Merge pull request #57 from wandera/admission_api

Update to admission api v1

docs/k8s/bundle.yaml

@@ -1,11 +1,11 @@
 apiVersion: v1
 kind: ConfigMap
 metadata:
-  name: initializer-config
+  name: config-injector-config
   namespace: default
 data:
   config.yaml: |-
-    container-image: wanderadock/scccmd:v0.0.2
+    container-image: ghcr.io/wandera/scccmd:v2.0.0
     default:
       label: master
       profile: development
@@ -37,7 +37,7 @@ spec:
     spec:
       containers:
       - name: config-injector-initializer
-        image: wanderadock/scccmd:v0.0.2
+        image: ghcr.io/wandera/scccmd:v2.0.0
         args:
         - webhook
         - --config-file
@@ -72,24 +72,31 @@ spec:
   selector:
     app: config-injector
 ---
-apiVersion: admissionregistration.k8s.io/v1beta1
+apiVersion: admissionregistration.k8s.io/v1
 kind: MutatingWebhookConfiguration
 metadata:
   name: config-injector-webhook
 webhooks:
-  - name: config.scccmd.github.com
-    failurePolicy: Fail
-    clientConfig:
-      service:
-        name: config-injector
-        namespace: default
-        path: "/inject"
-      caBundle: ''
-    rules:
-      - operations: [ "CREATE" ]
-        apiGroups: [""]
-        apiVersions: ["v1"]
-        resources: ["pods"]
-    namespaceSelector:
-      matchLabels:
-        inject: true
+- admissionReviewVersions:
+  - v1
+  clientConfig:
+    service:
+      name: config-injector
+      namespace: config
+      path: /inject
+  matchPolicy: Exact
+  name: config.scccmd.github.com
+  namespaceSelector:
+    matchLabels:
+      inject-config: "true"
+  reinvocationPolicy: Never
+  rules:
+  - apiGroups:
+    - ""
+    apiVersions:
+    - v1
+    operations:
+    - CREATE
+    resources:
+    - pods
+  sideEffects: None

pkg/inject/hook.go

@@ -17,7 +17,7 @@ import (
 	"github.com/fsnotify/fsnotify"
 	log "github.com/sirupsen/logrus"
 	"gopkg.in/yaml.v2"
-	"k8s.io/api/admission/v1beta1"
+	v1 "k8s.io/api/admission/v1"
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/resource"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -227,7 +227,7 @@ func (wh *Webhook) Run(stop <-chan struct{}) {
 			log.Errorf("Watcher error: %v", err)
 		case <-healthC:
 			content := []byte(`ok`)
-			//#nosec G306
+			// #nosec G306
 			if err := os.WriteFile(wh.healthCheckFile, content, 0o644); err != nil {
 				log.Errorf("Health check update of %q failed: %v", wh.healthCheckFile, err)
 			}
@@ -258,16 +258,16 @@ func (wh *Webhook) serveInject(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	var reviewResponse *v1beta1.AdmissionResponse
-	ar := v1beta1.AdmissionReview{}
+	var reviewResponse *v1.AdmissionResponse
+	ar := v1.AdmissionReview{}
 	if _, _, err := deserializer.Decode(body, nil, &ar); err != nil {
 		log.Errorf("Could not decode body: %v", err)
 		reviewResponse = toAdmissionResponse(err)
 	} else {
 		reviewResponse = wh.inject(&ar)
 	}
 
-	response := v1beta1.AdmissionReview{}
+	response := v1.AdmissionReview{}
 	if reviewResponse != nil {
 		response.Response = reviewResponse
 		if ar.Request != nil {
@@ -286,7 +286,7 @@ func (wh *Webhook) serveInject(w http.ResponseWriter, r *http.Request) {
 	}
 }
 
-// Check check that webhook is up.
+// Check checks that webhook is up.
 func (wh *Webhook) Check() health.Health {
 	whHealth := health.NewHealth()
 	whHealth.Up()
@@ -308,7 +308,7 @@ func (wh *Webhook) Check() health.Health {
 	return whHealth
 }
 
-func (wh *Webhook) inject(ar *v1beta1.AdmissionReview) *v1beta1.AdmissionResponse {
+func (wh *Webhook) inject(ar *v1.AdmissionReview) *v1.AdmissionResponse {
 	statusKey := wh.config.AnnotationPrefix + "status"
 	injectKey := wh.config.AnnotationPrefix + "inject"
 
@@ -335,7 +335,7 @@ func (wh *Webhook) inject(ar *v1beta1.AdmissionReview) *v1beta1.AdmissionRespons
 
 	if !injectRequired(ignoredNamespaces, wh.config.Policy, &pod.ObjectMeta, injectKey, statusKey) {
 		log.Infof("Skipping %s/%s/%s due to policy check", req.Kind, pod.Namespace, pod.Name)
-		return &v1beta1.AdmissionResponse{
+		return &v1.AdmissionResponse{
 			Allowed: true,
 		}
 	}
@@ -354,11 +354,11 @@ func (wh *Webhook) inject(ar *v1beta1.AdmissionReview) *v1beta1.AdmissionRespons
 
 	log.Debugf("AdmissionResponse: patch=%s", string(patchBytes))
 
-	reviewResponse := v1beta1.AdmissionResponse{
+	reviewResponse := v1.AdmissionResponse{
 		Allowed: true,
 		Patch:   patchBytes,
-		PatchType: func() *v1beta1.PatchType {
-			pt := v1beta1.PatchTypeJSONPatch
+		PatchType: func() *v1.PatchType {
+			pt := v1.PatchTypeJSONPatch
 			return &pt
 		}(),
 	}
@@ -386,8 +386,8 @@ func loadConfig(injectFile string) (*WebhookConfig, error) {
 	return &c, nil
 }
 
-func toAdmissionResponse(err error) *v1beta1.AdmissionResponse {
-	return &v1beta1.AdmissionResponse{Result: &metav1.Status{Message: err.Error()}}
+func toAdmissionResponse(err error) *v1.AdmissionResponse {
+	return &v1.AdmissionResponse{Result: &metav1.Status{Message: err.Error()}}
 }
 
 func init() {

pkg/inject/hook_test.go

@@ -16,7 +16,7 @@ import (
 	"github.com/wandera/scccmd/internal/testcerts"
 	"github.com/wandera/scccmd/internal/testutil"
 	"gopkg.in/yaml.v2"
-	"k8s.io/api/admission/v1beta1"
+	"k8s.io/api/admission/v1"
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/resource"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -212,13 +212,13 @@ func makeTestData(t testing.TB, skip bool) []byte {
 		t.Fatalf("Could not create test pod: %v", err)
 	}
 
-	review := v1beta1.AdmissionReview{
-		Request: &v1beta1.AdmissionRequest{
+	review := v1.AdmissionReview{
+		Request: &v1.AdmissionRequest{
 			Kind: metav1.GroupVersionKind{},
 			Object: runtime.RawExtension{
 				Raw: raw,
 			},
-			Operation: v1beta1.Create,
+			Operation: v1.Create,
 		},
 	}
 	reviewJSON, err := json.Marshal(review)
@@ -433,7 +433,7 @@ func TestRunAndServe(t *testing.T) {
 			if err != nil {
 				t.Fatalf("could not read body: %v", err)
 			}
-			var gotReview v1beta1.AdmissionReview
+			var gotReview v1.AdmissionReview
 			if err := json.Unmarshal(gotBody, &gotReview); err != nil {
 				t.Fatalf("could not decode response body: %v", err)
 			}