Closed marcrahnsap closed 5 years ago
The AdmitPod function is executed twice, once for the mutating webhook and the second time for the validating webhook.
How often the function is executed (once or twice) in the current design is defined by how karydia is configured with the apiserver (validating webhook only or mutating webhook only or validating & mutating webhook) and not by the function itself or the code flow.
mutationAllowed
is the flag to distinguish both cases and act accordingly. When you run as a validating webhook, you can only accept or deny (return 1-n errors). When running as a mutating webhook, you can decide to patch the object instead - where applicable and possible.
I think with #84 the problem rather was that it returned an admin error (karydia wrongly configured) to the user as an admission error - even for a good spec.
How often the function is executed (once or twice) in the current design is defined by how karydia is configured with the apiserver (validating webhook only or mutating webhook only or validating & mutating webhook) and not by the function itself or the code flow.
I understand that. I installed karydia as it was documented, i.e. it is configured as validating & mutating webhook. The mutating webhook patches the object and it is ready to get deployed, but then the validating webhook throws an error, which should not be the case. A check, if automountServiceAccountToken
is undefined would fix this. With #93 I am addressing this issue.
I think with #84 the problem rather was that it returned an admin error (karydia wrongly configured) to the user as an admission error - even for a good spec.
Why do you mean that karydia is wrongly configured? Can you explain this in more detail?
Description
The AdmitPod function is executed twice, once for the mutating webhook and the second time for the validating webhook. This will always cause a validation error and the pod creation gets blocked.
Checklist
Before submitting this PR, please make sure:
make test