⚠ Add admissionregisteration/v1 support for webhook #469
Conversation
k8s-ci-robot
added
the
cncf-cla: yes
k8s-ci-robot
added
the
size/L
| @@ -27,7 +27,7 @@ func (c *CronJob) SetupWebhookWithManager(mgr ctrl.Manager) error { | |||
| Complete() | |||
| } | |||
|
|
|||
| // +kubebuilder:webhook:verbs=create;update,path=/validate-testdata-kubebuilder-io-v1-cronjob,mutating=false,failurePolicy=fail,matchPolicy=Equivalent,groups=testdata.kubebuiler.io,resources=cronjobs,versions=v1,name=validation.cronjob.testdata.kubebuilder.io,sideEffects=Some | |||
| // +kubebuilder:webhook:verbs=create;update,path=/validate-testdata-kubebuilder-io-v1-cronjob,mutating=false,failurePolicy=fail,matchPolicy=Equivalent,groups=testdata.kubebuiler.io,resources=cronjobs,versions=v1,name=validation.cronjob.testdata.kubebuilder.io,sideEffects=NoneOnDryRun | |||
There was a problem hiding this comment.
This change is because in admissionregistration/v1, the sideEffects can only be None and NoneOnDryRun when creates Configurations
There was a problem hiding this comment.
Are you checking for this case anywhere? There should be an error if anything other than either of those two is set.
There was a problem hiding this comment.
No, there is no such check, please check this comment: #469 (comment) What do you think about this? Or you think it is better to forbid users to create config with Some and Unknown?
There was a problem hiding this comment.
In general I would want as much static validation as possible for my operator project so that I don't have to wait for my CI's apiserver to tell me my webhook config is invalid when I upgrade from v1beta1 to v1. Is there a good reason not to statically validate side effects?
There was a problem hiding this comment.
I guess the counter-argument is that having one marker for two versions is nice, and if one value in that marker is invalid for one version then you can't generate the config for either version, which I think is what you're suggesting in your comment.
The right solution IMO is to add an optional +kubebuilder:webhook:webhookVersion=<v1|v1beta1> field so you can specify which version to generate for a marker if you want to generate both and configure them differently. The case where this field wasn't added to the marker is the current case, so no version list is needed and this isn't a breaking change. Thoughts?
There was a problem hiding this comment.
I guess the counter-argument is that having one marker for two versions is nice, and if one value in that marker is invalid for one version then you can't generate the config for either version, which I think is what you're suggesting in your comment.
Yeah, exactly. This is my main concern so I decided not to handle the static validation and let kube-apiserver handle it, but it may not be a good solution because users have to modify the configuration every time they re-generate it.
The right solution IMO is to add an optional +kubebuilder:webhook:webhookVersion=<v1|v1beta1> field so you can specify which version to generate for a marker if you want to generate both and configure them differently.
I think this will work, but it will double the number of markers if the user wants to generate both v1 and v1beta1 webhooks. How about we do the following, with a marker +kubebuilder:webhook:webhookVersions=<[]string>:
- We default to generate
v1configuration if the marker is not specified. - Generate
v1if the marker is+kubebuilder:webhook:webhookVersions=v1 - Generate
v1beta1if the marker is+kubebuilder:webhook:webhookVersions=v1beta1 - Generate both
v1andv1beta1if the marker is+kubebuilder:webhook:webhookVersions=v1;v1beta1or+kubebuilder:webhook:webhookVersions=v1beta1;v1, we throw error out if thesideEffects(later we also needed to handleAdmissionReviewVersions) cannot meet requirement for either versions.
In this way, we still provide a chance for the user to generate bothv1andv1beta1in one marker.
The case where this field wasn't added to the marker is the current case, so no version list is needed and this isn't a breaking change.
I think it will still be a breaking change because we will generate v1 configurations by default (currently v1beta1)?
WDYT @estroz ?
There was a problem hiding this comment.
Works for me.
this isn't a breaking change.
To the marker definition I mean, since current markers will work as-is.
There was a problem hiding this comment.
@estroz This has been implemented, PTAL :)
jiachengxu
force-pushed
the
webhook-v1
branch
5 times, most recently
from
4690f4a
to
91e19a6
Compare
jiachengxu
force-pushed
the
webhook-v1
branch
4 times, most recently
from
fc5b278
to
2448353
Compare
k8s-ci-robot
added
the
lgtm
|
kindly ping @vincepri , can you please take a look? |
There was a problem hiding this comment.
/approve
/assign @alvaroaleman
/hold
Feel free to unhold when ready
k8s-ci-robot
added
the
do-not-merge/hold
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: jiachengxu, vincepri The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
approved
|
Should we merge this after we release v0.3.1, I guess this would be v0.4.0? |
|
Actually it seems we already merged #468, which is a breaking change, so this can go in and the next release is v0.4.0 |
|
kindly ping @alvaroaleman , do you have any further comments? If not, I will just unhold the PR, and rock and roll :) |
k8s-ci-robot
removed
the
do-not-merge/hold
|
The problem with making |
|
@caboteria this was fixed in #474, which forces you to set |
|
@vincepri there should probably be another release for this, but since it breaks the v0.4.0 marker scheme, should it be v0.5.0? |
|
Thanks @estroz for the pointer, that helps! I'm "go get"ing the current master rev of controller-tools so I'm all set, but my concern is that the defaults for controller-tools don't work with the current controller-runtime so it's easy for noobs like me to stub their toe when trying to build an operator. Should v1beta1 be the default until controller-runtime works with v1? |
There is no |
|
For making controller-runtime work with |
|
Thanks @estroz, the current master version is better in that respect than 0.4.0 which happily generates manifests that deploy but cause errors at run-time: I guess one person's "fairly indicative" is another's "wtf"... Don't get me wrong, I appreciate the effort that you all are making to move controller-tools forward and I second both the suggestion to release controller-tools 0.5.0 and to make controller-runtime work with v1. At the moment we're in a situation where it's easy for noobs (like me) to waste time having to debug things that should just work. |
🤣 I meant the static error your see when generating admission webhooks for markers that don't have $ controller-gen --version
Version: v0.4.1-0.20200902055707-2f203e490e8a
$ tree api/v1
api/v1
├── cronjob_types.go
├── cronjob_webhook.go
├── groupversion_info.go
└── zz_generated.deepcopy.go
$ cat api/v1/cronjob_webhook.go
package v1
// +kubebuilder:webhook:path=/mutate-batch-my-domain-v1-cronjob,mutating=true,failurePolicy=fail,sideEffects=None,groups=batch.my.domain,resources=cronjobs,verbs=create;update,versions=v1,name=mcronjob.kb.io
...
$ controller-gen webhook paths=./...
AdmissionReviewVersions is mandatory for v1 {Mutating,Validating}WebhookConfigurationThe deploy-time errors you get when deploying a v1 webhook config without |
|
@caboteria A PR is created here: kubernetes-sigs/controller-runtime#1233 to tackle this issue. |
This PR implements support to generate {Mutating, Validating}WebhookConfiguration with version
v1.Fixes #419
The first intention was to add a package marker
webhookVersions=<[]string>for the user to specify the versions that want to generate. It will default tov1if thewebhookVersionsis not specified. However, after discussion with @estroz (#469 (comment)), we found out this cannot work nicely because, for different versions of WebhookConfiguraiton, Some fields (SideEffects, AdmissionReviewVersions) can have different available values, and if one value in that marker is invalid for one version then you can't generate the config for either version.So we decided to use an optional field marker
+kubebuilder:webhookVersions=<[]string>to specify the versions in the+kubebuilder:webhookVersionsdirectly, it works as follows:v1configuration if the marker is not specified.v1if the marker is+kubebuilder:webhook:webhookVersions=v1v1beta1if the marker is+kubebuilder:webhook:webhookVersions=v1beta1v1andv1beta1if the marker is+kubebuilder:webhook:webhookVersions=v1;v1beta1or+kubebuilder:webhook:webhookVersions=v1beta1;v1, we throw error out if thesideEffects(later we also needed to handleAdmissionReviewVersions) cannot meet requirement for either versions.This is a breaking change since we generate
v1version configurations by default if the marker is not specified.