github/kubernetes
4
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge pull request #66425 from liggitt/delete-admission-panic

Browse Source 
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

Do not attempt to convert nil object during DELETE webhook admission

Fixes #66412 
```release-note
fixes a panic when using a mutating webhook admission plugin with a DELETE operation
```
This commit is contained in:
Kubernetes Submit Queue 2018-07-20 08:59:41 -07:00 committed by GitHub
commit 07387782ec
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 13 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook/mutating/dispatcher.go
View File

@ -74,8 +74,11 @@ func (a *mutatingDispatcher) Dispatch(ctx context.Context, attr *generic.Version
} }
// convert attr.VersionedObject to the internal version in the underlying admission.Attributes // convert attr.VersionedObject to the internal version in the underlying admission.Attributes
if attr.VersionedObject != nil {
return a.plugin.scheme.Convert(attr.VersionedObject, attr.Attributes.GetObject(), nil) return a.plugin.scheme.Convert(attr.VersionedObject, attr.Attributes.GetObject(), nil)
} }
return nil
}
// note that callAttrMutatingHook updates attr // note that callAttrMutatingHook updates attr
func (a *mutatingDispatcher) callAttrMutatingHook(ctx context.Context, h *v1beta1.Webhook, attr *generic.VersionedAttributes) error { func (a *mutatingDispatcher) callAttrMutatingHook(ctx context.Context, h *v1beta1.Webhook, attr *generic.VersionedAttributes) error {
@ -106,6 +109,15 @@ func (a *mutatingDispatcher) callAttrMutatingHook(ctx context.Context, h *v1beta
if err != nil { if err != nil {
return apierrors.NewInternalError(err) return apierrors.NewInternalError(err)
} }
if len(patchObj) == 0 {
return nil
}
// if a non-empty patch was provided, and we have no object we can apply it to (e.g. a DELETE admission operation), error
if attr.VersionedObject == nil {
return apierrors.NewInternalError(fmt.Errorf("admission webhook %q attempted to modify the object, which is not supported for this operation", h.Name))
}
objJS, err := runtime.Encode(a.plugin.jsonSerializer, attr.VersionedObject) objJS, err := runtime.Encode(a.plugin.jsonSerializer, attr.VersionedObject)
if err != nil { if err != nil {
return apierrors.NewInternalError(err) return apierrors.NewInternalError(err)