Skip to content

Commit

Permalink
set webhooks OwnerReferences to namespace
Browse files Browse the repository at this point in the history
  • Loading branch information
novahe committed Apr 20, 2021
1 parent b80a192 commit 1b3b751
Show file tree
Hide file tree
Showing 6 changed files with 96 additions and 40 deletions.
12 changes: 9 additions & 3 deletions webhook/configmaps/configmaps.go
Original file line number Diff line number Diff line change
Expand Up @@ -137,9 +137,15 @@ func (ac *reconciler) reconcileValidatingWebhook(ctx context.Context, caCert []b

webhook := configuredWebhook.DeepCopy()

// Clear out any previous (bad) OwnerReferences.
// See: https://github.com/knative/serving/issues/5845
webhook.OwnerReferences = nil
// Set the owner to namespace.
if len(webhook.OwnerReferences) == 0 {
ns, err := ac.client.CoreV1().Namespaces().Get(ctx, system.Namespace(), metav1.GetOptions{})
if err != nil {
return fmt.Errorf("failed to fetch namespace: %v", err)
}
nsRef := *metav1.NewControllerRef(ns, corev1.SchemeGroupVersion.WithKind("Namespace"))
webhook.OwnerReferences = []metav1.OwnerReference{nsRef}
}

for i, wh := range webhook.Webhooks {
if wh.Name != webhook.Name {
Expand Down
30 changes: 21 additions & 9 deletions webhook/configmaps/table_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -60,6 +60,14 @@ func TestReconcile(t *testing.T) {
},
}

ns := &corev1.Namespace{
ObjectMeta: metav1.ObjectMeta{
Name: system.Namespace(),
},
}
nsRef := *metav1.NewControllerRef(ns, corev1.SchemeGroupVersion.WithKind("Namespace"))
expectedOwnerReferences := []metav1.OwnerReference{nsRef}

ruleScope := admissionregistrationv1.NamespacedScope

// These are the rules we expect given the context of "validations".
Expand Down Expand Up @@ -104,7 +112,7 @@ func TestReconcile(t *testing.T) {
}, {
Name: "secret and VWH exist, missing service reference",
Key: key,
Objects: []runtime.Object{secret,
Objects: []runtime.Object{secret, ns,
&admissionregistrationv1.ValidatingWebhookConfiguration{
ObjectMeta: metav1.ObjectMeta{
Name: name,
Expand All @@ -118,7 +126,7 @@ func TestReconcile(t *testing.T) {
}, {
Name: "secret and VWH exist, missing other stuff",
Key: key,
Objects: []runtime.Object{secret,
Objects: []runtime.Object{secret, ns,
&admissionregistrationv1.ValidatingWebhookConfiguration{
ObjectMeta: metav1.ObjectMeta{
Name: name,
Expand All @@ -137,7 +145,8 @@ func TestReconcile(t *testing.T) {
WantUpdates: []clientgotesting.UpdateActionImpl{{
Object: &admissionregistrationv1.ValidatingWebhookConfiguration{
ObjectMeta: metav1.ObjectMeta{
Name: name,
Name: name,
OwnerReferences: expectedOwnerReferences,
},
Webhooks: []admissionregistrationv1.ValidatingWebhook{{
Name: name,
Expand All @@ -159,7 +168,7 @@ func TestReconcile(t *testing.T) {
}, {
Name: "secret and VWH exist, added fields are incorrect",
Key: key,
Objects: []runtime.Object{secret,
Objects: []runtime.Object{secret, ns,
&admissionregistrationv1.ValidatingWebhookConfiguration{
ObjectMeta: metav1.ObjectMeta{
Name: name,
Expand Down Expand Up @@ -191,7 +200,8 @@ func TestReconcile(t *testing.T) {
WantUpdates: []clientgotesting.UpdateActionImpl{{
Object: &admissionregistrationv1.ValidatingWebhookConfiguration{
ObjectMeta: metav1.ObjectMeta{
Name: name,
Name: name,
OwnerReferences: expectedOwnerReferences,
},
Webhooks: []admissionregistrationv1.ValidatingWebhook{{
Name: name,
Expand All @@ -217,7 +227,7 @@ func TestReconcile(t *testing.T) {
WithReactors: []clientgotesting.ReactionFunc{
InduceFailure("update", "validatingwebhookconfigurations"),
},
Objects: []runtime.Object{secret,
Objects: []runtime.Object{secret, ns,
&admissionregistrationv1.ValidatingWebhookConfiguration{
ObjectMeta: metav1.ObjectMeta{
Name: name,
Expand Down Expand Up @@ -249,7 +259,8 @@ func TestReconcile(t *testing.T) {
WantUpdates: []clientgotesting.UpdateActionImpl{{
Object: &admissionregistrationv1.ValidatingWebhookConfiguration{
ObjectMeta: metav1.ObjectMeta{
Name: name,
Name: name,
OwnerReferences: expectedOwnerReferences,
},
Webhooks: []admissionregistrationv1.ValidatingWebhook{{
Name: name,
Expand All @@ -271,10 +282,11 @@ func TestReconcile(t *testing.T) {
}, {
Name: ":fire: everything is fine :fire:",
Key: key,
Objects: []runtime.Object{secret,
Objects: []runtime.Object{secret, ns,
&admissionregistrationv1.ValidatingWebhookConfiguration{
ObjectMeta: metav1.ObjectMeta{
Name: name,
Name: name,
OwnerReferences: expectedOwnerReferences,
},
Webhooks: []admissionregistrationv1.ValidatingWebhook{{
Name: name,
Expand Down
12 changes: 9 additions & 3 deletions webhook/resourcesemantics/defaulting/defaulting.go
Original file line number Diff line number Diff line change
Expand Up @@ -30,6 +30,7 @@ import (
jsonpatch "gomodules.xyz/jsonpatch/v2"
admissionv1 "k8s.io/api/admission/v1"
admissionregistrationv1 "k8s.io/api/admissionregistration/v1"
corev1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/runtime/schema"
"k8s.io/apimachinery/pkg/types"
Expand Down Expand Up @@ -172,9 +173,14 @@ func (ac *reconciler) reconcileMutatingWebhook(ctx context.Context, caCert []byt

current := configuredWebhook.DeepCopy()

// Clear out any previous (bad) OwnerReferences.
// See: https://github.com/knative/serving/issues/5845
current.OwnerReferences = nil
if len(current.OwnerReferences) == 0 {
ns, err := ac.client.CoreV1().Namespaces().Get(ctx, system.Namespace(), metav1.GetOptions{})
if err != nil {
return fmt.Errorf("failed to fetch namespace: %v", err)
}
nsRef := *metav1.NewControllerRef(ns, corev1.SchemeGroupVersion.WithKind("Namespace"))
current.OwnerReferences = []metav1.OwnerReference{nsRef}
}

for i, wh := range current.Webhooks {
if wh.Name != current.Name {
Expand Down
34 changes: 23 additions & 11 deletions webhook/resourcesemantics/defaulting/table_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -60,6 +60,13 @@ func TestReconcile(t *testing.T) {
certresources.CACert: []byte("present"),
},
}
ns := &corev1.Namespace{
ObjectMeta: metav1.ObjectMeta{
Name: system.Namespace(),
},
}
nsRef := *metav1.NewControllerRef(ns, corev1.SchemeGroupVersion.WithKind("Namespace"))
expectedOwnerReferences := []metav1.OwnerReference{nsRef}

// This is the namespace selector setup
namespaceSelector := &metav1.LabelSelector{
Expand Down Expand Up @@ -131,7 +138,7 @@ func TestReconcile(t *testing.T) {
}, {
Name: "secret and MWH exist, missing service reference",
Key: key,
Objects: []runtime.Object{secret,
Objects: []runtime.Object{secret, ns,
&admissionregistrationv1.MutatingWebhookConfiguration{
ObjectMeta: metav1.ObjectMeta{
Name: name,
Expand All @@ -145,7 +152,7 @@ func TestReconcile(t *testing.T) {
}, {
Name: "secret and MWH exist, missing other stuff",
Key: key,
Objects: []runtime.Object{secret,
Objects: []runtime.Object{secret, ns,
&admissionregistrationv1.MutatingWebhookConfiguration{
ObjectMeta: metav1.ObjectMeta{
Name: name,
Expand All @@ -164,7 +171,8 @@ func TestReconcile(t *testing.T) {
WantUpdates: []clientgotesting.UpdateActionImpl{{
Object: &admissionregistrationv1.MutatingWebhookConfiguration{
ObjectMeta: metav1.ObjectMeta{
Name: name,
Name: name,
OwnerReferences: expectedOwnerReferences,
},
Webhooks: []admissionregistrationv1.MutatingWebhook{{
Name: name,
Expand All @@ -187,7 +195,7 @@ func TestReconcile(t *testing.T) {
}, {
Name: "secret and MWH exist, added fields are incorrect",
Key: key,
Objects: []runtime.Object{secret,
Objects: []runtime.Object{secret, ns,
&admissionregistrationv1.MutatingWebhookConfiguration{
ObjectMeta: metav1.ObjectMeta{
Name: name,
Expand Down Expand Up @@ -219,7 +227,8 @@ func TestReconcile(t *testing.T) {
WantUpdates: []clientgotesting.UpdateActionImpl{{
Object: &admissionregistrationv1.MutatingWebhookConfiguration{
ObjectMeta: metav1.ObjectMeta{
Name: name,
Name: name,
OwnerReferences: expectedOwnerReferences,
},
Webhooks: []admissionregistrationv1.MutatingWebhook{{
Name: name,
Expand All @@ -246,7 +255,7 @@ func TestReconcile(t *testing.T) {
WithReactors: []clientgotesting.ReactionFunc{
InduceFailure("update", "mutatingwebhookconfigurations"),
},
Objects: []runtime.Object{secret,
Objects: []runtime.Object{secret, ns,
&admissionregistrationv1.MutatingWebhookConfiguration{
ObjectMeta: metav1.ObjectMeta{
Name: name,
Expand Down Expand Up @@ -278,7 +287,8 @@ func TestReconcile(t *testing.T) {
WantUpdates: []clientgotesting.UpdateActionImpl{{
Object: &admissionregistrationv1.MutatingWebhookConfiguration{
ObjectMeta: metav1.ObjectMeta{
Name: name,
Name: name,
OwnerReferences: expectedOwnerReferences,
},
Webhooks: []admissionregistrationv1.MutatingWebhook{{
Name: name,
Expand All @@ -301,10 +311,11 @@ func TestReconcile(t *testing.T) {
}, {
Name: ":fire: everything is fine :fire:",
Key: key,
Objects: []runtime.Object{secret,
Objects: []runtime.Object{secret, ns,
&admissionregistrationv1.MutatingWebhookConfiguration{
ObjectMeta: metav1.ObjectMeta{
Name: name,
Name: name,
OwnerReferences: expectedOwnerReferences,
},
Webhooks: []admissionregistrationv1.MutatingWebhook{{
Name: name,
Expand Down Expand Up @@ -336,7 +347,7 @@ func TestReconcile(t *testing.T) {
}, {
Name: "secret and MWH exist, correcting namespaceSelector",
Key: key,
Objects: []runtime.Object{secret,
Objects: []runtime.Object{secret, ns,
&admissionregistrationv1.MutatingWebhookConfiguration{
ObjectMeta: metav1.ObjectMeta{
Name: name,
Expand Down Expand Up @@ -371,7 +382,8 @@ func TestReconcile(t *testing.T) {
WantUpdates: []clientgotesting.UpdateActionImpl{{
Object: &admissionregistrationv1.MutatingWebhookConfiguration{
ObjectMeta: metav1.ObjectMeta{
Name: name,
Name: name,
OwnerReferences: expectedOwnerReferences,
},
Webhooks: []admissionregistrationv1.MutatingWebhook{{
Name: name,
Expand Down
13 changes: 10 additions & 3 deletions webhook/resourcesemantics/validation/reconcile_config.go
Original file line number Diff line number Diff line change
Expand Up @@ -25,6 +25,7 @@ import (
"github.com/gobuffalo/flect"
"go.uber.org/zap"
admissionregistrationv1 "k8s.io/api/admissionregistration/v1"
corev1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/runtime/schema"
"k8s.io/apimachinery/pkg/types"
Expand Down Expand Up @@ -135,9 +136,15 @@ func (ac *reconciler) reconcileValidatingWebhook(ctx context.Context, caCert []b

current := configuredWebhook.DeepCopy()

// Clear out any previous (bad) OwnerReferences.
// See: https://github.com/knative/serving/issues/5845
current.OwnerReferences = nil
// Set the owner to namespace.
if len(current.OwnerReferences) == 0 {
ns, err := ac.client.CoreV1().Namespaces().Get(ctx, system.Namespace(), metav1.GetOptions{})
if err != nil {
return fmt.Errorf("failed to fetch namespace: %v", err)
}
nsRef := *metav1.NewControllerRef(ns, corev1.SchemeGroupVersion.WithKind("Namespace"))
current.OwnerReferences = []metav1.OwnerReference{nsRef}
}

for i, wh := range current.Webhooks {
if wh.Name != current.Name {
Expand Down
35 changes: 24 additions & 11 deletions webhook/resourcesemantics/validation/reconcile_config_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -61,6 +61,14 @@ func TestReconcile(t *testing.T) {
},
}

ns := &corev1.Namespace{
ObjectMeta: metav1.ObjectMeta{
Name: system.Namespace(),
},
}
nsRef := *metav1.NewControllerRef(ns, corev1.SchemeGroupVersion.WithKind("Namespace"))
expectedOwnerReferences := []metav1.OwnerReference{nsRef}

// This is the namespace selector setup
namespaceSelector := &metav1.LabelSelector{
MatchExpressions: []metav1.LabelSelectorRequirement{{
Expand Down Expand Up @@ -131,7 +139,7 @@ func TestReconcile(t *testing.T) {
}, {
Name: "secret and VWH exist, missing service reference",
Key: key,
Objects: []runtime.Object{secret,
Objects: []runtime.Object{secret, ns,
&admissionregistrationv1.ValidatingWebhookConfiguration{
ObjectMeta: metav1.ObjectMeta{
Name: name,
Expand All @@ -145,7 +153,7 @@ func TestReconcile(t *testing.T) {
}, {
Name: "secret and VWH exist, missing other stuff",
Key: key,
Objects: []runtime.Object{secret,
Objects: []runtime.Object{secret, ns,
&admissionregistrationv1.ValidatingWebhookConfiguration{
ObjectMeta: metav1.ObjectMeta{
Name: name,
Expand All @@ -164,7 +172,8 @@ func TestReconcile(t *testing.T) {
WantUpdates: []clientgotesting.UpdateActionImpl{{
Object: &admissionregistrationv1.ValidatingWebhookConfiguration{
ObjectMeta: metav1.ObjectMeta{
Name: name,
Name: name,
OwnerReferences: expectedOwnerReferences,
},
Webhooks: []admissionregistrationv1.ValidatingWebhook{{
Name: name,
Expand All @@ -187,7 +196,7 @@ func TestReconcile(t *testing.T) {
}, {
Name: "secret and VWH exist, added fields are incorrect",
Key: key,
Objects: []runtime.Object{secret,
Objects: []runtime.Object{secret, ns,
&admissionregistrationv1.ValidatingWebhookConfiguration{
ObjectMeta: metav1.ObjectMeta{
Name: name,
Expand Down Expand Up @@ -219,7 +228,8 @@ func TestReconcile(t *testing.T) {
WantUpdates: []clientgotesting.UpdateActionImpl{{
Object: &admissionregistrationv1.ValidatingWebhookConfiguration{
ObjectMeta: metav1.ObjectMeta{
Name: name,
Name: name,
OwnerReferences: expectedOwnerReferences,
},
Webhooks: []admissionregistrationv1.ValidatingWebhook{{
Name: name,
Expand All @@ -246,7 +256,7 @@ func TestReconcile(t *testing.T) {
WithReactors: []clientgotesting.ReactionFunc{
InduceFailure("update", "validatingwebhookconfigurations"),
},
Objects: []runtime.Object{secret,
Objects: []runtime.Object{secret, ns,
&admissionregistrationv1.ValidatingWebhookConfiguration{
ObjectMeta: metav1.ObjectMeta{
Name: name,
Expand Down Expand Up @@ -278,7 +288,8 @@ func TestReconcile(t *testing.T) {
WantUpdates: []clientgotesting.UpdateActionImpl{{
Object: &admissionregistrationv1.ValidatingWebhookConfiguration{
ObjectMeta: metav1.ObjectMeta{
Name: name,
Name: name,
OwnerReferences: expectedOwnerReferences,
},
Webhooks: []admissionregistrationv1.ValidatingWebhook{{
Name: name,
Expand All @@ -301,10 +312,11 @@ func TestReconcile(t *testing.T) {
}, {
Name: ":fire: everything is fine :fire:",
Key: key,
Objects: []runtime.Object{secret,
Objects: []runtime.Object{secret, ns,
&admissionregistrationv1.ValidatingWebhookConfiguration{
ObjectMeta: metav1.ObjectMeta{
Name: name,
Name: name,
OwnerReferences: expectedOwnerReferences,
},
Webhooks: []admissionregistrationv1.ValidatingWebhook{{
Name: name,
Expand Down Expand Up @@ -336,7 +348,7 @@ func TestReconcile(t *testing.T) {
}, {
Name: "secret and VWH exist, correcting namespaceSelector",
Key: key,
Objects: []runtime.Object{secret,
Objects: []runtime.Object{secret, ns,
&admissionregistrationv1.ValidatingWebhookConfiguration{
ObjectMeta: metav1.ObjectMeta{
Name: name,
Expand Down Expand Up @@ -371,7 +383,8 @@ func TestReconcile(t *testing.T) {
WantUpdates: []clientgotesting.UpdateActionImpl{{
Object: &admissionregistrationv1.ValidatingWebhookConfiguration{
ObjectMeta: metav1.ObjectMeta{
Name: name,
Name: name,
OwnerReferences: expectedOwnerReferences,
},
Webhooks: []admissionregistrationv1.ValidatingWebhook{{
Name: name,
Expand Down

0 comments on commit 1b3b751

Please sign in to comment.