Bug 1605229 – MutatingAdmissionWebhook hardcoded to return as ERROR

Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.

Bug 1605229 - MutatingAdmissionWebhook hardcoded to return as ERROR

Summary:	MutatingAdmissionWebhook hardcoded to return as ERROR

Status:	NEW

Aliases:	None

Product:	OpenShift Container Platform
Classification:	Red Hat
Component:	Master (Show other bugs)
Sub Component:
Version:	3.9.0
Hardware:	Unspecified Unspecified

Priority	low Severity low
Target Milestone:	---
Target Release:	3.9.z
Assigned To:	Stefan Schimanski
QA Contact:	Xingxing Xia
Docs Contact:

URL:
Whiteboard:
Keywords:

Depends On:
Blocks:
	Show dependency tree / graph

Reported:	2018-07-20 09:39 EDT by jolee
Modified:	2018-10-08 06:44 EDT (History)
CC List:	8 users (show)

See Also:
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Story Points:	---
Clone Of:
Environment:
Last Closed:
Type:	Bug
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Groups: None (edit)

Description jolee 2018-07-20 09:39:39 EDT

Description of problem:

Using MutatingAdmissionWebhook the message is reflected in the response but the status code/reason suggests to the end user that there is an error rather than being a valid informational message. 


Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:

Comment 2 Stefan Schimanski 2018-08-09 07:29:28 EDT

Which message exactly? This needs more detail.

Comment 4 denverjanke 2018-10-06 06:46:01 EDT

Regardless of the status code returned by an admission webhook, a 500 error code is returned to the client. Only the 'message' is retained.

Eg. When trying to create a project (namespace) the below json is returned from the webhook.

{
  "kind": "AdmissionReview",
  "apiVersion": "admission.k8s.io/v1beta1",
  "response": {
    "uid": "<request uid>",
    "allowed": false,
    "status": {
      "status": "Failure",
      "message": "Not a valid project name",
      "reason": "Invalid",
      "details": {
          "name": "test"
      },
      "code": 422
    }
  }
}

But the below json is returned to the client.

[{
  "metadata": {},
  "status": "Failure",
  "message": "Internal error occurred: admission webhook \"validator.example.com\" denied the request: Not a valid project name",
  "reason": "InternalError",
  "details": {
    "causes": [
      {
        "message": "admission webhook \"validator.example.com\" denied the request: Not a valid project name"
      }
    ]
  },
  "code": 500
}]

Comment 5 Stefan Schimanski 2018-10-08 06:44:45 EDT

Worked on upstream: https://github.com/kubernetes/kubernetes/pull/69520

Note You need to log in before you can comment on or make changes to this bug.