github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-08-03 17:30:00 +00:00
Code Issues Projects Releases Wiki Activity

Merge pull request #127905 from cici37/revert-127400

Browse Source 
Revert pr 127400 due to regression
This commit is contained in:
Kubernetes Prow Robot 2024-10-07 22:02:22 +01:00 committed by GitHub
commit ea13c5e6a2
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 3 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook/generic/webhook.go
View File

@ -20,8 +20,6 @@ import (
"context" "context"
"fmt" "fmt"
"io" "io"
"sync"
"k8s.io/apiserver/pkg/cel/environment" "k8s.io/apiserver/pkg/cel/environment"
"k8s.io/apiserver/pkg/features" "k8s.io/apiserver/pkg/features"
utilfeature "k8s.io/apiserver/pkg/util/feature" utilfeature "k8s.io/apiserver/pkg/util/feature"
@ -47,12 +45,6 @@ import (
clientset "k8s.io/client-go/kubernetes" clientset "k8s.io/client-go/kubernetes"
) )
var (
// filterCompiler is memory heavy, so we only want to create it once and share it.
filterCompilerOnce sync.Once
filterCompiler cel.FilterCompiler
)
// Webhook is an abstract admission plugin with all the infrastructure to define Admit or Validate on-top. // Webhook is an abstract admission plugin with all the infrastructure to define Admit or Validate on-top.
type Webhook struct { type Webhook struct {
*admission.Handler *admission.Handler
@ -64,6 +56,7 @@ type Webhook struct {
namespaceMatcher *namespace.Matcher namespaceMatcher *namespace.Matcher
objectMatcher *object.Matcher objectMatcher *object.Matcher
dispatcher Dispatcher dispatcher Dispatcher
filterCompiler cel.FilterCompiler
authorizer authorizer.Authorizer authorizer authorizer.Authorizer
} }
@ -101,10 +94,6 @@ func NewWebhook(handler *admission.Handler, configFile io.Reader, sourceFactory
cm.SetAuthenticationInfoResolver(authInfoResolver) cm.SetAuthenticationInfoResolver(authInfoResolver)
cm.SetServiceResolver(webhookutil.NewDefaultServiceResolver()) cm.SetServiceResolver(webhookutil.NewDefaultServiceResolver())
filterCompilerOnce.Do(func() {
filterCompiler = cel.NewFilterCompiler(environment.MustBaseEnvSet(environment.DefaultCompatibilityVersion(), utilfeature.DefaultFeatureGate.Enabled(features.StrictCostEnforcementForWebhooks)))
})
return &Webhook{ return &Webhook{
Handler: handler, Handler: handler,
sourceFactory: sourceFactory, sourceFactory: sourceFactory,
@ -112,6 +101,7 @@ func NewWebhook(handler *admission.Handler, configFile io.Reader, sourceFactory
namespaceMatcher: &namespace.Matcher{}, namespaceMatcher: &namespace.Matcher{},
objectMatcher: &object.Matcher{}, objectMatcher: &object.Matcher{},
dispatcher: dispatcherFactory(&cm), dispatcher: dispatcherFactory(&cm),
filterCompiler: cel.NewFilterCompiler(environment.MustBaseEnvSet(environment.DefaultCompatibilityVersion(), utilfeature.DefaultFeatureGate.Enabled(features.StrictCostEnforcementForWebhooks))),
}, nil }, nil
} }
@ -237,7 +227,7 @@ func (a *Webhook) ShouldCallHook(ctx context.Context, h webhook.WebhookAccessor,
return nil, apierrors.NewInternalError(err) return nil, apierrors.NewInternalError(err)
} }
matcher := h.GetCompiledMatcher(filterCompiler) matcher := h.GetCompiledMatcher(a.filterCompiler)
matchResult := matcher.Match(ctx, versionedAttr, nil, a.authorizer) matchResult := matcher.Match(ctx, versionedAttr, nil, a.authorizer)
if matchResult.Error != nil { if matchResult.Error != nil {