support annotations for admission webhook

[CaoShuFeng]

Depends on: #58143
Release note:

Support annotations for remote admission webhooks.

[CaoShuFeng]

@liggitt @tallclair @sttts This is also ready for review.
I had deployed a little remote admission controller to test it.

[sttts]

there should be a specified format. What are the keys?

[CaoShuFeng]

This Annotation is a little bit different from annotation in admission attribute.
It doesn't contain the fully qualified plugin name.

I use this plugin name to call attributesRecord.SetAnnotations().

[CaoShuFeng]

Done.

[sttts]

plugin_name + ".admission.k8s.io/" + key ?

[sttts]

We also have to check that the key is a DNS segment.

[CaoShuFeng]

We also have to check that the key is a DNS segment.

Done.

plugin_name + ".admission.k8s.io/" + key ?

plugin_name is already fully qualified.
Webhook plugin do not use .admission.k8s.io in their plugin name, I think.

[sttts]

can this be queried by plugins in the chain? I don't like to open up this channel without good reasons.

[sttts]

this is ugly

[CaoShuFeng]

What about we move this mutex into SetAnnotations()?

[sttts]

yes. And get rid of the single k/v SetAnnotations variant, but only for a whole map.

[CaoShuFeng]

Done.

[sttts]

these names can theoretically overlap with the built in names. I guess we need h.Name + ".mutatingwebhook".

[CaoShuFeng]

This h.Name is already full qualified, like imagepolicy.kubernetes.io.
This name is set by cluster administrator.
What about we trust cluster administrator that he will not set a name overlap with the built in names?

kubernetes/staging/src/k8s.io/api/admissionregistration/v1beta1/types.go

Line 126 in f3942e7

// Name should be fully qualified, e.g., imagepolicy.kubernetes.io, where

[sttts]

Not sure it's obvious that this name shows up in auditing. But imagepolicy.kubernetes.io.mutatingwebhook.admission.k8s.io is not nice either.

[CaoShuFeng]

What about we ignore h.Name?
And allow remote admission to set pluginName themselves?
If so, remote admsssion will be consistent with the build-in admission.

[sttts]

we could also enforce that webhooks use *.mutatingwebhook.admission.k8s.io as key.

[CaoShuFeng]

Done.

[CaoShuFeng]

/test pull-kubernetes-e2e-kops-aws

[tallclair]

Should we consider this an admission error, or just log the error to the debug log? I guess considering it an admission error is failing closed.

[tallclair]

Actually, looking more closely I think this should be:

&webhookerrors.ErrCallingWebhook{WebhookName: h.name, Reason: err}

This type of error is either ignored or blocking depending on the webhook configuration. It is important to be able to ignore errors to avoid a misconfigured webhook from locking up the cluster.

[CaoShuFeng]

or just log the error to the debug log?

Done.

&webhookerrors.ErrCallingWebhook{WebhookName: h.name, Reason: err}

ErrCallingWebhook is returned for transport-layer errors calling webhooks. It represents a failure to talk to the webhook. So I log the error to the debug log rather than use ErrCallingWebhook

[CaoShuFeng]

Actually, looking more closely I think this should be:
&webhookerrors.ErrCallingWebhook{WebhookName: h.name, Reason: err}

Done. And I removed the transport-layer description about ErrCallingWebhook in comment.
Thanks.

[tallclair]

Instead of adding yet another argument to this, prefer exposing FakeAttributes and FakeAttributes.Annotations (or if you prefer, FakeAttributes.GetAnnotations)

[CaoShuFeng]

Done.

[tallclair]

nit: initialize the map in this case, especially if exposing it directly.

[tallclair]

Add more about the intent, e.g. Annotations may be provided by the admission webhook to add additional context to the audit log for this request

[CaoShuFeng]

Done.

[tallclair]

ditto (ErrCallingWebhook)

[CaoShuFeng]

@tallclair Thanks for you review.
What do you think about current behavior?

[tallclair]

/milestone v1.12
/status approved-for-milestone

[tallclair]

/retest

[tallclair]

/lgtm

[sttts]

/assign @liggitt

for api approval.

[k8s-github-robot]

[MILESTONENOTIFIER] Milestone Pull Request: Up-to-date for process

@CaoShuFeng @liggitt @tallclair

Pull Request Labels

• sig/api-machinery sig/auth: Pull Request will be escalated to these SIGs if needed.
• priority/important-longterm: Escalate to the pull request owners; move out of the milestone after 1 attempt.
• kind/feature: New functionality.

Help

• Additional instructions
• Commands for setting labels

[liggitt]

will this be confused with the Annotations field on the API object being admitted? If we leave this named "Annotations", the documentation needs to be very clear that this is only audit logging. Alternately we could name it something like AuditAnnotations.

[liggitt]

We should also (in a separate PR) clarify the documentation on the audit.Event type that the map does not contain the annotations of the submitted object

[tallclair]

Agreed. I thought we discussed calling it ExtraAuditInfo, but can't find the reference. AuditAnnotations is ok too.

[CaoShuFeng]

AuditAnnotations is ok too.

Done.

We should also (in a separate PR) clarify the documentation on the audit.Event type that the map does not contain the annotations of the submitted object

Will do this after #65891 gets merged.

[liggitt]

#65891 is merged, can we queue up the change to the audit.Event annotations field doc?

[CaoShuFeng]

Done.
#67386

[liggitt]

replace "will fill in" with "will prefix the keys"

[CaoShuFeng]

Done.

[liggitt]

if the key already is already namespaced to the webhook, noop?

edit: that would require the webhook to know the name by which it was registered, which isn't great, so forget that

[liggitt]

erroring on an existing key means that a mutating and validating webhook with the same name cannot set the same key, since they share a namespace

[CaoShuFeng]

erroring on an existing key means that a mutating and validating webhook with the same name cannot set the same key, since they share a namespace

Local mutating and validating admission may have same problem.
What about we trust the cluster admin here?

[liggitt]

message should say "validating webhook"

[CaoShuFeng]

Done.

[liggitt]

I'm not sure this should be a fatal error... the in-tree annotation error handling just logs a warning:

kubernetes/plugin/pkg/admission/security/podsecuritypolicy/admission.go

Lines 168 to 170 in 4d5d266

	if err := a.AddAnnotation(key, pspName); err != nil {
	glog.Warningf("failed to set admission audit annotation %s to %s: %v", key, pspName, err)
	}

[CaoShuFeng]

Updated to glog.Warningf and make them consistent with each other.

[CaoShuFeng]

/test pull-kubernetes-e2e-kops-aws

[liggitt]

should probably indicate the reason why in the warning message like the other places we do this (e.g. glog.Warningf("Failed to set annotations[%q] to %q for audit:%q, it has already been set to %q", key, value, ae.AuditID, ae.Annotations[key]))

[CaoShuFeng]

Done.

[jimangel]

@CaoShuFeng do you have a PR for the 1.12 docs branch for this? Thanks!

[CaoShuFeng]

@CaoShuFeng do you have a PR for the 1.12 docs branch for this? Thanks!

Will work on it.

[k8s-ci-robot]

@CaoShuFeng: The following test failed, say /retest to rerun them all:

Test name	Commit	Details	Rerun command
pull-kubernetes-unit	ad223e87a26cc4fd0f1017a93d55a5e10b879215	link	/test pull-kubernetes-unit

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[liggitt]

/lgtm

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: CaoShuFeng, liggitt, tallclair

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• pkg/apis/OWNERS [liggitt]
• staging/src/k8s.io/api/OWNERS [liggitt]
• staging/src/k8s.io/apiserver/OWNERS [liggitt]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[k8s-github-robot]

/test all [submit-queue is verifying that this PR is safe to merge]

[k8s-github-robot]

Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions here.