Add validation webhook for service profiles

Fixes #2075

(This supersedes #2508 because it was easier to redo this in master than
rebasing that PR. It addresses all the feedback received in #2508)

The new webhook endpoint is created in a new container in the
linkerd-controller pod.

The proxy injector webhook was refactored to extract-out the scaffolding
to be reused by the validation webhook (and eventually by any other
admission webhooks we'd like to create in the future). The new common
stuff now reside under controller/webhook.

The validation webhook simply sets up the endpoint server and the
webhook config using pkg/webhook, and calls the old
profiles.Validate to perform the actual validation.

I Also got rid of the unused -no-init-container flag in the proxy injector.

Todo in a follow-up PRs: remove the SP check from the CLI check.

Signed-off-by: Alejandro Pedraza <[email protected]>

chart/templates/controller.yaml

@@ -24,6 +24,9 @@ rules:
 - apiGroups: [""]
   resources: ["pods", "endpoints", "services", "replicationcontrollers", "namespaces"]
   verbs: ["list", "get", "watch"]
+- apiGroups: ["admissionregistration.k8s.io"]
+  resources: ["validatingwebhookconfigurations"]
+  verbs: ["create", "get", "delete"]
 - apiGroups: ["linkerd.io"]
   resources: ["serviceprofiles"]
   verbs: ["list", "get", "watch"]
@@ -77,6 +80,24 @@ spec:
     port: 8086
     targetPort: 8086
 ---
+kind: Service
+apiVersion: v1
+metadata:
+  name: linkerd-sp-validator
+  namespace: {{.Namespace}}
+  labels:
+    {{.ControllerComponentLabel}}: controller
+  annotations:
+    {{.CreatedByAnnotation}}: {{.CliVersion}}
+spec:
+  type: ClusterIP
+  selector:
+    {{.ControllerComponentLabel}}: controller
+  ports:
+  - name: sp-validator
+    port: 443
+    targetPort: sp-validator
+---
 kind: Deployment
 apiVersion: extensions/v1beta1
 metadata:
@@ -187,6 +208,31 @@ spec:
         {{ end -}}
         securityContext:
           runAsUser: {{.ControllerUID}}
+      - name: sp-validator
+        image: {{.ControllerImage}}
+        imagePullPolicy: {{.ImagePullPolicy}}
+        args:
+        - "sp-validator"
+        - "-controller-namespace={{.Namespace}}"
+        - "-log-level={{.ControllerLogLevel}}"
+        ports:
+        - name: sp-validator
+          containerPort: 8443
+        livenessProbe:
+          httpGet:
+            path: /ping
+            port: 9997
+          initialDelaySeconds: 10
+        readinessProbe:
+          httpGet:
+            path: /ready
+            port: 9997
+          failureThreshold: 7
+        {{ with .SPValidatorResources -}}
+        {{- template "resources" . }}
+        {{ end -}}
+        securityContext:
+          runAsUser: {{.ControllerUID}}
       volumes:
       - name: config
         configMap:

chart/templates/proxy_injector.yaml

@@ -35,7 +35,6 @@ spec:
         - "proxy-injector"
         - "-controller-namespace={{.Namespace}}"
         - "-log-level={{.ControllerLogLevel}}"
-        - "-no-init-container={{.NoInitContainer}}"
         ports:
         - name: proxy-injector
           containerPort: 8443

cli/cmd/install.go

@@ -62,6 +62,7 @@ type (
 		IdentityResources,
 		PrometheusResources,
 		ProxyInjectorResources,
+		SPValidatorResources,
 		PublicAPIResources,
 		TapResources,
 		WebResources *resources
@@ -431,6 +432,7 @@ func (options *installOptions) buildValuesWithoutIdentity(configs *pb.All) (*ins
 		values.DestinationResources = &*defaultConstraints
 		values.GrafanaResources = &*defaultConstraints
 		values.ProxyInjectorResources = &*defaultConstraints
+		values.SPValidatorResources = &*defaultConstraints
 		values.PublicAPIResources = &*defaultConstraints
 		values.TapResources = &*defaultConstraints
 		values.WebResources = &*defaultConstraints

cli/cmd/testdata/install_default.golden

@@ -283,6 +283,9 @@ rules:
 - apiGroups: [""]
   resources: ["pods", "endpoints", "services", "replicationcontrollers", "namespaces"]
   verbs: ["list", "get", "watch"]
+- apiGroups: ["admissionregistration.k8s.io"]
+  resources: ["validatingwebhookconfigurations"]
+  verbs: ["create", "get", "delete"]
 - apiGroups: ["linkerd.io"]
   resources: ["serviceprofiles"]
   verbs: ["list", "get", "watch"]
@@ -336,6 +339,24 @@ spec:
     port: 8086
     targetPort: 8086
 ---
+kind: Service
+apiVersion: v1
+metadata:
+  name: linkerd-sp-validator
+  namespace: linkerd
+  labels:
+    linkerd.io/control-plane-component: controller
+  annotations:
+    linkerd.io/created-by: linkerd/cli dev-undefined
+spec:
+  type: ClusterIP
+  selector:
+    linkerd.io/control-plane-component: controller
+  ports:
+  - name: sp-validator
+    port: 443
+    targetPort: sp-validator
+---
 apiVersion: extensions/v1beta1
 kind: Deployment
 metadata:
@@ -446,6 +467,29 @@ spec:
         resources: {}
         securityContext:
           runAsUser: 2103
+      - args:
+        - sp-validator
+        - -controller-namespace=linkerd
+        - -log-level=info
+        image: gcr.io/linkerd-io/controller:dev-undefined
+        imagePullPolicy: IfNotPresent
+        livenessProbe:
+          httpGet:
+            path: /ping
+            port: 9997
+          initialDelaySeconds: 10
+        name: sp-validator
+        ports:
+        - containerPort: 8443
+          name: sp-validator
+        readinessProbe:
+          failureThreshold: 7
+          httpGet:
+            path: /ready
+            port: 9997
+        resources: {}
+        securityContext:
+          runAsUser: 2103
       - env:
         - name: LINKERD2_PROXY_LOG
           value: warn,linkerd2_proxy=info

cli/cmd/testdata/install_ha_output.golden

@@ -289,6 +289,9 @@ rules:
 - apiGroups: [""]
   resources: ["pods", "endpoints", "services", "replicationcontrollers", "namespaces"]
   verbs: ["list", "get", "watch"]
+- apiGroups: ["admissionregistration.k8s.io"]
+  resources: ["validatingwebhookconfigurations"]
+  verbs: ["create", "get", "delete"]
 - apiGroups: ["linkerd.io"]
   resources: ["serviceprofiles"]
   verbs: ["list", "get", "watch"]
@@ -342,6 +345,24 @@ spec:
     port: 8086
     targetPort: 8086
 ---
+kind: Service
+apiVersion: v1
+metadata:
+  name: linkerd-sp-validator
+  namespace: linkerd
+  labels:
+    linkerd.io/control-plane-component: controller
+  annotations:
+    linkerd.io/created-by: linkerd/cli dev-undefined
+spec:
+  type: ClusterIP
+  selector:
+    linkerd.io/control-plane-component: controller
+  ports:
+  - name: sp-validator
+    port: 443
+    targetPort: sp-validator
+---
 apiVersion: extensions/v1beta1
 kind: Deployment
 metadata:
@@ -461,6 +482,32 @@ spec:
             memory: 50Mi
         securityContext:
           runAsUser: 2103
+      - args:
+        - sp-validator
+        - -controller-namespace=linkerd
+        - -log-level=info
+        image: gcr.io/linkerd-io/controller:dev-undefined
+        imagePullPolicy: IfNotPresent
+        livenessProbe:
+          httpGet:
+            path: /ping
+            port: 9997
+          initialDelaySeconds: 10
+        name: sp-validator
+        ports:
+        - containerPort: 8443
+          name: sp-validator
+        readinessProbe:
+          failureThreshold: 7
+          httpGet:
+            path: /ready
+            port: 9997
+        resources:
+          requests:
+            cpu: 20m
+            memory: 50Mi
+        securityContext:
+          runAsUser: 2103
       - env:
         - name: LINKERD2_PROXY_LOG
           value: warn,linkerd2_proxy=info

cli/cmd/testdata/install_ha_with_overrides_output.golden

@@ -289,6 +289,9 @@ rules:
 - apiGroups: [""]
   resources: ["pods", "endpoints", "services", "replicationcontrollers", "namespaces"]
   verbs: ["list", "get", "watch"]
+- apiGroups: ["admissionregistration.k8s.io"]
+  resources: ["validatingwebhookconfigurations"]
+  verbs: ["create", "get", "delete"]
 - apiGroups: ["linkerd.io"]
   resources: ["serviceprofiles"]
   verbs: ["list", "get", "watch"]
@@ -342,6 +345,24 @@ spec:
     port: 8086
     targetPort: 8086
 ---
+kind: Service
+apiVersion: v1
+metadata:
+  name: linkerd-sp-validator
+  namespace: linkerd
+  labels:
+    linkerd.io/control-plane-component: controller
+  annotations:
+    linkerd.io/created-by: linkerd/cli dev-undefined
+spec:
+  type: ClusterIP
+  selector:
+    linkerd.io/control-plane-component: controller
+  ports:
+  - name: sp-validator
+    port: 443
+    targetPort: sp-validator
+---
 apiVersion: extensions/v1beta1
 kind: Deployment
 metadata:
@@ -461,6 +482,32 @@ spec:
             memory: 50Mi
         securityContext:
           runAsUser: 2103
+      - args:
+        - sp-validator
+        - -controller-namespace=linkerd
+        - -log-level=info
+        image: gcr.io/linkerd-io/controller:dev-undefined
+        imagePullPolicy: IfNotPresent
+        livenessProbe:
+          httpGet:
+            path: /ping
+            port: 9997
+          initialDelaySeconds: 10
+        name: sp-validator
+        ports:
+        - containerPort: 8443
+          name: sp-validator
+        readinessProbe:
+          failureThreshold: 7
+          httpGet:
+            path: /ready
+            port: 9997
+        resources:
+          requests:
+            cpu: 20m
+            memory: 50Mi
+        securityContext:
+          runAsUser: 2103
       - env:
         - name: LINKERD2_PROXY_LOG
           value: warn,linkerd2_proxy=info

cli/cmd/testdata/install_no_init_container.golden

@@ -259,6 +259,9 @@ rules:
 - apiGroups: [""]
   resources: ["pods", "endpoints", "services", "replicationcontrollers", "namespaces"]
   verbs: ["list", "get", "watch"]
+- apiGroups: ["admissionregistration.k8s.io"]
+  resources: ["validatingwebhookconfigurations"]
+  verbs: ["create", "get", "delete"]
 - apiGroups: ["linkerd.io"]
   resources: ["serviceprofiles"]
   verbs: ["list", "get", "watch"]
@@ -312,6 +315,24 @@ spec:
     port: 8086
     targetPort: 8086
 ---
+kind: Service
+apiVersion: v1
+metadata:
+  name: linkerd-sp-validator
+  namespace: linkerd
+  labels:
+    linkerd.io/control-plane-component: controller
+  annotations:
+    linkerd.io/created-by: linkerd/cli dev-undefined
+spec:
+  type: ClusterIP
+  selector:
+    linkerd.io/control-plane-component: controller
+  ports:
+  - name: sp-validator
+    port: 443
+    targetPort: sp-validator
+---
 apiVersion: extensions/v1beta1
 kind: Deployment
 metadata:
@@ -422,6 +443,29 @@ spec:
         resources: {}
         securityContext:
           runAsUser: 2103
+      - args:
+        - sp-validator
+        - -controller-namespace=linkerd
+        - -log-level=info
+        image: gcr.io/linkerd-io/controller:dev-undefined
+        imagePullPolicy: IfNotPresent
+        livenessProbe:
+          httpGet:
+            path: /ping
+            port: 9997
+          initialDelaySeconds: 10
+        name: sp-validator
+        ports:
+        - containerPort: 8443
+          name: sp-validator
+        readinessProbe:
+          failureThreshold: 7
+          httpGet:
+            path: /ready
+            port: 9997
+        resources: {}
+        securityContext:
+          runAsUser: 2103
       - env:
         - name: LINKERD2_PROXY_LOG
           value: warn,linkerd2_proxy=info