digitalocean / clusterlint

A best practices checker for Kubernetes clusters. 🤠
Apache License 2.0
542 stars 45 forks

Admission control webhook check should check apiGroups #93

Closed adamwg closed 3 years ago

adamwg commented 3 years ago

The admission control webhook check in the doks group will currently throw an error for webhooks that apply only to CRDs, but such webhooks would never actually cause a problem for DOKS upgrades since they won't prevent pods from starting. The admission control webhook check should ignore any webhook configuration that doesn't apply to resources in the v1 or apps/v1 apiGroups.

zbigniev commented 3 years ago

Hi @adamwg, want to give this a shot. If you could give me some pointers on where to start, that'll be great.

adamwg commented 3 years ago

@zbigniev The admission-controller-webhook-replacement check iterates over webhook configurations and ignores them if they meet various conditions - e.g., if their FailurePolicy is Ignore. We should add a check for which API groups the configuration applies to. These are configured in the Rules field of the configuration. The k8s reference docs and k8s Go client docs for webhooks will probably be helpful here.

zbigniev commented 3 years ago

@adamwg thanks for the details. I looked at the code and have some sense of what's to be done. I guess, the need for this issue came from this conversation. However, I am unable to completely understand the statement - admission control webhook check should ignore any webhook configuration that doesn't apply to resources in the v1 or apps/v1 apiGroups. Does it imply that another check be added, which checks whether apiGroups stated in the configuration are (all?) present in apiGroups v1 or apps/v1 (yet to figure out how to get that exhaustive list)? It'll be great if you could help; here or on Slack. Thanks a lot.

adamwg commented 3 years ago

@zbigniev Sorry for the delay getting back to you on this!

The idea here is to check the apiGroups and apiVersions in each of the rules of the webhook config, and generate diagnostics only if the v1 or apps/v1 groups are included. Feel free to reach out on Slack if you need any more guidance!
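The rule-filtering logic the two comments above describe, written out as an added Go example (this is not clusterlint's own code and not the patch that closed this issue). It uses small stand-in `Rule` and `Webhook` structs that mirror the `APIGroups`, `APIVersions`, `Resources` and `FailurePolicy` fields of the `admissionregistration/v1` types, so it builds without the Kubernetes client libraries; the `"*"` wildcard handling and the decision to treat the core group (spelled `""` in `apiGroups`) plus `apps` as the groups of interest are this example's assumptions, not text from the issue.

```go
package main

import (
	"fmt"
	"strings"
)

// Rule is a stand-in (assumption) for the APIGroups/APIVersions/Resources
// fields of admissionregistration/v1 RuleWithOperations.
type Rule struct {
	APIGroups   []string
	APIVersions []string
	Resources   []string
}

// Webhook is a stand-in for the parts of a Validating/MutatingWebhook the
// check looks at: its failure policy and its rules.
type Webhook struct {
	Name          string
	FailurePolicy string // "Fail" or "Ignore"
	Rules         []Rule
}

// groupVersionsOfInterest are the apiGroup/apiVersion pairs whose resources
// must be admitted for pods to start during an upgrade: the core group
// (written as "" in apiGroups) at v1, and apps at v1.
var groupVersionsOfInterest = map[string]string{
	"":     "v1",
	"apps": "v1",
}

// matches reports whether a rule's list selects the given value, honouring
// the "*" wildcard that admission rules accept (assumption: a webhook that
// matches every group also matches core/v1 and apps/v1).
func matches(list []string, value string) bool {
	for _, v := range list {
		if v == "*" || v == value {
			return true
		}
	}
	return false
}

// appliesToCoreOrApps reports whether any rule of the webhook covers a
// resource in core/v1 or apps/v1. A rule with an empty group or version
// list selects nothing and is therefore ignored.
func appliesToCoreOrApps(w Webhook) bool {
	for _, r := range w.Rules {
		for group, version := range groupVersionsOfInterest {
			if matches(r.APIGroups, group) && matches(r.APIVersions, version) {
				return true
			}
		}
	}
	return false
}

// needsDiagnostic combines an existing skip condition from the check
// (FailurePolicy Ignore) with the new one requested in this issue: a
// webhook whose rules never touch core/v1 or apps/v1 is not reported.
func needsDiagnostic(w Webhook) bool {
	if strings.EqualFold(w.FailurePolicy, "Ignore") {
		return false
	}
	return appliesToCoreOrApps(w)
}

func main() {
	// Constructed sample webhooks, not taken from any real cluster.
	samples := []Webhook{
		{Name: "crd-only", FailurePolicy: "Fail", Rules: []Rule{
			{APIGroups: []string{"example.com"}, APIVersions: []string{"v1"}, Resources: []string{"widgets"}}}},
		{Name: "deployments", FailurePolicy: "Fail", Rules: []Rule{
			{APIGroups: []string{"apps"}, APIVersions: []string{"v1"}, Resources: []string{"deployments"}}}},
		{Name: "everything-but-ignored", FailurePolicy: "Ignore", Rules: []Rule{
			{APIGroups: []string{"*"}, APIVersions: []string{"*"}, Resources: []string{"*"}}}},
	}
	for _, w := range samples {
		fmt.Printf("%-24s diagnostic=%v\n", w.Name, needsDiagnostic(w))
	}
}
```

Note that `apps/v1beta1` rules are deliberately not counted: the issue asks for `v1` and `apps/v1` only, so a webhook that matches just a beta version of the apps group falls through to "no diagnostic". If a reviewer wanted a stricter reading, `groupVersionsOfInterest` is the one place to change.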