KEP-3716: Admission Webhook Match Conditions
Introduce a webhook predicate concept. A predicate is a CEL expression which must evaluate to true for a request to be sent to a webhook.
Tracking issue: https://github.com/kubernetes/enhancements/issues/3716
This PR proposes an alternative (though not mutually exclusive) approach to https://github.com/kubernetes/enhancements/pull/3694.
This is based on a similar proposal for ValidatingAdmissionPolicy: https://github.com/kubernetes/enhancements/pull/3697
/cc @ivelichkovich @maxsmythe @jpbetz @andrewsykim
@tallclair: GitHub didn't allow me to request PR reviews from the following users: ivelichkovich, maxsmythe.
Note that only kubernetes members and repo collaborators can review this PR, and authors cannot review their own PRs.
/subscribe
I'm in favor of this proposal. I like the consistency with validation policy CEL expression. I think that would make the support for secondary ACL checks "just work", but I'd like to be sure they're explicitly included as a use-case (our GC admission plugin does this when it checks if the user can finalize on * before building a full restmapping).
@jpbetz can you do a close read of the CEL explanation in the godoc? I had a comment on a couple spots that seemed unusual to me and I'd like to be sure I've properly interpreted them.
Yes, I'm responsible for much of it, such as the escaping sections and a bunch of the other common sections (xref https://github.com/kubernetes/website/issues/39089). I'll do another pass on the sections specific to this KEP.
minor updates requested, but I don't think they're contentious. lgtm otherwise. PRR also looks good and the advice from Han about metrics looks good as well.
/approve /assign @jpbetz @lavalamp
Letting Joe and/or Daniel have the lgtm.
I have a couple comments.
@tallclair FYI: https://github.com/kubernetes/enhancements/pull/3854 merged and can be referenced from this KEP as needed for authz CEL capabilities.
/approve /lgtm
[APPROVALNOTIFIER] This PR is APPROVED
This pull-request has been approved by: deads2k, lavalamp, tallclair
- ~~keps/prod-readiness/OWNERS~~ [deads2k]
- ~~keps/sig-api-machinery/OWNERS~~ [deads2k,lavalamp]