github
/
k3s
mirror of https://github.com/k3s-io/k3s
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Merge pull request #66936 from jennybuckley/dry-run-webhooks 

Automatic merge from submit-queue (batch tested with PRs 67576, 66936). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

Support dry run in admission webhooks

**What this PR does / why we need it**:
Follow up to https://github.com/kubernetes/kubernetes/pull/66391
- [x] add DryRun to ```admission.k8s.io/v1beta1.AdmissionReview```
- [x] add DryRunnable to ```admissionregistration.k8s.io/v1beta1.(Valid|Mut)atingWebhookConfiguration```
- [x] add dry run support to (Valid|Mut)atingAdmissionWebhook

Includes all the api-changes outlined by https://github.com/kubernetes/community/pull/2387

/sig api-machinery

**Release note**:
```release-note
To address the possibility dry-run requests overwhelming admission webhooks that rely on side effects and a reconciliation mechanism, a new field is being added to admissionregistration.k8s.io/v1beta1.ValidatingWebhookConfiguration and admissionregistration.k8s.io/v1beta1.MutatingWebhookConfiguration so that webhooks can explicitly register as having dry-run support. If a dry-run request is made on a resource that triggers a non dry-run supporting webhook, the request will be completely rejected, with "400: Bad Request". Additionally, a new field is being added to the admission.k8s.io/v1beta1.AdmissionReview API object, exposing to webhooks whether or not the request being reviewed is a dry-run.
```
pull/8/head
Kubernetes Submit Queue 2018-08-22 19:41:58 -07:00 committed by GitHub
parent 687553a47a c61eac7daa
commit 5a16163c87
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
27 changed files with 407 additions and 117 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
api/openapi-spec/swagger.json generated
View File

@ -73548,6 +73548,10 @@
"items": {
"$ref": "#/definitions/io.k8s.api.admissionregistration.v1beta1.RuleWithOperations"
}
},
"sideEffects": {
"description": "SideEffects states whether this webhookk has side effects. Acceptable values are: Unknown, None, Some, NoneOnDryRun Webhooks with side effects MUST implement a reconciliation system, since a request may be rejected by a future step in the admission change and the side effects therefore need to be undone. Requests with the dryRun attribute will be auto-rejected if they match a webhook with sideEffects == Unknown or Some. Defaults to Unknown.",
"type": "string"
}
}
},

8
api/swagger-spec/admissionregistration.k8s.io_v1beta1.json generated
View File

@ -1786,6 +1786,10 @@
"namespaceSelector": {
"$ref": "v1.LabelSelector",
"description": "NamespaceSelector decides whether to run the webhook on an object based on whether the namespace for that object matches the selector. If the object itself is a namespace, the matching is performed on object.metadata.labels. If the object is another cluster scoped resource, it never skips the webhook.\n\nFor example, to run the webhook on any objects whose namespace is not associated with \"runlevel\" of \"0\" or \"1\"; you will set the selector as follows: \"namespaceSelector\": {\n \"matchExpressions\": [\n {\n \"key\": \"runlevel\",\n \"operator\": \"NotIn\",\n \"values\": [\n \"0\",\n \"1\"\n ]\n }\n ]\n}\n\nIf instead you want to only run the webhook on any objects whose namespace is associated with the \"environment\" of \"prod\" or \"staging\"; you will set the selector as follows: \"namespaceSelector\": {\n \"matchExpressions\": [\n {\n \"key\": \"environment\",\n \"operator\": \"In\",\n \"values\": [\n \"prod\",\n \"staging\"\n ]\n }\n ]\n}\n\nSee https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ for more examples of label selectors.\n\nDefault to the empty LabelSelector, which matches everything."
},
"sideEffects": {
"$ref": "v1beta1.SideEffectClass",
"description": "SideEffects states whether this webhookk has side effects. Acceptable values are: Unknown, None, Some, NoneOnDryRun Webhooks with side effects MUST implement a reconciliation system, since a request may be rejected by a future step in the admission change and the side effects therefore need to be undone. Requests with the dryRun attribute will be auto-rejected if they match a webhook with sideEffects == Unknown or Some. Defaults to Unknown."
}
}
},
@ -1917,6 +1921,10 @@
}
}
},
"v1beta1.SideEffectClass": {
"id": "v1beta1.SideEffectClass",
"properties": {}
},
"v1.WatchEvent": {
"id": "v1.WatchEvent",
"required": [

19
docs/api-reference/admissionregistration.k8s.io/v1beta1/definitions.html generated
View File

@ -1049,6 +1049,10 @@ Depending on the enclosing object, subresources might not be allowed. Required.<
</tbody>
</table>
</div>
<div class="sect2">
<h3 id="_v1_deletionpropagation">v1.DeletionPropagation</h3>
</div>
<div class="sect2">
<h3 id="_v1beta1_webhook">v1beta1.Webhook</h3>
@ -1138,13 +1142,16 @@ Default to the empty LabelSelector, which matches everything.</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="#_v1_labelselector">v1.LabelSelector</a></p></td>
<td class="tableblock halign-left valign-top"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">sideEffects</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">SideEffects states whether this webhookk has side effects. Acceptable values are: Unknown, None, Some, NoneOnDryRun Webhooks with side effects MUST implement a reconciliation system, since a request may be rejected by a future step in the admission change and the side effects therefore need to be undone. Requests with the dryRun attribute will be auto-rejected if they match a webhook with sideEffects == Unknown or Some. Defaults to Unknown.</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="#_v1beta1_sideeffectclass">v1beta1.SideEffectClass</a></p></td>
<td class="tableblock halign-left valign-top"></td>
</tr>
</tbody>
</table>
</div>
<div class="sect2">
<h3 id="_v1_deletionpropagation">v1.DeletionPropagation</h3>
</div>
<div class="sect2">
<h3 id="_v1beta1_operationtype">v1beta1.OperationType</h3>
@ -1765,6 +1772,10 @@ Port 443 will be used if it is open, otherwise it is an error.</p></td>
</tbody>
</table>
</div>
<div class="sect2">
<h3 id="_v1beta1_sideeffectclass">v1beta1.SideEffectClass</h3>
</div>
<div class="sect2">
<h3 id="_types_uid">types.UID</h3>

5
pkg/apis/admission/types.go
View File

@ -73,6 +73,11 @@ type AdmissionRequest struct {
// OldObject is the existing object. Only populated for UPDATE requests.
// +optional
OldObject runtime.Object
// DryRun indicates that modifications will definitely not be persisted for this request.
// Calls to webhooks must have no side effects if DryRun is true.
// Defaults to false.
// +optional
DryRun *bool
}
// AdmissionResponse describes an admission response.

2
pkg/apis/admission/v1beta1/zz_generated.conversion.go generated
View File

@ -89,6 +89,7 @@ func autoConvert_v1beta1_AdmissionRequest_To_admission_AdmissionRequest(in *v1be
if err := runtime.Convert_runtime_RawExtension_To_runtime_Object(&in.OldObject, &out.OldObject, s); err != nil {
return err
}
out.DryRun = (*bool)(unsafe.Pointer(in.DryRun))
return nil
}
@ -115,6 +116,7 @@ func autoConvert_admission_AdmissionRequest_To_v1beta1_AdmissionRequest(in *admi
if err := runtime.Convert_runtime_Object_To_runtime_RawExtension(&in.OldObject, &out.OldObject, s); err != nil {
return err
}
out.DryRun = (*bool)(unsafe.Pointer(in.DryRun))
return nil
}

5
pkg/apis/admission/zz_generated.deepcopy.go generated
View File

@ -37,6 +37,11 @@ func (in *AdmissionRequest) DeepCopyInto(out *AdmissionRequest) {
if in.OldObject != nil {
out.OldObject = in.OldObject.DeepCopyObject()
}
if in.DryRun != nil {
in, out := &in.DryRun, &out.DryRun
*out = new(bool)
**out = **in
}
return
}

2
pkg/apis/admissionregistration/fuzzer/fuzzer.go
View File

@ -30,6 +30,8 @@ var Funcs = func(codecs runtimeserializer.CodecFactory) []interface{} {
c.FuzzNoCustom(obj) // fuzz self without calling this function again
p := admissionregistration.FailurePolicyType("Fail")
obj.FailurePolicy = &p
s := admissionregistration.SideEffectClassUnknown
obj.SideEffects = &s
},
}
}

25
pkg/apis/admissionregistration/types.go
View File

@ -112,6 +112,22 @@ const (
Fail FailurePolicyType = "Fail"
)
type SideEffectClass string
const (
// SideEffectClassUnknown means that no information is known about the side effects of calling the webhook.
// If a request with the dry-run attribute would trigger a call to this webhook, the request will instead fail.
SideEffectClassUnknown SideEffectClass = "Unknown"
// SideEffectClassNone means that calling the webhook will have no side effects.
SideEffectClassNone SideEffectClass = "None"
// SideEffectClassSome means that calling the webhook will possibly have side effects.
// If a request with the dry-run attribute would trigger a call to this webhook, the request will instead fail.
SideEffectClassSome SideEffectClass = "Some"
// SideEffectClassNoneOnDryRun means that calling the webhook will possibly have side effects, but if the
// request being reviewed has the dry-run attribute, the side effects will be suppressed.
SideEffectClassNoneOnDryRun SideEffectClass = "NoneOnDryRun"
)
// +genclient
// +genclient:nonNamespaced
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
@ -235,6 +251,15 @@ type Webhook struct {
// Default to the empty LabelSelector, which matches everything.
// +optional
NamespaceSelector *metav1.LabelSelector
// SideEffects states whether this webhookk has side effects.
// Acceptable values are: Unknown, None, Some, NoneOnDryRun
// Webhooks with side effects MUST implement a reconciliation system, since a request may be
// rejected by a future step in the admission change and the side effects therefore need to be undone.
// Requests with the dryRun attribute will be auto-rejected if they match a webhook with
// sideEffects == Unknown or Some. Defaults to Unknown.
// +optional
SideEffects *SideEffectClass
}
// RuleWithOperations is a tuple of Operations and Resources. It is recommended to make

5
pkg/apis/admissionregistration/v1beta1/defaults.go
View File

@ -35,4 +35,9 @@ func SetDefaults_Webhook(obj *admissionregistrationv1beta1.Webhook) {
selector := metav1.LabelSelector{}
obj.NamespaceSelector = &selector
}
if obj.SideEffects == nil {
// TODO: revisit/remove this default and possibly make the field required when promoting to v1
unknown := admissionregistrationv1beta1.SideEffectClassUnknown
obj.SideEffects = &unknown
}
}

2
pkg/apis/admissionregistration/v1beta1/zz_generated.conversion.go generated
View File

@ -300,6 +300,7 @@ func autoConvert_v1beta1_Webhook_To_admissionregistration_Webhook(in *v1beta1.We
out.Rules = *(*[]admissionregistration.RuleWithOperations)(unsafe.Pointer(&in.Rules))
out.FailurePolicy = (*admissionregistration.FailurePolicyType)(unsafe.Pointer(in.FailurePolicy))
out.NamespaceSelector = (*v1.LabelSelector)(unsafe.Pointer(in.NamespaceSelector))
out.SideEffects = (*admissionregistration.SideEffectClass)(unsafe.Pointer(in.SideEffects))
return nil
}
@ -316,6 +317,7 @@ func autoConvert_admissionregistration_Webhook_To_v1beta1_Webhook(in *admissionr
out.Rules = *(*[]v1beta1.RuleWithOperations)(unsafe.Pointer(&in.Rules))
out.FailurePolicy = (*v1beta1.FailurePolicyType)(unsafe.Pointer(in.FailurePolicy))
out.NamespaceSelector = (*v1.LabelSelector)(unsafe.Pointer(in.NamespaceSelector))
out.SideEffects = (*v1beta1.SideEffectClass)(unsafe.Pointer(in.SideEffects))
return nil
}

10
pkg/apis/admissionregistration/validation/validation.go
View File

@ -192,6 +192,9 @@ func validateWebhook(hook *admissionregistration.Webhook, fldPath *field.Path) f
if hook.FailurePolicy != nil && !supportedFailurePolicies.Has(string(*hook.FailurePolicy)) {
allErrors = append(allErrors, field.NotSupported(fldPath.Child("failurePolicy"), *hook.FailurePolicy, supportedFailurePolicies.List()))
}
if hook.SideEffects != nil && !supportedSideEffectClasses.Has(string(*hook.SideEffects)) {
allErrors = append(allErrors, field.NotSupported(fldPath.Child("sideEffects"), *hook.SideEffects, supportedSideEffectClasses.List()))
}
if hook.NamespaceSelector != nil {
allErrors = append(allErrors, metav1validation.ValidateLabelSelector(hook.NamespaceSelector, fldPath.Child("namespaceSelector"))...)
@ -291,6 +294,13 @@ var supportedFailurePolicies = sets.NewString(
string(admissionregistration.Fail),
)
var supportedSideEffectClasses = sets.NewString(
string(admissionregistration.SideEffectClassUnknown),
string(admissionregistration.SideEffectClassNone),
string(admissionregistration.SideEffectClassSome),
string(admissionregistration.SideEffectClassNoneOnDryRun),
)
var supportedOperations = sets.NewString(
string(admissionregistration.OperationAll),
string(admissionregistration.Create),

15
pkg/apis/admissionregistration/validation/validation_test.go
View File

@ -499,6 +499,21 @@ func TestValidateValidatingWebhookConfiguration(t *testing.T) {
}),
expectedError: `webhooks[0].failurePolicy: Unsupported value: "other": supported values: "Fail", "Ignore"`,
},
{
name: "SideEffects can only be \"Unknown\", \"None\", \"Some\", or \"NoneOnDryRun\"",
config: newValidatingWebhookConfiguration(
[]admissionregistration.Webhook{
{
Name: "webhook.k8s.io",
ClientConfig: validClientConfig,
SideEffects: func() *admissionregistration.SideEffectClass {
r := admissionregistration.SideEffectClass("other")
return &r
}(),
},
}),
expectedError: `webhooks[0].sideEffects: Unsupported value: "other": supported values: "None", "NoneOnDryRun", "Some", "Unknown"`,
},
{
name: "both service and URL missing",
config: newValidatingWebhookConfiguration(

5
pkg/apis/admissionregistration/zz_generated.deepcopy.go generated
View File

@ -341,6 +341,11 @@ func (in *Webhook) DeepCopyInto(out *Webhook) {
*out = new(v1.LabelSelector)
(*in).DeepCopyInto(*out)
}
if in.SideEffects != nil {
in, out := &in.SideEffects, &out.SideEffects
*out = new(SideEffectClass)
**out = **in
}
return
}

137
staging/src/k8s.io/api/admission/v1beta1/generated.pb.go generated
View File

@ -149,6 +149,16 @@ func (m *AdmissionRequest) MarshalTo(dAtA []byte) (int, error) {
return 0, err
}
i += n5
if m.DryRun != nil {
dAtA[i] = 0x58
i++
if *m.DryRun {
dAtA[i] = 1
} else {
dAtA[i] = 0
}
i++
}
return i, nil
}
@ -314,6 +324,9 @@ func (m *AdmissionRequest) Size() (n int) {
n += 1 + l + sovGenerated(uint64(l))
l = m.OldObject.Size()
n += 1 + l + sovGenerated(uint64(l))
if m.DryRun != nil {
n += 2
}
return n
}
@ -388,6 +401,7 @@ func (this *AdmissionRequest) String() string {
`UserInfo:` + strings.Replace(strings.Replace(this.UserInfo.String(), "UserInfo", "k8s_io_api_authentication_v1.UserInfo", 1), `&`, ``, 1) + `,`,
`Object:` + strings.Replace(strings.Replace(this.Object.String(), "RawExtension", "k8s_io_apimachinery_pkg_runtime.RawExtension", 1), `&`, ``, 1) + `,`,
`OldObject:` + strings.Replace(strings.Replace(this.OldObject.String(), "RawExtension", "k8s_io_apimachinery_pkg_runtime.RawExtension", 1), `&`, ``, 1) + `,`,
`DryRun:` + valueToStringGenerated(this.DryRun) + `,`,
`}`,
}, "")
return s
@ -760,6 +774,27 @@ func (m *AdmissionRequest) Unmarshal(dAtA []byte) error {
return err
}
iNdEx = postIndex
case 11:
if wireType != 0 {
return fmt.Errorf("proto: wrong wireType = %d for field DryRun", wireType)
}
var v int
for shift := uint(0); ; shift += 7 {
if shift >= 64 {
return ErrIntOverflowGenerated
}
if iNdEx >= l {
return io.ErrUnexpectedEOF
}
b := dAtA[iNdEx]
iNdEx++
v |= (int(b) & 0x7F) << shift
if b < 0x80 {
break
}
}
b := bool(v != 0)
m.DryRun = &b
default:
iNdEx = preIndex
skippy, err := skipGenerated(dAtA[iNdEx:])
@ -1316,55 +1351,57 @@ func init() {
}
var fileDescriptorGenerated = []byte{
// 800 bytes of a gzipped FileDescriptorProto
// 821 bytes of a gzipped FileDescriptorProto
0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xac, 0x54, 0xcf, 0x6f, 0xe3, 0x44,
0x14, 0x8e, 0x37, 0x3f, 0x3d, 0xa9, 0xd8, 0xec, 0x00, 0x92, 0x15, 0x21, 0x27, 0xf4, 0x80, 0x8a,
0xb4, 0x1d, 0xd3, 0x0a, 0x56, 0xd5, 0x8a, 0x4b, 0xcc, 0x46, 0xa8, 0x42, 0x6a, 0xab, 0x69, 0x83,
0x80, 0x03, 0xd2, 0xc4, 0x9e, 0x26, 0x26, 0xf1, 0x8c, 0xf1, 0x8c, 0x53, 0x72, 0x43, 0x5c, 0xb9,
0xf0, 0x3f, 0x71, 0xe9, 0xb1, 0xc7, 0x9e, 0x22, 0x1a, 0xfe, 0x00, 0xee, 0x3d, 0x21, 0x8f, 0xc7,
0x71, 0x48, 0x5b, 0x68, 0xd1, 0x9e, 0x32, 0xef, 0xbd, 0xef, 0xfb, 0x9e, 0xe7, 0x7b, 0x2f, 0x03,
0xfa, 0x93, 0x03, 0x81, 0x02, 0xee, 0x4c, 0x92, 0x21, 0x8d, 0x19, 0x95, 0x54, 0x38, 0x33, 0xca,
0x7c, 0x1e, 0x3b, 0xba, 0x40, 0xa2, 0xc0, 0x21, 0x7e, 0x18, 0x08, 0x11, 0x70, 0xe6, 0xcc, 0xf6,
0x86, 0x54, 0x92, 0x3d, 0x67, 0x44, 0x19, 0x8d, 0x89, 0xa4, 0x3e, 0x8a, 0x62, 0x2e, 0x39, 0xfc,
0x20, 0x43, 0x23, 0x12, 0x05, 0x68, 0x85, 0x46, 0x1a, 0xdd, 0xde, 0x1d, 0x05, 0x72, 0x9c, 0x0c,
0x91, 0xc7, 0x43, 0x67, 0xc4, 0x47, 0xdc, 0x51, 0xa4, 0x61, 0x72, 0xae, 0x22, 0x15, 0xa8, 0x53,
0x26, 0xd6, 0x7e, 0xb9, 0xde, 0x3a, 0x91, 0x63, 0xca, 0x64, 0xe0, 0x11, 0x99, 0xf5, 0xdf, 0x6c,
0xdd, 0xfe, 0xb4, 0x40, 0x87, 0xc4, 0x1b, 0x07, 0x8c, 0xc6, 0x73, 0x27, 0x9a, 0x8c, 0xd2, 0x84,
0x70, 0x42, 0x2a, 0xc9, 0x7d, 0x2c, 0xe7, 0x21, 0x56, 0x9c, 0x30, 0x19, 0x84, 0xf4, 0x0e, 0xe1,
0xd5, 0x7f, 0x11, 0x84, 0x37, 0xa6, 0x21, 0xd9, 0xe4, 0x6d, 0xff, 0x55, 0x05, 0xad, 0x5e, 0xee,
0x08, 0xa6, 0x3f, 0x26, 0x54, 0x48, 0xe8, 0x82, 0x72, 0x12, 0xf8, 0x96, 0xd1, 0x35, 0x76, 0x4c,
0xf7, 0x93, 0xcb, 0x45, 0xa7, 0xb4, 0x5c, 0x74, 0xca, 0x83, 0xc3, 0x37, 0xb7, 0x8b, 0xce, 0x87,
0x0f, 0x35, 0x92, 0xf3, 0x88, 0x0a, 0x34, 0x38, 0x7c, 0x83, 0x53, 0x32, 0xfc, 0x06, 0x54, 0x26,
0x01, 0xf3, 0xad, 0x67, 0x5d, 0x63, 0xa7, 0xb9, 0xff, 0x0a, 0x15, 0x13, 0x58, 0xd1, 0x50, 0x34,
0x19, 0xa5, 0x09, 0x81, 0x52, 0x1b, 0xd0, 0x6c, 0x0f, 0x7d, 0x19, 0xf3, 0x24, 0xfa, 0x9a, 0xc6,
0xe9, 0xc7, 0x7c, 0x15, 0x30, 0xdf, 0xdd, 0xd2, 0xcd, 0x2b, 0x69, 0x84, 0x95, 0x22, 0x1c, 0x83,
0x46, 0x4c, 0x05, 0x4f, 0x62, 0x8f, 0x5a, 0x65, 0xa5, 0xfe, 0xfa, 0xe9, 0xea, 0x58, 0x2b, 0xb8,
0x2d, 0xdd, 0xa1, 0x91, 0x67, 0xf0, 0x4a, 0x1d, 0x7e, 0x06, 0x9a, 0x22, 0x19, 0xe6, 0x05, 0xab,
0xa2, 0xfc, 0x78, 0x57, 0x13, 0x9a, 0xa7, 0x45, 0x09, 0xaf, 0xe3, 0x60, 0x17, 0x54, 0x18, 0x09,
0xa9, 0x55, 0x55, 0xf8, 0xd5, 0x15, 0x8e, 0x48, 0x48, 0xb1, 0xaa, 0x40, 0x07, 0x98, 0xe9, 0xaf,
0x88, 0x88, 0x47, 0xad, 0x9a, 0x82, 0xbd, 0xd0, 0x30, 0xf3, 0x28, 0x2f, 0xe0, 0x02, 0x03, 0x3f,
0x07, 0x26, 0x8f, 0xd2, 0xc1, 0x05, 0x9c, 0x59, 0x75, 0x45, 0xb0, 0x73, 0xc2, 0x71, 0x5e, 0xb8,
0x5d, 0x0f, 0x70, 0x41, 0x80, 0x67, 0xa0, 0x91, 0x08, 0x1a, 0x1f, 0xb2, 0x73, 0x6e, 0x35, 0x94,
0x63, 0x1f, 0xa1, 0xf5, 0x7f, 0xc4, 0x3f, 0x96, 0x38, 0x75, 0x6a, 0xa0, 0xd1, 0x85, 0x3b, 0x79,
0x06, 0xaf, 0x94, 0xe0, 0x00, 0xd4, 0xf8, 0xf0, 0x07, 0xea, 0x49, 0xcb, 0x54, 0x9a, 0xbb, 0x0f,
0x4e, 0x41, 0xef, 0x20, 0xc2, 0xe4, 0xa2, 0xff, 0x93, 0xa4, 0x2c, 0x1d, 0x80, 0xfb, 0x8e, 0x96,
0xae, 0x1d, 0x2b, 0x11, 0xac, 0xc5, 0xe0, 0xf7, 0xc0, 0xe4, 0x53, 0x3f, 0x4b, 0x5a, 0xe0, 0xff,
0x28, 0xaf, 0xac, 0x3c, 0xce, 0x75, 0x70, 0x21, 0xb9, 0xfd, 0x4b, 0x05, 0xbc, 0x58, 0xdb, 0x78,
0x11, 0x71, 0x26, 0xe8, 0x5b, 0x59, 0xf9, 0x8f, 0x41, 0x9d, 0x4c, 0xa7, 0xfc, 0x82, 0x66, 0x5b,
0xdf, 0x70, 0x9f, 0x6b, 0x9d, 0x7a, 0x2f, 0x4b, 0xe3, 0xbc, 0x0e, 0x4f, 0x40, 0x4d, 0x48, 0x22,
0x13, 0xa1, 0x37, 0xf8, 0xe5, 0xe3, 0x36, 0xf8, 0x54, 0x71, 0x5c, 0x90, 0xda, 0x86, 0xa9, 0x48,
0xa6, 0x12, 0x6b, 0x1d, 0xd8, 0x01, 0xd5, 0x88, 0x48, 0x6f, 0xac, 0xb6, 0x74, 0xcb, 0x35, 0x97,
0x8b, 0x4e, 0xf5, 0x24, 0x4d, 0xe0, 0x2c, 0x0f, 0x0f, 0x80, 0xa9, 0x0e, 0x67, 0xf3, 0x28, 0x5f,
0xcd, 0x76, 0x6a, 0xd2, 0x49, 0x9e, 0xbc, 0x5d, 0x0f, 0x70, 0x01, 0x86, 0xbf, 0x1a, 0xa0, 0x45,
0x12, 0x3f, 0x90, 0x3d, 0xc6, 0xb8, 0x54, 0x4b, 0x22, 0xac, 0x5a, 0xb7, 0xbc, 0xd3, 0xdc, 0xef,
0xa3, 0x7f, 0x7b, 0x59, 0xd1, 0x1d, 0x9f, 0x51, 0x6f, 0x43, 0xa7, 0xcf, 0x64, 0x3c, 0x77, 0x2d,
0x6d, 0x54, 0x6b, 0xb3, 0x8c, 0xef, 0x34, 0x6e, 0x7f, 0x01, 0xde, 0xbf, 0x57, 0x04, 0xb6, 0x40,
0x79, 0x42, 0xe7, 0xd9, 0x08, 0x71, 0x7a, 0x84, 0xef, 0x81, 0xea, 0x8c, 0x4c, 0x13, 0xaa, 0xc6,
0x61, 0xe2, 0x2c, 0x78, 0xfd, 0xec, 0xc0, 0xd8, 0xfe, 0xdd, 0x00, 0xcf, 0xd7, 0x3e, 0x6e, 0x16,
0xd0, 0x0b, 0x38, 0x00, 0xf5, 0x38, 0x7b, 0x00, 0x95, 0x46, 0x73, 0x1f, 0x3d, 0xfa, 0x72, 0x8a,
0xe5, 0x36, 0xd3, 0x51, 0xeb, 0x00, 0xe7, 0x5a, 0xf0, 0x5b, 0xf5, 0x5c, 0xa9, 0xdb, 0xeb, 0xc7,
0xd0, 0x79, 0xa2, 0x69, 0xee, 0x96, 0x7e, 0x9f, 0x54, 0x84, 0x57, 0x72, 0xee, 0xee, 0xe5, 0x8d,
0x5d, 0xba, 0xba, 0xb1, 0x4b, 0xd7, 0x37, 0x76, 0xe9, 0xe7, 0xa5, 0x6d, 0x5c, 0x2e, 0x6d, 0xe3,
0x6a, 0x69, 0x1b, 0xd7, 0x4b, 0xdb, 0xf8, 0x63, 0x69, 0x1b, 0xbf, 0xfd, 0x69, 0x97, 0xbe, 0xab,
0x6b, 0xe1, 0xbf, 0x03, 0x00, 0x00, 0xff, 0xff, 0x8d, 0xe4, 0x17, 0xc7, 0x4d, 0x07, 0x00, 0x00,
0x14, 0x8e, 0x37, 0x69, 0x12, 0x4f, 0x2a, 0x36, 0x3b, 0x80, 0x64, 0x45, 0xc8, 0x09, 0x3d, 0xa0,
0x20, 0x6d, 0xc7, 0xb4, 0x82, 0x55, 0xb5, 0xe2, 0x12, 0xd3, 0x08, 0x55, 0x48, 0xdb, 0x6a, 0x76,
0x83, 0x80, 0x03, 0xd2, 0xc4, 0x9e, 0x4d, 0x4c, 0xe2, 0x19, 0xe3, 0x99, 0x49, 0xc9, 0x0d, 0x71,
0xe5, 0x82, 0xc4, 0x9f, 0xc4, 0xa5, 0xc7, 0x3d, 0xee, 0x29, 0xa2, 0xe1, 0xbf, 0xe8, 0x09, 0x79,
0x3c, 0x8e, 0x43, 0xba, 0x85, 0x5d, 0xb4, 0x27, 0xfb, 0xfd, 0xf8, 0xbe, 0x37, 0xf3, 0xbd, 0x37,
0x0f, 0x0c, 0x67, 0x27, 0x02, 0x45, 0xdc, 0x9b, 0xa9, 0x31, 0x4d, 0x19, 0x95, 0x54, 0x78, 0x0b,
0xca, 0x42, 0x9e, 0x7a, 0x26, 0x40, 0x92, 0xc8, 0x23, 0x61, 0x1c, 0x09, 0x11, 0x71, 0xe6, 0x2d,
0x8e, 0xc6, 0x54, 0x92, 0x23, 0x6f, 0x42, 0x19, 0x4d, 0x89, 0xa4, 0x21, 0x4a, 0x52, 0x2e, 0x39,
0xfc, 0x20, 0xcf, 0x46, 0x24, 0x89, 0xd0, 0x26, 0x1b, 0x99, 0xec, 0xce, 0xe1, 0x24, 0x92, 0x53,
0x35, 0x46, 0x01, 0x8f, 0xbd, 0x09, 0x9f, 0x70, 0x4f, 0x83, 0xc6, 0xea, 0xb9, 0xb6, 0xb4, 0xa1,
0xff, 0x72, 0xb2, 0xce, 0xc3, 0xed, 0xd2, 0x4a, 0x4e, 0x29, 0x93, 0x51, 0x40, 0x64, 0x5e, 0x7f,
0xb7, 0x74, 0xe7, 0xd3, 0x32, 0x3b, 0x26, 0xc1, 0x34, 0x62, 0x34, 0x5d, 0x7a, 0xc9, 0x6c, 0x92,
0x39, 0x84, 0x17, 0x53, 0x49, 0x5e, 0x85, 0xf2, 0xee, 0x42, 0xa5, 0x8a, 0xc9, 0x28, 0xa6, 0xb7,
0x00, 0x8f, 0xfe, 0x0b, 0x20, 0x82, 0x29, 0x8d, 0xc9, 0x2e, 0xee, 0xe0, 0xf7, 0x3a, 0x68, 0x0f,
0x0a, 0x45, 0x30, 0xfd, 0x51, 0x51, 0x21, 0xa1, 0x0f, 0xaa, 0x2a, 0x0a, 0x1d, 0xab, 0x67, 0xf5,
0x6d, 0xff, 0x93, 0xab, 0x55, 0xb7, 0xb2, 0x5e, 0x75, 0xab, 0xa3, 0xb3, 0xd3, 0x9b, 0x55, 0xf7,
0xc3, 0xbb, 0x0a, 0xc9, 0x65, 0x42, 0x05, 0x1a, 0x9d, 0x9d, 0xe2, 0x0c, 0x0c, 0xbf, 0x01, 0xb5,
0x59, 0xc4, 0x42, 0xe7, 0x5e, 0xcf, 0xea, 0xb7, 0x8e, 0x1f, 0xa1, 0xb2, 0x03, 0x1b, 0x18, 0x4a,
0x66, 0x93, 0xcc, 0x21, 0x50, 0x26, 0x03, 0x5a, 0x1c, 0xa1, 0x2f, 0x53, 0xae, 0x92, 0xaf, 0x69,
0x9a, 0x1d, 0xe6, 0xab, 0x88, 0x85, 0xfe, 0xbe, 0x29, 0x5e, 0xcb, 0x2c, 0xac, 0x19, 0xe1, 0x14,
0x34, 0x53, 0x2a, 0xb8, 0x4a, 0x03, 0xea, 0x54, 0x35, 0xfb, 0xe3, 0x37, 0x67, 0xc7, 0x86, 0xc1,
0x6f, 0x9b, 0x0a, 0xcd, 0xc2, 0x83, 0x37, 0xec, 0xf0, 0x33, 0xd0, 0x12, 0x6a, 0x5c, 0x04, 0x9c,
0x9a, 0xd6, 0xe3, 0x5d, 0x03, 0x68, 0x3d, 0x2d, 0x43, 0x78, 0x3b, 0x0f, 0xf6, 0x40, 0x8d, 0x91,
0x98, 0x3a, 0x7b, 0x3a, 0x7f, 0x73, 0x85, 0x27, 0x24, 0xa6, 0x58, 0x47, 0xa0, 0x07, 0xec, 0xec,
0x2b, 0x12, 0x12, 0x50, 0xa7, 0xae, 0xd3, 0x1e, 0x98, 0x34, 0xfb, 0x49, 0x11, 0xc0, 0x65, 0x0e,
0xfc, 0x1c, 0xd8, 0x3c, 0xc9, 0x1a, 0x17, 0x71, 0xe6, 0x34, 0x34, 0xc0, 0x2d, 0x00, 0xe7, 0x45,
0xe0, 0x66, 0xdb, 0xc0, 0x25, 0x00, 0x3e, 0x03, 0x4d, 0x25, 0x68, 0x7a, 0xc6, 0x9e, 0x73, 0xa7,
0xa9, 0x15, 0xfb, 0x08, 0x6d, 0xbf, 0x88, 0x7f, 0x0c, 0x71, 0xa6, 0xd4, 0xc8, 0x64, 0x97, 0xea,
0x14, 0x1e, 0xbc, 0x61, 0x82, 0x23, 0x50, 0xe7, 0xe3, 0x1f, 0x68, 0x20, 0x1d, 0x5b, 0x73, 0x1e,
0xde, 0xd9, 0x05, 0x33, 0x83, 0x08, 0x93, 0xcb, 0xe1, 0x4f, 0x92, 0xb2, 0xac, 0x01, 0xfe, 0x3b,
0x86, 0xba, 0x7e, 0xae, 0x49, 0xb0, 0x21, 0x83, 0xdf, 0x03, 0x9b, 0xcf, 0xc3, 0xdc, 0xe9, 0x80,
0xff, 0xc3, 0xbc, 0x91, 0xf2, 0xbc, 0xe0, 0xc1, 0x25, 0x25, 0x3c, 0x00, 0xf5, 0x30, 0x5d, 0x62,
0xc5, 0x9c, 0x56, 0xcf, 0xea, 0x37, 0x7d, 0x90, 0x9d, 0xe1, 0x54, 0x7b, 0xb0, 0x89, 0x1c, 0xfc,
0x52, 0x03, 0x0f, 0xb6, 0x5e, 0x85, 0x48, 0x38, 0x13, 0xf4, 0xad, 0x3c, 0x8b, 0x8f, 0x41, 0x83,
0xcc, 0xe7, 0xfc, 0x92, 0xe6, 0x2f, 0xa3, 0xe9, 0xdf, 0x37, 0x3c, 0x8d, 0x41, 0xee, 0xc6, 0x45,
0x1c, 0x5e, 0x80, 0xba, 0x90, 0x44, 0x2a, 0x61, 0xa6, 0xfc, 0xe1, 0xeb, 0x4d, 0xf9, 0x53, 0x8d,
0xc9, 0xaf, 0x85, 0xa9, 0x50, 0x73, 0x89, 0x0d, 0x0f, 0xec, 0x82, 0xbd, 0x84, 0xc8, 0x60, 0xaa,
0x27, 0x79, 0xdf, 0xb7, 0xd7, 0xab, 0xee, 0xde, 0x45, 0xe6, 0xc0, 0xb9, 0x1f, 0x9e, 0x00, 0x5b,
0xff, 0x3c, 0x5b, 0x26, 0xc5, 0xf8, 0x76, 0x32, 0x21, 0x2f, 0x0a, 0xe7, 0xcd, 0xb6, 0x81, 0xcb,
0x64, 0xf8, 0xab, 0x05, 0xda, 0x44, 0x85, 0x91, 0x1c, 0x30, 0xc6, 0xa5, 0x1e, 0x24, 0xe1, 0xd4,
0x7b, 0xd5, 0x7e, 0xeb, 0x78, 0x88, 0xfe, 0x6d, 0xfb, 0xa2, 0x5b, 0x3a, 0xa3, 0xc1, 0x0e, 0xcf,
0x90, 0xc9, 0x74, 0xe9, 0x3b, 0x46, 0xa8, 0xf6, 0x6e, 0x18, 0xdf, 0x2a, 0xdc, 0xf9, 0x02, 0xbc,
0xff, 0x4a, 0x12, 0xd8, 0x06, 0xd5, 0x19, 0x5d, 0xe6, 0x2d, 0xc4, 0xd9, 0x2f, 0x7c, 0x0f, 0xec,
0x2d, 0xc8, 0x5c, 0x51, 0xdd, 0x0e, 0x1b, 0xe7, 0xc6, 0xe3, 0x7b, 0x27, 0xd6, 0xc1, 0x1f, 0x16,
0xb8, 0xbf, 0x75, 0xb8, 0x45, 0x44, 0x2f, 0xe1, 0x08, 0x34, 0xd2, 0x7c, 0x49, 0x6a, 0x8e, 0xd6,
0x31, 0x7a, 0xed, 0xcb, 0x69, 0x94, 0xdf, 0xca, 0x5a, 0x6d, 0x0c, 0x5c, 0x70, 0xc1, 0x6f, 0xf5,
0x4a, 0xd3, 0xb7, 0x37, 0x0b, 0xd3, 0x7b, 0x43, 0xd1, 0xfc, 0x7d, 0xb3, 0xc3, 0xb4, 0x85, 0x37,
0x74, 0xfe, 0xe1, 0xd5, 0xb5, 0x5b, 0x79, 0x71, 0xed, 0x56, 0x5e, 0x5e, 0xbb, 0x95, 0x9f, 0xd7,
0xae, 0x75, 0xb5, 0x76, 0xad, 0x17, 0x6b, 0xd7, 0x7a, 0xb9, 0x76, 0xad, 0x3f, 0xd7, 0xae, 0xf5,
0xdb, 0x5f, 0x6e, 0xe5, 0xbb, 0x86, 0x21, 0xfe, 0x3b, 0x00, 0x00, 0xff, 0xff, 0xf4, 0xc2, 0x6f,
0x1b, 0x71, 0x07, 0x00, 0x00,
}

5
staging/src/k8s.io/api/admission/v1beta1/generated.proto
View File

@ -73,6 +73,11 @@ message AdmissionRequest {
// OldObject is the existing object. Only populated for UPDATE requests.
// +optional
optional k8s.io.apimachinery.pkg.runtime.RawExtension oldObject = 10;
// DryRun indicates that modifications will definitely not be persisted for this request.
// Defaults to false.
// +optional
optional bool dryRun = 11;
}
// AdmissionResponse describes an admission response.

4
staging/src/k8s.io/api/admission/v1beta1/types.go
View File

@ -71,6 +71,10 @@ type AdmissionRequest struct {
// OldObject is the existing object. Only populated for UPDATE requests.
// +optional
OldObject runtime.RawExtension `json:"oldObject,omitempty" protobuf:"bytes,10,opt,name=oldObject"`
// DryRun indicates that modifications will definitely not be persisted for this request.
// Defaults to false.
// +optional
DryRun *bool `json:"dryRun,omitempty" protobuf:"varint,11,opt,name=dryRun"`
}
// AdmissionResponse describes an admission response.

1
staging/src/k8s.io/api/admission/v1beta1/types_swagger_doc_generated.go generated
View File

@ -39,6 +39,7 @@ var map_AdmissionRequest = map[string]string{
"userInfo": "UserInfo is information about the requesting user",
"object": "Object is the object from the incoming request prior to default values being applied",
"oldObject": "OldObject is the existing object. Only populated for UPDATE requests.",
"dryRun": "DryRun indicates that modifications will definitely not be persisted for this request. Defaults to false.",
}
func (AdmissionRequest) SwaggerDoc() map[string]string {

5
staging/src/k8s.io/api/admission/v1beta1/zz_generated.deepcopy.go generated
View File

@ -33,6 +33,11 @@ func (in *AdmissionRequest) DeepCopyInto(out *AdmissionRequest) {
in.UserInfo.DeepCopyInto(&out.UserInfo)
in.Object.DeepCopyInto(&out.Object)
in.OldObject.DeepCopyInto(&out.OldObject)
if in.DryRun != nil {
in, out := &in.DryRun, &out.DryRun
*out = new(bool)
**out = **in
}
return
}

155
staging/src/k8s.io/api/admissionregistration/v1beta1/generated.pb.go generated
View File

@ -457,6 +457,12 @@ func (m *Webhook) MarshalTo(dAtA []byte) (int, error) {
}
i += n7
}
if m.SideEffects != nil {
dAtA[i] = 0x32
i++
i = encodeVarintGenerated(dAtA, i, uint64(len(*m.SideEffects)))
i += copy(dAtA[i:], *m.SideEffects)
}
return i, nil
}
@ -656,6 +662,10 @@ func (m *Webhook) Size() (n int) {
l = m.NamespaceSelector.Size()
n += 1 + l + sovGenerated(uint64(l))
}
if m.SideEffects != nil {
l = len(*m.SideEffects)
n += 1 + l + sovGenerated(uint64(l))
}
return n
}
@ -779,6 +789,7 @@ func (this *Webhook) String() string {
`Rules:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.Rules), "RuleWithOperations", "RuleWithOperations", 1), `&`, ``, 1) + `,`,
`FailurePolicy:` + valueToStringGenerated(this.FailurePolicy) + `,`,
`NamespaceSelector:` + strings.Replace(fmt.Sprintf("%v", this.NamespaceSelector), "LabelSelector", "k8s_io_apimachinery_pkg_apis_meta_v1.LabelSelector", 1) + `,`,
`SideEffects:` + valueToStringGenerated(this.SideEffects) + `,`,
`}`,
}, "")
return s
@ -1813,6 +1824,36 @@ func (m *Webhook) Unmarshal(dAtA []byte) error {
return err
}
iNdEx = postIndex
case 6:
if wireType != 2 {
return fmt.Errorf("proto: wrong wireType = %d for field SideEffects", wireType)
}
var stringLen uint64
for shift := uint(0); ; shift += 7 {
if shift >= 64 {
return ErrIntOverflowGenerated
}
if iNdEx >= l {
return io.ErrUnexpectedEOF
}
b := dAtA[iNdEx]
iNdEx++
stringLen |= (uint64(b) & 0x7F) << shift
if b < 0x80 {
break
}
}
intStringLen := int(stringLen)
if intStringLen < 0 {
return ErrInvalidLengthGenerated
}
postIndex := iNdEx + intStringLen
if postIndex > l {
return io.ErrUnexpectedEOF
}
s := SideEffectClass(dAtA[iNdEx:postIndex])
m.SideEffects = &s
iNdEx = postIndex
default:
iNdEx = preIndex
skippy, err := skipGenerated(dAtA[iNdEx:])
@ -2088,60 +2129,62 @@ func init() {
}
var fileDescriptorGenerated = []byte{
// 872 bytes of a gzipped FileDescriptorProto
0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xdc, 0x54, 0xcf, 0x8f, 0xdb, 0x44,
0x14, 0x8e, 0x9b, 0xac, 0x92, 0x4c, 0x12, 0xd1, 0x1d, 0x40, 0x0a, 0xab, 0xca, 0x8e, 0x72, 0x40,
0x91, 0x50, 0x6d, 0xb2, 0x20, 0x84, 0x10, 0x08, 0xad, 0x57, 0x2a, 0xac, 0xb4, 0x6d, 0xc3, 0x2c,
0xb4, 0x12, 0xe2, 0xc0, 0xc4, 0x79, 0xeb, 0x0c, 0xf1, 0x2f, 0x8d, 0xc7, 0x29, 0x7b, 0x43, 0xe2,
0x1f, 0x40, 0xe2, 0x8f, 0xe0, 0xaf, 0xe0, 0xbe, 0x37, 0x7a, 0x41, 0xf4, 0x64, 0xb1, 0xe6, 0xcc,
0x81, 0x6b, 0x4f, 0x68, 0xec, 0x49, 0x9c, 0x6c, 0xba, 0x69, 0x7a, 0xe1, 0xc0, 0xcd, 0xf3, 0xbd,
0xf9, 0xbe, 0xf7, 0xbe, 0xe7, 0xf7, 0x06, 0x7d, 0x31, 0xfb, 0x30, 0x36, 0x59, 0x68, 0xcd, 0x92,
0x31, 0xf0, 0x00, 0x04, 0xc4, 0xd6, 0x1c, 0x82, 0x49, 0xc8, 0x2d, 0x15, 0xa0, 0x11, 0xb3, 0xe8,
0xc4, 0x67, 0x71, 0xcc, 0xc2, 0x80, 0x83, 0xcb, 0x62, 0xc1, 0xa9, 0x60, 0x61, 0x60, 0xcd, 0x87,
0x63, 0x10, 0x74, 0x68, 0xb9, 0x10, 0x00, 0xa7, 0x02, 0x26, 0x66, 0xc4, 0x43, 0x11, 0xe2, 0x41,
0xc1, 0x34, 0x69, 0xc4, 0xcc, 0x17, 0x32, 0x4d, 0xc5, 0x3c, 0xb8, 0xeb, 0x32, 0x31, 0x4d, 0xc6,
0xa6, 0x13, 0xfa, 0x96, 0x1b, 0xba, 0xa1, 0x95, 0x0b, 0x8c, 0x93, 0xf3, 0xfc, 0x94, 0x1f, 0xf2,
0xaf, 0x42, 0xf8, 0xe0, 0xfd, 0xb2, 0x24, 0x9f, 0x3a, 0x53, 0x16, 0x00, 0xbf, 0xb0, 0xa2, 0x99,
0x2b, 0x81, 0xd8, 0xf2, 0x41, 0x50, 0x6b, 0xbe, 0x51, 0xce, 0x81, 0x75, 0x13, 0x8b, 0x27, 0x81,
0x60, 0x3e, 0x6c, 0x10, 0x3e, 0x78, 0x19, 0x21, 0x76, 0xa6, 0xe0, 0xd3, 0xeb, 0xbc, 0xfe, 0xef,
0x1a, 0xba, 0x73, 0x3f, 0x11, 0x54, 0xb0, 0xc0, 0x7d, 0x0c, 0xe3, 0x69, 0x18, 0xce, 0x8e, 0xc3,
0xe0, 0x9c, 0xb9, 0x49, 0x61, 0x1b, 0x7f, 0x8b, 0x1a, 0xb2, 0xc8, 0x09, 0x15, 0xb4, 0xab, 0xf5,
0xb4, 0x41, 0xeb, 0xf0, 0x5d, 0xb3, 0xec, 0xd5, 0x32, 0x97, 0x19, 0xcd, 0x5c, 0x09, 0xc4, 0xa6,
0xbc, 0x6d, 0xce, 0x87, 0xe6, 0xc3, 0xf1, 0x77, 0xe0, 0x88, 0xfb, 0x20, 0xa8, 0x8d, 0x2f, 0x53,
0xa3, 0x92, 0xa5, 0x06, 0x2a, 0x31, 0xb2, 0x54, 0xc5, 0x67, 0xa8, 0xa1, 0x32, 0xc7, 0xdd, 0x5b,
0xbd, 0xea, 0xa0, 0x75, 0x38, 0x34, 0x77, 0xfd, 0x1b, 0xa6, 0x62, 0xda, 0x35, 0x99, 0x82, 0x34,
0x9e, 0x28, 0xa1, 0xfe, 0xdf, 0x1a, 0xea, 0x6d, 0xf3, 0x75, 0xca, 0x62, 0x81, 0xbf, 0xd9, 0xf0,
0x66, 0xee, 0xe6, 0x4d, 0xb2, 0x73, 0x67, 0xb7, 0x95, 0xb3, 0xc6, 0x02, 0x59, 0xf1, 0x35, 0x43,
0x7b, 0x4c, 0x80, 0xbf, 0x30, 0x75, 0x6f, 0x77, 0x53, 0xdb, 0x0a, 0xb7, 0x3b, 0x2a, 0xe5, 0xde,
0x89, 0x14, 0x27, 0x45, 0x8e, 0xfe, 0xcf, 0x1a, 0xaa, 0x91, 0xc4, 0x03, 0xfc, 0x0e, 0x6a, 0xd2,
0x88, 0x7d, 0xc6, 0xc3, 0x24, 0x8a, 0xbb, 0x5a, 0xaf, 0x3a, 0x68, 0xda, 0x9d, 0x2c, 0x35, 0x9a,
0x47, 0xa3, 0x93, 0x02, 0x24, 0x65, 0x1c, 0x0f, 0x51, 0x8b, 0x46, 0xec, 0x11, 0x70, 0x59, 0x4a,
0x51, 0x68, 0xd3, 0x7e, 0x2d, 0x4b, 0x8d, 0xd6, 0xd1, 0xe8, 0x64, 0x01, 0x93, 0xd5, 0x3b, 0x52,
0x9f, 0x43, 0x1c, 0x26, 0xdc, 0x81, 0xb8, 0x5b, 0x2d, 0xf5, 0xc9, 0x02, 0x24, 0x65, 0xbc, 0xff,
0x8b, 0x86, 0xb0, 0xac, 0xea, 0x31, 0x13, 0xd3, 0x87, 0x11, 0x14, 0x0e, 0x62, 0xfc, 0x29, 0x42,
0xe1, 0xf2, 0xa4, 0x8a, 0x34, 0xf2, 0xf9, 0x58, 0xa2, 0xcf, 0x53, 0xa3, 0xb3, 0x3c, 0x7d, 0x79,
0x11, 0x01, 0x59, 0xa1, 0xe0, 0x11, 0xaa, 0xf1, 0xc4, 0x83, 0xee, 0xad, 0x8d, 0x9f, 0xf6, 0x92,
0xce, 0xca, 0x62, 0xec, 0xb6, 0xea, 0x60, 0xde, 0x30, 0x92, 0x2b, 0xf5, 0x7f, 0xd4, 0xd0, 0xed,
0x33, 0xe0, 0x73, 0xe6, 0x00, 0x81, 0x73, 0xe0, 0x10, 0x38, 0x80, 0x2d, 0xd4, 0x0c, 0xa8, 0x0f,
0x71, 0x44, 0x1d, 0xc8, 0x07, 0xa4, 0x69, 0xef, 0x2b, 0x6e, 0xf3, 0xc1, 0x22, 0x40, 0xca, 0x3b,
0xb8, 0x87, 0x6a, 0xf2, 0x90, 0xd7, 0xd5, 0x2c, 0xf3, 0xc8, 0xbb, 0x24, 0x8f, 0xe0, 0x3b, 0xa8,
0x16, 0x51, 0x31, 0xed, 0x56, 0xf3, 0x1b, 0x0d, 0x19, 0x1d, 0x51, 0x31, 0x25, 0x39, 0xda, 0xff,
0x43, 0x43, 0xfa, 0x23, 0xea, 0xb1, 0xc9, 0xff, 0x6e, 0x1f, 0xff, 0xd1, 0x50, 0x7f, 0xbb, 0xb3,
0xff, 0x60, 0x23, 0xfd, 0xf5, 0x8d, 0xfc, 0x7c, 0x77, 0x5b, 0xdb, 0x4b, 0xbf, 0x61, 0x27, 0x7f,
0xab, 0xa2, 0xba, 0xba, 0xbe, 0x9c, 0x0c, 0xed, 0xc6, 0xc9, 0x78, 0x82, 0xda, 0x8e, 0xc7, 0x20,
0x10, 0x85, 0xb4, 0x9a, 0xed, 0x4f, 0x5e, 0xb9, 0xf5, 0xc7, 0x2b, 0x22, 0xf6, 0x1b, 0x2a, 0x51,
0x7b, 0x15, 0x25, 0x6b, 0x89, 0x30, 0x45, 0x7b, 0x72, 0x05, 0x8a, 0x6d, 0x6e, 0x1d, 0x7e, 0xfc,
0x6a, 0xdb, 0xb4, 0xbe, 0xda, 0x65, 0x27, 0x64, 0x2c, 0x26, 0x85, 0x32, 0x3e, 0x45, 0x9d, 0x73,
0xca, 0xbc, 0x84, 0xc3, 0x28, 0xf4, 0x98, 0x73, 0xd1, 0xad, 0xe5, 0x6d, 0x78, 0x3b, 0x4b, 0x8d,
0xce, 0xbd, 0xd5, 0xc0, 0xf3, 0xd4, 0xd8, 0x5f, 0x03, 0xf2, 0xd5, 0x5f, 0x27, 0xe3, 0xef, 0xd1,
0xfe, 0x72, 0xe5, 0xce, 0xc0, 0x03, 0x47, 0x84, 0xbc, 0xbb, 0x97, 0xb7, 0xeb, 0xbd, 0x1d, 0xa7,
0x85, 0x8e, 0xc1, 0x5b, 0x50, 0xed, 0x37, 0xb3, 0xd4, 0xd8, 0x7f, 0x70, 0x5d, 0x91, 0x6c, 0x26,
0xe9, 0xff, 0xaa, 0xa1, 0xd7, 0x5f, 0xd0, 0x66, 0x4c, 0x51, 0x3d, 0x2e, 0x1e, 0x0f, 0x35, 0xb5,
0x1f, 0xed, 0xde, 0xc4, 0xeb, 0xaf, 0x8e, 0xdd, 0xca, 0x52, 0xa3, 0xbe, 0x40, 0x17, 0xba, 0x78,
0x80, 0x1a, 0x0e, 0xb5, 0x93, 0x60, 0xa2, 0x9e, 0xbd, 0xb6, 0xdd, 0x96, 0x53, 0x7e, 0x7c, 0x54,
0x60, 0x64, 0x19, 0xc5, 0x6f, 0xa1, 0x6a, 0xc2, 0x3d, 0xf5, 0xc2, 0xd4, 0xb3, 0xd4, 0xa8, 0x7e,
0x45, 0x4e, 0x89, 0xc4, 0xec, 0xbb, 0x97, 0x57, 0x7a, 0xe5, 0xe9, 0x95, 0x5e, 0x79, 0x76, 0xa5,
0x57, 0x7e, 0xc8, 0x74, 0xed, 0x32, 0xd3, 0xb5, 0xa7, 0x99, 0xae, 0x3d, 0xcb, 0x74, 0xed, 0xcf,
0x4c, 0xd7, 0x7e, 0xfa, 0x4b, 0xaf, 0x7c, 0x5d, 0x57, 0xa5, 0xfd, 0x1b, 0x00, 0x00, 0xff, 0xff,
0xeb, 0x1f, 0xdb, 0x50, 0x68, 0x09, 0x00, 0x00,
// 906 bytes of a gzipped FileDescriptorProto
0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xdc, 0x54, 0xcf, 0x6f, 0xe3, 0x44,
0x14, 0x8e, 0x37, 0x29, 0x49, 0x26, 0x89, 0x76, 0x3b, 0x80, 0x14, 0xaa, 0x95, 0x1d, 0xe5, 0x80,
0x22, 0xa1, 0xb5, 0x49, 0x41, 0x08, 0x21, 0x10, 0xaa, 0x0b, 0x0b, 0x95, 0xba, 0xbb, 0x61, 0x0a,
0xbb, 0x12, 0xe2, 0xc0, 0xc4, 0x79, 0x49, 0x86, 0xf8, 0x97, 0x66, 0xc6, 0x59, 0x7a, 0x43, 0xe2,
0x1f, 0x40, 0x42, 0xfc, 0x0d, 0xfc, 0x15, 0xdc, 0x7b, 0xdc, 0x0b, 0x62, 0x4f, 0x16, 0x35, 0x67,
0x0e, 0x5c, 0x7b, 0x42, 0x63, 0x3b, 0x71, 0xd2, 0x6c, 0xbb, 0xe9, 0x85, 0x03, 0x37, 0xcf, 0xf7,
0xe6, 0xfb, 0xde, 0xfb, 0x9e, 0xdf, 0x1b, 0xf4, 0xc5, 0xec, 0x7d, 0x61, 0xb2, 0xc0, 0x9a, 0x45,
0x43, 0xe0, 0x3e, 0x48, 0x10, 0xd6, 0x1c, 0xfc, 0x51, 0xc0, 0xad, 0x3c, 0x40, 0x43, 0x66, 0xd1,
0x91, 0xc7, 0x84, 0x60, 0x81, 0xcf, 0x61, 0xc2, 0x84, 0xe4, 0x54, 0xb2, 0xc0, 0xb7, 0xe6, 0xfd,
0x21, 0x48, 0xda, 0xb7, 0x26, 0xe0, 0x03, 0xa7, 0x12, 0x46, 0x66, 0xc8, 0x03, 0x19, 0xe0, 0x5e,
0xc6, 0x34, 0x69, 0xc8, 0xcc, 0x17, 0x32, 0xcd, 0x9c, 0xb9, 0x77, 0x6f, 0xc2, 0xe4, 0x34, 0x1a,
0x9a, 0x4e, 0xe0, 0x59, 0x93, 0x60, 0x12, 0x58, 0xa9, 0xc0, 0x30, 0x1a, 0xa7, 0xa7, 0xf4, 0x90,
0x7e, 0x65, 0xc2, 0x7b, 0xef, 0x16, 0x25, 0x79, 0xd4, 0x99, 0x32, 0x1f, 0xf8, 0xa9, 0x15, 0xce,
0x26, 0x0a, 0x10, 0x96, 0x07, 0x92, 0x5a, 0xf3, 0x8d, 0x72, 0xf6, 0xac, 0xab, 0x58, 0x3c, 0xf2,
0x25, 0xf3, 0x60, 0x83, 0xf0, 0xde, 0xcb, 0x08, 0xc2, 0x99, 0x82, 0x47, 0x2f, 0xf3, 0xba, 0xbf,
0x6b, 0xe8, 0xee, 0x83, 0x48, 0x52, 0xc9, 0xfc, 0xc9, 0x13, 0x18, 0x4e, 0x83, 0x60, 0x76, 0x18,
0xf8, 0x63, 0x36, 0x89, 0x32, 0xdb, 0xf8, 0x5b, 0x54, 0x53, 0x45, 0x8e, 0xa8, 0xa4, 0x6d, 0xad,
0xa3, 0xf5, 0x1a, 0xfb, 0x6f, 0x9b, 0x45, 0xaf, 0x96, 0xb9, 0xcc, 0x70, 0x36, 0x51, 0x80, 0x30,
0xd5, 0x6d, 0x73, 0xde, 0x37, 0x1f, 0x0d, 0xbf, 0x03, 0x47, 0x3e, 0x00, 0x49, 0x6d, 0x7c, 0x16,
0x1b, 0xa5, 0x24, 0x36, 0x50, 0x81, 0x91, 0xa5, 0x2a, 0x3e, 0x41, 0xb5, 0x3c, 0xb3, 0x68, 0xdf,
0xea, 0x94, 0x7b, 0x8d, 0xfd, 0xbe, 0xb9, 0xed, 0xdf, 0x30, 0x73, 0xa6, 0x5d, 0x51, 0x29, 0x48,
0xed, 0x69, 0x2e, 0xd4, 0xfd, 0x5b, 0x43, 0x9d, 0xeb, 0x7c, 0x1d, 0x33, 0x21, 0xf1, 0x37, 0x1b,
0xde, 0xcc, 0xed, 0xbc, 0x29, 0x76, 0xea, 0xec, 0x4e, 0xee, 0xac, 0xb6, 0x40, 0x56, 0x7c, 0xcd,
0xd0, 0x0e, 0x93, 0xe0, 0x2d, 0x4c, 0xdd, 0xdf, 0xde, 0xd4, 0x75, 0x85, 0xdb, 0xad, 0x3c, 0xe5,
0xce, 0x91, 0x12, 0x27, 0x59, 0x8e, 0xee, 0xcf, 0x1a, 0xaa, 0x90, 0xc8, 0x05, 0xfc, 0x16, 0xaa,
0xd3, 0x90, 0x7d, 0xc6, 0x83, 0x28, 0x14, 0x6d, 0xad, 0x53, 0xee, 0xd5, 0xed, 0x56, 0x12, 0x1b,
0xf5, 0x83, 0xc1, 0x51, 0x06, 0x92, 0x22, 0x8e, 0xfb, 0xa8, 0x41, 0x43, 0xf6, 0x18, 0xb8, 0x2a,
0x25, 0x2b, 0xb4, 0x6e, 0xdf, 0x4e, 0x62, 0xa3, 0x71, 0x30, 0x38, 0x5a, 0xc0, 0x64, 0xf5, 0x8e,
0xd2, 0xe7, 0x20, 0x82, 0x88, 0x3b, 0x20, 0xda, 0xe5, 0x42, 0x9f, 0x2c, 0x40, 0x52, 0xc4, 0xbb,
0xbf, 0x6a, 0x08, 0xab, 0xaa, 0x9e, 0x30, 0x39, 0x7d, 0x14, 0x42, 0xe6, 0x40, 0xe0, 0x8f, 0x11,
0x0a, 0x96, 0xa7, 0xbc, 0x48, 0x23, 0x9d, 0x8f, 0x25, 0x7a, 0x11, 0x1b, 0xad, 0xe5, 0xe9, 0xcb,
0xd3, 0x10, 0xc8, 0x0a, 0x05, 0x0f, 0x50, 0x85, 0x47, 0x2e, 0xb4, 0x6f, 0x6d, 0xfc, 0xb4, 0x97,
0x74, 0x56, 0x15, 0x63, 0x37, 0xf3, 0x0e, 0xa6, 0x0d, 0x23, 0xa9, 0x52, 0xf7, 0x47, 0x0d, 0xdd,
0x39, 0x01, 0x3e, 0x67, 0x0e, 0x10, 0x18, 0x03, 0x07, 0xdf, 0x01, 0x6c, 0xa1, 0xba, 0x4f, 0x3d,
0x10, 0x21, 0x75, 0x20, 0x1d, 0x90, 0xba, 0xbd, 0x9b, 0x73, 0xeb, 0x0f, 0x17, 0x01, 0x52, 0xdc,
0xc1, 0x1d, 0x54, 0x51, 0x87, 0xb4, 0xae, 0x7a, 0x91, 0x47, 0xdd, 0x25, 0x69, 0x04, 0xdf, 0x45,
0x95, 0x90, 0xca, 0x69, 0xbb, 0x9c, 0xde, 0xa8, 0xa9, 0xe8, 0x80, 0xca, 0x29, 0x49, 0xd1, 0xee,
0x1f, 0x1a, 0xd2, 0x1f, 0x53, 0x97, 0x8d, 0xfe, 0x77, 0xfb, 0xf8, 0x8f, 0x86, 0xba, 0xd7, 0x3b,
0xfb, 0x0f, 0x36, 0xd2, 0x5b, 0xdf, 0xc8, 0xcf, 0xb7, 0xb7, 0x75, 0x7d, 0xe9, 0x57, 0xec, 0xe4,
0x2f, 0x15, 0x54, 0xcd, 0xaf, 0x2f, 0x27, 0x43, 0xbb, 0x72, 0x32, 0x9e, 0xa2, 0xa6, 0xe3, 0x32,
0xf0, 0x65, 0x26, 0x9d, 0xcf, 0xf6, 0x47, 0x37, 0x6e, 0xfd, 0xe1, 0x8a, 0x88, 0xfd, 0x5a, 0x9e,
0xa8, 0xb9, 0x8a, 0x92, 0xb5, 0x44, 0x98, 0xa2, 0x1d, 0xb5, 0x02, 0xd9, 0x36, 0x37, 0xf6, 0x3f,
0xbc, 0xd9, 0x36, 0xad, 0xaf, 0x76, 0xd1, 0x09, 0x15, 0x13, 0x24, 0x53, 0xc6, 0xc7, 0xa8, 0x35,
0xa6, 0xcc, 0x8d, 0x38, 0x0c, 0x02, 0x97, 0x39, 0xa7, 0xed, 0x4a, 0xda, 0x86, 0x37, 0x93, 0xd8,
0x68, 0xdd, 0x5f, 0x0d, 0x5c, 0xc4, 0xc6, 0xee, 0x1a, 0x90, 0xae, 0xfe, 0x3a, 0x19, 0x7f, 0x8f,
0x76, 0x97, 0x2b, 0x77, 0x02, 0x2e, 0x38, 0x32, 0xe0, 0xed, 0x9d, 0xb4, 0x5d, 0xef, 0x6c, 0x39,
0x2d, 0x74, 0x08, 0xee, 0x82, 0x6a, 0xbf, 0x9e, 0xc4, 0xc6, 0xee, 0xc3, 0xcb, 0x8a, 0x64, 0x33,
0x09, 0xfe, 0x04, 0x35, 0x04, 0x1b, 0xc1, 0xa7, 0xe3, 0x31, 0x38, 0x52, 0xb4, 0x5f, 0x49, 0x5d,
0x74, 0xd5, 0x7b, 0x79, 0x52, 0xc0, 0x17, 0xb1, 0x71, 0xbb, 0x38, 0x1e, 0xba, 0x54, 0x08, 0xb2,
0x4a, 0xeb, 0xfe, 0xa6, 0xa1, 0x57, 0x5f, 0xf0, 0xb3, 0x30, 0x45, 0x55, 0x91, 0x3d, 0x41, 0xf9,
0xec, 0x7f, 0xb0, 0xfd, 0xaf, 0xb8, 0xfc, 0x76, 0xd9, 0x8d, 0x24, 0x36, 0xaa, 0x0b, 0x74, 0xa1,
0x8b, 0x7b, 0xa8, 0xe6, 0x50, 0x3b, 0xf2, 0x47, 0xf9, 0xe3, 0xd9, 0xb4, 0x9b, 0x6a, 0x57, 0x0e,
0x0f, 0x32, 0x8c, 0x2c, 0xa3, 0xf8, 0x0d, 0x54, 0x8e, 0xb8, 0x9b, 0xbf, 0x53, 0xd5, 0x24, 0x36,
0xca, 0x5f, 0x91, 0x63, 0xa2, 0x30, 0xfb, 0xde, 0xd9, 0xb9, 0x5e, 0x7a, 0x76, 0xae, 0x97, 0x9e,
0x9f, 0xeb, 0xa5, 0x1f, 0x12, 0x5d, 0x3b, 0x4b, 0x74, 0xed, 0x59, 0xa2, 0x6b, 0xcf, 0x13, 0x5d,
0xfb, 0x33, 0xd1, 0xb5, 0x9f, 0xfe, 0xd2, 0x4b, 0x5f, 0x57, 0xf3, 0xd2, 0xfe, 0x0d, 0x00, 0x00,
0xff, 0xff, 0x85, 0x06, 0x8c, 0x7f, 0xae, 0x09, 0x00, 0x00,
}

9
staging/src/k8s.io/api/admissionregistration/v1beta1/generated.proto
View File

@ -208,6 +208,15 @@ message Webhook {
// Default to the empty LabelSelector, which matches everything.
// +optional
optional k8s.io.apimachinery.pkg.apis.meta.v1.LabelSelector namespaceSelector = 5;
// SideEffects states whether this webhookk has side effects.
// Acceptable values are: Unknown, None, Some, NoneOnDryRun
// Webhooks with side effects MUST implement a reconciliation system, since a request may be
// rejected by a future step in the admission change and the side effects therefore need to be undone.
// Requests with the dryRun attribute will be auto-rejected if they match a webhook with
// sideEffects == Unknown or Some. Defaults to Unknown.
// +optional
optional string sideEffects = 6;
}
// WebhookClientConfig contains the information to make a TLS

25
staging/src/k8s.io/api/admissionregistration/v1beta1/types.go
View File

@ -60,6 +60,22 @@ const (
Fail FailurePolicyType = "Fail"
)
type SideEffectClass string
const (
// SideEffectClassUnknown means that no information is known about the side effects of calling the webhook.
// If a request with the dry-run attribute would trigger a call to this webhook, the request will instead fail.
SideEffectClassUnknown SideEffectClass = "Unknown"
// SideEffectClassNone means that calling the webhook will have no side effects.
SideEffectClassNone SideEffectClass = "None"
// SideEffectClassSome means that calling the webhook will possibly have side effects.
// If a request with the dry-run attribute would trigger a call to this webhook, the request will instead fail.
SideEffectClassSome SideEffectClass = "Some"
// SideEffectClassNoneOnDryRun means that calling the webhook will possibly have side effects, but if the
// request being reviewed has the dry-run attribute, the side effects will be suppressed.
SideEffectClassNoneOnDryRun SideEffectClass = "NoneOnDryRun"
)
// +genclient
// +genclient:nonNamespaced
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
@ -191,6 +207,15 @@ type Webhook struct {
// Default to the empty LabelSelector, which matches everything.
// +optional
NamespaceSelector *metav1.LabelSelector `json:"namespaceSelector,omitempty" protobuf:"bytes,5,opt,name=namespaceSelector"`
// SideEffects states whether this webhookk has side effects.
// Acceptable values are: Unknown, None, Some, NoneOnDryRun
// Webhooks with side effects MUST implement a reconciliation system, since a request may be
// rejected by a future step in the admission change and the side effects therefore need to be undone.
// Requests with the dryRun attribute will be auto-rejected if they match a webhook with
// sideEffects == Unknown or Some. Defaults to Unknown.
// +optional
SideEffects *SideEffectClass `json:"sideEffects,omitempty" protobuf:"bytes,6,opt,name=sideEffects,casttype=SideEffectClass"`
}
// RuleWithOperations is a tuple of Operations and Resources. It is recommended to make

1
staging/src/k8s.io/api/admissionregistration/v1beta1/types_swagger_doc_generated.go generated
View File

@ -105,6 +105,7 @@ var map_Webhook = map[string]string{
"rules": "Rules describes what operations on what resources/subresources the webhook cares about. The webhook cares about an operation if it matches _any_ Rule. However, in order to prevent ValidatingAdmissionWebhooks and MutatingAdmissionWebhooks from putting the cluster in a state which cannot be recovered from without completely disabling the plugin, ValidatingAdmissionWebhooks and MutatingAdmissionWebhooks are never called on admission requests for ValidatingWebhookConfiguration and MutatingWebhookConfiguration objects.",
"failurePolicy": "FailurePolicy defines how unrecognized errors from the admission endpoint are handled - allowed values are Ignore or Fail. Defaults to Ignore.",
"namespaceSelector": "NamespaceSelector decides whether to run the webhook on an object based on whether the namespace for that object matches the selector. If the object itself is a namespace, the matching is performed on object.metadata.labels. If the object is another cluster scoped resource, it never skips the webhook.\n\nFor example, to run the webhook on any objects whose namespace is not associated with \"runlevel\" of \"0\" or \"1\"; you will set the selector as follows: \"namespaceSelector\": {\n \"matchExpressions\": [\n {\n \"key\": \"runlevel\",\n \"operator\": \"NotIn\",\n \"values\": [\n \"0\",\n \"1\"\n ]\n }\n ]\n}\n\nIf instead you want to only run the webhook on any objects whose namespace is associated with the \"environment\" of \"prod\" or \"staging\"; you will set the selector as follows: \"namespaceSelector\": {\n \"matchExpressions\": [\n {\n \"key\": \"environment\",\n \"operator\": \"In\",\n \"values\": [\n \"prod\",\n \"staging\"\n ]\n }\n ]\n}\n\nSee https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ for more examples of label selectors.\n\nDefault to the empty LabelSelector, which matches everything.",
"sideEffects": "SideEffects states whether this webhookk has side effects. Acceptable values are: Unknown, None, Some, NoneOnDryRun Webhooks with side effects MUST implement a reconciliation system, since a request may be rejected by a future step in the admission change and the side effects therefore need to be undone. Requests with the dryRun attribute will be auto-rejected if they match a webhook with sideEffects == Unknown or Some. Defaults to Unknown.",
}
func (Webhook) SwaggerDoc() map[string]string {

5
staging/src/k8s.io/api/admissionregistration/v1beta1/zz_generated.deepcopy.go generated
View File

@ -252,6 +252,11 @@ func (in *Webhook) DeepCopyInto(out *Webhook) {
*out = new(v1.LabelSelector)
(*in).DeepCopyInto(*out)
}
if in.SideEffects != nil {
in, out := &in.SideEffects, &out.SideEffects
*out = new(SideEffectClass)
**out = **in
}
return
}

8
staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook/mutating/dispatcher.go
View File

@ -83,8 +83,12 @@ func (a *mutatingDispatcher) Dispatch(ctx context.Context, attr *generic.Version
// note that callAttrMutatingHook updates attr
func (a *mutatingDispatcher) callAttrMutatingHook(ctx context.Context, h *v1beta1.Webhook, attr *generic.VersionedAttributes) error {
if attr.IsDryRun() {
// TODO: support this
return webhookerrors.NewDryRunUnsupportedErr(h.Name)
if h.SideEffects == nil {
return &webhookerrors.ErrCallingWebhook{WebhookName: h.Name, Reason: fmt.Errorf("Webhook SideEffects is nil")}
}
if !(*h.SideEffects == v1beta1.SideEffectClassNone || *h.SideEffects == v1beta1.SideEffectClassNoneOnDryRun) {
return webhookerrors.NewDryRunUnsupportedErr(h.Name)
}
}
// Make the webhook request

2
staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook/request/admissionreview.go
View File

@ -36,6 +36,7 @@ func CreateAdmissionReview(attr *generic.VersionedAttributes) admissionv1beta1.A
UID: aUserInfo.GetUID(),
Username: aUserInfo.GetName(),
}
dryRun := attr.IsDryRun()
// Convert the extra information in the user object
for key, val := range aUserInfo.GetExtra() {
@ -66,6 +67,7 @@ func CreateAdmissionReview(attr *generic.VersionedAttributes) admissionv1beta1.A
OldObject: runtime.RawExtension{
Object: attr.VersionedOldObject,
},
DryRun: &dryRun,
},
}
}

52
staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook/testing/testcase.go
View File

@ -43,6 +43,11 @@ var matchEverythingRules = []registrationv1beta1.RuleWithOperations{{
},
}}
var sideEffectsUnknown registrationv1beta1.SideEffectClass = registrationv1beta1.SideEffectClassUnknown
var sideEffectsNone registrationv1beta1.SideEffectClass = registrationv1beta1.SideEffectClassNone
var sideEffectsSome registrationv1beta1.SideEffectClass = registrationv1beta1.SideEffectClassSome
var sideEffectsNoneOnDryRun registrationv1beta1.SideEffectClass = registrationv1beta1.SideEffectClassNoneOnDryRun
// NewFakeDataSource returns a mock client and informer returning the given webhooks.
func NewFakeDataSource(name string, webhooks []registrationv1beta1.Webhook, mutating bool, stopCh <-chan struct{}) (clientset kubernetes.Interface, factory informers.SharedInformerFactory) {
var objs = []runtime.Object{
@ -388,26 +393,66 @@ func NewNonMutatingTestCases(url *url.URL) []Test {
Name: "no match dry run",
Webhooks: []registrationv1beta1.Webhook{{
Name: "nomatch",
ClientConfig: ccfgSVC("disallow"),
ClientConfig: ccfgSVC("allow"),
Rules: []registrationv1beta1.RuleWithOperations{{
Operations: []registrationv1beta1.OperationType{registrationv1beta1.Create},
}},
NamespaceSelector: &metav1.LabelSelector{},
SideEffects: &sideEffectsSome,
}},
IsDryRun: true,
ExpectAllow: true,
},
{
Name: "match dry run",
Name: "match dry run side effects Unknown",
Webhooks: []registrationv1beta1.Webhook{{
Name: "allow",
ClientConfig: ccfgSVC("allow"),
Rules: matchEverythingRules,
NamespaceSelector: &metav1.LabelSelector{},
SideEffects: &sideEffectsUnknown,
}},
IsDryRun: true,
ErrorContains: "does not support dry run",
},
{
Name: "match dry run side effects None",
Webhooks: []registrationv1beta1.Webhook{{
Name: "allow",
ClientConfig: ccfgSVC("allow"),
Rules: matchEverythingRules,
NamespaceSelector: &metav1.LabelSelector{},
SideEffects: &sideEffectsNone,
}},
IsDryRun: true,
ExpectAllow: true,
ExpectAnnotations: map[string]string{"allow/key1": "value1"},
},
{
Name: "match dry run side effects Some",
Webhooks: []registrationv1beta1.Webhook{{
Name: "allow",
ClientConfig: ccfgSVC("allow"),
Rules: matchEverythingRules,
NamespaceSelector: &metav1.LabelSelector{},
SideEffects: &sideEffectsSome,
}},
IsDryRun: true,
ErrorContains: "does not support dry run",
},
{
Name: "match dry run side effects NoneOnDryRun",
Webhooks: []registrationv1beta1.Webhook{{
Name: "allow",
ClientConfig: ccfgSVC("allow"),
Rules: matchEverythingRules,
NamespaceSelector: &metav1.LabelSelector{},
SideEffects: &sideEffectsNoneOnDryRun,
}},
IsDryRun: true,
ExpectAllow: true,
ExpectAnnotations: map[string]string{"allow/key1": "value1"},
},
{
Name: "illegal annotation format",
Webhooks: []registrationv1beta1.Webhook{{
@ -489,12 +534,13 @@ func NewMutatingTestCases(url *url.URL) []Test {
ErrorContains: "invalid character",
},
{
Name: "match & remove label dry run",
Name: "match & remove label dry run unsupported",
Webhooks: []registrationv1beta1.Webhook{{
Name: "removeLabel",
ClientConfig: ccfgSVC("removeLabel"),
Rules: matchEverythingRules,
NamespaceSelector: &metav1.LabelSelector{},
SideEffects: &sideEffectsUnknown,
}},
IsDryRun: true,
ErrorContains: "does not support dry run",

8
staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook/validating/dispatcher.go
View File

@ -98,8 +98,12 @@ func (d *validatingDispatcher) Dispatch(ctx context.Context, attr *generic.Versi
func (d *validatingDispatcher) callHook(ctx context.Context, h *v1beta1.Webhook, attr *generic.VersionedAttributes) error {
if attr.IsDryRun() {
// TODO: support this
return webhookerrors.NewDryRunUnsupportedErr(h.Name)
if h.SideEffects == nil {
return &webhookerrors.ErrCallingWebhook{WebhookName: h.Name, Reason: fmt.Errorf("Webhook SideEffects is nil")}
}
if !(*h.SideEffects == v1beta1.SideEffectClassNone || *h.SideEffects == v1beta1.SideEffectClassNoneOnDryRun) {
return webhookerrors.NewDryRunUnsupportedErr(h.Name)
}
}
// Make the webhook request