example-webhook-admission-controller

Has anyone tried this admission controller with success?

Open filmil opened this issue 8 years ago • 9 comments

The issue I'm having with it is that it installs the admission controller service with a fixed clusterIP: 10.0.0.231. In the webhook code, the address resolver will resolve the webhook to https://10.0.0.231:443. But, this IP address is not accessible to the API server, so I don't see a request to this URL succeeding. How is this supposed to work?

filmil avatar Sep 26 '17 07:09 filmil

I'll update the example this week. The problem you saw is due to a recent change in the upstream: https://github.com/kubernetes/kubernetes/pull/50476.

caesarxuchao avatar Sep 26 '17 20:09 caesarxuchao

Try again? You need to use it with the latest Kubernetes release (v1.8.0 or v1.9.0-alpha.1)

caesarxuchao avatar Sep 27 '17 20:09 caesarxuchao

Just tested with this example and it works with Kubernetes v1.8.0 after some small changes to the ExternalAdmissionHookConfiguration config, which I put into a PR. My test also disabled client cert verification as described in the README.

patrickshan avatar Oct 10 '17 06:10 patrickshan

Merged the PR. Thanks.

caesarxuchao avatar Oct 10 '17 06:10 caesarxuchao

@caesarxuchao will the apiserver send the whole pod object to the webhook admission controller in this example? I am trying to parse some data inside pod.Annotations, which seems to be always empty. I suspected it was sent through by a different operation. But it behaves the same even if I turned on all operations "*" related to the pods resource. Is this something expected?

patrickshan avatar Oct 11 '17 06:10 patrickshan

What annotations specifically? I have some hypotheses but need to know the specific fields.

caesarxuchao avatar Oct 16 '17 05:10 caesarxuchao

It's just a self-defined pod annotation included inside deployment, like this one:

apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  namespace: kube-system
  name: toolbox
spec:
  replicas: 1
  template:
    metadata:
      labels:
        app: debian-test
      annotations:
        kitt.com/department: "INF"
    spec:
      containers:
      - name: debian-test
        image: debian
        command:
          - sleep
          - infinity

In theory it should create a pod with the kitt.com/department: INF annotation, like this:

$ kubectl get pod toolbox-594df444bc-dhwkg -o yaml
apiVersion: v1
kind: Pod
metadata:
  annotations:
    kitt.com/department: INF

patrickshan avatar Oct 16 '17 22:10 patrickshan

It's caused by the mismatching object version: the apiserver encodes the pod as api.Pod, and the webhook decodes the pod as v1.Pod. The issue will be fixed by the beta version webhook; the apiserver will encode v1.Pod. See https://github.com/kubernetes/kubernetes/issues/49733

As a workaround, you can get the annotations by parsing ar.Spec.Object.Raw directly; the metadata is lost later during the decoding.

caesarxuchao avatar Oct 17 '17 05:10 caesarxuchao
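
The workaround from the comment above, as an added example that is not code from this thread or from the project: it reads the annotations straight out of the bytes of ar.Spec.Object.Raw using only encoding/json, so nothing depends on a typed Pod decode. `AnnotationsFromRaw` and `field` are hypothetical names, the sample JSON is constructed, and the accepted key spellings are an assumption because the thread does not show the raw payload.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// field returns the first member of obj whose key equals one of names, ignoring case.
func field(obj map[string]json.RawMessage, names ...string) (json.RawMessage, bool) {
	for k, v := range obj {
		for _, n := range names {
			if strings.EqualFold(k, n) {
				return v, true
			}
		}
	}
	return nil, false
}

// AnnotationsFromRaw (hypothetical helper) takes the bytes of ar.Spec.Object.Raw.
func AnnotationsFromRaw(raw []byte) (map[string]string, error) {
	if len(raw) == 0 {
		return nil, fmt.Errorf("admission review carries no raw object")
	}
	var top, meta map[string]json.RawMessage
	if err := json.Unmarshal(raw, &top); err != nil {
		return nil, fmt.Errorf("raw object: %w", err)
	}
	// Assumption: metadata is keyed "metadata" (v1 style) or "ObjectMeta" (Go field name).
	if m, ok := field(top, "metadata", "ObjectMeta"); ok {
		if err := json.Unmarshal(m, &meta); err != nil {
			return nil, fmt.Errorf("metadata: %w", err)
		}
	}
	annotations := map[string]string{}
	if a, ok := field(meta, "annotations"); ok {
		// A non-string annotation value is rejected here instead of being dropped.
		if err := json.Unmarshal(a, &annotations); err != nil {
			return nil, fmt.Errorf("annotations: %w", err)
		}
	}
	return annotations, nil
}

func main() {
	raw := []byte(`{"kind":"Pod","metadata":{"annotations":{"kitt.com/department":"INF"}}}`) // constructed
	a, err := AnnotationsFromRaw(raw)
	fmt.Println(a["kitt.com/department"], err)
}
```

A webhook that enforces policy on an annotation should treat an error from this helper as a reason to deny or log the request, not as an empty annotation set.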

Thanks @caesarxuchao for looking into this. I'll try the workaround for now.

patrickshan avatar Oct 17 '17 22:10 patrickshan