Generic webhook admission controller support

[whitlockjc]

A few weeks ago on Slack I brought up the idea of writing a generic webhook admission controller. Much like authentication, authorization and even the ImagePolicyWebhook admission controller, the idea would be that Kubernetes could call out to some external resource that itself implements the necessary bits based on their need as an admission controller. The implementation details are not fully fleshed out but the plan would be to start out small with support for some very specific Kubernetes types and later attempt to support all Kubernetes types either explicitly or through some generic fashion.

The reasons something like this might be useful are two fold:

1. Getting custom admission controllers into Kubernetes right now requires building a custom version of Kubernetes (This topic has come up a lot and is not the sole purpose of this feature)
2. Using a webhook for something like this would allow the cluster owner to implement the admission controller however they deem fit, in whatever language they want (Even if the first reason was taken care of, this could still be reason enough to implement such a thing)

Webhooks in Kubernetes are already used in authentication, authorization and even in the ImagePolicyWebhook admission controller so this is not something that's not been done before. But I do realize that implementing this admission controller right will be quite the undertaking.

The purpose of this feature request was not to ask the Kubernetes team to work on this, I've already started working on this locally, but to give an official place for interested parties to discuss this and link related issues to.

While discussing this on Slack, there were a number of concerns and related issues that I feel should be mentioned:

• Places for hooks #3585
• [WIP] Add admission control changes proposal #34131

There were also a few interested parties that I thought made sense to cc:

• @deads2k
• @derekwaynecarr
• @erictune
• @justinsb
• @ncdc
• @thockin
• @tsandall

I will add more details and discussion as necessary. Please feel free to contribute to this discussion.

[whitlockjc]

/cc @lxpollitt

[whitlockjc]

I've begun work on this, sorry for the delay.

[whitlockjc]

I have a proposed solution to this. I think we could make the existing ImagePolicyWebhook generic and reuse most of it as-is. This makes the work much simpler and since we'd be repurposing an existing admission controller, it should be much less risk.

This is how I will build this PR unless someone disagrees.

[whitlockjc]

/cc @lavalamp

[deads2k]

I have a proposed solution to this. I think we could make the existing ImagePolicyWebhook generic and reuse most of it as-is. This makes the work much simpler and since we'd be repurposing an existing admission controller, it should be much less risk.

This is how I will build this PR unless someone disagrees.

I don't see a reason to repurpose an existing admission plugin. We want something distinctly different with different needs in terms of API and serialization. In fact, the existing API structure of the ImagePolicyWebhook is not harmonious with generic admission logic.

[whitlockjc]

I am not suggesting we make the existing one any different than it is now, I'm just saying the majority of the underlying work to implement a generic webhook admission controller could be accomplished with the existing code. Configuration, webhook logic and such would be the same for example.

[soellman]

This would totally address my needs.. I want to create an admission controller with custom logic but don't really want to roll my own apiserver. I'm looking forward to it!