default admission hook failure safely

This commit is contained in:
David Eads 2017-10-18 13:44:06 -04:00
parent f07b359e5b
commit 4e79357f9f
2 changed files with 3 additions and 3 deletions

View File

@ -191,7 +191,7 @@ func (a *GenericAdmissionWebhook) Admit(attr admission.Attributes) error {
return
}
ignoreClientCallFailures := hook.FailurePolicy == nil || *hook.FailurePolicy == v1alpha1.Ignore
ignoreClientCallFailures := hook.FailurePolicy != nil && *hook.FailurePolicy == v1alpha1.Ignore
if callErr, ok := err.(*ErrCallingWebhook); ok {
if ignoreClientCallFailures {
glog.Warningf("Failed calling webhook, failing open %v: %v", hook.Name, callErr)

View File

@ -216,7 +216,7 @@ func TestAdmit(t *testing.T) {
},
expectAllow: true,
},
"match & fail (but allow because fail open on nil)": {
"match & fail (but disallow because fail closed on nil)": {
hookSource: fakeHookSource{
hooks: []registrationv1alpha1.ExternalAdmissionHook{{
Name: "internalErr A",
@ -232,7 +232,7 @@ func TestAdmit(t *testing.T) {
Rules: matchEverythingRules,
}},
},
expectAllow: true,
expectAllow: false,
},
"match & fail (but fail because fail closed)": {
hookSource: fakeHookSource{