In Kubernetes version 1.16, admissionregistration.k8s.io/v1beta1 will be deprecated in favor of admissionregistration.k8s.io/v1. We need to update the shipperctl code.
Timeouts. From the docs:
Because webhooks add to API request latency, they should evaluate as quickly as possible. timeoutSeconds allows configuring how long the API server should wait for a webhook to respond before treating the call as a failure.
If the timeout expires before the webhook responds, the webhook call will be ignored or the API call will be rejected based on the failure policy.
The timeout value must be between 1 and 30 seconds.
Admission webhooks created using admissionregistration.k8s.io/v1beta1 default timeouts to 30 seconds.
Admission webhooks created using admissionregistration.k8s.io/v1 default timeouts to 10 seconds.
It is not yet applicable in v1.13.
To align the webhook created with shipperctl with the webhook that we run in our clusters, we need to update Rule:APIVersions to include both v1alpha1 and v1 (the current code only has v1alpha1).
We can consider using namespaceSelector so that objects in the shipper system and kube system namespaces are not validated. From the docs:
Webhooks may optionally limit which requests for namespaced resources are intercepted, based on the labels of the containing namespace, by specifying a namespaceSelector.
The namespaceSelector decides whether to run the webhook on a request for a namespaced resource (or a Namespace object), based on whether the namespace's labels match the selector. If the object itself is a namespace, the matching is performed on object.metadata.labels. If the object is a cluster-scoped resource other than a Namespace, namespaceSelector has no effect.
A note about failurePolicy, from the docs:
failurePolicy defines how unrecognized errors and timeout errors from the admission webhook are handled. Allowed values are Ignore or Fail.
Ignore means that an error calling the webhook is ignored and the API request is allowed to continue.
Fail means that an error calling the webhook causes the admission to fail and the API request to be rejected.
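As an added example (not shipperctl's generated configuration), a v1 ValidatingWebhookConfiguration carrying the points above: both apiVersions in the rule, an explicit timeoutSeconds and failurePolicy, and a namespaceSelector that skips opted-out namespaces. The service name and namespace, the CRD API group shipper.example.com and the namespace label key admission.example.com/shipper-webhook are assumed placeholders, and v1 additionally requires admissionReviewVersions and sideEffects, which v1beta1 defaulted.

```yaml
apiVersion: admissionregistration.k8s.io/v1   # previously admissionregistration.k8s.io/v1beta1
kind: ValidatingWebhookConfiguration
metadata:
  name: shipper-validating-webhook
webhooks:
- name: validate.shipper.example.com   # v1 requires a fully qualified name (3+ dot segments)
  clientConfig:
    service:
      namespace: shipper-system        # assumed namespace of the webhook service
      name: shipper-validating-webhook # assumed service name
      path: /validate
    # caBundle: <base64 PEM bundle of the CA that signed the webhook server cert, omitted>
  rules:
  - operations: ["CREATE", "UPDATE"]
    apiGroups: ["shipper.example.com"]   # assumed placeholder for the CRD group
    apiVersions: ["v1alpha1", "v1"]     # both versions, not only v1alpha1
    resources: ["*"]
  # Required in v1 (optional in v1beta1): review versions the server accepts, and
  # a declaration that the webhook has no side effects on dry-run requests.
  admissionReviewVersions: ["v1", "v1beta1"]
  sideEffects: None
  # Must be 1..30. v1 defaults to 10 seconds, v1beta1 defaulted to 30, so set it explicitly.
  timeoutSeconds: 10
  # v1 defaults to Fail, v1beta1 defaulted to Ignore. Set it explicitly so the
  # behaviour does not change silently with the API version bump.
  failurePolicy: Fail
  # Run only for namespaces NOT carrying the opt-out label. The selector matches on
  # namespace labels, so the excluded namespaces have to be labelled, e.g.:
  #   kubectl label namespace shipper-system kube-system admission.example.com/shipper-webhook=ignore
  namespaceSelector:
    matchExpressions:
    - key: admission.example.com/shipper-webhook
      operator: NotIn
      values: ["ignore"]
```

Namespaces without the label (and namespaces that do not exist yet) still match the selector, so the webhook keeps validating everything by default and only opted-out namespaces are skipped.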
Suggestions for updates to webhook:
We can consider monitoring our admission webhook.