Webhooks: []registrationv1beta1.Webhook{{
Name: "addLabel", Name: "addLabel",
ClientConfig: ccfgSVC("addLabel"), ClientConfig: ccfgSVC("addLabel"),
Rules: matchEverythingRules, Rules: matchEverythingRules,
NamespaceSelector: &metav1.LabelSelector{}, NamespaceSelector: &metav1.LabelSelector{},
AdmissionReviewVersions: []string{"v1beta1"},
}}, }},
ExpectAllow: true, ExpectAllow: true,
ExpectLabels: map[string]string{"pod.name": "my-pod", "added": "test"}, ExpectLabels: map[string]string{"pod.name": "my-pod", "added": "test"},
@ -500,10 +527,11 @@ func NewMutatingTestCases(url *url.URL) []Test {
{ {
Name: "match CRD & add label", Name: "match CRD & add label",
Webhooks: []registrationv1beta1.Webhook{{ Webhooks: []registrationv1beta1.Webhook{{
Name: "addLabel", Name: "addLabel",
ClientConfig: ccfgSVC("addLabel"), ClientConfig: ccfgSVC("addLabel"),
Rules: matchEverythingRules, Rules: matchEverythingRules,
NamespaceSelector: &metav1.LabelSelector{}, NamespaceSelector: &metav1.LabelSelector{},
AdmissionReviewVersions: []string{"v1beta1"},
}}, }},
IsCRD: true, IsCRD: true,
ExpectAllow: true, ExpectAllow: true,
@ -512,10 +540,11 @@ func NewMutatingTestCases(url *url.URL) []Test {
{ {
Name: "match CRD & remove label", Name: "match CRD & remove label",
Webhooks: []registrationv1beta1.Webhook{{ Webhooks: []registrationv1beta1.Webhook{{
Name: "removelabel.example.com", Name: "removelabel.example.com",
ClientConfig: ccfgSVC("removeLabel"), ClientConfig: ccfgSVC("removeLabel"),
Rules: matchEverythingRules, Rules: matchEverythingRules,
NamespaceSelector: &metav1.LabelSelector{}, NamespaceSelector: &metav1.LabelSelector{},
AdmissionReviewVersions: []string{"v1beta1"},
}}, }},
IsCRD: true, IsCRD: true,
ExpectAllow: true, ExpectAllow: true,
@ -526,21 +555,23 @@ func NewMutatingTestCases(url *url.URL) []Test {
{ {
Name: "match & invalid mutation", Name: "match & invalid mutation",
Webhooks: []registrationv1beta1.Webhook{{ Webhooks: []registrationv1beta1.Webhook{{
Name: "invalidMutation", Name: "invalidMutation",
ClientConfig: ccfgSVC("invalidMutation"), ClientConfig: ccfgSVC("invalidMutation"),
Rules: matchEverythingRules, Rules: matchEverythingRules,
NamespaceSelector: &metav1.LabelSelector{}, NamespaceSelector: &metav1.LabelSelector{},
AdmissionReviewVersions: []string{"v1beta1"},
}}, }},
ErrorContains: "invalid character", ErrorContains: "invalid character",
}, },
{ {
Name: "match & remove label dry run unsupported", Name: "match & remove label dry run unsupported",
Webhooks: []registrationv1beta1.Webhook{{ Webhooks: []registrationv1beta1.Webhook{{
Name: "removeLabel", Name: "removeLabel",
ClientConfig: ccfgSVC("removeLabel"), ClientConfig: ccfgSVC("removeLabel"),
Rules: matchEverythingRules, Rules: matchEverythingRules,
NamespaceSelector: &metav1.LabelSelector{}, NamespaceSelector: &metav1.LabelSelector{},
SideEffects: &sideEffectsUnknown, SideEffects: &sideEffectsUnknown,
AdmissionReviewVersions: []string{"v1beta1"},
}}, }},
IsDryRun: true, IsDryRun: true,
ErrorContains: "does not support dry run", ErrorContains: "does not support dry run",
@ -567,11 +598,12 @@ func NewCachedClientTestcases(url *url.URL) []CachedTest {
{ {
Name: "uncached: service webhook, path 'allow'", Name: "uncached: service webhook, path 'allow'",
Webhooks: []registrationv1beta1.Webhook{{ Webhooks: []registrationv1beta1.Webhook{{
Name: "cache1", Name: "cache1",
ClientConfig: ccfgSVC("allow"), ClientConfig: ccfgSVC("allow"),
Rules: newMatchEverythingRules(), Rules: newMatchEverythingRules(),
NamespaceSelector: &metav1.LabelSelector{}, NamespaceSelector: &metav1.LabelSelector{},
FailurePolicy: &policyIgnore, FailurePolicy: &policyIgnore,
AdmissionReviewVersions: []string{"v1beta1"},
}}, }},
ExpectAllow: true, ExpectAllow: true,
ExpectCacheMiss: true, ExpectCacheMiss: true,
@ -579,11 +611,12 @@ func NewCachedClientTestcases(url *url.URL) []CachedTest {
{ {
Name: "uncached: service webhook, path 'internalErr'", Name: "uncached: service webhook, path 'internalErr'",
Webhooks: []registrationv1beta1.Webhook{{ Webhooks: []registrationv1beta1.Webhook{{
Name: "cache2", Name: "cache2",
ClientConfig: ccfgSVC("internalErr"), ClientConfig: ccfgSVC("internalErr"),
Rules: newMatchEverythingRules(), Rules: newMatchEverythingRules(),
NamespaceSelector: &metav1.LabelSelector{}, NamespaceSelector: &metav1.LabelSelector{},
FailurePolicy: &policyIgnore, FailurePolicy: &policyIgnore,
AdmissionReviewVersions: []string{"v1beta1"},
}}, }},
ExpectAllow: true, ExpectAllow: true,
ExpectCacheMiss: true, ExpectCacheMiss: true,
@ -591,11 +624,12 @@ func NewCachedClientTestcases(url *url.URL) []CachedTest {
{ {
Name: "cached: service webhook, path 'allow'", Name: "cached: service webhook, path 'allow'",
Webhooks: []registrationv1beta1.Webhook{{ Webhooks: []registrationv1beta1.Webhook{{
Name: "cache3", Name: "cache3",
ClientConfig: ccfgSVC("allow"), ClientConfig: ccfgSVC("allow"),
Rules: newMatchEverythingRules(), Rules: newMatchEverythingRules(),
NamespaceSelector: &metav1.LabelSelector{}, NamespaceSelector: &metav1.LabelSelector{},
FailurePolicy: &policyIgnore, FailurePolicy: &policyIgnore,
AdmissionReviewVersions: []string{"v1beta1"},
}}, }},
ExpectAllow: true, ExpectAllow: true,
ExpectCacheMiss: false, ExpectCacheMiss: false,
@ -603,11 +637,12 @@ func NewCachedClientTestcases(url *url.URL) []CachedTest {
{ {
Name: "uncached: url webhook, path 'allow'", Name: "uncached: url webhook, path 'allow'",
Webhooks: []registrationv1beta1.Webhook{{ Webhooks: []registrationv1beta1.Webhook{{
Name: "cache4", Name: "cache4",
ClientConfig: ccfgURL("allow"), ClientConfig: ccfgURL("allow"),
Rules: newMatchEverythingRules(), Rules: newMatchEverythingRules(),
NamespaceSelector: &metav1.LabelSelector{}, NamespaceSelector: &metav1.LabelSelector{},
FailurePolicy: &policyIgnore, FailurePolicy: &policyIgnore,
AdmissionReviewVersions: []string{"v1beta1"},
}}, }},
ExpectAllow: true, ExpectAllow: true,
ExpectCacheMiss: true, ExpectCacheMiss: true,
@ -615,11 +650,12 @@ func NewCachedClientTestcases(url *url.URL) []CachedTest {
{ {
Name: "cached: service webhook, path 'allow'", Name: "cached: service webhook, path 'allow'",
Webhooks: []registrationv1beta1.Webhook{{ Webhooks: []registrationv1beta1.Webhook{{
Name: "cache5", Name: "cache5",
ClientConfig: ccfgURL("allow"), ClientConfig: ccfgURL("allow"),
Rules: newMatchEverythingRules(), Rules: newMatchEverythingRules(),
NamespaceSelector: &metav1.LabelSelector{}, NamespaceSelector: &metav1.LabelSelector{},
FailurePolicy: &policyIgnore, FailurePolicy: &policyIgnore,
AdmissionReviewVersions: []string{"v1beta1"},
}}, }},
ExpectAllow: true, ExpectAllow: true,
ExpectCacheMiss: false, ExpectCacheMiss: false,

10
pkg/admission/plugin/webhook/util/client_config.go
View File

@ -40,3 +40,13 @@ func HookClientConfigForWebhook(w *v1beta1.Webhook) webhook.ClientConfig {
} }
return ret return ret
} }
// HasAdmissionReviewVersion check whether a version is accepted by a given webhook.
func HasAdmissionReviewVersion(a string, w *v1beta1.Webhook) bool {
for _, b := range w.AdmissionReviewVersions {
if b == a {
return true
}
}
return false
}

6
pkg/admission/plugin/webhook/validating/dispatcher.go
View File

@ -108,6 +108,12 @@ func (d *validatingDispatcher) callHook(ctx context.Context, h *v1beta1.Webhook,
} }
} }
// Currently dispatcher only supports `v1beta1` AdmissionReview
// TODO: Make the dispatcher capable of sending multiple AdmissionReview versions
if !util.HasAdmissionReviewVersion(v1beta1.SchemeGroupVersion.Version, h) {
return &webhook.ErrCallingWebhook{WebhookName: h.Name, Reason: fmt.Errorf("webhook does not accept v1beta1 AdmissionReviewRequest")}
}
// Make the webhook request // Make the webhook request
request := request.CreateAdmissionReview(attr) request := request.CreateAdmissionReview(attr)
client, err := d.cm.HookClient(util.HookClientConfigForWebhook(h)) client, err := d.cm.HookClient(util.HookClientConfigForWebhook(h))