Set sideEffects for pod-identity-webhook mutatingwebhook
nak3 opened this issue · 4 comments
nak3 commented
Bug description
When MutatingWebhookConfiguration/pod-identity-webhook is deployed, its sideEffects is Unknown (=v1beta1's default).
MutatingWebhookConfiguration/pod-identity-webhook
```yaml
- apiVersion: admissionregistration.k8s.io/v1
  kind: MutatingWebhookConfiguration
  metadata:
    annotations:
      service.beta.openshift.io/inject-cabundle: "true"
    creationTimestamp: "2020-07-29T05:07:55Z"
    generation: 2
    managedFields:
    - apiVersion: admissionregistration.k8s.io/v1beta1
      fieldsType: FieldsV1
      fieldsV1:
        f:metadata:
          f:annotations:
            .: {}
            f:service.beta.openshift.io/inject-cabundle: {}
        f:webhooks:
          .: {}
          k:{"name":"pod-identity-webhook.amazonaws.com"}:
            .: {}
            f:admissionReviewVersions: {}
            f:clientConfig:
              .: {}
              f:service:
                .: {}
                f:name: {}
                f:namespace: {}
                f:path: {}
                f:port: {}
            f:failurePolicy: {}
            f:matchPolicy: {}
            f:name: {}
            f:namespaceSelector: {}
            f:objectSelector: {}
            f:reinvocationPolicy: {}
            f:rules: {}
            f:sideEffects: {}
            f:timeoutSeconds: {}
      manager: cloud-credential-operator
      operation: Update
      time: "2020-07-29T05:07:55Z"
    - apiVersion: admissionregistration.k8s.io/v1
      fieldsType: FieldsV1
      fieldsV1:
        f:webhooks:
          k:{"name":"pod-identity-webhook.amazonaws.com"}:
            f:clientConfig:
              f:caBundle: {}
      manager: service-ca-operator
      operation: Update
      time: "2020-07-29T05:07:55Z"
    name: pod-identity-webhook
    resourceVersion: "13547"
    selfLink: /apis/admissionregistration.k8s.io/v1/mutatingwebhookconfigurations/pod-identity-webhook
    uid: c6ebf9c9-a279-43ae-8d91-1aecd00414a9
  webhooks:
  - admissionReviewVersions:
    - v1beta1
    clientConfig:
      caBundle: ...
      service:
        name: pod-identity-webhook
        namespace: openshift-cloud-credential-operator
        path: /mutate
        port: 443
    failurePolicy: Ignore
    matchPolicy: Exact
    name: pod-identity-webhook.amazonaws.com
    namespaceSelector: {}
    objectSelector: {}
    reinvocationPolicy: Never
    rules:
    - apiGroups:
      - ""
      apiVersions:
      - v1
      operations:
      - CREATE
      resources:
      - pods
      scope: '*'
    sideEffects: Unknown
    timeoutSeconds: 30
```
Due to this, when we deploy another webhook for dryRun in the cluster, it does not work.
Please see: https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#side-effects
> Unknown: no information is known about the side effects of calling the webhook. If a request with dryRun: true would trigger a call to this webhook, the request will instead fail, and the webhook will not be called.
nak3 commented
Some more context.
- We (Knative Serving) are running CI on OCP 4.5 and 4.6.
- Although OCP 4.5 passed the webhook test, only OCP 4.6 does not pass the exact same test.
- We tried to dump all webhooks on the cluster by openshift/knative-serving#513 and found pod-identity-webhook has the sideEffects: Unknown only on 4.6.
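
An added example, not part of the issue or of any project named in it: a Python check over a webhook dump, like the one described above, that lists the webhooks whose `sideEffects` value makes a matching `dryRun` request fail. The sample JSON is constructed (its second entry is hypothetical), and the matcher assumes empty selectors as in the dump above and ignores subresources and `scope`.

```python
import json

# Constructed sample in the shape of
# `kubectl get mutatingwebhookconfigurations -o json`, trimmed to the fields used.
# The first entry mirrors the dump in this issue; the second is hypothetical.
SAMPLE = json.loads("""
{"items": [
  {"metadata": {"name": "pod-identity-webhook"},
   "webhooks": [{"name": "pod-identity-webhook.amazonaws.com",
                 "sideEffects": "Unknown",
                 "rules": [{"apiGroups": [""], "apiVersions": ["v1"],
                            "operations": ["CREATE"], "resources": ["pods"]}]}]},
  {"metadata": {"name": "example-dryrun-safe"},
   "webhooks": [{"name": "example.webhook.invalid",
                 "sideEffects": "None",
                 "rules": [{"apiGroups": ["*"], "apiVersions": ["*"],
                            "operations": ["*"], "resources": ["*"]}]}]}
]}
""")

# Only these two values let the API server call the webhook on a dryRun request.
DRY_RUN_SAFE = {"None", "NoneOnDryRun"}

def _hit(values, wanted):
    """A rule field matches on the exact value or on the '*' wildcard."""
    return "*" in values or wanted in values

def rule_matches(rule, group, version, resource, operation):
    return (_hit(rule.get("apiGroups", []), group)
            and _hit(rule.get("apiVersions", []), version)
            and _hit(rule.get("resources", []), resource)
            and _hit(rule.get("operations", []), operation))

def dry_run_blockers(configs, group, version, resource, operation):
    """Return (config, webhook, sideEffects) for each matching webhook that fails dryRun."""
    blockers = []
    for cfg in configs.get("items", []):
        for wh in cfg.get("webhooks") or []:
            side = wh.get("sideEffects", "Unknown")  # Unknown is the v1beta1 default
            if side in DRY_RUN_SAFE:
                continue
            if any(rule_matches(r, group, version, resource, operation)
                   for r in wh.get("rules") or []):
                blockers.append((cfg["metadata"]["name"], wh["name"], side))
    return blockers

if __name__ == "__main__":
    for cfg, wh, side in dry_run_blockers(SAMPLE, "", "v1", "pods", "CREATE"):
        print(f"{cfg}/{wh}: sideEffects={side}, dryRun pod CREATE is rejected")
```
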