openshift/cloud-credential-operator

Set sideEffects for pod-identity-webhook mutatingwebhook

nak3 opened this issue · 4 comments

nak3 commented

Bug description

When MutatingWebhookConfiguration/pod-identity-webhook is deployed, its sideEffects is Unknown (the v1beta1 default).

MutatingWebhookConfiguration/pod-identity-webhook
- apiVersion: admissionregistration.k8s.io/v1
  kind: MutatingWebhookConfiguration
  metadata:
    annotations:
      service.beta.openshift.io/inject-cabundle: "true"
    creationTimestamp: "2020-07-29T05:07:55Z"
    generation: 2
    managedFields:
    - apiVersion: admissionregistration.k8s.io/v1beta1
      fieldsType: FieldsV1
      fieldsV1:
        f:metadata:
          f:annotations:
            .: {}
            f:service.beta.openshift.io/inject-cabundle: {}
        f:webhooks:
          .: {}
          k:{"name":"pod-identity-webhook.amazonaws.com"}:
            .: {}
            f:admissionReviewVersions: {}
            f:clientConfig:
              .: {}
              f:service:
                .: {}
                f:name: {}
                f:namespace: {}
                f:path: {}
                f:port: {}
            f:failurePolicy: {}
            f:matchPolicy: {}
            f:name: {}
            f:namespaceSelector: {}
            f:objectSelector: {}
            f:reinvocationPolicy: {}
            f:rules: {}
            f:sideEffects: {}
            f:timeoutSeconds: {}
      manager: cloud-credential-operator
      operation: Update
      time: "2020-07-29T05:07:55Z"
    - apiVersion: admissionregistration.k8s.io/v1
      fieldsType: FieldsV1
      fieldsV1:
        f:webhooks:
          k:{"name":"pod-identity-webhook.amazonaws.com"}:
            f:clientConfig:
              f:caBundle: {}
      manager: service-ca-operator
      operation: Update
      time: "2020-07-29T05:07:55Z"
    name: pod-identity-webhook
    resourceVersion: "13547"
    selfLink: /apis/admissionregistration.k8s.io/v1/mutatingwebhookconfigurations/pod-identity-webhook
    uid: c6ebf9c9-a279-43ae-8d91-1aecd00414a9
  webhooks:
  - admissionReviewVersions:
    - v1beta1
    clientConfig:
      caBundle: <omitted>
      service:
        name: pod-identity-webhook
        namespace: openshift-cloud-credential-operator
        path: /mutate
        port: 443
    failurePolicy: Ignore
    matchPolicy: Exact
    name: pod-identity-webhook.amazonaws.com
    namespaceSelector: {}
    objectSelector: {}
    reinvocationPolicy: Never
    rules:
    - apiGroups:
      - ""
      apiVersions:
      - v1
      operations:
      - CREATE
      resources:
      - pods
      scope: '*'
    sideEffects: Unknown
    timeoutSeconds: 30

Due to this, when we deploy another webhook for dryRun in the cluster, it does not work.

Please see: https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#side-effects

Unknown: no information is known about the side effects of calling the webhook. If a request with dryRun: true would trigger a call to this webhook, the request will instead fail, and the webhook will not be called.
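The failure mode described above can be checked for without a cluster. The following is an added example, not code from this issue or from cloud-credential-operator: a small Go audit that reads a MutatingWebhookConfiguration in the JSON shape `kubectl get mutatingwebhookconfiguration <name> -o json` returns, finds the webhooks whose rules match a CREATE of core/v1 pods, and reports those whose sideEffects class makes the apiserver reject a dryRun request. The type and function names are this example's own, and the embedded sample document is constructed from the fields of the dump above (caBundle left out).

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Subset of admissionregistration.k8s.io/v1 MutatingWebhookConfiguration
// needed for the audit; JSON tags match the API field names.
type webhookRule struct {
	APIGroups   []string `json:"apiGroups"`
	APIVersions []string `json:"apiVersions"`
	Operations  []string `json:"operations"`
	Resources   []string `json:"resources"`
}

type webhook struct {
	Name          string        `json:"name"`
	FailurePolicy string        `json:"failurePolicy"`
	SideEffects   string        `json:"sideEffects"`
	Rules         []webhookRule `json:"rules"`
}

type webhookConfiguration struct {
	Metadata struct {
		Name string `json:"name"`
	} `json:"metadata"`
	Webhooks []webhook `json:"webhooks"`
}

// DryRunBlocker is one webhook the apiserver will refuse to call for a
// dryRun request. The request itself then fails; failurePolicy only governs
// errors from calling the webhook, so Ignore does not rescue it.
type DryRunBlocker struct {
	Config, Webhook, SideEffects, FailurePolicy string
}

// BlocksDryRun reports whether a sideEffects class makes the apiserver reject
// matching dryRun requests. Only None and NoneOnDryRun are accepted; Some,
// Unknown and an empty value (v1beta1 defaulted it to Unknown) are rejected.
func BlocksDryRun(sideEffects string) bool {
	switch sideEffects {
	case "None", "NoneOnDryRun":
		return false
	}
	return true
}

// contains matches an exact entry or the "*" wildcard used in webhook rules.
func contains(list []string, want string) bool {
	for _, v := range list {
		if v == "*" || v == want {
			return true
		}
	}
	return false
}

// matchesPodCreate reports whether any rule covers CREATE of core/v1 pods.
func matchesPodCreate(w webhook) bool {
	for _, r := range w.Rules {
		if contains(r.APIGroups, "") && contains(r.APIVersions, "v1") &&
			contains(r.Operations, "CREATE") && contains(r.Resources, "pods") {
			return true
		}
	}
	return false
}

// AuditDryRun parses one MutatingWebhookConfiguration JSON document and lists
// the webhooks that would make a dryRun pod CREATE fail.
func AuditDryRun(doc []byte) ([]DryRunBlocker, error) {
	var cfg webhookConfiguration
	if err := json.Unmarshal(doc, &cfg); err != nil {
		return nil, fmt.Errorf("parse webhook configuration: %w", err)
	}
	var out []DryRunBlocker
	for _, w := range cfg.Webhooks {
		if matchesPodCreate(w) && BlocksDryRun(w.SideEffects) {
			out = append(out, DryRunBlocker{Config: cfg.Metadata.Name, Webhook: w.Name,
				SideEffects: w.SideEffects, FailurePolicy: w.FailurePolicy})
		}
	}
	return out, nil
}

// Constructed sample: the relevant fields of the configuration quoted in the
// issue, with the caBundle omitted (hypothetical input for this example).
const PodIdentityWebhookJSON = `{
  "apiVersion": "admissionregistration.k8s.io/v1",
  "kind": "MutatingWebhookConfiguration",
  "metadata": {"name": "pod-identity-webhook"},
  "webhooks": [{
    "name": "pod-identity-webhook.amazonaws.com",
    "failurePolicy": "Ignore",
    "sideEffects": "Unknown",
    "rules": [{"apiGroups": [""], "apiVersions": ["v1"],
               "operations": ["CREATE"], "resources": ["pods"]}]
  }]
}`

func main() {
	blockers, err := AuditDryRun([]byte(PodIdentityWebhookJSON))
	if err != nil {
		panic(err)
	}
	for _, b := range blockers {
		fmt.Printf("%s/%s: sideEffects=%s (failurePolicy=%s does not help); dryRun pod CREATE fails\n",
			b.Config, b.Webhook, b.SideEffects, b.FailurePolicy)
	}
}
```

Feeding the same document with `sideEffects` changed to `None` (or `NoneOnDryRun`, the right value for a webhook that must keep its side effects for real requests) produces an empty report, which is the state the fix in this issue is after.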

nak3 commented

Some more context.

  • We (Knative Serving) are running CI on OCP 4.5 and 4.6.
  • OCP 4.5 passed the webhook test, but OCP 4.6 does not pass the exact same test.
  • We tried to dump all webhooks on the cluster by openshift/knative-serving#513 and found pod-identity-webhook has the sideEffects: Unknown only on 4.6.

nak3 commented

Hi @sjenning any news about this?

Should be fixed by #249