
Current admission-controller implementation under `kata-webhook` only works if admission-controller is installed in the `default` namespace

Open pruan-rht opened this issue 4 years ago • 1 comments

Description of problem

Current admission-controller implementation under kata-webhook only works if admission-controller is installed in the default namespace and the incoming pods are installed into the same namespace default.

  1. git clone git@github.com:kata-containers/tests.git
  2. oc new-project foobar
  3. cd tests/kata-webhook;
  4. ./create-certs.sh; oc apply -f deploy/
  5. wait until pod-annotate-webhook-xxx pod is running
  6. oc create -f example-fedora.yaml
```
$ cat example-fedora.yaml
apiVersion: v1
kind: Pod
metadata:
  name: example-fedora
  labels:
    app: example-fedora-app
spec:
  containers:
    - name: example-fedora
      image: fedora:30
      ports:
        - containerPort: 8080
      command: ["python3"]
      args: [ "-m", "http.server", "8080"]
```

Expected result

`oc get pod example-fedora -o yaml | grep kata` should return `runtimeClassName: kata`

Actual result

The new pod did not mutate to contain the runtimeClassName in the spec.

Further information

pruan-rht, Nov 20 '20 22:11

I tried adding `scope: "Namespaced"` as a rule for the admission controller. Turns out that just limits what objects it modifies to ones that are namespaced. So that did not work out. Started looking into namespaceSelector but nothing to report yet. Using the blacklist option is still an option, but need to find out if it does any patching or only matches exact strings.

cpmeadors, Feb 09 '21 21:02
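
The difference between `scope` and `namespaceSelector` described in the comment above, as an added example that is not part of the original thread or the kata-webhook code: a simplified Python model of how the API server decides whether to call a webhook for a request. The webhook dictionaries and the `kata-webhook: enabled` namespace label are constructed for illustration, and matching on apiGroups/apiVersions is left out.

```python
# Constructed sample data: not taken from the kata-webhook deploy/ manifests.
SCOPED = {"rules": [{"operations": ["CREATE"], "resources": ["pods"],
                     "scope": "Namespaced"}]}
# Hypothetical opt-in label on the namespace object.
SELECTED = dict(SCOPED,
                namespaceSelector={"matchLabels": {"kata-webhook": "enabled"}})


def selector_matches(selector, labels):
    """Evaluate a Kubernetes LabelSelector against a namespace's labels."""
    selector = selector or {}  # an absent selector matches every namespace
    for key, value in selector.get("matchLabels", {}).items():
        if labels.get(key) != value:
            return False
    for expr in selector.get("matchExpressions", []):
        key, op, values = expr["key"], expr["operator"], expr.get("values", [])
        if op == "In" and labels.get(key) not in values:
            return False
        if op == "NotIn" and labels.get(key) in values:
            return False
        if op == "Exists" and key not in labels:
            return False
        if op == "DoesNotExist" and key in labels:
            return False
    return True


def rule_matches(rule, resource, operation, namespaced):
    """scope only asks whether the resource kind is namespaced or cluster-wide."""
    scope = rule.get("scope", "*")
    scope_ok = scope == "*" or (scope == "Namespaced") == namespaced
    return (scope_ok
            and ("*" in rule["resources"] or resource in rule["resources"])
            and ("*" in rule["operations"] or operation in rule["operations"]))


def webhook_selects(webhook, resource, operation, namespaced, ns_labels):
    """True if the API server would send this request to the webhook."""
    if not any(rule_matches(r, resource, operation, namespaced)
               for r in webhook["rules"]):
        return False
    # Only namespaceSelector narrows by namespace, and it does so via labels.
    # Simplification: cluster-scoped objects are treated as always selected.
    return not namespaced or selector_matches(
        webhook.get("namespaceSelector"), ns_labels)
```

With `SCOPED`, pods in every namespace are still selected; only `SELECTED` restricts the webhook to namespaces carrying the label.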