github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-07-22 11:21:47 +00:00
Code Issues Projects Releases Wiki Activity

Merge pull request #54889 from lavalamp/wh-api

Browse Source 
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

Fix webhook API to also support URLs

ref: https://github.com/kubernetes/features/issues/492

```release-note
The dynamic admission webhook now supports a URL in addition to a service reference, to accommodate out-of-cluster webhooks.
```
This commit is contained in:
Kubernetes Submit Queue 2017-11-11 23:01:39 -08:00 committed by GitHub
commit e93819049d
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
17 changed files with 779 additions and 274 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
api/openapi-spec/swagger.json generated
View File

@ -67928,11 +67928,15 @@
],
"properties": {
"name": {
"description": "Name is the name of the service Required",
"description": "`name` is the name of the service. Required",
"type": "string"
},
"namespace": {
"description": "Namespace is the namespace of the service Required",
"description": "`namespace` is the namespace of the service. Required",
"type": "string"
},
"path": {
"description": "`path` is an optional URL path which will be sent in any request to this service.",
"type": "string"
}
}
@ -68039,22 +68043,20 @@
"io.k8s.api.admissionregistration.v1alpha1.WebhookClientConfig": {
"description": "WebhookClientConfig contains the information to make a TLS connection with the webhook",
"required": [
"service",
"urlPath",
"caBundle"
],
"properties": {
"caBundle": {
"description": "CABundle is a PEM encoded CA bundle which will be used to validate webhook's server certificate. Required",
"description": "`caBundle` is a PEM encoded CA bundle which will be used to validate the webhook's server certificate. Required.",
"type": "string",
"format": "byte"
},
"service": {
"description": "Service is a reference to the service for this webhook. If there is only one port open for the service, that port will be used. If there are multiple ports open, port 443 will be used if it is open, otherwise it is an error. Required",
"description": "`service` is a reference to the service for this webhook. Either `service` or `url` must be specified.\n\nIf the webhook is running within the cluster, then you should use `service`.\n\nIf there is only one port open for the service, that port will be used. If there are multiple ports open, port 443 will be used if it is open, otherwise it is an error.",
"$ref": "#/definitions/io.k8s.api.admissionregistration.v1alpha1.ServiceReference"
},
"urlPath": {
"description": "URLPath is an optional field that specifies the URL path to use when posting the AdmissionReview object.",
"url": {
"description": "`url` gives the location of the webhook, in standard URL form (`[scheme://]host:port/path`). Exactly one of `url` or `service` must be specified.\n\nThe `host` should not refer to a service running in the cluster; use the `service` field instead. The host might be resolved via external DNS in some apiservers (e.g., `kube-apiserver` cannot resolve in-cluster DNS as that would be a layering violation). `host` may also be an IP address.\n\nPlease note that using `localhost` or `127.0.0.1` as a `host` is risky unless you take great care to run this webhook on all hosts which run an apiserver which might need to make calls to this webhook. Such installs are likely to be non-portable, i.e., not easy to turn up in a new cluster.\n\nIf the scheme is present, it must be \"https://\".\n\nA path is optional, and if present may be any string permissible in a URL. You may use the path to pass an arbitrary string to the webhook, for example, a cluster identifier.",
"type": "string"
}
}

21
api/swagger-spec/admissionregistration.k8s.io_v1alpha1.json generated
View File

@ -2631,21 +2631,20 @@
"description": "WebhookClientConfig contains the information to make a TLS connection with the webhook",
"required": [
"service",
"urlPath",
"caBundle"
],
"properties": {
"url": {
"type": "string",
"description": "`url` gives the location of the webhook, in standard URL form (`[scheme://]host:port/path`). Exactly one of `url` or `service` must be specified.\n\nThe `host` should not refer to a service running in the cluster; use the `service` field instead. The host might be resolved via external DNS in some apiservers (e.g., `kube-apiserver` cannot resolve in-cluster DNS as that would be a layering violation). `host` may also be an IP address.\n\nPlease note that using `localhost` or `127.0.0.1` as a `host` is risky unless you take great care to run this webhook on all hosts which run an apiserver which might need to make calls to this webhook. Such installs are likely to be non-portable, i.e., not easy to turn up in a new cluster.\n\nIf the scheme is present, it must be \"https://\".\n\nA path is optional, and if present may be any string permissible in a URL. You may use the path to pass an arbitrary string to the webhook, for example, a cluster identifier."
},
"service": {
"$ref": "v1alpha1.ServiceReference",
"description": "Service is a reference to the service for this webhook. If there is only one port open for the service, that port will be used. If there are multiple ports open, port 443 will be used if it is open, otherwise it is an error. Required"
},
"urlPath": {
"type": "string",
"description": "URLPath is an optional field that specifies the URL path to use when posting the AdmissionReview object."
"description": "`service` is a reference to the service for this webhook. Either `service` or `url` must be specified.\n\nIf the webhook is running within the cluster, then you should use `service`.\n\nIf there is only one port open for the service, that port will be used. If there are multiple ports open, port 443 will be used if it is open, otherwise it is an error."
},
"caBundle": {
"type": "string",
"description": "CABundle is a PEM encoded CA bundle which will be used to validate webhook's server certificate. Required"
"description": "`caBundle` is a PEM encoded CA bundle which will be used to validate the webhook's server certificate. Required."
}
}
},
@ -2659,11 +2658,15 @@
"properties": {
"namespace": {
"type": "string",
"description": "Namespace is the namespace of the service Required"
"description": "`namespace` is the namespace of the service. Required"
},
"name": {
"type": "string",
"description": "Name is the name of the service Required"
"description": "`name` is the name of the service. Required"
},
"path": {
"type": "string",
"description": "`path` is an optional URL path which will be sent in any request to this service."
}
}
},

41
docs/api-reference/admissionregistration.k8s.io/v1alpha1/definitions.html generated
View File

@ -627,22 +627,34 @@ Depending on the enclosing object, subresources might not be allowed. Required.<
</thead>
<tbody>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">url</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock"><code>url</code> gives the location of the webhook, in standard URL form (<code>[scheme://]host:port/path</code>). Exactly one of <code>url</code> or <code>service</code> must be specified.<br>
<br>
The <code>host</code> should not refer to a service running in the cluster; use the <code>service</code> field instead. The host might be resolved via external DNS in some apiservers (e.g., <code>kube-apiserver</code> cannot resolve in-cluster DNS as that would be a layering violation). <code>host</code> may also be an IP address.<br>
<br>
Please note that using <code>localhost</code> or <code>127.0.0.1</code> as a <code>host</code> is risky unless you take great care to run this webhook on all hosts which run an apiserver which might need to make calls to this webhook. Such installs are likely to be non-portable, i.e., not easy to turn up in a new cluster.<br>
<br>
If the scheme is present, it must be "https://".<br>
<br>
A path is optional, and if present may be any string permissible in a URL. You may use the path to pass an arbitrary string to the webhook, for example, a cluster identifier.</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">string</p></td>
<td class="tableblock halign-left valign-top"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">service</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Service is a reference to the service for this webhook. If there is only one port open for the service, that port will be used. If there are multiple ports open, port 443 will be used if it is open, otherwise it is an error. Required</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock"><code>service</code> is a reference to the service for this webhook. Either <code>service</code> or <code>url</code> must be specified.<br>
<br>
If the webhook is running within the cluster, then you should use <code>service</code>.<br>
<br>
If there is only one port open for the service, that port will be used. If there are multiple ports open, port 443 will be used if it is open, otherwise it is an error.</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">true</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="#_v1alpha1_servicereference">v1alpha1.ServiceReference</a></p></td>
<td class="tableblock halign-left valign-top"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">urlPath</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">URLPath is an optional field that specifies the URL path to use when posting the AdmissionReview object.</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">true</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">string</p></td>
<td class="tableblock halign-left valign-top"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">caBundle</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">CABundle is a PEM encoded CA bundle which will be used to validate webhook&#8217;s server certificate. Required</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock"><code>caBundle</code> is a PEM encoded CA bundle which will be used to validate the webhook&#8217;s server certificate. Required.</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">true</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">string</p></td>
<td class="tableblock halign-left valign-top"></td>
@ -1070,18 +1082,25 @@ Depending on the enclosing object, subresources might not be allowed. Required.<
<tbody>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">namespace</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Namespace is the namespace of the service Required</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock"><code>namespace</code> is the namespace of the service. Required</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">true</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">string</p></td>
<td class="tableblock halign-left valign-top"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">name</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Name is the name of the service Required</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock"><code>name</code> is the name of the service. Required</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">true</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">string</p></td>
<td class="tableblock halign-left valign-top"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">path</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock"><code>path</code> is an optional URL path which will be sent in any request to this service.</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">string</p></td>
<td class="tableblock halign-left valign-top"></td>
</tr>
</tbody>
</table>

56
pkg/apis/admissionregistration/types.go
View File

@ -266,26 +266,60 @@ const (
// WebhookClientConfig contains the information to make a TLS
// connection with the webhook
type WebhookClientConfig struct {
// Service is a reference to the service for this webhook. If there is only
// one port open for the service, that port will be used. If there are multiple
// ports open, port 443 will be used if it is open, otherwise it is an error.
// Required
Service ServiceReference
// `url` gives the location of the webhook, in standard URL form
// (`[scheme://]host:port/path`). Exactly one of `url` or `service`
// must be specified.
//
// The `host` should not refer to a service running in the cluster; use
// the `service` field instead. The host might be resolved via external
// DNS in some apiservers (e.g., `kube-apiserver` cannot resolve
// in-cluster DNS as that would be a layering violation). `host` may
// also be an IP address.
//
// Please note that using `localhost` or `127.0.0.1` as a `host` is
// risky unless you take great care to run this webhook on all hosts
// which run an apiserver which might need to make calls to this
// webhook. Such installs are likely to be non-portable, i.e., not easy
// to turn up in a new cluster.
//
// If the scheme is present, it must be "https://".
//
// A path is optional, and if present may be any string permissible in
// a URL. You may use the path to pass an arbitrary string to the
// webhook, for example, a cluster identifier.
//
// +optional
URL *string
// URLPath is an optional field that specifies the URL path to use when posting the AdmissionReview object.
URLPath string
// `service` is a reference to the service for this webhook. Either
// `service` or `url` must be specified.
//
// If the webhook is running within the cluster, then you should use `service`.
//
// If there is only one port open for the service, that port will be
// used. If there are multiple ports open, port 443 will be used if it
// is open, otherwise it is an error.
//
// +optional
Service *ServiceReference
// CABundle is a PEM encoded CA bundle which will be used to validate webhook's server certificate.
// Required
// `caBundle` is a PEM encoded CA bundle which will be used to validate
// the webhook's server certificate.
// Required.
CABundle []byte
}
// ServiceReference holds a reference to Service.legacy.k8s.io
type ServiceReference struct {
// Namespace is the namespace of the service
// `namespace` is the namespace of the service.
// Required
Namespace string
// Name is the name of the service
// `name` is the name of the service.
// Required
Name string
// `path` is an optional URL path which will be sent in any request to
// this service.
// +optional
Path *string
}

14
pkg/apis/admissionregistration/v1alpha1/zz_generated.conversion.go generated
View File

@ -227,6 +227,7 @@ func Convert_admissionregistration_RuleWithOperations_To_v1alpha1_RuleWithOperat
func autoConvert_v1alpha1_ServiceReference_To_admissionregistration_ServiceReference(in *v1alpha1.ServiceReference, out *admissionregistration.ServiceReference, s conversion.Scope) error {
out.Namespace = in.Namespace
out.Name = in.Name
out.Path = (*string)(unsafe.Pointer(in.Path))
return nil
}
@ -238,6 +239,7 @@ func Convert_v1alpha1_ServiceReference_To_admissionregistration_ServiceReference
func autoConvert_admissionregistration_ServiceReference_To_v1alpha1_ServiceReference(in *admissionregistration.ServiceReference, out *v1alpha1.ServiceReference, s conversion.Scope) error {
out.Namespace = in.Namespace
out.Name = in.Name
out.Path = (*string)(unsafe.Pointer(in.Path))
return nil
}
@ -323,10 +325,8 @@ func Convert_admissionregistration_Webhook_To_v1alpha1_Webhook(in *admissionregi
}
func autoConvert_v1alpha1_WebhookClientConfig_To_admissionregistration_WebhookClientConfig(in *v1alpha1.WebhookClientConfig, out *admissionregistration.WebhookClientConfig, s conversion.Scope) error {
if err := Convert_v1alpha1_ServiceReference_To_admissionregistration_ServiceReference(&in.Service, &out.Service, s); err != nil {
return err
}
out.URLPath = in.URLPath
out.URL = (*string)(unsafe.Pointer(in.URL))
out.Service = (*admissionregistration.ServiceReference)(unsafe.Pointer(in.Service))
out.CABundle = *(*[]byte)(unsafe.Pointer(&in.CABundle))
return nil
}
@ -337,10 +337,8 @@ func Convert_v1alpha1_WebhookClientConfig_To_admissionregistration_WebhookClient
}
func autoConvert_admissionregistration_WebhookClientConfig_To_v1alpha1_WebhookClientConfig(in *admissionregistration.WebhookClientConfig, out *v1alpha1.WebhookClientConfig, s conversion.Scope) error {
if err := Convert_admissionregistration_ServiceReference_To_v1alpha1_ServiceReference(&in.Service, &out.Service, s); err != nil {
return err
}
out.URLPath = in.URLPath
out.URL = (*string)(unsafe.Pointer(in.URL))
out.Service = (*v1alpha1.ServiceReference)(unsafe.Pointer(in.Service))
out.CABundle = *(*[]byte)(unsafe.Pointer(&in.CABundle))
return nil
}

59
pkg/apis/admissionregistration/validation/validation.go
View File

@ -18,6 +18,7 @@ package validation
import (
"fmt"
"net/url"
"strings"
genericvalidation "k8s.io/apimachinery/pkg/api/validation"
@ -192,29 +193,69 @@ func validateWebhook(hook *admissionregistration.Webhook, fldPath *field.Path) f
allErrors = append(allErrors, field.NotSupported(fldPath.Child("failurePolicy"), *hook.FailurePolicy, supportedFailurePolicies.List()))
}
if len(hook.ClientConfig.URLPath) != 0 {
allErrors = append(allErrors, validateURLPath(fldPath.Child("clientConfig", "urlPath"), hook.ClientConfig.URLPath)...)
}
if hook.NamespaceSelector != nil {
allErrors = append(allErrors, metav1validation.ValidateLabelSelector(hook.NamespaceSelector, fldPath.Child("namespaceSelector"))...)
}
allErrors = append(allErrors, validateWebhookClientConfig(fldPath.Child("clientConfig"), &hook.ClientConfig)...)
return allErrors
}
func validateURLPath(fldPath *field.Path, urlPath string) field.ErrorList {
func validateWebhookClientConfig(fldPath *field.Path, cc *admissionregistration.WebhookClientConfig) field.ErrorList {
var allErrors field.ErrorList
if (cc.URL == nil) == (cc.Service == nil) {
allErrors = append(allErrors, field.Required(fldPath.Child("url"), "exactly one of url or service is required"))
}
if cc.URL != nil {
const form = "; desired format: https://host[/path]"
if u, err := url.Parse(*cc.URL); err != nil {
allErrors = append(allErrors, field.Required(fldPath.Child("url"), "url must be a valid URL: "+err.Error()+form))
} else {
if u.Scheme != "" && u.Scheme != "https" {
allErrors = append(allErrors, field.Required(fldPath.Child("url"), "'https' is the only allowed URL scheme"+form))
}
if len(u.Host) == 0 {
allErrors = append(allErrors, field.Required(fldPath.Child("url"), "host must be provided"+form))
}
}
}
if cc.Service != nil {
allErrors = append(allErrors, validateWebhookService(fldPath.Child("service"), cc.Service)...)
}
return allErrors
}
func validateWebhookService(fldPath *field.Path, svc *admissionregistration.ServiceReference) field.ErrorList {
var allErrors field.ErrorList
if len(svc.Name) == 0 {
allErrors = append(allErrors, field.Required(fldPath.Child("name"), "service name is required"))
}
if len(svc.Namespace) == 0 {
allErrors = append(allErrors, field.Required(fldPath.Child("namespace"), "service namespace is required"))
}
if svc.Path == nil {
return allErrors
}
// TODO: replace below with url.Parse + verifying that host is empty?
urlPath := *svc.Path
if urlPath == "/" || len(urlPath) == 0 {
return allErrors
}
if urlPath == "//" {
allErrors = append(allErrors, field.Invalid(fldPath, urlPath, "segment[0] may not be empty"))
allErrors = append(allErrors, field.Invalid(fldPath.Child("path"), urlPath, "segment[0] may not be empty"))
return allErrors
}
if !strings.HasPrefix(urlPath, "/") {
allErrors = append(allErrors, field.Invalid(fldPath, urlPath, "must start with a '/'"))
allErrors = append(allErrors, field.Invalid(fldPath.Child("path"), urlPath, "must start with a '/'"))
}
urlPathToCheck := urlPath[1:]
@ -224,12 +265,12 @@ func validateURLPath(fldPath *field.Path, urlPath string) field.ErrorList {
steps := strings.Split(urlPathToCheck, "/")
for i, step := range steps {
if len(step) == 0 {
allErrors = append(allErrors, field.Invalid(fldPath, urlPath, fmt.Sprintf("segment[%d] may not be empty", i)))
allErrors = append(allErrors, field.Invalid(fldPath.Child("path"), urlPath, fmt.Sprintf("segment[%d] may not be empty", i)))
continue
}
failures := validation.IsDNS1123Subdomain(step)
for _, failure := range failures {
allErrors = append(allErrors, field.Invalid(fldPath, urlPath, fmt.Sprintf("segment[%d]: %v", i, failure)))
allErrors = append(allErrors, field.Invalid(fldPath.Child("path"), urlPath, fmt.Sprintf("segment[%d]: %v", i, failure)))
}
}

181
pkg/apis/admissionregistration/validation/validation_test.go
View File

@ -231,6 +231,8 @@ func TestValidateInitializerConfiguration(t *testing.T) {
}
}
func strPtr(s string) *string { return &s }
func newValidatingWebhookConfiguration(hooks []admissionregistration.Webhook) *admissionregistration.ValidatingWebhookConfiguration {
return &admissionregistration.ValidatingWebhookConfiguration{
ObjectMeta: metav1.ObjectMeta{
@ -243,6 +245,9 @@ func newValidatingWebhookConfiguration(hooks []admissionregistration.Webhook) *a
// TODO: Add TestValidateMutatingWebhookConfiguration to test validation for mutating webhooks.
func TestValidateValidatingWebhookConfiguration(t *testing.T) {
validClientConfig := admissionregistration.WebhookClientConfig{
URL: strPtr("https://example.com"),
}
tests := []struct {
name string
config *admissionregistration.ValidatingWebhookConfiguration
@ -253,13 +258,16 @@ func TestValidateValidatingWebhookConfiguration(t *testing.T) {
config: newValidatingWebhookConfiguration(
[]admissionregistration.Webhook{
{
Name: "webhook.k8s.io",
Name: "webhook.k8s.io",
ClientConfig: validClientConfig,
},
{
Name: "k8s.io",
Name: "k8s.io",
ClientConfig: validClientConfig,
},
{
Name: "",
Name: "",
ClientConfig: validClientConfig,
},
}),
expectedError: `webhooks[1].name: Invalid value: "k8s.io": should be a domain with at least three segments separated by dots, webhooks[2].name: Required value`,
@ -357,7 +365,8 @@ func TestValidateValidatingWebhookConfiguration(t *testing.T) {
config: newValidatingWebhookConfiguration(
[]admissionregistration.Webhook{
{
Name: "webhook.k8s.io",
Name: "webhook.k8s.io",
ClientConfig: validClientConfig,
Rules: []admissionregistration.RuleWithOperations{
{
Operations: []admissionregistration.OperationType{"CREATE"},
@ -376,7 +385,8 @@ func TestValidateValidatingWebhookConfiguration(t *testing.T) {
config: newValidatingWebhookConfiguration(
[]admissionregistration.Webhook{
{
Name: "webhook.k8s.io",
Name: "webhook.k8s.io",
ClientConfig: validClientConfig,
Rules: []admissionregistration.RuleWithOperations{
{
Operations: []admissionregistration.OperationType{"CREATE"},
@ -396,7 +406,8 @@ func TestValidateValidatingWebhookConfiguration(t *testing.T) {
config: newValidatingWebhookConfiguration(
[]admissionregistration.Webhook{
{
Name: "webhook.k8s.io",
Name: "webhook.k8s.io",
ClientConfig: validClientConfig,
Rules: []admissionregistration.RuleWithOperations{
{
Operations: []admissionregistration.OperationType{"CREATE"},
@ -416,7 +427,8 @@ func TestValidateValidatingWebhookConfiguration(t *testing.T) {
config: newValidatingWebhookConfiguration(
[]admissionregistration.Webhook{
{
Name: "webhook.k8s.io",
Name: "webhook.k8s.io",
ClientConfig: validClientConfig,
Rules: []admissionregistration.RuleWithOperations{
{
Operations: []admissionregistration.OperationType{"CREATE"},
@ -435,7 +447,8 @@ func TestValidateValidatingWebhookConfiguration(t *testing.T) {
config: newValidatingWebhookConfiguration(
[]admissionregistration.Webhook{
{
Name: "webhook.k8s.io",
Name: "webhook.k8s.io",
ClientConfig: validClientConfig,
Rules: []admissionregistration.RuleWithOperations{
{
Operations: []admissionregistration.OperationType{"CREATE"},
@ -455,7 +468,8 @@ func TestValidateValidatingWebhookConfiguration(t *testing.T) {
config: newValidatingWebhookConfiguration(
[]admissionregistration.Webhook{
{
Name: "webhook.k8s.io",
Name: "webhook.k8s.io",
ClientConfig: validClientConfig,
Rules: []admissionregistration.RuleWithOperations{
{
Operations: []admissionregistration.OperationType{"CREATE"},
@ -475,7 +489,8 @@ func TestValidateValidatingWebhookConfiguration(t *testing.T) {
config: newValidatingWebhookConfiguration(
[]admissionregistration.Webhook{
{
Name: "webhook.k8s.io",
Name: "webhook.k8s.io",
ClientConfig: validClientConfig,
FailurePolicy: func() *admissionregistration.FailurePolicyType {
r := admissionregistration.FailurePolicyType("other")
return &r
@ -485,94 +500,202 @@ func TestValidateValidatingWebhookConfiguration(t *testing.T) {
expectedError: `webhooks[0].failurePolicy: Unsupported value: "other": supported values: "Fail", "Ignore"`,
},
{
name: "URLPath must start with slash",
name: "both service and URL missing",
config: newValidatingWebhookConfiguration(
[]admissionregistration.Webhook{
{
Name: "webhook.k8s.io",
ClientConfig: admissionregistration.WebhookClientConfig{},
},
}),
expectedError: `exactly one of`,
},
{
name: "both service and URL provided",
config: newValidatingWebhookConfiguration(
[]admissionregistration.Webhook{
{
Name: "webhook.k8s.io",
ClientConfig: admissionregistration.WebhookClientConfig{
URLPath: "foo/",
Service: &admissionregistration.ServiceReference{
Namespace: "ns",
Name: "n",
},
URL: strPtr("example.com/k8s/webhook"),
},
},
}),
expectedError: `clientConfig.urlPath: Invalid value: "foo/": must start with a '/'`,
expectedError: `[0].clientConfig.url: Required value: exactly one of url or service is required`,
},
{
name: "URLPath accepts slash",
name: "blank URL",
config: newValidatingWebhookConfiguration(
[]admissionregistration.Webhook{
{
Name: "webhook.k8s.io",
ClientConfig: admissionregistration.WebhookClientConfig{
URLPath: "/",
URL: strPtr(""),
},
},
}),
expectedError: `[0].clientConfig.url: Required value: host must be provided`,
},
{
name: "wrong scheme",
config: newValidatingWebhookConfiguration(
[]admissionregistration.Webhook{
{
Name: "webhook.k8s.io",
ClientConfig: admissionregistration.WebhookClientConfig{
URL: strPtr("http://example.com"),
},
},
}),
expectedError: `https`,
},
{
name: "missing host",
config: newValidatingWebhookConfiguration(
[]admissionregistration.Webhook{
{
Name: "webhook.k8s.io",
ClientConfig: admissionregistration.WebhookClientConfig{
URL: strPtr("https:///fancy/webhook"),
},
},
}),
expectedError: `host must be provided`,
},
{
name: "just totally wrong",
config: newValidatingWebhookConfiguration(
[]admissionregistration.Webhook{
{
Name: "webhook.k8s.io",
ClientConfig: admissionregistration.WebhookClientConfig{
URL: strPtr("arg#backwards=thisis?html.index/port:host//:https"),
},
},
}),
expectedError: `host must be provided`,
},
{
name: "path must start with slash",
config: newValidatingWebhookConfiguration(
[]admissionregistration.Webhook{
{
Name: "webhook.k8s.io",
ClientConfig: admissionregistration.WebhookClientConfig{
Service: &admissionregistration.ServiceReference{
Namespace: "ns",
Name: "n",
Path: strPtr("foo/"),
},
},
},
}),
expectedError: `clientConfig.service.path: Invalid value: "foo/": must start with a '/'`,
},
{
name: "path accepts slash",
config: newValidatingWebhookConfiguration(
[]admissionregistration.Webhook{
{
Name: "webhook.k8s.io",
ClientConfig: admissionregistration.WebhookClientConfig{
Service: &admissionregistration.ServiceReference{
Namespace: "ns",
Name: "n",
Path: strPtr("/"),
},
},
},
}),
expectedError: ``,
},
{
name: "URLPath accepts no trailing slash",
name: "path accepts no trailing slash",
config: newValidatingWebhookConfiguration(
[]admissionregistration.Webhook{
{
Name: "webhook.k8s.io",
ClientConfig: admissionregistration.WebhookClientConfig{
URLPath: "/foo",
Service: &admissionregistration.ServiceReference{
Namespace: "ns",
Name: "n",
Path: strPtr("/foo"),
},
},
},
}),
expectedError: ``,
},
{
name: "URLPath fails //",
name: "path fails //",
config: newValidatingWebhookConfiguration(
[]admissionregistration.Webhook{
{
Name: "webhook.k8s.io",
ClientConfig: admissionregistration.WebhookClientConfig{
URLPath: "//",
Service: &admissionregistration.ServiceReference{
Namespace: "ns",
Name: "n",
Path: strPtr("//"),
},
},
},
}),
expectedError: `clientConfig.urlPath: Invalid value: "//": segment[0] may not be empty`,
expectedError: `clientConfig.service.path: Invalid value: "//": segment[0] may not be empty`,
},
{
name: "URLPath no empty step",
name: "path no empty step",
config: newValidatingWebhookConfiguration(
[]admissionregistration.Webhook{
{
Name: "webhook.k8s.io",
ClientConfig: admissionregistration.WebhookClientConfig{
URLPath: "/foo//bar/",
Service: &admissionregistration.ServiceReference{
Namespace: "ns",
Name: "n",
Path: strPtr("/foo//bar/"),
},
},
},
}),
expectedError: `clientConfig.urlPath: Invalid value: "/foo//bar/": segment[1] may not be empty`,
expectedError: `clientConfig.service.path: Invalid value: "/foo//bar/": segment[1] may not be empty`,
}, {
name: "URLPath no empty step 2",
name: "path no empty step 2",
config: newValidatingWebhookConfiguration(
[]admissionregistration.Webhook{
{
Name: "webhook.k8s.io",
ClientConfig: admissionregistration.WebhookClientConfig{
URLPath: "/foo/bar//",
Service: &admissionregistration.ServiceReference{
Namespace: "ns",
Name: "n",
Path: strPtr("/foo/bar//"),
},
},
},
}),
expectedError: `clientConfig.urlPath: Invalid value: "/foo/bar//": segment[2] may not be empty`,
expectedError: `clientConfig.service.path: Invalid value: "/foo/bar//": segment[2] may not be empty`,
},
{
name: "URLPath no non-subdomain",
name: "path no non-subdomain",
config: newValidatingWebhookConfiguration(
[]admissionregistration.Webhook{
{
Name: "webhook.k8s.io",
ClientConfig: admissionregistration.WebhookClientConfig{
URLPath: "/apis/foo.bar/v1alpha1/--bad",
Service: &admissionregistration.ServiceReference{
Namespace: "ns",
Name: "n",
Path: strPtr("/apis/foo.bar/v1alpha1/--bad"),
},
},
},
}),
expectedError: `clientConfig.urlPath: Invalid value: "/apis/foo.bar/v1alpha1/--bad": segment[3]: a DNS-1123 subdomain`,
expectedError: `clientConfig.service.path: Invalid value: "/apis/foo.bar/v1alpha1/--bad": segment[3]: a DNS-1123 subdomain`,
},
}
for _, test := range tests {

28
pkg/apis/admissionregistration/zz_generated.deepcopy.go generated
View File

@ -240,6 +240,15 @@ func (in *RuleWithOperations) DeepCopy() *RuleWithOperations {
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *ServiceReference) DeepCopyInto(out *ServiceReference) {
*out = *in
if in.Path != nil {
in, out := &in.Path, &out.Path
if *in == nil {
*out = nil
} else {
*out = new(string)
**out = **in
}
}
return
}
@ -366,7 +375,24 @@ func (in *Webhook) DeepCopy() *Webhook {
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *WebhookClientConfig) DeepCopyInto(out *WebhookClientConfig) {
*out = *in
out.Service = in.Service
if in.URL != nil {
in, out := &in.URL, &out.URL
if *in == nil {
*out = nil
} else {
*out = new(string)
**out = **in
}
}
if in.Service != nil {
in, out := &in.Service, &out.Service
if *in == nil {
*out = nil
} else {
*out = new(ServiceReference)
(*in).DeepCopyInto(*out)
}
}
if in.CABundle != nil {
in, out := &in.CABundle, &out.CABundle
*out = make([]byte, len(*in))

216
staging/src/k8s.io/api/admissionregistration/v1alpha1/generated.pb.go generated
View File

@ -449,6 +449,12 @@ func (m *ServiceReference) MarshalTo(dAtA []byte) (int, error) {
i++
i = encodeVarintGenerated(dAtA, i, uint64(len(m.Name)))
i += copy(dAtA[i:], m.Name)
if m.Path != nil {
dAtA[i] = 0x1a
i++
i = encodeVarintGenerated(dAtA, i, uint64(len(*m.Path)))
i += copy(dAtA[i:], *m.Path)
}
return i, nil
}
@ -601,24 +607,28 @@ func (m *WebhookClientConfig) MarshalTo(dAtA []byte) (int, error) {
_ = i
var l int
_ = l
dAtA[i] = 0xa
i++
i = encodeVarintGenerated(dAtA, i, uint64(m.Service.Size()))
n10, err := m.Service.MarshalTo(dAtA[i:])
if err != nil {
return 0, err
if m.Service != nil {
dAtA[i] = 0xa
i++
i = encodeVarintGenerated(dAtA, i, uint64(m.Service.Size()))
n10, err := m.Service.MarshalTo(dAtA[i:])
if err != nil {
return 0, err
}
i += n10
}
i += n10
if m.CABundle != nil {
dAtA[i] = 0x12
i++
i = encodeVarintGenerated(dAtA, i, uint64(len(m.CABundle)))
i += copy(dAtA[i:], m.CABundle)
}
dAtA[i] = 0x1a
i++
i = encodeVarintGenerated(dAtA, i, uint64(len(m.URLPath)))
i += copy(dAtA[i:], m.URLPath)
if m.URL != nil {
dAtA[i] = 0x1a
i++
i = encodeVarintGenerated(dAtA, i, uint64(len(*m.URL)))
i += copy(dAtA[i:], *m.URL)
}
return i, nil
}
@ -764,6 +774,10 @@ func (m *ServiceReference) Size() (n int) {
n += 1 + l + sovGenerated(uint64(l))
l = len(m.Name)
n += 1 + l + sovGenerated(uint64(l))
if m.Path != nil {
l = len(*m.Path)
n += 1 + l + sovGenerated(uint64(l))
}
return n
}
@ -822,14 +836,18 @@ func (m *Webhook) Size() (n int) {
func (m *WebhookClientConfig) Size() (n int) {
var l int
_ = l
l = m.Service.Size()
n += 1 + l + sovGenerated(uint64(l))
if m.Service != nil {
l = m.Service.Size()
n += 1 + l + sovGenerated(uint64(l))
}
if m.CABundle != nil {
l = len(m.CABundle)
n += 1 + l + sovGenerated(uint64(l))
}
l = len(m.URLPath)
n += 1 + l + sovGenerated(uint64(l))
if m.URL != nil {
l = len(*m.URL)
n += 1 + l + sovGenerated(uint64(l))
}
return n
}
@ -931,6 +949,7 @@ func (this *ServiceReference) String() string {
s := strings.Join([]string{`&ServiceReference{`,
`Namespace:` + fmt.Sprintf("%v", this.Namespace) + `,`,
`Name:` + fmt.Sprintf("%v", this.Name) + `,`,
`Path:` + valueToStringGenerated(this.Path) + `,`,
`}`,
}, "")
return s
@ -976,9 +995,9 @@ func (this *WebhookClientConfig) String() string {
return "nil"
}
s := strings.Join([]string{`&WebhookClientConfig{`,
`Service:` + strings.Replace(strings.Replace(this.Service.String(), "ServiceReference", "ServiceReference", 1), `&`, ``, 1) + `,`,
`Service:` + strings.Replace(fmt.Sprintf("%v", this.Service), "ServiceReference", "ServiceReference", 1) + `,`,
`CABundle:` + valueToStringGenerated(this.CABundle) + `,`,
`URLPath:` + fmt.Sprintf("%v", this.URLPath) + `,`,
`URL:` + valueToStringGenerated(this.URL) + `,`,
`}`,
}, "")
return s
@ -1878,6 +1897,36 @@ func (m *ServiceReference) Unmarshal(dAtA []byte) error {
}
m.Name = string(dAtA[iNdEx:postIndex])
iNdEx = postIndex
case 3:
if wireType != 2 {
return fmt.Errorf("proto: wrong wireType = %d for field Path", wireType)
}
var stringLen uint64
for shift := uint(0); ; shift += 7 {
if shift >= 64 {
return ErrIntOverflowGenerated
}
if iNdEx >= l {
return io.ErrUnexpectedEOF
}
b := dAtA[iNdEx]
iNdEx++
stringLen |= (uint64(b) & 0x7F) << shift
if b < 0x80 {
break
}
}
intStringLen := int(stringLen)
if intStringLen < 0 {
return ErrInvalidLengthGenerated
}
postIndex := iNdEx + intStringLen
if postIndex > l {
return io.ErrUnexpectedEOF
}
s := string(dAtA[iNdEx:postIndex])
m.Path = &s
iNdEx = postIndex
default:
iNdEx = preIndex
skippy, err := skipGenerated(dAtA[iNdEx:])
@ -2379,6 +2428,9 @@ func (m *WebhookClientConfig) Unmarshal(dAtA []byte) error {
if postIndex > l {
return io.ErrUnexpectedEOF
}
if m.Service == nil {
m.Service = &ServiceReference{}
}
if err := m.Service.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
return err
}
@ -2416,7 +2468,7 @@ func (m *WebhookClientConfig) Unmarshal(dAtA []byte) error {
iNdEx = postIndex
case 3:
if wireType != 2 {
return fmt.Errorf("proto: wrong wireType = %d for field URLPath", wireType)
return fmt.Errorf("proto: wrong wireType = %d for field URL", wireType)
}
var stringLen uint64
for shift := uint(0); ; shift += 7 {
@ -2441,7 +2493,8 @@ func (m *WebhookClientConfig) Unmarshal(dAtA []byte) error {
if postIndex > l {
return io.ErrUnexpectedEOF
}
m.URLPath = string(dAtA[iNdEx:postIndex])
s := string(dAtA[iNdEx:postIndex])
m.URL = &s
iNdEx = postIndex
default:
iNdEx = preIndex
@ -2574,65 +2627,68 @@ func init() {
}
var fileDescriptorGenerated = []byte{
// 960 bytes of a gzipped FileDescriptorProto
0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xdc, 0x56, 0x4f, 0x6f, 0x23, 0xc5,
0x13, 0xf5, 0xc4, 0x8e, 0x62, 0xb7, 0x6d, 0xed, 0xa6, 0x7f, 0x3f, 0x24, 0x2b, 0x5a, 0x8d, 0xad,
0x39, 0xa0, 0xac, 0x10, 0x33, 0x24, 0x8b, 0x56, 0x48, 0x08, 0x50, 0x26, 0x12, 0x2b, 0x4b, 0xd9,
0x6c, 0xe8, 0x0d, 0xbb, 0x12, 0xe2, 0x40, 0x7b, 0x5c, 0xb6, 0x1b, 0x8f, 0x67, 0x46, 0xdd, 0x3d,
0x66, 0xc3, 0x89, 0x0b, 0x77, 0x24, 0xbe, 0x04, 0x1f, 0x25, 0xc7, 0x85, 0x03, 0xca, 0xc9, 0x22,
0x83, 0xc4, 0x91, 0x03, 0xc7, 0x3d, 0xa1, 0x9e, 0x7f, 0x1e, 0xc7, 0x71, 0x88, 0x39, 0xe4, 0xc0,
0xcd, 0x5d, 0xd5, 0xef, 0x55, 0xbd, 0xaa, 0xae, 0xf2, 0x20, 0x32, 0xfe, 0x40, 0x98, 0xcc, 0xb7,
0xc6, 0x61, 0x0f, 0xb8, 0x07, 0x12, 0x84, 0x35, 0x05, 0xaf, 0xef, 0x73, 0x2b, 0x75, 0xd0, 0x80,
0x59, 0xb4, 0x3f, 0x61, 0x42, 0x30, 0xdf, 0xe3, 0x30, 0x64, 0x42, 0x72, 0x2a, 0x99, 0xef, 0x59,
0xd3, 0x3d, 0xea, 0x06, 0x23, 0xba, 0x67, 0x0d, 0xc1, 0x03, 0x4e, 0x25, 0xf4, 0xcd, 0x80, 0xfb,
0xd2, 0xc7, 0x0f, 0x13, 0xa8, 0x49, 0x03, 0x66, 0x5e, 0x0b, 0x35, 0x33, 0xe8, 0xce, 0xbb, 0x43,
0x26, 0x47, 0x61, 0xcf, 0x74, 0xfc, 0x89, 0x35, 0xf4, 0x87, 0xbe, 0x15, 0x33, 0xf4, 0xc2, 0x41,
0x7c, 0x8a, 0x0f, 0xf1, 0xaf, 0x84, 0x79, 0xc7, 0x28, 0x24, 0xe5, 0xf8, 0x1c, 0xac, 0xe9, 0x52,
0xf4, 0x9d, 0xf7, 0xe7, 0x77, 0x26, 0xd4, 0x19, 0x31, 0x0f, 0xf8, 0x99, 0x15, 0x8c, 0x87, 0xca,
0x20, 0xac, 0x09, 0x48, 0x7a, 0x1d, 0xca, 0x5a, 0x85, 0xe2, 0xa1, 0x27, 0xd9, 0x04, 0x96, 0x00,
0x8f, 0xff, 0x09, 0x20, 0x9c, 0x11, 0x4c, 0xe8, 0x12, 0xee, 0xd1, 0x2a, 0x5c, 0x28, 0x99, 0x6b,
0x31, 0x4f, 0x0a, 0xc9, 0xaf, 0x82, 0x8c, 0xef, 0x35, 0x54, 0xef, 0x7a, 0x4c, 0x32, 0xea, 0xb2,
0x6f, 0x81, 0xe3, 0x0e, 0xaa, 0x78, 0x74, 0x02, 0x2d, 0xad, 0xa3, 0xed, 0xd6, 0xec, 0xc6, 0xf9,
0xac, 0x5d, 0x8a, 0x66, 0xed, 0xca, 0x31, 0x9d, 0x00, 0x89, 0x3d, 0xf8, 0x14, 0x6d, 0xf2, 0xd0,
0x05, 0xd1, 0xda, 0xe8, 0x94, 0x77, 0xeb, 0xfb, 0x96, 0x79, 0xeb, 0x9e, 0x98, 0x24, 0x74, 0xc1,
0x6e, 0xa6, 0x9c, 0x9b, 0xea, 0x24, 0x48, 0x42, 0x66, 0xfc, 0xa9, 0xa1, 0x56, 0x21, 0x8f, 0x43,
0xdf, 0x1b, 0xb0, 0x61, 0x98, 0x10, 0xe0, 0xaf, 0x50, 0x55, 0x55, 0xb7, 0x4f, 0x25, 0x8d, 0x13,
0xab, 0xef, 0xbf, 0x57, 0x88, 0x9a, 0x8b, 0x35, 0x83, 0xf1, 0x50, 0x19, 0x84, 0xa9, 0x6e, 0x9b,
0xd3, 0x3d, 0xf3, 0x59, 0xef, 0x6b, 0x70, 0xe4, 0x53, 0x90, 0xd4, 0xc6, 0x69, 0x58, 0x34, 0xb7,
0x91, 0x9c, 0x15, 0x07, 0xa8, 0xc1, 0xe6, 0xd1, 0x33, 0x6d, 0x8f, 0xd7, 0xd0, 0x56, 0x48, 0xde,
0xfe, 0x7f, 0x1a, 0xab, 0x51, 0x30, 0x0a, 0xb2, 0x10, 0xc1, 0xf8, 0x43, 0x43, 0x0f, 0x56, 0x09,
0x3e, 0x62, 0x42, 0xe2, 0x2f, 0x97, 0x44, 0x9b, 0xb7, 0x13, 0xad, 0xd0, 0xb1, 0xe4, 0xfb, 0x69,
0x1a, 0xd5, 0xcc, 0x52, 0x10, 0x3c, 0x42, 0x9b, 0x4c, 0xc2, 0x24, 0x53, 0x7a, 0xf8, 0xef, 0x94,
0x2e, 0x64, 0x3d, 0xef, 0x6c, 0x57, 0x31, 0x93, 0x24, 0x80, 0xf1, 0xab, 0x86, 0x1e, 0x3c, 0x0d,
0x25, 0x95, 0xcc, 0x1b, 0xbe, 0x84, 0xde, 0xc8, 0xf7, 0xc7, 0x77, 0xdd, 0xdd, 0x53, 0x54, 0x4d,
0x23, 0x67, 0x7a, 0xf7, 0xd7, 0xd0, 0x9b, 0x42, 0xed, 0x8a, 0x8a, 0x41, 0xaa, 0xdf, 0xa4, 0x4c,
0xea, 0xc9, 0x76, 0x6e, 0x12, 0x76, 0x07, 0x5d, 0x74, 0x17, 0xbb, 0xf8, 0x64, 0x0d, 0x55, 0x37,
0x65, 0xbe, 0xa2, 0x93, 0x3f, 0x6a, 0xa8, 0xa2, 0x86, 0x16, 0xbf, 0x83, 0x6a, 0x34, 0x60, 0x4f,
0xb8, 0x1f, 0x06, 0xa2, 0xa5, 0x75, 0xca, 0xbb, 0x35, 0xbb, 0x19, 0xcd, 0xda, 0xb5, 0x83, 0x93,
0x6e, 0x62, 0x24, 0x73, 0x3f, 0xde, 0x43, 0x75, 0x1a, 0xb0, 0x17, 0xc0, 0x55, 0x2e, 0x49, 0xa6,
0x35, 0xfb, 0x5e, 0x34, 0x6b, 0xd7, 0x0f, 0x4e, 0xba, 0x99, 0x99, 0x14, 0xef, 0x28, 0x7e, 0x0e,
0xc2, 0x0f, 0xb9, 0x03, 0xa2, 0x55, 0x9e, 0xf3, 0x93, 0xcc, 0x48, 0xe6, 0x7e, 0xe3, 0x27, 0x0d,
0x61, 0x95, 0xd5, 0x4b, 0x26, 0x47, 0xcf, 0x02, 0x48, 0x14, 0x08, 0xfc, 0x09, 0x42, 0x7e, 0x7e,
0x4a, 0x93, 0x6c, 0xc7, 0x2f, 0x24, 0xb7, 0xbe, 0x99, 0xb5, 0x9b, 0xf9, 0xe9, 0xf4, 0x2c, 0x00,
0x52, 0x80, 0xe0, 0xcf, 0x50, 0x45, 0xad, 0xa6, 0xd6, 0x46, 0xdc, 0xb5, 0xb5, 0xd7, 0x5c, 0xbe,
0x3a, 0xd5, 0x89, 0xc4, 0x54, 0x06, 0xa0, 0xfb, 0xcf, 0x81, 0x4f, 0x99, 0x03, 0x04, 0x06, 0xc0,
0xc1, 0x73, 0x00, 0x5b, 0xa8, 0xa6, 0xd6, 0xaa, 0x08, 0xa8, 0x93, 0x6d, 0xdd, 0xed, 0x14, 0x5a,
0x3b, 0xce, 0x1c, 0x64, 0x7e, 0x27, 0xdf, 0xd0, 0x1b, 0xab, 0x36, 0xb4, 0x71, 0xa1, 0x21, 0xfd,
0x05, 0x75, 0x59, 0xff, 0xbf, 0x37, 0x73, 0x7f, 0x69, 0xc8, 0xb8, 0x59, 0xda, 0x1d, 0x4c, 0x9d,
0xb7, 0x38, 0x75, 0xdd, 0x35, 0x74, 0xdd, 0x9c, 0xfb, 0x8a, 0xb9, 0xfb, 0xb9, 0x8c, 0xb6, 0xd2,
0xeb, 0xb7, 0xf8, 0x7f, 0x7e, 0x85, 0x1a, 0x8e, 0xcb, 0xc0, 0x93, 0x09, 0x75, 0xfa, 0x7e, 0x3f,
0x5e, 0xbf, 0xf8, 0x87, 0x05, 0x96, 0xf9, 0x5f, 0x5a, 0xd1, 0x4a, 0x16, 0x22, 0xe1, 0x5e, 0xf6,
0x65, 0x50, 0x8e, 0xeb, 0xf2, 0xd1, 0x9a, 0x23, 0xb3, 0x38, 0xc0, 0xd7, 0x7f, 0x27, 0xe0, 0x23,
0xd4, 0x1c, 0x50, 0xe6, 0x86, 0x1c, 0x4e, 0x7c, 0x97, 0x39, 0x67, 0xad, 0x4a, 0x5c, 0x88, 0xb7,
0xa3, 0x59, 0xbb, 0xf9, 0x69, 0xd1, 0xf1, 0x66, 0xd6, 0xde, 0x5e, 0x30, 0xc4, 0x03, 0xbe, 0x08,
0xc6, 0xaf, 0xd0, 0x76, 0x3e, 0x58, 0xcf, 0xc1, 0x05, 0x47, 0xfa, 0xbc, 0xb5, 0x19, 0x17, 0xec,
0xd1, 0x2d, 0x1f, 0x0c, 0xed, 0x81, 0x9b, 0x41, 0xed, 0xb7, 0xa2, 0x59, 0x7b, 0xfb, 0xf8, 0x2a,
0x23, 0x59, 0x0e, 0x62, 0xfc, 0xa2, 0xa1, 0xff, 0x5d, 0x53, 0x67, 0x3c, 0x40, 0x5b, 0x22, 0x59,
0x11, 0xe9, 0xc3, 0xfd, 0x70, 0x8d, 0x2a, 0x5e, 0x5d, 0x2e, 0xf6, 0xbd, 0xb4, 0x86, 0x5b, 0x99,
0x27, 0x23, 0xc7, 0xbb, 0xa8, 0xea, 0x50, 0x3b, 0xf4, 0xfa, 0xe9, 0x86, 0x6b, 0xd8, 0x0d, 0xf5,
0xda, 0x0f, 0x0f, 0x12, 0x1b, 0xc9, 0xbd, 0xf8, 0x21, 0xda, 0x0a, 0xb9, 0x7b, 0x42, 0xe5, 0xa8,
0x55, 0x8e, 0x6b, 0x9d, 0x93, 0x7e, 0x4e, 0x8e, 0x94, 0x99, 0x64, 0x7e, 0xdb, 0x3c, 0xbf, 0xd4,
0x4b, 0xaf, 0x2f, 0xf5, 0xd2, 0xc5, 0xa5, 0x5e, 0xfa, 0x2e, 0xd2, 0xb5, 0xf3, 0x48, 0xd7, 0x5e,
0x47, 0xba, 0x76, 0x11, 0xe9, 0xda, 0x6f, 0x91, 0xae, 0xfd, 0xf0, 0xbb, 0x5e, 0xfa, 0xa2, 0x9a,
0xe5, 0xfb, 0x77, 0x00, 0x00, 0x00, 0xff, 0xff, 0x37, 0xaf, 0xd5, 0xfa, 0x23, 0x0c, 0x00, 0x00,
// 1001 bytes of a gzipped FileDescriptorProto
0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xdc, 0x56, 0xcf, 0x6f, 0xe3, 0x44,
0x14, 0xae, 0x9b, 0x54, 0x4d, 0x26, 0xa9, 0xd8, 0x1a, 0x90, 0x42, 0x55, 0xd9, 0x91, 0x0f, 0xa8,
0x08, 0xad, 0x4d, 0xba, 0x68, 0x85, 0x84, 0x00, 0xd5, 0x95, 0x58, 0x45, 0x6a, 0xbb, 0x65, 0xb6,
0xec, 0x4a, 0x88, 0x03, 0x13, 0xe7, 0x35, 0x19, 0xe2, 0xd8, 0xd6, 0xcc, 0x38, 0xb4, 0x9c, 0x90,
0x10, 0x77, 0x24, 0xfe, 0x09, 0xfe, 0x0a, 0xce, 0x3d, 0x2e, 0x17, 0xd4, 0x93, 0x45, 0x8d, 0xc4,
0x91, 0x03, 0xc7, 0x3d, 0xa1, 0xf1, 0x8f, 0xd8, 0x69, 0x9a, 0xd2, 0x70, 0xe8, 0x81, 0x5b, 0xe6,
0x7b, 0xf3, 0x7d, 0xef, 0x7d, 0x33, 0xf3, 0x5e, 0x8c, 0xf0, 0xe8, 0x03, 0x6e, 0x52, 0xdf, 0x1a,
0x85, 0x3d, 0x60, 0x1e, 0x08, 0xe0, 0xd6, 0x04, 0xbc, 0xbe, 0xcf, 0xac, 0x2c, 0x40, 0x02, 0x6a,
0x91, 0xfe, 0x98, 0x72, 0x4e, 0x7d, 0x8f, 0xc1, 0x80, 0x72, 0xc1, 0x88, 0xa0, 0xbe, 0x67, 0x4d,
0x3a, 0xc4, 0x0d, 0x86, 0xa4, 0x63, 0x0d, 0xc0, 0x03, 0x46, 0x04, 0xf4, 0xcd, 0x80, 0xf9, 0xc2,
0x57, 0xdf, 0x49, 0xa9, 0x26, 0x09, 0xa8, 0x79, 0x23, 0xd5, 0xcc, 0xa9, 0x5b, 0x0f, 0x07, 0x54,
0x0c, 0xc3, 0x9e, 0xe9, 0xf8, 0x63, 0x6b, 0xe0, 0x0f, 0x7c, 0x2b, 0x51, 0xe8, 0x85, 0xa7, 0xc9,
0x2a, 0x59, 0x24, 0xbf, 0x52, 0xe5, 0x2d, 0xa3, 0x54, 0x94, 0xe3, 0x33, 0xb0, 0x26, 0x73, 0xd9,
0xb7, 0x0e, 0x8b, 0x3d, 0x70, 0x26, 0xc0, 0x93, 0xc9, 0xf9, 0x43, 0x12, 0x50, 0x0e, 0x6c, 0x02,
0xcc, 0x0a, 0x46, 0x03, 0x19, 0xe3, 0xb3, 0x1b, 0xac, 0x49, 0xa7, 0x07, 0x62, 0xde, 0xcc, 0xd6,
0xfb, 0x85, 0xdc, 0x98, 0x38, 0x43, 0xea, 0x01, 0x3b, 0x2f, 0x34, 0xc6, 0x20, 0xc8, 0x4d, 0x45,
0x58, 0x8b, 0x58, 0x2c, 0xf4, 0x04, 0x1d, 0xc3, 0x1c, 0xe1, 0xf1, 0xbf, 0x11, 0xb8, 0x33, 0x84,
0x31, 0x99, 0xe3, 0x3d, 0x5a, 0xc4, 0x0b, 0x05, 0x75, 0x2d, 0xea, 0x09, 0x2e, 0xd8, 0x75, 0x92,
0xf1, 0x83, 0x82, 0x1a, 0x5d, 0x8f, 0x0a, 0x4a, 0x5c, 0xfa, 0x2d, 0x30, 0xb5, 0x8d, 0xaa, 0x1e,
0x19, 0x43, 0x4b, 0x69, 0x2b, 0x3b, 0x75, 0xbb, 0x79, 0x11, 0xe9, 0x2b, 0x71, 0xa4, 0x57, 0x8f,
0xc8, 0x18, 0x70, 0x12, 0x51, 0x4f, 0xd0, 0x1a, 0x0b, 0x5d, 0xe0, 0xad, 0xd5, 0x76, 0x65, 0xa7,
0xb1, 0x6b, 0x99, 0x77, 0xbe, 0x62, 0x13, 0x87, 0x2e, 0xd8, 0x1b, 0x99, 0xe6, 0x9a, 0x5c, 0x71,
0x9c, 0x8a, 0x19, 0x7f, 0x29, 0xa8, 0x55, 0xaa, 0x63, 0xdf, 0xf7, 0x4e, 0xe9, 0x20, 0x4c, 0x05,
0xd4, 0xaf, 0x50, 0x4d, 0x9e, 0x6e, 0x9f, 0x08, 0x92, 0x14, 0xd6, 0xd8, 0x7d, 0xaf, 0x94, 0x75,
0x6a, 0xd6, 0x0c, 0x46, 0x03, 0x09, 0x70, 0x53, 0xee, 0x36, 0x27, 0x1d, 0xf3, 0x69, 0xef, 0x6b,
0x70, 0xc4, 0x21, 0x08, 0x62, 0xab, 0x59, 0x5a, 0x54, 0x60, 0x78, 0xaa, 0xaa, 0x06, 0xa8, 0x49,
0x8b, 0xec, 0xb9, 0xb7, 0xc7, 0x4b, 0x78, 0x2b, 0x15, 0x6f, 0xbf, 0x91, 0xe5, 0x6a, 0x96, 0x40,
0x8e, 0x67, 0x32, 0x18, 0x7f, 0x2a, 0x68, 0x7b, 0x91, 0xe1, 0x03, 0xca, 0x85, 0xfa, 0xe5, 0x9c,
0x69, 0xf3, 0x6e, 0xa6, 0x25, 0x3b, 0xb1, 0xfc, 0x20, 0x2b, 0xa3, 0x96, 0x23, 0x25, 0xc3, 0x43,
0xb4, 0x46, 0x05, 0x8c, 0x73, 0xa7, 0xfb, 0xff, 0xcd, 0xe9, 0x4c, 0xd5, 0xc5, 0xcd, 0x76, 0xa5,
0x32, 0x4e, 0x13, 0x18, 0xbf, 0x29, 0x68, 0xfb, 0x30, 0x14, 0x44, 0x50, 0x6f, 0xf0, 0x02, 0x7a,
0x43, 0xdf, 0x1f, 0xdd, 0xf7, 0xed, 0x9e, 0xa0, 0x5a, 0x96, 0x39, 0xf7, 0xbb, 0xbb, 0x84, 0xdf,
0x8c, 0x6a, 0x57, 0x65, 0x0e, 0x5c, 0xfb, 0x26, 0x53, 0x92, 0x4f, 0xb6, 0x7d, 0x9b, 0xb1, 0x7b,
0xb8, 0x45, 0x77, 0xf6, 0x16, 0x9f, 0x2c, 0xe1, 0xea, 0xb6, 0xca, 0x17, 0xdc, 0xe4, 0x4f, 0x0a,
0xaa, 0xca, 0xa6, 0x55, 0xdf, 0x45, 0x75, 0x12, 0xd0, 0x27, 0xcc, 0x0f, 0x03, 0xde, 0x52, 0xda,
0x95, 0x9d, 0xba, 0xbd, 0x11, 0x47, 0x7a, 0x7d, 0xef, 0xb8, 0x9b, 0x82, 0xb8, 0x88, 0xab, 0x1d,
0xd4, 0x20, 0x01, 0x7d, 0x0e, 0x2c, 0x19, 0xae, 0x49, 0xa5, 0x75, 0xfb, 0xb5, 0x38, 0xd2, 0x1b,
0x7b, 0xc7, 0xdd, 0x1c, 0xc6, 0xe5, 0x3d, 0x52, 0x9f, 0x01, 0xf7, 0x43, 0xe6, 0x00, 0x6f, 0x55,
0x0a, 0x7d, 0x9c, 0x83, 0xb8, 0x88, 0x1b, 0x3f, 0x2b, 0x48, 0x95, 0x55, 0xbd, 0xa0, 0x62, 0xf8,
0x34, 0x80, 0xd4, 0x01, 0x57, 0x3f, 0x41, 0xc8, 0x9f, 0xae, 0xb2, 0x22, 0xf5, 0xe4, 0x85, 0x4c,
0xd1, 0x57, 0x91, 0xbe, 0x31, 0x5d, 0x9d, 0x9c, 0x07, 0x80, 0x4b, 0x14, 0xf5, 0x33, 0x54, 0x95,
0xa3, 0xa9, 0xb5, 0x9a, 0xdc, 0xda, 0xd2, 0x63, 0x6e, 0x3a, 0x3a, 0xe5, 0x0a, 0x27, 0x52, 0xc6,
0xf7, 0x0a, 0x7a, 0xf0, 0x0c, 0xd8, 0x84, 0x3a, 0x80, 0xe1, 0x14, 0x18, 0x78, 0x0e, 0xa8, 0x16,
0xaa, 0xcb, 0xb9, 0xca, 0x03, 0xe2, 0xe4, 0x63, 0x77, 0x33, 0xe3, 0xd6, 0x8f, 0xf2, 0x00, 0x2e,
0xf6, 0x4c, 0x47, 0xf4, 0xea, 0xc2, 0x11, 0xbd, 0x8d, 0xaa, 0x01, 0x11, 0xc3, 0x56, 0x25, 0xd9,
0x51, 0x93, 0xd1, 0x63, 0x22, 0x86, 0x38, 0x41, 0x8d, 0x4b, 0x05, 0x69, 0xcf, 0x89, 0x4b, 0xfb,
0xff, 0xbf, 0x96, 0xfc, 0x5b, 0x41, 0xc6, 0xed, 0xd6, 0xee, 0xa1, 0x29, 0xbd, 0xd9, 0xa6, 0xec,
0x2e, 0xe1, 0xeb, 0xf6, 0xda, 0x17, 0xb4, 0xe5, 0xaf, 0x15, 0xb4, 0x9e, 0x6d, 0xbf, 0xc3, 0xdf,
0xf7, 0x19, 0x6a, 0x3a, 0x2e, 0x05, 0x4f, 0xa4, 0xd2, 0xd9, 0xf3, 0xfe, 0x78, 0xf9, 0xc3, 0xdf,
0x2f, 0xa9, 0x14, 0xff, 0x78, 0x65, 0x14, 0xcf, 0x64, 0x52, 0x7b, 0xf9, 0x87, 0x43, 0x25, 0x39,
0x97, 0x8f, 0x96, 0xec, 0xa8, 0xd9, 0xfe, 0xbe, 0xf9, 0x33, 0x42, 0x3d, 0x40, 0x1b, 0xa7, 0x84,
0xba, 0x21, 0x83, 0x63, 0xdf, 0xa5, 0xce, 0x79, 0xab, 0x9a, 0x1c, 0xc4, 0xdb, 0x71, 0xa4, 0x6f,
0x7c, 0x5a, 0x0e, 0xbc, 0x8a, 0xf4, 0xcd, 0x19, 0x20, 0xe9, 0xff, 0x59, 0xb2, 0x7a, 0x86, 0x36,
0xa7, 0x6d, 0xf7, 0x0c, 0x5c, 0x70, 0x84, 0xcf, 0x5a, 0x6b, 0xc9, 0x81, 0x3d, 0xba, 0xe3, 0x83,
0x21, 0x3d, 0x70, 0x73, 0xaa, 0xfd, 0x66, 0x1c, 0xe9, 0x9b, 0x47, 0xd7, 0x15, 0xf1, 0x7c, 0x12,
0xe3, 0x17, 0x05, 0xbd, 0x7e, 0xc3, 0x39, 0xab, 0x3d, 0xb4, 0xce, 0xd3, 0x01, 0x92, 0x3d, 0xdc,
0x0f, 0x97, 0x38, 0xc5, 0xeb, 0xa3, 0xc7, 0x6e, 0xc4, 0x91, 0xbe, 0x9e, 0xa3, 0xb9, 0xb0, 0xba,
0x83, 0x6a, 0x0e, 0xb1, 0x43, 0xaf, 0x9f, 0x0d, 0xbf, 0xa6, 0xdd, 0x94, 0x2f, 0x7d, 0x7f, 0x2f,
0xc5, 0xf0, 0x34, 0xaa, 0xbe, 0x85, 0x2a, 0x21, 0x73, 0xb3, 0x31, 0xb3, 0x1e, 0x47, 0x7a, 0xe5,
0x73, 0x7c, 0x80, 0x25, 0x66, 0x9b, 0x17, 0x57, 0xda, 0xca, 0xcb, 0x2b, 0x6d, 0xe5, 0xf2, 0x4a,
0x5b, 0xf9, 0x2e, 0xd6, 0x94, 0x8b, 0x58, 0x53, 0x5e, 0xc6, 0x9a, 0x72, 0x19, 0x6b, 0xca, 0xef,
0xb1, 0xa6, 0xfc, 0xf8, 0x87, 0xb6, 0xf2, 0x45, 0x2d, 0xaf, 0xed, 0x9f, 0x00, 0x00, 0x00, 0xff,
0xff, 0xca, 0x86, 0x75, 0x7d, 0x7d, 0x0c, 0x00, 0x00,
}

57
staging/src/k8s.io/api/admissionregistration/v1alpha1/generated.proto
View File

@ -22,6 +22,7 @@ syntax = 'proto2';
package k8s.io.api.admissionregistration.v1alpha1;
import "k8s.io/api/core/v1/generated.proto";
import "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1/generated.proto";
import "k8s.io/apimachinery/pkg/apis/meta/v1/generated.proto";
import "k8s.io/apimachinery/pkg/runtime/generated.proto";
import "k8s.io/apimachinery/pkg/runtime/schema/generated.proto";
@ -147,13 +148,18 @@ message RuleWithOperations {
// ServiceReference holds a reference to Service.legacy.k8s.io
message ServiceReference {
// Namespace is the namespace of the service
// `namespace` is the namespace of the service.
// Required
optional string namespace = 1;
// Name is the name of the service
// `name` is the name of the service.
// Required
optional string name = 2;
// `path` is an optional URL path which will be sent in any request to
// this service.
// +optional
optional string path = 3;
}
// ValidatingWebhookConfiguration describes the configuration of and admission webhook that accept or reject and object without changing it.
@ -252,17 +258,46 @@ message Webhook {
// WebhookClientConfig contains the information to make a TLS
// connection with the webhook
message WebhookClientConfig {
// Service is a reference to the service for this webhook. If there is only
// one port open for the service, that port will be used. If there are multiple
// ports open, port 443 will be used if it is open, otherwise it is an error.
// Required
// `url` gives the location of the webhook, in standard URL form
// (`[scheme://]host:port/path`). Exactly one of `url` or `service`
// must be specified.
//
// The `host` should not refer to a service running in the cluster; use
// the `service` field instead. The host might be resolved via external
// DNS in some apiservers (e.g., `kube-apiserver` cannot resolve
// in-cluster DNS as that would be a layering violation). `host` may
// also be an IP address.
//
// Please note that using `localhost` or `127.0.0.1` as a `host` is
// risky unless you take great care to run this webhook on all hosts
// which run an apiserver which might need to make calls to this
// webhook. Such installs are likely to be non-portable, i.e., not easy
// to turn up in a new cluster.
//
// If the scheme is present, it must be "https://".
//
// A path is optional, and if present may be any string permissible in
// a URL. You may use the path to pass an arbitrary string to the
// webhook, for example, a cluster identifier.
//
// +optional
optional string url = 3;
// `service` is a reference to the service for this webhook. Either
// `service` or `url` must be specified.
//
// If the webhook is running within the cluster, then you should use `service`.
//
// If there is only one port open for the service, that port will be
// used. If there are multiple ports open, port 443 will be used if it
// is open, otherwise it is an error.
//
// +optional
optional ServiceReference service = 1;
// URLPath is an optional field that specifies the URL path to use when posting the AdmissionReview object.
optional string urlPath = 3;
// CABundle is a PEM encoded CA bundle which will be used to validate webhook's server certificate.
// Required
// `caBundle` is a PEM encoded CA bundle which will be used to validate
// the webhook's server certificate.
// Required.
optional bytes caBundle = 2;
}

56
staging/src/k8s.io/api/admissionregistration/v1alpha1/types.go
View File

@ -272,26 +272,60 @@ const (
// WebhookClientConfig contains the information to make a TLS
// connection with the webhook
type WebhookClientConfig struct {
// Service is a reference to the service for this webhook. If there is only
// one port open for the service, that port will be used. If there are multiple
// ports open, port 443 will be used if it is open, otherwise it is an error.
// Required
Service ServiceReference `json:"service" protobuf:"bytes,1,opt,name=service"`
// `url` gives the location of the webhook, in standard URL form
// (`[scheme://]host:port/path`). Exactly one of `url` or `service`
// must be specified.
//
// The `host` should not refer to a service running in the cluster; use
// the `service` field instead. The host might be resolved via external
// DNS in some apiservers (e.g., `kube-apiserver` cannot resolve
// in-cluster DNS as that would be a layering violation). `host` may
// also be an IP address.
//
// Please note that using `localhost` or `127.0.0.1` as a `host` is
// risky unless you take great care to run this webhook on all hosts
// which run an apiserver which might need to make calls to this
// webhook. Such installs are likely to be non-portable, i.e., not easy
// to turn up in a new cluster.
//
// If the scheme is present, it must be "https://".
//
// A path is optional, and if present may be any string permissible in
// a URL. You may use the path to pass an arbitrary string to the
// webhook, for example, a cluster identifier.
//
// +optional
URL *string `json:"url,omitempty" protobuf:"bytes,3,opt,name=url"`
// URLPath is an optional field that specifies the URL path to use when posting the AdmissionReview object.
URLPath string `json:"urlPath" protobuf:"bytes,3,opt,name=urlPath"`
// `service` is a reference to the service for this webhook. Either
// `service` or `url` must be specified.
//
// If the webhook is running within the cluster, then you should use `service`.
//
// If there is only one port open for the service, that port will be
// used. If there are multiple ports open, port 443 will be used if it
// is open, otherwise it is an error.
//
// +optional
Service *ServiceReference `json:"service" protobuf:"bytes,1,opt,name=service"`
// CABundle is a PEM encoded CA bundle which will be used to validate webhook's server certificate.
// Required
// `caBundle` is a PEM encoded CA bundle which will be used to validate
// the webhook's server certificate.
// Required.
CABundle []byte `json:"caBundle" protobuf:"bytes,2,opt,name=caBundle"`
}
// ServiceReference holds a reference to Service.legacy.k8s.io
type ServiceReference struct {
// Namespace is the namespace of the service
// `namespace` is the namespace of the service.
// Required
Namespace string `json:"namespace" protobuf:"bytes,1,opt,name=namespace"`
// Name is the name of the service
// `name` is the name of the service.
// Required
Name string `json:"name" protobuf:"bytes,2,opt,name=name"`
// `path` is an optional URL path which will be sent in any request to
// this service.
// +optional
Path *string `json:"path,omitempty" protobuf:"bytes,3,opt,name=path"`
}

11
staging/src/k8s.io/api/admissionregistration/v1alpha1/types_swagger_doc_generated.go generated
View File

@ -99,8 +99,9 @@ func (RuleWithOperations) SwaggerDoc() map[string]string {
var map_ServiceReference = map[string]string{
"": "ServiceReference holds a reference to Service.legacy.k8s.io",
"namespace": "Namespace is the namespace of the service Required",
"name": "Name is the name of the service Required",
"namespace": "`namespace` is the namespace of the service. Required",
"name": "`name` is the name of the service. Required",
"path": "`path` is an optional URL path which will be sent in any request to this service.",
}
func (ServiceReference) SwaggerDoc() map[string]string {
@ -142,9 +143,9 @@ func (Webhook) SwaggerDoc() map[string]string {
var map_WebhookClientConfig = map[string]string{
"": "WebhookClientConfig contains the information to make a TLS connection with the webhook",
"service": "Service is a reference to the service for this webhook. If there is only one port open for the service, that port will be used. If there are multiple ports open, port 443 will be used if it is open, otherwise it is an error. Required",
"urlPath": "URLPath is an optional field that specifies the URL path to use when posting the AdmissionReview object.",
"caBundle": "CABundle is a PEM encoded CA bundle which will be used to validate webhook's server certificate. Required",
"url": "`url` gives the location of the webhook, in standard URL form (`[scheme://]host:port/path`). Exactly one of `url` or `service` must be specified.\n\nThe `host` should not refer to a service running in the cluster; use the `service` field instead. The host might be resolved via external DNS in some apiservers (e.g., `kube-apiserver` cannot resolve in-cluster DNS as that would be a layering violation). `host` may also be an IP address.\n\nPlease note that using `localhost` or `127.0.0.1` as a `host` is risky unless you take great care to run this webhook on all hosts which run an apiserver which might need to make calls to this webhook. Such installs are likely to be non-portable, i.e., not easy to turn up in a new cluster.\n\nIf the scheme is present, it must be \"https://\".\n\nA path is optional, and if present may be any string permissible in a URL. You may use the path to pass an arbitrary string to the webhook, for example, a cluster identifier.",
"service": "`service` is a reference to the service for this webhook. Either `service` or `url` must be specified.\n\nIf the webhook is running within the cluster, then you should use `service`.\n\nIf there is only one port open for the service, that port will be used. If there are multiple ports open, port 443 will be used if it is open, otherwise it is an error.",
"caBundle": "`caBundle` is a PEM encoded CA bundle which will be used to validate the webhook's server certificate. Required.",
}
func (WebhookClientConfig) SwaggerDoc() map[string]string {

28
staging/src/k8s.io/api/admissionregistration/v1alpha1/zz_generated.deepcopy.go generated
View File

@ -240,6 +240,15 @@ func (in *RuleWithOperations) DeepCopy() *RuleWithOperations {
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *ServiceReference) DeepCopyInto(out *ServiceReference) {
*out = *in
if in.Path != nil {
in, out := &in.Path, &out.Path
if *in == nil {
*out = nil
} else {
*out = new(string)
**out = **in
}
}
return
}
@ -366,7 +375,24 @@ func (in *Webhook) DeepCopy() *Webhook {
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *WebhookClientConfig) DeepCopyInto(out *WebhookClientConfig) {
*out = *in
out.Service = in.Service
if in.URL != nil {
in, out := &in.URL, &out.URL
if *in == nil {
*out = nil
} else {
*out = new(string)
**out = **in
}
}
if in.Service != nil {
in, out := &in.Service, &out.Service
if *in == nil {
*out = nil
} else {
*out = new(ServiceReference)
(*in).DeepCopyInto(*out)
}
}
if in.CABundle != nil {
in, out := &in.CABundle, &out.CABundle
*out = make([]byte, len(*in))

95
staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook/admission.go
View File

@ -20,6 +20,7 @@ package webhook
import (
"context"
"encoding/json"
"errors"
"fmt"
"io"
"net"
@ -55,6 +56,10 @@ const (
defaultCacheSize = 200
)
var (
ErrNeedServiceOrURL = errors.New("webhook configuration must have either service or URL")
)
type ErrCallingWebhook struct {
WebhookName string
Reason error
@ -395,47 +400,71 @@ func toStatusErr(name string, result *metav1.Status) *apierrors.StatusError {
func (a *GenericAdmissionWebhook) hookClient(h *v1alpha1.Webhook) (*rest.RESTClient, error) {
cacheKey, err := json.Marshal(h.ClientConfig)
if err != nil {
return nil, err
}
if client, ok := a.cache.Get(string(cacheKey)); ok {
return client.(*rest.RESTClient), nil
}
serverName := h.ClientConfig.Service.Name + "." + h.ClientConfig.Service.Namespace + ".svc"
restConfig, err := a.authInfoResolver.ClientConfigFor(serverName)
complete := func(cfg *rest.Config) (*rest.RESTClient, error) {
cfg.TLSClientConfig.CAData = h.ClientConfig.CABundle
cfg.ContentConfig.NegotiatedSerializer = a.negotiatedSerializer
cfg.ContentConfig.ContentType = runtime.ContentTypeJSON
client, err := rest.UnversionedRESTClientFor(cfg)
if err == nil {
a.cache.Add(string(cacheKey), client)
}
return client, err
}
if svc := h.ClientConfig.Service; svc != nil {
serverName := svc.Name + "." + svc.Namespace + ".svc"
restConfig, err := a.authInfoResolver.ClientConfigFor(serverName)
if err != nil {
return nil, err
}
cfg := rest.CopyConfig(restConfig)
host := serverName + ":443"
cfg.Host = "https://" + host
if svc.Path != nil {
cfg.APIPath = *svc.Path
}
cfg.TLSClientConfig.ServerName = serverName
delegateDialer := cfg.Dial
if delegateDialer == nil {
delegateDialer = net.Dial
}
cfg.Dial = func(network, addr string) (net.Conn, error) {
if addr == host {
u, err := a.serviceResolver.ResolveEndpoint(svc.Namespace, svc.Name)
if err != nil {
return nil, err
}
addr = u.Host
}
return delegateDialer(network, addr)
}
return complete(cfg)
}
if h.ClientConfig.URL == nil {
return nil, &ErrCallingWebhook{WebhookName: h.Name, Reason: ErrNeedServiceOrURL}
}
u, err := url.Parse(*h.ClientConfig.URL)
if err != nil {
return nil, &ErrCallingWebhook{WebhookName: h.Name, Reason: fmt.Errorf("Unparsable URL: %v", err)}
}
restConfig, err := a.authInfoResolver.ClientConfigFor(u.Host)
if err != nil {
return nil, err
}
cfg := rest.CopyConfig(restConfig)
host := serverName + ":443"
cfg.Host = "https://" + host
cfg.APIPath = h.ClientConfig.URLPath
cfg.TLSClientConfig.ServerName = serverName
cfg.TLSClientConfig.CAData = h.ClientConfig.CABundle
cfg.ContentConfig.NegotiatedSerializer = a.negotiatedSerializer
cfg.ContentConfig.ContentType = runtime.ContentTypeJSON
cfg.Host = u.Host
cfg.APIPath = u.Path
// TODO: test if this is needed: cfg.TLSClientConfig.ServerName = u.Host
delegateDialer := cfg.Dial
if delegateDialer == nil {
delegateDialer = net.Dial
}
cfg.Dial = func(network, addr string) (net.Conn, error) {
if addr == host {
u, err := a.serviceResolver.ResolveEndpoint(h.ClientConfig.Service.Namespace, h.ClientConfig.Service.Name)
if err != nil {
return nil, err
}
addr = u.Host
}
return delegateDialer(network, addr)
}
client, err := rest.UnversionedRESTClientFor(cfg)
if err == nil {
a.cache.Add(string(cacheKey), client)
}
return client, err
return complete(cfg)
}

158
staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook/admission_test.go
View File

@ -89,6 +89,33 @@ func (f fakeNamespaceLister) Get(name string) (*corev1.Namespace, error) {
return nil, errors.NewNotFound(corev1.Resource("namespaces"), name)
}
// ccfgSVC returns a client config using the service reference mechanism.
func ccfgSVC(urlPath string) registrationv1alpha1.WebhookClientConfig {
return registrationv1alpha1.WebhookClientConfig{
Service: &registrationv1alpha1.ServiceReference{
Name: "webhook-test",
Namespace: "default",
Path: &urlPath,
},
CABundle: caCert,
}
}
type urlConfigGenerator struct {
baseURL *url.URL
}
// ccfgURL returns a client config using the URL mechanism.
func (c urlConfigGenerator) ccfgURL(urlPath string) registrationv1alpha1.WebhookClientConfig {
u2 := *c.baseURL
u2.Path = urlPath
urlString := u2.String()
return registrationv1alpha1.WebhookClientConfig{
URL: &urlString,
CABundle: caCert,
}
}
// TestAdmit tests that GenericAdmissionWebhook#Admit works as expected
func TestAdmit(t *testing.T) {
scheme := runtime.NewScheme()
@ -148,6 +175,8 @@ func TestAdmit(t *testing.T) {
UID: "webhook-test",
}
ccfgURL := urlConfigGenerator{serverURL}.ccfgURL
type test struct {
hookSource fakeHookSource
path string
@ -155,6 +184,15 @@ func TestAdmit(t *testing.T) {
errorContains string
}
matchEverythingRules := []registrationv1alpha1.RuleWithOperations{{
Operations: []registrationv1alpha1.OperationType{registrationv1alpha1.OperationAll},
Rule: registrationv1alpha1.Rule{
APIGroups: []string{"*"},
APIVersions: []string{"*"},
Resources: []string{"*/*"},
},
}}
policyFail := registrationv1alpha1.Fail
policyIgnore := registrationv1alpha1.Ignore
@ -163,7 +201,7 @@ func TestAdmit(t *testing.T) {
hookSource: fakeHookSource{
hooks: []registrationv1alpha1.Webhook{{
Name: "nomatch",
ClientConfig: newFakeHookClientConfig("disallow"),
ClientConfig: ccfgSVC("disallow"),
Rules: []registrationv1alpha1.RuleWithOperations{{
Operations: []registrationv1alpha1.OperationType{registrationv1alpha1.Create},
}},
@ -175,8 +213,8 @@ func TestAdmit(t *testing.T) {
hookSource: fakeHookSource{
hooks: []registrationv1alpha1.Webhook{{
Name: "allow",
ClientConfig: newFakeHookClientConfig("allow"),
Rules: newMatchEverythingRules(),
ClientConfig: ccfgSVC("allow"),
Rules: matchEverythingRules,
}},
},
expectAllow: true,
@ -185,8 +223,8 @@ func TestAdmit(t *testing.T) {
hookSource: fakeHookSource{
hooks: []registrationv1alpha1.Webhook{{
Name: "disallow",
ClientConfig: newFakeHookClientConfig("disallow"),
Rules: newMatchEverythingRules(),
ClientConfig: ccfgSVC("disallow"),
Rules: matchEverythingRules,
}},
},
errorContains: "without explanation",
@ -195,8 +233,8 @@ func TestAdmit(t *testing.T) {
hookSource: fakeHookSource{
hooks: []registrationv1alpha1.Webhook{{
Name: "disallowReason",
ClientConfig: newFakeHookClientConfig("disallowReason"),
Rules: newMatchEverythingRules(),
ClientConfig: ccfgSVC("disallowReason"),
Rules: matchEverythingRules,
}},
},
errorContains: "you shall not pass",
@ -205,7 +243,7 @@ func TestAdmit(t *testing.T) {
hookSource: fakeHookSource{
hooks: []registrationv1alpha1.Webhook{{
Name: "disallow",
ClientConfig: newFakeHookClientConfig("disallow"),
ClientConfig: ccfgSVC("disallow"),
Rules: newMatchEverythingRules(),
NamespaceSelector: &metav1.LabelSelector{
MatchExpressions: []metav1.LabelSelectorRequirement{{
@ -222,7 +260,7 @@ func TestAdmit(t *testing.T) {
hookSource: fakeHookSource{
hooks: []registrationv1alpha1.Webhook{{
Name: "disallow",
ClientConfig: newFakeHookClientConfig("disallow"),
ClientConfig: ccfgSVC("disallow"),
Rules: newMatchEverythingRules(),
NamespaceSelector: &metav1.LabelSelector{
MatchExpressions: []metav1.LabelSelectorRequirement{{
@ -239,18 +277,18 @@ func TestAdmit(t *testing.T) {
hookSource: fakeHookSource{
hooks: []registrationv1alpha1.Webhook{{
Name: "internalErr A",
ClientConfig: newFakeHookClientConfig("internalErr"),
Rules: newMatchEverythingRules(),
ClientConfig: ccfgSVC("internalErr"),
Rules: matchEverythingRules,
FailurePolicy: &policyIgnore,
}, {
Name: "internalErr B",
ClientConfig: newFakeHookClientConfig("internalErr"),
Rules: newMatchEverythingRules(),
ClientConfig: ccfgSVC("internalErr"),
Rules: matchEverythingRules,
FailurePolicy: &policyIgnore,
}, {
Name: "internalErr C",
ClientConfig: newFakeHookClientConfig("internalErr"),
Rules: newMatchEverythingRules(),
ClientConfig: ccfgSVC("internalErr"),
Rules: matchEverythingRules,
FailurePolicy: &policyIgnore,
}},
},
@ -260,16 +298,16 @@ func TestAdmit(t *testing.T) {
hookSource: fakeHookSource{
hooks: []registrationv1alpha1.Webhook{{
Name: "internalErr A",
ClientConfig: newFakeHookClientConfig("internalErr"),
Rules: newMatchEverythingRules(),
ClientConfig: ccfgSVC("internalErr"),
Rules: matchEverythingRules,
}, {
Name: "internalErr B",
ClientConfig: newFakeHookClientConfig("internalErr"),
Rules: newMatchEverythingRules(),
ClientConfig: ccfgSVC("internalErr"),
Rules: matchEverythingRules,
}, {
Name: "internalErr C",
ClientConfig: newFakeHookClientConfig("internalErr"),
Rules: newMatchEverythingRules(),
ClientConfig: ccfgSVC("internalErr"),
Rules: matchEverythingRules,
}},
},
expectAllow: false,
@ -278,23 +316,45 @@ func TestAdmit(t *testing.T) {
hookSource: fakeHookSource{
hooks: []registrationv1alpha1.Webhook{{
Name: "internalErr A",
ClientConfig: newFakeHookClientConfig("internalErr"),
Rules: newMatchEverythingRules(),
ClientConfig: ccfgSVC("internalErr"),
Rules: matchEverythingRules,
FailurePolicy: &policyFail,
}, {
Name: "internalErr B",
ClientConfig: newFakeHookClientConfig("internalErr"),
Rules: newMatchEverythingRules(),
ClientConfig: ccfgSVC("internalErr"),
Rules: matchEverythingRules,
FailurePolicy: &policyFail,
}, {
Name: "internalErr C",
ClientConfig: newFakeHookClientConfig("internalErr"),
Rules: newMatchEverythingRules(),
ClientConfig: ccfgSVC("internalErr"),
Rules: matchEverythingRules,
FailurePolicy: &policyFail,
}},
},
expectAllow: false,
},
"match & allow (url)": {
hookSource: fakeHookSource{
hooks: []registrationv1alpha1.Webhook{{
Name: "allow",
ClientConfig: ccfgURL("allow"),
Rules: matchEverythingRules,
}},
},
expectAllow: true,
},
"match & disallow (url)": {
hookSource: fakeHookSource{
hooks: []registrationv1alpha1.Webhook{{
Name: "disallow",
ClientConfig: ccfgURL("disallow"),
Rules: matchEverythingRules,
}},
},
errorContains: "without explanation",
},
// No need to test everything with the url case, since only the
// connection is different.
}
for name, tt := range table {
@ -378,6 +438,7 @@ func TestAdmitCachedClient(t *testing.T) {
Name: "webhook-test",
UID: "webhook-test",
}
ccfgURL := urlConfigGenerator{serverURL}.ccfgURL
type test struct {
name string
@ -393,7 +454,7 @@ func TestAdmitCachedClient(t *testing.T) {
hookSource: fakeHookSource{
hooks: []registrationv1alpha1.Webhook{{
Name: "cache1",
ClientConfig: newFakeHookClientConfig("allow"),
ClientConfig: ccfgSVC("allow"),
Rules: newMatchEverythingRules(),
FailurePolicy: &policyIgnore,
}},
@ -406,7 +467,7 @@ func TestAdmitCachedClient(t *testing.T) {
hookSource: fakeHookSource{
hooks: []registrationv1alpha1.Webhook{{
Name: "cache2",
ClientConfig: newFakeHookClientConfig("internalErr"),
ClientConfig: ccfgSVC("internalErr"),
Rules: newMatchEverythingRules(),
FailurePolicy: &policyIgnore,
}},
@ -419,7 +480,33 @@ func TestAdmitCachedClient(t *testing.T) {
hookSource: fakeHookSource{
hooks: []registrationv1alpha1.Webhook{{
Name: "cache3",
ClientConfig: newFakeHookClientConfig("allow"),
ClientConfig: ccfgSVC("allow"),
Rules: newMatchEverythingRules(),
FailurePolicy: &policyIgnore,
}},
},
expectAllow: true,
expectCache: false,
},
{
name: "cache 4",
hookSource: fakeHookSource{
hooks: []registrationv1alpha1.Webhook{{
Name: "cache4",
ClientConfig: ccfgURL("allow"),
Rules: newMatchEverythingRules(),
FailurePolicy: &policyIgnore,
}},
},
expectAllow: true,
expectCache: true,
},
{
name: "cache 5",
hookSource: fakeHookSource{
hooks: []registrationv1alpha1.Webhook{{
Name: "cache5",
ClientConfig: ccfgURL("allow"),
Rules: newMatchEverythingRules(),
FailurePolicy: &policyIgnore,
}},
@ -581,17 +668,6 @@ func TestToStatusErr(t *testing.T) {
}
}
func newFakeHookClientConfig(urlPath string) registrationv1alpha1.WebhookClientConfig {
return registrationv1alpha1.WebhookClientConfig{
Service: registrationv1alpha1.ServiceReference{
Name: "webhook-test",
Namespace: "default",
},
URLPath: urlPath,
CABundle: caCert,
}
}
func newMatchEverythingRules() []registrationv1alpha1.RuleWithOperations {
return []registrationv1alpha1.RuleWithOperations{{
Operations: []registrationv1alpha1.OperationType{registrationv1alpha1.OperationAll},

10
test/e2e/apimachinery/webhook.go
View File

@ -218,6 +218,8 @@ func deployWebhookAndService(f *framework.Framework, image string, context *cert
framework.ExpectNoError(err, "waiting for service %s/%s have %d endpoint", namespace, serviceName, 1)
}
func strPtr(s string) *string { return &s }
func registerWebhook(f *framework.Framework, context *certContext) {
client := f.ClientSet
By("Registering the webhook via the AdmissionRegistration API")
@ -239,11 +241,11 @@ func registerWebhook(f *framework.Framework, context *certContext) {
},
}},
ClientConfig: v1alpha1.WebhookClientConfig{
Service: v1alpha1.ServiceReference{
Service: &v1alpha1.ServiceReference{
Namespace: namespace,
Name: serviceName,
Path: strPtr("/pods"),
},
URLPath: "/pods",
CABundle: context.signingCert,
},
},
@ -268,11 +270,11 @@ func registerWebhook(f *framework.Framework, context *certContext) {
},
},
ClientConfig: v1alpha1.WebhookClientConfig{
Service: v1alpha1.ServiceReference{
Service: &v1alpha1.ServiceReference{
Namespace: namespace,
Name: serviceName,
Path: strPtr("/configmaps"),
},
URLPath: "/configmaps",
CABundle: context.signingCert,
},
},

4
test/integration/etcd/etcd_storage_path_test.go
View File

@ -382,11 +382,11 @@ var etcdStorageData = map[schema.GroupVersionResource]struct {
expectedEtcdPath: "/registry/initializerconfigurations/ic1",
},
gvr("admissionregistration.k8s.io", "v1alpha1", "validatingwebhookconfigurations"): {
stub: `{"metadata":{"name":"hook1","creationTimestamp":null},"webhooks":[{"name":"externaladmissionhook.k8s.io","clientConfig":{"service":{"namespace":"","name":""},"caBundle":null},"rules":[{"operations":["CREATE"],"apiGroups":["group"],"apiVersions":["version"],"resources":["resource"]}],"failurePolicy":"Ignore"}]}`,
stub: `{"metadata":{"name":"hook1","creationTimestamp":null},"webhooks":[{"name":"externaladmissionhook.k8s.io","clientConfig":{"service":{"namespace":"ns","name":"n"},"caBundle":null},"rules":[{"operations":["CREATE"],"apiGroups":["group"],"apiVersions":["version"],"resources":["resource"]}],"failurePolicy":"Ignore"}]}`,
expectedEtcdPath: "/registry/validatingwebhookconfigurations/hook1",
},
gvr("admissionregistration.k8s.io", "v1alpha1", "mutatingwebhookconfigurations"): {
stub: `{"metadata":{"name":"hook1","creationTimestamp":null},"webhooks":[{"name":"externaladmissionhook.k8s.io","clientConfig":{"service":{"namespace":"","name":""},"caBundle":null},"rules":[{"operations":["CREATE"],"apiGroups":["group"],"apiVersions":["version"],"resources":["resource"]}],"failurePolicy":"Ignore"}]}`,
stub: `{"metadata":{"name":"hook1","creationTimestamp":null},"webhooks":[{"name":"externaladmissionhook.k8s.io","clientConfig":{"service":{"namespace":"ns","name":"n"},"caBundle":null},"rules":[{"operations":["CREATE"],"apiGroups":["group"],"apiVersions":["version"],"resources":["resource"]}],"failurePolicy":"Ignore"}]}`,
expectedEtcdPath: "/registry/mutatingwebhookconfigurations/hook1",
},
// --