Merge pull request #54889 from lavalamp/wh-api

Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

Fix webhook API to also support URLs

ref: https://github.com/kubernetes/features/issues/492

```release-note
The dynamic admission webhook now supports a URL in addition to a service reference, to accommodate out-of-cluster webhooks.
```

api/openapi-spec/swagger.json

@@ -67928,11 +67928,15 @@
     ],
     "properties": {
      "name": {
-      "description": "Name is the name of the service Required",
+      "description": "`name` is the name of the service. Required",
       "type": "string"
      },
      "namespace": {
-      "description": "Namespace is the namespace of the service Required",
+      "description": "`namespace` is the namespace of the service. Required",
+      "type": "string"
+     },
+     "path": {
+      "description": "`path` is an optional URL path which will be sent in any request to this service.",
       "type": "string"
      }
     }
@@ -68039,22 +68043,20 @@
    "io.k8s.api.admissionregistration.v1alpha1.WebhookClientConfig": {
     "description": "WebhookClientConfig contains the information to make a TLS connection with the webhook",
     "required": [
-     "service",
-     "urlPath",
      "caBundle"
     ],
     "properties": {
      "caBundle": {
-      "description": "CABundle is a PEM encoded CA bundle which will be used to validate webhook's server certificate. Required",
+      "description": "`caBundle` is a PEM encoded CA bundle which will be used to validate the webhook's server certificate. Required.",
       "type": "string",
       "format": "byte"
      },
      "service": {
-      "description": "Service is a reference to the service for this webhook. If there is only one port open for the service, that port will be used. If there are multiple ports open, port 443 will be used if it is open, otherwise it is an error. Required",
+      "description": "`service` is a reference to the service for this webhook. Either `service` or `url` must be specified.\n\nIf the webhook is running within the cluster, then you should use `service`.\n\nIf there is only one port open for the service, that port will be used. If there are multiple ports open, port 443 will be used if it is open, otherwise it is an error.",
       "$ref": "#/definitions/io.k8s.api.admissionregistration.v1alpha1.ServiceReference"
      },
-     "urlPath": {
+     "url": {
-      "description": "URLPath is an optional field that specifies the URL path to use when posting the AdmissionReview object.",
+      "description": "`url` gives the location of the webhook, in standard URL form (`[scheme://]host:port/path`). Exactly one of `url` or `service` must be specified.\n\nThe `host` should not refer to a service running in the cluster; use the `service` field instead. The host might be resolved via external DNS in some apiservers (e.g., `kube-apiserver` cannot resolve in-cluster DNS as that would be a layering violation). `host` may also be an IP address.\n\nPlease note that using `localhost` or `127.0.0.1` as a `host` is risky unless you take great care to run this webhook on all hosts which run an apiserver which might need to make calls to this webhook. Such installs are likely to be non-portable, i.e., not easy to turn up in a new cluster.\n\nIf the scheme is present, it must be \"https://\".\n\nA path is optional, and if present may be any string permissible in a URL. You may use the path to pass an arbitrary string to the webhook, for example, a cluster identifier.",
       "type": "string"
      }
     }

api/swagger-spec/admissionregistration.k8s.io_v1alpha1.json

@@ -2631,21 +2631,20 @@
     "description": "WebhookClientConfig contains the information to make a TLS connection with the webhook",
     "required": [
      "service",
-     "urlPath",
      "caBundle"
     ],
     "properties": {
+     "url": {
+      "type": "string",
+      "description": "`url` gives the location of the webhook, in standard URL form (`[scheme://]host:port/path`). Exactly one of `url` or `service` must be specified.\n\nThe `host` should not refer to a service running in the cluster; use the `service` field instead. The host might be resolved via external DNS in some apiservers (e.g., `kube-apiserver` cannot resolve in-cluster DNS as that would be a layering violation). `host` may also be an IP address.\n\nPlease note that using `localhost` or `127.0.0.1` as a `host` is risky unless you take great care to run this webhook on all hosts which run an apiserver which might need to make calls to this webhook. Such installs are likely to be non-portable, i.e., not easy to turn up in a new cluster.\n\nIf the scheme is present, it must be \"https://\".\n\nA path is optional, and if present may be any string permissible in a URL. You may use the path to pass an arbitrary string to the webhook, for example, a cluster identifier."
+     },
      "service": {
       "$ref": "v1alpha1.ServiceReference",
-      "description": "Service is a reference to the service for this webhook. If there is only one port open for the service, that port will be used. If there are multiple ports open, port 443 will be used if it is open, otherwise it is an error. Required"
+      "description": "`service` is a reference to the service for this webhook. Either `service` or `url` must be specified.\n\nIf the webhook is running within the cluster, then you should use `service`.\n\nIf there is only one port open for the service, that port will be used. If there are multiple ports open, port 443 will be used if it is open, otherwise it is an error."
-     },
-     "urlPath": {
-      "type": "string",
-      "description": "URLPath is an optional field that specifies the URL path to use when posting the AdmissionReview object."
      },
      "caBundle": {
       "type": "string",
-      "description": "CABundle is a PEM encoded CA bundle which will be used to validate webhook's server certificate. Required"
+      "description": "`caBundle` is a PEM encoded CA bundle which will be used to validate the webhook's server certificate. Required."
      }
     }
    },
@@ -2659,11 +2658,15 @@
     "properties": {
      "namespace": {
       "type": "string",
-      "description": "Namespace is the namespace of the service Required"
+      "description": "`namespace` is the namespace of the service. Required"
      },
      "name": {
       "type": "string",
-      "description": "Name is the name of the service Required"
+      "description": "`name` is the name of the service. Required"
+     },
+     "path": {
+      "type": "string",
+      "description": "`path` is an optional URL path which will be sent in any request to this service."
      }
     }
    },

docs/api-reference/admissionregistration.k8s.io/v1alpha1/definitions.html

@@ -627,22 +627,34 @@ Depending on the enclosing object, subresources might not be allowed. Required.<
 </thead>
 <tbody>
 <tr>
+<td class="tableblock halign-left valign-top"><p class="tableblock">url</p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock"><code>url</code> gives the location of the webhook, in standard URL form (<code>[scheme://]host:port/path</code>). Exactly one of <code>url</code> or <code>service</code> must be specified.<br>
+<br>
+The <code>host</code> should not refer to a service running in the cluster; use the <code>service</code> field instead. The host might be resolved via external DNS in some apiservers (e.g., <code>kube-apiserver</code> cannot resolve in-cluster DNS as that would be a layering violation). <code>host</code> may also be an IP address.<br>
+<br>
+Please note that using <code>localhost</code> or <code>127.0.0.1</code> as a <code>host</code> is risky unless you take great care to run this webhook on all hosts which run an apiserver which might need to make calls to this webhook. Such installs are likely to be non-portable, i.e., not easy to turn up in a new cluster.<br>
+<br>
+If the scheme is present, it must be "https://".<br>
+<br>
+A path is optional, and if present may be any string permissible in a URL. You may use the path to pass an arbitrary string to the webhook, for example, a cluster identifier.</p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock">string</p></td>
+<td class="tableblock halign-left valign-top"></td>
+</tr>
+<tr>
 <td class="tableblock halign-left valign-top"><p class="tableblock">service</p></td>
-<td class="tableblock halign-left valign-top"><p class="tableblock">Service is a reference to the service for this webhook. If there is only one port open for the service, that port will be used. If there are multiple ports open, port 443 will be used if it is open, otherwise it is an error. Required</p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock"><code>service</code> is a reference to the service for this webhook. Either <code>service</code> or <code>url</code> must be specified.<br>
+<br>
+If the webhook is running within the cluster, then you should use <code>service</code>.<br>
+<br>
+If there is only one port open for the service, that port will be used. If there are multiple ports open, port 443 will be used if it is open, otherwise it is an error.</p></td>
 <td class="tableblock halign-left valign-top"><p class="tableblock">true</p></td>
 <td class="tableblock halign-left valign-top"><p class="tableblock"><a href="#_v1alpha1_servicereference">v1alpha1.ServiceReference</a></p></td>
 <td class="tableblock halign-left valign-top"></td>
 </tr>
 <tr>
-<td class="tableblock halign-left valign-top"><p class="tableblock">urlPath</p></td>
-<td class="tableblock halign-left valign-top"><p class="tableblock">URLPath is an optional field that specifies the URL path to use when posting the AdmissionReview object.</p></td>
-<td class="tableblock halign-left valign-top"><p class="tableblock">true</p></td>
-<td class="tableblock halign-left valign-top"><p class="tableblock">string</p></td>
-<td class="tableblock halign-left valign-top"></td>
-</tr>
-<tr>
 <td class="tableblock halign-left valign-top"><p class="tableblock">caBundle</p></td>
-<td class="tableblock halign-left valign-top"><p class="tableblock">CABundle is a PEM encoded CA bundle which will be used to validate webhook&#8217;s server certificate. Required</p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock"><code>caBundle</code> is a PEM encoded CA bundle which will be used to validate the webhook&#8217;s server certificate. Required.</p></td>
 <td class="tableblock halign-left valign-top"><p class="tableblock">true</p></td>
 <td class="tableblock halign-left valign-top"><p class="tableblock">string</p></td>
 <td class="tableblock halign-left valign-top"></td>
@@ -1070,18 +1082,25 @@ Depending on the enclosing object, subresources might not be allowed. Required.<
 <tbody>
 <tr>
 <td class="tableblock halign-left valign-top"><p class="tableblock">namespace</p></td>
-<td class="tableblock halign-left valign-top"><p class="tableblock">Namespace is the namespace of the service Required</p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock"><code>namespace</code> is the namespace of the service. Required</p></td>
 <td class="tableblock halign-left valign-top"><p class="tableblock">true</p></td>
 <td class="tableblock halign-left valign-top"><p class="tableblock">string</p></td>
 <td class="tableblock halign-left valign-top"></td>
 </tr>
 <tr>
 <td class="tableblock halign-left valign-top"><p class="tableblock">name</p></td>
-<td class="tableblock halign-left valign-top"><p class="tableblock">Name is the name of the service Required</p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock"><code>name</code> is the name of the service. Required</p></td>
 <td class="tableblock halign-left valign-top"><p class="tableblock">true</p></td>
 <td class="tableblock halign-left valign-top"><p class="tableblock">string</p></td>
 <td class="tableblock halign-left valign-top"></td>
 </tr>
+<tr>
+<td class="tableblock halign-left valign-top"><p class="tableblock">path</p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock"><code>path</code> is an optional URL path which will be sent in any request to this service.</p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock">string</p></td>
+<td class="tableblock halign-left valign-top"></td>
+</tr>
 </tbody>
 </table>
 

pkg/apis/admissionregistration/types.go

@@ -266,26 +266,60 @@ const (
 // WebhookClientConfig contains the information to make a TLS
 // connection with the webhook
 type WebhookClientConfig struct {
-	// Service is a reference to the service for this webhook. If there is only
+	// `url` gives the location of the webhook, in standard URL form
-	// one port open for the service, that port will be used. If there are multiple
+	// (`[scheme://]host:port/path`). Exactly one of `url` or `service`
-	// ports open, port 443 will be used if it is open, otherwise it is an error.
+	// must be specified.
-	// Required
+	//
-	Service ServiceReference
+	// The `host` should not refer to a service running in the cluster; use
+	// the `service` field instead. The host might be resolved via external
+	// DNS in some apiservers (e.g., `kube-apiserver` cannot resolve
+	// in-cluster DNS as that would be a layering violation). `host` may
+	// also be an IP address.
+	//
+	// Please note that using `localhost` or `127.0.0.1` as a `host` is
+	// risky unless you take great care to run this webhook on all hosts
+	// which run an apiserver which might need to make calls to this
+	// webhook. Such installs are likely to be non-portable, i.e., not easy
+	// to turn up in a new cluster.
+	//
+	// If the scheme is present, it must be "https://".
+	//
+	// A path is optional, and if present may be any string permissible in
+	// a URL. You may use the path to pass an arbitrary string to the
+	// webhook, for example, a cluster identifier.
+	//
+	// +optional
+	URL *string
 
-	// URLPath is an optional field that specifies the URL path to use when posting the AdmissionReview object.
+	// `service` is a reference to the service for this webhook. Either
-	URLPath string
+	// `service` or `url` must be specified.
+	//
+	// If the webhook is running within the cluster, then you should use `service`.
+	//
+	// If there is only one port open for the service, that port will be
+	// used. If there are multiple ports open, port 443 will be used if it
+	// is open, otherwise it is an error.
+	//
+	// +optional
+	Service *ServiceReference
 
-	// CABundle is a PEM encoded CA bundle which will be used to validate webhook's server certificate.
+	// `caBundle` is a PEM encoded CA bundle which will be used to validate
-	// Required
+	// the webhook's server certificate.
+	// Required.
 	CABundle []byte
 }
 
 // ServiceReference holds a reference to Service.legacy.k8s.io
 type ServiceReference struct {
-	// Namespace is the namespace of the service
+	// `namespace` is the namespace of the service.
 	// Required
 	Namespace string
-	// Name is the name of the service
+	// `name` is the name of the service.
 	// Required
 	Name string
+
+	// `path` is an optional URL path which will be sent in any request to
+	// this service.
+	// +optional
+	Path *string
 }

pkg/apis/admissionregistration/v1alpha1/zz_generated.conversion.go

@@ -227,6 +227,7 @@ func Convert_admissionregistration_RuleWithOperations_To_v1alpha1_RuleWithOperat
 func autoConvert_v1alpha1_ServiceReference_To_admissionregistration_ServiceReference(in *v1alpha1.ServiceReference, out *admissionregistration.ServiceReference, s conversion.Scope) error {
 	out.Namespace = in.Namespace
 	out.Name = in.Name
+	out.Path = (*string)(unsafe.Pointer(in.Path))
 	return nil
 }
 
@@ -238,6 +239,7 @@ func Convert_v1alpha1_ServiceReference_To_admissionregistration_ServiceReference
 func autoConvert_admissionregistration_ServiceReference_To_v1alpha1_ServiceReference(in *admissionregistration.ServiceReference, out *v1alpha1.ServiceReference, s conversion.Scope) error {
 	out.Namespace = in.Namespace
 	out.Name = in.Name
+	out.Path = (*string)(unsafe.Pointer(in.Path))
 	return nil
 }
 
@@ -323,10 +325,8 @@ func Convert_admissionregistration_Webhook_To_v1alpha1_Webhook(in *admissionregi
 }
 
 func autoConvert_v1alpha1_WebhookClientConfig_To_admissionregistration_WebhookClientConfig(in *v1alpha1.WebhookClientConfig, out *admissionregistration.WebhookClientConfig, s conversion.Scope) error {
-	if err := Convert_v1alpha1_ServiceReference_To_admissionregistration_ServiceReference(&in.Service, &out.Service, s); err != nil {
+	out.URL = (*string)(unsafe.Pointer(in.URL))
-		return err
+	out.Service = (*admissionregistration.ServiceReference)(unsafe.Pointer(in.Service))
-	}
-	out.URLPath = in.URLPath
 	out.CABundle = *(*[]byte)(unsafe.Pointer(&in.CABundle))
 	return nil
 }
@@ -337,10 +337,8 @@ func Convert_v1alpha1_WebhookClientConfig_To_admissionregistration_WebhookClient
 }
 
 func autoConvert_admissionregistration_WebhookClientConfig_To_v1alpha1_WebhookClientConfig(in *admissionregistration.WebhookClientConfig, out *v1alpha1.WebhookClientConfig, s conversion.Scope) error {
-	if err := Convert_admissionregistration_ServiceReference_To_v1alpha1_ServiceReference(&in.Service, &out.Service, s); err != nil {
+	out.URL = (*string)(unsafe.Pointer(in.URL))
-		return err
+	out.Service = (*v1alpha1.ServiceReference)(unsafe.Pointer(in.Service))
-	}
-	out.URLPath = in.URLPath
 	out.CABundle = *(*[]byte)(unsafe.Pointer(&in.CABundle))
 	return nil
 }

pkg/apis/admissionregistration/validation/validation.go

@@ -18,6 +18,7 @@ package validation
 
 import (
 	"fmt"
+	"net/url"
 	"strings"
 
 	genericvalidation "k8s.io/apimachinery/pkg/api/validation"
@@ -192,29 +193,69 @@ func validateWebhook(hook *admissionregistration.Webhook, fldPath *field.Path) f
 		allErrors = append(allErrors, field.NotSupported(fldPath.Child("failurePolicy"), *hook.FailurePolicy, supportedFailurePolicies.List()))
 	}
 
-	if len(hook.ClientConfig.URLPath) != 0 {
-		allErrors = append(allErrors, validateURLPath(fldPath.Child("clientConfig", "urlPath"), hook.ClientConfig.URLPath)...)
-	}
-
 	if hook.NamespaceSelector != nil {
 		allErrors = append(allErrors, metav1validation.ValidateLabelSelector(hook.NamespaceSelector, fldPath.Child("namespaceSelector"))...)
 	}
 
+	allErrors = append(allErrors, validateWebhookClientConfig(fldPath.Child("clientConfig"), &hook.ClientConfig)...)
+
 	return allErrors
 }
 
-func validateURLPath(fldPath *field.Path, urlPath string) field.ErrorList {
+func validateWebhookClientConfig(fldPath *field.Path, cc *admissionregistration.WebhookClientConfig) field.ErrorList {
 	var allErrors field.ErrorList
+	if (cc.URL == nil) == (cc.Service == nil) {
+		allErrors = append(allErrors, field.Required(fldPath.Child("url"), "exactly one of url or service is required"))
+	}
+
+	if cc.URL != nil {
+		const form = "; desired format: https://host[/path]"
+		if u, err := url.Parse(*cc.URL); err != nil {
+			allErrors = append(allErrors, field.Required(fldPath.Child("url"), "url must be a valid URL: "+err.Error()+form))
+		} else {
+			if u.Scheme != "" && u.Scheme != "https" {
+				allErrors = append(allErrors, field.Required(fldPath.Child("url"), "'https' is the only allowed URL scheme"+form))
+			}
+			if len(u.Host) == 0 {
+				allErrors = append(allErrors, field.Required(fldPath.Child("url"), "host must be provided"+form))
+			}
+		}
+	}
+
+	if cc.Service != nil {
+		allErrors = append(allErrors, validateWebhookService(fldPath.Child("service"), cc.Service)...)
+	}
+	return allErrors
+}
+
+func validateWebhookService(fldPath *field.Path, svc *admissionregistration.ServiceReference) field.ErrorList {
+	var allErrors field.ErrorList
+
+	if len(svc.Name) == 0 {
+		allErrors = append(allErrors, field.Required(fldPath.Child("name"), "service name is required"))
+	}
+
+	if len(svc.Namespace) == 0 {
+		allErrors = append(allErrors, field.Required(fldPath.Child("namespace"), "service namespace is required"))
+	}
+
+	if svc.Path == nil {
+		return allErrors
+	}
+
+	// TODO: replace below with url.Parse + verifying that host is empty?
+
+	urlPath := *svc.Path
 	if urlPath == "/" || len(urlPath) == 0 {
 		return allErrors
 	}
 	if urlPath == "//" {
-		allErrors = append(allErrors, field.Invalid(fldPath, urlPath, "segment[0] may not be empty"))
+		allErrors = append(allErrors, field.Invalid(fldPath.Child("path"), urlPath, "segment[0] may not be empty"))
 		return allErrors
 	}
 
 	if !strings.HasPrefix(urlPath, "/") {
-		allErrors = append(allErrors, field.Invalid(fldPath, urlPath, "must start with a '/'"))
+		allErrors = append(allErrors, field.Invalid(fldPath.Child("path"), urlPath, "must start with a '/'"))
 	}
 
 	urlPathToCheck := urlPath[1:]
@@ -224,12 +265,12 @@ func validateURLPath(fldPath *field.Path, urlPath string) field.ErrorList {
 	steps := strings.Split(urlPathToCheck, "/")
 	for i, step := range steps {
 		if len(step) == 0 {
-			allErrors = append(allErrors, field.Invalid(fldPath, urlPath, fmt.Sprintf("segment[%d] may not be empty", i)))
+			allErrors = append(allErrors, field.Invalid(fldPath.Child("path"), urlPath, fmt.Sprintf("segment[%d] may not be empty", i)))
 			continue
 		}
 		failures := validation.IsDNS1123Subdomain(step)
 		for _, failure := range failures {
-			allErrors = append(allErrors, field.Invalid(fldPath, urlPath, fmt.Sprintf("segment[%d]: %v", i, failure)))
+			allErrors = append(allErrors, field.Invalid(fldPath.Child("path"), urlPath, fmt.Sprintf("segment[%d]: %v", i, failure)))
 		}
 	}
 

pkg/apis/admissionregistration/validation/validation_test.go

@@ -231,6 +231,8 @@ func TestValidateInitializerConfiguration(t *testing.T) {
 	}
 }
 
+func strPtr(s string) *string { return &s }
+
 func newValidatingWebhookConfiguration(hooks []admissionregistration.Webhook) *admissionregistration.ValidatingWebhookConfiguration {
 	return &admissionregistration.ValidatingWebhookConfiguration{
 		ObjectMeta: metav1.ObjectMeta{
@@ -243,6 +245,9 @@ func newValidatingWebhookConfiguration(hooks []admissionregistration.Webhook) *a
 // TODO: Add TestValidateMutatingWebhookConfiguration to test validation for mutating webhooks.
 
 func TestValidateValidatingWebhookConfiguration(t *testing.T) {
+	validClientConfig := admissionregistration.WebhookClientConfig{
+		URL: strPtr("https://example.com"),
+	}
 	tests := []struct {
 		name          string
 		config        *admissionregistration.ValidatingWebhookConfiguration
@@ -254,12 +259,15 @@ func TestValidateValidatingWebhookConfiguration(t *testing.T) {
 				[]admissionregistration.Webhook{
 					{
 						Name:         "webhook.k8s.io",
+						ClientConfig: validClientConfig,
 					},
 					{
 						Name:         "k8s.io",
+						ClientConfig: validClientConfig,
 					},
 					{
 						Name:         "",
+						ClientConfig: validClientConfig,
 					},
 				}),
 			expectedError: `webhooks[1].name: Invalid value: "k8s.io": should be a domain with at least three segments separated by dots, webhooks[2].name: Required value`,
@@ -358,6 +366,7 @@ func TestValidateValidatingWebhookConfiguration(t *testing.T) {
 				[]admissionregistration.Webhook{
 					{
 						Name:         "webhook.k8s.io",
+						ClientConfig: validClientConfig,
 						Rules: []admissionregistration.RuleWithOperations{
 							{
 								Operations: []admissionregistration.OperationType{"CREATE"},
@@ -377,6 +386,7 @@ func TestValidateValidatingWebhookConfiguration(t *testing.T) {
 				[]admissionregistration.Webhook{
 					{
 						Name:         "webhook.k8s.io",
+						ClientConfig: validClientConfig,
 						Rules: []admissionregistration.RuleWithOperations{
 							{
 								Operations: []admissionregistration.OperationType{"CREATE"},
@@ -397,6 +407,7 @@ func TestValidateValidatingWebhookConfiguration(t *testing.T) {
 				[]admissionregistration.Webhook{
 					{
 						Name:         "webhook.k8s.io",
+						ClientConfig: validClientConfig,
 						Rules: []admissionregistration.RuleWithOperations{
 							{
 								Operations: []admissionregistration.OperationType{"CREATE"},
@@ -417,6 +428,7 @@ func TestValidateValidatingWebhookConfiguration(t *testing.T) {
 				[]admissionregistration.Webhook{
 					{
 						Name:         "webhook.k8s.io",
+						ClientConfig: validClientConfig,
 						Rules: []admissionregistration.RuleWithOperations{
 							{
 								Operations: []admissionregistration.OperationType{"CREATE"},
@@ -436,6 +448,7 @@ func TestValidateValidatingWebhookConfiguration(t *testing.T) {
 				[]admissionregistration.Webhook{
 					{
 						Name:         "webhook.k8s.io",
+						ClientConfig: validClientConfig,
 						Rules: []admissionregistration.RuleWithOperations{
 							{
 								Operations: []admissionregistration.OperationType{"CREATE"},
@@ -456,6 +469,7 @@ func TestValidateValidatingWebhookConfiguration(t *testing.T) {
 				[]admissionregistration.Webhook{
 					{
 						Name:         "webhook.k8s.io",
+						ClientConfig: validClientConfig,
 						Rules: []admissionregistration.RuleWithOperations{
 							{
 								Operations: []admissionregistration.OperationType{"CREATE"},
@@ -476,6 +490,7 @@ func TestValidateValidatingWebhookConfiguration(t *testing.T) {
 				[]admissionregistration.Webhook{
 					{
 						Name:         "webhook.k8s.io",
+						ClientConfig: validClientConfig,
 						FailurePolicy: func() *admissionregistration.FailurePolicyType {
 							r := admissionregistration.FailurePolicyType("other")
 							return &r
@@ -485,94 +500,202 @@ func TestValidateValidatingWebhookConfiguration(t *testing.T) {
 			expectedError: `webhooks[0].failurePolicy: Unsupported value: "other": supported values: "Fail", "Ignore"`,
 		},
 		{
-			name: "URLPath must start with slash",
+			name: "both service and URL missing",
+			config: newValidatingWebhookConfiguration(
+				[]admissionregistration.Webhook{
+					{
+						Name:         "webhook.k8s.io",
+						ClientConfig: admissionregistration.WebhookClientConfig{},
+					},
+				}),
+			expectedError: `exactly one of`,
+		},
+		{
+			name: "both service and URL provided",
 			config: newValidatingWebhookConfiguration(
 				[]admissionregistration.Webhook{
 					{
 						Name: "webhook.k8s.io",
 						ClientConfig: admissionregistration.WebhookClientConfig{
-							URLPath: "foo/",
+							Service: &admissionregistration.ServiceReference{
+								Namespace: "ns",
+								Name:      "n",
+							},
+							URL: strPtr("example.com/k8s/webhook"),
 						},
 					},
 				}),
-			expectedError: `clientConfig.urlPath: Invalid value: "foo/": must start with a '/'`,
+			expectedError: `[0].clientConfig.url: Required value: exactly one of url or service is required`,
 		},
 		{
-			name: "URLPath accepts slash",
+			name: "blank URL",
 			config: newValidatingWebhookConfiguration(
 				[]admissionregistration.Webhook{
 					{
 						Name: "webhook.k8s.io",
 						ClientConfig: admissionregistration.WebhookClientConfig{
-							URLPath: "/",
+							URL: strPtr(""),
+						},
+					},
+				}),
+			expectedError: `[0].clientConfig.url: Required value: host must be provided`,
+		},
+		{
+			name: "wrong scheme",
+			config: newValidatingWebhookConfiguration(
+				[]admissionregistration.Webhook{
+					{
+						Name: "webhook.k8s.io",
+						ClientConfig: admissionregistration.WebhookClientConfig{
+							URL: strPtr("http://example.com"),
+						},
+					},
+				}),
+			expectedError: `https`,
+		},
+		{
+			name: "missing host",
+			config: newValidatingWebhookConfiguration(
+				[]admissionregistration.Webhook{
+					{
+						Name: "webhook.k8s.io",
+						ClientConfig: admissionregistration.WebhookClientConfig{
+							URL: strPtr("https:///fancy/webhook"),
+						},
+					},
+				}),
+			expectedError: `host must be provided`,
+		},
+		{
+			name: "just totally wrong",
+			config: newValidatingWebhookConfiguration(
+				[]admissionregistration.Webhook{
+					{
+						Name: "webhook.k8s.io",
+						ClientConfig: admissionregistration.WebhookClientConfig{
+							URL: strPtr("arg#backwards=thisis?html.index/port:host//:https"),
+						},
+					},
+				}),
+			expectedError: `host must be provided`,
+		},
+		{
+			name: "path must start with slash",
+			config: newValidatingWebhookConfiguration(
+				[]admissionregistration.Webhook{
+					{
+						Name: "webhook.k8s.io",
+						ClientConfig: admissionregistration.WebhookClientConfig{
+							Service: &admissionregistration.ServiceReference{
+								Namespace: "ns",
+								Name:      "n",
+								Path:      strPtr("foo/"),
+							},
+						},
+					},
+				}),
+			expectedError: `clientConfig.service.path: Invalid value: "foo/": must start with a '/'`,
+		},
+		{
+			name: "path accepts slash",
+			config: newValidatingWebhookConfiguration(
+				[]admissionregistration.Webhook{
+					{
+						Name: "webhook.k8s.io",
+						ClientConfig: admissionregistration.WebhookClientConfig{
+							Service: &admissionregistration.ServiceReference{
+								Namespace: "ns",
+								Name:      "n",
+								Path:      strPtr("/"),
+							},
 						},
 					},
 				}),
 			expectedError: ``,
 		},
 		{
-			name: "URLPath accepts no trailing slash",
+			name: "path accepts no trailing slash",
 			config: newValidatingWebhookConfiguration(
 				[]admissionregistration.Webhook{
 					{
 						Name: "webhook.k8s.io",
 						ClientConfig: admissionregistration.WebhookClientConfig{
-							URLPath: "/foo",
+							Service: &admissionregistration.ServiceReference{
+								Namespace: "ns",
+								Name:      "n",
+								Path:      strPtr("/foo"),
+							},
 						},
 					},
 				}),
 			expectedError: ``,
 		},
 		{
-			name: "URLPath fails //",
+			name: "path fails //",
 			config: newValidatingWebhookConfiguration(
 				[]admissionregistration.Webhook{
 					{
 						Name: "webhook.k8s.io",
 						ClientConfig: admissionregistration.WebhookClientConfig{
-							URLPath: "//",
+							Service: &admissionregistration.ServiceReference{
+								Namespace: "ns",
+								Name:      "n",
+								Path:      strPtr("//"),
+							},
 						},
 					},
 				}),
-			expectedError: `clientConfig.urlPath: Invalid value: "//": segment[0] may not be empty`,
+			expectedError: `clientConfig.service.path: Invalid value: "//": segment[0] may not be empty`,
 		},
 		{
-			name: "URLPath no empty step",
+			name: "path no empty step",
 			config: newValidatingWebhookConfiguration(
 				[]admissionregistration.Webhook{
 					{
 						Name: "webhook.k8s.io",
 						ClientConfig: admissionregistration.WebhookClientConfig{
-							URLPath: "/foo//bar/",
+							Service: &admissionregistration.ServiceReference{
+								Namespace: "ns",
+								Name:      "n",
+								Path:      strPtr("/foo//bar/"),
+							},
 						},
 					},
 				}),
-			expectedError: `clientConfig.urlPath: Invalid value: "/foo//bar/": segment[1] may not be empty`,
+			expectedError: `clientConfig.service.path: Invalid value: "/foo//bar/": segment[1] may not be empty`,
 		}, {
-			name: "URLPath no empty step 2",
+			name: "path no empty step 2",
 			config: newValidatingWebhookConfiguration(
 				[]admissionregistration.Webhook{
 					{
 						Name: "webhook.k8s.io",
 						ClientConfig: admissionregistration.WebhookClientConfig{
-							URLPath: "/foo/bar//",
+							Service: &admissionregistration.ServiceReference{
+								Namespace: "ns",
+								Name:      "n",
+								Path:      strPtr("/foo/bar//"),
+							},
 						},
 					},
 				}),
-			expectedError: `clientConfig.urlPath: Invalid value: "/foo/bar//": segment[2] may not be empty`,
+			expectedError: `clientConfig.service.path: Invalid value: "/foo/bar//": segment[2] may not be empty`,
 		},
 		{
-			name: "URLPath no non-subdomain",
+			name: "path no non-subdomain",
 			config: newValidatingWebhookConfiguration(
 				[]admissionregistration.Webhook{
 					{
 						Name: "webhook.k8s.io",
 						ClientConfig: admissionregistration.WebhookClientConfig{
-							URLPath: "/apis/foo.bar/v1alpha1/--bad",
+							Service: &admissionregistration.ServiceReference{
+								Namespace: "ns",
+								Name:      "n",
+								Path:      strPtr("/apis/foo.bar/v1alpha1/--bad"),
+							},
 						},
 					},
 				}),
-			expectedError: `clientConfig.urlPath: Invalid value: "/apis/foo.bar/v1alpha1/--bad": segment[3]: a DNS-1123 subdomain`,
+			expectedError: `clientConfig.service.path: Invalid value: "/apis/foo.bar/v1alpha1/--bad": segment[3]: a DNS-1123 subdomain`,
 		},
 	}
 	for _, test := range tests {

pkg/apis/admissionregistration/zz_generated.deepcopy.go

@@ -240,6 +240,15 @@ func (in *RuleWithOperations) DeepCopy() *RuleWithOperations {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ServiceReference) DeepCopyInto(out *ServiceReference) {
 	*out = *in
+	if in.Path != nil {
+		in, out := &in.Path, &out.Path
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(string)
+			**out = **in
+		}
+	}
 	return
 }
 
@@ -366,7 +375,24 @@ func (in *Webhook) DeepCopy() *Webhook {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *WebhookClientConfig) DeepCopyInto(out *WebhookClientConfig) {
 	*out = *in
-	out.Service = in.Service
+	if in.URL != nil {
+		in, out := &in.URL, &out.URL
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(string)
+			**out = **in
+		}
+	}
+	if in.Service != nil {
+		in, out := &in.Service, &out.Service
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(ServiceReference)
+			(*in).DeepCopyInto(*out)
+		}
+	}
 	if in.CABundle != nil {
 		in, out := &in.CABundle, &out.CABundle
 		*out = make([]byte, len(*in))

staging/src/k8s.io/api/admissionregistration/v1alpha1/generated.pb.go

@@ -449,6 +449,12 @@ func (m *ServiceReference) MarshalTo(dAtA []byte) (int, error) {
 	i++
 	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Name)))
 	i += copy(dAtA[i:], m.Name)
+	if m.Path != nil {
+		dAtA[i] = 0x1a
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(len(*m.Path)))
+		i += copy(dAtA[i:], *m.Path)
+	}
 	return i, nil
 }
 
@@ -601,6 +607,7 @@ func (m *WebhookClientConfig) MarshalTo(dAtA []byte) (int, error) {
 	_ = i
 	var l int
 	_ = l
+	if m.Service != nil {
 		dAtA[i] = 0xa
 		i++
 		i = encodeVarintGenerated(dAtA, i, uint64(m.Service.Size()))
@@ -609,16 +616,19 @@ func (m *WebhookClientConfig) MarshalTo(dAtA []byte) (int, error) {
 			return 0, err
 		}
 		i += n10
+	}
 	if m.CABundle != nil {
 		dAtA[i] = 0x12
 		i++
 		i = encodeVarintGenerated(dAtA, i, uint64(len(m.CABundle)))
 		i += copy(dAtA[i:], m.CABundle)
 	}
+	if m.URL != nil {
 		dAtA[i] = 0x1a
 		i++
-	i = encodeVarintGenerated(dAtA, i, uint64(len(m.URLPath)))
+		i = encodeVarintGenerated(dAtA, i, uint64(len(*m.URL)))
-	i += copy(dAtA[i:], m.URLPath)
+		i += copy(dAtA[i:], *m.URL)
+	}
 	return i, nil
 }
 
@@ -764,6 +774,10 @@ func (m *ServiceReference) Size() (n int) {
 	n += 1 + l + sovGenerated(uint64(l))
 	l = len(m.Name)
 	n += 1 + l + sovGenerated(uint64(l))
+	if m.Path != nil {
+		l = len(*m.Path)
+		n += 1 + l + sovGenerated(uint64(l))
+	}
 	return n
 }
 
@@ -822,14 +836,18 @@ func (m *Webhook) Size() (n int) {
 func (m *WebhookClientConfig) Size() (n int) {
 	var l int
 	_ = l
+	if m.Service != nil {
 		l = m.Service.Size()
 		n += 1 + l + sovGenerated(uint64(l))
+	}
 	if m.CABundle != nil {
 		l = len(m.CABundle)
 		n += 1 + l + sovGenerated(uint64(l))
 	}
-	l = len(m.URLPath)
+	if m.URL != nil {
+		l = len(*m.URL)
 		n += 1 + l + sovGenerated(uint64(l))
+	}
 	return n
 }
 
@@ -931,6 +949,7 @@ func (this *ServiceReference) String() string {
 	s := strings.Join([]string{`&ServiceReference{`,
 		`Namespace:` + fmt.Sprintf("%v", this.Namespace) + `,`,
 		`Name:` + fmt.Sprintf("%v", this.Name) + `,`,
+		`Path:` + valueToStringGenerated(this.Path) + `,`,
 		`}`,
 	}, "")
 	return s
@@ -976,9 +995,9 @@ func (this *WebhookClientConfig) String() string {
 		return "nil"
 	}
 	s := strings.Join([]string{`&WebhookClientConfig{`,
-		`Service:` + strings.Replace(strings.Replace(this.Service.String(), "ServiceReference", "ServiceReference", 1), `&`, ``, 1) + `,`,
+		`Service:` + strings.Replace(fmt.Sprintf("%v", this.Service), "ServiceReference", "ServiceReference", 1) + `,`,
 		`CABundle:` + valueToStringGenerated(this.CABundle) + `,`,
-		`URLPath:` + fmt.Sprintf("%v", this.URLPath) + `,`,
+		`URL:` + valueToStringGenerated(this.URL) + `,`,
 		`}`,
 	}, "")
 	return s
@@ -1878,6 +1897,36 @@ func (m *ServiceReference) Unmarshal(dAtA []byte) error {
 			}
 			m.Name = string(dAtA[iNdEx:postIndex])
 			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Path", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			s := string(dAtA[iNdEx:postIndex])
+			m.Path = &s
+			iNdEx = postIndex
 		default:
 			iNdEx = preIndex
 			skippy, err := skipGenerated(dAtA[iNdEx:])
@@ -2379,6 +2428,9 @@ func (m *WebhookClientConfig) Unmarshal(dAtA []byte) error {
 			if postIndex > l {
 				return io.ErrUnexpectedEOF
 			}
+			if m.Service == nil {
+				m.Service = &ServiceReference{}
+			}
 			if err := m.Service.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
 				return err
 			}
@@ -2416,7 +2468,7 @@ func (m *WebhookClientConfig) Unmarshal(dAtA []byte) error {
 			iNdEx = postIndex
 		case 3:
 			if wireType != 2 {
-				return fmt.Errorf("proto: wrong wireType = %d for field URLPath", wireType)
+				return fmt.Errorf("proto: wrong wireType = %d for field URL", wireType)
 			}
 			var stringLen uint64
 			for shift := uint(0); ; shift += 7 {
@@ -2441,7 +2493,8 @@ func (m *WebhookClientConfig) Unmarshal(dAtA []byte) error {
 			if postIndex > l {
 				return io.ErrUnexpectedEOF
 			}
-			m.URLPath = string(dAtA[iNdEx:postIndex])
+			s := string(dAtA[iNdEx:postIndex])
+			m.URL = &s
 			iNdEx = postIndex
 		default:
 			iNdEx = preIndex
@@ -2574,65 +2627,68 @@ func init() {
 }
 
 var fileDescriptorGenerated = []byte{
-	// 960 bytes of a gzipped FileDescriptorProto
+	// 1001 bytes of a gzipped FileDescriptorProto
-	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xdc, 0x56, 0x4f, 0x6f, 0x23, 0xc5,
+	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xdc, 0x56, 0xcf, 0x6f, 0xe3, 0x44,
-	0x13, 0xf5, 0xc4, 0x8e, 0x62, 0xb7, 0x6d, 0xed, 0xa6, 0x7f, 0x3f, 0x24, 0x2b, 0x5a, 0x8d, 0xad,
+	0x14, 0xae, 0x9b, 0x54, 0x4d, 0x26, 0xa9, 0xd8, 0x1a, 0x90, 0x42, 0x55, 0xd9, 0x91, 0x0f, 0xa8,
-	0x39, 0xa0, 0xac, 0x10, 0x33, 0x24, 0x8b, 0x56, 0x48, 0x08, 0x50, 0x26, 0x12, 0x2b, 0x4b, 0xd9,
+	0x08, 0xad, 0x4d, 0xba, 0x68, 0x85, 0x84, 0x00, 0xd5, 0x95, 0x58, 0x45, 0x6a, 0xbb, 0x65, 0xb6,
-	0x6c, 0xe8, 0x0d, 0xbb, 0x12, 0xe2, 0x40, 0x7b, 0x5c, 0xb6, 0x1b, 0x8f, 0x67, 0x46, 0xdd, 0x3d,
+	0xec, 0x4a, 0x88, 0x03, 0x13, 0xe7, 0x35, 0x19, 0xe2, 0xd8, 0xd6, 0xcc, 0x38, 0xb4, 0x9c, 0x90,
-	0x66, 0xc3, 0x89, 0x0b, 0x77, 0x24, 0xbe, 0x04, 0x1f, 0x25, 0xc7, 0x85, 0x03, 0xca, 0xc9, 0x22,
+	0x10, 0x77, 0x24, 0xfe, 0x09, 0xfe, 0x0a, 0xce, 0x3d, 0x2e, 0x17, 0xd4, 0x93, 0x45, 0x8d, 0xc4,
-	0x83, 0xc4, 0x91, 0x03, 0xc7, 0x3d, 0xa1, 0x9e, 0x7f, 0x1e, 0xc7, 0x71, 0x88, 0x39, 0xe4, 0xc0,
+	0x91, 0x03, 0xc7, 0x3d, 0xa1, 0xf1, 0x8f, 0xd8, 0x69, 0x9a, 0xd2, 0x70, 0xe8, 0x81, 0x5b, 0xe6,
-	0xcd, 0x5d, 0xd5, 0xef, 0x55, 0xbd, 0xaa, 0xae, 0xf2, 0x20, 0x32, 0xfe, 0x40, 0x98, 0xcc, 0xb7,
+	0x7b, 0xf3, 0x7d, 0xef, 0x7d, 0x33, 0xf3, 0x5e, 0x8c, 0xf0, 0xe8, 0x03, 0x6e, 0x52, 0xdf, 0x1a,
-	0xc6, 0x61, 0x0f, 0xb8, 0x07, 0x12, 0x84, 0x35, 0x05, 0xaf, 0xef, 0x73, 0x2b, 0x75, 0xd0, 0x80,
+	0x85, 0x3d, 0x60, 0x1e, 0x08, 0xe0, 0xd6, 0x04, 0xbc, 0xbe, 0xcf, 0xac, 0x2c, 0x40, 0x02, 0x6a,
-	0x59, 0xb4, 0x3f, 0x61, 0x42, 0x30, 0xdf, 0xe3, 0x30, 0x64, 0x42, 0x72, 0x2a, 0x99, 0xef, 0x59,
+	0x91, 0xfe, 0x98, 0x72, 0x4e, 0x7d, 0x8f, 0xc1, 0x80, 0x72, 0xc1, 0x88, 0xa0, 0xbe, 0x67, 0x4d,
-	0xd3, 0x3d, 0xea, 0x06, 0x23, 0xba, 0x67, 0x0d, 0xc1, 0x03, 0x4e, 0x25, 0xf4, 0xcd, 0x80, 0xfb,
+	0x3a, 0xc4, 0x0d, 0x86, 0xa4, 0x63, 0x0d, 0xc0, 0x03, 0x46, 0x04, 0xf4, 0xcd, 0x80, 0xf9, 0xc2,
-	0xd2, 0xc7, 0x0f, 0x13, 0xa8, 0x49, 0x03, 0x66, 0x5e, 0x0b, 0x35, 0x33, 0xe8, 0xce, 0xbb, 0x43,
+	0x57, 0xdf, 0x49, 0xa9, 0x26, 0x09, 0xa8, 0x79, 0x23, 0xd5, 0xcc, 0xa9, 0x5b, 0x0f, 0x07, 0x54,
-	0x26, 0x47, 0x61, 0xcf, 0x74, 0xfc, 0x89, 0x35, 0xf4, 0x87, 0xbe, 0x15, 0x33, 0xf4, 0xc2, 0x41,
+	0x0c, 0xc3, 0x9e, 0xe9, 0xf8, 0x63, 0x6b, 0xe0, 0x0f, 0x7c, 0x2b, 0x51, 0xe8, 0x85, 0xa7, 0xc9,
-	0x7c, 0x8a, 0x0f, 0xf1, 0xaf, 0x84, 0x79, 0xc7, 0x28, 0x24, 0xe5, 0xf8, 0x1c, 0xac, 0xe9, 0x52,
+	0x2a, 0x59, 0x24, 0xbf, 0x52, 0xe5, 0x2d, 0xa3, 0x54, 0x94, 0xe3, 0x33, 0xb0, 0x26, 0x73, 0xd9,
-	0xf4, 0x9d, 0xf7, 0xe7, 0x77, 0x26, 0xd4, 0x19, 0x31, 0x0f, 0xf8, 0x99, 0x15, 0x8c, 0x87, 0xca,
+	0xb7, 0x0e, 0x8b, 0x3d, 0x70, 0x26, 0xc0, 0x93, 0xc9, 0xf9, 0x43, 0x12, 0x50, 0x0e, 0x6c, 0x02,
-	0x20, 0xac, 0x09, 0x48, 0x7a, 0x1d, 0xca, 0x5a, 0x85, 0xe2, 0xa1, 0x27, 0xd9, 0x04, 0x96, 0x00,
+	0xcc, 0x0a, 0x46, 0x03, 0x19, 0xe3, 0xb3, 0x1b, 0xac, 0x49, 0xa7, 0x07, 0x62, 0xde, 0xcc, 0xd6,
-	0x8f, 0xff, 0x09, 0x20, 0x9c, 0x11, 0x4c, 0xe8, 0x12, 0xee, 0xd1, 0x2a, 0x5c, 0x28, 0x99, 0x6b,
+	0xfb, 0x85, 0xdc, 0x98, 0x38, 0x43, 0xea, 0x01, 0x3b, 0x2f, 0x34, 0xc6, 0x20, 0xc8, 0x4d, 0x45,
-	0x31, 0x4f, 0x0a, 0xc9, 0xaf, 0x82, 0x8c, 0xef, 0x35, 0x54, 0xef, 0x7a, 0x4c, 0x32, 0xea, 0xb2,
+	0x58, 0x8b, 0x58, 0x2c, 0xf4, 0x04, 0x1d, 0xc3, 0x1c, 0xe1, 0xf1, 0xbf, 0x11, 0xb8, 0x33, 0x84,
-	0x6f, 0x81, 0xe3, 0x0e, 0xaa, 0x78, 0x74, 0x02, 0x2d, 0xad, 0xa3, 0xed, 0xd6, 0xec, 0xc6, 0xf9,
+	0x31, 0x99, 0xe3, 0x3d, 0x5a, 0xc4, 0x0b, 0x05, 0x75, 0x2d, 0xea, 0x09, 0x2e, 0xd8, 0x75, 0x92,
-	0xac, 0x5d, 0x8a, 0x66, 0xed, 0xca, 0x31, 0x9d, 0x00, 0x89, 0x3d, 0xf8, 0x14, 0x6d, 0xf2, 0xd0,
+	0xf1, 0x83, 0x82, 0x1a, 0x5d, 0x8f, 0x0a, 0x4a, 0x5c, 0xfa, 0x2d, 0x30, 0xb5, 0x8d, 0xaa, 0x1e,
-	0x05, 0xd1, 0xda, 0xe8, 0x94, 0x77, 0xeb, 0xfb, 0x96, 0x79, 0xeb, 0x9e, 0x98, 0x24, 0x74, 0xc1,
+	0x19, 0x43, 0x4b, 0x69, 0x2b, 0x3b, 0x75, 0xbb, 0x79, 0x11, 0xe9, 0x2b, 0x71, 0xa4, 0x57, 0x8f,
-	0x6e, 0xa6, 0x9c, 0x9b, 0xea, 0x24, 0x48, 0x42, 0x66, 0xfc, 0xa9, 0xa1, 0x56, 0x21, 0x8f, 0x43,
+	0xc8, 0x18, 0x70, 0x12, 0x51, 0x4f, 0xd0, 0x1a, 0x0b, 0x5d, 0xe0, 0xad, 0xd5, 0x76, 0x65, 0xa7,
-	0xdf, 0x1b, 0xb0, 0x61, 0x98, 0x10, 0xe0, 0xaf, 0x50, 0x55, 0x55, 0xb7, 0x4f, 0x25, 0x8d, 0x13,
+	0xb1, 0x6b, 0x99, 0x77, 0xbe, 0x62, 0x13, 0x87, 0x2e, 0xd8, 0x1b, 0x99, 0xe6, 0x9a, 0x5c, 0x71,
-	0xab, 0xef, 0xbf, 0x57, 0x88, 0x9a, 0x8b, 0x35, 0x83, 0xf1, 0x50, 0x19, 0x84, 0xa9, 0x6e, 0x9b,
+	0x9c, 0x8a, 0x19, 0x7f, 0x29, 0xa8, 0x55, 0xaa, 0x63, 0xdf, 0xf7, 0x4e, 0xe9, 0x20, 0x4c, 0x05,
-	0xd3, 0x3d, 0xf3, 0x59, 0xef, 0x6b, 0x70, 0xe4, 0x53, 0x90, 0xd4, 0xc6, 0x69, 0x58, 0x34, 0xb7,
+	0xd4, 0xaf, 0x50, 0x4d, 0x9e, 0x6e, 0x9f, 0x08, 0x92, 0x14, 0xd6, 0xd8, 0x7d, 0xaf, 0x94, 0x75,
-	0x91, 0x9c, 0x15, 0x07, 0xa8, 0xc1, 0xe6, 0xd1, 0x33, 0x6d, 0x8f, 0xd7, 0xd0, 0x56, 0x48, 0xde,
+	0x6a, 0xd6, 0x0c, 0x46, 0x03, 0x09, 0x70, 0x53, 0xee, 0x36, 0x27, 0x1d, 0xf3, 0x69, 0xef, 0x6b,
-	0xfe, 0x7f, 0x1a, 0xab, 0x51, 0x30, 0x0a, 0xb2, 0x10, 0xc1, 0xf8, 0x43, 0x43, 0x0f, 0x56, 0x09,
+	0x70, 0xc4, 0x21, 0x08, 0x62, 0xab, 0x59, 0x5a, 0x54, 0x60, 0x78, 0xaa, 0xaa, 0x06, 0xa8, 0x49,
-	0x3e, 0x62, 0x42, 0xe2, 0x2f, 0x97, 0x44, 0x9b, 0xb7, 0x13, 0xad, 0xd0, 0xb1, 0xe4, 0xfb, 0x69,
+	0x8b, 0xec, 0xb9, 0xb7, 0xc7, 0x4b, 0x78, 0x2b, 0x15, 0x6f, 0xbf, 0x91, 0xe5, 0x6a, 0x96, 0x40,
-	0x1a, 0xd5, 0xcc, 0x52, 0x10, 0x3c, 0x42, 0x9b, 0x4c, 0xc2, 0x24, 0x53, 0x7a, 0xf8, 0xef, 0x94,
+	0x8e, 0x67, 0x32, 0x18, 0x7f, 0x2a, 0x68, 0x7b, 0x91, 0xe1, 0x03, 0xca, 0x85, 0xfa, 0xe5, 0x9c,
-	0x2e, 0x64, 0x3d, 0xef, 0x6c, 0x57, 0x31, 0x93, 0x24, 0x80, 0xf1, 0xab, 0x86, 0x1e, 0x3c, 0x0d,
+	0x69, 0xf3, 0x6e, 0xa6, 0x25, 0x3b, 0xb1, 0xfc, 0x20, 0x2b, 0xa3, 0x96, 0x23, 0x25, 0xc3, 0x43,
-	0x25, 0x95, 0xcc, 0x1b, 0xbe, 0x84, 0xde, 0xc8, 0xf7, 0xc7, 0x77, 0xdd, 0xdd, 0x53, 0x54, 0x4d,
+	0xb4, 0x46, 0x05, 0x8c, 0x73, 0xa7, 0xfb, 0xff, 0xcd, 0xe9, 0x4c, 0xd5, 0xc5, 0xcd, 0x76, 0xa5,
-	0x23, 0x67, 0x7a, 0xf7, 0xd7, 0xd0, 0x9b, 0x42, 0xed, 0x8a, 0x8a, 0x41, 0xaa, 0xdf, 0xa4, 0x4c,
+	0x32, 0x4e, 0x13, 0x18, 0xbf, 0x29, 0x68, 0xfb, 0x30, 0x14, 0x44, 0x50, 0x6f, 0xf0, 0x02, 0x7a,
-	0xea, 0xc9, 0x76, 0x6e, 0x12, 0x76, 0x07, 0x5d, 0x74, 0x17, 0xbb, 0xf8, 0x64, 0x0d, 0x55, 0x37,
+	0x43, 0xdf, 0x1f, 0xdd, 0xf7, 0xed, 0x9e, 0xa0, 0x5a, 0x96, 0x39, 0xf7, 0xbb, 0xbb, 0x84, 0xdf,
-	0x65, 0xbe, 0xa2, 0x93, 0x3f, 0x6a, 0xa8, 0xa2, 0x86, 0x16, 0xbf, 0x83, 0x6a, 0x34, 0x60, 0x4f,
+	0x8c, 0x6a, 0x57, 0x65, 0x0e, 0x5c, 0xfb, 0x26, 0x53, 0x92, 0x4f, 0xb6, 0x7d, 0x9b, 0xb1, 0x7b,
-	0xb8, 0x1f, 0x06, 0xa2, 0xa5, 0x75, 0xca, 0xbb, 0x35, 0xbb, 0x19, 0xcd, 0xda, 0xb5, 0x83, 0x93,
+	0xb8, 0x45, 0x77, 0xf6, 0x16, 0x9f, 0x2c, 0xe1, 0xea, 0xb6, 0xca, 0x17, 0xdc, 0xe4, 0x4f, 0x0a,
-	0x6e, 0x62, 0x24, 0x73, 0x3f, 0xde, 0x43, 0x75, 0x1a, 0xb0, 0x17, 0xc0, 0x55, 0x2e, 0x49, 0xa6,
+	0xaa, 0xca, 0xa6, 0x55, 0xdf, 0x45, 0x75, 0x12, 0xd0, 0x27, 0xcc, 0x0f, 0x03, 0xde, 0x52, 0xda,
-	0x35, 0xfb, 0x5e, 0x34, 0x6b, 0xd7, 0x0f, 0x4e, 0xba, 0x99, 0x99, 0x14, 0xef, 0x28, 0x7e, 0x0e,
+	0x95, 0x9d, 0xba, 0xbd, 0x11, 0x47, 0x7a, 0x7d, 0xef, 0xb8, 0x9b, 0x82, 0xb8, 0x88, 0xab, 0x1d,
-	0xc2, 0x0f, 0xb9, 0x03, 0xa2, 0x55, 0x9e, 0xf3, 0x93, 0xcc, 0x48, 0xe6, 0x7e, 0xe3, 0x27, 0x0d,
+	0xd4, 0x20, 0x01, 0x7d, 0x0e, 0x2c, 0x19, 0xae, 0x49, 0xa5, 0x75, 0xfb, 0xb5, 0x38, 0xd2, 0x1b,
-	0x61, 0x95, 0xd5, 0x4b, 0x26, 0x47, 0xcf, 0x02, 0x48, 0x14, 0x08, 0xfc, 0x09, 0x42, 0x7e, 0x7e,
+	0x7b, 0xc7, 0xdd, 0x1c, 0xc6, 0xe5, 0x3d, 0x52, 0x9f, 0x01, 0xf7, 0x43, 0xe6, 0x00, 0x6f, 0x55,
-	0x4a, 0x93, 0x6c, 0xc7, 0x2f, 0x24, 0xb7, 0xbe, 0x99, 0xb5, 0x9b, 0xf9, 0xe9, 0xf4, 0x2c, 0x00,
+	0x0a, 0x7d, 0x9c, 0x83, 0xb8, 0x88, 0x1b, 0x3f, 0x2b, 0x48, 0x95, 0x55, 0xbd, 0xa0, 0x62, 0xf8,
-	0x52, 0x80, 0xe0, 0xcf, 0x50, 0x45, 0xad, 0xa6, 0xd6, 0x46, 0xdc, 0xb5, 0xb5, 0xd7, 0x5c, 0xbe,
+	0x34, 0x80, 0xd4, 0x01, 0x57, 0x3f, 0x41, 0xc8, 0x9f, 0xae, 0xb2, 0x22, 0xf5, 0xe4, 0x85, 0x4c,
-	0x3a, 0xd5, 0x89, 0xc4, 0x54, 0x06, 0xa0, 0xfb, 0xcf, 0x81, 0x4f, 0x99, 0x03, 0x04, 0x06, 0xc0,
+	0xd1, 0x57, 0x91, 0xbe, 0x31, 0x5d, 0x9d, 0x9c, 0x07, 0x80, 0x4b, 0x14, 0xf5, 0x33, 0x54, 0x95,
-	0xc1, 0x73, 0x00, 0x5b, 0xa8, 0xa6, 0xd6, 0xaa, 0x08, 0xa8, 0x93, 0x6d, 0xdd, 0xed, 0x14, 0x5a,
+	0xa3, 0xa9, 0xb5, 0x9a, 0xdc, 0xda, 0xd2, 0x63, 0x6e, 0x3a, 0x3a, 0xe5, 0x0a, 0x27, 0x52, 0xc6,
-	0x3b, 0xce, 0x1c, 0x64, 0x7e, 0x27, 0xdf, 0xd0, 0x1b, 0xab, 0x36, 0xb4, 0x71, 0xa1, 0x21, 0xfd,
+	0xf7, 0x0a, 0x7a, 0xf0, 0x0c, 0xd8, 0x84, 0x3a, 0x80, 0xe1, 0x14, 0x18, 0x78, 0x0e, 0xa8, 0x16,
-	0x05, 0x75, 0x59, 0xff, 0xbf, 0x37, 0x73, 0x7f, 0x69, 0xc8, 0xb8, 0x59, 0xda, 0x1d, 0x4c, 0x9d,
+	0xaa, 0xcb, 0xb9, 0xca, 0x03, 0xe2, 0xe4, 0x63, 0x77, 0x33, 0xe3, 0xd6, 0x8f, 0xf2, 0x00, 0x2e,
-	0xb7, 0x38, 0x75, 0xdd, 0x35, 0x74, 0xdd, 0x9c, 0xfb, 0x8a, 0xb9, 0xfb, 0xb9, 0x8c, 0xb6, 0xd2,
+	0xf6, 0x4c, 0x47, 0xf4, 0xea, 0xc2, 0x11, 0xbd, 0x8d, 0xaa, 0x01, 0x11, 0xc3, 0x56, 0x25, 0xd9,
-	0xeb, 0xb7, 0xf8, 0x7f, 0x7e, 0x85, 0x1a, 0x8e, 0xcb, 0xc0, 0x93, 0x09, 0x75, 0xfa, 0x7e, 0x3f,
+	0x51, 0x93, 0xd1, 0x63, 0x22, 0x86, 0x38, 0x41, 0x8d, 0x4b, 0x05, 0x69, 0xcf, 0x89, 0x4b, 0xfb,
-	0x5e, 0xbf, 0xf8, 0x87, 0x05, 0x96, 0xf9, 0x5f, 0x5a, 0xd1, 0x4a, 0x16, 0x22, 0xe1, 0x5e, 0xf6,
+	0xff, 0xbf, 0x96, 0xfc, 0x5b, 0x41, 0xc6, 0xed, 0xd6, 0xee, 0xa1, 0x29, 0xbd, 0xd9, 0xa6, 0xec,
-	0x65, 0x50, 0x8e, 0xeb, 0xf2, 0xd1, 0x9a, 0x23, 0xb3, 0x38, 0xc0, 0xd7, 0x7f, 0x27, 0xe0, 0x23,
+	0x2e, 0xe1, 0xeb, 0xf6, 0xda, 0x17, 0xb4, 0xe5, 0xaf, 0x15, 0xb4, 0x9e, 0x6d, 0xbf, 0xc3, 0xdf,
-	0xd4, 0x1c, 0x50, 0xe6, 0x86, 0x1c, 0x4e, 0x7c, 0x97, 0x39, 0x67, 0xad, 0x4a, 0x5c, 0x88, 0xb7,
+	0xf7, 0x19, 0x6a, 0x3a, 0x2e, 0x05, 0x4f, 0xa4, 0xd2, 0xd9, 0xf3, 0xfe, 0x78, 0xf9, 0xc3, 0xdf,
-	0xa3, 0x59, 0xbb, 0xf9, 0x69, 0xd1, 0xf1, 0x66, 0xd6, 0xde, 0x5e, 0x30, 0xc4, 0x03, 0xbe, 0x08,
+	0x2f, 0xa9, 0x14, 0xff, 0x78, 0x65, 0x14, 0xcf, 0x64, 0x52, 0x7b, 0xf9, 0x87, 0x43, 0x25, 0x39,
-	0xc6, 0xaf, 0xd0, 0x76, 0x3e, 0x58, 0xcf, 0xc1, 0x05, 0x47, 0xfa, 0xbc, 0xb5, 0x19, 0x17, 0xec,
+	0x97, 0x8f, 0x96, 0xec, 0xa8, 0xd9, 0xfe, 0xbe, 0xf9, 0x33, 0x42, 0x3d, 0x40, 0x1b, 0xa7, 0x84,
-	0xd1, 0x2d, 0x1f, 0x0c, 0xed, 0x81, 0x9b, 0x41, 0xed, 0xb7, 0xa2, 0x59, 0x7b, 0xfb, 0xf8, 0x2a,
+	0xba, 0x21, 0x83, 0x63, 0xdf, 0xa5, 0xce, 0x79, 0xab, 0x9a, 0x1c, 0xc4, 0xdb, 0x71, 0xa4, 0x6f,
-	0x23, 0x59, 0x0e, 0x62, 0xfc, 0xa2, 0xa1, 0xff, 0x5d, 0x53, 0x67, 0x3c, 0x40, 0x5b, 0x22, 0x59,
+	0x7c, 0x5a, 0x0e, 0xbc, 0x8a, 0xf4, 0xcd, 0x19, 0x20, 0xe9, 0xff, 0x59, 0xb2, 0x7a, 0x86, 0x36,
-	0x11, 0xe9, 0xc3, 0xfd, 0x70, 0x8d, 0x2a, 0x5e, 0x5d, 0x2e, 0xf6, 0xbd, 0xb4, 0x86, 0x5b, 0x99,
+	0xa7, 0x6d, 0xf7, 0x0c, 0x5c, 0x70, 0x84, 0xcf, 0x5a, 0x6b, 0xc9, 0x81, 0x3d, 0xba, 0xe3, 0x83,
-	0x27, 0x23, 0xc7, 0xbb, 0xa8, 0xea, 0x50, 0x3b, 0xf4, 0xfa, 0xe9, 0x86, 0x6b, 0xd8, 0x0d, 0xf5,
+	0x21, 0x3d, 0x70, 0x73, 0xaa, 0xfd, 0x66, 0x1c, 0xe9, 0x9b, 0x47, 0xd7, 0x15, 0xf1, 0x7c, 0x12,
-	0xda, 0x0f, 0x0f, 0x12, 0x1b, 0xc9, 0xbd, 0xf8, 0x21, 0xda, 0x0a, 0xb9, 0x7b, 0x42, 0xe5, 0xa8,
+	0xe3, 0x17, 0x05, 0xbd, 0x7e, 0xc3, 0x39, 0xab, 0x3d, 0xb4, 0xce, 0xd3, 0x01, 0x92, 0x3d, 0xdc,
-	0x55, 0x8e, 0x6b, 0x9d, 0x93, 0x7e, 0x4e, 0x8e, 0x94, 0x99, 0x64, 0x7e, 0xdb, 0x3c, 0xbf, 0xd4,
+	0x0f, 0x97, 0x38, 0xc5, 0xeb, 0xa3, 0xc7, 0x6e, 0xc4, 0x91, 0xbe, 0x9e, 0xa3, 0xb9, 0xb0, 0xba,
-	0x4b, 0xaf, 0x2f, 0xf5, 0xd2, 0xc5, 0xa5, 0x5e, 0xfa, 0x2e, 0xd2, 0xb5, 0xf3, 0x48, 0xd7, 0x5e,
+	0x83, 0x6a, 0x0e, 0xb1, 0x43, 0xaf, 0x9f, 0x0d, 0xbf, 0xa6, 0xdd, 0x94, 0x2f, 0x7d, 0x7f, 0x2f,
-	0x47, 0xba, 0x76, 0x11, 0xe9, 0xda, 0x6f, 0x91, 0xae, 0xfd, 0xf0, 0xbb, 0x5e, 0xfa, 0xa2, 0x9a,
+	0xc5, 0xf0, 0x34, 0xaa, 0xbe, 0x85, 0x2a, 0x21, 0x73, 0xb3, 0x31, 0xb3, 0x1e, 0x47, 0x7a, 0xe5,
-	0xe5, 0xfb, 0x77, 0x00, 0x00, 0x00, 0xff, 0xff, 0x37, 0xaf, 0xd5, 0xfa, 0x23, 0x0c, 0x00, 0x00,
+	0x73, 0x7c, 0x80, 0x25, 0x66, 0x9b, 0x17, 0x57, 0xda, 0xca, 0xcb, 0x2b, 0x6d, 0xe5, 0xf2, 0x4a,
+	0x5b, 0xf9, 0x2e, 0xd6, 0x94, 0x8b, 0x58, 0x53, 0x5e, 0xc6, 0x9a, 0x72, 0x19, 0x6b, 0xca, 0xef,
+	0xb1, 0xa6, 0xfc, 0xf8, 0x87, 0xb6, 0xf2, 0x45, 0x2d, 0xaf, 0xed, 0x9f, 0x00, 0x00, 0x00, 0xff,
+	0xff, 0xca, 0x86, 0x75, 0x7d, 0x7d, 0x0c, 0x00, 0x00,
 }

staging/src/k8s.io/api/admissionregistration/v1alpha1/generated.proto

@@ -22,6 +22,7 @@ syntax = 'proto2';
 package k8s.io.api.admissionregistration.v1alpha1;
 
 import "k8s.io/api/core/v1/generated.proto";
+import "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1/generated.proto";
 import "k8s.io/apimachinery/pkg/apis/meta/v1/generated.proto";
 import "k8s.io/apimachinery/pkg/runtime/generated.proto";
 import "k8s.io/apimachinery/pkg/runtime/schema/generated.proto";
@@ -147,13 +148,18 @@ message RuleWithOperations {
 
 // ServiceReference holds a reference to Service.legacy.k8s.io
 message ServiceReference {
-  // Namespace is the namespace of the service
+  // `namespace` is the namespace of the service.
   // Required
   optional string namespace = 1;
 
-  // Name is the name of the service
+  // `name` is the name of the service.
   // Required
   optional string name = 2;
+
+  // `path` is an optional URL path which will be sent in any request to
+  // this service.
+  // +optional
+  optional string path = 3;
 }
 
 // ValidatingWebhookConfiguration describes the configuration of and admission webhook that accept or reject and object without changing it.
@@ -252,17 +258,46 @@ message Webhook {
 // WebhookClientConfig contains the information to make a TLS
 // connection with the webhook
 message WebhookClientConfig {
-  // Service is a reference to the service for this webhook. If there is only
+  // `url` gives the location of the webhook, in standard URL form
-  // one port open for the service, that port will be used. If there are multiple
+  // (`[scheme://]host:port/path`). Exactly one of `url` or `service`
-  // ports open, port 443 will be used if it is open, otherwise it is an error.
+  // must be specified.
-  // Required
+  // 
+  // The `host` should not refer to a service running in the cluster; use
+  // the `service` field instead. The host might be resolved via external
+  // DNS in some apiservers (e.g., `kube-apiserver` cannot resolve
+  // in-cluster DNS as that would be a layering violation). `host` may
+  // also be an IP address.
+  // 
+  // Please note that using `localhost` or `127.0.0.1` as a `host` is
+  // risky unless you take great care to run this webhook on all hosts
+  // which run an apiserver which might need to make calls to this
+  // webhook. Such installs are likely to be non-portable, i.e., not easy
+  // to turn up in a new cluster.
+  // 
+  // If the scheme is present, it must be "https://".
+  // 
+  // A path is optional, and if present may be any string permissible in
+  // a URL. You may use the path to pass an arbitrary string to the
+  // webhook, for example, a cluster identifier.
+  // 
+  // +optional
+  optional string url = 3;
+
+  // `service` is a reference to the service for this webhook. Either
+  // `service` or `url` must be specified.
+  // 
+  // If the webhook is running within the cluster, then you should use `service`.
+  // 
+  // If there is only one port open for the service, that port will be
+  // used. If there are multiple ports open, port 443 will be used if it
+  // is open, otherwise it is an error.
+  // 
+  // +optional
   optional ServiceReference service = 1;
 
-  // URLPath is an optional field that specifies the URL path to use when posting the AdmissionReview object.
+  // `caBundle` is a PEM encoded CA bundle which will be used to validate
-  optional string urlPath = 3;
+  // the webhook's server certificate.
-
+  // Required.
-  // CABundle is a PEM encoded CA bundle which will be used to validate webhook's server certificate.
-  // Required
   optional bytes caBundle = 2;
 }
 

staging/src/k8s.io/api/admissionregistration/v1alpha1/types.go

@@ -272,26 +272,60 @@ const (
 // WebhookClientConfig contains the information to make a TLS
 // connection with the webhook
 type WebhookClientConfig struct {
-	// Service is a reference to the service for this webhook. If there is only
+	// `url` gives the location of the webhook, in standard URL form
-	// one port open for the service, that port will be used. If there are multiple
+	// (`[scheme://]host:port/path`). Exactly one of `url` or `service`
-	// ports open, port 443 will be used if it is open, otherwise it is an error.
+	// must be specified.
-	// Required
+	//
-	Service ServiceReference `json:"service" protobuf:"bytes,1,opt,name=service"`
+	// The `host` should not refer to a service running in the cluster; use
+	// the `service` field instead. The host might be resolved via external
+	// DNS in some apiservers (e.g., `kube-apiserver` cannot resolve
+	// in-cluster DNS as that would be a layering violation). `host` may
+	// also be an IP address.
+	//
+	// Please note that using `localhost` or `127.0.0.1` as a `host` is
+	// risky unless you take great care to run this webhook on all hosts
+	// which run an apiserver which might need to make calls to this
+	// webhook. Such installs are likely to be non-portable, i.e., not easy
+	// to turn up in a new cluster.
+	//
+	// If the scheme is present, it must be "https://".
+	//
+	// A path is optional, and if present may be any string permissible in
+	// a URL. You may use the path to pass an arbitrary string to the
+	// webhook, for example, a cluster identifier.
+	//
+	// +optional
+	URL *string `json:"url,omitempty" protobuf:"bytes,3,opt,name=url"`
 
-	// URLPath is an optional field that specifies the URL path to use when posting the AdmissionReview object.
+	// `service` is a reference to the service for this webhook. Either
-	URLPath string `json:"urlPath" protobuf:"bytes,3,opt,name=urlPath"`
+	// `service` or `url` must be specified.
+	//
+	// If the webhook is running within the cluster, then you should use `service`.
+	//
+	// If there is only one port open for the service, that port will be
+	// used. If there are multiple ports open, port 443 will be used if it
+	// is open, otherwise it is an error.
+	//
+	// +optional
+	Service *ServiceReference `json:"service" protobuf:"bytes,1,opt,name=service"`
 
-	// CABundle is a PEM encoded CA bundle which will be used to validate webhook's server certificate.
+	// `caBundle` is a PEM encoded CA bundle which will be used to validate
-	// Required
+	// the webhook's server certificate.
+	// Required.
 	CABundle []byte `json:"caBundle" protobuf:"bytes,2,opt,name=caBundle"`
 }
 
 // ServiceReference holds a reference to Service.legacy.k8s.io
 type ServiceReference struct {
-	// Namespace is the namespace of the service
+	// `namespace` is the namespace of the service.
 	// Required
 	Namespace string `json:"namespace" protobuf:"bytes,1,opt,name=namespace"`
-	// Name is the name of the service
+	// `name` is the name of the service.
 	// Required
 	Name string `json:"name" protobuf:"bytes,2,opt,name=name"`
+
+	// `path` is an optional URL path which will be sent in any request to
+	// this service.
+	// +optional
+	Path *string `json:"path,omitempty" protobuf:"bytes,3,opt,name=path"`
 }

staging/src/k8s.io/api/admissionregistration/v1alpha1/types_swagger_doc_generated.go

@@ -99,8 +99,9 @@ func (RuleWithOperations) SwaggerDoc() map[string]string {
 
 var map_ServiceReference = map[string]string{
 	"":          "ServiceReference holds a reference to Service.legacy.k8s.io",
-	"namespace": "Namespace is the namespace of the service Required",
+	"namespace": "`namespace` is the namespace of the service. Required",
-	"name":      "Name is the name of the service Required",
+	"name":      "`name` is the name of the service. Required",
+	"path":      "`path` is an optional URL path which will be sent in any request to this service.",
 }
 
 func (ServiceReference) SwaggerDoc() map[string]string {
@@ -142,9 +143,9 @@ func (Webhook) SwaggerDoc() map[string]string {
 
 var map_WebhookClientConfig = map[string]string{
 	"":         "WebhookClientConfig contains the information to make a TLS connection with the webhook",
-	"service":  "Service is a reference to the service for this webhook. If there is only one port open for the service, that port will be used. If there are multiple ports open, port 443 will be used if it is open, otherwise it is an error. Required",
+	"url":      "`url` gives the location of the webhook, in standard URL form (`[scheme://]host:port/path`). Exactly one of `url` or `service` must be specified.\n\nThe `host` should not refer to a service running in the cluster; use the `service` field instead. The host might be resolved via external DNS in some apiservers (e.g., `kube-apiserver` cannot resolve in-cluster DNS as that would be a layering violation). `host` may also be an IP address.\n\nPlease note that using `localhost` or `127.0.0.1` as a `host` is risky unless you take great care to run this webhook on all hosts which run an apiserver which might need to make calls to this webhook. Such installs are likely to be non-portable, i.e., not easy to turn up in a new cluster.\n\nIf the scheme is present, it must be \"https://\".\n\nA path is optional, and if present may be any string permissible in a URL. You may use the path to pass an arbitrary string to the webhook, for example, a cluster identifier.",
-	"urlPath":  "URLPath is an optional field that specifies the URL path to use when posting the AdmissionReview object.",
+	"service":  "`service` is a reference to the service for this webhook. Either `service` or `url` must be specified.\n\nIf the webhook is running within the cluster, then you should use `service`.\n\nIf there is only one port open for the service, that port will be used. If there are multiple ports open, port 443 will be used if it is open, otherwise it is an error.",
-	"caBundle": "CABundle is a PEM encoded CA bundle which will be used to validate webhook's server certificate. Required",
+	"caBundle": "`caBundle` is a PEM encoded CA bundle which will be used to validate the webhook's server certificate. Required.",
 }
 
 func (WebhookClientConfig) SwaggerDoc() map[string]string {

staging/src/k8s.io/api/admissionregistration/v1alpha1/zz_generated.deepcopy.go

@@ -240,6 +240,15 @@ func (in *RuleWithOperations) DeepCopy() *RuleWithOperations {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ServiceReference) DeepCopyInto(out *ServiceReference) {
 	*out = *in
+	if in.Path != nil {
+		in, out := &in.Path, &out.Path
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(string)
+			**out = **in
+		}
+	}
 	return
 }
 
@@ -366,7 +375,24 @@ func (in *Webhook) DeepCopy() *Webhook {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *WebhookClientConfig) DeepCopyInto(out *WebhookClientConfig) {
 	*out = *in
-	out.Service = in.Service
+	if in.URL != nil {
+		in, out := &in.URL, &out.URL
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(string)
+			**out = **in
+		}
+	}
+	if in.Service != nil {
+		in, out := &in.Service, &out.Service
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(ServiceReference)
+			(*in).DeepCopyInto(*out)
+		}
+	}
 	if in.CABundle != nil {
 		in, out := &in.CABundle, &out.CABundle
 		*out = make([]byte, len(*in))

staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook/admission.go

@@ -20,6 +20,7 @@ package webhook
 import (
 	"context"
 	"encoding/json"
+	"errors"
 	"fmt"
 	"io"
 	"net"
@@ -55,6 +56,10 @@ const (
 	defaultCacheSize = 200
 )
 
+var (
+	ErrNeedServiceOrURL = errors.New("webhook configuration must have either service or URL")
+)
+
 type ErrCallingWebhook struct {
 	WebhookName string
 	Reason      error
@@ -395,36 +400,42 @@ func toStatusErr(name string, result *metav1.Status) *apierrors.StatusError {
 
 func (a *GenericAdmissionWebhook) hookClient(h *v1alpha1.Webhook) (*rest.RESTClient, error) {
 	cacheKey, err := json.Marshal(h.ClientConfig)
-	if err != nil {
-		return nil, err
-	}
 	if client, ok := a.cache.Get(string(cacheKey)); ok {
 		return client.(*rest.RESTClient), nil
 	}
 
-	serverName := h.ClientConfig.Service.Name + "." + h.ClientConfig.Service.Namespace + ".svc"
+	complete := func(cfg *rest.Config) (*rest.RESTClient, error) {
+		cfg.TLSClientConfig.CAData = h.ClientConfig.CABundle
+		cfg.ContentConfig.NegotiatedSerializer = a.negotiatedSerializer
+		cfg.ContentConfig.ContentType = runtime.ContentTypeJSON
+		client, err := rest.UnversionedRESTClientFor(cfg)
+		if err == nil {
+			a.cache.Add(string(cacheKey), client)
+		}
+		return client, err
+	}
+
+	if svc := h.ClientConfig.Service; svc != nil {
+		serverName := svc.Name + "." + svc.Namespace + ".svc"
 		restConfig, err := a.authInfoResolver.ClientConfigFor(serverName)
 		if err != nil {
 			return nil, err
 		}
-
 		cfg := rest.CopyConfig(restConfig)
 		host := serverName + ":443"
 		cfg.Host = "https://" + host
-	cfg.APIPath = h.ClientConfig.URLPath
+		if svc.Path != nil {
+			cfg.APIPath = *svc.Path
+		}
 		cfg.TLSClientConfig.ServerName = serverName
-	cfg.TLSClientConfig.CAData = h.ClientConfig.CABundle
-	cfg.ContentConfig.NegotiatedSerializer = a.negotiatedSerializer
-	cfg.ContentConfig.ContentType = runtime.ContentTypeJSON
 
 		delegateDialer := cfg.Dial
 		if delegateDialer == nil {
 			delegateDialer = net.Dial
 		}
-
 		cfg.Dial = func(network, addr string) (net.Conn, error) {
 			if addr == host {
-			u, err := a.serviceResolver.ResolveEndpoint(h.ClientConfig.Service.Namespace, h.ClientConfig.Service.Name)
+				u, err := a.serviceResolver.ResolveEndpoint(svc.Namespace, svc.Name)
 				if err != nil {
 					return nil, err
 				}
@@ -433,9 +444,27 @@ func (a *GenericAdmissionWebhook) hookClient(h *v1alpha1.Webhook) (*rest.RESTCli
 			return delegateDialer(network, addr)
 		}
 
-	client, err := rest.UnversionedRESTClientFor(cfg)
+		return complete(cfg)
-	if err == nil {
-		a.cache.Add(string(cacheKey), client)
 	}
-	return client, err
+
+	if h.ClientConfig.URL == nil {
+		return nil, &ErrCallingWebhook{WebhookName: h.Name, Reason: ErrNeedServiceOrURL}
+	}
+
+	u, err := url.Parse(*h.ClientConfig.URL)
+	if err != nil {
+		return nil, &ErrCallingWebhook{WebhookName: h.Name, Reason: fmt.Errorf("Unparsable URL: %v", err)}
+	}
+
+	restConfig, err := a.authInfoResolver.ClientConfigFor(u.Host)
+	if err != nil {
+		return nil, err
+	}
+
+	cfg := rest.CopyConfig(restConfig)
+	cfg.Host = u.Host
+	cfg.APIPath = u.Path
+	// TODO: test if this is needed: cfg.TLSClientConfig.ServerName = u.Host
+
+	return complete(cfg)
 }

staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook/admission_test.go

@@ -89,6 +89,33 @@ func (f fakeNamespaceLister) Get(name string) (*corev1.Namespace, error) {
 	return nil, errors.NewNotFound(corev1.Resource("namespaces"), name)
 }
 
+// ccfgSVC returns a client config using the service reference mechanism.
+func ccfgSVC(urlPath string) registrationv1alpha1.WebhookClientConfig {
+	return registrationv1alpha1.WebhookClientConfig{
+		Service: &registrationv1alpha1.ServiceReference{
+			Name:      "webhook-test",
+			Namespace: "default",
+			Path:      &urlPath,
+		},
+		CABundle: caCert,
+	}
+}
+
+type urlConfigGenerator struct {
+	baseURL *url.URL
+}
+
+// ccfgURL returns a client config using the URL mechanism.
+func (c urlConfigGenerator) ccfgURL(urlPath string) registrationv1alpha1.WebhookClientConfig {
+	u2 := *c.baseURL
+	u2.Path = urlPath
+	urlString := u2.String()
+	return registrationv1alpha1.WebhookClientConfig{
+		URL:      &urlString,
+		CABundle: caCert,
+	}
+}
+
 // TestAdmit tests that GenericAdmissionWebhook#Admit works as expected
 func TestAdmit(t *testing.T) {
 	scheme := runtime.NewScheme()
@@ -148,6 +175,8 @@ func TestAdmit(t *testing.T) {
 		UID:  "webhook-test",
 	}
 
+	ccfgURL := urlConfigGenerator{serverURL}.ccfgURL
+
 	type test struct {
 		hookSource    fakeHookSource
 		path          string
@@ -155,6 +184,15 @@ func TestAdmit(t *testing.T) {
 		errorContains string
 	}
 
+	matchEverythingRules := []registrationv1alpha1.RuleWithOperations{{
+		Operations: []registrationv1alpha1.OperationType{registrationv1alpha1.OperationAll},
+		Rule: registrationv1alpha1.Rule{
+			APIGroups:   []string{"*"},
+			APIVersions: []string{"*"},
+			Resources:   []string{"*/*"},
+		},
+	}}
+
 	policyFail := registrationv1alpha1.Fail
 	policyIgnore := registrationv1alpha1.Ignore
 
@@ -163,7 +201,7 @@ func TestAdmit(t *testing.T) {
 			hookSource: fakeHookSource{
 				hooks: []registrationv1alpha1.Webhook{{
 					Name:         "nomatch",
-					ClientConfig: newFakeHookClientConfig("disallow"),
+					ClientConfig: ccfgSVC("disallow"),
 					Rules: []registrationv1alpha1.RuleWithOperations{{
 						Operations: []registrationv1alpha1.OperationType{registrationv1alpha1.Create},
 					}},
@@ -175,8 +213,8 @@ func TestAdmit(t *testing.T) {
 			hookSource: fakeHookSource{
 				hooks: []registrationv1alpha1.Webhook{{
 					Name:         "allow",
-					ClientConfig: newFakeHookClientConfig("allow"),
+					ClientConfig: ccfgSVC("allow"),
-					Rules:        newMatchEverythingRules(),
+					Rules:        matchEverythingRules,
 				}},
 			},
 			expectAllow: true,
@@ -185,8 +223,8 @@ func TestAdmit(t *testing.T) {
 			hookSource: fakeHookSource{
 				hooks: []registrationv1alpha1.Webhook{{
 					Name:         "disallow",
-					ClientConfig: newFakeHookClientConfig("disallow"),
+					ClientConfig: ccfgSVC("disallow"),
-					Rules:        newMatchEverythingRules(),
+					Rules:        matchEverythingRules,
 				}},
 			},
 			errorContains: "without explanation",
@@ -195,8 +233,8 @@ func TestAdmit(t *testing.T) {
 			hookSource: fakeHookSource{
 				hooks: []registrationv1alpha1.Webhook{{
 					Name:         "disallowReason",
-					ClientConfig: newFakeHookClientConfig("disallowReason"),
+					ClientConfig: ccfgSVC("disallowReason"),
-					Rules:        newMatchEverythingRules(),
+					Rules:        matchEverythingRules,
 				}},
 			},
 			errorContains: "you shall not pass",
@@ -205,7 +243,7 @@ func TestAdmit(t *testing.T) {
 			hookSource: fakeHookSource{
 				hooks: []registrationv1alpha1.Webhook{{
 					Name:         "disallow",
-					ClientConfig: newFakeHookClientConfig("disallow"),
+					ClientConfig: ccfgSVC("disallow"),
 					Rules:        newMatchEverythingRules(),
 					NamespaceSelector: &metav1.LabelSelector{
 						MatchExpressions: []metav1.LabelSelectorRequirement{{
@@ -222,7 +260,7 @@ func TestAdmit(t *testing.T) {
 			hookSource: fakeHookSource{
 				hooks: []registrationv1alpha1.Webhook{{
 					Name:         "disallow",
-					ClientConfig: newFakeHookClientConfig("disallow"),
+					ClientConfig: ccfgSVC("disallow"),
 					Rules:        newMatchEverythingRules(),
 					NamespaceSelector: &metav1.LabelSelector{
 						MatchExpressions: []metav1.LabelSelectorRequirement{{
@@ -239,18 +277,18 @@ func TestAdmit(t *testing.T) {
 			hookSource: fakeHookSource{
 				hooks: []registrationv1alpha1.Webhook{{
 					Name:          "internalErr A",
-					ClientConfig:  newFakeHookClientConfig("internalErr"),
+					ClientConfig:  ccfgSVC("internalErr"),
-					Rules:         newMatchEverythingRules(),
+					Rules:         matchEverythingRules,
 					FailurePolicy: &policyIgnore,
 				}, {
 					Name:          "internalErr B",
-					ClientConfig:  newFakeHookClientConfig("internalErr"),
+					ClientConfig:  ccfgSVC("internalErr"),
-					Rules:         newMatchEverythingRules(),
+					Rules:         matchEverythingRules,
 					FailurePolicy: &policyIgnore,
 				}, {
 					Name:          "internalErr C",
-					ClientConfig:  newFakeHookClientConfig("internalErr"),
+					ClientConfig:  ccfgSVC("internalErr"),
-					Rules:         newMatchEverythingRules(),
+					Rules:         matchEverythingRules,
 					FailurePolicy: &policyIgnore,
 				}},
 			},
@@ -260,16 +298,16 @@ func TestAdmit(t *testing.T) {
 			hookSource: fakeHookSource{
 				hooks: []registrationv1alpha1.Webhook{{
 					Name:         "internalErr A",
-					ClientConfig: newFakeHookClientConfig("internalErr"),
+					ClientConfig: ccfgSVC("internalErr"),
-					Rules:        newMatchEverythingRules(),
+					Rules:        matchEverythingRules,
 				}, {
 					Name:         "internalErr B",
-					ClientConfig: newFakeHookClientConfig("internalErr"),
+					ClientConfig: ccfgSVC("internalErr"),
-					Rules:        newMatchEverythingRules(),
+					Rules:        matchEverythingRules,
 				}, {
 					Name:         "internalErr C",
-					ClientConfig: newFakeHookClientConfig("internalErr"),
+					ClientConfig: ccfgSVC("internalErr"),
-					Rules:        newMatchEverythingRules(),
+					Rules:        matchEverythingRules,
 				}},
 			},
 			expectAllow: false,
@@ -278,23 +316,45 @@ func TestAdmit(t *testing.T) {
 			hookSource: fakeHookSource{
 				hooks: []registrationv1alpha1.Webhook{{
 					Name:          "internalErr A",
-					ClientConfig:  newFakeHookClientConfig("internalErr"),
+					ClientConfig:  ccfgSVC("internalErr"),
-					Rules:         newMatchEverythingRules(),
+					Rules:         matchEverythingRules,
 					FailurePolicy: &policyFail,
 				}, {
 					Name:          "internalErr B",
-					ClientConfig:  newFakeHookClientConfig("internalErr"),
+					ClientConfig:  ccfgSVC("internalErr"),
-					Rules:         newMatchEverythingRules(),
+					Rules:         matchEverythingRules,
 					FailurePolicy: &policyFail,
 				}, {
 					Name:          "internalErr C",
-					ClientConfig:  newFakeHookClientConfig("internalErr"),
+					ClientConfig:  ccfgSVC("internalErr"),
-					Rules:         newMatchEverythingRules(),
+					Rules:         matchEverythingRules,
 					FailurePolicy: &policyFail,
 				}},
 			},
 			expectAllow: false,
 		},
+		"match & allow (url)": {
+			hookSource: fakeHookSource{
+				hooks: []registrationv1alpha1.Webhook{{
+					Name:         "allow",
+					ClientConfig: ccfgURL("allow"),
+					Rules:        matchEverythingRules,
+				}},
+			},
+			expectAllow: true,
+		},
+		"match & disallow (url)": {
+			hookSource: fakeHookSource{
+				hooks: []registrationv1alpha1.Webhook{{
+					Name:         "disallow",
+					ClientConfig: ccfgURL("disallow"),
+					Rules:        matchEverythingRules,
+				}},
+			},
+			errorContains: "without explanation",
+		},
+		// No need to test everything with the url case, since only the
+		// connection is different.
 	}
 
 	for name, tt := range table {
@@ -378,6 +438,7 @@ func TestAdmitCachedClient(t *testing.T) {
 		Name: "webhook-test",
 		UID:  "webhook-test",
 	}
+	ccfgURL := urlConfigGenerator{serverURL}.ccfgURL
 
 	type test struct {
 		name        string
@@ -393,7 +454,7 @@ func TestAdmitCachedClient(t *testing.T) {
 			hookSource: fakeHookSource{
 				hooks: []registrationv1alpha1.Webhook{{
 					Name:          "cache1",
-					ClientConfig:  newFakeHookClientConfig("allow"),
+					ClientConfig:  ccfgSVC("allow"),
 					Rules:         newMatchEverythingRules(),
 					FailurePolicy: &policyIgnore,
 				}},
@@ -406,7 +467,7 @@ func TestAdmitCachedClient(t *testing.T) {
 			hookSource: fakeHookSource{
 				hooks: []registrationv1alpha1.Webhook{{
 					Name:          "cache2",
-					ClientConfig:  newFakeHookClientConfig("internalErr"),
+					ClientConfig:  ccfgSVC("internalErr"),
 					Rules:         newMatchEverythingRules(),
 					FailurePolicy: &policyIgnore,
 				}},
@@ -419,7 +480,33 @@ func TestAdmitCachedClient(t *testing.T) {
 			hookSource: fakeHookSource{
 				hooks: []registrationv1alpha1.Webhook{{
 					Name:          "cache3",
-					ClientConfig:  newFakeHookClientConfig("allow"),
+					ClientConfig:  ccfgSVC("allow"),
+					Rules:         newMatchEverythingRules(),
+					FailurePolicy: &policyIgnore,
+				}},
+			},
+			expectAllow: true,
+			expectCache: false,
+		},
+		{
+			name: "cache 4",
+			hookSource: fakeHookSource{
+				hooks: []registrationv1alpha1.Webhook{{
+					Name:          "cache4",
+					ClientConfig:  ccfgURL("allow"),
+					Rules:         newMatchEverythingRules(),
+					FailurePolicy: &policyIgnore,
+				}},
+			},
+			expectAllow: true,
+			expectCache: true,
+		},
+		{
+			name: "cache 5",
+			hookSource: fakeHookSource{
+				hooks: []registrationv1alpha1.Webhook{{
+					Name:          "cache5",
+					ClientConfig:  ccfgURL("allow"),
 					Rules:         newMatchEverythingRules(),
 					FailurePolicy: &policyIgnore,
 				}},
@@ -581,17 +668,6 @@ func TestToStatusErr(t *testing.T) {
 	}
 }
 
-func newFakeHookClientConfig(urlPath string) registrationv1alpha1.WebhookClientConfig {
-	return registrationv1alpha1.WebhookClientConfig{
-		Service: registrationv1alpha1.ServiceReference{
-			Name:      "webhook-test",
-			Namespace: "default",
-		},
-		URLPath:  urlPath,
-		CABundle: caCert,
-	}
-}
-
 func newMatchEverythingRules() []registrationv1alpha1.RuleWithOperations {
 	return []registrationv1alpha1.RuleWithOperations{{
 		Operations: []registrationv1alpha1.OperationType{registrationv1alpha1.OperationAll},

test/e2e/apimachinery/webhook.go

@@ -218,6 +218,8 @@ func deployWebhookAndService(f *framework.Framework, image string, context *cert
 	framework.ExpectNoError(err, "waiting for service %s/%s have %d endpoint", namespace, serviceName, 1)
 }
 
+func strPtr(s string) *string { return &s }
+
 func registerWebhook(f *framework.Framework, context *certContext) {
 	client := f.ClientSet
 	By("Registering the webhook via the AdmissionRegistration API")
@@ -239,11 +241,11 @@ func registerWebhook(f *framework.Framework, context *certContext) {
 					},
 				}},
 				ClientConfig: v1alpha1.WebhookClientConfig{
-					Service: v1alpha1.ServiceReference{
+					Service: &v1alpha1.ServiceReference{
 						Namespace: namespace,
 						Name:      serviceName,
+						Path:      strPtr("/pods"),
 					},
-					URLPath:  "/pods",
 					CABundle: context.signingCert,
 				},
 			},
@@ -268,11 +270,11 @@ func registerWebhook(f *framework.Framework, context *certContext) {
 					},
 				},
 				ClientConfig: v1alpha1.WebhookClientConfig{
-					Service: v1alpha1.ServiceReference{
+					Service: &v1alpha1.ServiceReference{
 						Namespace: namespace,
 						Name:      serviceName,
+						Path:      strPtr("/configmaps"),
 					},
-					URLPath:  "/configmaps",
 					CABundle: context.signingCert,
 				},
 			},

test/integration/etcd/etcd_storage_path_test.go

@@ -382,11 +382,11 @@ var etcdStorageData = map[schema.GroupVersionResource]struct {
 		expectedEtcdPath: "/registry/initializerconfigurations/ic1",
 	},
 	gvr("admissionregistration.k8s.io", "v1alpha1", "validatingwebhookconfigurations"): {
-		stub:             `{"metadata":{"name":"hook1","creationTimestamp":null},"webhooks":[{"name":"externaladmissionhook.k8s.io","clientConfig":{"service":{"namespace":"","name":""},"caBundle":null},"rules":[{"operations":["CREATE"],"apiGroups":["group"],"apiVersions":["version"],"resources":["resource"]}],"failurePolicy":"Ignore"}]}`,
+		stub:             `{"metadata":{"name":"hook1","creationTimestamp":null},"webhooks":[{"name":"externaladmissionhook.k8s.io","clientConfig":{"service":{"namespace":"ns","name":"n"},"caBundle":null},"rules":[{"operations":["CREATE"],"apiGroups":["group"],"apiVersions":["version"],"resources":["resource"]}],"failurePolicy":"Ignore"}]}`,
 		expectedEtcdPath: "/registry/validatingwebhookconfigurations/hook1",
 	},
 	gvr("admissionregistration.k8s.io", "v1alpha1", "mutatingwebhookconfigurations"): {
-		stub:             `{"metadata":{"name":"hook1","creationTimestamp":null},"webhooks":[{"name":"externaladmissionhook.k8s.io","clientConfig":{"service":{"namespace":"","name":""},"caBundle":null},"rules":[{"operations":["CREATE"],"apiGroups":["group"],"apiVersions":["version"],"resources":["resource"]}],"failurePolicy":"Ignore"}]}`,
+		stub:             `{"metadata":{"name":"hook1","creationTimestamp":null},"webhooks":[{"name":"externaladmissionhook.k8s.io","clientConfig":{"service":{"namespace":"ns","name":"n"},"caBundle":null},"rules":[{"operations":["CREATE"],"apiGroups":["group"],"apiVersions":["version"],"resources":["resource"]}],"failurePolicy":"Ignore"}]}`,
 		expectedEtcdPath: "/registry/mutatingwebhookconfigurations/hook1",
 	},
 	// --