Closed adamwg closed 3 years ago
Hi @adamwg, want to give this a shot. If you could give me some pointers on where to start, that'll be great.
@zbigniev The admission-controller-webhook-replacement check iterates over webhook configurations and ignores them if they meet various conditions - e.g., if their FailurePolicy is Ignore. We should add a check for which API groups the configuration applies to. These are configured in the Rules field of the configuration. The k8s reference docs and k8s Go client docs for webhooks will probably be helpful here.
@adamwg thanks for the details. I looked at the code and have some sense of what's to be done. I guess the need for this issue came from this conversation.
However, I am unable to completely understand the statement - admission control webhook check should ignore any webhook configuration that doesn't apply to resources in the v1 or apps/v1 apiGroups. Does it imply that another check be added, which checks whether apiGroups stated in the configuration are (all?) present in apiGroups v1 or apps/v1 (yet to figure out how to get that exhaustive list)?
It'll be great if you could help; here or on Slack. Thanks a lot.
@zbigniev Sorry for the delay getting back to you on this!
The idea here is to check the apiGroups and apiVersions in each of the rules of the webhook config, and generate diagnostics only if the v1 or apps/v1 groups are included. Feel free to reach out on Slack if you need any more guidance!
The admission control webhook check in the doks group will currently throw an error for webhooks that apply only to CRDs, but such webhooks would never actually cause a problem for DOKS upgrades since they won't prevent pods from starting. The admission control webhook check should ignore any webhook configuration that doesn't apply to resources in the v1 or apps/v1 apiGroups.
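
The filtering rule requested in this issue, sketched as an added example (not the project's own code and not part of the original thread). The `Rule` type is a local stand-in for the apiGroups/apiVersions fields of a webhook rule, and `AppliesToCoreOrApps` is a hypothetical name. It goes slightly beyond the thread by also treating the `*` wildcard as a match, since a wildcard rule covers core and apps resources too.

```go
package main

import "fmt"

// Rule mirrors only the apiGroups/apiVersions fields of a webhook rule.
// Local stand-in type (assumption), not the Kubernetes client type.
type Rule struct {
	APIGroups   []string
	APIVersions []string
}

// contains reports whether list holds want or the "*" wildcard.
func contains(list []string, want string) bool {
	for _, v := range list {
		if v == "*" || v == want {
			return true
		}
	}
	return false
}

// AppliesToCoreOrApps reports whether any rule targets version v1 of the core
// group (written "" in webhook rules, "v1" in manifests) or of the apps group.
// A configuration for which this is false would be skipped by the check.
func AppliesToCoreOrApps(rules []Rule) bool {
	for _, r := range rules {
		if !contains(r.APIVersions, "v1") {
			continue // e.g. only v1beta1: not the versions this issue cares about
		}
		if contains(r.APIGroups, "") || contains(r.APIGroups, "apps") {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample rules, not taken from a real cluster.
	crdOnly := []Rule{{APIGroups: []string{"example.com"}, APIVersions: []string{"v1"}}}
	pods := []Rule{{APIGroups: []string{""}, APIVersions: []string{"v1"}}}
	wild := []Rule{{APIGroups: []string{"*"}, APIVersions: []string{"*"}}}
	fmt.Println(AppliesToCoreOrApps(crdOnly), AppliesToCoreOrApps(pods), AppliesToCoreOrApps(wild))
}
```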