Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
allow fail close webhook admission
Webhook admission needs to allow failing closed. Even in an alpha state, I don't want to be one DDOS away from having an exposed cluster.
/assign caesarxuchao
/assign sttts
Automatic merge from submit-queue (batch tested with PRs 47717, 53896). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
decode admission responses into a fresh object
Something about the way the admission request object is built causes decoding into back into it to fail with
```
W1013 14:10:42.457423 2960 admission.go:185] rejected by webhook namespacereservations.admission.online.openshift.io/apis/admission.online.openshift.io/v1alpha1/namespacereservations &{%!t(string=namespacereservations.admission.online.openshift.io/apis/admission.online.openshift.io/v1alpha1/namespacereservations) %!t(*errors.errorString=&{reflect.Value.Addr of unaddressable value})}: failed calling admission webhook "namespacereservations.admission.online.openshift.io/apis/admission.online.openshift.io/v1alpha1/namespacereservations": reflect.Value.Addr of unaddressable value
```
This simply creates a fresh object to decode into, which works fine for our usage and makes it possible to actually have the webhook call out to something.
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
pkg/api: extract Scheme/Registry/Codecs into pkg/api/legacyscheme
This serves as
- a preparation for the pkg/api->pkg/apis/core move
- and makes the dependency to the scheme explicit when vizualizing
left depenncies.
The later helps with our our efforts to split up the monolithic repo
into self-contained sub-repos, e.g. for kubectl, controller-manager
and kube-apiserver in the future.
Go 1.9 has some better checks for SAN extensions, notably:
630e93ed2d
We recently added ServerName to the rest client TLSConfig:
186a0684d5 (diff-eb3573c6b11347dc3793c477726480efR262)
So we need to be sure that the ServerName "webhook-test.default.svc" is
present in the certificates that we generate."
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
removes k8s.io/kubernetes/pkg/api dependency from the webhook plugin.
**What this PR does / why we need it**: removes `k8s.io/kubernetes/pkg/api` dependency from `webhook` plugin. The runtime.scheme can be injected to the webhook from the plugin initializer.
**Release note**:
```
NONE
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Move initializer plugin to the generic apiserver
* Moves `k8s.io/kuberentes/plugin/pkg/admission/initialization` to `k8s.io/apiserver/pkg/admission/plugin/initialization`
* Moves `k8s.io/kubernetes/pkg/kubeapiserver/admission/configuration` to `k8s.io/apiserver/pkg/admission/configuration`
* The initializer plugin used to depend on `k8s.io/kubernetes` because it does a type assertion of `api.Pod`. It tries to skip mirror pod. I converted that code to use the generic accessor pattern.
move k8s.io/kubernetes/plugin/pkg/admission/initialization to
k8s.io/apiserver/pkg/admission/plugin/initialization/initialization.go;
move k8s.io/kubernetes/pkg/kubeapiserver/admission/configuration to
k8s.io/apiserver/pkg/admission/configuration.
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
moves admission.v1alpha1.NewAdmissionReview method to webhook plugin
**What this PR does / why we need it**:
this is necessary, because the webhook plugin will be moved down to apiserver.
**Release note**:
```
NONE
```
As part of https://github.com/kubernetes/community/pull/132, thsi commit
adds a generic webhook admission controller. This plugin allows for a
completely declarative approach for filtering/matching admission requests
and for matching admission requests, calls out to an external webhook for
handling admission requests.
