enable webhook admission controllers #7983

Closed
davidvossel opened this issue Apr 16, 2018 · 12 comments

@davidvossel

Description

The KubeVirt project needs the ability to have MutatingAdmissionWebhook and ValidatingAdmissionWebhook admission controllers enabled in openshift.

Apiserver admission controllers are enabled via the --admission-control argument (see roles/openshift_service_catalog/templates/api_server.j2). This argument takes a list of admission controllers. We need the ability to append the MutatingAdmissionWebhook and ValidatingAdmissionWebhook values to that list.

This is blocking our ability to provide webhook validation of our VirtualMachine CRD objects. kubevirt/kubevirt#911

@davidvossel
Author

Also, I did attempt to enable the ValidatingAdmissionWebhook using the osm_api_server_args variable, but this did not appear to work.

osm_api_server_args={'admission-control': ['KubernetesNamespaceLifecycle,DefaultServicePlan,ServiceBindingsLifecycle,ServicePlanChangeValidator,BrokerAuthSarCheck,ValidatingAdmissionWebhook']}

This did result in the master-config.yaml file having these bits set

kubernetesMasterConfig:
  apiServerArguments:
    admission-control:
    - KubernetesNamespaceLifecycle,DefaultServicePlan,ServiceBindingsLifecycle,ServicePlanChangeValidator,BrokerAuthSarCheck,ValidatingAdmissionWebhook

However, the apiserver did not appear to pick up the ValidatingAdmissionWebhook admission controller on startup.

I'm testing with openshift v3.0.0-alpha.4 which should have the ability to use admission webhooks.

@sdodson
Member

sdodson commented Apr 18, 2018

Does making them a list work?

osm_api_server_args={'admission-control': ['KubernetesNamespaceLifecycle','DefaultServicePlan','ServiceBindingsLifecycle','ServicePlanChangeValidator','BrokerAuthSarCheck','ValidatingAdmissionWebhook']}

@sdodson
Member

sdodson commented Apr 18, 2018

Apiserver admission controllers are enabled via the --admission-control argument (see roles/openshift_service_catalog/templates/api_server.j2). This argument takes a list of admission controllers. We need the ability to append the MutatingAdmissionWebhook and ValidatingAdmissionWebhook values to that list.

The task file you're referencing only applies to the service catalog api server, you need this configured in the base API server, right?

@sdodson
Member

sdodson commented Apr 18, 2018

@sttts @deads2k Can either of you help here? What's the right way to configure what they're looking to do?

@deads2k
Contributor

deads2k commented Apr 18, 2018

@sttts @deads2k Can either of you help here? What's the right way to configure what they're looking to do?

The normal master-config.yaml enablement described here https://docs.openshift.org/3.6/architecture/additional_concepts/admission_controllers.html#admission-controllers-general-admission-rules ought to work.

@davidvossel
Author

@deads2k how is the openshift admission plugin related to enabling the new ValidatingAdmissionWebhook and MutatingAdmissionWebhook webhooks?

@deads2k
Contributor

deads2k commented Apr 18, 2018

@deads2k how is the openshift admission plugin related to enabling the new ValidatingAdmissionWebhook and MutatingAdmissionWebhook webhooks?

It's the way to configure admission plugins for the openshift master apiserver, which includes the kube-apiserver.

@davidvossel
Author

It's the way to configure admission plugins for the openshift master apiserver, which includes the kube-apiserver.

@deads2k Sorry, I'm not seeing the relationship between the admission plugins and what I'm trying to do.

I want to turn the ValidatingAdmissionWebhook and MutatingAdmissionWebhook admission controllers on for the kube-api server. These are two values that need to be set in the --admission-control argument passed to the kube-api server. https://kubernetes.io/docs/admin/admission-controllers/#is-there-a-recommended-set-of-admission-controllers-to-use

Here's the only openshift documentation I can find related to webhooks. It does not indicate how to enable this functionality in the apiserver though.
https://docs.openshift.org/3.9/architecture/additional_concepts/dynamic_admission_controllers.html

@deads2k
Contributor

deads2k commented Apr 18, 2018

admissionConfig:
  pluginConfig:
    ValidatingAdmissionWebhook:
      configuration:
        kind: DefaultAdmissionConfig
        apiVersion: v1
        disable: false
    MutatingAdmissionWebhook:
      configuration:
        kind: DefaultAdmissionConfig
        apiVersion: v1
        disable: false

or something close.

@davidvossel
Author

Thanks, this worked. I see that openshift converged its admission chain with k8s. That's what threw me off.

Here's the ansible env var I used for anyone who's wanting to know how to set this up.

openshift_master_admission_plugin_config={"ValidatingAdmissionWebhook":{"configuration":{"kind": "DefaultAdmissionConfig","apiVersion": "v1","disable": false}}}

@judavi

judavi commented Jun 4, 2018

@davidvossel how do you use this ansible env var when your openshift is already running?

@judavi

judavi commented Jun 4, 2018

Answering my own question, but it could be handy for a newbie like me:

  1. Edit /etc/origin/master/master-config.yaml (or your config file)
  2. Add
     admissionConfig:
       pluginConfig:
         ValidatingAdmissionWebhook:
           configuration: {kind: DefaultAdmissionConfig, apiVersion: v1, disable: false}
  3. Restart the service:
     systemctl restart atomic-openshift-master-api atomic-openshift-master-controllers
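As an added example (not code from the thread or from the openshift-ansible project), the Python below audits a parsed master-config.yaml for the two points the thread settles on: the webhook plugins count as enabled only through admissionConfig.pluginConfig stanzas of kind DefaultAdmissionConfig with disable: false, while naming them under kubernetesMasterConfig.apiServerArguments admission-control (the first attempt above) is flagged as ineffective. The function names and the sample config are assumptions; the dict layout mirrors the YAML snippets in the comments.

```python
"""Audit/patch the admissionConfig of an OpenShift 3.x master-config.yaml for the
dynamic admission webhook plugins. Works on the parsed document (the dict that
yaml.safe_load returns); reading and writing the YAML file is left to the caller."""
import copy
import json

WEBHOOK_PLUGINS = ("ValidatingAdmissionWebhook", "MutatingAdmissionWebhook")
# The per-plugin stanza the thread ends up with.
DEFAULT_ADMISSION_CONFIG = {"kind": "DefaultAdmissionConfig", "apiVersion": "v1",
                            "disable": False}

def enabled_webhooks(master_config):
    """Webhook plugins actually enabled: a DefaultAdmissionConfig with disable: false
    under admissionConfig.pluginConfig. apiServerArguments is ignored on purpose."""
    plugins = (master_config.get("admissionConfig") or {}).get("pluginConfig") or {}
    enabled = set()
    for name in WEBHOOK_PLUGINS:
        conf = (plugins.get(name) or {}).get("configuration") or {}
        if conf.get("kind") == "DefaultAdmissionConfig" and conf.get("disable") is False:
            enabled.add(name)
    return enabled

def misplaced_webhooks(master_config):
    """Webhooks named only under kubernetesMasterConfig.apiServerArguments
    admission-control, which the API server does not honour (the first attempt)."""
    args = (master_config.get("kubernetesMasterConfig") or {}).get("apiServerArguments") or {}
    names = set()
    for item in args.get("admission-control") or []:  # one comma-joined string or a list
        names.update(part.strip() for part in str(item).split(","))
    return (names & set(WEBHOOK_PLUGINS)) - enabled_webhooks(master_config)

def enable_webhooks(master_config):
    """Copy of master_config with both webhooks enabled; other pluginConfig entries kept."""
    patched = copy.deepcopy(master_config)
    admission = patched["admissionConfig"] = patched.get("admissionConfig") or {}
    plugins = admission["pluginConfig"] = admission.get("pluginConfig") or {}
    for name in WEBHOOK_PLUGINS:
        plugins[name] = {"configuration": dict(DEFAULT_ADMISSION_CONFIG)}
    return patched

def ansible_plugin_config(plugins=WEBHOOK_PLUGINS):
    """The same stanzas as the openshift_master_admission_plugin_config inventory value."""
    return json.dumps({n: {"configuration": dict(DEFAULT_ADMISSION_CONFIG)} for n in plugins})

# Constructed sample mirroring the thread's first, ineffective attempt.
SAMPLE_MASTER_CONFIG = {
    "kubernetesMasterConfig": {"apiServerArguments": {"admission-control": [
        "KubernetesNamespaceLifecycle,DefaultServicePlan,ValidatingAdmissionWebhook"]}},
    "admissionConfig": {"pluginConfig": {"openshift.io/ImagePolicy": {
        "configuration": {"kind": "ImagePolicyConfig", "apiVersion": "v1"}}}},
}
```

Running enabled_webhooks and misplaced_webhooks over a live master-config.yaml gives a quick pre-restart check that the stanza landed in the section the API server actually reads.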
