Revert "[release-1.4] instruct K8s to garbage collect the validatingw…

…ebhookconfiguration (istio#19476)" (istio#19750) This reverts commit cf481ad.
brian-avery · Dec 27, 2019 · 7fe9629 · 7fe9629
1 parent 4e50de2
commit 7fe9629
Show file tree

Hide file tree

Showing 4 changed files with 23 additions and 29 deletions.
diff --git a/galley/pkg/crd/validation/config.go b/galley/pkg/crd/validation/config.go
@@ -29,7 +29,7 @@ import (
 	"github.com/ghodss/yaml"
 	"github.com/howeyc/fsnotify"
 	"k8s.io/api/admissionregistration/v1beta1"
-	rbacv1 "k8s.io/api/rbac/v1"
+	corev1 "k8s.io/api/core/v1"
 	k8serrors "k8s.io/apimachinery/pkg/api/errors"
 	kerrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -305,18 +305,17 @@ func NewWebhookConfigController(p WebhookParameters) (*WebhookConfigController,
 		createInformerWebhookSource: defaultCreateInformerWebhookSource,
 	}
 
-	galleyClusterRoleName := "istio-galley-" + whc.webhookParameters.DeploymentAndServiceNamespace
-	galleyClusterRole, err := whc.webhookParameters.Clientset.RbacV1().ClusterRoles().Get(
-		galleyClusterRoleName, metav1.GetOptions{})
+	galleyNamespace, err := whc.webhookParameters.Clientset.CoreV1().Namespaces().Get(
+		whc.webhookParameters.DeploymentAndServiceNamespace, metav1.GetOptions{})
 	if err != nil {
-		scope.Warnf("Could not find clusterrole: %s to set ownerRef. "+
-			"The validatingwebhookconfiguration must be deleted manually.",
-			galleyClusterRoleName)
+		scope.Warnf("Could not find %s namespace to set ownerRef. "+
+			"The validatingwebhookconfiguration must be deleted manually",
+			whc.webhookParameters.DeploymentAndServiceNamespace)
 	} else {
 		whc.ownerRefs = []metav1.OwnerReference{
 			*metav1.NewControllerRef(
-				galleyClusterRole,
-				rbacv1.SchemeGroupVersion.WithKind("ClusterRole"),
+				galleyNamespace,
+				corev1.SchemeGroupVersion.WithKind("Namespace"),
 			),
 		}
 	}

diff --git a/galley/pkg/crd/validation/config_test.go b/galley/pkg/crd/validation/config_test.go
@@ -27,7 +27,7 @@ import (
 	"github.com/ghodss/yaml"
 	"github.com/onsi/gomega"
 	admissionregistrationv1beta1 "k8s.io/api/admissionregistration/v1beta1"
-	rbacv1 "k8s.io/api/rbac/v1"
+	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	clientset "k8s.io/client-go/kubernetes"
 	"k8s.io/client-go/kubernetes/fake"
@@ -103,9 +103,9 @@ func createTestWebhookConfigController(
 		CACertFile:                    caFile,
 		Clientset:                     cl,
 		WebhookName:                   config.Name,
-		DeploymentName:                dummyClusterRole.Name,
-		ServiceName:                   dummyClusterRole.Name,
-		DeploymentAndServiceNamespace: dummyNamespace,
+		DeploymentName:                dummyNamespace.Name,
+		ServiceName:                   dummyNamespace.Name,
+		DeploymentAndServiceNamespace: dummyNamespace.Namespace,
 	}
 	whc, err := NewWebhookConfigController(options)
 	if err != nil {
@@ -239,7 +239,7 @@ func TestValidatingWebhookConfig(t *testing.T) {
 	for _, tc := range ts {
 		t.Run(tc.name, func(t *testing.T) {
 			whc, cancel := createTestWebhookConfigController(t,
-				fake.NewSimpleClientset(dummyClusterRole, tc.configs.DeepCopyObject()),
+				fake.NewSimpleClientset(dummyNamespace, tc.configs.DeepCopyObject()),
 				createFakeWebhookSource(), want)
 			defer cancel()
 
@@ -295,8 +295,8 @@ func initValidatingWebhookConfiguration() *admissionregistrationv1beta1.Validati
 			Name: "config1",
 			OwnerReferences: []metav1.OwnerReference{
 				*metav1.NewControllerRef(
-					dummyClusterRole,
-					rbacv1.SchemeGroupVersion.WithKind("ClusterRole"),
+					dummyNamespace,
+					corev1.SchemeGroupVersion.WithKind("Namespace"),
 				),
 			},
 		},

diff --git a/galley/pkg/crd/validation/webhook_test.go b/galley/pkg/crd/validation/webhook_test.go
@@ -34,7 +34,6 @@ import (
 	admissionv1beta1 "k8s.io/api/admission/v1beta1"
 	admissionregistrationv1beta1 "k8s.io/api/admissionregistration/v1beta1"
 	v1 "k8s.io/api/core/v1"
-	rbacv1 "k8s.io/api/rbac/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	"k8s.io/apimachinery/pkg/runtime"
@@ -102,23 +101,22 @@ var (
 		},
 	}
 
-	dummyNamespace   = "istio-system"
-	dummyClusterRole = &rbacv1.ClusterRole{
+	dummyNamespace = &v1.Namespace{
 		ObjectMeta: metav1.ObjectMeta{
-			Name: "istio-galley-istio-system",
+			Name: "istio-system",
 			UID:  "deadbeef",
 		},
 	}
 
-	dummyClient = fake.NewSimpleClientset(dummyClusterRole)
+	dummyClient = fake.NewSimpleClientset(dummyNamespace)
 
 	createFakeWebhookSource   = fcache.NewFakeControllerSource
 	createFakeEndpointsSource = func() cache.ListerWatcher {
 		source := fcache.NewFakeControllerSource()
 		source.Add(&v1.Endpoints{
 			ObjectMeta: metav1.ObjectMeta{
-				Name:      dummyClusterRole.Name,
-				Namespace: dummyNamespace,
+				Name:      dummyNamespace.Name,
+				Namespace: dummyNamespace.Namespace,
 			},
 			Subsets: []v1.EndpointSubset{{
 				Addresses: []v1.EndpointAddress{{
@@ -196,9 +194,9 @@ func createTestWebhook(
 		CACertFile:                    caFile,
 		Clientset:                     cl,
 		WebhookName:                   config.Name,
-		DeploymentName:                dummyClusterRole.Name,
-		ServiceName:                   dummyClusterRole.Name,
-		DeploymentAndServiceNamespace: dummyNamespace,
+		DeploymentName:                dummyNamespace.Name,
+		ServiceName:                   dummyNamespace.Name,
+		DeploymentAndServiceNamespace: dummyNamespace.Namespace,
 	}
 	wh, err := NewWebhook(options)
 	if err != nil {

diff --git a/install/kubernetes/helm/istio/charts/galley/templates/clusterrole.yaml b/install/kubernetes/helm/istio/charts/galley/templates/clusterrole.yaml
@@ -48,6 +48,3 @@ rules:
 - apiGroups: ["apiextensions.k8s.io"]
   resources: ["customresourcedefinitions"]
   verbs: ["get", "list", "watch"]
-- apiGroups: ["rbac.authorization.k8s.io"]
-  resources: ["clusterroles"]
-  verbs: ["get", "list", "watch"]