[GCE] fix unsafe webhook vpa-webhook-config

[britslampe]

What type of PR is this?

/kind feature

What this PR does / why we need it:

This PR cleans up the unsafe webhook vpa-webhook-config deployed on GCE. The namespaces kube-system and kube-node-lease are considered system-managed. See unsafe webhooks.

Which issue(s) this PR fixes:

Fixes https://github.com/cowboysysop/charts/issues/578

Special notes for your reviewer:

To keep the namespaceSelector optionally empty, the variable definition can be wrapped in an if statement that verifies that the provider is gce.

[linux-foundation-easycla[bot]]

The committers listed above are authorized under a signed CLA.

• :white_check_mark: login: britdm / name: Brittany Mitchell (e23e769c5bf4ca72c796b6209559c8145e5bc38c, 6474581871410f7e942592f6f27a93bf508c56f2, b5bdba3731dd3c2f9844c70967e9968c744348ad, 81ab07261f6db2746f378210a27a3a6a78e8940f)

[k8s-ci-robot]

Welcome @britdm!

It looks like this is your first PR to kubernetes/autoscaler 🎉. Please refer to our pull request process documentation to help your PR have a smooth ride to approval.

You will be prompted by a bot to use commands during the review process. Do not be afraid to follow the prompts! It is okay to experiment. Here is the bot commands documentation.

You can also check if kubernetes/autoscaler has its own contribution guidelines.

You may want to refer to our testing guide if you run into trouble with your tests not passing.

If you are having difficulty getting your pull request seen, please follow the recommended escalation practices. Also, for tips and tricks in the contribution process you may want to read the Kubernetes contributor cheat sheet. We want to make sure your contribution gets all the attention it needs!

Thank you, and welcome to Kubernetes. :smiley:

[kwiesmueller]

/assign @sophieliu15

[sophieliu15]

/lgtm

[sophieliu15]

@kwiesmueller Could you take a look to decide whether to approve or not?

[k8s-ci-robot]

New changes are detected. LGTM label has been removed.

[k8s-ci-robot]

PR needs rebase.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[britslampe]

I have added the additional flag webhookIgnoredNamespaces that could be used to grab a list of comma delimited namespaces passed using --webhook-ignore-namespaces.

For this case, passing --webhook-ignore-namespaces kube-system,kube-node-lease should add those two namespaces to the namespaceSelector. The flag will allow the default empty string and also the option to specify namespaces to ignore.

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: alvaroaleman, britdm Once this PR has been reviewed and has the lgtm label, please assign jbartosik for approval. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• vertical-pod-autoscaler/OWNERS

Approvers can indicate their approval by writing /approve in a comment Approvers can cancel approval by writing /approve cancel in a comment

[voelzmo]

Hey @britdm thanks for the new change! I think, however, we need to have a paramater on all three VPA components, otherwise it can easily happen that users end up in an endless eviction loop: If you have VPA objects in kube-system, recommender will provide a recommendation, updater will evict and the admission-controller ignores this namespace and won't adapt the requests.

I tried to sketch this out in an earlier, longer comment

I imagine the best compromise here is probable a namespace denylist, similar to how the VPA components currently have the concept of an allowlist for namespaces they work in (parameter vpa-object-namespace). The configuration parameter is the the same on all 3 components and you could argue that a user setting this parameter on one component should take care of setting it on the other two components with the same values. Denylist and allowlist should be made exclusive to each other.

So I think the missing changes here are

• rename parameter to something like ignored-vpa-object-namespaces, such that it doesn't reference the webhook and has some resemblence to the already existing vpa-object-namespace
• throw an error, if both parameters are provided. It should only be possible to provide one of ignored-vpa-object-namespaces and vpa-object-namespace
• move documentation for this parameter to the top README
• Bonus: add a test that makes sure this flag works, similar to what we already have for recommenders with different names

[adrianmoisey]

Hey @britdm, are you planning to continue this PR? If not, do you mind if I try work on it?

[britslampe]

Hey @britdm, are you planning to continue this PR? If not, do you mind if I try work on it?

Sure, I have not yet had time to clean up my local copy with changes for this PR, and would appreciate the help to move it forward. One caveat I found with updating the other VPA components is that the conditional statement used to check if both variables are used in the admission controller would need slight modifications to work for the other components.

[adrianmoisey]

I've continued this work over here: https://github.com/kubernetes/autoscaler/pull/6788

[voelzmo]

/close In favor of #6788

[k8s-ci-robot]

@voelzmo: Closed this PR.

In response to this:

/close In favor of #6788

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.