ee11899e67
changes to the fatal message generated
...
Signed-off-by: Dipankar Das <dipankardas0115@gmail.com>
Kubernetes-commit: 50bc46bd8fdc687811b3e4bba6a3d8d0706c8d59
2023-01-11 08:08:25 +05:30
41fdf0ebe7
Added fatalf for error handling
...
Signed-off-by: Dipankar Das <dipankardas0115@gmail.com>
Kubernetes-commit: 526b4b4ce226349b1e0587db14d1321d0b27bbff
2023-01-07 15:45:45 +05:30
19d202d87c
make CEL admission controller code consumable ( #115412 )
...
* Make policy decision object public
Signed-off-by: Max Smythe <smythe@google.com>
* Separate version conversion from validation
Signed-off-by: Max Smythe <smythe@google.com>
* Address review comments
Signed-off-by: Max Smythe <smythe@google.com>
* Fix variable name
Signed-off-by: Max Smythe <smythe@google.com>
---------
Signed-off-by: Max Smythe <smythe@google.com>
Kubernetes-commit: 0ed74145fb00626ce0e900812a54ca3de5406f2e
2023-02-01 17:29:30 -08:00
d2e96d0915
use transformer to set gvk back
...
Kubernetes-commit: 24fb6b89812ac86622a536dba861729ed5a20b74
2023-01-26 12:14:14 -08:00
721045969b
add unfortunate deepcopy
...
Kubernetes-commit: 65513eac3ab67f08745197d8af469532284b797e
2023-01-24 14:46:35 -08:00
f77de04c6a
fix integration test by working around #3030
...
test uses kind field which is not populated for native types
Kubernetes-commit: 1554e50be43660bc9f03d97cc26b235ad4f94d6c
2023-01-24 12:00:05 -08:00
1b8963b016
use typedinformer if available
...
reduces memory and cpu when things like configmap are used as a param
cannot be shared due to limitatoins of sharedinformerfactory
Kubernetes-commit: b969dfec9fd33f8bfff47e54f2995a4865839ea6
2023-01-19 10:04:52 -08:00
2ea5662b05
use namespacedName for keys in fakeCompiler
...
Kubernetes-commit: 0c495cb429e54a6d25e9252aca3e32fd9f0aef6b
2023-01-19 10:04:46 -08:00
73db86feab
fix bug with param controllers being removed if used by more than one policy
...
Kubernetes-commit: ecd267d097ec7cd26fa5a6343622c3772f66486f
2023-01-17 15:27:45 -08:00
9be70531b4
refactor admission controller to avoid contention
...
refresh admission policies up to once per second based upon last known good data
Kubernetes-commit: 5f59f449832e5206fe9b5fd7d9a43721c4c9ae44
2022-12-15 16:30:52 -08:00
3fe59ceb77
defer Done call
...
safer in case of panic
Kubernetes-commit: 517df8f3051b5b0a9eb57a5bad1d6bc16fb61985
2022-12-15 13:09:11 -08:00
d053de6ca3
Enable propagration of HasSynced
...
* Add tracker types and tests
* Modify ResourceEventHandler interface's OnAdd member
* Add additional ResourceEventHandlerDetailedFuncs struct
* Fix SharedInformer to let users track HasSynced for their handlers
* Fix in-tree controllers which weren't computing HasSynced correctly
* Deprecate the cache.Pop function
Kubernetes-commit: 8100efc7b3122ad119ee8fa4bbbedef3b90f2e0d
2022-11-18 00:12:50 +00:00
47687312f4
Rename FG to `ValidatingAdmissionPolicy`
...
Kubernetes-commit: 29737124860b1414affa07ed6db30fccdbae3b55
2022-11-09 17:27:20 +00:00
55bc692e10
Rename admission cel package to validatingadmissionpolicy
...
Kubernetes-commit: 40c21dafcdb7d4f7ee85c652b362632f3b620861
2022-11-08 14:18:26 +00:00
806e2feeca
add test for error when informers are not ready
...
Kubernetes-commit: acf571fcbed6e762a2a654bfbe6c415e668dfed3
2022-11-09 15:28:37 -08:00
2167932c69
use existing admissionHandler readyfunc to wait for sync
...
is what other plugins do, and should decrease verbosity in logs
Kubernetes-commit: df315f347c911c5cc189d14f6dc70a23da52e57d
2022-11-08 13:07:42 -08:00
8884260fa6
Add metrics integration.
...
Kubernetes-commit: 99494e67779d0db5a1bf304256e7df273070bf95
2022-10-31 19:22:35 +00:00
7c2a6f0ee8
fix possible race in admission test of listwatch
...
Kubernetes-commit: 4e217159cfc1441f3c3234059fc6fca0eb13a66d
2022-11-07 12:01:44 -08:00
0e28c0c81f
Fix params to be null instead of an empty map if paramRef is null
...
Kubernetes-commit: 65460b14d2b9ea20aaf2c6fece191af53ae57249
2022-11-08 13:49:50 -05:00
81aeb1b5e9
Integrate cel admission with API.
...
Co-authored-by: Alexander Zielenski <zielenski@google.com>
Co-authored-by: Joe Betz <jpbetz@google.com>
Kubernetes-commit: e7d83a1fb7b3e4f6a75ed73bc6e410946e12ad9f
2022-11-07 21:38:55 +00:00
58f75bc06a
Add match check for policy and binding.
...
Co-authored-by: Max Smythe <smythe@google.com>
Kubernetes-commit: 46f97d4662d5b403badd29675d79d0c74875b9f0
2022-11-07 21:33:17 +00:00
9f6b13b337
Update admission initializers.
...
Moved RestMapper and add DynamicClient
Kubernetes-commit: c8a089de4692ef94ec25fc5874906640d0ec9a28
2022-11-07 21:24:46 +00:00
464de72d97
Adding new api version of admissionregistration.k8s.io v1alpha1 for CEL in Admission Control
...
Kubernetes-commit: 0486e062618f2181857ae7b235dcd4b8be0964e4
2022-10-04 04:46:55 +00:00
95fe36122a
Fix canonical imports
...
Signed-off-by: Max Smythe <smythe@google.com>
Kubernetes-commit: 003fbae25bf4c76b8b71d56206b51e1ee6e80812
2022-10-25 20:40:27 -07:00
73e7490c2b
Make interface for webhook predicates more specific
...
Signed-off-by: Max Smythe <smythe@google.com>
Kubernetes-commit: 00ebe0bf623295dc589e43e8c299003f9e939f65
2022-10-25 16:34:06 -07:00
3dc8d71b8a
Move webhook scoping rules into a predicates directory
...
Signed-off-by: Max Smythe <smythe@google.com>
Kubernetes-commit: b4ee0c0574932b99a9e877c84d880a5f00fdd3cc
2022-10-25 16:28:16 -07:00
aa161f2fc0
migrate apiserver utiltrace usage to component-base/tracing
...
Kubernetes-commit: de26b9023f2872c5cd7e15fad5dd5ab649222c13
2022-10-20 18:15:38 +00:00
ee983a05da
fix flaky admission tests
...
would fllake .04% of the time on my machine.
In tests waiting for objects to be reconciled, would erroneously treat the "Not Found" case as an error rather than waiting a bit.
also add some more context to test errors to improve debuggability
Kubernetes-commit: bfbc1f3479423b5c53231cfec58895746ef2de69
2022-10-21 09:47:18 -07:00
e25b9399a5
add cel admission controller tests
...
84% coverage
Kubernetes-commit: 8b74e73e3825e725d05376de717ad96506a52eec
2022-10-12 18:03:44 -07:00
cd8f0b6cf7
add cel admission plugin and initializer
...
Kubernetes-commit: a41a536dbdb72877fa48f85272e479eb628e68f8
2022-10-12 10:21:31 -07:00
b154760894
add generics tests
...
84.1% coverage
Kubernetes-commit: 74b103cd52da3b0149aa9e50a569a89bdd46e1db
2022-10-13 13:44:03 -07:00
b1196b949c
add cel admission controller
...
Kubernetes-commit: 2286501e227ead064e95880a6f28904526f887a6
2022-10-12 10:21:08 -07:00
bf7388424e
add OWNERS
...
Kubernetes-commit: c52fae186a60f0d480f26628c55656c76c7ccac0
2022-10-12 16:11:11 -07:00
a32e26b98a
fix: remove redundant error log print
...
Kubernetes-commit: 45ed5ba9939c581d0633772ea3177780fae95db0
2022-09-26 14:52:25 +08:00
7e94033a61
Generate and format files
...
- Run hack/update-codegen.sh
- Run hack/update-generated-device-plugin.sh
- Run hack/update-generated-protobuf.sh
- Run hack/update-generated-runtime.sh
- Run hack/update-generated-swagger-docs.sh
- Run hack/update-openapi-spec.sh
- Run hack/update-gofmt.sh
Signed-off-by: Davanum Srinivas <davanum@gmail.com>
Kubernetes-commit: a9593d634c6a053848413e600dadbf974627515f
2022-07-19 20:54:13 -04:00
4c5e4623d3
cleanup: use append other than for loop
...
Signed-off-by: HaoJie Liu <liuhaojie@beyondcent.com>
Kubernetes-commit: 29b5cd04bd2c7e2676687d3b613c9b065b128e54
2022-07-21 15:29:30 +08:00
057c272d7b
Fix a typo
...
Signed-off-by: ialidzhikov <i.alidjikov@gmail.com>
Kubernetes-commit: b2fc44f3f064f56fd9d772f8ecc192614ed79c69
2022-05-18 13:18:47 +03:00
2428ade32a
Fix leaking goroutines in QuotaEvaluator
...
Kubernetes-commit: 9d974e6e89285e3e0cb7ff928407a3350b224084
2022-05-26 21:10:10 +02:00
5ab2c69c4c
Fix ResourceQuota admission shutdown
...
Kubernetes-commit: f8211d7e447cc6c29139ebf3422f0752278d6da1
2022-05-18 19:30:23 +02:00
25c5c2ccf3
Handle panic during validating admission webhook admission
...
Validating admission webhook evaluation can fail, if uncaught this
crashes a kube-apiserver. Add handling to catch panic while preserving
the behavior of "must not fail".
Kubernetes-commit: d412bf92b3b02bda93707c6aaba945f28bf60c72
2022-03-16 13:47:32 -04:00
80256820ce
storage: move the APIObjectVersioner definition to storage
...
The means by which we extract and parse the version of an API object is
not specific to etcd3. In order to allow for a generic suite of tests
against any storage.Interface imlpementation, we need this logic to live
outside of the etcd3 package, or import cycles will exist.
Signed-off-by: Steve Kuznetsov <skuznets@redhat.com>
Kubernetes-commit: 3939f3003e9605c06f65e64d1fc6f94b294f9d97
2022-05-11 07:44:21 -07:00
72aa2c42fc
refactor: rename webhook duration tracker
...
Kubernetes-commit: 4a9b9028153c6984b9cf69067cc0a1aa12a00e73
2022-02-01 15:44:59 -05:00
dccc77dd13
add failopen metric
...
Kubernetes-commit: 6542f4bb993ebec23ec2198aaba89b629e3ec831
2021-12-21 14:11:12 -08:00
56a3a30ae1
Check in OWNERS modified by update-yamlfmt.sh
...
Signed-off-by: Davanum Srinivas <davanum@gmail.com>
Kubernetes-commit: 9405e9b55ebcd461f161859a698b949ea3bde31d
2021-12-09 21:31:26 -05:00
78c055e084
Added requestSloLatencies metric
...
Kubernetes-commit: 0afa569499d480df4977568454a50790891860f5
2021-10-25 22:19:24 +00:00
18b69ef17d
Switch from json-iterator to utiljson
...
Kubernetes-commit: bba877d3a6d0e6498d5e43a54939d5e4e8baee1a
2021-09-14 17:54:37 -04:00
b898581360
Migrate to k8s.io/utils/clock in apiserver
...
Kubernetes-commit: 859a98c0358610e2c127cd2fba1be601ca975188
2021-09-14 20:36:07 +02:00
771ffe6475
generated: Run hack/update-gofmt.sh
...
Signed-off-by: Stephen Augustus <foo@auggie.dev>
Kubernetes-commit: 481cf6fbe753b9eb2a47ced179211206b0a99540
2021-08-12 17:13:11 -04:00
0741f109f6
Add a new webhook metric tracking request totals.
...
Also add a 1.0s bucket boundary to the webhook latency metric.
Kubernetes-commit: 8ed1628a6e75f4029853502dbac44fdb0edac5fc
2021-06-22 22:32:47 +00:00
2402d951d2
Revert "Add a namespace label to admission metrics and expand histogram range to 0-10s"
...
Kubernetes-commit: 1a87ae19a62d0c61afa6b381a54c6798effa49eb
2021-07-30 14:34:45 +02:00
fe1610f3fe
switch from golang-lru to the one in k8s.io/utils
...
Signed-off-by: Davanum Srinivas <davanum@gmail.com>
Kubernetes-commit: 79d0c6cdc10293c9bfe644ce31dc186a936579b0
2021-07-07 13:45:07 -04:00
7edb7c1c1e
Add attr to the argument list of ObserveWebhookRejection, and remove
...
operation, as it is included in attr.
Kubernetes-commit: fb23e449ab680bc53fc1aae826e377c1153d51e4
2021-05-18 17:42:02 +00:00
f9b4d95442
add fail-open audit logs to validating and mutating admission webhook
...
Kubernetes-commit: 9fe7c8955bcb1edbb5aa4fe6bfb8bb6d93d381de
2021-05-18 13:31:03 -04:00
8c01d7fe18
apiserver: wrap errors in admission with context
...
When the API server encounters an error during admission webhook
handling, lower-level errors are bubbled up without any additional
context added. This leads to fairly opaque and unintelligible errors. It
is not clear to users if the API server itself is having an error (for
instance, fetching the REST client) or if the request to the webhook
failed in some way.
Signed-off-by: Steve Kuznetsov <skuznets@redhat.com>
Kubernetes-commit: ae9e71ba68cb1dd00bb5ed2635bac9aab2abbafe
2021-04-27 11:19:01 -07:00
887895128f
staging/src/k8s.io/apiserver/pkg/admission: migrate to structured logs
...
Kubernetes-commit: 2dc8cadd00962512fa90c460b9fa86a175ca73fc
2021-01-18 17:19:32 +08:00
4c292300d7
add context to metrics in apiserver admission webhook
...
Kubernetes-commit: b3aeaa4ed7bf8d419a96b4456a97bdf4c29e4330
2020-12-09 16:46:15 -08:00
ee05a4663e
bugfix: check Spec.AllocateLoadBalancerNodePorts for nodeport and skip zero usage in delta evaluator
...
Signed-off-by: pacoxu <paco.xu@daocloud.io>
When Spec.AllocateLoadBalancerNodePorts is "false" NodePort shall
not be included when computing quota for type:LoadBalancer.
Co-authored-by: uablrek
Kubernetes-commit: 15867d9e8a1faf007f6df563c26a9b5e8744b2a1
2020-12-22 19:19:15 +08:00
5d58b175c8
fix S1021 var declaration
...
Signed-off-by: Ken Sipe <kensipe@gmail.com>
Kubernetes-commit: 6c49299739a9819c3672248517ab3d6636d1d8c6
2020-06-25 17:10:34 -05:00
8e88bf25dd
Fix go lint on folder apimachinery/pkg/runtime/serializer/json
...
Kubernetes-commit: 4b8b9c92bfc4bffe2fbaca3c5a5f731b77dc8915
2020-11-06 20:20:57 -03:00
618f4b129a
Make the creation of namespace using POST and PATCH consistent
...
PATCH verb is used when creating a namespace using server-side apply,
while POST verb is used when creating a namespace using client-side
apply.
The difference in path between the two ways to create a namespace led to
an inconsistency when calling webhooks. When server-side apply is used,
the request sent to webhooks has the field "namespace" populated with
the name of namespace being created. On the other hand, when using
client-side apply the "namespace" field is omitted.
This commit aims to make the behaviour consistent and populates the
"namespace" field when creating a namespace using POST verb (i.e.
client-side apply).
Kubernetes-commit: 3cb510e33eecbdc37aad14f121396ccfbf5268cb
2020-09-21 12:13:12 +02:00
8622b05104
fix duplicate testcase names
...
Kubernetes-commit: c3f71ad5487844e4cdd01702d4df3ac8606ca397
2020-09-17 17:15:05 -07:00
db03041f4b
Add more tests for LRU cache lookup
...
Kubernetes-commit: cc0b86fa3c5d83ab8023f9403feee3928794f85a
2020-08-04 14:57:45 +02:00
50305ec465
Move ResourceQuota admission to k8s.io/apiserver
...
Kubernetes-commit: 70d440bc7e3ec31b3f193b85f265b39d629aa3bb
2020-07-29 10:34:39 +02:00
ada9fc3d08
extend ShouldCallHook benchmark to verify performance imporvement
...
Kubernetes-commit: 850a913ea98a070e26cc62cbf95508084e8cc66b
2020-07-28 10:09:37 +08:00
7e3b5e44da
skip mismatched webhookAccessor and object
...
Kubernetes-commit: c1d78f2619b69585713597e4ffdaeef12b6c20ec
2020-07-01 23:57:04 +08:00
97937c66f2
Revert nested trace PR#88936
...
Kubernetes-commit: 02cf58102a61b6d1e021e256381ff750573ce55d
2020-07-20 09:55:05 -07:00
7a467399ac
Enable nested tracing, add request filter chain tracing incl. authn/authz tracing
...
Kubernetes-commit: b12ac0abc64adb71d97fbde12f373b1424631f20
2020-03-06 16:11:21 -08:00
ff5372c83d
Add warnings capability for admission webhooks
...
Kubernetes-commit: 5eef60a00aeb18eda4238dbd8f6dc96930a6a05a
2020-06-30 16:27:56 -04:00
5879417a28
switch over k/k to use klog v2
...
Signed-off-by: Davanum Srinivas <davanum@gmail.com>
Kubernetes-commit: 442a69c3bdf6fe8e525b05887e57d89db1e2f3a5
2020-04-17 15:25:06 -04:00
337d7943db
generated: run refactor
...
Kubernetes-commit: 3aa59f7f3077642592dc8a864fcef8ba98699894
2020-02-07 18:16:47 -08:00
f7c2e26715
cleanup req.Context() and ResponseWrapper
...
Kubernetes-commit: 968adfa99362f733ef82f4aabb34a59dbbd6e56a
2020-01-27 18:52:27 -08:00
5737088b7f
refactor
...
Kubernetes-commit: d55d6175f8e2cfdab0b79aac72046a652c2eb515
2020-01-27 18:19:44 -08:00
b858bded65
Promote WebhookAdmissionConfiguration to v1
...
Kubernetes-commit: 71fad812caf6be07be3c5eabe9fdc39c29f7b2a9
2019-11-12 09:43:35 -05:00
331894196f
add featuregate inspection as admission plugin initializer
...
Kubernetes-commit: 675c2fb924e82091f7ce4601e48daf4cc7030e72
2019-11-05 14:28:40 -05:00
3d42d38e70
namespace: Provide a special status cause when a namespace is terminating
...
Clients should be able to identify when a namespace is being terminated and
take special action such as backing off or giving up. Add a helper for
getting the cause of an error and then add a special cause to the forbidden
error that namespace lifecycle admission returns. We can't change the forbidden
reason without potentially breaking older clients and so cause is the
appropriate tool.
Add `StatusCause` and `HasStatusCause` to the errors package to make checking
for causes simpler. Add `NamespaceTerminatingCause` to the v1 API as a constant.
Kubernetes-commit: a62c5b282fda7c0832d329cde45e5e0a836924e8
2019-10-19 22:57:21 -04:00
c51b9411f6
Switch admission webhook config manager to v1
...
Kubernetes-commit: f247e75980061d7cf83c63c0fb1f12c7060c599f
2019-08-01 21:57:39 -04:00
25bf5d3b30
Add integration test for webhook client auth
...
Kubernetes-commit: e734c70e037cf1311581eb61ae3e45adaa76771b
2019-09-02 22:37:07 -04:00
80b9dc503b
Plumb service port, URL port to webhook client auth resolution
...
Kubernetes-commit: d127042cb81cbf545332ec3124161525ef84183c
2019-09-02 22:38:36 -04:00
ce4eaaeeb3
Make webhook benchmarks parallel
...
Kubernetes-commit: 601b7d33a9cf0b724cdabb5de81b0bf2821f0fca
2019-08-28 13:27:38 -04:00
8d86fef522
wire up the webhook rejection metrics in webhook handlers
...
Kubernetes-commit: 620f5f2c587971be50cb27bb2a2d35209b3dc058
2019-08-28 17:32:07 -07:00
e248b8b513
fix semantics of the rejected label in webhook metrics
...
when error calling webhook is ignored, do not log the request as
rejected
Kubernetes-commit: f3c793512b45ea3910d5e5a379292c13b62ab64b
2019-08-28 15:31:27 -07:00
58f780d1e2
Use cached selectors/client for webhooks
...
Kubernetes-commit: 8c10d929cac13dc50ca4ffaca83e7ae5c8e41292
2019-08-24 17:12:14 -04:00
b7340127c3
Add admission benchmarks
...
go test ./vendor/k8s.io/apiserver/pkg/admission/plugin/webhook/validating -bench . -benchmem -run DoNotRun
go test ./vendor/k8s.io/apiserver/pkg/admission/plugin/webhook/mutating -bench . -benchmem -run DoNotRun
Kubernetes-commit: 27f535e26ad88fa30d5c0fcde4bc31897b9d521c
2019-08-24 17:40:07 -04:00
eb2a4467ba
Let webhook accessors construct client/selectors once
...
Kubernetes-commit: 14154c2345e7e467be0ff003c61cec9c0bd2be3e
2019-08-20 17:16:21 -04:00
db2bae4d84
tests
...
Kubernetes-commit: d35757c653893279df566985c3368f0277fe7c02
2019-05-31 16:22:55 -07:00
f4a47ec53f
mutating webhook: audit log mutation existence and actual patch
...
Kubernetes-commit: 7784353a69932a4e7b4dde55b78828abf5fa4ee6
2019-05-31 16:22:30 -07:00
70c200c6a0
audit & admission: associate annotation with audit level
...
Kubernetes-commit: 318226f3403f56aaf796af3f439c13674aa2b7ab
2019-05-31 15:36:29 -07:00
71ef46fa12
Use lesser of context or webhook-specific timeout in webhooks
...
Kubernetes-commit: c63284b1f3996e7830c1aca85281d349d0091c82
2019-08-19 11:23:05 -04:00
0c706a033c
Plumb context to admission Admit/Validate
...
Kubernetes-commit: 61774cd7176cae0c0324d23ab20e6c6b3038153f
2019-08-19 10:48:08 -04:00
f103fcda51
Replace string concatination with trace fields
...
Kubernetes-commit: 46a04d50af78e01d06a9879d62cc71fbe892076f
2019-08-02 23:47:24 -07:00
81b56d7030
Add trace to webhook invocations
...
Kubernetes-commit: 31799ebe88534272d45c2a33396e343a5083c773
2019-05-31 16:50:54 -07:00
90d670a108
AdmissionReview: Allow webhook admission to dispatch v1 or v1beta1
...
Kubernetes-commit: dda9bcb082be058c30c83d45e757edbaac8dc65f
2019-07-12 08:44:24 -04:00
65ba1e64bc
Adding test cases to make sure objectSelector works for CRD
...
Kubernetes-commit: 58fa71d1ed375876a86fe5961ad5a87a0eb23fa2
2019-05-31 10:12:42 -07:00
32d3c876b0
Flake fix: poll for webhook registration to complete in reinvocation integration tests
...
Kubernetes-commit: e51320f69d92e4d08bc25eec5a4b7a58d23184ab
2019-06-04 14:19:26 -07:00
ec622aa8bd
minor changes, propagating interface changes
...
Kubernetes-commit: 7738c7ee8fbbaa79aed2ca221141a6b3b4f826be
2019-05-29 17:20:43 -07:00
8658264258
object matcher
...
Kubernetes-commit: 6cf499db6c1dd464c6072706106dec6c5284dff7
2019-05-29 15:56:52 -07:00
b22ec2bd98
Add mutating admission webhook reinvocation
...
Kubernetes-commit: 95fa928ecb636e8d16af31ab613678c555fc76a3
2019-05-29 22:31:26 -07:00
b2b1ef14ec
split admissionregistration.v1beta1/Webhook into MutatingWebhook and ValidatingWebhook
...
Kubernetes-commit: 55ecc45455f191c404e355097bf1beae9c42f895
2019-05-29 21:30:45 -07:00
0e6c33d9b7
Consider equivalent resources when calling webhook
...
Kubernetes-commit: f2abdcf43f5e0435824104fe6f1af9fb3871d455
2019-05-20 14:36:19 -04:00
d555b9c5d2
Move object conversion to webhook dispatch point
...
convert versionedattrs as needed
Allow per-webhook kind/version
Kubernetes-commit: fc495f457f8b7c58d062d12b03a96abd0879e4d2
2019-05-20 12:10:49 -04:00
054e44a286
make ObjectInterfaces impl generic
...
Kubernetes-commit: 9071d21e3b1989ffeee4f533406e4fef6bf32aa8
2019-05-13 11:22:11 -04:00
afec0f3efa
Skip namespace selector evaluation for 'select all' selectors
...
Kubernetes-commit: e068a98f4fed7ad1fa92acc00c5d3210acd29675
2019-05-20 17:45:34 -04:00
f384b59525
Update tests for: Pass {Operation}Option to Webhooks
...
Kubernetes-commit: 900d652a9ac11e53293950b3d191295c21430215
2019-05-07 13:37:07 -07:00
19327df6d5
Pass {Operation}Option to Webhooks
...
Kubernetes-commit: 140c8c73a64deb102b528109138ca9fb7dbb2392
2019-05-07 13:34:18 -07:00
7c5dd5a07b
Ensure 4xx+ response codes from webhook rejections
...
Kubernetes-commit: 50076439fccb4ed6cf7b59f6f4add279ee7751aa
2019-04-24 15:27:19 -04:00
5ba3621283
webhook: respect the status error from webhook
...
today, apiserver generates an internal server error for any call
to mutatingwebhook if it gives allowed=false. this is not right as
it is really not an intenal error, it can be a forbidden as well
if the webhook wants it to be.
Kubernetes-commit: c2fcdc818be1441dd788cae22648c04b1650d3af
2019-01-09 14:28:33 -08:00
6c13576bf2
Add port to ServiceResolvers
...
Kubernetes-commit: 11f37d757fc0b710245446c80a8c9578ce2c02f1
2019-03-01 16:32:50 -08:00
81939cee8f
Add AdmissionReviewVersions to admissionregistration and default it
...
Kubernetes-commit: f7dff4725f8dc694a852e7fdbdde2c8a6dd5b7d4
2019-03-04 20:52:57 -08:00
e63ca1e6d5
Add scope restrictions to webhook admission rules
...
Kubernetes-commit: 0797d812220be9b76716d366f13215b94b70bf5d
2019-02-24 15:18:05 -05:00
30a9fb6e25
honor timeout when dispatch
...
Kubernetes-commit: e1e9ee53113413a1038a3f12c87acc61baaf726b
2019-02-26 14:42:55 -08:00
3f0755b631
Explicitly set GVK when sending objects to webhooks
...
Kubernetes-commit: e752a48a3012e43e4471cce0412cd9beadd3be57
2019-02-23 00:19:47 -05:00
0fbb46dc25
Remove the propagated scheme from the Admission chain
...
Kubernetes-commit: cebb4ee2ac9e19fe90f78c3285978e585e67a3ac
2019-02-16 13:28:14 -08:00
792921debf
Mechanical changes due to signature change for Admit and Validate functions
...
Kubernetes-commit: d08bc3774dfd93ba9fa389062900a5ffb25768d6
2019-02-16 00:44:29 -08:00
87b5ac0c06
Add ObjectInterfaces to Admission and Validation
...
Kubernetes-commit: 513a87c7b25aa58f84fafe0dc170cee4c76e481b
2019-02-16 12:27:24 -08:00
8f8d23605e
fix shellcheck in k8s.io/apiserver
...
Kubernetes-commit: 481c2d8e03508dba2c28aeb4bba48ce48904183b
2019-01-24 13:55:09 +08:00
123cf8011f
Remove alpha InitializerConfiguration types, Initializers admission plugin
...
Kubernetes-commit: dc1fa870bff65c20f48a83ea3af54adb3f526e28
2019-01-16 10:19:44 -05:00
d294e6b5b4
Update non-test code to use DefaultMutableFeatureGate
...
Kubernetes-commit: d440ecdd3b41a4fc4a207195e1bb976422d6d35e
2018-11-20 23:59:52 -05:00
2710b17b80
Move from glog to klog
...
- Move from the old github.com/golang/glog to k8s.io/klog
- klog as explicit InitFlags() so we add them as necessary
- we update the other repositories that we vendor that made a similar
change from glog to klog
* github.com/kubernetes/repo-infra
* k8s.io/gengo/
* k8s.io/kube-openapi/
* github.com/google/cadvisor
- Entirely remove all references to glog
- Fix some tests by explicit InitFlags in their init() methods
Change-Id: I92db545ff36fcec83afe98f550c9e630098b3135
Kubernetes-commit: 954996e231074dc7429f7be1256a579bedd8344c
2018-11-09 13:49:10 -05:00
26065df432
CRD Conversion
...
Kubernetes-commit: e2ca575d0f40d94578c7c0babce543ab5199d2d0
2018-11-09 14:55:06 -08:00
8d99f185d1
fix some golint in staging/src/k8s.io/apiserver/pkg/admission/plugin/
...
Kubernetes-commit: 3de8767dc6ca8d47d29f99c2956a5fcf54df84d9
2018-09-26 14:30:50 +08:00
90f716757e
*: Remove comment tags in GoDoc
...
Adding blank line between comment tag and package name in doc.go. So
that the comment tags such as '+k8s:deepcopy-gen=package' do not show up
in GoDoc.
Kubernetes-commit: 61117761cd4a1b2e6ad9ff2d7eb915f3d2739dc6
2018-09-04 14:08:32 -07:00
0e8a1a0c6e
Modification: revise some errors about golint in some packages
...
1. pkg/client
2. staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook/testing
Related to: https://github.com/kubernetes/kubernetes/issues/68026
Kubernetes-commit: 1fbb8b20e20616e1a1e957c01b1bb595c7703433
2018-08-31 13:22:25 +08:00
21f6e2bcdd
Refactor addmission webhook hook client to a util package
...
Kubernetes-commit: 5652d5cffadcd8a2f107b6aecf5fc06c0fc473f1
2018-08-26 23:20:23 +10:00
817f61120c
Support dry run in admission webhooks
...
Kubernetes-commit: 2d0ec48f9beea6182a9a3bfdcc5eb98e50b44f77
2018-08-21 16:06:27 -07:00
9ee094cdf2
support annotations for admission webhook
...
Kubernetes-commit: 0ebfc3e07866494049f44cd008e5cbfe4d81d4af
2018-07-31 13:25:53 +08:00
fef02d6bec
Add test cases for webhook dry run
...
Kubernetes-commit: 3a506be626398f927049c3ce735fd29ac0efd5f1
2018-08-07 14:59:29 -07:00
53e7058d7c
Fix typo in webhook dry-run check
...
Kubernetes-commit: aa36dc94cd7a2e538ad5e6ef8999fbbe9dc0df78
2018-08-07 14:37:24 -07:00
dc1d8e7050
block dry run if a webhook would be called
...
Kubernetes-commit: e4c219df42c77ecb8f0588197072bef81bca7429
2018-08-07 09:27:18 -07:00
91278157f6
Support dry run in admission plugins
...
Kubernetes-commit: adafb1365e2b9f6c422c437e916e22a4fe1c2e3a
2018-08-06 10:37:44 -07:00
0511e4e41d
fix a TODO in ValidatingAdmissionWebhook
...
Kubernetes-commit: 162499515c0813f579770091dc30925207d063b2
2018-06-04 14:55:46 +08:00
a1b44cc72f
Do not attempt to convert nil object during DELETE webhook admission
...
Kubernetes-commit: aad0e2e15f789fc3768d6e5607b86e8b824b3917
2018-07-20 00:15:49 -04:00
7694cbf962
generated: Avoid use of reflect.Call in conversion code paths
...
Kubernetes-commit: ef561ba8b58a4427a51b2b5dbb9ad633e45f04a7
2018-07-03 16:17:14 -04:00
0f7bbcadfb
Add missing error handling in schema-related code
...
Kubernetes-commit: bfe313d5f351dfae086a85a97e7103183173e5b5
2018-06-03 14:59:58 +10:00
d51f943047
fix field removal in mutating admission webhooks
...
A mutating admission controller webhook doesn't remove object fields
when instructed to.
E.g. when the JSON patch
[
{"op": "remove", "path": "/spec/containers/0/resources/limits/fpga-arria10"},
{"op": "add", "path": "/spec/containers/0/resources/limits/fpga-interface-id-524abcf", "value": 1}
]
is applied to this pod
apiVersion: v1
kind: Pod
metadata:
name: test-pod
spec:
restartPolicy: Never
containers:
-
name: test-pod-container
image: ubuntu:bionic
imagePullPolicy: IfNotPresent
command: [ "ls", "-l", "/" ]
resources:
limits:
fpga-arria10: 1
in order to replace the resource name "fpga-arria10" with something understandable
by the device plugin the resulting pod spec still contains the old field plus
a new one. The resulting pod looks like
apiVersion: v1
kind: Pod
metadata:
name: test-pod
spec:
restartPolicy: Never
containers:
-
name: test-pod-container
image: ubuntu:bionic
imagePullPolicy: IfNotPresent
command: [ "ls", "-l", "/" ]
resources:
limits:
fpga-arria10: 1
fpga-interface-id-524abcf: 1
The patch unmarshals patched JSON into a new empty object instead of
existing one. Otherwise JSON unmarshaling reuses existing maps, keeping
existing entries as specified in the "encoding/json" standard package.
Kubernetes-commit: 4a72e17bd227b79ed89981735691af3601043bf9
2018-05-23 16:57:54 +03:00
5b356b15a2
Use Dial with context
...
Kubernetes-commit: 5e8e570dbda6ed89af9bc2e0a05e3d94bfdfcb61
2018-05-19 08:14:37 +10:00
c41d1d0993
simplify api registration
...
Kubernetes-commit: c5445d3c56e06ab366b9cca34bd69c5cc386ec47
2018-05-07 08:32:20 -04:00
0203b2aa93
Update all script to use /usr/bin/env bash in shebang
...
Kubernetes-commit: 9b15af19b22e91284eeb89827b2091caaec25bf6
2018-04-16 18:31:44 +02:00
88d943c0e6
eliminate indirection from type registration
...
Kubernetes-commit: e7fbbe0e3c91f34836b999e695aa133503cfdae5
2018-04-24 08:21:23 -04:00
62408eb418
Honor existing CA bundle and TLS server name in webhook client
...
Kubernetes-commit: 54c883f27bdb9ac1bd6602e34643296644e574f7
2018-04-17 01:01:30 -04:00
584fe98b64
admission/webhook: fix panic from empty response in mutating webhooks
...
Kubernetes-commit: 10969e1b8dcb89cc97d591df63be7464cefb454b
2018-02-12 14:58:57 +01:00
378bb80fc8
admission/webhook: refactor to webhook = generic-webhook + source + dispatcher
...
- unify test cases
- remove broken VersionedAttributes override abstraction
This overriding had no effect. The versioned.Attributes were never
used as admission.Attributes.Better make the versioned objects
explicit than hiding them under a wrong abstraction.
- remove wrapping of scheme.Convert
- internalize conversion package
Kubernetes-commit: 72f8a369d021037ca6179339d50ad595b5462a6c
2018-01-16 10:37:41 +01:00
716af975eb
regenerated all files and remove all YEAR fields
...
Kubernetes-commit: b49ef6531c11f1c834e0d7591f5c965f6193c711
2018-01-22 20:37:53 +08:00
627fa76a8b
sync: initially remove files BUILD */BUILD BUILD.bazel */BUILD.bazel
2018-03-15 09:38:17 +00:00
f86f44d94d
Make admission webhooks work in custom apiservers.
...
Created a scheme that only understands admission/v1beta1 and use it to
encode/decode admissionReviews.
Also made the NegotiationSerializer setup static
Kubernetes-commit: 3ab516035d17c2b2798797eb8ee85522ccbc051e
2018-03-09 11:25:34 -08:00
c28dea8a20
Make admission webhooks not ignore scheme
...
Kubernetes-commit: 7d5696eb6d98a0ce76e4fe18c3e37aec05060b46
2018-03-08 11:35:13 -08:00
89e1aa5933
Prevent webhooks from affecting admission requests for webhooks
...
Kubernetes-commit: 58b43ad27d00191cf5291d8508dc346f1924b785
2018-03-05 16:35:52 -08:00
9fa0aca343
Run hack/update-all.sh
...
Kubernetes-commit: c8dacd8e631f59ef158c79156d77a99fd2a632cc
2018-02-26 17:16:14 -08:00
1ab12b2dc8
Autogenerated: hack/update-bazel.sh
...
Kubernetes-commit: ef56a8d6bb3800ab7803713eafc4191e8202ad6e
2018-02-16 13:43:01 -08:00
9535cc877f
run update bazel staging-dep
...
Kubernetes-commit: ea7a71301009fb3e0426ea93f070c27538e59f86
2017-11-29 23:28:53 +08:00
3dc2191ae3
add wait ready for mutating/validating webhook configuration
...
Kubernetes-commit: ec3925978511cc6b844c5b479c9b30ae21a0136a
2017-12-06 11:06:04 +08:00
Dipankar Das