Admission request/response handling

AdmissionResponse allows mutating webhook to send apiserver a json patch to mutate the object. This reflects the imperative nature of AdmissionReview. It adds AdmissionRequest and AdmissionResponse in place of status/spec. The AdmissionResponse the allows the mutating webhook to send back a json path with the mutated version of the requested object. Fixed the integration test to clean up properly. Switched test image to 1.8v5 to reflect API changes. Make sure to cache test framework client for cleaup test code. Switched to pointer for patch type. Factored in @liggitt's feedback. Factored in @lavalamp's feedback.
2017-11-06 15:41:26 -08:00 · 2017-11-06 15:41:26 -08:00 · dac3c2e168
parent 3ec7487c0f
commit dac3c2e168
18 changed files with 1126 additions and 763 deletions
--- a/pkg/apis/admission/BUILD
+++ b/pkg/apis/admission/BUILD
@ -19,6 +19,7 @@ go_library(
        "//vendor/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
        "//vendor/k8s.io/apimachinery/pkg/runtime:go_default_library",
        "//vendor/k8s.io/apimachinery/pkg/runtime/schema:go_default_library",
+        "//vendor/k8s.io/apimachinery/pkg/types:go_default_library",
    ],
 )

--- a/pkg/apis/admission/types.go
+++ b/pkg/apis/admission/types.go
@ -19,38 +19,34 @@ package admission
 import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/kubernetes/pkg/apis/authentication"
 )

 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

-// AdmissionReview describes an admission request.
+// AdmissionReview describes an admission review request/response.
 type AdmissionReview struct {
 	metav1.TypeMeta

-	// Spec describes the attributes for the admission request.
-	// Since this admission controller is non-mutating the webhook should avoid setting this in its response to avoid the
-	// cost of deserializing it.
-	Spec AdmissionReviewSpec
-	// Status is filled in by the webhook and indicates whether the admission request should be permitted.
-	Status AdmissionReviewStatus
+	// Request describes the attributes for the admission request.
+	// +optional
+	Request *AdmissionRequest
+
+	// Response describes the attributes for the admission response.
+	// +optional
+	Response *AdmissionResponse
 }

-// AdmissionReviewSpec describes the admission.Attributes for the admission request.
-type AdmissionReviewSpec struct {
+// AdmissionRequest describes the admission.Attributes for the admission request.
+type AdmissionRequest struct {
+	// UID is an identifier for the individual request/response. It allows us to distinguish instances of requests which are
+	// otherwise identical (parallel requests, requests when earlier requests did not modify etc)
+	// The UID is meant to track the round trip (request/response) between the KAS and the WebHook, not the user request.
+	// It is suitable for correlating log entries between the webhook and apiserver, for either auditing or debugging.
+	UID types.UID
 	// Kind is the type of object being manipulated.  For example: Pod
 	Kind metav1.GroupVersionKind
-	// Name is the name of the object as presented in the request.  On a CREATE operation, the client may omit name and
-	// rely on the server to generate the name.  If that is the case, this method will return the empty string.
-	Name string
-	// Namespace is the namespace associated with the request (if any).
-	Namespace string
-	// Object is the object from the incoming request prior to default values being applied
-	Object runtime.Object
-	// OldObject is the existing object. Only populated for UPDATE requests.
-	OldObject runtime.Object
-	// Operation is the operation being performed
-	Operation Operation
 	// Resource is the name of the resource being requested.  This is not the kind.  For example: pods
 	Resource metav1.GroupVersionResource
 	// SubResource is the name of the subresource being requested.  This is a different resource, scoped to the parent
@ -58,21 +54,54 @@ type AdmissionReviewSpec struct {
 	// /pods/foo/status has the resource "pods", the sub resource "status", and the kind "Pod" (because status operates on
 	// pods). The binding resource for a pod though may be /pods/foo/binding, which has resource "pods", subresource
 	// "binding", and kind "Binding".
+	// +optional
 	SubResource string
+	// Name is the name of the object as presented in the request.  On a CREATE operation, the client may omit name and
+	// rely on the server to generate the name.  If that is the case, this method will return the empty string.
+	// +optional
+	Name string
+	// Namespace is the namespace associated with the request (if any).
+	// +optional
+	Namespace string
+	// Operation is the operation being performed
+	Operation Operation
 	// UserInfo is information about the requesting user
 	UserInfo authentication.UserInfo
+	// Object is the object from the incoming request prior to default values being applied
+	// +optional
+	Object runtime.Object
+	// OldObject is the existing object. Only populated for UPDATE requests.
+	// +optional
+	OldObject runtime.Object
 }

-// AdmissionReviewStatus describes the status of the admission request.
-type AdmissionReviewStatus struct {
+// AdmissionResponse describes an admission response.
+type AdmissionResponse struct {
+	// UID is an identifier for the individual request/response.
+	// This should be copied over from the corresponding AdmissionRequest.
+	UID types.UID
 	// Allowed indicates whether or not the admission request was permitted.
 	Allowed bool
 	// Result contains extra details into why an admission request was denied.
 	// This field IS NOT consulted in any way if "Allowed" is "true".
 	// +optional
 	Result *metav1.Status
+	// Patch contains the actual patch. Currently we only support a response in the form of JSONPatch, RFC 6902.
+	// +optional
+	Patch []byte
+	// PatchType indicates the form the Patch will take. Currently we only support "JSONPatch".
+	// +optional
+	PatchType *PatchType
 }

+// PatchType is the type of patch being used to represent the mutated object
+type PatchType string
+
+// PatchType constants.
+const (
+	PatchTypeJSONPatch PatchType = "JSONPatch"
+)
+
 // Operation is the type of resource operation being checked for admission control
 type Operation string

--- a/pkg/apis/admission/v1alpha1/BUILD
+++ b/pkg/apis/admission/v1alpha1/BUILD
@ -21,6 +21,7 @@ go_library(
        "//vendor/k8s.io/apimachinery/pkg/conversion:go_default_library",
        "//vendor/k8s.io/apimachinery/pkg/runtime:go_default_library",
        "//vendor/k8s.io/apimachinery/pkg/runtime/schema:go_default_library",
+        "//vendor/k8s.io/apimachinery/pkg/types:go_default_library",
    ],
 )

--- a/pkg/apis/admission/v1alpha1/zz_generated.conversion.go
+++ b/pkg/apis/admission/v1alpha1/zz_generated.conversion.go
@ -25,6 +25,7 @@ import (
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	conversion "k8s.io/apimachinery/pkg/conversion"
 	runtime "k8s.io/apimachinery/pkg/runtime"
+	types "k8s.io/apimachinery/pkg/types"
 	admission "k8s.io/kubernetes/pkg/apis/admission"
 	unsafe "unsafe"
 )
@ -37,22 +38,106 @@ func init() {
 // Public to allow building arbitrary schemes.
 func RegisterConversions(scheme *runtime.Scheme) error {
 	return scheme.AddGeneratedConversionFuncs(
+		Convert_v1alpha1_AdmissionRequest_To_admission_AdmissionRequest,
+		Convert_admission_AdmissionRequest_To_v1alpha1_AdmissionRequest,
+		Convert_v1alpha1_AdmissionResponse_To_admission_AdmissionResponse,
+		Convert_admission_AdmissionResponse_To_v1alpha1_AdmissionResponse,
 		Convert_v1alpha1_AdmissionReview_To_admission_AdmissionReview,
 		Convert_admission_AdmissionReview_To_v1alpha1_AdmissionReview,
-		Convert_v1alpha1_AdmissionReviewSpec_To_admission_AdmissionReviewSpec,
-		Convert_admission_AdmissionReviewSpec_To_v1alpha1_AdmissionReviewSpec,
-		Convert_v1alpha1_AdmissionReviewStatus_To_admission_AdmissionReviewStatus,
-		Convert_admission_AdmissionReviewStatus_To_v1alpha1_AdmissionReviewStatus,
 	)
 }

+func autoConvert_v1alpha1_AdmissionRequest_To_admission_AdmissionRequest(in *v1alpha1.AdmissionRequest, out *admission.AdmissionRequest, s conversion.Scope) error {
+	out.UID = types.UID(in.UID)
+	out.Kind = in.Kind
+	out.Resource = in.Resource
+	out.SubResource = in.SubResource
+	out.Name = in.Name
+	out.Namespace = in.Namespace
+	out.Operation = admission.Operation(in.Operation)
+	// TODO: Inefficient conversion - can we improve it?
+	if err := s.Convert(&in.UserInfo, &out.UserInfo, 0); err != nil {
+		return err
+	}
+	if err := runtime.Convert_runtime_RawExtension_To_runtime_Object(&in.Object, &out.Object, s); err != nil {
+		return err
+	}
+	if err := runtime.Convert_runtime_RawExtension_To_runtime_Object(&in.OldObject, &out.OldObject, s); err != nil {
+		return err
+	}
+	return nil
+}
+
+// Convert_v1alpha1_AdmissionRequest_To_admission_AdmissionRequest is an autogenerated conversion function.
+func Convert_v1alpha1_AdmissionRequest_To_admission_AdmissionRequest(in *v1alpha1.AdmissionRequest, out *admission.AdmissionRequest, s conversion.Scope) error {
+	return autoConvert_v1alpha1_AdmissionRequest_To_admission_AdmissionRequest(in, out, s)
+}
+
+func autoConvert_admission_AdmissionRequest_To_v1alpha1_AdmissionRequest(in *admission.AdmissionRequest, out *v1alpha1.AdmissionRequest, s conversion.Scope) error {
+	out.UID = types.UID(in.UID)
+	out.Kind = in.Kind
+	out.Resource = in.Resource
+	out.SubResource = in.SubResource
+	out.Name = in.Name
+	out.Namespace = in.Namespace
+	out.Operation = v1alpha1.Operation(in.Operation)
+	// TODO: Inefficient conversion - can we improve it?
+	if err := s.Convert(&in.UserInfo, &out.UserInfo, 0); err != nil {
+		return err
+	}
+	if err := runtime.Convert_runtime_Object_To_runtime_RawExtension(&in.Object, &out.Object, s); err != nil {
+		return err
+	}
+	if err := runtime.Convert_runtime_Object_To_runtime_RawExtension(&in.OldObject, &out.OldObject, s); err != nil {
+		return err
+	}
+	return nil
+}
+
+// Convert_admission_AdmissionRequest_To_v1alpha1_AdmissionRequest is an autogenerated conversion function.
+func Convert_admission_AdmissionRequest_To_v1alpha1_AdmissionRequest(in *admission.AdmissionRequest, out *v1alpha1.AdmissionRequest, s conversion.Scope) error {
+	return autoConvert_admission_AdmissionRequest_To_v1alpha1_AdmissionRequest(in, out, s)
+}
+
+func autoConvert_v1alpha1_AdmissionResponse_To_admission_AdmissionResponse(in *v1alpha1.AdmissionResponse, out *admission.AdmissionResponse, s conversion.Scope) error {
+	out.UID = types.UID(in.UID)
+	out.Allowed = in.Allowed
+	out.Result = (*v1.Status)(unsafe.Pointer(in.Result))
+	out.Patch = *(*[]byte)(unsafe.Pointer(&in.Patch))
+	out.PatchType = (*admission.PatchType)(unsafe.Pointer(in.PatchType))
+	return nil
+}
+
+// Convert_v1alpha1_AdmissionResponse_To_admission_AdmissionResponse is an autogenerated conversion function.
+func Convert_v1alpha1_AdmissionResponse_To_admission_AdmissionResponse(in *v1alpha1.AdmissionResponse, out *admission.AdmissionResponse, s conversion.Scope) error {
+	return autoConvert_v1alpha1_AdmissionResponse_To_admission_AdmissionResponse(in, out, s)
+}
+
+func autoConvert_admission_AdmissionResponse_To_v1alpha1_AdmissionResponse(in *admission.AdmissionResponse, out *v1alpha1.AdmissionResponse, s conversion.Scope) error {
+	out.UID = types.UID(in.UID)
+	out.Allowed = in.Allowed
+	out.Result = (*v1.Status)(unsafe.Pointer(in.Result))
+	out.Patch = *(*[]byte)(unsafe.Pointer(&in.Patch))
+	out.PatchType = (*v1alpha1.PatchType)(unsafe.Pointer(in.PatchType))
+	return nil
+}
+
+// Convert_admission_AdmissionResponse_To_v1alpha1_AdmissionResponse is an autogenerated conversion function.
+func Convert_admission_AdmissionResponse_To_v1alpha1_AdmissionResponse(in *admission.AdmissionResponse, out *v1alpha1.AdmissionResponse, s conversion.Scope) error {
+	return autoConvert_admission_AdmissionResponse_To_v1alpha1_AdmissionResponse(in, out, s)
+}
+
 func autoConvert_v1alpha1_AdmissionReview_To_admission_AdmissionReview(in *v1alpha1.AdmissionReview, out *admission.AdmissionReview, s conversion.Scope) error {
-	if err := Convert_v1alpha1_AdmissionReviewSpec_To_admission_AdmissionReviewSpec(&in.Spec, &out.Spec, s); err != nil {
-		return err
-	}
-	if err := Convert_v1alpha1_AdmissionReviewStatus_To_admission_AdmissionReviewStatus(&in.Status, &out.Status, s); err != nil {
-		return err
+	if in.Request != nil {
+		in, out := &in.Request, &out.Request
+		*out = new(admission.AdmissionRequest)
+		if err := Convert_v1alpha1_AdmissionRequest_To_admission_AdmissionRequest(*in, *out, s); err != nil {
+			return err
+		}
+	} else {
+		out.Request = nil
 	}
+	out.Response = (*admission.AdmissionResponse)(unsafe.Pointer(in.Response))
 	return nil
 }

@ -62,12 +147,16 @@ func Convert_v1alpha1_AdmissionReview_To_admission_AdmissionReview(in *v1alpha1.
 }

 func autoConvert_admission_AdmissionReview_To_v1alpha1_AdmissionReview(in *admission.AdmissionReview, out *v1alpha1.AdmissionReview, s conversion.Scope) error {
-	if err := Convert_admission_AdmissionReviewSpec_To_v1alpha1_AdmissionReviewSpec(&in.Spec, &out.Spec, s); err != nil {
-		return err
-	}
-	if err := Convert_admission_AdmissionReviewStatus_To_v1alpha1_AdmissionReviewStatus(&in.Status, &out.Status, s); err != nil {
-		return err
+	if in.Request != nil {
+		in, out := &in.Request, &out.Request
+		*out = new(v1alpha1.AdmissionRequest)
+		if err := Convert_admission_AdmissionRequest_To_v1alpha1_AdmissionRequest(*in, *out, s); err != nil {
+			return err
+		}
+	} else {
+		out.Request = nil
 	}
+	out.Response = (*v1alpha1.AdmissionResponse)(unsafe.Pointer(in.Response))
 	return nil
 }

@ -75,75 +164,3 @@ func autoConvert_admission_AdmissionReview_To_v1alpha1_AdmissionReview(in *admis
 func Convert_admission_AdmissionReview_To_v1alpha1_AdmissionReview(in *admission.AdmissionReview, out *v1alpha1.AdmissionReview, s conversion.Scope) error {
 	return autoConvert_admission_AdmissionReview_To_v1alpha1_AdmissionReview(in, out, s)
 }
-
-func autoConvert_v1alpha1_AdmissionReviewSpec_To_admission_AdmissionReviewSpec(in *v1alpha1.AdmissionReviewSpec, out *admission.AdmissionReviewSpec, s conversion.Scope) error {
-	out.Kind = in.Kind
-	if err := runtime.Convert_runtime_RawExtension_To_runtime_Object(&in.Object, &out.Object, s); err != nil {
-		return err
-	}
-	if err := runtime.Convert_runtime_RawExtension_To_runtime_Object(&in.OldObject, &out.OldObject, s); err != nil {
-		return err
-	}
-	out.Operation = admission.Operation(in.Operation)
-	out.Name = in.Name
-	out.Namespace = in.Namespace
-	out.Resource = in.Resource
-	out.SubResource = in.SubResource
-	// TODO: Inefficient conversion - can we improve it?
-	if err := s.Convert(&in.UserInfo, &out.UserInfo, 0); err != nil {
-		return err
-	}
-	return nil
-}
-
-// Convert_v1alpha1_AdmissionReviewSpec_To_admission_AdmissionReviewSpec is an autogenerated conversion function.
-func Convert_v1alpha1_AdmissionReviewSpec_To_admission_AdmissionReviewSpec(in *v1alpha1.AdmissionReviewSpec, out *admission.AdmissionReviewSpec, s conversion.Scope) error {
-	return autoConvert_v1alpha1_AdmissionReviewSpec_To_admission_AdmissionReviewSpec(in, out, s)
-}
-
-func autoConvert_admission_AdmissionReviewSpec_To_v1alpha1_AdmissionReviewSpec(in *admission.AdmissionReviewSpec, out *v1alpha1.AdmissionReviewSpec, s conversion.Scope) error {
-	out.Kind = in.Kind
-	out.Name = in.Name
-	out.Namespace = in.Namespace
-	if err := runtime.Convert_runtime_Object_To_runtime_RawExtension(&in.Object, &out.Object, s); err != nil {
-		return err
-	}
-	if err := runtime.Convert_runtime_Object_To_runtime_RawExtension(&in.OldObject, &out.OldObject, s); err != nil {
-		return err
-	}
-	out.Operation = v1alpha1.Operation(in.Operation)
-	out.Resource = in.Resource
-	out.SubResource = in.SubResource
-	// TODO: Inefficient conversion - can we improve it?
-	if err := s.Convert(&in.UserInfo, &out.UserInfo, 0); err != nil {
-		return err
-	}
-	return nil
-}
-
-// Convert_admission_AdmissionReviewSpec_To_v1alpha1_AdmissionReviewSpec is an autogenerated conversion function.
-func Convert_admission_AdmissionReviewSpec_To_v1alpha1_AdmissionReviewSpec(in *admission.AdmissionReviewSpec, out *v1alpha1.AdmissionReviewSpec, s conversion.Scope) error {
-	return autoConvert_admission_AdmissionReviewSpec_To_v1alpha1_AdmissionReviewSpec(in, out, s)
-}
-
-func autoConvert_v1alpha1_AdmissionReviewStatus_To_admission_AdmissionReviewStatus(in *v1alpha1.AdmissionReviewStatus, out *admission.AdmissionReviewStatus, s conversion.Scope) error {
-	out.Allowed = in.Allowed
-	out.Result = (*v1.Status)(unsafe.Pointer(in.Result))
-	return nil
-}
-
-// Convert_v1alpha1_AdmissionReviewStatus_To_admission_AdmissionReviewStatus is an autogenerated conversion function.
-func Convert_v1alpha1_AdmissionReviewStatus_To_admission_AdmissionReviewStatus(in *v1alpha1.AdmissionReviewStatus, out *admission.AdmissionReviewStatus, s conversion.Scope) error {
-	return autoConvert_v1alpha1_AdmissionReviewStatus_To_admission_AdmissionReviewStatus(in, out, s)
-}
-
-func autoConvert_admission_AdmissionReviewStatus_To_v1alpha1_AdmissionReviewStatus(in *admission.AdmissionReviewStatus, out *v1alpha1.AdmissionReviewStatus, s conversion.Scope) error {
-	out.Allowed = in.Allowed
-	out.Result = (*v1.Status)(unsafe.Pointer(in.Result))
-	return nil
-}
-
-// Convert_admission_AdmissionReviewStatus_To_v1alpha1_AdmissionReviewStatus is an autogenerated conversion function.
-func Convert_admission_AdmissionReviewStatus_To_v1alpha1_AdmissionReviewStatus(in *admission.AdmissionReviewStatus, out *v1alpha1.AdmissionReviewStatus, s conversion.Scope) error {
-	return autoConvert_admission_AdmissionReviewStatus_To_v1alpha1_AdmissionReviewStatus(in, out, s)
-}
--- a/pkg/apis/admission/zz_generated.deepcopy.go
+++ b/pkg/apis/admission/zz_generated.deepcopy.go
@ -25,12 +25,96 @@ import (
 	runtime "k8s.io/apimachinery/pkg/runtime"
 )

+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *AdmissionRequest) DeepCopyInto(out *AdmissionRequest) {
+	*out = *in
+	out.Kind = in.Kind
+	out.Resource = in.Resource
+	in.UserInfo.DeepCopyInto(&out.UserInfo)
+	if in.Object == nil {
+		out.Object = nil
+	} else {
+		out.Object = in.Object.DeepCopyObject()
+	}
+	if in.OldObject == nil {
+		out.OldObject = nil
+	} else {
+		out.OldObject = in.OldObject.DeepCopyObject()
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AdmissionRequest.
+func (in *AdmissionRequest) DeepCopy() *AdmissionRequest {
+	if in == nil {
+		return nil
+	}
+	out := new(AdmissionRequest)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *AdmissionResponse) DeepCopyInto(out *AdmissionResponse) {
+	*out = *in
+	if in.Result != nil {
+		in, out := &in.Result, &out.Result
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(v1.Status)
+			(*in).DeepCopyInto(*out)
+		}
+	}
+	if in.Patch != nil {
+		in, out := &in.Patch, &out.Patch
+		*out = make([]byte, len(*in))
+		copy(*out, *in)
+	}
+	if in.PatchType != nil {
+		in, out := &in.PatchType, &out.PatchType
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(PatchType)
+			**out = **in
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AdmissionResponse.
+func (in *AdmissionResponse) DeepCopy() *AdmissionResponse {
+	if in == nil {
+		return nil
+	}
+	out := new(AdmissionResponse)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *AdmissionReview) DeepCopyInto(out *AdmissionReview) {
 	*out = *in
 	out.TypeMeta = in.TypeMeta
-	in.Spec.DeepCopyInto(&out.Spec)
-	in.Status.DeepCopyInto(&out.Status)
+	if in.Request != nil {
+		in, out := &in.Request, &out.Request
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(AdmissionRequest)
+			(*in).DeepCopyInto(*out)
+		}
+	}
+	if in.Response != nil {
+		in, out := &in.Response, &out.Response
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(AdmissionResponse)
+			(*in).DeepCopyInto(*out)
+		}
+	}
 	return
 }

@ -52,57 +136,3 @@ func (in *AdmissionReview) DeepCopyObject() runtime.Object {
 		return nil
 	}
 }
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *AdmissionReviewSpec) DeepCopyInto(out *AdmissionReviewSpec) {
-	*out = *in
-	out.Kind = in.Kind
-	if in.Object == nil {
-		out.Object = nil
-	} else {
-		out.Object = in.Object.DeepCopyObject()
-	}
-	if in.OldObject == nil {
-		out.OldObject = nil
-	} else {
-		out.OldObject = in.OldObject.DeepCopyObject()
-	}
-	out.Resource = in.Resource
-	in.UserInfo.DeepCopyInto(&out.UserInfo)
-	return
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AdmissionReviewSpec.
-func (in *AdmissionReviewSpec) DeepCopy() *AdmissionReviewSpec {
-	if in == nil {
-		return nil
-	}
-	out := new(AdmissionReviewSpec)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *AdmissionReviewStatus) DeepCopyInto(out *AdmissionReviewStatus) {
-	*out = *in
-	if in.Result != nil {
-		in, out := &in.Result, &out.Result
-		if *in == nil {
-			*out = nil
-		} else {
-			*out = new(v1.Status)
-			(*in).DeepCopyInto(*out)
-		}
-	}
-	return
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AdmissionReviewStatus.
-func (in *AdmissionReviewStatus) DeepCopy() *AdmissionReviewStatus {
-	if in == nil {
-		return nil
-	}
-	out := new(AdmissionReviewStatus)
-	in.DeepCopyInto(out)
-	return out
-}
--- a/staging/src/k8s.io/api/admission/v1alpha1/BUILD
+++ b/staging/src/k8s.io/api/admission/v1alpha1/BUILD
@ -18,6 +18,7 @@ go_library(
        "//vendor/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
        "//vendor/k8s.io/apimachinery/pkg/runtime:go_default_library",
        "//vendor/k8s.io/apimachinery/pkg/runtime/schema:go_default_library",
+        "//vendor/k8s.io/apimachinery/pkg/types:go_default_library",
    ],
 )

--- a/staging/src/k8s.io/api/admission/v1alpha1/generated.pb.go
+++ b/staging/src/k8s.io/api/admission/v1alpha1/generated.pb.go
--- a/staging/src/k8s.io/api/admission/v1alpha1/generated.proto
+++ b/staging/src/k8s.io/api/admission/v1alpha1/generated.proto
@ -30,33 +30,27 @@ import "k8s.io/apimachinery/pkg/util/intstr/generated.proto";
 // Package-wide variables from generator "generated".
 option go_package = "v1alpha1";

-// AdmissionReview describes an admission request.
-message AdmissionReview {
-  // Spec describes the attributes for the admission request.
-  // Since this admission controller is non-mutating the webhook should avoid setting this in its response to avoid the
-  // cost of deserializing it.
-  // +optional
-  optional AdmissionReviewSpec spec = 1;
+// AdmissionRequest describes the admission.Attributes for the admission request.
+message AdmissionRequest {
+  // UID is an identifier for the individual request/response. It allows us to distinguish instances of requests which are
+  // otherwise identical (parallel requests, requests when earlier requests did not modify etc)
+  // The UID is meant to track the round trip (request/response) between the KAS and the WebHook, not the user request.
+  // It is suitable for correlating log entries between the webhook and apiserver, for either auditing or debugging.
+  optional string uid = 1;

-  // Status is filled in by the webhook and indicates whether the admission request should be permitted.
-  // +optional
-  optional AdmissionReviewStatus status = 2;
-}
-
-// AdmissionReviewSpec describes the admission.Attributes for the admission request.
-message AdmissionReviewSpec {
  // Kind is the type of object being manipulated.  For example: Pod
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.GroupVersionKind kind = 1;
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.GroupVersionKind kind = 2;

-  // Object is the object from the incoming request prior to default values being applied
-  optional k8s.io.apimachinery.pkg.runtime.RawExtension object = 2;
+  // Resource is the name of the resource being requested.  This is not the kind.  For example: pods
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.GroupVersionResource resource = 3;

-  // OldObject is the existing object. Only populated for UPDATE requests.
+  // SubResource is the name of the subresource being requested.  This is a different resource, scoped to the parent
+  // resource, but it may have a different kind. For instance, /pods has the resource "pods" and the kind "Pod", while
+  // /pods/foo/status has the resource "pods", the sub resource "status", and the kind "Pod" (because status operates on
+  // pods). The binding resource for a pod though may be /pods/foo/binding, which has resource "pods", subresource
+  // "binding", and kind "Binding".
  // +optional
-  optional k8s.io.apimachinery.pkg.runtime.RawExtension oldObject = 3;
-
-  // Operation is the operation being performed
-  optional string operation = 4;
+  optional string subResource = 4;

  // Name is the name of the object as presented in the request.  On a CREATE operation, the client may omit name and
  // rely on the server to generate the name.  If that is the case, this method will return the empty string.
@ -67,29 +61,52 @@ message AdmissionReviewSpec {
  // +optional
  optional string namespace = 6;

-  // Resource is the name of the resource being requested.  This is not the kind.  For example: pods
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.GroupVersionResource resource = 7;
-
-  // SubResource is the name of the subresource being requested.  This is a different resource, scoped to the parent
-  // resource, but it may have a different kind. For instance, /pods has the resource "pods" and the kind "Pod", while
-  // /pods/foo/status has the resource "pods", the sub resource "status", and the kind "Pod" (because status operates on
-  // pods). The binding resource for a pod though may be /pods/foo/binding, which has resource "pods", subresource
-  // "binding", and kind "Binding".
-  // +optional
-  optional string subResource = 8;
+  // Operation is the operation being performed
+  optional string operation = 7;

  // UserInfo is information about the requesting user
-  optional k8s.io.api.authentication.v1.UserInfo userInfo = 9;
+  optional k8s.io.api.authentication.v1.UserInfo userInfo = 8;
+
+  // Object is the object from the incoming request prior to default values being applied
+  // +optional
+  optional k8s.io.apimachinery.pkg.runtime.RawExtension object = 9;
+
+  // OldObject is the existing object. Only populated for UPDATE requests.
+  // +optional
+  optional k8s.io.apimachinery.pkg.runtime.RawExtension oldObject = 10;
 }

-// AdmissionReviewStatus describes the status of the admission request.
-message AdmissionReviewStatus {
+// AdmissionResponse describes an admission response.
+message AdmissionResponse {
+  // UID is an identifier for the individual request/response.
+  // This should be copied over from the corresponding AdmissionRequest.
+  optional string uid = 1;
+
  // Allowed indicates whether or not the admission request was permitted.
-  optional bool allowed = 1;
+  optional bool allowed = 2;

  // Result contains extra details into why an admission request was denied.
  // This field IS NOT consulted in any way if "Allowed" is "true".
  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.Status status = 2;
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.Status status = 3;
+
+  // The patch body. Currently we only support "JSONPatch" which implements RFC 6902.
+  // +optional
+  optional bytes patch = 4;
+
+  // The type of Patch. Currently we only allow "JSONPatch".
+  // +optional
+  optional string patchType = 5;
+}
+
+// AdmissionReview describes an admission review request/response.
+message AdmissionReview {
+  // Request describes the attributes for the admission request.
+  // +optional
+  optional AdmissionRequest request = 1;
+
+  // Response describes the attributes for the admission response.
+  // +optional
+  optional AdmissionResponse response = 2;
 }

--- a/staging/src/k8s.io/api/admission/v1alpha1/types.go
+++ b/staging/src/k8s.io/api/admission/v1alpha1/types.go
@ -20,34 +20,40 @@ import (
 	authenticationv1 "k8s.io/api/authentication/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/types"
 )

 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

-// AdmissionReview describes an admission request.
+// AdmissionReview describes an admission review request/response.
 type AdmissionReview struct {
 	metav1.TypeMeta `json:",inline"`
-	// Spec describes the attributes for the admission request.
-	// Since this admission controller is non-mutating the webhook should avoid setting this in its response to avoid the
-	// cost of deserializing it.
+	// Request describes the attributes for the admission request.
 	// +optional
-	Spec AdmissionReviewSpec `json:"spec,omitempty" protobuf:"bytes,1,opt,name=spec"`
-	// Status is filled in by the webhook and indicates whether the admission request should be permitted.
+	Request *AdmissionRequest `json:"request,omitempty" protobuf:"bytes,1,opt,name=request"`
+	// Response describes the attributes for the admission response.
 	// +optional
-	Status AdmissionReviewStatus `json:"status,omitempty" protobuf:"bytes,2,opt,name=status"`
+	Response *AdmissionResponse `json:"response,omitempty" protobuf:"bytes,2,opt,name=response"`
 }

-// AdmissionReviewSpec describes the admission.Attributes for the admission request.
-type AdmissionReviewSpec struct {
+// AdmissionRequest describes the admission.Attributes for the admission request.
+type AdmissionRequest struct {
+	// UID is an identifier for the individual request/response. It allows us to distinguish instances of requests which are
+	// otherwise identical (parallel requests, requests when earlier requests did not modify etc)
+	// The UID is meant to track the round trip (request/response) between the KAS and the WebHook, not the user request.
+	// It is suitable for correlating log entries between the webhook and apiserver, for either auditing or debugging.
+	UID types.UID `json:"uid" protobuf:"bytes,1,opt,name=uid"`
 	// Kind is the type of object being manipulated.  For example: Pod
-	Kind metav1.GroupVersionKind `json:"kind,omitempty" protobuf:"bytes,1,opt,name=kind"`
-	// Object is the object from the incoming request prior to default values being applied
-	Object runtime.RawExtension `json:"object,omitempty" protobuf:"bytes,2,opt,name=object"`
-	// OldObject is the existing object. Only populated for UPDATE requests.
+	Kind metav1.GroupVersionKind `json:"kind" protobuf:"bytes,2,opt,name=kind"`
+	// Resource is the name of the resource being requested.  This is not the kind.  For example: pods
+	Resource metav1.GroupVersionResource `json:"resource" protobuf:"bytes,3,opt,name=resource"`
+	// SubResource is the name of the subresource being requested.  This is a different resource, scoped to the parent
+	// resource, but it may have a different kind. For instance, /pods has the resource "pods" and the kind "Pod", while
+	// /pods/foo/status has the resource "pods", the sub resource "status", and the kind "Pod" (because status operates on
+	// pods). The binding resource for a pod though may be /pods/foo/binding, which has resource "pods", subresource
+	// "binding", and kind "Binding".
 	// +optional
-	OldObject runtime.RawExtension `json:"oldObject,omitempty" protobuf:"bytes,3,opt,name=oldObject"`
-	// Operation is the operation being performed
-	Operation Operation `json:"operation,omitempty" protobuf:"bytes,4,opt,name=operation"`
+	SubResource string `json:"subResource,omitempty" protobuf:"bytes,4,opt,name=subResource"`
 	// Name is the name of the object as presented in the request.  On a CREATE operation, the client may omit name and
 	// rely on the server to generate the name.  If that is the case, this method will return the empty string.
 	// +optional
@ -55,29 +61,49 @@ type AdmissionReviewSpec struct {
 	// Namespace is the namespace associated with the request (if any).
 	// +optional
 	Namespace string `json:"namespace,omitempty" protobuf:"bytes,6,opt,name=namespace"`
-	// Resource is the name of the resource being requested.  This is not the kind.  For example: pods
-	Resource metav1.GroupVersionResource `json:"resource,omitempty" protobuf:"bytes,7,opt,name=resource"`
-	// SubResource is the name of the subresource being requested.  This is a different resource, scoped to the parent
-	// resource, but it may have a different kind. For instance, /pods has the resource "pods" and the kind "Pod", while
-	// /pods/foo/status has the resource "pods", the sub resource "status", and the kind "Pod" (because status operates on
-	// pods). The binding resource for a pod though may be /pods/foo/binding, which has resource "pods", subresource
-	// "binding", and kind "Binding".
-	// +optional
-	SubResource string `json:"subResource,omitempty" protobuf:"bytes,8,opt,name=subResource"`
+	// Operation is the operation being performed
+	Operation Operation `json:"operation" protobuf:"bytes,7,opt,name=operation"`
 	// UserInfo is information about the requesting user
-	UserInfo authenticationv1.UserInfo `json:"userInfo,omitempty" protobuf:"bytes,9,opt,name=userInfo"`
+	UserInfo authenticationv1.UserInfo `json:"userInfo" protobuf:"bytes,8,opt,name=userInfo"`
+	// Object is the object from the incoming request prior to default values being applied
+	// +optional
+	Object runtime.RawExtension `json:"object,omitempty" protobuf:"bytes,9,opt,name=object"`
+	// OldObject is the existing object. Only populated for UPDATE requests.
+	// +optional
+	OldObject runtime.RawExtension `json:"oldObject,omitempty" protobuf:"bytes,10,opt,name=oldObject"`
 }

-// AdmissionReviewStatus describes the status of the admission request.
-type AdmissionReviewStatus struct {
+// AdmissionResponse describes an admission response.
+type AdmissionResponse struct {
+	// UID is an identifier for the individual request/response.
+	// This should be copied over from the corresponding AdmissionRequest.
+	UID types.UID `json:"uid" protobuf:"bytes,1,opt,name=uid"`
+
 	// Allowed indicates whether or not the admission request was permitted.
-	Allowed bool `json:"allowed" protobuf:"varint,1,opt,name=allowed"`
+	Allowed bool `json:"allowed" protobuf:"varint,2,opt,name=allowed"`
+
 	// Result contains extra details into why an admission request was denied.
 	// This field IS NOT consulted in any way if "Allowed" is "true".
 	// +optional
-	Result *metav1.Status `json:"status,omitempty" protobuf:"bytes,2,opt,name=status"`
+	Result *metav1.Status `json:"status,omitempty" protobuf:"bytes,3,opt,name=status"`
+
+	// The patch body. Currently we only support "JSONPatch" which implements RFC 6902.
+	// +optional
+	Patch []byte `json:"patch,omitempty" protobuf:"bytes,4,opt,name=patch"`
+
+	// The type of Patch. Currently we only allow "JSONPatch".
+	// +optional
+	PatchType *PatchType `json:"patchType,omitempty" protobuf:"bytes,5,opt,name=patchType"`
 }

+// PatchType is the type of patch being used to represent the mutated object
+type PatchType string
+
+// PatchType constants.
+const (
+	PatchTypeJSONPatch PatchType = "JSONPatch"
+)
+
 // Operation is the type of resource operation being checked for admission control
 type Operation string

--- a/staging/src/k8s.io/api/admission/v1alpha1/types_swagger_doc_generated.go
+++ b/staging/src/k8s.io/api/admission/v1alpha1/types_swagger_doc_generated.go
@ -27,41 +27,45 @@ package v1alpha1
 // Those methods can be generated by using hack/update-generated-swagger-docs.sh

 // AUTO-GENERATED FUNCTIONS START HERE
+var map_AdmissionRequest = map[string]string{
+	"":            "AdmissionRequest describes the admission.Attributes for the admission request.",
+	"uid":         "UID is an identifier for the individual request/response. It allows us to distinguish instances of requests which are otherwise identical (parallel requests, requests when earlier requests did not modify etc) The UID is meant to track the round trip (request/response) between the KAS and the WebHook, not the user request. It is suitable for correlating log entries between the webhook and apiserver, for either auditing or debugging.",
+	"kind":        "Kind is the type of object being manipulated.  For example: Pod",
+	"resource":    "Resource is the name of the resource being requested.  This is not the kind.  For example: pods",
+	"subResource": "SubResource is the name of the subresource being requested.  This is a different resource, scoped to the parent resource, but it may have a different kind. For instance, /pods has the resource \"pods\" and the kind \"Pod\", while /pods/foo/status has the resource \"pods\", the sub resource \"status\", and the kind \"Pod\" (because status operates on pods). The binding resource for a pod though may be /pods/foo/binding, which has resource \"pods\", subresource \"binding\", and kind \"Binding\".",
+	"name":        "Name is the name of the object as presented in the request.  On a CREATE operation, the client may omit name and rely on the server to generate the name.  If that is the case, this method will return the empty string.",
+	"namespace":   "Namespace is the namespace associated with the request (if any).",
+	"operation":   "Operation is the operation being performed",
+	"userInfo":    "UserInfo is information about the requesting user",
+	"object":      "Object is the object from the incoming request prior to default values being applied",
+	"oldObject":   "OldObject is the existing object. Only populated for UPDATE requests.",
+}
+
+func (AdmissionRequest) SwaggerDoc() map[string]string {
+	return map_AdmissionRequest
+}
+
+var map_AdmissionResponse = map[string]string{
+	"":          "AdmissionResponse describes an admission response.",
+	"uid":       "UID is an identifier for the individual request/response. This should be copied over from the corresponding AdmissionRequest.",
+	"allowed":   "Allowed indicates whether or not the admission request was permitted.",
+	"status":    "Result contains extra details into why an admission request was denied. This field IS NOT consulted in any way if \"Allowed\" is \"true\".",
+	"patch":     "The patch body. Currently we only support \"JSONPatch\" which implements RFC 6902.",
+	"patchType": "The type of Patch. Currently we only allow \"JSONPatch\".",
+}
+
+func (AdmissionResponse) SwaggerDoc() map[string]string {
+	return map_AdmissionResponse
+}
+
 var map_AdmissionReview = map[string]string{
-	"":       "AdmissionReview describes an admission request.",
-	"spec":   "Spec describes the attributes for the admission request. Since this admission controller is non-mutating the webhook should avoid setting this in its response to avoid the cost of deserializing it.",
-	"status": "Status is filled in by the webhook and indicates whether the admission request should be permitted.",
+	"":         "AdmissionReview describes an admission review request/response.",
+	"request":  "Request describes the attributes for the admission request.",
+	"response": "Response describes the attributes for the admission response.",
 }

 func (AdmissionReview) SwaggerDoc() map[string]string {
 	return map_AdmissionReview
 }

-var map_AdmissionReviewSpec = map[string]string{
-	"":            "AdmissionReviewSpec describes the admission.Attributes for the admission request.",
-	"kind":        "Kind is the type of object being manipulated.  For example: Pod",
-	"object":      "Object is the object from the incoming request prior to default values being applied",
-	"oldObject":   "OldObject is the existing object. Only populated for UPDATE requests.",
-	"operation":   "Operation is the operation being performed",
-	"name":        "Name is the name of the object as presented in the request.  On a CREATE operation, the client may omit name and rely on the server to generate the name.  If that is the case, this method will return the empty string.",
-	"namespace":   "Namespace is the namespace associated with the request (if any).",
-	"resource":    "Resource is the name of the resource being requested.  This is not the kind.  For example: pods",
-	"subResource": "SubResource is the name of the subresource being requested.  This is a different resource, scoped to the parent resource, but it may have a different kind. For instance, /pods has the resource \"pods\" and the kind \"Pod\", while /pods/foo/status has the resource \"pods\", the sub resource \"status\", and the kind \"Pod\" (because status operates on pods). The binding resource for a pod though may be /pods/foo/binding, which has resource \"pods\", subresource \"binding\", and kind \"Binding\".",
-	"userInfo":    "UserInfo is information about the requesting user",
-}
-
-func (AdmissionReviewSpec) SwaggerDoc() map[string]string {
-	return map_AdmissionReviewSpec
-}
-
-var map_AdmissionReviewStatus = map[string]string{
-	"":        "AdmissionReviewStatus describes the status of the admission request.",
-	"allowed": "Allowed indicates whether or not the admission request was permitted.",
-	"status":  "Result contains extra details into why an admission request was denied. This field IS NOT consulted in any way if \"Allowed\" is \"true\".",
-}
-
-func (AdmissionReviewStatus) SwaggerDoc() map[string]string {
-	return map_AdmissionReviewStatus
-}
-
 // AUTO-GENERATED FUNCTIONS END HERE
--- a/staging/src/k8s.io/api/admission/v1alpha1/zz_generated.deepcopy.go
+++ b/staging/src/k8s.io/api/admission/v1alpha1/zz_generated.deepcopy.go
@ -25,12 +25,88 @@ import (
 	runtime "k8s.io/apimachinery/pkg/runtime"
 )

+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *AdmissionRequest) DeepCopyInto(out *AdmissionRequest) {
+	*out = *in
+	out.Kind = in.Kind
+	out.Resource = in.Resource
+	in.UserInfo.DeepCopyInto(&out.UserInfo)
+	in.Object.DeepCopyInto(&out.Object)
+	in.OldObject.DeepCopyInto(&out.OldObject)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AdmissionRequest.
+func (in *AdmissionRequest) DeepCopy() *AdmissionRequest {
+	if in == nil {
+		return nil
+	}
+	out := new(AdmissionRequest)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *AdmissionResponse) DeepCopyInto(out *AdmissionResponse) {
+	*out = *in
+	if in.Result != nil {
+		in, out := &in.Result, &out.Result
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(v1.Status)
+			(*in).DeepCopyInto(*out)
+		}
+	}
+	if in.Patch != nil {
+		in, out := &in.Patch, &out.Patch
+		*out = make([]byte, len(*in))
+		copy(*out, *in)
+	}
+	if in.PatchType != nil {
+		in, out := &in.PatchType, &out.PatchType
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(PatchType)
+			**out = **in
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AdmissionResponse.
+func (in *AdmissionResponse) DeepCopy() *AdmissionResponse {
+	if in == nil {
+		return nil
+	}
+	out := new(AdmissionResponse)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *AdmissionReview) DeepCopyInto(out *AdmissionReview) {
 	*out = *in
 	out.TypeMeta = in.TypeMeta
-	in.Spec.DeepCopyInto(&out.Spec)
-	in.Status.DeepCopyInto(&out.Status)
+	if in.Request != nil {
+		in, out := &in.Request, &out.Request
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(AdmissionRequest)
+			(*in).DeepCopyInto(*out)
+		}
+	}
+	if in.Response != nil {
+		in, out := &in.Response, &out.Response
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(AdmissionResponse)
+			(*in).DeepCopyInto(*out)
+		}
+	}
 	return
 }

@ -52,49 +128,3 @@ func (in *AdmissionReview) DeepCopyObject() runtime.Object {
 		return nil
 	}
 }
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *AdmissionReviewSpec) DeepCopyInto(out *AdmissionReviewSpec) {
-	*out = *in
-	out.Kind = in.Kind
-	in.Object.DeepCopyInto(&out.Object)
-	in.OldObject.DeepCopyInto(&out.OldObject)
-	out.Resource = in.Resource
-	in.UserInfo.DeepCopyInto(&out.UserInfo)
-	return
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AdmissionReviewSpec.
-func (in *AdmissionReviewSpec) DeepCopy() *AdmissionReviewSpec {
-	if in == nil {
-		return nil
-	}
-	out := new(AdmissionReviewSpec)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *AdmissionReviewStatus) DeepCopyInto(out *AdmissionReviewStatus) {
-	*out = *in
-	if in.Result != nil {
-		in, out := &in.Result, &out.Result
-		if *in == nil {
-			*out = nil
-		} else {
-			*out = new(v1.Status)
-			(*in).DeepCopyInto(*out)
-		}
-	}
-	return
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AdmissionReviewStatus.
-func (in *AdmissionReviewStatus) DeepCopy() *AdmissionReviewStatus {
-	if in == nil {
-		return nil
-	}
-	out := new(AdmissionReviewStatus)
-	in.DeepCopyInto(out)
-	return out
-}
--- a/staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook/request/BUILD
+++ b/staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook/request/BUILD
@ -13,6 +13,7 @@ go_library(
        "//vendor/k8s.io/api/authentication/v1:go_default_library",
        "//vendor/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
        "//vendor/k8s.io/apimachinery/pkg/runtime:go_default_library",
+        "//vendor/k8s.io/apimachinery/pkg/util/uuid:go_default_library",
        "//vendor/k8s.io/apiserver/pkg/admission:go_default_library",
    ],
 )
--- a/staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook/request/admissionreview.go
+++ b/staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook/request/admissionreview.go
@ -21,6 +21,7 @@ import (
 	authenticationv1 "k8s.io/api/authentication/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/util/uuid"
 	"k8s.io/apiserver/pkg/admission"
 )

@ -42,28 +43,29 @@ func CreateAdmissionReview(attr admission.Attributes) admissionv1alpha1.Admissio
 	}

 	return admissionv1alpha1.AdmissionReview{
-		Spec: admissionv1alpha1.AdmissionReviewSpec{
-			Name:      attr.GetName(),
-			Namespace: attr.GetNamespace(),
+		Request: &admissionv1alpha1.AdmissionRequest{
+			UID: uuid.NewUUID(),
+			Kind: metav1.GroupVersionKind{
+				Group:   gvk.Group,
+				Kind:    gvk.Kind,
+				Version: gvk.Version,
+			},
 			Resource: metav1.GroupVersionResource{
 				Group:    gvr.Group,
 				Resource: gvr.Resource,
 				Version:  gvr.Version,
 			},
 			SubResource: attr.GetSubresource(),
+			Name:        attr.GetName(),
+			Namespace:   attr.GetNamespace(),
 			Operation:   admissionv1alpha1.Operation(attr.GetOperation()),
+			UserInfo:    userInfo,
 			Object: runtime.RawExtension{
 				Object: attr.GetObject(),
 			},
 			OldObject: runtime.RawExtension{
 				Object: attr.GetOldObject(),
 			},
-			Kind: metav1.GroupVersionKind{
-				Group:   gvk.Group,
-				Kind:    gvk.Kind,
-				Version: gvk.Version,
-			},
-			UserInfo: userInfo,
 		},
 	}
 }
--- a/staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook/validating/admission.go
+++ b/staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook/validating/admission.go
@ -308,9 +308,11 @@ func (a *GenericAdmissionWebhook) callHook(ctx context.Context, h *v1alpha1.Webh
 		return &webhookerrors.ErrCallingWebhook{WebhookName: h.Name, Reason: err}
 	}

-	if response.Status.Allowed {
+	if response.Response == nil {
+		return &webhookerrors.ErrCallingWebhook{WebhookName: h.Name, Reason: fmt.Errorf("Webhook response was absent")}
+	}
+	if response.Response.Allowed {
 		return nil
 	}
-
-	return webhookerrors.ToStatusErr(h.Name, response.Status.Result)
+	return webhookerrors.ToStatusErr(h.Name, response.Response.Result)
 }
--- a/staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook/validating/admission_test.go
+++ b/staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook/validating/admission_test.go
@ -360,6 +360,28 @@ func TestAdmit(t *testing.T) {
 			},
 			errorContains: "without explanation",
 		},
+		"absent response and fail open": {
+			hookSource: fakeHookSource{
+				hooks: []registrationv1alpha1.Webhook{{
+					Name:          "nilResponse",
+					ClientConfig:  ccfgURL("nilResponse"),
+					FailurePolicy: &policyIgnore,
+					Rules:         matchEverythingRules,
+				}},
+			},
+			expectAllow: true,
+		},
+		"absent response and fail closed": {
+			hookSource: fakeHookSource{
+				hooks: []registrationv1alpha1.Webhook{{
+					Name:          "nilResponse",
+					ClientConfig:  ccfgURL("nilResponse"),
+					FailurePolicy: &policyFail,
+					Rules:         matchEverythingRules,
+				}},
+			},
+			errorContains: "Webhook response was absent",
+		},
 		// No need to test everything with the url case, since only the
 		// connection is different.
 	}
@ -587,14 +609,14 @@ func webhookHandler(w http.ResponseWriter, r *http.Request) {
 	case "/disallow":
 		w.Header().Set("Content-Type", "application/json")
 		json.NewEncoder(w).Encode(&v1alpha1.AdmissionReview{
-			Status: v1alpha1.AdmissionReviewStatus{
+			Response: &v1alpha1.AdmissionResponse{
 				Allowed: false,
 			},
 		})
 	case "/disallowReason":
 		w.Header().Set("Content-Type", "application/json")
 		json.NewEncoder(w).Encode(&v1alpha1.AdmissionReview{
-			Status: v1alpha1.AdmissionReviewStatus{
+			Response: &v1alpha1.AdmissionResponse{
 				Allowed: false,
 				Result: &metav1.Status{
 					Message: "you shall not pass",
@ -604,10 +626,13 @@ func webhookHandler(w http.ResponseWriter, r *http.Request) {
 	case "/allow":
 		w.Header().Set("Content-Type", "application/json")
 		json.NewEncoder(w).Encode(&v1alpha1.AdmissionReview{
-			Status: v1alpha1.AdmissionReviewStatus{
+			Response: &v1alpha1.AdmissionResponse{
 				Allowed: true,
 			},
 		})
+	case "/nilResposne":
+		w.Header().Set("Content-Type", "application/json")
+		json.NewEncoder(w).Encode(&v1alpha1.AdmissionReview{})
 	default:
 		http.NotFound(w, r)
 	}
--- a/test/e2e/apimachinery/webhook.go
+++ b/test/e2e/apimachinery/webhook.go
@ -71,19 +71,14 @@ var serverWebhookVersion = utilversion.MustParseSemantic("v1.8.0")

 var _ = SIGDescribe("AdmissionWebhook", func() {
 	var context *certContext
-	var ns string
-	var c clientset.Interface
 	f := framework.NewDefaultFramework("webhook")
-	framework.AddCleanupAction(func() {
-		// Cleanup actions will be called even when the tests are skipped and leaves namespace unset.
-		if len(ns) > 0 {
-			cleanWebhookTest(c, ns)
-		}
-	})
+
+	var client clientset.Interface
+	var namespaceName string

 	BeforeEach(func() {
-		c = f.ClientSet
-		ns = f.Namespace.Name
+		client = f.ClientSet
+		namespaceName = f.Namespace.Name

 		// Make sure the relevant provider supports admission webhook
 		framework.SkipUnlessServerVersionGTE(serverWebhookVersion, f.ClientSet.Discovery())
@ -95,14 +90,16 @@ var _ = SIGDescribe("AdmissionWebhook", func() {
 		}

 		By("Setting up server cert")
-		namespaceName := f.Namespace.Name
 		context = setupServerCert(namespaceName, serviceName)
 		createAuthReaderRoleBinding(f, namespaceName)

 		// Note that in 1.9 we will have backwards incompatible change to
 		// admission webhooks, so the image will be updated to 1.9 sometime in
 		// the development 1.9 cycle.
-		deployWebhookAndService(f, "gcr.io/kubernetes-e2e-test-images/k8s-sample-admission-webhook-amd64:1.8v3", context)
+		deployWebhookAndService(f, "gcr.io/kubernetes-e2e-test-images/k8s-sample-admission-webhook-amd64:1.8v5", context)
+	})
+	AfterEach(func() {
+		cleanWebhookTest(client, namespaceName)
 	})

 	It("Should be able to deny pod and configmap creation", func() {
@ -573,6 +570,7 @@ func updateConfigMap(c clientset.Interface, ns, name string, update updateConfig

 func cleanWebhookTest(client clientset.Interface, namespaceName string) {
 	_ = client.AdmissionregistrationV1alpha1().ValidatingWebhookConfigurations().Delete(webhookConfigName, nil)
+	_ = client.AdmissionregistrationV1alpha1().ValidatingWebhookConfigurations().Delete(crdWebhookConfigName, nil)
 	_ = client.CoreV1().Services(namespaceName).Delete(serviceName, nil)
 	_ = client.ExtensionsV1beta1().Deployments(namespaceName).Delete(deploymentName, nil)
 	_ = client.CoreV1().Secrets(namespaceName).Delete(secretName, nil)
--- a/test/images/webhook/Makefile
+++ b/test/images/webhook/Makefile
@ -14,7 +14,7 @@

 build:
 	CGO_ENABLED=0 GOOS=linux go build -a -installsuffix cgo -o webhook .
-	docker build --no-cache -t gcr.io/kubernetes-e2e-test-images/k8s-sample-admission-webhook-amd64:1.8v3 .
+	docker build --no-cache -t gcr.io/kubernetes-e2e-test-images/k8s-sample-admission-webhook-amd64:1.8v5 .
 	rm -rf webhook
 push:
-	gcloud docker -- push gcr.io/kubernetes-e2e-test-images/k8s-sample-admission-webhook-amd64:1.8v3
+	gcloud docker -- push gcr.io/kubernetes-e2e-test-images/k8s-sample-admission-webhook-amd64:1.8v5
--- a/test/images/webhook/main.go
+++ b/test/images/webhook/main.go
@ -44,8 +44,8 @@ func (c *Config) addFlags() {
 		"File containing the default x509 private key matching --tls-cert-file.")
 }

-func toAdmissionReviewStatus(err error) *v1alpha1.AdmissionReviewStatus {
-	return &v1alpha1.AdmissionReviewStatus{
+func toAdmissionResponse(err error) *v1alpha1.AdmissionResponse {
+	return &v1alpha1.AdmissionResponse{
 		Result: &metav1.Status{
 			Message: err.Error(),
 		},
@ -53,101 +53,101 @@ func toAdmissionReviewStatus(err error) *v1alpha1.AdmissionReviewStatus {
 }

 // only allow pods to pull images from specific registry.
-func admitPods(ar v1alpha1.AdmissionReview) *v1alpha1.AdmissionReviewStatus {
+func admitPods(ar v1alpha1.AdmissionReview) *v1alpha1.AdmissionResponse {
 	glog.V(2).Info("admitting pods")
 	podResource := metav1.GroupVersionResource{Group: "", Version: "v1", Resource: "pods"}
-	if ar.Spec.Resource != podResource {
+	if ar.Request.Resource != podResource {
 		err := fmt.Errorf("expect resource to be %s", podResource)
 		glog.Error(err)
-		return toAdmissionReviewStatus(err)
+		return toAdmissionResponse(err)
 	}

-	raw := ar.Spec.Object.Raw
+	raw := ar.Request.Object.Raw
 	pod := corev1.Pod{}
 	deserializer := codecs.UniversalDeserializer()
 	if _, _, err := deserializer.Decode(raw, nil, &pod); err != nil {
 		glog.Error(err)
-		return toAdmissionReviewStatus(err)
+		return toAdmissionResponse(err)
 	}
-	reviewStatus := v1alpha1.AdmissionReviewStatus{}
-	reviewStatus.Allowed = true
+	reviewResponse := v1alpha1.AdmissionResponse{}
+	reviewResponse.Allowed = true

 	var msg string
 	for k, v := range pod.Labels {
 		if k == "webhook-e2e-test" && v == "webhook-disallow" {
-			reviewStatus.Allowed = false
+			reviewResponse.Allowed = false
 			msg = msg + "the pod contains unwanted label; "
 		}
 	}
 	for _, container := range pod.Spec.Containers {
 		if strings.Contains(container.Name, "webhook-disallow") {
-			reviewStatus.Allowed = false
+			reviewResponse.Allowed = false
 			msg = msg + "the pod contains unwanted container name; "
 		}
 	}
-	if !reviewStatus.Allowed {
-		reviewStatus.Result = &metav1.Status{Message: strings.TrimSpace(msg)}
+	if !reviewResponse.Allowed {
+		reviewResponse.Result = &metav1.Status{Message: strings.TrimSpace(msg)}
 	}
-	return &reviewStatus
+	return &reviewResponse
 }

 // deny configmaps with specific key-value pair.
-func admitConfigMaps(ar v1alpha1.AdmissionReview) *v1alpha1.AdmissionReviewStatus {
+func admitConfigMaps(ar v1alpha1.AdmissionReview) *v1alpha1.AdmissionResponse {
 	glog.V(2).Info("admitting configmaps")
 	configMapResource := metav1.GroupVersionResource{Group: "", Version: "v1", Resource: "configmaps"}
-	if ar.Spec.Resource != configMapResource {
+	if ar.Request.Resource != configMapResource {
 		glog.Errorf("expect resource to be %s", configMapResource)
 		return nil
 	}

-	raw := ar.Spec.Object.Raw
+	raw := ar.Request.Object.Raw
 	configmap := corev1.ConfigMap{}
 	deserializer := codecs.UniversalDeserializer()
 	if _, _, err := deserializer.Decode(raw, nil, &configmap); err != nil {
 		glog.Error(err)
-		return toAdmissionReviewStatus(err)
+		return toAdmissionResponse(err)
 	}
-	reviewStatus := v1alpha1.AdmissionReviewStatus{}
-	reviewStatus.Allowed = true
+	reviewResponse := v1alpha1.AdmissionResponse{}
+	reviewResponse.Allowed = true
 	for k, v := range configmap.Data {
 		if k == "webhook-e2e-test" && v == "webhook-disallow" {
-			reviewStatus.Allowed = false
-			reviewStatus.Result = &metav1.Status{
+			reviewResponse.Allowed = false
+			reviewResponse.Result = &metav1.Status{
 				Reason: "the configmap contains unwanted key and value",
 			}
 		}
 	}
-	return &reviewStatus
+	return &reviewResponse
 }

-func admitCRD(ar v1alpha1.AdmissionReview) *v1alpha1.AdmissionReviewStatus {
+func admitCRD(ar v1alpha1.AdmissionReview) *v1alpha1.AdmissionResponse {
 	glog.V(2).Info("admitting crd")
 	cr := struct {
 		metav1.ObjectMeta
 		Data map[string]string
 	}{}

-	raw := ar.Spec.Object.Raw
+	raw := ar.Request.Object.Raw
 	err := json.Unmarshal(raw, &cr)
 	if err != nil {
 		glog.Error(err)
-		return toAdmissionReviewStatus(err)
+		return toAdmissionResponse(err)
 	}

-	reviewStatus := v1alpha1.AdmissionReviewStatus{}
-	reviewStatus.Allowed = true
+	reviewResponse := v1alpha1.AdmissionResponse{}
+	reviewResponse.Allowed = true
 	for k, v := range cr.Data {
 		if k == "webhook-e2e-test" && v == "webhook-disallow" {
-			reviewStatus.Allowed = false
-			reviewStatus.Result = &metav1.Status{
+			reviewResponse.Allowed = false
+			reviewResponse.Result = &metav1.Status{
 				Reason: "the custom resource contains unwanted data",
 			}
 		}
 	}
-	return &reviewStatus
+	return &reviewResponse
 }

-type admitFunc func(v1alpha1.AdmissionReview) *v1alpha1.AdmissionReviewStatus
+type admitFunc func(v1alpha1.AdmissionReview) *v1alpha1.AdmissionResponse

 func serve(w http.ResponseWriter, r *http.Request, admit admitFunc) {
 	var body []byte
@ -164,21 +164,23 @@ func serve(w http.ResponseWriter, r *http.Request, admit admitFunc) {
 		return
 	}

-	var reviewStatus *v1alpha1.AdmissionReviewStatus
+	var reviewResponse *v1alpha1.AdmissionResponse
 	ar := v1alpha1.AdmissionReview{}
 	deserializer := codecs.UniversalDeserializer()
 	if _, _, err := deserializer.Decode(body, nil, &ar); err != nil {
 		glog.Error(err)
-		reviewStatus = toAdmissionReviewStatus(err)
+		reviewResponse = toAdmissionResponse(err)
 	} else {
-		reviewStatus = admit(ar)
+		reviewResponse = admit(ar)
 	}

-	if reviewStatus != nil {
-		ar.Status = *reviewStatus
+	response := v1alpha1.AdmissionReview{}
+	if reviewResponse != nil {
+		response.Response = reviewResponse
+		response.Response.UID = ar.Request.UID
 	}

-	resp, err := json.Marshal(ar)
+	resp, err := json.Marshal(response)
 	if err != nil {
 		glog.Error(err)
 	}