github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-08-03 17:30:00 +00:00
Code Issues Projects Releases Wiki Activity

Add annotation for image policy webhook fail open.

Browse Source
This commit is contained in:
Quintin Lee 2017-05-22 19:32:19 -07:00
parent 7043372d05
commit a38c2b4ce1
5 changed files with 28 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
pkg/api/annotation_key_constants.go
View File

@ -19,6 +19,10 @@ limitations under the License.
package api package api
const ( const (
// ImagePolicyFailedOpenKey is added to pods created by failing open when the image policy
// webhook backend fails.
ImagePolicyFailedOpenKey string = "alpha.image-policy.k8s.io/failed-open"
// MirrorAnnotationKey represents the annotation key set by kubelets when creating mirror pods // MirrorAnnotationKey represents the annotation key set by kubelets when creating mirror pods
MirrorPodAnnotationKey string = "kubernetes.io/config.mirror" MirrorPodAnnotationKey string = "kubernetes.io/config.mirror"

4
pkg/api/v1/annotation_key_constants.go
View File

@ -19,6 +19,10 @@ limitations under the License.
package v1 package v1
const ( const (
// ImagePolicyFailedOpenKey is added to pods created by failing open when the image policy
// webhook backend fails.
ImagePolicyFailedOpenKey string = "alpha.image-policy.k8s.io/failed-open"
// MirrorAnnotationKey represents the annotation key set by kubelets when creating mirror pods // MirrorAnnotationKey represents the annotation key set by kubelets when creating mirror pods
MirrorPodAnnotationKey string = "kubernetes.io/config.mirror" MirrorPodAnnotationKey string = "kubernetes.io/config.mirror"

18
plugin/pkg/admission/imagepolicy/admission.go
View File

@ -89,10 +89,16 @@ func (a *imagePolicyWebhook) filterAnnotations(allAnnotations map[string]string)
} }
// Function to call on webhook failure; behavior determined by defaultAllow flag // Function to call on webhook failure; behavior determined by defaultAllow flag
func (a *imagePolicyWebhook) webhookError(attributes admission.Attributes, err error) error { func (a *imagePolicyWebhook) webhookError(pod *api.Pod, attributes admission.Attributes, err error) error {
if err != nil { if err != nil {
glog.V(2).Infof("error contacting webhook backend: %s", err) glog.V(2).Infof("error contacting webhook backend: %s", err)
if a.defaultAllow { if a.defaultAllow {
annotations := pod.GetAnnotations()
if annotations == nil {
annotations = make(map[string]string)
}
annotations[api.ImagePolicyFailedOpenKey] = "true"
pod.ObjectMeta.SetAnnotations(annotations)
glog.V(2).Infof("resource allowed in spite of webhook backend failure") glog.V(2).Infof("resource allowed in spite of webhook backend failure")
return nil return nil
} }
@ -134,13 +140,13 @@ func (a *imagePolicyWebhook) Admit(attributes admission.Attributes) (err error)
Namespace: attributes.GetNamespace(), Namespace: attributes.GetNamespace(),
}, },
} }
if err := a.admitPod(attributes, &imageReview); err != nil { if err := a.admitPod(pod, attributes, &imageReview); err != nil {
return admission.NewForbidden(attributes, err) return admission.NewForbidden(attributes, err)
} }
return nil return nil
} }
func (a *imagePolicyWebhook) admitPod(attributes admission.Attributes, review *v1alpha1.ImageReview) error { func (a *imagePolicyWebhook) admitPod(pod *api.Pod, attributes admission.Attributes, review *v1alpha1.ImageReview) error {
cacheKey, err := json.Marshal(review.Spec) cacheKey, err := json.Marshal(review.Spec)
if err != nil { if err != nil {
return err return err
@ -153,15 +159,15 @@ func (a *imagePolicyWebhook) admitPod(attributes admission.Attributes, review *v
}) })
if err := result.Error(); err != nil { if err := result.Error(); err != nil {
return a.webhookError(attributes, err) return a.webhookError(pod, attributes, err)
} }
var statusCode int var statusCode int
if result.StatusCode(&statusCode); statusCode < 200 || statusCode >= 300 { if result.StatusCode(&statusCode); statusCode < 200 || statusCode >= 300 {
return a.webhookError(attributes, fmt.Errorf("Error contacting webhook: %d", statusCode)) return a.webhookError(pod, attributes, fmt.Errorf("Error contacting webhook: %d", statusCode))
} }
if err := result.Into(review); err != nil { if err := result.Into(review); err != nil {
return a.webhookError(attributes, err) return a.webhookError(pod, attributes, err)
} }
a.responseCache.Add(string(cacheKey), review.Status, a.statusTTL(review.Status)) a.responseCache.Add(string(cacheKey), review.Status, a.statusTTL(review.Status))

4
staging/src/k8s.io/client-go/pkg/api/annotation_key_constants.go
View File

@ -19,6 +19,10 @@ limitations under the License.
package api package api
const ( const (
// ImagePolicyFailedOpenKey is added to pods created by failing open when the image policy
// webhook backend fails.
ImagePolicyFailedOpenKey string = "alpha.image-policy.k8s.io/failed-open"
// MirrorAnnotationKey represents the annotation key set by kubelets when creating mirror pods // MirrorAnnotationKey represents the annotation key set by kubelets when creating mirror pods
MirrorPodAnnotationKey string = "kubernetes.io/config.mirror" MirrorPodAnnotationKey string = "kubernetes.io/config.mirror"

4
staging/src/k8s.io/client-go/pkg/api/v1/annotation_key_constants.go
View File

@ -19,6 +19,10 @@ limitations under the License.
package v1 package v1
const ( const (
// ImagePolicyFailedOpenKey is added to pods created by failing open when the image policy
// webhook backend fails.
ImagePolicyFailedOpenKey string = "alpha.image-policy.k8s.io/failed-open"
// MirrorAnnotationKey represents the annotation key set by kubelets when creating mirror pods // MirrorAnnotationKey represents the annotation key set by kubelets when creating mirror pods
MirrorPodAnnotationKey string = "kubernetes.io/config.mirror" MirrorPodAnnotationKey string = "kubernetes.io/config.mirror"