Resolved a race condition where provisioners could skip having defaults if applied before karpenter-webhook came online (#465)

* Resolved a race condition where provisioners could skip having defaults if applied before karpenter-webhook came online

* PR Comments
ellistarn authored Jun 21, 2021
1 parent 5dbe0d9 commit 9825587
Showing 3 changed files with 44 additions and 62 deletions.
6 changes: 2 additions & 4 deletions charts/karpenter/templates/webhook/deployment.yaml
Expand Up @@ -42,12 +42,10 @@ spec:
ports:
- name: webhook
containerPort: 8443
- name: health-probe
containerPort: 8081
livenessProbe:
httpGet:
path: /healthz
port: 8081
scheme: HTTPS
port: 8443
env:
- name: SYSTEM_NAMESPACE
valueFrom:
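Review bot: The liveness probe now points at the webhook's TLS listener by number (`port: 8443`), repeating the value that is already named in the `ports` list two lines above; `port: webhook` would keep the probe tied to the container port if the `--port` default in cmd/webhook/main.go ever moves. There is still no readinessProbe, so the pod joins the Service's endpoints as soon as the container starts and, until the knative certificate controller has written the serving secret, every provisioner write is rejected by the API server under `failurePolicy: Fail`; that is acceptable for the stated goal but worth saying explicitly. If I recall knative.dev/pkg's webhook correctly it only answers probe requests whose User-Agent starts with `kube-probe/`, so a one-line comment such as `# served by the knative webhook listener; kubelet does not verify the cert on HTTPS probes` would spare the next reader a trip into the Go code.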
71 changes: 41 additions & 30 deletions charts/karpenter/templates/webhook/webhooks.yaml
Expand Up @@ -3,39 +3,50 @@ kind: MutatingWebhookConfiguration
metadata:
name: defaulting.webhook.provisioners.karpenter.sh
webhooks:
- admissionReviewVersions: ["v1"]
clientConfig:
service:
name: karpenter-webhook
namespace: '{{ .Release.Namespace }}'
failurePolicy: Fail
sideEffects: None
name: defaulting.webhook.provisioners.karpenter.sh
- admissionReviewVersions: ["v1"]
clientConfig:
service:
name: karpenter-webhook
namespace: '{{ .Release.Namespace }}'
failurePolicy: Fail
sideEffects: None
name: defaulting.webhook.provisioners.karpenter.sh
rules:
- apiGroups:
- provisioning.karpenter.sh
apiVersions:
- v1alpha1
resources:
- provisioners
provisioners/status
operations:
- CREATE
- UPDATE
- DELETE

---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
name: validation.webhook.provisioners.karpenter.sh
webhooks:
- admissionReviewVersions: ["v1"]
clientConfig:
service:
name: karpenter-webhook
namespace: '{{ .Release.Namespace }}'
failurePolicy: Fail
sideEffects: None
name: validation.webhook.provisioners.karpenter.sh
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
name: validation.webhook.configmaps.karpenter.sh
webhooks:
- admissionReviewVersions: ["v1"]
clientConfig:
service:
name: karpenter-webhook
namespace: '{{ .Release.Namespace }}'
failurePolicy: Ignore
sideEffects: None
name: validation.webhook.configmaps.karpenter.sh
- admissionReviewVersions: ["v1"]
clientConfig:
service:
name: karpenter-webhook
namespace: '{{ .Release.Namespace }}'
failurePolicy: Fail
sideEffects: None
name: validation.webhook.provisioners.karpenter.sh
rules:
- apiGroups:
- provisioning.karpenter.sh
apiVersions:
- v1alpha1
resources:
- provisioners
provisioners/status
operations:
- CREATE
- UPDATE
- DELETE
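Review bot: In the `resources` list of both new `rules` blocks, `provisioners/status` appears without a `-` list marker; if the file really reads that way, YAML either folds it into the preceding plain scalar (giving the single resource string `provisioners provisioners/status`, which matches no real resource) or fails to parse, and in the first case the API server would never invoke the webhook for provisioners before it comes online, quietly reintroducing the race this commit is fixing. It should be its own item: `- provisioners` followed by `- provisioners/status`. As I understand knative's admission controllers, they reconcile the configuration's rules from the registered types once the pod is up, so a mistake here is masked at runtime and only bites during exactly the pre-startup window these static rules exist for; a short comment above each `rules:` stating that they must mirror what the webhook will write, and that `failurePolicy: Fail` depends on them, would help. `DELETE` in the defaulting webhook's rules costs a round-trip with nothing to mutate and could be dropped there, though it is harmless.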
29 changes: 1 addition & 28 deletions cmd/webhook/main.go
Expand Up @@ -17,9 +17,6 @@ package main
import (
"context"
"flag"
"fmt"
"log"
"net/http"

"github.com/awslabs/karpenter/pkg/apis"
"github.com/awslabs/karpenter/pkg/cloudprovider"
Expand All @@ -29,13 +26,10 @@ import (
"knative.dev/pkg/controller"
"knative.dev/pkg/injection"
"knative.dev/pkg/injection/sharedmain"
"knative.dev/pkg/leaderelection"
"knative.dev/pkg/logging"
"knative.dev/pkg/signals"
"knative.dev/pkg/system"
"knative.dev/pkg/webhook"
"knative.dev/pkg/webhook/certificates"
"knative.dev/pkg/webhook/configmaps"
"knative.dev/pkg/webhook/resourcesemantics/defaulting"
"knative.dev/pkg/webhook/resourcesemantics/validation"
)
Expand All @@ -46,39 +40,29 @@ var (

type Options struct {
Port int
HealthProbePort int
}

func main() {
flag.IntVar(&options.Port, "port", 8443, "The port the webhook endpoint binds to for validation and mutation of resources")
flag.IntVar(&options.HealthProbePort, "health-probe-port", 8081, "The port the health probe endpoint binds to for reporting controller health")
flag.Parse()

config := sharedmain.ParseAndGetConfigOrDie()

// Register the cloud provider to attach vendor specific validation logic.
registry.NewCloudProvider(cloudprovider.Options{ClientSet: kubernetes.NewForConfigOrDie(config)})

// Liveness handler
go func() {
mux := http.NewServeMux()
mux.HandleFunc("/healthz", func(w http.ResponseWriter, r *http.Request) { w.WriteHeader(http.StatusOK) })
log.Fatal(http.ListenAndServe(fmt.Sprintf(":%d", options.HealthProbePort), mux))
}()

// Controllers and webhook
sharedmain.MainWithConfig(
webhook.WithOptions(injection.WithNamespaceScope(signals.NewContext(), system.Namespace()), webhook.Options{
Port: options.Port,
ServiceName: "karpenter-webhook",
SecretName: "karpenter-webhook-cert",
}),
"Karpenter Webhooks",
"karpenter.webhooks",
config,
certificates.NewController,
NewCRDDefaultingWebhook,
NewCRDValidationWebhook,
NewConfigmapValidationWebhook,
)
}

Expand All @@ -102,15 +86,4 @@ func NewCRDValidationWebhook(ctx context.Context, w configmap.Watcher) *controll
)
}

func NewConfigmapValidationWebhook(ctx context.Context, cmw configmap.Watcher) *controller.Impl {
return configmaps.NewAdmissionController(ctx,
"validation.webhook.configmaps.karpenter.sh",
"/validate-config",
configmap.Constructors{
logging.ConfigMapName(): logging.NewConfigFromConfigMap,
leaderelection.ConfigMapName(): leaderelection.NewConfigFromConfigMap,
},
)
}

func InjectContext(ctx context.Context) context.Context { return ctx }
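Review bot: With the dedicated `/healthz` server gone, nothing in main() says where the kubelet's liveness probe now lands; a comment on the `webhook.Options{...}` block such as `// Port also serves the kubelet liveness probe over HTTPS; the chart's containerPort and probe must match this default` would capture the cross-file coupling that the removed `--health-probe-port` flag used to make explicit. Liveness is now gated on the TLS listener, which (if I read knative.dev/pkg correctly) only starts once the certificate controller has written the `karpenter-webhook-cert` secret, so a pod that cannot obtain its cert — for example a missing RBAC grant on secrets — will be restart-looped by the kubelet instead of sitting Running but unhealthy; that is arguably the better failure mode, but it deserves a sentence in the same comment. The `flag.IntVar` default `8443` and the chart's `containerPort: 8443` are now the only two places that number lives, and the comment is the cheapest guard against them drifting apart.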
