Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1605229

Summary: MutatingAdmissionWebhook hardcoded to return as ERROR
Product: OpenShift Container Platform Reporter: jolee
Component: kube-apiserverAssignee: Stefan Schimanski <sttts>
Status: CLOSED WONTFIX QA Contact: Xingxing Xia <xxia>
Severity: low Docs Contact:
Priority: low    
Version: 3.9.0CC: aos-bugs, denverjanke, jack.ottofaro, jmatthew, jokerman, jolee, maszulik, mfojtik, mmccomas
Target Milestone: ---   
Target Release: 4.3.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-05-05 15:29:10 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description jolee 2018-07-20 13:39:39 UTC 
Description of problem:

Using MutatingAdmissionWebhook the message is reflected in the response but the status code/reason suggests to the end user that there is an error rather than being a valid informational message. 


Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:
Comment 2 Stefan Schimanski 2018-08-09 11:29:28 UTC 
Which message exactly? This needs more detail.
Comment 4 denverjanke 2018-10-06 10:46:01 UTC 
Regardless of the status code returned by an admission webhook, a 500 error code is returned to the client. Only the 'message' is retained.

Eg. When trying to create a project (namespace) the below json is returned from the webhook.

{
  "kind": "AdmissionReview",
  "apiVersion": "admission.k8s.io/v1beta1",
  "response": {
    "uid": "<request uid>",
    "allowed": false,
    "status": {
      "status": "Failure",
      "message": "Not a valid project name",
      "reason": "Invalid",
      "details": {
          "name": "test"
      },
      "code": 422
    }
  }
}

But the below json is returned to the client.

[{
  "metadata": {},
  "status": "Failure",
  "message": "Internal error occurred: admission webhook \"validator.example.com\" denied the request: Not a valid project name",
  "reason": "InternalError",
  "details": {
    "causes": [
      {
        "message": "admission webhook \"validator.example.com\" denied the request: Not a valid project name"
      }
    ]
  },
  "code": 500
}]
Comment 5 Stefan Schimanski 2018-10-08 10:44:45 UTC 
Worked on upstream: https://github.com/kubernetes/kubernetes/pull/69520
Comment 6 Jack Ottofaro 2019-07-08 15:29:14 UTC 
upstream fix: https://github.com/kubernetes/kubernetes/pull/72751
Comment 7 Stefan Schimanski 2019-07-10 13:51:15 UTC 
This will be in 4.3 through the rebase onto 1.15 if there are no strong reasons for a backport.