Split the resource semantic webhooks into separate AdmissionControllers #848

Merged (1 commit), Nov 15, 2019

mattmoor (Member) commented Nov 5, 2019

By combining our validation logic into our mutating webhook we were previously allowing for mutating webhooks evaluated after our own to modify our resources into invalid shapes. There are no guarantees around ordering of mutating webhooks (that I could find), so the only way to remedy this properly is to split apart the two into separate webhook configurations:

  • defaulting: which runs during the mutating admission webhook phase
  • validation: which runs during the validating admission webhook phase.

The diagram in this post is very helpful in illustrating the flow of webhooks.

Fixes: #847

/hold

I need to stage downstream PRs for this.

knative-prow-robot added the do-not-merge/hold label Nov 5, 2019
googlebot added the cla: yes label Nov 5, 2019
knative-prow-robot added the size/XXL and approved labels Nov 5, 2019
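
An added Go sketch of the ordering problem described in the PR description above; it is not code from this PR or from knative/pkg. `Resource`, `admit`, `combined`, `defaulting` and `otherWebhook` are hypothetical names, and the two-phase loop is a simplified model of the API server's admission flow.

```go
package main

import "fmt"

// Resource is a constructed stand-in for a custom resource; Timeout must be 1..600.
type Resource struct{ Timeout int }

func setDefaults(r *Resource) {
	if r.Timeout == 0 {
		r.Timeout = 300
	}
}

func validate(r Resource) error {
	if r.Timeout < 1 || r.Timeout > 600 {
		return fmt.Errorf("timeout %d out of range 1..600", r.Timeout)
	}
	return nil
}

// admit models the two phases: all mutating webhooks, then all validating ones (read-only).
func admit(r Resource, mutating []func(*Resource) error, validating []func(Resource) error) (Resource, error) {
	for _, m := range mutating {
		if err := m(&r); err != nil {
			return r, err
		}
	}
	for _, v := range validating {
		if err := v(r); err != nil {
			return r, err
		}
	}
	return r, nil
}

// combined is the pre-split shape: default and validate in one mutating webhook.
func combined(r *Resource) error { setDefaults(r); return validate(*r) }

// defaulting is the post-split mutating half; validate moves to the validating phase.
func defaulting(r *Resource) error { setDefaults(r); return nil }

// otherWebhook is a hypothetical third-party mutator that happens to run after ours.
func otherWebhook(r *Resource) error { r.Timeout = -1; return nil }

func main() {
	stored, err := admit(Resource{}, []func(*Resource) error{combined, otherWebhook}, nil)
	fmt.Println("combined:", stored, err) // the invalid object is admitted
	_, err = admit(Resource{}, []func(*Resource) error{defaulting, otherWebhook}, []func(Resource) error{validate})
	fmt.Println("split:", err) // rejected in the validating phase
}
```

In the combined shape the object that would be persisted carries the value written by the later mutator, which the in-webhook validation never saw.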
mattmoor (Member Author) commented Nov 5, 2019

This also removes the long-deprecated apis.Immutable support in the webhook.

webhook/resourcesemantics/validation/validation.go
ctx = apis.WithUserInfo(ctx, &req.UserInfo)

// None of the validators will accept a nil value for newObj.
if newObj == nil {
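Review bot: the comment above `if newObj == nil {` states the invariant (no validator accepts a nil newObj) but not which requests arrive with a nil newObj; naming that case in the comment would let a reader confirm that whatever this branch does cannot skip a check that should have run. The guard also sits after `ctx = apis.WithUserInfo(ctx, &req.UserInfo)`, so if it is hoisted, place it ahead of any context setup the nil branch does not need.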
Contributor commented:

This should be moved quite a lot up. No reason to deal with deserialization of the oldObj.

Member Author commented:

This is largely copy/pasta, so I'd rather leave it for a follow-up cleanup pass.

mattmoor added a commit to mattmoor/serving that referenced this pull request Nov 6, 2019
mattmoor added a commit to mattmoor/eventing that referenced this pull request Nov 6, 2019
vagababov (Contributor) commented:

/lgtm

knative-prow-robot added the lgtm label Nov 6, 2019
vaikas (Contributor) commented Nov 7, 2019

/lgtm
/approve

knative-prow-robot (Contributor) commented:

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: mattmoor, vaikas


matzew (Member) commented Nov 8, 2019

hold can be removed?

mattmoor added a commit to mattmoor/serving that referenced this pull request Nov 14, 2019
mattmoor added a commit to mattmoor/eventing that referenced this pull request Nov 14, 2019
mattmoor added a commit to mattmoor/sample-controller that referenced this pull request Nov 14, 2019
mattmoor added a commit to mattmoor/sample-controller that referenced this pull request Nov 15, 2019
By combining our validation logic into our mutating webhook we were previously allowing for mutating webhooks evaluated after our own to modify our resources into invalid shapes.  There are no guarantees around ordering of mutating webhooks (that I could find), so the only way to remedy this properly is to split apart the two into separate webhook configurations:
 - `defaulting`: which runs during the mutating admission webhook phase
 - `validation`: which runs during the validating admission webhook phase.

The diagram in [this post](https://kubernetes.io/blog/2019/03/21/a-guide-to-kubernetes-admission-controllers/) is very helpful in illustrating the flow of webhooks.

Fixes: knative#847
knative-metrics-robot commented:

The following is the coverage report on the affected files.
Say /test pull-knative-pkg-go-coverage to re-run this coverage report

| File | Old Coverage | New Coverage | Delta |
|---|---|---|---|
| webhook/resourcesemantics/defaulting/controller.go | Do not exist | 100.0% | |
| webhook/resourcesemantics/defaulting/defaulting.go | Do not exist | 88.5% | |
| webhook/resourcesemantics/defaulting/user_info.go | Do not exist | 93.3% | |
| webhook/resourcesemantics/validation/controller.go | Do not exist | 100.0% | |
| webhook/resourcesemantics/validation/validation.go | Do not exist | 94.7% | |
| webhook/webhook.go | 83.6% | 82.7% | -0.9 |

n3wscott (Contributor) commented:

/lgtm

This is gonna fix some weird bugs.

knative-prow-robot added the lgtm label Nov 15, 2019
mattmoor (Member Author) commented:

/hold cancel

knative-prow-robot removed the do-not-merge/hold label Nov 15, 2019
knative-prow-robot merged commit 4836f68 into knative:master Nov 15, 2019
mattmoor deleted the split-webhook branch November 15, 2019 00:51
mattmoor added a commit to mattmoor/serving that referenced this pull request Nov 15, 2019
mattmoor added a commit to mattmoor/eventing that referenced this pull request Nov 15, 2019
knative-prow-robot pushed a commit to knative-extensions/sample-controller that referenced this pull request Nov 15, 2019
knative-prow-robot pushed a commit to knative/eventing that referenced this pull request Nov 15, 2019
knative-prow-robot pushed a commit to knative/serving that referenced this pull request Nov 15, 2019
imjasonh added a commit to imjasonh/pkg that referenced this pull request Mar 22, 2021
`NewAdmissionController` was moved to `resourcesemantics/validation` in knative#848 and this doc wasn't updated.
knative-prow-robot pushed a commit that referenced this pull request Mar 30, 2021
`NewAdmissionController` was moved to `resourcesemantics/validation` in #848 and this doc wasn't updated.
Successfully merging this pull request may close these issues.

Split apart resource webhook