From aad0e2e15f789fc3768d6e5607b86e8b824b3917 Mon Sep 17 00:00:00 2001
From: Jordan Liggitt
Date: Fri, 20 Jul 2018 00:15:49 -0400
Subject: [PATCH] Do not attempt to convert nil object during DELETE webhook admission
---
 .../plugin/webhook/mutating/dispatcher.go | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)
diff --git a/staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook/mutating/dispatcher.go b/staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook/mutating/dispatcher.go
index adfe9f37f3e..88e23c25d98 100644
--- a/staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook/mutating/dispatcher.go
+++ b/staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook/mutating/dispatcher.go
@@ -74,7 +74,10 @@ func (a *mutatingDispatcher) Dispatch(ctx context.Context, attr *generic.Version
 }
 // convert attr.VersionedObject to the internal version in the underlying admission.Attributes
- return a.plugin.scheme.Convert(attr.VersionedObject, attr.Attributes.GetObject(), nil)
+ if attr.VersionedObject != nil {
+ return a.plugin.scheme.Convert(attr.VersionedObject, attr.Attributes.GetObject(), nil)
+ }
+ return nil
 }
 // note that callAttrMutatingHook updates attr
@@ -106,6 +109,15 @@ func (a *mutatingDispatcher) callAttrMutatingHook(ctx context.Context, h *v1beta
 if err != nil {
 return apierrors.NewInternalError(err)
 }
+ if len(patchObj) == 0 {
+ return nil
+ }
+
+ // if a non-empty patch was provided, and we have no object we can apply it to (e.g. a DELETE admission operation), error
+ if attr.VersionedObject == nil {
+ return apierrors.NewInternalError(fmt.Errorf("admission webhook %q attempted to modify the object, which is not supported for this operation", h.Name))
+ }
+
 objJS, err := runtime.Encode(a.plugin.jsonSerializer, attr.VersionedObject)
 if err != nil {
 return apierrors.NewInternalError(err)
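Review bot: The comment above the new guard at the end of Dispatch still describes an unconditional conversion, and nothing on the new lines says why `attr.VersionedObject` can be nil. The commit subject attributes it to DELETE admission, so a line such as `// VersionedObject is nil when the operation carries no object (e.g. DELETE); there is nothing to convert back` directly above the `if` would stop a later cleanup from removing the check. If VersionedObject is an interface type (its declaration is not visible here), a typed nil pointer stored in it would still pass `!= nil`, so it is worth confirming that callers leave it as a literal nil. Dispatch begins outside the hunk.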
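Review bot: The rejection added under `if attr.VersionedObject == nil` in callAttrMutatingHook names the webhook but only says "this operation", so an operator reading the resulting internal error cannot tell which verb the webhook tried to mutate. Including the operation makes a blocked request traceable to the webhook configuration that should not be sending patches for it, e.g. `fmt.Errorf("admission webhook %q attempted to modify the object, which is not supported for %s operations", h.Name, attr.Attributes.GetOperation())`. The patch touches only dispatcher.go, so neither new branch (empty patch returns nil, non-empty patch with a nil object errors) appears to be pinned by a test; a case for each would guard the DELETE path against regression. The function starts and continues outside the hunk, so how the caller applies the hook's failure policy to this error cannot be judged from here.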