-
Notifications
You must be signed in to change notification settings - Fork 47
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix: Remove namespaceSelector from webhook definition #879
fix: Remove namespaceSelector from webhook definition #879
Conversation
Skipping CI for Draft Pull Request. |
d1f74be
to
abaf479
Compare
abaf479
to
7f26a60
Compare
webhooks/ssp_webhook.go
Outdated
@@ -53,6 +66,65 @@ func Setup(mgr ctrl.Manager) error { | |||
Complete() | |||
} | |||
|
|||
// The OLM limits the webhook scope to the namespaces that are defined in the OperatorGroup |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is that an issue for core KubeVirt too? How do we avoid the creation of multiple KubeVirt CRs when deployed via HCO? Does it use the same approach?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It is not. SSP ValidatingWebhookConfiguration
is created by OLM. The webhook for Kubevirt
resource is created by virt-operator
and it only checks deletion, not create or update.
7f26a60
to
ca40f1f
Compare
ca40f1f
to
9098e78
Compare
// that watches ValidatingWebhookConfiguration created by OLM, | ||
// and removes any namespaceSelector defined in it. | ||
// | ||
// The OLM limits the webhook scope to the namespaces that are defined in the OperatorGroup |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Btw. is this a bug than should be opened on OLM?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It is not an OLM bug. Our downstream CSV manifest has intentionally set installModes
field to OwnNamespace
and SingleNamespace
. We want to limit the scope of our operators.
SSP webhook is special compared to regular webhooks, that it should also prevent the creation of SSP CRs in other namespaces, so it needs to be triggered if these objects are created in different namespace.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I understand, but isn't that a valid use case the we should be able to map in OLM?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't know. It looks like a design choice that should be discussed with OLM team.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Would you be able to investigate it? Do other repos in the kubevirt org have the same issue (e.g. HCO)?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
HCO has the same issue. My previous revision of this PR was copied from: https://github.com/kubevirt/hyperconverged-cluster-operator/blob/7ac82e83ad975bf369f7ad1425936047ae892eba/pkg/webhooks/setup.go#L71
Kubevirt does not have a webhook that checks Kubevirt
resource, and I'm not sure about CDI.
It("should not remove namespaceSelector from non SSP webhook", func() { | ||
webhookConfig.Webhooks[0].Rules[0].APIGroups = []string{"non-ssp-api-group"} | ||
|
||
Expect(fakeClient.Create(context.Background(), webhookConfig)).To(Succeed()) | ||
|
||
_, err := testController.Reconcile(context.Background(), testRequest) | ||
Expect(err).ToNot(HaveOccurred()) | ||
|
||
updatedConfig := &admissionv1.ValidatingWebhookConfiguration{} | ||
Expect(fakeClient.Get(context.Background(), client.ObjectKeyFromObject(webhookConfig), updatedConfig)).To(Succeed()) | ||
|
||
Expect(updatedConfig).To(Equal(webhookConfig)) | ||
}) | ||
|
||
It("should not remove namespaceSelector from webhook without labels", func() { | ||
webhookConfig.Labels = nil | ||
|
||
Expect(fakeClient.Create(context.Background(), webhookConfig)).To(Succeed()) | ||
|
||
_, err := testController.Reconcile(context.Background(), testRequest) | ||
Expect(err).ToNot(HaveOccurred()) | ||
|
||
updatedConfig := &admissionv1.ValidatingWebhookConfiguration{} | ||
Expect(fakeClient.Get(context.Background(), client.ObjectKeyFromObject(webhookConfig), updatedConfig)).To(Succeed()) | ||
|
||
Expect(updatedConfig).To(Equal(webhookConfig)) | ||
}) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Maye put these two into a table?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'd prefer not to. It is only 2 tests. If there were more similar test cases, then I would do it.
3878186
to
c30f13a
Compare
The ValidatingWebhookConfiguration created by OLM can have namespaceSelector field set. We don't want that, because the webhook checks that there is only one SSP resource in the cluster. This commit adds a controller that watches ValidatingWebhookConfigurations and removes the namespaceSelector, if the object has a specific label. Signed-off-by: Andrej Krejcir <[email protected]>
c30f13a
to
948eeaa
Compare
Quality Gate passedIssues Measures |
/retest |
1 similar comment
/retest |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/approve
if changed := updateWebhookConfiguration(webhookConfig); !changed { | ||
return reconcile.Result{}, nil | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit
if changed := updateWebhookConfiguration(webhookConfig); !changed { | |
return reconcile.Result{}, nil | |
} | |
if !updateWebhookConfiguration(webhookConfig) { | |
return reconcile.Result{}, nil | |
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is really small. I don't want to retrigger CI because of it.
// that watches ValidatingWebhookConfiguration created by OLM, | ||
// and removes any namespaceSelector defined in it. | ||
// | ||
// The OLM limits the webhook scope to the namespaces that are defined in the OperatorGroup |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Would you be able to investigate it? Do other repos in the kubevirt org have the same issue (e.g. HCO)?
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: 0xFelix The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
@jcanocan can you please take another look? |
/lgtm |
What this PR does / why we need it:
The
ValidatingWebhookConfiguration
created by OLM can havenamespaceSelector
field set. We don't want it, because the webhook checks that there is only one SSP resource in the cluster.Which issue(s) this PR fixes:
Jira: https://issues.redhat.com/browse/CNV-36636
Release note: