From 8f72cf761fbf69f012cfc6aec63afaf15090df44 Mon Sep 17 00:00:00 2001 From: Tomofumi Hayashi Date: Fri, 31 Mar 2023 00:39:10 +0900 Subject: [PATCH] Make isolate validation as optional Isolation webhook should be matched multus 'namespaceisolation' feature, however, currently multus 'namespaceisolation' is optional and default is false. This change changes isolation validation webhook is optional as multus does. Fix #54. --- build/Dockerfile | 2 +- deployments/deployment.yaml | 4 ++-- deployments/webhook-isolate.yaml | 20 +++++++++++++++++++ .../{webhook.yaml => webhook-validate.yaml} | 20 ------------------- hack/delete-deployment.sh | 7 ++++++- hack/webhook-deployment.sh | 16 ++++++++++++++- 6 files changed, 44 insertions(+), 25 deletions(-) create mode 100644 deployments/webhook-isolate.yaml rename deployments/{webhook.yaml => webhook-validate.yaml} (51%) diff --git a/build/Dockerfile b/build/Dockerfile index 9ce19f01..91fe948d 100644 --- a/build/Dockerfile +++ b/build/Dockerfile @@ -20,4 +20,4 @@ ADD . /usr/src/net-attach-def-admission-controller RUN cd /usr/src/net-attach-def-admission-controller && \ ./hack/build.sh -CMD ["./bin/webhook"] +CMD ["/usr/src/net-attach-def-admission-controller/bin/webhook"] diff --git a/deployments/deployment.yaml b/deployments/deployment.yaml index f258ad26..4c40133c 100644 --- a/deployments/deployment.yaml +++ b/deployments/deployment.yaml @@ -30,7 +30,7 @@ spec: - name: net-attach-def-admission-controller image: ghcr.io/k8snetworkplumbingwg/net-attach-def-admission-controller:snapshot command: - - ./bin/webhook + - /usr/src/net-attach-def-admission-controller/bin/webhook args: - -bind-address=0.0.0.0 - -port=443 @@ -59,7 +59,7 @@ spec: fieldPath: status.podIP ports: - containerPort: 8443 - hostPort: 8443 + protocol: TCP name: https resources: requests: diff --git a/deployments/webhook-isolate.yaml b/deployments/webhook-isolate.yaml new file mode 100644 index 00000000..906329b9 --- /dev/null 
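Review bot: The absolute binary path `/usr/src/net-attach-def-admission-controller/bin/webhook` now has to agree in two places, the `CMD` here and the `command:` entry in the first deployment.yaml hunk of this commit, and nothing ties the two together. Setting `WORKDIR /usr/src/net-attach-def-admission-controller` in the Dockerfile would let `CMD ["./bin/webhook"]` stay relative and still resolve regardless of the caller's cwd, or the Deployment could drop its `command:` override and rely on the image's CMD so there is a single source of truth. Failing that, a comment above the `CMD` line saying `# keep in sync with deployments/deployment.yaml command:` would at least make the coupling visible.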
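Review bot: The second deployment.yaml hunk replaces `hostPort: 8443` with `protocol: TCP`, which changes how the webhook is exposed (the per-node port binding goes away and only the container port remains), yet neither the commit message nor the diff explains it, and it is unrelated to making the isolate webhook optional. Dropping hostPort is a good hardening step, since a hostPort binds on every node the pod lands on and is disallowed by the restricted Pod Security Standard, but it should be stated in the description and would be cleaner as its own commit. It also presumes that the Service in deployments/service.yaml targets the container port rather than the host port, which this diff does not show; worth confirming before merging.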
+++ b/deployments/webhook-isolate.yaml @@ -0,0 +1,20 @@ +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + name: net-attach-def-admission-controller-isolating-config +webhooks: + - name: net-attach-def-admission-controller-isolating-config.k8s.io + clientConfig: + service: + name: net-attach-def-admission-controller-service + namespace: ${NAMESPACE} + path: "/isolate" + caBundle: ${CA_BUNDLE} + admissionReviewVersions: ['v1'] + sideEffects: None + rules: + - operations: [ "CREATE" ] + apiGroups: ["apps", ""] + apiVersions: ["v1"] + resources: ["pods"] diff --git a/deployments/webhook.yaml b/deployments/webhook-validate.yaml similarity index 51% rename from deployments/webhook.yaml rename to deployments/webhook-validate.yaml index 929c945f..1ac42a14 100644 --- a/deployments/webhook.yaml +++ b/deployments/webhook-validate.yaml @@ -1,26 +1,6 @@ --- apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingWebhookConfiguration -metadata: - name: net-attach-def-admission-controller-isolating-config -webhooks: - - name: net-attach-def-admission-controller-isolating-config.k8s.io - clientConfig: - service: - name: net-attach-def-admission-controller-service - namespace: ${NAMESPACE} - path: "/isolate" - caBundle: ${CA_BUNDLE} - admissionReviewVersions: ['v1'] - sideEffects: None - rules: - - operations: [ "CREATE" ] - apiGroups: ["apps", ""] - apiVersions: ["v1"] - resources: ["pods"] ---- -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingWebhookConfiguration metadata: name: net-attach-def-admission-controller-validating-config webhooks: diff --git a/hack/delete-deployment.sh b/hack/delete-deployment.sh index e2adc3d7..987c5de9 100755 --- a/hack/delete-deployment.sh +++ b/hack/delete-deployment.sh 
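Review bot: The new ValidatingWebhookConfiguration sets neither `failurePolicy` nor a `namespaceSelector`, so with the v1 default of `Fail` it intercepts every pod CREATE in every namespace, including `${NAMESPACE}` where the admission controller itself runs; if the webhook pod is down, no pod can be created cluster-wide and the controller cannot be rescheduled to recover. Make the policy explicit (`failurePolicy: Fail` is the right fail-closed choice for an isolation enforcement hook, `Ignore` would silently bypass it when the backend is unavailable) and add a `namespaceSelector` that excludes the controller's own namespace, e.g. `matchExpressions: [{key: kubernetes.io/metadata.name, operator: NotIn, values: ["${NAMESPACE}"]}]`, together with an explicit `timeoutSeconds`. `apiGroups: ["apps", ""]` is also misleading for `resources: ["pods"]`, which exist only in the core group; `apiGroups: [""]` says what is meant. A one-line comment at the top of the file noting that this configuration is installed only with `--enable-isolate-webhook` would tie it to the deploy script.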
@@ -35,7 +35,12 @@ done kubectl -n ${NAMESPACE} delete -f ${BASE_DIR}/deployments/service.yaml -cat ${BASE_DIR}/deployments/webhook.yaml | \ +cat ${BASE_DIR}/deployments/webhook-validate.yaml | \ + ${BASE_DIR}/hack/webhook-patch-ca-bundle.sh | \ + sed -e "s|\${NAMESPACE}|${NAMESPACE}|g" | \ + kubectl -n ${NAMESPACE} delete -f - + +cat ${BASE_DIR}/deployments/webhook-isolate.yaml | \ ${BASE_DIR}/hack/webhook-patch-ca-bundle.sh | \ sed -e "s|\${NAMESPACE}|${NAMESPACE}|g" | \ kubectl -n ${NAMESPACE} delete -f - diff --git a/hack/webhook-deployment.sh b/hack/webhook-deployment.sh index 7a332b8e..2dbbe9c6 100755 --- a/hack/webhook-deployment.sh +++ b/hack/webhook-deployment.sh @@ -9,6 +9,7 @@ NAMESPACE="kube-system" PROMETHEUS_NAMESPACE="monitoring" OPERATOR_NAMESPACE="operators" INSTALL_SELF_SIGNED_CERT=true +ENABLE_ISOLATE_WEBHOOK=false # Give help text for parameters. function usage() @@ -17,6 +18,7 @@ function usage() echo -e "\t-h --help" echo -e "\t--install-self-signed-cert=${INSTALL_SELF_SIGNED_CERT}" echo -e "\t--namespace=${NAMESPACE}" + echo -e "\t--enable-isolate-webhook" } # Parse parameters given as arguments to this script. while [ "$1" != "" ]; do @@ -30,6 +32,9 @@ while [ "$1" != "" ]; do --install-self-signed-cert) INSTALL_SELF_SIGNED_CERT=$VALUE ;; + --enable-isolate-webhook) + ENABLE_ISOLATE_WEBHOOK=true + ;; --namespace) NAMESPACE=$VALUE ;; 
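Review bot: The new `kubectl delete` of webhook-isolate.yaml runs unconditionally, but hack/webhook-deployment.sh in this same commit creates that configuration only when `--enable-isolate-webhook` is passed, so in the default deployment this stage reports NotFound and, if the script runs under `set -e` (its header is outside the hunk), may abort before anything after it runs. A delete does not need the CA bundle, so the simplest robust form for both blocks is `kubectl -n ${NAMESPACE} delete --ignore-not-found -f -` as the last stage, or a direct `kubectl delete validatingwebhookconfiguration net-attach-def-admission-controller-isolating-config --ignore-not-found`, which also avoids running webhook-patch-ca-bundle.sh just to tear down. Note too that ValidatingWebhookConfiguration is cluster-scoped, so `-n ${NAMESPACE}` on these lines has no effect and could be dropped.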
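Review bot: In the third webhook-deployment.sh hunk the new `--enable-isolate-webhook)` arm hard-codes `ENABLE_ISOLATE_WEBHOOK=true` and ignores `$VALUE`, unlike the neighbouring `--install-self-signed-cert)` and `--namespace)` arms, so if the loop splits arguments on `=` as those siblings suggest (the loop header is outside the hunk), `--enable-isolate-webhook=false` would still enable the webhook. Either accept a value like the siblings, `ENABLE_ISOLATE_WEBHOOK=$VALUE`, and print it in usage as `--enable-isolate-webhook=${ENABLE_ISOLATE_WEBHOOK}` to match the lines above it, or keep it as a bare flag and reject any attached value. A short comment next to the `ENABLE_ISOLATE_WEBHOOK=false` default saying that it mirrors multus's `namespaceisolation` default would explain to the next reader why the isolation hook is opt-in.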
@@ -51,11 +56,20 @@ kubectl -n ${NAMESPACE} create -f ${BASE_DIR}/deployments/deployment.yaml kubectl -n ${NAMESPACE} create -f ${BASE_DIR}/deployments/service.yaml export NAMESPACE -cat ${BASE_DIR}/deployments/webhook.yaml | \ +# install validate webhook +cat ${BASE_DIR}/deployments/webhook-validate.yaml | \ ${BASE_DIR}/hack/webhook-patch-ca-bundle.sh | \ sed -e "s|\${NAMESPACE}|${NAMESPACE}|g" | \ kubectl -n ${NAMESPACE} create -f - +# install isolate webhook +if [ "${ENABLE_ISOLATE_WEBHOOK}" == true ]; then + cat ${BASE_DIR}/deployments/webhook-isolate.yaml | \ + ${BASE_DIR}/hack/webhook-patch-ca-bundle.sh | \ + sed -e "s|\${NAMESPACE}|${NAMESPACE}|g" | \ + kubectl -n ${NAMESPACE} create -f - +fi + sleep 5 if [[ "$(kubectl get pod -l k8s-app=prometheus-operator -n ${OPERATOR_NAMESPACE} | grep -o prometheus-operator)" == "prometheus-operator" ]]; then
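Review bot: `if [ "${ENABLE_ISOLATE_WEBHOOK}" == true ]; then` mixes a bash-only `==` into POSIX `[ ]`, while the `if [[ "$(kubectl get pod ...` line a few lines below already uses `[[ ]]`; `if [[ "${ENABLE_ISOLATE_WEBHOOK}" == "true" ]]; then` keeps the file on one style and is what ShellCheck expects. The pipeline inside the block only surfaces the exit status of the final `kubectl create`, so a failure in webhook-patch-ca-bundle.sh (and therefore a webhook registered without a valid caBundle) is masked unless the script sets `pipefail`, which is not visible here; the validate block above shares the weakness, but new code is the place to stop copying it. Since the isolate configuration is registered right after the Deployment is created and before the `sleep 5`, there is presumably a window where the controller is not yet serving; consider moving this `kubectl create` after whatever readiness check the script performs later, if there is one.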