diff --git a/pkg/api/annotation_key_constants.go b/pkg/api/annotation_key_constants.go
index bfb42c8ba33..55bf20f9a0c 100644
--- a/pkg/api/annotation_key_constants.go
+++ b/pkg/api/annotation_key_constants.go
@@ -19,6 +19,10 @@ limitations under the License.
 package api
 const (
+ // ImagePolicyFailedOpenKey is added to pods created by failing open when the image policy
+ // webhook backend fails.
+ ImagePolicyFailedOpenKey string = "alpha.image-policy.k8s.io/failed-open"
+
 // MirrorAnnotationKey represents the annotation key set by kubelets when creating mirror pods
 MirrorPodAnnotationKey string = "kubernetes.io/config.mirror"
diff --git a/pkg/api/v1/annotation_key_constants.go b/pkg/api/v1/annotation_key_constants.go
index 96bbdd57429..8591f08b4b5 100644
--- a/pkg/api/v1/annotation_key_constants.go
+++ b/pkg/api/v1/annotation_key_constants.go
@@ -19,6 +19,10 @@ limitations under the License.
 package v1
 const (
+ // ImagePolicyFailedOpenKey is added to pods created by failing open when the image policy
+ // webhook backend fails.
+ ImagePolicyFailedOpenKey string = "alpha.image-policy.k8s.io/failed-open"
+
 // MirrorAnnotationKey represents the annotation key set by kubelets when creating mirror pods
 MirrorPodAnnotationKey string = "kubernetes.io/config.mirror"
diff --git a/plugin/pkg/admission/imagepolicy/admission.go b/plugin/pkg/admission/imagepolicy/admission.go
index f5e6304eebd..25a2bd98cb6 100644
--- a/plugin/pkg/admission/imagepolicy/admission.go
+++ b/plugin/pkg/admission/imagepolicy/admission.go
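Review bot: The doc comment on `ImagePolicyFailedOpenKey` says when the key is added but not what it is worth to a reader of the pod: it is an ordinary annotation that the admission plugin sets to "true", and nothing in this change validates or protects the key, so a client can presumably set or clear it on any pod it is allowed to write. Operators who search for fail-open admissions should know it is an informational marker, not an enforcement signal; I would extend the comment to `// ImagePolicyFailedOpenKey is added (with value "true") to pods created by failing open when the image policy webhook backend fails. It is an ordinary, client-writable annotation and is informational only.` The same comment is duplicated in the pkg/api/v1 hunk and in both staging copies, which are synced from these files.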
@@ -89,10 +89,16 @@ func (a *imagePolicyWebhook) filterAnnotations(allAnnotations map[string]string)
 }
 // Function to call on webhook failure; behavior determined by defaultAllow flag
-func (a *imagePolicyWebhook) webhookError(attributes admission.Attributes, err error) error {
+func (a *imagePolicyWebhook) webhookError(pod *api.Pod, attributes admission.Attributes, err error) error {
 if err != nil {
 glog.V(2).Infof("error contacting webhook backend: %s", err)
 if a.defaultAllow {
+ annotations := pod.GetAnnotations()
+ if annotations == nil {
+ annotations = make(map[string]string)
+ }
+ annotations[api.ImagePolicyFailedOpenKey] = "true"
+ pod.ObjectMeta.SetAnnotations(annotations)
 glog.V(2).Infof("resource allowed in spite of webhook backend failure")
 return nil
 }
@@ -134,13 +140,13 @@ func (a *imagePolicyWebhook) Admit(attributes admission.Attributes) (err error)
 Namespace: attributes.GetNamespace(),
 },
 }
- if err := a.admitPod(attributes, &imageReview); err != nil {
+ if err := a.admitPod(pod, attributes, &imageReview); err != nil {
 return admission.NewForbidden(attributes, err)
 }
 return nil
 }
-func (a *imagePolicyWebhook) admitPod(attributes admission.Attributes, review *v1alpha1.ImageReview) error {
+func (a *imagePolicyWebhook) admitPod(pod *api.Pod, attributes admission.Attributes, review *v1alpha1.ImageReview) error {
 cacheKey, err := json.Marshal(review.Spec)
 if err != nil {
 return err
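Review bot: The annotation is written with `pod.ObjectMeta.SetAnnotations(annotations)` while it is read with `pod.GetAnnotations()`; `pod.SetAnnotations(annotations)` keeps the pair symmetric and avoids reaching into the embedded struct. The added lines also dereference `pod` unconditionally, so whatever guarantees Admit only passes a non-nil `*api.Pod` (established outside this hunk, presumably by a type assertion on `attributes.GetObject()`) is now load-bearing here and deserves a one-line note such as `// pod is non-nil: Admit rejects non-pod objects before reaching this path.` once confirmed against Admit. Because this marker and the `glog.V(2)` line are the only record that an image review was skipped, the fail-open branch would also benefit from a comment stating that the annotation is informational and that callers must not treat its absence as proof of a completed review. webhookError's body continues outside the hunk.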
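Review bot: admitPod now mutates its new `pod` argument on the fail-open path, which neither the name nor the (absent) doc comment suggests; a comment above the new signature would keep the next caller from being surprised, e.g. `// admitPod submits review to the webhook backend. When the backend fails and defaultAllow is set, it annotates pod with ImagePolicyFailedOpenKey and returns nil.` Admit's body starts outside the hunk and admitPod's continues past it.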
@@ -153,15 +159,15 @@ func (a *imagePolicyWebhook) admitPod(attributes admission.Attributes, review *v
 })
 if err := result.Error(); err != nil {
- return a.webhookError(attributes, err)
+ return a.webhookError(pod, attributes, err)
 }
 var statusCode int
 if result.StatusCode(&statusCode); statusCode < 200 || statusCode >= 300 {
- return a.webhookError(attributes, fmt.Errorf("Error contacting webhook: %d", statusCode))
+ return a.webhookError(pod, attributes, fmt.Errorf("Error contacting webhook: %d", statusCode))
 }
 if err := result.Into(review); err != nil {
- return a.webhookError(attributes, err)
+ return a.webhookError(pod, attributes, err)
 }
 a.responseCache.Add(string(cacheKey), review.Status, a.statusTTL(review.Status))
diff --git a/staging/src/k8s.io/client-go/pkg/api/annotation_key_constants.go b/staging/src/k8s.io/client-go/pkg/api/annotation_key_constants.go
index bfb42c8ba33..55bf20f9a0c 100644
--- a/staging/src/k8s.io/client-go/pkg/api/annotation_key_constants.go
+++ b/staging/src/k8s.io/client-go/pkg/api/annotation_key_constants.go
@@ -19,6 +19,10 @@ limitations under the License.
 package api
 const (
+ // ImagePolicyFailedOpenKey is added to pods created by failing open when the image policy
+ // webhook backend fails.
+ ImagePolicyFailedOpenKey string = "alpha.image-policy.k8s.io/failed-open"
+
 // MirrorAnnotationKey represents the annotation key set by kubelets when creating mirror pods
 MirrorPodAnnotationKey string = "kubernetes.io/config.mirror"
diff --git a/staging/src/k8s.io/client-go/pkg/api/v1/annotation_key_constants.go b/staging/src/k8s.io/client-go/pkg/api/v1/annotation_key_constants.go
index 96bbdd57429..8591f08b4b5 100644
--- a/staging/src/k8s.io/client-go/pkg/api/v1/annotation_key_constants.go
+++ b/staging/src/k8s.io/client-go/pkg/api/v1/annotation_key_constants.go
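Review bot: The three rewritten call sites mark the pod failed-open for three different conditions — a transport error, a non-2xx status, and a 2xx body that `result.Into(review)` cannot decode — so a malformed success response from the backend is handled exactly like an unreachable backend and admits the pod when defaultAllow is set. That is pre-existing behavior, but since every call now carries the pod it is the right place for a comment such as `// Any failure to obtain a parseable verdict is treated as a backend failure; see webhookError for the fail-open/fail-closed decision.` The changed line `fmt.Errorf("Error contacting webhook: %d", statusCode)` also keeps a capitalized error string; Go convention is `fmt.Errorf("error contacting webhook: %d", statusCode)`. admitPod's body starts outside the hunk.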
@@ -19,6 +19,10 @@ limitations under the License.
 package v1
 const (
+ // ImagePolicyFailedOpenKey is added to pods created by failing open when the image policy
+ // webhook backend fails.
+ ImagePolicyFailedOpenKey string = "alpha.image-policy.k8s.io/failed-open"
+
 // MirrorAnnotationKey represents the annotation key set by kubelets when creating mirror pods
 MirrorPodAnnotationKey string = "kubernetes.io/config.mirror"