Merge pull request #74562 from roycaihw/feat/admission-webhook-timeout

admission webhook: timeout configuration

pkg/apis/admissionregistration/fuzzer/fuzzer.go

@@ -32,6 +32,10 @@ var Funcs = func(codecs runtimeserializer.CodecFactory) []interface{} {
 			obj.FailurePolicy = &p
 			s := admissionregistration.SideEffectClassUnknown
 			obj.SideEffects = &s
+			if obj.TimeoutSeconds == nil {
+				i := int32(30)
+				obj.TimeoutSeconds = &i
+			}
 		},
 	}
 }

pkg/apis/admissionregistration/types.go

@@ -208,6 +208,13 @@ type Webhook struct {
 	// sideEffects == Unknown or Some. Defaults to Unknown.
 	// +optional
 	SideEffects *SideEffectClass
+
+	// TimeoutSeconds specifies the timeout for this webhook. After the timeout passes,
+	// the webhook call will be ignored or the API call will fail based on the
+	// failure policy.
+	// The timeout value must be between 1 and 30 seconds.
+	// +optional
+	TimeoutSeconds *int32
 }
 
 // RuleWithOperations is a tuple of Operations and Resources. It is recommended to make

pkg/apis/admissionregistration/v1beta1/defaults.go

@@ -40,4 +40,8 @@ func SetDefaults_Webhook(obj *admissionregistrationv1beta1.Webhook) {
 		unknown := admissionregistrationv1beta1.SideEffectClassUnknown
 		obj.SideEffects = &unknown
 	}
+	if obj.TimeoutSeconds == nil {
+		obj.TimeoutSeconds = new(int32)
+		*obj.TimeoutSeconds = 30
+	}
 }

pkg/apis/admissionregistration/v1beta1/zz_generated.conversion.go

@@ -301,6 +301,7 @@ func autoConvert_v1beta1_Webhook_To_admissionregistration_Webhook(in *v1beta1.We
 	out.FailurePolicy = (*admissionregistration.FailurePolicyType)(unsafe.Pointer(in.FailurePolicy))
 	out.NamespaceSelector = (*v1.LabelSelector)(unsafe.Pointer(in.NamespaceSelector))
 	out.SideEffects = (*admissionregistration.SideEffectClass)(unsafe.Pointer(in.SideEffects))
+	out.TimeoutSeconds = (*int32)(unsafe.Pointer(in.TimeoutSeconds))
 	return nil
 }
 
@@ -318,6 +319,7 @@ func autoConvert_admissionregistration_Webhook_To_v1beta1_Webhook(in *admissionr
 	out.FailurePolicy = (*v1beta1.FailurePolicyType)(unsafe.Pointer(in.FailurePolicy))
 	out.NamespaceSelector = (*v1.LabelSelector)(unsafe.Pointer(in.NamespaceSelector))
 	out.SideEffects = (*v1beta1.SideEffectClass)(unsafe.Pointer(in.SideEffects))
+	out.TimeoutSeconds = (*int32)(unsafe.Pointer(in.TimeoutSeconds))
 	return nil
 }
 

pkg/apis/admissionregistration/validation/validation.go

@@ -171,6 +171,9 @@ func validateWebhook(hook *admissionregistration.Webhook, fldPath *field.Path) f
 	if hook.SideEffects != nil && !supportedSideEffectClasses.Has(string(*hook.SideEffects)) {
 		allErrors = append(allErrors, field.NotSupported(fldPath.Child("sideEffects"), *hook.SideEffects, supportedSideEffectClasses.List()))
 	}
+	if hook.TimeoutSeconds != nil && (*hook.TimeoutSeconds > 30 || *hook.TimeoutSeconds < 1) {
+		allErrors = append(allErrors, field.Invalid(fldPath.Child("timeoutSeconds"), *hook.TimeoutSeconds, "the timeout value must be between 1 and 30 seconds"))
+	}
 
 	if hook.NamespaceSelector != nil {
 		allErrors = append(allErrors, metav1validation.ValidateLabelSelector(hook.NamespaceSelector, fldPath.Child("namespaceSelector"))...)

pkg/apis/admissionregistration/validation/validation_test.go

@@ -26,6 +26,8 @@ import (
 
 func strPtr(s string) *string { return &s }
 
+func int32Ptr(i int32) *int32 { return &i }
+
 func newValidatingWebhookConfiguration(hooks []admissionregistration.Webhook) *admissionregistration.ValidatingWebhookConfiguration {
 	return &admissionregistration.ValidatingWebhookConfiguration{
 		ObjectMeta: metav1.ObjectMeta{
@@ -544,6 +546,63 @@ func TestValidateValidatingWebhookConfiguration(t *testing.T) {
 				}),
 			expectedError: `clientConfig.service.path: Invalid value: "/apis/foo.bar/v1alpha1/--bad": segment[3]: a DNS-1123 subdomain`,
 		},
+		{
+			name: "timeout seconds cannot be greater than 30",
+			config: newValidatingWebhookConfiguration(
+				[]admissionregistration.Webhook{
+					{
+						Name:           "webhook.k8s.io",
+						ClientConfig:   validClientConfig,
+						TimeoutSeconds: int32Ptr(31),
+					},
+				}),
+			expectedError: `webhooks[0].timeoutSeconds: Invalid value: 31: the timeout value must be between 1 and 30 seconds`,
+		},
+		{
+			name: "timeout seconds cannot be smaller than 1",
+			config: newValidatingWebhookConfiguration(
+				[]admissionregistration.Webhook{
+					{
+						Name:           "webhook.k8s.io",
+						ClientConfig:   validClientConfig,
+						TimeoutSeconds: int32Ptr(0),
+					},
+				}),
+			expectedError: `webhooks[0].timeoutSeconds: Invalid value: 0: the timeout value must be between 1 and 30 seconds`,
+		},
+		{
+			name: "timeout seconds must be positive",
+			config: newValidatingWebhookConfiguration(
+				[]admissionregistration.Webhook{
+					{
+						Name:           "webhook.k8s.io",
+						ClientConfig:   validClientConfig,
+						TimeoutSeconds: int32Ptr(-1),
+					},
+				}),
+			expectedError: `webhooks[0].timeoutSeconds: Invalid value: -1: the timeout value must be between 1 and 30 seconds`,
+		},
+		{
+			name: "valid timeout seconds",
+			config: newValidatingWebhookConfiguration(
+				[]admissionregistration.Webhook{
+					{
+						Name:           "webhook.k8s.io",
+						ClientConfig:   validClientConfig,
+						TimeoutSeconds: int32Ptr(1),
+					},
+					{
+						Name:           "webhook2.k8s.io",
+						ClientConfig:   validClientConfig,
+						TimeoutSeconds: int32Ptr(15),
+					},
+					{
+						Name:           "webhook3.k8s.io",
+						ClientConfig:   validClientConfig,
+						TimeoutSeconds: int32Ptr(30),
+					},
+				}),
+		},
 	}
 	for _, test := range tests {
 		t.Run(test.name, func(t *testing.T) {

pkg/apis/admissionregistration/zz_generated.deepcopy.go

@@ -257,6 +257,11 @@ func (in *Webhook) DeepCopyInto(out *Webhook) {
 		*out = new(SideEffectClass)
 		**out = **in
 	}
+	if in.TimeoutSeconds != nil {
+		in, out := &in.TimeoutSeconds, &out.TimeoutSeconds
+		*out = new(int32)
+		**out = **in
+	}
 	return
 }