validator server as k8s external admission hook #1218
This PR adds the validation server as an external admission webhook of kubernetes. This also introduces the structural validation through protobuf definition. The integration with referential validation is not yet done, that's a TODO. Also this adds a new subcommand to mixs. mixs validator will start a webserver for the webhook.
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: Assign the PR to them by writing The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these OWNERS Files:
You can indicate your approval by writing
- fix typos causing build errors - fix lint errors
What was your plan for enabling this validation service via k8s webhook with GKE workaround? Use istioctl and the non-HTTPS variant until k8s 1.8, with the option of both schemes coexisting for a while?
pkg/config/crd/validatorserver.go
// verify the content type is accurate | ||
contentType := r.Header.Get("Content-Type") | ||
if contentType != "application/json" { | ||
glog.Errorf("contentType=%s, expect application/json", contentType) |
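Review bot: the exact comparison `contentType != "application/json"` also rejects a valid header that carries parameters, such as `application/json; charset=utf-8`. Parse the header with mime.ParseMediaType and compare only the media type, so that well-formed requests from other clients are not logged as errors.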
Shouldn't these errors return an HTTP response with an appropriate status code instead of dropping the request?
done
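A sketch of the behaviour asked for in the review comment above, where each rejection path writes an HTTP status instead of only logging. This is an added example, not code from the PR; the `review` payload, the `admit` and `status` names and the `/validate` path are assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
	"mime"
	"net/http"
	"net/http/httptest"
	"strings"
)

// review is a hypothetical, trimmed-down admission payload (assumption, not the Kubernetes type).
type review struct {
	Kind string          `json:"kind"`
	Spec json.RawMessage `json:"spec"`
}

// admit answers every malformed request with an explicit status code instead of
// logging and returning without a response; a well-formed request gets a verdict.
func admit(w http.ResponseWriter, r *http.Request) {
	mt, _, err := mime.ParseMediaType(r.Header.Get("Content-Type"))
	if err != nil || mt != "application/json" {
		http.Error(w, "expect application/json", http.StatusUnsupportedMediaType)
		return
	}
	var in review
	if err := json.NewDecoder(http.MaxBytesReader(w, r.Body, 1<<20)).Decode(&in); err != nil {
		http.Error(w, "malformed body", http.StatusBadRequest)
		return
	}
	// Structural check only (hypothetical rule): kind and spec must both be present.
	ok := in.Kind != "" && len(in.Spec) > 0
	w.Header().Set("Content-Type", "application/json")
	json.NewEncoder(w).Encode(map[string]bool{"allowed": ok})
}

// status sends a constructed request through admit and returns the code and body.
func status(contentType, body string) (int, string) {
	req := httptest.NewRequest(http.MethodPost, "/validate", strings.NewReader(body))
	req.Header.Set("Content-Type", contentType)
	rec := httptest.NewRecorder()
	admit(rec, req)
	return rec.Code, strings.TrimSpace(rec.Body.String())
}

func main() {
	fmt.Println(status("text/plain", `{}`))
	fmt.Println(status("application/json; charset=utf-8", `{"kind":"rule","spec":{}}`))
}
```

A transport-level problem gets a 4xx, while a well-formed request that fails validation still gets a 200 carrying `allowed: false`.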
if err != nil { | ||
return nil | ||
} | ||
h.ServeHTTP(outBuf, req) |
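Review bot: in the `if err != nil` branch, `return nil` discards err, so the caller cannot tell a failure from an empty result and nothing is logged on that path. Return the error, or at least log it, so that a failure before h.ServeHTTP is visible.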
done, thanks!
@jmuk PR needs rebase
I wrote a script to automate the GKE workaround + cert generation for Pilot admission webhook (see here). We could add something similar for Mixer validation if that makes sense. This may not really be suitable for e2e presubmit tests, but does provide a mechanism for users to experiment with the admission webhook validation before k8s 1.8 is available on GKE.
@ayj, your script should be really helpful and work well with my patch too, thanks for the heads-up. Will imitate it (or maybe it's worth having it in istio/istio repository?)
@jmuk PR needs rebase
reviewers, please take a look; I've confirmed this is working with @ayj's workaround script.
Codecov Report
@@ Coverage Diff @@
## master #1218 +/- ##
==========================================
- Coverage 83.85% 83.17% -0.68%
==========================================
Files 122 125 +3
Lines 12094 12420 +326
==========================================
+ Hits 10141 10330 +189
- Misses 1745 1876 +131
- Partials 208 214 +6
Continue to review full report at Codecov.
@jmuk PR needs rebase
Codecov Report
@@ Coverage Diff @@
## master #1218 +/- ##
==========================================
- Coverage 84.66% 84.02% -0.64%
==========================================
Files 122 125 +3
Lines 11922 12260 +338
==========================================
+ Hits 10094 10302 +208
- Misses 1632 1755 +123
- Partials 196 203 +7
Continue to review full report at Codecov.
@mandarjog ping
@mandarjog ping
Do we still want this PR?
Yes, absolutely, this is a part of validation for mixer config. This is still needed and I'm still waiting for reviews.
@jmuk PR needs rebase
This repo is no longer accepting PRs. Please resubmit this change to the istio/istio repo. Thanks.