Add snapshot webhook build and deployment. Modify controller to label invalid objects. #353
Conversation
k8s-ci-robot
added
do-not-merge/work-in-progress
|
Welcome @AndiLi99! |
|
Hi @AndiLi99. Thanks for your PR. I'm waiting for a kubernetes-csi member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
k8s-ci-robot
added
the
needs-ok-to-test
k8s-ci-robot
added
the
size/XXL
AndiLi99
force-pushed
the
AndiLi99/webhook
branch
6 times, most recently
from
4f1e8c8 to
55cd2a5
Compare
|
/ok-to-test |
k8s-ci-robot
added
ok-to-test
| @@ -0,0 +1,67 @@ | |||
| # How to deploy the webhook | |||
|
|
|||
| The webhook server is provided as an image which can be built from this repository. It can be deployed anywhere, as long as the api server is able to reach it over HTTPS. It is recommended to deploy the webhook server in the cluster as snapshotting is latency sensitive. A `ValidatingWebhookConfiguration` object is needed to configure the api server to contact the webhook server. Please see the [documentation](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/) for more details. The webhook server code is adapted from the [webhook server](https://github.com/kubernetes/kubernetes/tree/v1.18.6/test/images/agnhost/webhook) used in the kubernetes/kubernetes end to end testing code. | |||
There was a problem hiding this comment.
should include a prerequisites/dependencies section in this README to include:
- k8s version
- admission controller is enabled etc
There was a problem hiding this comment.
We should also add a brief description of the webhook and add a link to this doc in the top level README: https://github.com/kubernetes-csi/external-snapshotter/blob/master/README.md
There was a problem hiding this comment.
I added the prereq section. I also added a brief description to top level readme with a link. Please take a look.
| Patch the `ValidatingWebhookConfiguration` file from the template, filling in the CA bundle field. | ||
| s | ||
| ```bash | ||
| cat ./deploy/kubernetes/webhook-example/admission-configuration-template | ./deploy/kubernetes/webhook-example/patch-ca-bundle.sh > ./deploy/kubernetes/webhook-example/admission-configuration.yaml |
There was a problem hiding this comment.
maybe do not include the repo path?
cmd/webhook/Dockerfile
Outdated
| @@ -0,0 +1,7 @@ | |||
| FROM gcr.io/distroless/base:latest | |||
| LABEL maintainers="Kubernetes Authors" | |||
| LABEL description="Snapshot Webhook" | |||
There was a problem hiding this comment.
lets call it VolumeSnapshot, ditto everywhere
There was a problem hiding this comment.
I'm following the naming convention from the Dockerfile for csi-snapshotter and snapshot-controller. Do you want to change both of those as well, or have an inconsistent naming pattern?
AndiLi99
force-pushed
the
AndiLi99/webhook
branch
from
3582266 to
47ece7d
Compare
| func convertAdmissionResponseToV1beta1(r *v1.AdmissionResponse) *v1beta1.AdmissionResponse { | ||
| var pt *v1beta1.PatchType | ||
| if r.PatchType != nil { | ||
| t := v1beta1.PatchType(*r.PatchType) |
There was a problem hiding this comment.
I believe it should work, as they're both just strings underneath
| @@ -1285,7 +1302,7 @@ func (ctrl *csiSnapshotCommonController) addSnapshotFinalizer(snapshot *crdv1.Vo | |||
| } | |||
| _, err := ctrl.clientset.SnapshotV1beta1().VolumeSnapshots(snapshotClone.Namespace).Update(context.TODO(), snapshotClone, metav1.UpdateOptions{}) | |||
| if err != nil { | |||
| return newControllerUpdateError(snapshot.Name, err.Error()) | |||
| return newControllerUpdateError(utils.SnapshotKey(snapshot), err.Error()) | |||
This comment was marked as resolved.
This comment was marked as resolved.
Sorry, something went wrong.
There was a problem hiding this comment.
it looked like a typo, so i changed it
|
Can you add a release note? |
| @@ -0,0 +1,67 @@ | |||
| # How to deploy the webhook | |||
|
|
|||
| The webhook server is provided as an image which can be built from this repository. It can be deployed anywhere, as long as the api server is able to reach it over HTTPS. It is recommended to deploy the webhook server in the cluster as snapshotting is latency sensitive. A `ValidatingWebhookConfiguration` object is needed to configure the api server to contact the webhook server. Please see the [documentation](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/) for more details. The webhook server code is adapted from the [webhook server](https://github.com/kubernetes/kubernetes/tree/v1.18.6/test/images/agnhost/webhook) used in the kubernetes/kubernetes end to end testing code. | |||
There was a problem hiding this comment.
We should also add a brief description of the webhook and add a link to this doc in the top level README: https://github.com/kubernetes-csi/external-snapshotter/blob/master/README.md
|
@AndiLi99 some of the unit testings are failing because the newly added label for invalid CRs. Those unit test cases need to be fixed. |
k8s-ci-robot
added
the
needs-rebase
|
@AndiLi99 please fix existing invalid tests which are failing due to newly added invalid labels. |
|
/retest |
There was a problem hiding this comment.
couple of more nits.
@xing-yang @msau42 can you two take a look as well?
| Build the docker image | ||
|
|
||
| ```bash | ||
| docker build -t gcr.io/your-project-name/webhook:latest -f ./cmd/webhook/Dockerfile . |
There was a problem hiding this comment.
@xing-yang @msau42 which gcr.io project should this repo use for webhook images?
There was a problem hiding this comment.
should it follow the similar pattern here?
There was a problem hiding this comment.
Official released images will be like this: k8s.gcr.io/sig-storage/csi-snapshotter:v1.2.2
However, you are showing an example on how to build the image yourself so it won't be the official image. I'd suggest not to specify the image repo name.
docker build -t webhook:latest -f ./cmd/webhook/Dockerfile
| spec: | ||
| containers: | ||
| - name: snapshot-validation | ||
| image: gcr.io/your-project-name/validation-webhook:latest # change the image if you wish to use your own custom validation server image |
There was a problem hiding this comment.
please fix the image once my previous comments w.r.t image location is resolved.
example here
There was a problem hiding this comment.
Since we are releasing this together with snapshot-controller and csi-snapshotter, the version will be v2.2.0.
k8s.gcr.io/sig-storage/validation-webhook:v2.2.0
| } | ||
| return &tls.Config{ | ||
| Certificates: []tls.Certificate{sCert}, | ||
| // TODO: uses mutual tls after we agree on what cert the apiserver should use. |
There was a problem hiding this comment.
is there action item for this TODO?
There was a problem hiding this comment.
No, this came from the example webhook. I believe it's for the case where the the webhook server verifies the identity of the api server.
| } | ||
| return decideSnapshotContent(snapcontent, oldSnapcontent, isCreate) | ||
| default: | ||
| err := fmt.Errorf("expect resource to be %s or %s", SnapshotV1Beta1GVR, SnapshotContentV1Beta1GVR) |
There was a problem hiding this comment.
It's an interesting situation here. If a resource other than Snapshot/SnapshotContent has been mis-configured using this webhook for validation, it will fail all the time which might break existing functionality. Should the error here be ignored rather than populated to API server?
There was a problem hiding this comment.
Should the error here be ignored rather than populated to API server?
No, we should break fast. If they misconfigure they should know.
pkg/validation-webhook/snapshot.go
Outdated
| // Which allows the remover of finalizers and therefore deletion of this object | ||
| // Don't rely on the pointers to be nil, because the deserialization method will convert it to | ||
| // The empty struct value. Instead check the operation type. | ||
| err := utils.ValidateSnapshot(oldSnapshot) |
There was a problem hiding this comment.
nit, can be simplified as:
if err := utils.ValidateSnapshot; err != nil { return ...}
this way, you can move line 95 out of the "if isCreate" block and save the call at line 113.
WDYT?
There was a problem hiding this comment.
i cleaned it up differently, ptal
| return *s | ||
| } | ||
| func checkSnapshotImmutableFields(snapshot, oldSnapshot *volumesnapshotv1beta1.VolumeSnapshot) error { | ||
| if snapshot == nil { |
There was a problem hiding this comment.
nil checks are no longer needed
There was a problem hiding this comment.
I wouldn't want to make any assumptions about the caller. The ptr is never nil now, but that may change (future tests, deserialization change). Do you recommend changing it anyways?
| } | ||
|
|
||
| func checkSnapshotContentImmutableFields(snapcontent, oldSnapcontent *volumesnapshotv1beta1.VolumeSnapshotContent) error { | ||
| if snapcontent == nil { |
There was a problem hiding this comment.
nil checks are no longer needed.
|
@AndiLi99 please remove [WIP] from the PR title |
AndiLi99
changed the title
k8s-ci-robot
removed
the
do-not-merge/work-in-progress
| kind: Deployment | ||
| metadata: | ||
| name: snapshot-validation-deployment | ||
| namespace: default # NOTE: change the namespace |
There was a problem hiding this comment.
Should this namespace be the same as the namespace of the snapshot-controller?
There was a problem hiding this comment.
It doesn't need to be, but it may be easier to organize that way.
| spec: | ||
| containers: | ||
| - name: snapshot-validation | ||
| image: gcr.io/your-project-name/validation-webhook:latest # change the image if you wish to use your own custom validation server image |
There was a problem hiding this comment.
Since we are releasing this together with snapshot-controller and csi-snapshotter, the version will be v2.2.0.
k8s.gcr.io/sig-storage/validation-webhook:v2.2.0
|
I think this is at a good state. Please take a look @yuxiangqian @msau42 @xing-yang |
k8s-ci-robot
added
the
needs-rebase
https://github.com/kubernetes/enhancements/blob/master/keps/sig-storage/177-volume-snapshot/tighten-validation-webhook-crd.md 1. Ratcheting validation webhook server image 2. Controller labels invalid objects 3. Unit tests for webhook 4. Deployment README and example deployment method with certs 5. Update top-level README Racheting validation: 1. webhook is strict on create 2. webhook is strict on updates where the existing object passes strict validation 3. webhook is relaxed on updates where the existing object fails strict validation (allows finalizer removal, status update, deletion, etc) Additionally the validating wehook server will perform immutability checks on scenario 2 above.
AndiLi99
force-pushed
the
AndiLi99/webhook
branch
from
bd4aefc to
42b6b37
Compare
k8s-ci-robot
removed
the
needs-rebase
|
/retest |
Minor cleanup and change default fail policy and timeout on webhook config.
| @@ -79,6 +81,22 @@ Install CSI Driver: | |||
| * kubectl create -f deploy/kubernetes/csi-snapshotter | |||
| * https://github.com/kubernetes-csi/external-snapshotter/tree/master/deploy/kubernetes/csi-snapshotter | |||
|
|
|||
| ### Validating Webhook | |||
There was a problem hiding this comment.
@xing-yang @yuxiangqian let's look at this before we release, but I think it would be good to revamp the overview to make it more clear of all the pieces in this repo and who is responsible for what:
- CRDs + webhook
- controller
- sidecar
- client libraries
|
This lgtm! Will let @xing-yang and @yuxiangqian give final approvals. Awesome work Andi! |
|
@msau42 Thank you so much! Everyone's help was instrumental in getting this done :) |
| @@ -79,6 +81,22 @@ Install CSI Driver: | |||
| * kubectl create -f deploy/kubernetes/csi-snapshotter | |||
| * https://github.com/kubernetes-csi/external-snapshotter/tree/master/deploy/kubernetes/csi-snapshotter | |||
|
|
|||
| ### Validating Webhook | |||
k8s-ci-robot
added
the
lgtm
|
/lgtm |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: AndiLi99, yuxiangqian The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
approved
What type of PR is this?
/kind feature
What this PR does / why we need it:
Add a webhook which can be used to perform stricter validation, and to do ratcheting validation as part of the release plan.
Please see this KEP for full context on why a webhook is needed.
Add webhook build, docker, and deployment scripts. Boilerplate for adding the snapshot validation endpoint is in place.
Which issue(s) this PR fixes:
Fixes #187
Fixes #363
Special notes for your reviewer:
Does this PR introduce a user-facing change?: