github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-09-10 21:50:05 +00:00
Code Issues Projects Releases Wiki Activity

Merge pull request #66936 from jennybuckley/dry-run-webhooks

Browse Source 
Automatic merge from submit-queue (batch tested with PRs 67576, 66936). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

Support dry run in admission webhooks

**What this PR does / why we need it**:
Follow up to https://github.com/kubernetes/kubernetes/pull/66391
- [x] add DryRun to ```admission.k8s.io/v1beta1.AdmissionReview```
- [x] add DryRunnable to ```admissionregistration.k8s.io/v1beta1.(Valid|Mut)atingWebhookConfiguration```
- [x] add dry run support to (Valid|Mut)atingAdmissionWebhook

Includes all the api-changes outlined by https://github.com/kubernetes/community/pull/2387

/sig api-machinery

**Release note**:
```release-note
To address the possibility dry-run requests overwhelming admission webhooks that rely on side effects and a reconciliation mechanism, a new field is being added to admissionregistration.k8s.io/v1beta1.ValidatingWebhookConfiguration and admissionregistration.k8s.io/v1beta1.MutatingWebhookConfiguration so that webhooks can explicitly register as having dry-run support. If a dry-run request is made on a resource that triggers a non dry-run supporting webhook, the request will be completely rejected, with "400: Bad Request". Additionally, a new field is being added to the admission.k8s.io/v1beta1.AdmissionReview API object, exposing to webhooks whether or not the request being reviewed is a dry-run.
```
This commit is contained in:
Kubernetes Submit Queue
2018-08-22 19:41:58 -07:00
committed by GitHub
parent 687553a47a c61eac7daa
commit 5a16163c87
27 changed files with 407 additions and 117 deletions
Download Patch File Download Diff File Expand all files Collapse all files

19
docs/api-reference/admissionregistration.k8s.io/v1beta1/definitions.html generated
View File

@@ -1049,6 +1049,10 @@ Depending on the enclosing object, subresources might not be allowed. Required.<
</tbody>
</table>
</div>
<div class="sect2">
<h3 id="_v1_deletionpropagation">v1.DeletionPropagation</h3>
</div>
<div class="sect2">
<h3 id="_v1beta1_webhook">v1beta1.Webhook</h3>
@@ -1138,13 +1142,16 @@ Default to the empty LabelSelector, which matches everything.</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="#_v1_labelselector">v1.LabelSelector</a></p></td>
<td class="tableblock halign-left valign-top"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">sideEffects</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">SideEffects states whether this webhookk has side effects. Acceptable values are: Unknown, None, Some, NoneOnDryRun Webhooks with side effects MUST implement a reconciliation system, since a request may be rejected by a future step in the admission change and the side effects therefore need to be undone. Requests with the dryRun attribute will be auto-rejected if they match a webhook with sideEffects == Unknown or Some. Defaults to Unknown.</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="#_v1beta1_sideeffectclass">v1beta1.SideEffectClass</a></p></td>
<td class="tableblock halign-left valign-top"></td>
</tr>
</tbody>
</table>
</div>
<div class="sect2">
<h3 id="_v1_deletionpropagation">v1.DeletionPropagation</h3>
</div>
<div class="sect2">
<h3 id="_v1beta1_operationtype">v1beta1.OperationType</h3>
@@ -1765,6 +1772,10 @@ Port 443 will be used if it is open, otherwise it is an error.</p></td>
</tbody>
</table>
</div>
<div class="sect2">
<h3 id="_v1beta1_sideeffectclass">v1beta1.SideEffectClass</h3>
</div>
<div class="sect2">
<h3 id="_types_uid">types.UID</h3>