✨ Add validating webhook for AWSMachineTemplate #1116
Conversation
k8s-ci-robot
added
cncf-cla: yes
tahsinrahman
force-pushed
the
webhook
branch
3 times, most recently
from
7461e79 to
690d2ec
Compare
| } | ||
|
|
||
| // validateUpdate checks that no immutable fields have been updated | ||
| func validateUpdate(spec *AWSMachineSpec, oldSpec *AWSMachineSpec) error { |
There was a problem hiding this comment.
Are there any fields that we want to be mutable in the template types? @ncdc @vincepri I thought we had wanted to avoid allowing mutability of the template types and instead wanted to require users to update the reference in the MachineDeployment/MachineSet?
If we do want to force full immutability, then we can likely create a generic webhook in CAPI that blocks any update, and just register the webhook for the AWSMachineTemplate type here in CAPA.
There was a problem hiding this comment.
We can allow updates to metadata, but probably all other updates should be rejected. I think we could probably write some generic validation helpers in CAPI, but afaik we still need to do the full webhook code generation & registration for each type.
There was a problem hiding this comment.
According to the docs, we can configure which resources are subject to which admission webhooks at runtime: https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#configure-admission-webhooks-on-the-fly
There was a problem hiding this comment.
Oh, I didn't realize you were thinking about doing it that way. I was thinking of a kubebuilder-ism with its way of registering webhooks.
There was a problem hiding this comment.
We should avoid naming changes to resources given that they're references elsewhere, unless the OwnerReferences get updated automagically?
There was a problem hiding this comment.
As long as it's documented, I think that should be fine. Technically, the same applies for today's default RBAC permissions in CAPI, where we assume bootstrap.<> and infrastructure.<> as default
There was a problem hiding this comment.
@ncdc agreed that clusteradm would be the best place long term to handle this
There was a problem hiding this comment.
@detiber that's right. So the only way to handle this is with the details in the ValidatingWebhookConfiguration.
What do you all think about putting the generic *Template validation as a helper function in cluster-api, but at least for now, having each provider implement their own webhooks for their own templates (using the generic function from cluster-api)?
There was a problem hiding this comment.
@ncdc I think that's fine as long as we track improving that experience later when clusteradm is available.
| // spec.Subnet is a *AWSResourceReference and could technically be | ||
| // a *string, ARN or Filter. However, elsewhere in the code it is only used | ||
| // as a *string, so do the same here. | ||
| if aws.StringValue(spec.Subnet.ID) != aws.StringValue(oldSpec.Subnet.ID) { |
There was a problem hiding this comment.
We should probably check that spec.Subnet isn't nil
| name: validating-webhook-configuration | ||
| webhooks: | ||
| - clientConfig: | ||
| caBundle: Cg== |
There was a problem hiding this comment.
This is generated by kubebuilder. I guess it's a required field. Maybe cert-manager or something else updates it? It decodes to \n.
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: tahsinrahman, vincepri The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
approved
|
/hold |
k8s-ci-robot
added
the
do-not-merge/hold
controllers/awsmachine_controller.go
Outdated
| @@ -282,13 +280,6 @@ func (r *AWSMachineReconciler) reconcileNormal(ctx context.Context, machineScope | |||
| return reconcile.Result{}, nil | |||
| } | |||
|
|
|||
| // TODO(ncdc): move this validation logic into a validating webhook | |||
There was a problem hiding this comment.
I don't see this logic moved anywhere, am i misunderstanding this Webhook?
There was a problem hiding this comment.
It was in an earlier version of this PR. Not sure why it got deleted?
There was a problem hiding this comment.
as entire spec is immutable, instead of checking every field of spec, i did this
if !reflect.DeepEqual(newAWSMachineTemplate.Spec, oldAWSMachineTemplate.Spec) {
return errors.New("awsMachineTemplateSpec is immutable")
}
There was a problem hiding this comment.
This validation was being used by the AWSMachine controller, where the current webhook is targeting AWSMachineTemplate.
There was a problem hiding this comment.
got it!
that means, we need to deploy another validating webhook for AWSMachine types, to move these logic, right?
There was a problem hiding this comment.
@tahsinrahman are you going to add the AWSMachine validation webhook in this PR?
There was a problem hiding this comment.
Sure, I can add it here, or if it becomes too big for review, i can do it in separate pr, which one works best for you? 😄
There was a problem hiding this comment.
Either way is fine. If you keep them separate, you can retitle this PR to "Add validating webhook for AWSMachineTemplate"?
k8s-ci-robot
added
size/L
tahsinrahman
force-pushed
the
webhook
branch
2 times, most recently
from
f3bb900 to
35a1361
Compare
tahsinrahman
changed the title
| namespace: system | ||
| path: /validate-infrastructure-cluster-x-k8s-io-v1alpha2-awsmachinetemplate | ||
| failurePolicy: Fail | ||
| name: vawsmachinetemplate.kb.io |
There was a problem hiding this comment.
Got it, was mostly curious as it reads funny
|
/lgtm |
k8s-ci-robot
added
the
lgtm
|
/hold |
|
Do we need to cut release-0.4 first? |
No, we can branch from any commit at any time. |
|
Do we want to merge this now? It'll break clusterctl |
|
Let's hold on to this until we have all the others open PR merged in 0.4 and we cut the release branch |
|
We also don't have to rush this in. Let's think more about the "clusterctl on master" impact. |
|
/lgtm cancel |
k8s-ci-robot
removed
the
lgtm
|
I'm thinking this will need to move into the v1alpha3 api package (#1202), right? |
|
I updated the pr with v1alpha3 package! |
|
/lgtm |
k8s-ci-robot
added
the
lgtm
|
Yes, master is open for v1alpha3. |
k8s-ci-robot
removed
the
do-not-merge/hold
What this PR does / why we need it:
Which issue(s) this PR fixes (optional, in
fixes #<issue number>(, fixes #<issue_number>, ...)format, will close the issue(s) when PR gets merged):Fixes #886