Give users the ability to disable namespace ownership of webhook configurations (knative#3095)
jonathan-innis authored Sep 26, 2024
1 parent 28b58b8 commit c4843b7
Showing 7 changed files with 46 additions and 30 deletions.
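--- a/webhook/configmaps/configmaps.go
+++ b/webhook/configmaps/configmaps.go
@@ -58,7 +58,8 @@ type reconciler struct {
 vwhlister admissionlisters.ValidatingWebhookConfigurationLister
 secretlister corelisters.SecretLister
 
-secretName string
+secretName string
+disableNamespaceOwnership bool
 }
 
 var (
@@ -138,13 +139,15 @@ func (ac *reconciler) reconcileValidatingWebhook(ctx context.Context, caCert []b
 
 webhook := configuredWebhook.DeepCopy()
 
-// Set the owner to namespace.
-ns, err := ac.client.CoreV1().Namespaces().Get(ctx, system.Namespace(), metav1.GetOptions{})
-if err != nil {
-return fmt.Errorf("failed to fetch namespace: %w", err)
+if !ac.disableNamespaceOwnership {
+// Set the owner to namespace.
+ns, err := ac.client.CoreV1().Namespaces().Get(ctx, system.Namespace(), metav1.GetOptions{})
+if err != nil {
+return fmt.Errorf("failed to fetch namespace: %w", err)
+}
+nsRef := *metav1.NewControllerRef(ns, corev1.SchemeGroupVersion.WithKind("Namespace"))
+webhook.OwnerReferences = []metav1.OwnerReference{nsRef}
 }
-nsRef := *metav1.NewControllerRef(ns, corev1.SchemeGroupVersion.WithKind("Namespace"))
-webhook.OwnerReferences = []metav1.OwnerReference{nsRef}
 
 for i, wh := range webhook.Webhooks {
 if wh.Name != webhook.Name {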
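Review bot: With `disableNamespaceOwnership` set, the new branch only stops writing `webhook.OwnerReferences`; since `webhook` is a deep copy of `configuredWebhook` (presumably the configuration currently in the cluster, fetched outside this hunk), an owner reference written by an earlier reconcile before the flag was turned on is carried over unchanged, so the object stays tied to the namespace's lifetime even though ownership is "disabled". If that is intended, say so at the flag check, e.g. `// Ownership disabled: existing ownerReferences are left exactly as found; nothing is added or removed here.`; if the intent is that the configuration is not owned, the branch needs a counterpart that drops the namespace reference, which this commit does not add. The same pattern is in defaulting.go (reconcileMutatingWebhook) and reconcile_config.go (reconcileValidatingWebhook). reconcileValidatingWebhook begins and ends outside the hunk.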
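--- a/webhook/configmaps/controller.go
+++ b/webhook/configmaps/controller.go
@@ -60,8 +60,9 @@ func NewAdmissionController(
 key: key,
 path: path,
 
-constructors: make(map[string]reflect.Value),
-secretName: options.SecretName,
+constructors: make(map[string]reflect.Value),
+secretName: options.SecretName,
+disableNamespaceOwnership: options.DisableNamespaceOwnership,
 
 client: client,
 vwhlister: vwhInformer.Lister(),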
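--- a/webhook/resourcesemantics/defaulting/controller.go
+++ b/webhook/resourcesemantics/defaulting/controller.go
@@ -100,9 +100,10 @@ func newController(ctx context.Context, name string, optsFunc ...OptionFunc) *co
 handlers: opts.types,
 callbacks: opts.callbacks,
 
-withContext: opts.wc,
-disallowUnknownFields: opts.disallowUnknownFields,
-secretName: wopts.SecretName,
+withContext: opts.wc,
+disallowUnknownFields: opts.disallowUnknownFields,
+secretName: wopts.SecretName,
+disableNamespaceOwnership: wopts.DisableNamespaceOwnership,
 
 client: client,
 mwhlister: mwhInformer.Lister(),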
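--- a/webhook/resourcesemantics/defaulting/defaulting.go
+++ b/webhook/resourcesemantics/defaulting/defaulting.go
@@ -69,8 +69,9 @@ type reconciler struct {
 mwhlister admissionlisters.MutatingWebhookConfigurationLister
 secretlister corelisters.SecretLister
 
-disallowUnknownFields bool
-secretName string
+disallowUnknownFields bool
+secretName string
+disableNamespaceOwnership bool
 }
 
 // CallbackFunc is the function to be invoked.
@@ -218,12 +219,14 @@ func (ac *reconciler) reconcileMutatingWebhook(ctx context.Context, caCert []byt
 
 current := configuredWebhook.DeepCopy()
 
-ns, err := ac.client.CoreV1().Namespaces().Get(ctx, system.Namespace(), metav1.GetOptions{})
-if err != nil {
-return fmt.Errorf("failed to fetch namespace: %w", err)
+if !ac.disableNamespaceOwnership {
+ns, err := ac.client.CoreV1().Namespaces().Get(ctx, system.Namespace(), metav1.GetOptions{})
+if err != nil {
+return fmt.Errorf("failed to fetch namespace: %w", err)
+}
+nsRef := *metav1.NewControllerRef(ns, corev1.SchemeGroupVersion.WithKind("Namespace"))
+current.OwnerReferences = []metav1.OwnerReference{nsRef}
 }
-nsRef := *metav1.NewControllerRef(ns, corev1.SchemeGroupVersion.WithKind("Namespace"))
-current.OwnerReferences = []metav1.OwnerReference{nsRef}
 
 for i, wh := range current.Webhooks {
 if wh.Name != current.Name {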
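--- a/webhook/resourcesemantics/validation/controller.go
+++ b/webhook/resourcesemantics/validation/controller.go
@@ -86,9 +86,10 @@ func newController(ctx context.Context, name string, optsFunc ...OptionFunc) *co
 handlers: opts.types,
 callbacks: opts.callbacks,
 
-withContext: opts.wc,
-disallowUnknownFields: opts.DisallowUnknownFields(),
-secretName: woptions.SecretName,
+withContext: opts.wc,
+disallowUnknownFields: opts.DisallowUnknownFields(),
+secretName: woptions.SecretName,
+disableNamespaceOwnership: woptions.DisableNamespaceOwnership,
 
 client: client,
 vwhlister: vwhInformer.Lister(),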
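--- a/webhook/resourcesemantics/validation/reconcile_config.go
+++ b/webhook/resourcesemantics/validation/reconcile_config.go
@@ -60,8 +60,9 @@ type reconciler struct {
 vwhlister admissionlisters.ValidatingWebhookConfigurationLister
 secretlister corelisters.SecretLister
 
-disallowUnknownFields bool
-secretName string
+disallowUnknownFields bool
+secretName string
+disableNamespaceOwnership bool
 }
 
 var (
@@ -193,13 +194,15 @@ func (ac *reconciler) reconcileValidatingWebhook(ctx context.Context, caCert []b
 
 current := configuredWebhook.DeepCopy()
 
-// Set the owner to namespace.
-ns, err := ac.client.CoreV1().Namespaces().Get(ctx, system.Namespace(), metav1.GetOptions{})
-if err != nil {
-return fmt.Errorf("failed to fetch namespace: %w", err)
+if !ac.disableNamespaceOwnership {
+// Set the owner to namespace.
+ns, err := ac.client.CoreV1().Namespaces().Get(ctx, system.Namespace(), metav1.GetOptions{})
+if err != nil {
+return fmt.Errorf("failed to fetch namespace: %w", err)
+}
+nsRef := *metav1.NewControllerRef(ns, corev1.SchemeGroupVersion.WithKind("Namespace"))
+current.OwnerReferences = []metav1.OwnerReference{nsRef}
 }
-nsRef := *metav1.NewControllerRef(ns, corev1.SchemeGroupVersion.WithKind("Namespace"))
-current.OwnerReferences = []metav1.OwnerReference{nsRef}
 
 for i, wh := range current.Webhooks {
 if wh.Name != current.Name {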
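--- a/webhook/webhook.go
+++ b/webhook/webhook.go
@@ -81,6 +81,10 @@ type Options struct {
 // before shutting down.
 GracePeriod time.Duration
 
+// DisableNamespaceOwnership configures whether the webhook adds an owner reference for the SYSTEM_NAMESPACE
+// Disabling this is useful when you expect the webhook configuration to be managed by something other than knative
+DisableNamespaceOwnership bool
+
 // ControllerOptions encapsulates options for creating a new controller,
 // including throttling and stats behavior.
 ControllerOptions *controller.ControllerOptions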
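Review bot: The doc comment on the new `DisableNamespaceOwnership` field says what the flag controls but not what it costs the operator: the reference it suppresses is a controller reference to the system namespace, so with the flag set the (cluster-scoped) webhook configuration is no longer garbage-collected when that namespace goes away, and the external manager the comment alludes to becomes responsible for removing it — a configuration left pointing at a service that no longer exists can keep affecting admission cluster-wide, depending on its failure policy. Suggest extending the comment along the lines of `// When set, the configuration is not garbage-collected with the system namespace and its removal must be handled by whatever manages it; owner references already present on the object are left untouched.`. Both existing comment lines also lack a terminating period, which the surrounding field comments have.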

0 comments on commit c4843b7

Please sign in to comment.