vendor dependencies

2026-04-07 02:07:58 +00:00 · 2019-04-24 11:06:03 +02:00 · 2019-04-24 11:06:03 +02:00 · 72abf135d6
commit 72abf135d6
parent 604208ef4f
1156 changed files with 78178 additions and 105799 deletions
--- a/vendor/k8s.io/apiserver/pkg/admission/plugin/webhook/mutating/dispatcher.go
+++ b/vendor/k8s.io/apiserver/pkg/admission/plugin/webhook/mutating/dispatcher.go
@ -24,77 +24,106 @@ import (
 	"time"

 	jsonpatch "github.com/evanphx/json-patch"
-	"github.com/golang/glog"
+	"k8s.io/klog"

 	admissionv1beta1 "k8s.io/api/admission/v1beta1"
 	"k8s.io/api/admissionregistration/v1beta1"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/serializer/json"
 	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
+	"k8s.io/apiserver/pkg/admission"
 	admissionmetrics "k8s.io/apiserver/pkg/admission/metrics"
-	"k8s.io/apiserver/pkg/admission/plugin/webhook/config"
 	webhookerrors "k8s.io/apiserver/pkg/admission/plugin/webhook/errors"
 	"k8s.io/apiserver/pkg/admission/plugin/webhook/generic"
 	"k8s.io/apiserver/pkg/admission/plugin/webhook/request"
+	"k8s.io/apiserver/pkg/admission/plugin/webhook/util"
+	"k8s.io/apiserver/pkg/util/webhook"
 )

 type mutatingDispatcher struct {
-	cm     *config.ClientManager
+	cm     *webhook.ClientManager
 	plugin *Plugin
 }

-func newMutatingDispatcher(p *Plugin) func(cm *config.ClientManager) generic.Dispatcher {
-	return func(cm *config.ClientManager) generic.Dispatcher {
+func newMutatingDispatcher(p *Plugin) func(cm *webhook.ClientManager) generic.Dispatcher {
+	return func(cm *webhook.ClientManager) generic.Dispatcher {
 		return &mutatingDispatcher{cm, p}
 	}
 }

 var _ generic.Dispatcher = &mutatingDispatcher{}

-func (a *mutatingDispatcher) Dispatch(ctx context.Context, attr *generic.VersionedAttributes, relevantHooks []*v1beta1.Webhook) error {
+func (a *mutatingDispatcher) Dispatch(ctx context.Context, attr *generic.VersionedAttributes, o admission.ObjectInterfaces, relevantHooks []*v1beta1.Webhook) error {
 	for _, hook := range relevantHooks {
 		t := time.Now()
-		err := a.callAttrMutatingHook(ctx, hook, attr)
+		err := a.callAttrMutatingHook(ctx, hook, attr, o)
 		admissionmetrics.Metrics.ObserveWebhook(time.Since(t), err != nil, attr.Attributes, "admit", hook.Name)
 		if err == nil {
 			continue
 		}

 		ignoreClientCallFailures := hook.FailurePolicy != nil && *hook.FailurePolicy == v1beta1.Ignore
-		if callErr, ok := err.(*webhookerrors.ErrCallingWebhook); ok {
+		if callErr, ok := err.(*webhook.ErrCallingWebhook); ok {
 			if ignoreClientCallFailures {
-				glog.Warningf("Failed calling webhook, failing open %v: %v", hook.Name, callErr)
+				klog.Warningf("Failed calling webhook, failing open %v: %v", hook.Name, callErr)
 				utilruntime.HandleError(callErr)
 				continue
 			}
-			glog.Warningf("Failed calling webhook, failing closed %v: %v", hook.Name, err)
+			klog.Warningf("Failed calling webhook, failing closed %v: %v", hook.Name, err)
 		}
 		return apierrors.NewInternalError(err)
 	}

 	// convert attr.VersionedObject to the internal version in the underlying admission.Attributes
 	if attr.VersionedObject != nil {
-		return a.plugin.scheme.Convert(attr.VersionedObject, attr.Attributes.GetObject(), nil)
+		return o.GetObjectConvertor().Convert(attr.VersionedObject, attr.Attributes.GetObject(), nil)
 	}
 	return nil
 }

 // note that callAttrMutatingHook updates attr
-func (a *mutatingDispatcher) callAttrMutatingHook(ctx context.Context, h *v1beta1.Webhook, attr *generic.VersionedAttributes) error {
+func (a *mutatingDispatcher) callAttrMutatingHook(ctx context.Context, h *v1beta1.Webhook, attr *generic.VersionedAttributes, o admission.ObjectInterfaces) error {
+	if attr.IsDryRun() {
+		if h.SideEffects == nil {
+			return &webhook.ErrCallingWebhook{WebhookName: h.Name, Reason: fmt.Errorf("Webhook SideEffects is nil")}
+		}
+		if !(*h.SideEffects == v1beta1.SideEffectClassNone || *h.SideEffects == v1beta1.SideEffectClassNoneOnDryRun) {
+			return webhookerrors.NewDryRunUnsupportedErr(h.Name)
+		}
+	}
+
+	// Currently dispatcher only supports `v1beta1` AdmissionReview
+	// TODO: Make the dispatcher capable of sending multiple AdmissionReview versions
+	if !util.HasAdmissionReviewVersion(v1beta1.SchemeGroupVersion.Version, h) {
+		return &webhook.ErrCallingWebhook{WebhookName: h.Name, Reason: fmt.Errorf("webhook does not accept v1beta1 AdmissionReview")}
+	}
+
 	// Make the webhook request
 	request := request.CreateAdmissionReview(attr)
-	client, err := a.cm.HookClient(h)
+	client, err := a.cm.HookClient(util.HookClientConfigForWebhook(h))
 	if err != nil {
-		return &webhookerrors.ErrCallingWebhook{WebhookName: h.Name, Reason: err}
+		return &webhook.ErrCallingWebhook{WebhookName: h.Name, Reason: err}
 	}
 	response := &admissionv1beta1.AdmissionReview{}
-	if err := client.Post().Context(ctx).Body(&request).Do().Into(response); err != nil {
-		return &webhookerrors.ErrCallingWebhook{WebhookName: h.Name, Reason: err}
+	r := client.Post().Context(ctx).Body(&request)
+	if h.TimeoutSeconds != nil {
+		r = r.Timeout(time.Duration(*h.TimeoutSeconds) * time.Second)
+	}
+	if err := r.Do().Into(response); err != nil {
+		return &webhook.ErrCallingWebhook{WebhookName: h.Name, Reason: err}
 	}

 	if response.Response == nil {
-		return &webhookerrors.ErrCallingWebhook{WebhookName: h.Name, Reason: fmt.Errorf("Webhook response was absent")}
+		return &webhook.ErrCallingWebhook{WebhookName: h.Name, Reason: fmt.Errorf("Webhook response was absent")}
+	}
+
+	for k, v := range response.Response.AuditAnnotations {
+		key := h.Name + "/" + k
+		if err := attr.AddAnnotation(key, v); err != nil {
+			klog.Warningf("Failed to set admission audit annotation %s to %s for mutating webhook %s: %v", key, v, h.Name, err)
+		}
 	}

 	if !response.Response.Allowed {
@ -118,7 +147,8 @@ func (a *mutatingDispatcher) callAttrMutatingHook(ctx context.Context, h *v1beta
 		return apierrors.NewInternalError(fmt.Errorf("admission webhook %q attempted to modify the object, which is not supported for this operation", h.Name))
 	}

-	objJS, err := runtime.Encode(a.plugin.jsonSerializer, attr.VersionedObject)
+	jsonSerializer := json.NewSerializer(json.DefaultMetaFactory, o.GetObjectCreater(), o.GetObjectTyper(), false)
+	objJS, err := runtime.Encode(jsonSerializer, attr.VersionedObject)
 	if err != nil {
 		return apierrors.NewInternalError(err)
 	}
@ -133,17 +163,17 @@ func (a *mutatingDispatcher) callAttrMutatingHook(ctx context.Context, h *v1beta
 		// They are represented as Unstructured.
 		newVersionedObject = &unstructured.Unstructured{}
 	} else {
-		newVersionedObject, err = a.plugin.scheme.New(attr.GetKind())
+		newVersionedObject, err = o.GetObjectCreater().New(attr.GetKind())
 		if err != nil {
 			return apierrors.NewInternalError(err)
 		}
 	}
 	// TODO: if we have multiple mutating webhooks, we can remember the json
 	// instead of encoding and decoding for each one.
-	if _, _, err := a.plugin.jsonSerializer.Decode(patchedJS, nil, newVersionedObject); err != nil {
+	if _, _, err := jsonSerializer.Decode(patchedJS, nil, newVersionedObject); err != nil {
 		return apierrors.NewInternalError(err)
 	}
 	attr.VersionedObject = newVersionedObject
-	a.plugin.scheme.Default(attr.VersionedObject)
+	o.GetObjectDefaulter().Default(attr.VersionedObject)
 	return nil
 }
--- a/vendor/k8s.io/apiserver/pkg/admission/plugin/webhook/mutating/plugin.go
+++ b/vendor/k8s.io/apiserver/pkg/admission/plugin/webhook/mutating/plugin.go
@ -17,18 +17,15 @@ limitations under the License.
 package mutating

 import (
-	"fmt"
 	"io"

-	"k8s.io/apimachinery/pkg/runtime"
-	"k8s.io/apimachinery/pkg/runtime/serializer/json"
 	"k8s.io/apiserver/pkg/admission"
 	"k8s.io/apiserver/pkg/admission/configuration"
 	"k8s.io/apiserver/pkg/admission/plugin/webhook/generic"
 )

 const (
-	// Name of admission plug-in
+	// PluginName indicates the name of admission plug-in
 	PluginName = "MutatingAdmissionWebhook"
 )

@ -47,9 +44,6 @@ func Register(plugins *admission.Plugins) {
 // Plugin is an implementation of admission.Interface.
 type Plugin struct {
 	*generic.Webhook
-
-	scheme         *runtime.Scheme
-	jsonSerializer *json.Serializer
 }

 var _ admission.MutationInterface = &Plugin{}
@ -67,30 +61,15 @@ func NewMutatingWebhook(configFile io.Reader) (*Plugin, error) {
 	return p, nil
 }

-// SetScheme sets a serializer(NegotiatedSerializer) which is derived from the scheme
-func (a *Plugin) SetScheme(scheme *runtime.Scheme) {
-	a.Webhook.SetScheme(scheme)
-	if scheme != nil {
-		a.scheme = scheme
-		a.jsonSerializer = json.NewSerializer(json.DefaultMetaFactory, scheme, scheme, false)
-	}
-}
-
 // ValidateInitialization implements the InitializationValidator interface.
 func (a *Plugin) ValidateInitialization() error {
 	if err := a.Webhook.ValidateInitialization(); err != nil {
 		return err
 	}
-	if a.scheme == nil {
-		return fmt.Errorf("scheme is not properly setup")
-	}
-	if a.jsonSerializer == nil {
-		return fmt.Errorf("jsonSerializer is not properly setup")
-	}
 	return nil
 }

 // Admit makes an admission decision based on the request attributes.
-func (a *Plugin) Admit(attr admission.Attributes) error {
-	return a.Webhook.Dispatch(attr)
+func (a *Plugin) Admit(attr admission.Attributes, o admission.ObjectInterfaces) error {
+	return a.Webhook.Dispatch(attr, o)
 }