Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

v0.7.0: Handling empty patch in PatchResponseFromRaw #1295

Closed
tatsuhiro-t opened this issue Dec 15, 2020 · 2 comments · Fixed by #1299
Closed

v0.7.0: Handling empty patch in PatchResponseFromRaw #1295

tatsuhiro-t opened this issue Dec 15, 2020 · 2 comments · Fixed by #1299

Comments

@tatsuhiro-t
Copy link
Contributor

tatsuhiro-t commented Dec 15, 2020
edited
Loading

In admission v1, api server requires that patch and patchType are both provided or none are provided:

https://github.com/kubernetes/apiserver/blob/6d407d18a284aae4db693a8a50ca3647cc3ad429/pkg/admission/plugin/webhook/request/admissionreview.go#L67-L73

admission v1beta1 does not have this kind of requirement.

In controller-runtime, PatchResponseFromRaw sets patchType regardless of existence of patch:

controller-runtime/pkg/webhook/admission/response.go

Line 94 in 5720da0

PatchType: func() *admissionv1.PatchType { pt := admissionv1.PatchTypeJSONPatch; return &pt }(),

So if patch is empty, a response contains only patchType and api server does not like it. Webhook call fails.

To make transition from admission v1beta1 to v1 smooth, it would be nice to set patchType only when patch is not empty, like so:

--- a/pkg/webhook/admission/response.go
+++ b/pkg/webhook/admission/response.go
@@ -91,7 +91,13 @@ func PatchResponseFromRaw(original, current []byte) Response {
                Patches: patches,
                AdmissionResponse: admissionv1.AdmissionResponse{
                        Allowed:   true,
-                       PatchType: func() *admissionv1.PatchType { pt := admissionv1.PatchTypeJSONPatch; return &pt }(),
+                       PatchType: func() *admissionv1.PatchType {
+                               if len(patches) == 0 {
+                                       return nil
+                               }
+                               pt := admissionv1.PatchTypeJSONPatch;
+                               return &pt
+                       }(),
                },
        }
 }
@alvaroaleman
Copy link
Member

@tatsuhiro-t can you send a patch for this?

@tatsuhiro-t
Copy link
Contributor Author

sure.

tatsuhiro-t added a commit to zlabjp/controller-runtime-1 that referenced this issue Dec 16, 2020
@tatsuhiro-t
Do not set PatchType if patch is empty
e5eb107 
In admission v1, API server requires that Patch and PatchType are both
provided or none are provided.  Meanwhile, admission v1beta1 does not
have this kind of requirement.

In controller-runtime, PatchResponseFromRaw sets PatchType regardless
of the existence of patch.  If patch is empty, a response contains
only PatchType and API server does not like it.  Webhook call fails.

This change fixes this issue by not setting PatchType if patch is
empty.

Fixes kubernetes-sigs#1295
@tatsuhiro-t tatsuhiro-t mentioned this issue Dec 16, 2020
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

🐛 Do not set PatchType if patch is empty zlabjp/controller-runtime-1
2 participants
@tatsuhiro-t @alvaroaleman