
Mutating webhook should support setting `Allowed: false`

Open SOF3 opened this issue 3 years ago • 0 comments

Currently, slok/kubewebhook only supports `StopChain` and `MutatedObject`, or returning 500 ISE directly, but it does not support rejecting the request directly in the validating webhook style.

https://github.com/slok/kubewebhook/blob/7cda6658a8ec35339496b9062cd23eb6a1e7e8fd/pkg/webhook/mutating/mutator.go#L14-L22

I have confirmed that returning `{response: {allowed: false}}` in mutating webhooks has a similar effect to validating webhooks.

As explained in #188, kube-apiserver handles the response differently if the webhook server responds with 200 or with 500. In particular, in my use case, I am adding alerts for the `apiserver_admission_webhook_rejection_count` metric with `error_type=calling_webhook_error`, which cannot distinguish upstream-side 500 errors from proxy-side 502 errors. Allowing `allowed: false` to be returned in the mutating webhook allows me to collect the correct metrics.

SOF3 · Jun 09 '22 04:06
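
The response shape the issue asks for, as an added example that is not part of the original issue and does not use kubewebhook's API: a plain `net/http` mutating-webhook handler that answers HTTP 200 with `allowed: false`, so the apiserver receives an explicit denial instead of a failed webhook call. The `restricted` namespace policy, the `/mutate` path, the status message and the request body are constructed for illustration, and no patch is produced.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

type response struct {
	UID     string            `json:"uid"`
	Allowed bool              `json:"allowed"`
	Status  map[string]string `json:"status,omitempty"` // only status.message is set here
}
type review struct { // subset of the admission.k8s.io/v1 AdmissionReview wire format
	APIVersion string `json:"apiVersion"`
	Kind       string `json:"kind"`
	Request    *struct {
		UID       string `json:"uid"`
		Namespace string `json:"namespace"`
	} `json:"request,omitempty"`
	Response *response `json:"response,omitempty"`
}

// mutate denies the hypothetical "restricted" namespace with HTTP 200 + allowed=false.
func mutate(w http.ResponseWriter, r *http.Request) {
	var in review
	if err := json.NewDecoder(r.Body).Decode(&in); err != nil || in.Request == nil {
		// Only a request that cannot be parsed becomes an HTTP-level error.
		http.Error(w, "malformed AdmissionReview", http.StatusBadRequest)
		return
	}
	// The response must echo the request uid, apiVersion and kind.
	resp := &response{UID: in.Request.UID, Allowed: in.Request.Namespace != "restricted"}
	if !resp.Allowed {
		resp.Status = map[string]string{"message": "namespace is restricted"}
	}
	w.Header().Set("Content-Type", "application/json")
	json.NewEncoder(w).Encode(review{APIVersion: in.APIVersion, Kind: in.Kind, Response: resp})
}

// post sends a constructed AdmissionReview for namespace ns through the handler.
func post(ns string) (int, string) {
	body := `{"apiVersion":"admission.k8s.io/v1","kind":"AdmissionReview","request":{"uid":"constructed-uid","namespace":"` + ns + `"}}`
	rec := httptest.NewRecorder()
	mutate(rec, httptest.NewRequest("POST", "/mutate", strings.NewReader(body)))
	return rec.Code, rec.Body.String()
}

func main() { fmt.Println(post("restricted")) }
```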