Bug 1635918
Summary: | Mutating and Validating Admission Webhooks Won't Enable Without Custom Config | | |
---|---|---|---|
Product: | OpenShift Container Platform | Reporter: | Ben Browning <bbrownin> |
Component: | kube-apiserver | Assignee: | David Eads <deads> |
Status: | CLOSED WONTFIX | QA Contact: | Xingxing Xia <xxia> |
Severity: | unspecified | Docs Contact: | |
Priority: | unspecified | | |
Version: | 3.11.0 | CC: | afield, aos-bugs, dahernan, jokerman, joly.pro, ksampath, mfojtik, mmccomas, nstielau |
Target Milestone: | --- | | |
Target Release: | 3.11.z | | |
Hardware: | Unspecified | | |
OS: | Unspecified | | |
Whiteboard: | | | |
Fixed In Version: | | Doc Type: | If docs needed, set a value |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2020-01-07 19:51:32 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Description
Ben Browning
2018-10-03 23:25:12 UTC
IMHO I feel the plugins needed to be supplemented with https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#authenticate-apiservers to make them activated. But I don't find the apiVersion in OpenShift, guess we have an equivalent?

(In reply to Kamesh Sampath from comment #1)
> IMHO I feel the plugins needed to be supplemented with
> https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#authenticate-apiservers
> to make them activated. But I don't find the apiVersion in OpenShift, guess we have an equivalent?

You'll see at the end of my comment above that is actually the workaround I use to get these enabled. However, that workaround should not be required to enable the admission webhooks.

As I suspected, it seems other plugins in the DefaultOffPlugins list can't be enabled as documented either. I tested locally with AlwaysPullImages plugin and it did not rewrite the ImagePullPolicy on a newly created pod from IfNotPresent to Always.

Talking with OpenShift teams, I heard "the fixes required to enable by default were explicitly kicked from 3.11. We didn't have them ready in time and they were too large... It was a large change that swept every admission plugin"

Still TBD on if this will get in 3.11.z. I think it's one of many things competing for time to rebase.

Just for clarity, fixing this bug does not require enabling the admission webhooks by default. This bug is that you can't enable the admission webhooks via the normal, documented method of supplying a DefaultAdmissionConfig config stanza with disabled:false. Instead, you have to supply custom WebhookAdmission config pointing to a fake kubeConfigFile to emulate the desired behavior of just enabling them.

See the references to DefaultAdmissionConfig here - https://docs.openshift.com/container-platform/3.10/architecture/additional_concepts/admission_controllers.html#admission-controllers-general-admission-rules

In 3.11, that will not work to enable the plugins. The documented example will not enable the AlwaysPullImages admission plugin, for example. The reason it won't work is due to this bug.

Closing this as WONTFIX for 3.11. Mutating and validating admission webhooks were not fully supported in 3.x, and the changeset to address this is significant.
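
The two master-config.yaml fragments contrasted in this thread, as an added example that is not taken from the bug report: the documented DefaultAdmissionConfig stanza, which has no effect in 3.11, beside the WebhookAdmission workaround. The `disable` key and `apiVersion: v1` follow the linked 3.10 documentation; the `apiserver.config.k8s.io/v1alpha1` apiVersion and the `/dev/null` path are assumptions and do not appear on this page.

```yaml
# Fragment 1: documented method (linked 3.10 docs).
# Per this bug, on 3.11 this stanza is accepted but the plugin stays off.
# Do not treat its presence in the config as proof the control is active.
admissionConfig:
  pluginConfig:
    AlwaysPullImages:
      configuration:
        kind: DefaultAdmissionConfig
        apiVersion: v1
        disable: false
---
# Fragment 2: workaround described in the thread for the webhook plugins.
# Each plugin gets a WebhookAdmission config whose kubeConfigFile points
# at a placeholder file (assumed here to be /dev/null), so the plugin is
# switched on without supplying real webhook client credentials.
admissionConfig:
  pluginConfig:
    MutatingAdmissionWebhook:
      configuration:
        kind: WebhookAdmission
        apiVersion: apiserver.config.k8s.io/v1alpha1   # assumption
        kubeConfigFile: /dev/null                      # assumption
    ValidatingAdmissionWebhook:
      configuration:
        kind: WebhookAdmission
        apiVersion: apiserver.config.k8s.io/v1alpha1   # assumption
        kubeConfigFile: /dev/null                      # assumption
# Verification, using the behavioural test from the thread:
# create a pod with imagePullPolicy: IfNotPresent and read it back.
# If AlwaysPullImages were active the stored value would be Always;
# on 3.11 with Fragment 1 it remains IfNotPresent.
```

Because the config is accepted without error in both cases, confirm an admission plugin by its effect on a test object after restarting the API server, not by the stanza alone.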