remove reference to v1alpha1
This commit is contained in:
Chao Xu
@@ -22,7 +22,7 @@ import (
|
||||
"strings"
|
||||
"time"
|
||||
|
||||
"k8s.io/api/admissionregistration/v1alpha1"
|
||||
"k8s.io/api/admissionregistration/v1beta1"
|
||||
"k8s.io/api/core/v1"
|
||||
extensions "k8s.io/api/extensions/v1beta1"
|
||||
rbacv1beta1 "k8s.io/api/rbac/v1beta1"
|
||||
@@ -87,9 +87,9 @@ var _ = SIGDescribe("AdmissionWebhook", func() {
|
||||
framework.SkipUnlessServerVersionGTE(serverWebhookVersion, f.ClientSet.Discovery())
|
||||
framework.SkipUnlessProviderIs("gce", "gke", "local")
|
||||
|
||||
_, err := f.ClientSet.AdmissionregistrationV1alpha1().ValidatingWebhookConfigurations().List(metav1.ListOptions{})
|
||||
_, err := f.ClientSet.AdmissionregistrationV1beta1().ValidatingWebhookConfigurations().List(metav1.ListOptions{})
|
||||
if errors.IsNotFound(err) {
|
||||
framework.Skipf("dynamic configuration of webhooks requires the alpha admissionregistration.k8s.io group to be enabled")
|
||||
framework.Skipf("dynamic configuration of webhooks requires the admissionregistration.k8s.io group to be enabled")
|
||||
}
|
||||
|
||||
By("Setting up server cert")
|
||||
@@ -107,7 +107,7 @@ var _ = SIGDescribe("AdmissionWebhook", func() {
|
||||
|
||||
It("Should be able to deny pod and configmap creation", func() {
|
||||
registerWebhook(f, context)
|
||||
defer client.AdmissionregistrationV1alpha1().ValidatingWebhookConfigurations().Delete(webhookConfigName, nil)
|
||||
defer client.AdmissionregistrationV1beta1().ValidatingWebhookConfigurations().Delete(webhookConfigName, nil)
|
||||
testWebhook(f)
|
||||
})
|
||||
|
||||
@@ -115,19 +115,19 @@ var _ = SIGDescribe("AdmissionWebhook", func() {
|
||||
crdCleanup, dynamicClient := createCRD(f)
|
||||
defer crdCleanup()
|
||||
registerWebhookForCRD(f, context)
|
||||
defer client.AdmissionregistrationV1alpha1().ValidatingWebhookConfigurations().Delete(crdWebhookConfigName, nil)
|
||||
defer client.AdmissionregistrationV1beta1().ValidatingWebhookConfigurations().Delete(crdWebhookConfigName, nil)
|
||||
testCRDWebhook(f, dynamicClient)
|
||||
})
|
||||
|
||||
It("Should unconditionally reject operations on fail closed webhook", func() {
|
||||
registerFailClosedWebhook(f, context)
|
||||
defer f.ClientSet.AdmissionregistrationV1alpha1().ValidatingWebhookConfigurations().Delete(webhookFailClosedConfigName, nil)
|
||||
defer f.ClientSet.AdmissionregistrationV1beta1().ValidatingWebhookConfigurations().Delete(webhookFailClosedConfigName, nil)
|
||||
testFailClosedWebhook(f)
|
||||
})
|
||||
|
||||
It("Should mutate configmap", func() {
|
||||
registerMutatingWebhookForConfigMap(f, context)
|
||||
defer client.AdmissionregistrationV1alpha1().MutatingWebhookConfigurations().Delete(mutatingWebhookConfigName, nil)
|
||||
defer client.AdmissionregistrationV1beta1().MutatingWebhookConfigurations().Delete(mutatingWebhookConfigName, nil)
|
||||
testMutatingConfigMapWebhook(f)
|
||||
})
|
||||
|
||||
@@ -135,7 +135,7 @@ var _ = SIGDescribe("AdmissionWebhook", func() {
|
||||
crdCleanup, dynamicClient := createCRD(f)
|
||||
defer crdCleanup()
|
||||
registerMutatingWebhookForCRD(f, context)
|
||||
defer client.AdmissionregistrationV1alpha1().MutatingWebhookConfigurations().Delete(crdMutatingWebhookConfigName, nil)
|
||||
defer client.AdmissionregistrationV1beta1().MutatingWebhookConfigurations().Delete(crdMutatingWebhookConfigName, nil)
|
||||
testMutatingCRDWebhook(f, dynamicClient)
|
||||
})
|
||||
|
||||
@@ -298,26 +298,26 @@ func registerWebhook(f *framework.Framework, context *certContext) {
|
||||
namespace := f.Namespace.Name
|
||||
// A webhook that cannot talk to server, with fail-open policy
|
||||
failOpenHook := failingWebhook(namespace, "fail-open.k8s.io")
|
||||
policyIgnore := v1alpha1.Ignore
|
||||
policyIgnore := v1beta1.Ignore
|
||||
failOpenHook.FailurePolicy = &policyIgnore
|
||||
|
||||
_, err := client.AdmissionregistrationV1alpha1().ValidatingWebhookConfigurations().Create(&v1alpha1.ValidatingWebhookConfiguration{
|
||||
_, err := client.AdmissionregistrationV1beta1().ValidatingWebhookConfigurations().Create(&v1beta1.ValidatingWebhookConfiguration{
|
||||
ObjectMeta: metav1.ObjectMeta{
|
||||
Name: webhookConfigName,
|
||||
},
|
||||
Webhooks: []v1alpha1.Webhook{
|
||||
Webhooks: []v1beta1.Webhook{
|
||||
{
|
||||
Name: "deny-unwanted-pod-container-name-and-label.k8s.io",
|
||||
Rules: []v1alpha1.RuleWithOperations{{
|
||||
Operations: []v1alpha1.OperationType{v1alpha1.Create},
|
||||
Rule: v1alpha1.Rule{
|
||||
Rules: []v1beta1.RuleWithOperations{{
|
||||
Operations: []v1beta1.OperationType{v1beta1.Create},
|
||||
Rule: v1beta1.Rule{
|
||||
APIGroups: []string{""},
|
||||
APIVersions: []string{"v1"},
|
||||
Resources: []string{"pods"},
|
||||
},
|
||||
}},
|
||||
ClientConfig: v1alpha1.WebhookClientConfig{
|
||||
Service: &v1alpha1.ServiceReference{
|
||||
ClientConfig: v1beta1.WebhookClientConfig{
|
||||
Service: &v1beta1.ServiceReference{
|
||||
Namespace: namespace,
|
||||
Name: serviceName,
|
||||
Path: strPtr("/pods"),
|
||||
@@ -327,9 +327,9 @@ func registerWebhook(f *framework.Framework, context *certContext) {
|
||||
},
|
||||
{
|
||||
Name: "deny-unwanted-configmap-data.k8s.io",
|
||||
Rules: []v1alpha1.RuleWithOperations{{
|
||||
Operations: []v1alpha1.OperationType{v1alpha1.Create, v1alpha1.Update},
|
||||
Rule: v1alpha1.Rule{
|
||||
Rules: []v1beta1.RuleWithOperations{{
|
||||
Operations: []v1beta1.OperationType{v1beta1.Create, v1beta1.Update},
|
||||
Rule: v1beta1.Rule{
|
||||
APIGroups: []string{""},
|
||||
APIVersions: []string{"v1"},
|
||||
Resources: []string{"configmaps"},
|
||||
@@ -345,8 +345,8 @@ func registerWebhook(f *framework.Framework, context *certContext) {
|
||||
},
|
||||
},
|
||||
},
|
||||
ClientConfig: v1alpha1.WebhookClientConfig{
|
||||
Service: &v1alpha1.ServiceReference{
|
||||
ClientConfig: v1beta1.WebhookClientConfig{
|
||||
Service: &v1beta1.ServiceReference{
|
||||
Namespace: namespace,
|
||||
Name: serviceName,
|
||||
Path: strPtr("/configmaps"),
|
||||
@@ -371,23 +371,23 @@ func registerMutatingWebhookForConfigMap(f *framework.Framework, context *certCo
|
||||
|
||||
namespace := f.Namespace.Name
|
||||
|
||||
_, err := client.AdmissionregistrationV1alpha1().MutatingWebhookConfigurations().Create(&v1alpha1.MutatingWebhookConfiguration{
|
||||
_, err := client.AdmissionregistrationV1beta1().MutatingWebhookConfigurations().Create(&v1beta1.MutatingWebhookConfiguration{
|
||||
ObjectMeta: metav1.ObjectMeta{
|
||||
Name: mutatingWebhookConfigName,
|
||||
},
|
||||
Webhooks: []v1alpha1.Webhook{
|
||||
Webhooks: []v1beta1.Webhook{
|
||||
{
|
||||
Name: "adding-configmap-data-stage-1.k8s.io",
|
||||
Rules: []v1alpha1.RuleWithOperations{{
|
||||
Operations: []v1alpha1.OperationType{v1alpha1.Create},
|
||||
Rule: v1alpha1.Rule{
|
||||
Rules: []v1beta1.RuleWithOperations{{
|
||||
Operations: []v1beta1.OperationType{v1beta1.Create},
|
||||
Rule: v1beta1.Rule{
|
||||
APIGroups: []string{""},
|
||||
APIVersions: []string{"v1"},
|
||||
Resources: []string{"configmaps"},
|
||||
},
|
||||
}},
|
||||
ClientConfig: v1alpha1.WebhookClientConfig{
|
||||
Service: &v1alpha1.ServiceReference{
|
||||
ClientConfig: v1beta1.WebhookClientConfig{
|
||||
Service: &v1beta1.ServiceReference{
|
||||
Namespace: namespace,
|
||||
Name: serviceName,
|
||||
Path: strPtr("/mutating-configmaps"),
|
||||
@@ -397,16 +397,16 @@ func registerMutatingWebhookForConfigMap(f *framework.Framework, context *certCo
|
||||
},
|
||||
{
|
||||
Name: "adding-configmap-data-stage-2.k8s.io",
|
||||
Rules: []v1alpha1.RuleWithOperations{{
|
||||
Operations: []v1alpha1.OperationType{v1alpha1.Create},
|
||||
Rule: v1alpha1.Rule{
|
||||
Rules: []v1beta1.RuleWithOperations{{
|
||||
Operations: []v1beta1.OperationType{v1beta1.Create},
|
||||
Rule: v1beta1.Rule{
|
||||
APIGroups: []string{""},
|
||||
APIVersions: []string{"v1"},
|
||||
Resources: []string{"configmaps"},
|
||||
},
|
||||
}},
|
||||
ClientConfig: v1alpha1.WebhookClientConfig{
|
||||
Service: &v1alpha1.ServiceReference{
|
||||
ClientConfig: v1beta1.WebhookClientConfig{
|
||||
Service: &v1beta1.ServiceReference{
|
||||
Namespace: namespace,
|
||||
Name: serviceName,
|
||||
Path: strPtr("/mutating-configmaps"),
|
||||
@@ -516,19 +516,19 @@ func testWebhook(f *framework.Framework) {
|
||||
|
||||
// failingWebhook returns a webhook with rule of create configmaps,
|
||||
// but with an invalid client config so that server cannot communicate with it
|
||||
func failingWebhook(namespace, name string) v1alpha1.Webhook {
|
||||
return v1alpha1.Webhook{
|
||||
func failingWebhook(namespace, name string) v1beta1.Webhook {
|
||||
return v1beta1.Webhook{
|
||||
Name: name,
|
||||
Rules: []v1alpha1.RuleWithOperations{{
|
||||
Operations: []v1alpha1.OperationType{v1alpha1.Create},
|
||||
Rule: v1alpha1.Rule{
|
||||
Rules: []v1beta1.RuleWithOperations{{
|
||||
Operations: []v1beta1.OperationType{v1beta1.Create},
|
||||
Rule: v1beta1.Rule{
|
||||
APIGroups: []string{""},
|
||||
APIVersions: []string{"v1"},
|
||||
Resources: []string{"configmaps"},
|
||||
},
|
||||
}},
|
||||
ClientConfig: v1alpha1.WebhookClientConfig{
|
||||
Service: &v1alpha1.ServiceReference{
|
||||
ClientConfig: v1beta1.WebhookClientConfig{
|
||||
Service: &v1beta1.ServiceReference{
|
||||
Namespace: namespace,
|
||||
Name: serviceName,
|
||||
Path: strPtr("/configmaps"),
|
||||
@@ -545,7 +545,7 @@ func registerFailClosedWebhook(f *framework.Framework, context *certContext) {
|
||||
|
||||
namespace := f.Namespace.Name
|
||||
// A webhook that cannot talk to server, with fail-closed policy
|
||||
policyFail := v1alpha1.Fail
|
||||
policyFail := v1beta1.Fail
|
||||
hook := failingWebhook(namespace, "fail-closed.k8s.io")
|
||||
hook.FailurePolicy = &policyFail
|
||||
hook.NamespaceSelector = &metav1.LabelSelector{
|
||||
@@ -558,11 +558,11 @@ func registerFailClosedWebhook(f *framework.Framework, context *certContext) {
|
||||
},
|
||||
}
|
||||
|
||||
_, err := client.AdmissionregistrationV1alpha1().ValidatingWebhookConfigurations().Create(&v1alpha1.ValidatingWebhookConfiguration{
|
||||
_, err := client.AdmissionregistrationV1beta1().ValidatingWebhookConfigurations().Create(&v1beta1.ValidatingWebhookConfiguration{
|
||||
ObjectMeta: metav1.ObjectMeta{
|
||||
Name: webhookFailClosedConfigName,
|
||||
},
|
||||
Webhooks: []v1alpha1.Webhook{
|
||||
Webhooks: []v1beta1.Webhook{
|
||||
// Server cannot talk to this webhook, so it always fails.
|
||||
// Because this webhook is configured fail-closed, request should be rejected after the call fails.
|
||||
hook,
|
||||
@@ -741,23 +741,23 @@ func registerWebhookForCRD(f *framework.Framework, context *certContext) {
|
||||
By("Registering the crd webhook via the AdmissionRegistration API")
|
||||
|
||||
namespace := f.Namespace.Name
|
||||
_, err := client.AdmissionregistrationV1alpha1().ValidatingWebhookConfigurations().Create(&v1alpha1.ValidatingWebhookConfiguration{
|
||||
_, err := client.AdmissionregistrationV1beta1().ValidatingWebhookConfigurations().Create(&v1beta1.ValidatingWebhookConfiguration{
|
||||
ObjectMeta: metav1.ObjectMeta{
|
||||
Name: crdWebhookConfigName,
|
||||
},
|
||||
Webhooks: []v1alpha1.Webhook{
|
||||
Webhooks: []v1beta1.Webhook{
|
||||
{
|
||||
Name: "deny-unwanted-crd-data.k8s.io",
|
||||
Rules: []v1alpha1.RuleWithOperations{{
|
||||
Operations: []v1alpha1.OperationType{v1alpha1.Create},
|
||||
Rule: v1alpha1.Rule{
|
||||
Rules: []v1beta1.RuleWithOperations{{
|
||||
Operations: []v1beta1.OperationType{v1beta1.Create},
|
||||
Rule: v1beta1.Rule{
|
||||
APIGroups: []string{crdAPIGroup},
|
||||
APIVersions: []string{crdAPIVersion},
|
||||
Resources: []string{crdName + "s"},
|
||||
},
|
||||
}},
|
||||
ClientConfig: v1alpha1.WebhookClientConfig{
|
||||
Service: &v1alpha1.ServiceReference{
|
||||
ClientConfig: v1beta1.WebhookClientConfig{
|
||||
Service: &v1beta1.ServiceReference{
|
||||
Namespace: namespace,
|
||||
Name: serviceName,
|
||||
Path: strPtr("/crd"),
|
||||
@@ -778,23 +778,23 @@ func registerMutatingWebhookForCRD(f *framework.Framework, context *certContext)
|
||||
By("Registering the mutating webhook for crd via the AdmissionRegistration API")
|
||||
|
||||
namespace := f.Namespace.Name
|
||||
_, err := client.AdmissionregistrationV1alpha1().MutatingWebhookConfigurations().Create(&v1alpha1.MutatingWebhookConfiguration{
|
||||
_, err := client.AdmissionregistrationV1beta1().MutatingWebhookConfigurations().Create(&v1beta1.MutatingWebhookConfiguration{
|
||||
ObjectMeta: metav1.ObjectMeta{
|
||||
Name: crdMutatingWebhookConfigName,
|
||||
},
|
||||
Webhooks: []v1alpha1.Webhook{
|
||||
Webhooks: []v1beta1.Webhook{
|
||||
{
|
||||
Name: "mutate-crd-data-stage-1.k8s.io",
|
||||
Rules: []v1alpha1.RuleWithOperations{{
|
||||
Operations: []v1alpha1.OperationType{v1alpha1.Create},
|
||||
Rule: v1alpha1.Rule{
|
||||
Rules: []v1beta1.RuleWithOperations{{
|
||||
Operations: []v1beta1.OperationType{v1beta1.Create},
|
||||
Rule: v1beta1.Rule{
|
||||
APIGroups: []string{crdAPIGroup},
|
||||
APIVersions: []string{crdAPIVersion},
|
||||
Resources: []string{crdName + "s"},
|
||||
},
|
||||
}},
|
||||
ClientConfig: v1alpha1.WebhookClientConfig{
|
||||
Service: &v1alpha1.ServiceReference{
|
||||
ClientConfig: v1beta1.WebhookClientConfig{
|
||||
Service: &v1beta1.ServiceReference{
|
||||
Namespace: namespace,
|
||||
Name: serviceName,
|
||||
Path: strPtr("/mutating-crd"),
|
||||
@@ -804,16 +804,16 @@ func registerMutatingWebhookForCRD(f *framework.Framework, context *certContext)
|
||||
},
|
||||
{
|
||||
Name: "mutate-crd-data-stage-2.k8s.io",
|
||||
Rules: []v1alpha1.RuleWithOperations{{
|
||||
Operations: []v1alpha1.OperationType{v1alpha1.Create},
|
||||
Rule: v1alpha1.Rule{
|
||||
Rules: []v1beta1.RuleWithOperations{{
|
||||
Operations: []v1beta1.OperationType{v1beta1.Create},
|
||||
Rule: v1beta1.Rule{
|
||||
APIGroups: []string{crdAPIGroup},
|
||||
APIVersions: []string{crdAPIVersion},
|
||||
Resources: []string{crdName + "s"},
|
||||
},
|
||||
}},
|
||||
ClientConfig: v1alpha1.WebhookClientConfig{
|
||||
Service: &v1alpha1.ServiceReference{
|
||||
ClientConfig: v1beta1.WebhookClientConfig{
|
||||
Service: &v1beta1.ServiceReference{
|
||||
Namespace: namespace,
|
||||
Name: serviceName,
|
||||
Path: strPtr("/mutating-crd"),
|
||||
|
||||
@@ -11,7 +11,7 @@ go_library(
|
||||
visibility = ["//visibility:private"],
|
||||
deps = [
|
||||
"//vendor/github.com/golang/glog:go_default_library",
|
||||
"//vendor/k8s.io/api/admission/v1alpha1:go_default_library",
|
||||
"//vendor/k8s.io/api/admission/v1beta1:go_default_library",
|
||||
"//vendor/k8s.io/api/admissionregistration/v1alpha1:go_default_library",
|
||||
"//vendor/k8s.io/api/core/v1:go_default_library",
|
||||
"//vendor/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
|
||||
|
||||
@@ -38,7 +38,7 @@ the tls client, and the webhook is the tls server.
|
||||
The webhook proves its identity by the `serverCert` in the certs.go. The server
|
||||
cert is signed by the CA in certs.go. To let the apiserver trust the `caCert`,
|
||||
the webhook registers itself with the apiserver via the
|
||||
`admissionregistration/v1alpha1/externalAdmissionHook` API, with
|
||||
`admissionregistration/v1beta1/externalAdmissionHook` API, with
|
||||
`clientConfig.caBundle=caCert`.
|
||||
|
||||
For maximum protection, this example webhook requires and verifies the client
|
||||
|
||||
@@ -25,7 +25,7 @@ import (
|
||||
"strings"
|
||||
|
||||
"github.com/golang/glog"
|
||||
"k8s.io/api/admission/v1alpha1"
|
||||
"k8s.io/api/admission/v1beta1"
|
||||
corev1 "k8s.io/api/core/v1"
|
||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
"k8s.io/apimachinery/pkg/runtime"
|
||||
@@ -56,8 +56,8 @@ func (c *Config) addFlags() {
|
||||
"File containing the default x509 private key matching --tls-cert-file.")
|
||||
}
|
||||
|
||||
func toAdmissionResponse(err error) *v1alpha1.AdmissionResponse {
|
||||
return &v1alpha1.AdmissionResponse{
|
||||
func toAdmissionResponse(err error) *v1beta1.AdmissionResponse {
|
||||
return &v1beta1.AdmissionResponse{
|
||||
Result: &metav1.Status{
|
||||
Message: err.Error(),
|
||||
},
|
||||
@@ -65,7 +65,7 @@ func toAdmissionResponse(err error) *v1alpha1.AdmissionResponse {
|
||||
}
|
||||
|
||||
// only allow pods to pull images from specific registry.
|
||||
func admitPods(ar v1alpha1.AdmissionReview) *v1alpha1.AdmissionResponse {
|
||||
func admitPods(ar v1beta1.AdmissionReview) *v1beta1.AdmissionResponse {
|
||||
glog.V(2).Info("admitting pods")
|
||||
podResource := metav1.GroupVersionResource{Group: "", Version: "v1", Resource: "pods"}
|
||||
if ar.Request.Resource != podResource {
|
||||
@@ -81,7 +81,7 @@ func admitPods(ar v1alpha1.AdmissionReview) *v1alpha1.AdmissionResponse {
|
||||
glog.Error(err)
|
||||
return toAdmissionResponse(err)
|
||||
}
|
||||
reviewResponse := v1alpha1.AdmissionResponse{}
|
||||
reviewResponse := v1beta1.AdmissionResponse{}
|
||||
reviewResponse.Allowed = true
|
||||
|
||||
var msg string
|
||||
@@ -104,7 +104,7 @@ func admitPods(ar v1alpha1.AdmissionReview) *v1alpha1.AdmissionResponse {
|
||||
}
|
||||
|
||||
// deny configmaps with specific key-value pair.
|
||||
func admitConfigMaps(ar v1alpha1.AdmissionReview) *v1alpha1.AdmissionResponse {
|
||||
func admitConfigMaps(ar v1beta1.AdmissionReview) *v1beta1.AdmissionResponse {
|
||||
glog.V(2).Info("admitting configmaps")
|
||||
configMapResource := metav1.GroupVersionResource{Group: "", Version: "v1", Resource: "configmaps"}
|
||||
if ar.Request.Resource != configMapResource {
|
||||
@@ -119,7 +119,7 @@ func admitConfigMaps(ar v1alpha1.AdmissionReview) *v1alpha1.AdmissionResponse {
|
||||
glog.Error(err)
|
||||
return toAdmissionResponse(err)
|
||||
}
|
||||
reviewResponse := v1alpha1.AdmissionResponse{}
|
||||
reviewResponse := v1beta1.AdmissionResponse{}
|
||||
reviewResponse.Allowed = true
|
||||
for k, v := range configmap.Data {
|
||||
if k == "webhook-e2e-test" && v == "webhook-disallow" {
|
||||
@@ -132,7 +132,7 @@ func admitConfigMaps(ar v1alpha1.AdmissionReview) *v1alpha1.AdmissionResponse {
|
||||
return &reviewResponse
|
||||
}
|
||||
|
||||
func mutateConfigmaps(ar v1alpha1.AdmissionReview) *v1alpha1.AdmissionResponse {
|
||||
func mutateConfigmaps(ar v1beta1.AdmissionReview) *v1beta1.AdmissionResponse {
|
||||
glog.V(2).Info("mutating configmaps")
|
||||
configMapResource := metav1.GroupVersionResource{Group: "", Version: "v1", Resource: "configmaps"}
|
||||
if ar.Request.Resource != configMapResource {
|
||||
@@ -147,7 +147,7 @@ func mutateConfigmaps(ar v1alpha1.AdmissionReview) *v1alpha1.AdmissionResponse {
|
||||
glog.Error(err)
|
||||
return toAdmissionResponse(err)
|
||||
}
|
||||
reviewResponse := v1alpha1.AdmissionResponse{}
|
||||
reviewResponse := v1beta1.AdmissionResponse{}
|
||||
reviewResponse.Allowed = true
|
||||
if configmap.Data["mutation-start"] == "yes" {
|
||||
reviewResponse.Patch = []byte(patch1)
|
||||
@@ -156,13 +156,13 @@ func mutateConfigmaps(ar v1alpha1.AdmissionReview) *v1alpha1.AdmissionResponse {
|
||||
reviewResponse.Patch = []byte(patch2)
|
||||
}
|
||||
|
||||
pt := v1alpha1.PatchTypeJSONPatch
|
||||
pt := v1beta1.PatchTypeJSONPatch
|
||||
reviewResponse.PatchType = &pt
|
||||
|
||||
return &reviewResponse
|
||||
}
|
||||
|
||||
func mutateCRD(ar v1alpha1.AdmissionReview) *v1alpha1.AdmissionResponse {
|
||||
func mutateCRD(ar v1beta1.AdmissionReview) *v1beta1.AdmissionResponse {
|
||||
glog.V(2).Info("mutating crd")
|
||||
cr := struct {
|
||||
metav1.ObjectMeta
|
||||
@@ -176,7 +176,7 @@ func mutateCRD(ar v1alpha1.AdmissionReview) *v1alpha1.AdmissionResponse {
|
||||
return toAdmissionResponse(err)
|
||||
}
|
||||
|
||||
reviewResponse := v1alpha1.AdmissionResponse{}
|
||||
reviewResponse := v1beta1.AdmissionResponse{}
|
||||
reviewResponse.Allowed = true
|
||||
|
||||
if cr.Data["mutation-start"] == "yes" {
|
||||
@@ -185,12 +185,12 @@ func mutateCRD(ar v1alpha1.AdmissionReview) *v1alpha1.AdmissionResponse {
|
||||
if cr.Data["mutation-stage-1"] == "yes" {
|
||||
reviewResponse.Patch = []byte(patch2)
|
||||
}
|
||||
pt := v1alpha1.PatchTypeJSONPatch
|
||||
pt := v1beta1.PatchTypeJSONPatch
|
||||
reviewResponse.PatchType = &pt
|
||||
return &reviewResponse
|
||||
}
|
||||
|
||||
func admitCRD(ar v1alpha1.AdmissionReview) *v1alpha1.AdmissionResponse {
|
||||
func admitCRD(ar v1beta1.AdmissionReview) *v1beta1.AdmissionResponse {
|
||||
glog.V(2).Info("admitting crd")
|
||||
cr := struct {
|
||||
metav1.ObjectMeta
|
||||
@@ -204,7 +204,7 @@ func admitCRD(ar v1alpha1.AdmissionReview) *v1alpha1.AdmissionResponse {
|
||||
return toAdmissionResponse(err)
|
||||
}
|
||||
|
||||
reviewResponse := v1alpha1.AdmissionResponse{}
|
||||
reviewResponse := v1beta1.AdmissionResponse{}
|
||||
reviewResponse.Allowed = true
|
||||
for k, v := range cr.Data {
|
||||
if k == "webhook-e2e-test" && v == "webhook-disallow" {
|
||||
@@ -217,7 +217,7 @@ func admitCRD(ar v1alpha1.AdmissionReview) *v1alpha1.AdmissionResponse {
|
||||
return &reviewResponse
|
||||
}
|
||||
|
||||
type admitFunc func(v1alpha1.AdmissionReview) *v1alpha1.AdmissionResponse
|
||||
type admitFunc func(v1beta1.AdmissionReview) *v1beta1.AdmissionResponse
|
||||
|
||||
func serve(w http.ResponseWriter, r *http.Request, admit admitFunc) {
|
||||
var body []byte
|
||||
@@ -234,8 +234,8 @@ func serve(w http.ResponseWriter, r *http.Request, admit admitFunc) {
|
||||
return
|
||||
}
|
||||
|
||||
var reviewResponse *v1alpha1.AdmissionResponse
|
||||
ar := v1alpha1.AdmissionReview{}
|
||||
var reviewResponse *v1beta1.AdmissionResponse
|
||||
ar := v1beta1.AdmissionReview{}
|
||||
deserializer := codecs.UniversalDeserializer()
|
||||
if _, _, err := deserializer.Decode(body, nil, &ar); err != nil {
|
||||
glog.Error(err)
|
||||
@@ -244,7 +244,7 @@ func serve(w http.ResponseWriter, r *http.Request, admit admitFunc) {
|
||||
reviewResponse = admit(ar)
|
||||
}
|
||||
|
||||
response := v1alpha1.AdmissionReview{}
|
||||
response := v1beta1.AdmissionReview{}
|
||||
if reviewResponse != nil {
|
||||
response.Response = reviewResponse
|
||||
response.Response.UID = ar.Request.UID
|
||||
|
||||
@@ -17,7 +17,7 @@ limitations under the License.
|
||||
package main
|
||||
|
||||
import (
|
||||
admissionregistrationv1alpha1 "k8s.io/api/admissionregistration/v1alpha1"
|
||||
admissionregistrationv1beta1 "k8s.io/api/admissionregistration/v1beta1"
|
||||
corev1 "k8s.io/api/core/v1"
|
||||
"k8s.io/apimachinery/pkg/runtime"
|
||||
"k8s.io/apimachinery/pkg/runtime/serializer"
|
||||
@@ -32,5 +32,5 @@ func init() {
|
||||
|
||||
func addToScheme(scheme *runtime.Scheme) {
|
||||
corev1.AddToScheme(scheme)
|
||||
admissionregistrationv1alpha1.AddToScheme(scheme)
|
||||
admissionregistrationv1beta1.AddToScheme(scheme)
|
||||
}
|
||||
|
||||
@@ -388,11 +388,12 @@ var etcdStorageData = map[schema.GroupVersionResource]struct {
|
||||
stub: `{"metadata":{"name":"ic1"},"initializers":[{"name":"initializer.k8s.io","rules":[{"apiGroups":["group"],"apiVersions":["version"],"resources":["resource"]}],"failurePolicy":"Ignore"}]}`,
|
||||
expectedEtcdPath: "/registry/initializerconfigurations/ic1",
|
||||
},
|
||||
gvr("admissionregistration.k8s.io", "v1alpha1", "validatingwebhookconfigurations"): {
|
||||
// k8s.io/kubernetes/pkg/apis/admissionregistration/v1beta1
|
||||
gvr("admissionregistration.k8s.io", "v1beta1", "validatingwebhookconfigurations"): {
|
||||
stub: `{"metadata":{"name":"hook1","creationTimestamp":null},"webhooks":[{"name":"externaladmissionhook.k8s.io","clientConfig":{"service":{"namespace":"ns","name":"n"},"caBundle":null},"rules":[{"operations":["CREATE"],"apiGroups":["group"],"apiVersions":["version"],"resources":["resource"]}],"failurePolicy":"Ignore"}]}`,
|
||||
expectedEtcdPath: "/registry/validatingwebhookconfigurations/hook1",
|
||||
},
|
||||
gvr("admissionregistration.k8s.io", "v1alpha1", "mutatingwebhookconfigurations"): {
|
||||
gvr("admissionregistration.k8s.io", "v1beta1", "mutatingwebhookconfigurations"): {
|
||||
stub: `{"metadata":{"name":"hook1","creationTimestamp":null},"webhooks":[{"name":"externaladmissionhook.k8s.io","clientConfig":{"service":{"namespace":"ns","name":"n"},"caBundle":null},"rules":[{"operations":["CREATE"],"apiGroups":["group"],"apiVersions":["version"],"resources":["resource"]}],"failurePolicy":"Ignore"}]}`,
|
||||
expectedEtcdPath: "/registry/mutatingwebhookconfigurations/hook1",
|
||||
},
|
||||
@@ -486,8 +487,8 @@ var ephemeralWhiteList = createEphemeralWhiteList(
|
||||
gvr("policy", "v1beta1", "evictions"), // not stored in etcd, deals with evicting kapiv1.Pod
|
||||
// --
|
||||
|
||||
// k8s.io/kubernetes/pkg/apis/admission/v1alpha1
|
||||
gvr("admission.k8s.io", "v1alpha1", "admissionreviews"), // not stored in etcd, call out to webhooks.
|
||||
// k8s.io/kubernetes/pkg/apis/admission/v1beta1
|
||||
gvr("admission.k8s.io", "v1beta1", "admissionreviews"), // not stored in etcd, call out to webhooks.
|
||||
// --
|
||||
)
|
||||
|
||||
|
||||
Reference in New Issue
Block a user