update admission webhook to accept client config

2025-12-01 22:03:54 +00:00 · 2017-10-18 12:57:59 -04:00
parent 78ada62c30
commit 0859798e8e
18 changed files with 202 additions and 110 deletions
--- a/plugin/pkg/admission/gc/gc_admission_test.go
+++ b/plugin/pkg/admission/gc/gc_admission_test.go
@@ -86,7 +86,7 @@ func newGCPermissionsEnforcement() (*gcPermissionsEnforcement, error) {
 		whiteList: whiteList,
 	}

-	genericPluginInitializer, err := initializer.New(nil, nil, fakeAuthorizer{}, nil, nil, nil)
+	genericPluginInitializer, err := initializer.New(nil, nil, fakeAuthorizer{}, nil, nil)
 	if err != nil {
 		return nil, err
 	}
--- a/plugin/pkg/admission/webhook/BUILD
+++ b/plugin/pkg/admission/webhook/BUILD
@@ -53,6 +53,7 @@ go_test(
        "//vendor/k8s.io/apimachinery/pkg/runtime/schema:go_default_library",
        "//vendor/k8s.io/apiserver/pkg/admission:go_default_library",
        "//vendor/k8s.io/apiserver/pkg/authentication/user:go_default_library",
+        "//vendor/k8s.io/client-go/rest:go_default_library",
    ],
 )

--- a/plugin/pkg/admission/webhook/admission.go
+++ b/plugin/pkg/admission/webhook/admission.go
@@ -21,10 +21,7 @@ import (
 	"context"
 	"fmt"
 	"io"
-	"net"
-	"net/http"
 	"sync"
-	"time"

 	"github.com/golang/glog"

@@ -105,19 +102,18 @@ type GenericAdmissionWebhook struct {
 	hookSource           WebhookSource
 	serviceResolver      admissioninit.ServiceResolver
 	negotiatedSerializer runtime.NegotiatedSerializer
-	clientCert           []byte
-	clientKey            []byte
-	proxyTransport       *http.Transport
+
+	restClientConfig *rest.Config
 }

 var (
 	_ = admissioninit.WantsServiceResolver(&GenericAdmissionWebhook{})
-	_ = genericadmissioninit.WantsClientCert(&GenericAdmissionWebhook{})
+	_ = genericadmissioninit.WantsWebhookRESTClientConfig(&GenericAdmissionWebhook{})
 	_ = genericadmissioninit.WantsExternalKubeClientSet(&GenericAdmissionWebhook{})
 )

-func (a *GenericAdmissionWebhook) SetProxyTransport(pt *http.Transport) {
-	a.proxyTransport = pt
+func (a *GenericAdmissionWebhook) SetWebhookRESTClientConfig(in *rest.Config) {
+	a.restClientConfig = in
 }

 // SetServiceResolver sets a service resolver for the webhook admission plugin.
@@ -137,18 +133,13 @@ func (a *GenericAdmissionWebhook) SetScheme(scheme *runtime.Scheme) {
 	}
 }

-func (a *GenericAdmissionWebhook) SetClientCert(cert, key []byte) {
-	a.clientCert = cert
-	a.clientKey = key
-}
-
 func (a *GenericAdmissionWebhook) SetExternalKubeClientSet(client clientset.Interface) {
 	a.hookSource = configuration.NewExternalAdmissionHookConfigurationManager(client.Admissionregistration().ExternalAdmissionHookConfigurations())
 }

 func (a *GenericAdmissionWebhook) Validate() error {
-	if a.clientCert == nil || a.clientKey == nil {
-		return fmt.Errorf("the GenericAdmissionWebhook admission plugin requires a client certificate and the private key to be provided")
+	if a.restClientConfig == nil {
+		return fmt.Errorf("the GenericAdmissionWebhook admission plugin requires a restClientConfig to be provided")
 	}
 	if a.hookSource == nil {
 		return fmt.Errorf("the GenericAdmissionWebhook admission plugin requires a Kubernetes client to be provided")
@@ -280,27 +271,12 @@ func (a *GenericAdmissionWebhook) hookClient(h *v1alpha1.ExternalAdmissionHook)
 		return nil, err
 	}

-	var dial func(network, addr string) (net.Conn, error)
-	if a.proxyTransport != nil && a.proxyTransport.Dial != nil {
-		dial = a.proxyTransport.Dial
-	}
-
 	// TODO: cache these instead of constructing one each time
-	cfg := &rest.Config{
-		Host:    u.Host,
-		APIPath: path.Join(u.Path, h.ClientConfig.URLPath),
-		TLSClientConfig: rest.TLSClientConfig{
-			ServerName: h.ClientConfig.Service.Name + "." + h.ClientConfig.Service.Namespace + ".svc",
-			CAData:     h.ClientConfig.CABundle,
-			CertData:   a.clientCert,
-			KeyData:    a.clientKey,
-		},
-		UserAgent: "kube-apiserver-admission",
-		Timeout:   30 * time.Second,
-		ContentConfig: rest.ContentConfig{
-			NegotiatedSerializer: a.negotiatedSerializer,
-		},
-		Dial: dial,
-	}
+	cfg := rest.CopyConfig(a.restClientConfig)
+	cfg.Host = u.Host
+	cfg.APIPath = path.Join(u.Path, h.ClientConfig.URLPath)
+	cfg.TLSClientConfig.ServerName = h.ClientConfig.Service.Name + "." + h.ClientConfig.Service.Namespace + ".svc"
+	cfg.TLSClientConfig.CAData = h.ClientConfig.CABundle
+	cfg.ContentConfig.NegotiatedSerializer = a.negotiatedSerializer
 	return rest.UnversionedRESTClientFor(cfg)
 }
--- a/plugin/pkg/admission/webhook/admission_test.go
+++ b/plugin/pkg/admission/webhook/admission_test.go
@@ -32,6 +32,7 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apiserver/pkg/admission"
 	"k8s.io/apiserver/pkg/authentication/user"
+	"k8s.io/client-go/rest"
 	"k8s.io/kubernetes/pkg/api"
 	"k8s.io/kubernetes/pkg/api/legacyscheme"

@@ -89,8 +90,10 @@ func TestAdmit(t *testing.T) {
 	if err != nil {
 		t.Fatal(err)
 	}
-	wh.clientCert = clientCert
-	wh.clientKey = clientKey
+	wh.restClientConfig = &rest.Config{}
+	wh.restClientConfig.TLSClientConfig.CAData = caCert
+	wh.restClientConfig.TLSClientConfig.CertData = clientCert
+	wh.restClientConfig.TLSClientConfig.KeyData = clientKey

 	// Set up a test object for the call
 	kind := api.Kind("Pod").WithVersion("v1")