Make isolate validation as optional

Isolation webhook should be matched multus 'namespaceisolation' feature, however, currently multus 'namespaceisolation' is optional and default is false. This change changes isolation validation webhook is optional as multus does. Fix #54.
k8snetworkplumbingwg · Apr 6, 2023 · 8f72cf7 · 8f72cf7
1 parent e83ad89
commit 8f72cf7
Show file tree

Hide file tree

Showing 6 changed files with 44 additions and 25 deletions.
diff --git a/build/Dockerfile b/build/Dockerfile
@@ -20,4 +20,4 @@ ADD . /usr/src/net-attach-def-admission-controller
 RUN cd /usr/src/net-attach-def-admission-controller && \
     ./hack/build.sh
 
-CMD ["./bin/webhook"]
+CMD ["/usr/src/net-attach-def-admission-controller/bin/webhook"]
diff --git a/deployments/deployment.yaml b/deployments/deployment.yaml
@@ -30,7 +30,7 @@ spec:
       - name: net-attach-def-admission-controller
         image: ghcr.io/k8snetworkplumbingwg/net-attach-def-admission-controller:snapshot
         command:
-        - ./bin/webhook
+        - /usr/src/net-attach-def-admission-controller/bin/webhook
         args:
         - -bind-address=0.0.0.0
         - -port=443
@@ -59,7 +59,7 @@ spec:
                 fieldPath: status.podIP
         ports:
           - containerPort: 8443
-            hostPort: 8443
+            protocol: TCP
             name: https
         resources:
           requests:

diff --git a/deployments/webhook-isolate.yaml b/deployments/webhook-isolate.yaml
@@ -0,0 +1,20 @@
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+  name: net-attach-def-admission-controller-isolating-config
+webhooks:
+  - name: net-attach-def-admission-controller-isolating-config.k8s.io
+    clientConfig:
+      service:
+        name: net-attach-def-admission-controller-service
+        namespace: ${NAMESPACE}
+        path: "/isolate"
+      caBundle: ${CA_BUNDLE}
+    admissionReviewVersions: ['v1']
+    sideEffects: None
+    rules:
+      - operations: [ "CREATE" ]
+        apiGroups: ["apps", ""]
+        apiVersions: ["v1"]
+        resources: ["pods"]
diff --git a/deployments/webhook.yaml → deployments/webhook-validate.yaml b/deployments/webhook.yaml → deployments/webhook-validate.yaml
@@ -1,26 +1,6 @@
 ---
 apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
-metadata:
-  name: net-attach-def-admission-controller-isolating-config
-webhooks:
-  - name: net-attach-def-admission-controller-isolating-config.k8s.io
-    clientConfig:
-      service:
-        name: net-attach-def-admission-controller-service
-        namespace: ${NAMESPACE}
-        path: "/isolate"
-      caBundle: ${CA_BUNDLE}
-    admissionReviewVersions: ['v1']
-    sideEffects: None
-    rules:
-      - operations: [ "CREATE" ]
-        apiGroups: ["apps", ""]
-        apiVersions: ["v1"]
-        resources: ["pods"]
----
-apiVersion: admissionregistration.k8s.io/v1
-kind: ValidatingWebhookConfiguration
 metadata:
   name: net-attach-def-admission-controller-validating-config
 webhooks:

diff --git a/hack/delete-deployment.sh b/hack/delete-deployment.sh
@@ -35,7 +35,12 @@ done
 
 kubectl -n ${NAMESPACE} delete -f ${BASE_DIR}/deployments/service.yaml
 
-cat ${BASE_DIR}/deployments/webhook.yaml | \
+cat ${BASE_DIR}/deployments/webhook-validate.yaml | \
+	${BASE_DIR}/hack/webhook-patch-ca-bundle.sh | \
+    sed -e "s|\${NAMESPACE}|${NAMESPACE}|g" | \
+	kubectl -n ${NAMESPACE} delete -f -
+
+cat ${BASE_DIR}/deployments/webhook-isolate.yaml | \
 	${BASE_DIR}/hack/webhook-patch-ca-bundle.sh | \
     sed -e "s|\${NAMESPACE}|${NAMESPACE}|g" | \
 	kubectl -n ${NAMESPACE} delete -f -

diff --git a/hack/webhook-deployment.sh b/hack/webhook-deployment.sh
@@ -9,6 +9,7 @@ NAMESPACE="kube-system"
 PROMETHEUS_NAMESPACE="monitoring"
 OPERATOR_NAMESPACE="operators"
 INSTALL_SELF_SIGNED_CERT=true
+ENABLE_ISOLATE_WEBHOOK=false
 
 # Give help text for parameters.
 function usage()
@@ -17,6 +18,7 @@ function usage()
     echo -e "\t-h --help"
     echo -e "\t--install-self-signed-cert=${INSTALL_SELF_SIGNED_CERT}"
     echo -e "\t--namespace=${NAMESPACE}"
+    echo -e "\t--enable-isolate-webhook"
 }
 # Parse parameters given as arguments to this script.
 while [ "$1" != "" ]; do
@@ -30,6 +32,9 @@ while [ "$1" != "" ]; do
         --install-self-signed-cert)
             INSTALL_SELF_SIGNED_CERT=$VALUE
             ;;
+        --enable-isolate-webhook)
+            ENABLE_ISOLATE_WEBHOOK=true
+	    ;;
         --namespace)
             NAMESPACE=$VALUE
             ;;
@@ -51,11 +56,20 @@ kubectl -n ${NAMESPACE} create -f ${BASE_DIR}/deployments/deployment.yaml
 
 kubectl -n ${NAMESPACE} create -f ${BASE_DIR}/deployments/service.yaml
 export NAMESPACE
-cat ${BASE_DIR}/deployments/webhook.yaml | \
+# install validate webhook
+cat ${BASE_DIR}/deployments/webhook-validate.yaml | \
 	${BASE_DIR}/hack/webhook-patch-ca-bundle.sh | \
 	sed -e "s|\${NAMESPACE}|${NAMESPACE}|g" | \
 	kubectl -n ${NAMESPACE} create -f -
 
+# install isolate webhook
+if [ "${ENABLE_ISOLATE_WEBHOOK}" == true ]; then
+	cat ${BASE_DIR}/deployments/webhook-isolate.yaml | \
+		${BASE_DIR}/hack/webhook-patch-ca-bundle.sh | \
+		sed -e "s|\${NAMESPACE}|${NAMESPACE}|g" | \
+		kubectl -n ${NAMESPACE} create -f -
+fi
+
 
 sleep 5
 if [[ "$(kubectl get pod -l k8s-app=prometheus-operator -n ${OPERATOR_NAMESPACE} | grep -o prometheus-operator)" == "prometheus-operator" ]]; then