Giant Swarm AWS Management Cluster admission controller that implements the following rules:
Mutating Webhook:
-
In an
AWSCluster
resource, the AWS Operator Version is defaulted based on theRelease
CR if it is not set. -
In an
AWSCluster
resource, the Release Version is defaulted based on theCluster
CR if it is not set. -
In an
AWSCluster
resource, the Credential Secret is defaulted if it is not set. -
In an
AWSCluster
resource, the Region is defaulted if it is not set. -
In an
AWSCluster
resource, the Description is defaulted if it is not set. -
In an
AWSCluster
resource, the DNS Domain is defaulted if it is not set. -
In an
AWSCluster
resource, the Pod CIDR is defaulted if it is not set. -
In an
AWSCluster
resource, in a pre-HA version, the Master attribute is defaulted if it is not set. -
In a
Cluster
resource, the Release Version is defaulted to the newest active production version if it is not set. -
In a
Cluster
resource, the Cluster Operator Version is defaulted based on theRelease
CR if it is not set. -
In a
Cluster
resource, the Cluster Operator Version is defaulted based on the new release version during an upgrade. -
In a
G8sControlplane
resource, the Cluster Operator Version is defaulted based on theCluster
CR if it is not set. -
In a
G8sControlplane
resource, the Release Version is defaulted based on theCluster
CR if it is not set. -
In a
G8sControlPlane
resource, when the.spec.replicas
is changed from 1 to 3, the Availability Zones of the accordingAWSControlPlane
will be defaulted if needed. -
In a
G8sControlPlane
resource, the replicas attribute will be defaulted if it is not defined.- For HA-Versions, in case the matching
AWSControlPlane
already exists, the number of AZs determines the value ofreplicas
. In case no suchAWSControlPlane
exists, the default number of AZs is assigned. - For pre-HA versions, replicas is always set to 1 for a single master cluster.
- For HA-Versions, in case the matching
-
In a
G8sControlPlane
resource, the infrastructure reference will be set to point to the matchingAWSControlPlane
. -
In an
AWSControlplane
resource, the AWS Operator Version is defaulted based on theAWSCluster
CR if it is not set. -
In an
AWSControlplane
resource, the Release Version is defaulted based on theCluster
CR if it is not set. -
In an
AWSControlPlane
resource, the Availability Zones will be defaulted if they arenil
.- For HA-Versions, in case the matching
G8sControlPlane
already exists, the number of AZs is determined by the number ofreplicas
defined there. In case no suchG8sControlPlane
exists, the default number of AZs is assigned. - For Pre-HA-Versions, in case the matching
AWSCluster
already exists, the AZ is taken from there.
- For HA-Versions, in case the matching
-
In an
AWSControlPlane
resource, the Instance Type will be defaulted if it is not defined.- For HA-Versions, the default Instance Type is chosen.
- For Pre-HA-Versions, in case the matching
AWSCluster
already exists, the Instance Type is taken from there.
-
In an
AWSMachinedeployment
resource, the Availability Zones will be defaulted if they arenil
. The default number of
AZs is assigned based on the master AZs taken from theAWSControlPlane
CR. -
In an
AWSMachinedeployment
resource, the AWS Operator Version is defaulted based on theAWSCluster
CR if it is not set. -
When a new
AWSMachineDeployment
is created, details are logged. -
In an
AWSMachinedeployment
resource, the Release Version is defaulted based on theCluster
CR if it is not set. -
In a
Machinedeployment
resource, the Release Version is defaulted based on theCluster
CR if it is not set. -
In a
Machinedeployment
resource, the Cluster Operator Version is defaulted based on theCluster
CR if it is not set.
Validating Webhook:
-
In a
G8sControlPlane
resource, it validates the Master Node Replicas are a valid count (Right now either 1 or 3). -
In a
G8sControlPlane
resource, it validates the Master Node Replicas are matching the number of Availability Zones in theAWSControlPlane
resource. -
In an
AWSControlPlane
resource, it validates the Master Instance Type is a valid Instance Type for the installation. -
In an
AWSControlPlane
resource, it validates that the order of Master Node Availability Zones does not change on update. -
In an
AWSControlPlane
resource, it validates that the number of distinct Master Node Availability Zones is maximal. -
In an
AWSControlPlane
resource, it validates the Master Node Availability Zones are valid AZs for the installation. -
In an
AWSControlPlane
resource, it validates the Master Node Availability Zones are a valid count (Right now either 1 or 3). -
In an
AWSControlPlane
resource, it validates the Master Node Availability Zones are matching the number of Replicas in theG8sControlPlane
resource. -
In an
AWSMachineDeployment
resource, it validates the Machine Deployment ID is matching againstMachineDeployment
resource. -
In an
AWSMachineDeployment
resource, on creation it validates that theCluster
is not deleted. -
In an
AWSMachinedeployment
resource, it validates that themax
number of nodes is not 0 and greater or equal tomin
. -
In a
Cluster
resource, the release version label can only be changed to an existing and non-deprecated release by admin users and users in restricted groups. -
In a
Cluster
resource, the release version label can only be changed to a major version that is greater than the current one -
In a
Cluster
resource, the release version label can only be changed if the cluster is in a transitioned condition. ("updated" or "created") but does not skip major versions by admin users and users in restricted groups. -
In a
Cluster
resource, the non-version label values are not allowed to be deleted or renamed by admin users and users in restricted groups. -
In a
Cluster
resource, thegiantswarm.io
label keys are not allowed to be deleted or renamed by admin users and users in restricted groups. -
In a
MachineDeployment
resource, on creation it validates that theCluster
is not deleted. -
In a
NetworkPool
resource, it validates the .Spec.CIDRBlock from other NetworkPools and also checks if there's overlapping from Docker CIDR, Kubernetes cluster IP range or tenant cluster CIDR.
The certificates for the webhook are created with CertManager and injected through the CA Injector.
Firecracker Team
Testing the core-conversion-webhook in a kind cluster on your local machine:
kind create cluster
# Build a linux image
CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build .
docker build . -t core-conversion-webhook:dev
kind load docker-image core-conversion-webhook:dev
# Make sure the Custom Resource Definitions are in place
opsctl ensure crds -k "$(kind get kubeconfig)" -p aws
# Insert the certificate
kubectl apply --context kind-kind -f local_dev/certmanager.yml
## Wait until certmanager is up
kubectl apply --context kind-kind -f local_dev/clusterissuer.yml
helm template core-conversion-webhook -f helm/core-conversion-webhook/ci/default-values.yaml helm/core-conversion-webhook > local_dev/deploy.yaml
## Replace image name with core-conversion-webhook:dev
kubectl apply --context kind-kind -f local_dev/deploy.yaml
kind delete cluster
See Releases
- Bugs: issues
- Please visit https://www.giantswarm.io/responsible-disclosure for information on reporting security issues.
See CONTRIBUTING for details on submitting patches, the contribution workflow as well as reporting bugs.
See docs/Release.md
See docs/webhook.md
See docs/tests.md