[experimental] Move admission webhook into skipper for better validation #2478
base: master
|
@@ -69,6 +69,7 @@ import ( | |
"github.com/zalando/skipper/secrets/certregistry" | ||
"github.com/zalando/skipper/swarm" | ||
"github.com/zalando/skipper/tracing" | ||
"github.com/zalando/skipper/webhook" | ||
) | ||
|
||
const ( | ||
|
@@ -947,6 +948,21 @@ type Options struct { | |
OpenPolicyAgentMaxMemoryBodyParsing int64 | ||
|
||
PassiveHealthCheck map[string]string | ||
// EnableValidationWebhook runs skipper in admission webhook mode | ||
// *IMPORTANT* This mode runs only the validation webhook server and does not start the proxy | ||
EnableValidationWebhook bool | ||
|
||
// ValidationWebhookTLSCertFile is the path to the certificate file for the admission webhook server | ||
ValidationWebhookTLSCertFile string | ||
|
||
// ValidationWebhookTLSKeyFile is the path to the private key file for the admission webhook server | ||
ValidationWebhookTLSKeyFile string | ||
|
||
// ValidationWebhookAddr is the address to listen on for the admission webhook server | ||
ValidationWebhookAddr string | ||
|
||
// ValidationWebhookLogLevel is the log level for the admission webhook server | ||
ValidationWebhookLogLevel string | ||
} | ||
|
||
func (o *Options) KubernetesDataClientOptions() kubernetes.Options { | ||
|
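Review bot: the new Options fields are documented only by name; the comment on EnableValidationWebhook promises that "this mode runs only the validation webhook server and does not start the proxy", but nothing in the option definitions records what values are required for that mode. Document the default for ValidationWebhookAddr, the accepted values for ValidationWebhookLogLevel (a free-form string here), and whether ValidationWebhookTLSCertFile / ValidationWebhookTLSKeyFile are mandatory. The Kubernetes API server calls admission webhooks over HTTPS only, so an empty cert/key pair should be treated as a configuration error rather than silently falling back to a plaintext listener.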
@@ -2058,6 +2074,16 @@ func run(o Options, sig chan os.Signal, idleConnsCH chan struct{}) error { | |
routing := routing.New(ro) | ||
defer routing.Close() | ||
|
||
if o.EnableValidationWebhook { | ||
if o.EnableValidationWebhook { ||

Here I see the code starting some alternative mode of skipper binary. So I would expect something like

In the next line you can see 'webhook.Run()'

Yes, I see

why should they run together? Every mode is a separate one and every one runs its own required place and own required options
||
webhook.Run( | ||
o.ValidationWebhookLogLevel, | ||
o.ValidationWebhookAddr, | ||
o.ValidationWebhookTLSCertFile, | ||
o.ValidationWebhookTLSKeyFile, | ||
o.filterRegistry(), | ||
) | ||
} | ||
|
||
proxyFlags := proxy.Flags(o.ProxyOptions) | o.ProxyFlags | ||
proxyParams := proxy.Params{ | ||
Routing: routing, | ||
|
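Review bot: webhook.Run(...) is invoked and then execution falls through to `proxyFlags := proxy.Flags(o.ProxyOptions) | o.ProxyFlags`, so the proxy setup still runs after the webhook branch, which contradicts the option comment that webhook mode does not start the proxy. Either have Run return an error and write `return webhook.Run(...)` so a failed TLS listener is surfaced to the caller of run(), or `return nil` right after it. Run also receives neither `sig` nor `idleConnsCH`, so the webhook listener has no graceful-shutdown path, and `routing := routing.New(ro)` has already been constructed above even though webhook mode only needs `o.filterRegistry()`; the branch probably belongs earlier in run(), before routing and proxy resources are set up.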
I guess you want to rename it to validation instead of admission.
That's at least what we intend to do even if it runs at admission. https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#validatingadmissionwebhook