From 428868003f6c3f9ad327b4422c748aab222a7a7d Mon Sep 17 00:00:00 2001
From: Min Jin
Date: Wed, 29 Jan 2025 15:48:53 -0800
Subject: [PATCH] switching to v1 admission review

Signed-off-by: Min Jin
---
 deploy/mutatingwebhook.yaml | 2 +-
 pkg/handler/handler.go | 28 +++++++++++-----------
 pkg/handler/handler_test.go | 46 ++++++++++++++++++-------------------
 3 files changed, 39 insertions(+), 37 deletions(-)

diff --git a/deploy/mutatingwebhook.yaml b/deploy/mutatingwebhook.yaml
index 32b39e1df..7fdd68183 100644
--- a/deploy/mutatingwebhook.yaml
+++ b/deploy/mutatingwebhook.yaml
@@ -24,4 +24,4 @@ webhooks:
       apiVersions: ["v1"]
       resources: ["pods"]
     sideEffects: None
-    admissionReviewVersions: ["v1beta1"]
+    admissionReviewVersions: ["v1"]
diff --git a/pkg/handler/handler.go b/pkg/handler/handler.go
index f9eb2e636..fc316fd8c 100644
--- a/pkg/handler/handler.go
+++ b/pkg/handler/handler.go
@@ -30,7 +30,8 @@ import (
 
 	"github.com/aws/amazon-eks-pod-identity-webhook/pkg"
 	"github.com/aws/amazon-eks-pod-identity-webhook/pkg/cache"
-	"k8s.io/api/admission/v1beta1"
+	"k8s.io/api/admission/v1"
+	admissionregistrationv1 "k8s.io/api/admissionregistration/v1"
 	admissionregistrationv1beta1 "k8s.io/api/admissionregistration/v1beta1"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -41,6 +42,7 @@ import (
 
 func init() {
 	_ = corev1.AddToScheme(runtimeScheme)
+	_ = admissionregistrationv1.AddToScheme(runtimeScheme)
 	_ = admissionregistrationv1beta1.AddToScheme(runtimeScheme)
 }
 
@@ -480,8 +482,8 @@ func (m *Modifier) buildPodPatchConfig(pod *corev1.Pod) *podPatchConfig {
 }
 
 // MutatePod takes a AdmissionReview, mutates the pod, and returns an AdmissionResponse
-func (m *Modifier) MutatePod(ar *v1beta1.AdmissionReview) *v1beta1.AdmissionResponse {
-	badRequest := &v1beta1.AdmissionResponse{
+func (m *Modifier) MutatePod(ar *v1.AdmissionReview) *v1.AdmissionResponse {
+	badRequest := &v1.AdmissionResponse{
 		Result: &metav1.Status{
 			Message: "bad content",
 		},
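Review bot: `"k8s.io/api/admission/v1"` is imported on the new side without an alias, so the package is referenced as bare `v1` in a file where every other Kubernetes group is aliased (`corev1`, `metav1`, `admissionregistrationv1`), and the test file touched by this same commit aliases the identical import as `admissionv1`. Prefer `admissionv1 "k8s.io/api/admission/v1"` here as well and rename the `v1.` references in MutatePod and Handle to match, so a reader cannot mistake `v1.AdmissionResponse` for a core/v1 type. Style only; the import block continues past the hunk.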
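Review bot: The added `_ = admissionregistrationv1.AddToScheme(runtimeScheme)` registers the `admissionregistration.k8s.io/v1` group (the MutatingWebhookConfiguration API), not `admission.k8s.io/v1`, which is the group of the `v1.AdmissionReview` that Handle decodes through `deserializer.Decode`. If the goal was to make the new review type known to the scheme, the matching line would be `_ = admissionv1.AddToScheme(runtimeScheme)` (under whatever alias the import uses). The pre-existing code never registered admission/v1beta1 either and presumably worked because the JSON serializer falls back to plain unmarshalling for unregistered `into` types; if that is the case, both registration lines are inert and a one-line comment saying why they are kept (or removing them) would stop the next reader from repeating this confusion.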
@@ -498,7 +500,7 @@ func (m *Modifier) MutatePod(ar *v1beta1.AdmissionReview) *v1beta1.AdmissionResp
 	if err := json.Unmarshal(req.Object.Raw, &pod); err != nil {
 		klog.Errorf("Could not unmarshal raw object: %v", err)
 		klog.Errorf("Object: %v", string(req.Object.Raw))
-		return &v1beta1.AdmissionResponse{
+		return &v1.AdmissionResponse{
 			Result: &metav1.Status{
 				Message: err.Error(),
 			},
@@ -511,7 +513,7 @@ func (m *Modifier) MutatePod(ar *v1beta1.AdmissionReview) *v1beta1.AdmissionResp
 	if patchConfig == nil {
 		klog.V(4).Infof("Pod was not mutated. Reason: "+
 			"Service account did not have the right annotations or was not found in the cache. %s", logContext(pod.Name, pod.GenerateName, pod.Spec.ServiceAccountName, pod.Namespace))
-		return &v1beta1.AdmissionResponse{
+		return &v1.AdmissionResponse{
 			Allowed: true,
 		}
 	}
@@ -520,7 +522,7 @@ func (m *Modifier) MutatePod(ar *v1beta1.AdmissionReview) *v1beta1.AdmissionResp
 	patchBytes, err := json.Marshal(patch)
 	if err != nil {
 		klog.Errorf("Error marshaling pod update: %v", err.Error())
-		return &v1beta1.AdmissionResponse{
+		return &v1.AdmissionResponse{
 			Result: &metav1.Status{
 				Message: err.Error(),
 			},
@@ -535,11 +537,11 @@ func (m *Modifier) MutatePod(ar *v1beta1.AdmissionReview) *v1beta1.AdmissionResp
 			"Required volume mounts and env variables were already present. %s", logContext(pod.Name, pod.GenerateName, pod.Spec.ServiceAccountName, pod.Namespace))
 	}
-	return &v1beta1.AdmissionResponse{
+	return &v1.AdmissionResponse{
 		Allowed: true,
 		Patch: patchBytes,
-		PatchType: func() *v1beta1.PatchType {
-			pt := v1beta1.PatchTypeJSONPatch
+		PatchType: func() *v1.PatchType {
+			pt := v1.PatchTypeJSONPatch
 			return &pt
 		}(),
 	}
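Review bot: The rewritten `PatchType: func() *v1.PatchType { pt := v1.PatchTypeJSONPatch; return &pt }()` in the last hunk is an immediately-invoked closure used only to take the address of a constant, which is harder to read than it needs to be for a field the API server now checks on every mutating reply. A local before the return reads plainly: `patchType := v1.PatchTypeJSONPatch` followed by `PatchType: &patchType,` in the literal. Pairing `PatchType` with a non-empty `Patch` is exactly what v1 validation requires, so a short comment on that line (`// v1 rejects a patch without patchType; JSONPatch is the only accepted value`) would document why the field is never omitted. MutatePod's body starts and ends outside these hunks.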
@@ -562,11 +564,11 @@ func (m *Modifier) Handle(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	var admissionResponse *v1beta1.AdmissionResponse
-	ar := v1beta1.AdmissionReview{}
+	var admissionResponse *v1.AdmissionResponse
+	ar := v1.AdmissionReview{}
 	if _, _, err := deserializer.Decode(body, nil, &ar); err != nil {
 		klog.Errorf("Can't decode body: %v", err)
-		admissionResponse = &v1beta1.AdmissionResponse{
+		admissionResponse = &v1.AdmissionResponse{
 			Result: &metav1.Status{
 				Message: err.Error(),
 			},
@@ -575,7 +577,7 @@ func (m *Modifier) Handle(w http.ResponseWriter, r *http.Request) {
 		admissionResponse = m.MutatePod(&ar)
 	}
 
-	admissionReview := v1beta1.AdmissionReview{}
+	admissionReview := v1.AdmissionReview{}
 	if admissionResponse != nil {
 		admissionReview.Response = admissionResponse
 		if ar.Request != nil {
diff --git a/pkg/handler/handler_test.go b/pkg/handler/handler_test.go
index 62c502f1d..c332c6d93 100644
--- a/pkg/handler/handler_test.go
+++ b/pkg/handler/handler_test.go
@@ -18,23 +18,23 @@ package handler
 import (
 	"bytes"
 	"encoding/json"
-	"github.com/aws/amazon-eks-pod-identity-webhook/pkg/containercredentials"
-	"github.com/stretchr/testify/assert"
 	"io"
 	"io/ioutil"
-	"k8s.io/apimachinery/pkg/types"
 	"net/http"
 	"net/http/httptest"
 	"reflect"
 	"testing"
 
 	"github.com/aws/amazon-eks-pod-identity-webhook/pkg/cache"
-	"k8s.io/api/admission/v1beta1"
+	"github.com/aws/amazon-eks-pod-identity-webhook/pkg/containercredentials"
+	"github.com/stretchr/testify/assert"
+	admissionv1 "k8s.io/api/admission/v1"
 	authenticationv1 "k8s.io/api/authentication/v1"
 	"k8s.io/api/core/v1"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/types"
 )
 
 const uuid = "918ef1dc-928f-4525-99ef-988389f263c3"
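Review bot: `admissionReview := v1.AdmissionReview{}` in the second Handle hunk leaves `apiVersion` and `kind` empty on the reply, and once the webhook advertises only `admissionReviewVersions: ["v1"]` the API server validates v1 replies strictly: it requires `apiVersion: admission.k8s.io/v1` and `kind: AdmissionReview`, a `response.uid` equal to the request uid, and `patchType: JSONPatch` whenever a patch is present, whereas v1beta1 replies were not checked for GVK or uid. A reply that fails that check is treated as a webhook failure and handled per the configuration's failurePolicy (not in this diff), so pod creation is either blocked outright or proceeds without the IAM token volume and `AWS_ROLE_ARN`/`AWS_WEB_IDENTITY_TOKEN_FILE` injected. Unless the type meta is set further down in Handle, initialize it here: `admissionReview := v1.AdmissionReview{TypeMeta: metav1.TypeMeta{APIVersion: "admission.k8s.io/v1", Kind: "AdmissionReview"}}`, or copy `ar.TypeMeta` when the request decoded. The expected fixtures in handler_test.go are built from `admissionv1.AdmissionReview{Response: ...}` with no type meta, which suggests the handler does not set it today; they would need the same two fields. The remainder of Handle lies outside the hunk.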
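Review bot: The regrouped import block in the handler_test.go hunk still carries `"k8s.io/api/core/v1"` and `corev1 "k8s.io/api/core/v1"` back to back, the same package bound to two names, which is also the reason the new admission import had to take the `admissionv1` alias. Since this commit is already reshuffling the block, drop the unaliased line and refer to the package as `corev1` throughout the test so the two files use the same naming. While here, `"io/ioutil"` sits next to `"io"` and has been deprecated since Go 1.16; its callers (outside the hunk) can move to `io.ReadAll` and the import can go.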
@@ -54,18 +54,18 @@ func TestMutatePod(t *testing.T) {
 	)
 	cases := []struct {
 		caseName string
-		input *v1beta1.AdmissionReview
-		response *v1beta1.AdmissionResponse
+		input *admissionv1.AdmissionReview
+		response *admissionv1.AdmissionResponse
 	}{
 		{
 			"nilBody",
 			nil,
-			&v1beta1.AdmissionResponse{Result: &metav1.Status{Message: "bad content"}},
+			&admissionv1.AdmissionResponse{Result: &metav1.Status{Message: "bad content"}},
 		},
 		{
 			"NoRequest",
-			&v1beta1.AdmissionReview{Request: nil},
-			&v1beta1.AdmissionResponse{Result: &metav1.Status{Message: "bad content"}},
+			&admissionv1.AdmissionReview{Request: nil},
+			&admissionv1.AdmissionResponse{Result: &metav1.Status{Message: "bad content"}},
 		},
 		{
 			"ValidRequest",
@@ -114,7 +114,7 @@ func TestMutatePod_MutationNotNeeded(t *testing.T) {
 	assert.Nil(t, response.Patch)
 }
 
-var jsonPatchType = v1beta1.PatchType("JSONPatch")
+var jsonPatchType = admissionv1.PatchType("JSONPatch")
 
 var rawPodWithoutVolume = []byte(`
 {
@@ -138,8 +138,8 @@ var rawPodWithoutVolume = []byte(`
 
 var validPatchIfNoVolumesPresent = []byte(`[{"op":"add","path":"/spec/volumes","value":[{"name":"aws-iam-token","projected":{"sources":[{"serviceAccountToken":{"audience":"sts.amazonaws.com","expirationSeconds":3600,"path":"token"}}]}}]},{"op":"add","path":"/spec/containers","value":[{"name":"balajilovesoreos","image":"amazonlinux","env":[{"name":"AWS_ROLE_ARN","value":"arn:aws:iam::111122223333:role/s3-reader"},{"name":"AWS_WEB_IDENTITY_TOKEN_FILE","value":"/var/run/secrets/eks.amazonaws.com/serviceaccount/token"}],"resources":{},"volumeMounts":[{"name":"aws-iam-token","readOnly":true,"mountPath":"/var/run/secrets/eks.amazonaws.com/serviceaccount"}]}]}]`)
 
-func getValidHandlerResponse(uuid string) *v1beta1.AdmissionResponse {
-	return &v1beta1.AdmissionResponse{
+func getValidHandlerResponse(uuid string) *admissionv1.AdmissionResponse {
+	return &admissionv1.AdmissionResponse{
 		UID: types.UID(uuid),
 		Allowed: true,
 		Patch: validPatchIfNoVolumesPresent,
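Review bot: `var jsonPatchType = admissionv1.PatchType("JSONPatch")` in the second hunk rebuilds the patch type from a string literal even though the package exports the constant the handler itself uses; if the two ever diverge the test would keep passing while the API server rejected the reply. Use the constant directly, `var jsonPatchType = admissionv1.PatchTypeJSONPatch`, so the fixture and `MutatePod` are tied to the same value. Style only.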
@@ -147,9 +147,9 @@ func getValidHandlerResponse(uuid string) *v1beta1.AdmissionResponse {
 	}
 }
 
-func getValidReview(pod []byte) *v1beta1.AdmissionReview {
-	return &v1beta1.AdmissionReview{
-		Request: &v1beta1.AdmissionRequest{
+func getValidReview(pod []byte) *admissionv1.AdmissionReview {
+	return &admissionv1.AdmissionReview{
+		Request: &admissionv1.AdmissionRequest{
 			UID: uuid,
 			Kind: metav1.GroupVersionKind{
 				Version: "v1",
@@ -171,7 +171,7 @@ func getValidReview(pod []byte) *v1beta1.AdmissionReview {
 	}
 }
 
-func serializeAdmissionReview(t *testing.T, want *v1beta1.AdmissionReview) []byte {
+func serializeAdmissionReview(t *testing.T, want *admissionv1.AdmissionReview) []byte {
 	wantedBytes, err := json.Marshal(want)
 	if err != nil {
 		t.Errorf("Failed to marshal desired response: %v", err)
@@ -209,21 +209,21 @@ func TestModifierHandler(t *testing.T) {
 			"nilBody",
 			nil,
 			"application/json",
-			serializeAdmissionReview(t, &v1beta1.AdmissionReview{
-				Response: &v1beta1.AdmissionResponse{Result: &metav1.Status{Message: "bad content"}},
+			serializeAdmissionReview(t, &admissionv1.AdmissionReview{
+				Response: &admissionv1.AdmissionResponse{Result: &metav1.Status{Message: "bad content"}},
 			}),
 		},
 		{
 			"NoRequest",
-			serializeAdmissionReview(t, &v1beta1.AdmissionReview{Request: nil}),
+			serializeAdmissionReview(t, &admissionv1.AdmissionReview{Request: nil}),
 			"application/json",
-			serializeAdmissionReview(t, &v1beta1.AdmissionReview{
-				Response: &v1beta1.AdmissionResponse{Result: &metav1.Status{Message: "bad content"}},
+			serializeAdmissionReview(t, &admissionv1.AdmissionReview{
+				Response: &admissionv1.AdmissionResponse{Result: &metav1.Status{Message: "bad content"}},
 			}),
 		},
 		{
 			"BadContentType",
-			serializeAdmissionReview(t, &v1beta1.AdmissionReview{Request: nil}),
+			serializeAdmissionReview(t, &admissionv1.AdmissionReview{Request: nil}),
 			"application/xml",
 			[]byte("Invalid Content-Type, expected `application/json`\n"),
 		},
@@ -243,7 +243,7 @@ func TestModifierHandler(t *testing.T) {
 			"ValidRequestSuccessWithoutVolumes",
 			serializeAdmissionReview(t, getValidReview(rawPodWithoutVolume)),
 			"application/json",
-			serializeAdmissionReview(t, &v1beta1.AdmissionReview{Response: getValidHandlerResponse(uuid)}),
+			serializeAdmissionReview(t, &admissionv1.AdmissionReview{Response: getValidHandlerResponse(uuid)}),
 		},
 	}