From 6c0724648fc44aa9dffefb3a8633bad1ef07b96c Mon Sep 17 00:00:00 2001
From: Arvind Thirumurugan
Date: Tue, 6 Feb 2024 16:45:45 -0800
Subject: [PATCH] fix: change failure policy, timeout for validating webhooks (#664)
* change failure policy, timeout for validating webhooks
* address comment
---
 pkg/webhook/webhook.go | 56 ++++++++++++++++++++++--------------------
 1 file changed, 29 insertions(+), 27 deletions(-)
diff --git a/pkg/webhook/webhook.go b/pkg/webhook/webhook.go
index db434a83d..73036688b 100644
--- a/pkg/webhook/webhook.go
+++ b/pkg/webhook/webhook.go
@@ -100,11 +100,13 @@ const (
 var (
 admissionReviewVersions = []string{admv1.SchemeGroupVersion.Version, admv1beta1.SchemeGroupVersion.Version}
- failPolicy = admv1.Ignore
- sideEffortsNone = admv1.SideEffectClassNone
- namespacedScope = admv1.NamespacedScope
- clusterScope = admv1.ClusterScope
- webhookTimeoutSeconds = pointer.Int32(1)
+ ignoreFailurePolicy = admv1.Ignore
+ failFailurePolicy = admv1.Fail
+ sideEffortsNone = admv1.SideEffectClassNone
+ namespacedScope = admv1.NamespacedScope
+ clusterScope = admv1.ClusterScope
+ oneSecondWebhookTimeout = pointer.Int32(1)
+ fiveSecondWebhookTimeout = pointer.Int32(5)
 )
 var AddToManagerFuncs []func(manager.Manager) error
@@ -224,7 +226,7 @@ func (w *Config) buildFleetValidatingWebhooks() []admv1.ValidatingWebhook {
 {
 Name: "fleet.pod.validating",
 ClientConfig: w.createClientConfig(pod.ValidationPath),
- FailurePolicy: &failPolicy,
+ FailurePolicy: &failFailurePolicy,
 SideEffects: &sideEffortsNone,
 AdmissionReviewVersions: admissionReviewVersions,
 Rules: []admv1.RuleWithOperations{
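Review bot: The two failure-policy variables and the two timeout variables in this `var` block carry no comment saying which webhooks fail closed and which fail open, so the security posture has to be read off the call sites. I would add above `failFailurePolicy` the comment `// failFailurePolicy rejects the request when the webhook is unreachable or times out (fail closed).` and above `ignoreFailurePolicy` the comment `// ignoreFailurePolicy admits the request unvalidated when the webhook is unreachable or times out (fail open).`. Since the `sideEffortsNone` line is re-aligned here anyway, it would be a good moment to correct the spelling to `sideEffectsNone`, together with its uses elsewhere in the file.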
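Review bot: With `FailurePolicy: &failFailurePolicy` on `fleet.pod.validating`, every pod request matched by this entry is rejected whenever the webhook is unreachable, and the entry as shown across this hunk and the next sets no `NamespaceSelector` or `ObjectSelector` to narrow that. If the webhook server's own pods fall under the rule, a restart of the webhook could be blocked by its own outage; that depends on the operations listed in the rule, which sit between the two hunks and are not visible here. I would either add a `NamespaceSelector` that leaves out the namespace the webhook runs in, or state the reasoning in a comment such as `// Fails closed: pod requests are rejected while this webhook is down.`. The same consideration applies to `fleet.replicaset.validating` in the hunk at -269.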
@@ -235,12 +237,12 @@ func (w *Config) buildFleetValidatingWebhooks() []admv1.ValidatingWebhook {
 Rule: createRule([]string{corev1.SchemeGroupVersion.Group}, []string{corev1.SchemeGroupVersion.Version}, []string{podResourceName}, &namespacedScope),
 },
 },
- TimeoutSeconds: webhookTimeoutSeconds,
+ TimeoutSeconds: fiveSecondWebhookTimeout,
 },
 {
 Name: "fleet.clusterresourceplacementv1alpha1.validating",
 ClientConfig: w.createClientConfig(clusterresourceplacement.V1Alpha1CRPValidationPath),
- FailurePolicy: &failPolicy,
+ FailurePolicy: &failFailurePolicy,
 SideEffects: &sideEffortsNone,
 AdmissionReviewVersions: admissionReviewVersions,
 Rules: []admv1.RuleWithOperations{
@@ -252,12 +254,12 @@ func (w *Config) buildFleetValidatingWebhooks() []admv1.ValidatingWebhook {
 Rule: createRule([]string{fleetv1alpha1.GroupVersion.Group}, []string{fleetv1alpha1.GroupVersion.Version}, []string{fleetv1alpha1.ClusterResourcePlacementResource}, &clusterScope),
 },
 },
- TimeoutSeconds: webhookTimeoutSeconds,
+ TimeoutSeconds: fiveSecondWebhookTimeout,
 },
 {
 Name: "fleet.clusterresourceplacementv1beta1.validating",
 ClientConfig: w.createClientConfig(clusterresourceplacement.ValidationPath),
- FailurePolicy: &failPolicy,
+ FailurePolicy: &failFailurePolicy,
 SideEffects: &sideEffortsNone,
 AdmissionReviewVersions: admissionReviewVersions,
 Rules: []admv1.RuleWithOperations{
@@ -269,12 +271,12 @@ func (w *Config) buildFleetValidatingWebhooks() []admv1.ValidatingWebhook {
 Rule: createRule([]string{placementv1beta1.GroupVersion.Group}, []string{placementv1beta1.GroupVersion.Version}, []string{placementv1beta1.ClusterResourcePlacementResource}, &clusterScope),
 },
 },
- TimeoutSeconds: webhookTimeoutSeconds,
+ TimeoutSeconds: fiveSecondWebhookTimeout,
 },
 {
 Name: "fleet.replicaset.validating",
 ClientConfig: w.createClientConfig(replicaset.ValidationPath),
- FailurePolicy: &failPolicy,
+ FailurePolicy: &failFailurePolicy,
 SideEffects: &sideEffortsNone,
 AdmissionReviewVersions: admissionReviewVersions,
 Rules: []admv1.RuleWithOperations{
@@ -285,7 +287,7 @@ func (w *Config) buildFleetValidatingWebhooks() []admv1.ValidatingWebhook {
 Rule: createRule([]string{appsv1.SchemeGroupVersion.Group}, []string{appsv1.SchemeGroupVersion.Version}, []string{replicaSetResourceName}, &namespacedScope),
 },
 },
- TimeoutSeconds: webhookTimeoutSeconds,
+ TimeoutSeconds: fiveSecondWebhookTimeout,
 },
 }
@@ -409,7 +411,7 @@ func (w *Config) buildFleetGuardRailValidatingWebhooks() []admv1.ValidatingWebho
 {
 Name: "fleet.customresourcedefinition.validating",
 ClientConfig: w.createClientConfig(fleetresourcehandler.ValidationPath),
- FailurePolicy: &failPolicy,
+ FailurePolicy: &ignoreFailurePolicy,
 SideEffects: &sideEffortsNone,
 AdmissionReviewVersions: admissionReviewVersions,
 Rules: []admv1.RuleWithOperations{
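Review bot: Keeping `FailurePolicy: &ignoreFailurePolicy` together with `oneSecondWebhookTimeout` means the guard rail checks are skipped, not retried, whenever the webhook is down or takes longer than a second to answer, and nothing in the code records that this is an accepted trade-off. This applies to `fleet.customresourcedefinition.validating` here and to the other guard rail entries in the hunks at -418, -432, -446 and -490. The choice is presumably deliberate because these rules match broad sets of resources, so I would state it at the top of the slice, for example `// Guard rail webhooks fail open: a timeout admits the request without validation.`. It would also help to alert on the API server's `apiserver_admission_webhook_fail_open_count` metric so that skipped validations are visible to operators. The body of buildFleetGuardRailValidatingWebhooks starts and ends outside these hunks.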
@@ -418,12 +420,12 @@ func (w *Config) buildFleetGuardRailValidatingWebhooks() []admv1.ValidatingWebho
 Rule: createRule([]string{apiextensionsv1.SchemeGroupVersion.Group}, []string{apiextensionsv1.SchemeGroupVersion.Version}, []string{crdResourceName}, &clusterScope),
 },
 },
- TimeoutSeconds: webhookTimeoutSeconds,
+ TimeoutSeconds: oneSecondWebhookTimeout,
 },
 {
 Name: "fleet.membercluster.validating",
 ClientConfig: w.createClientConfig(fleetresourcehandler.ValidationPath),
- FailurePolicy: &failPolicy,
+ FailurePolicy: &ignoreFailurePolicy,
 SideEffects: &sideEffortsNone,
 AdmissionReviewVersions: admissionReviewVersions,
 Rules: []admv1.RuleWithOperations{
@@ -432,12 +434,12 @@ func (w *Config) buildFleetGuardRailValidatingWebhooks() []admv1.ValidatingWebho
 Rule: createRule([]string{clusterv1beta1.GroupVersion.Group}, []string{clusterv1beta1.GroupVersion.Version}, []string{memberClusterResourceName, memberClusterResourceName + "/status"}, &clusterScope),
 },
 },
- TimeoutSeconds: webhookTimeoutSeconds,
+ TimeoutSeconds: oneSecondWebhookTimeout,
 },
 {
 Name: "fleet.v1alpha1.membercluster.validating",
 ClientConfig: w.createClientConfig(fleetresourcehandler.ValidationPath),
- FailurePolicy: &failPolicy,
+ FailurePolicy: &ignoreFailurePolicy,
 SideEffects: &sideEffortsNone,
 AdmissionReviewVersions: admissionReviewVersions,
 Rules: []admv1.RuleWithOperations{
@@ -446,42 +448,42 @@ func (w *Config) buildFleetGuardRailValidatingWebhooks() []admv1.ValidatingWebho
 Rule: createRule([]string{fleetv1alpha1.GroupVersion.Group}, []string{fleetv1alpha1.GroupVersion.Version}, []string{memberClusterResourceName, memberClusterResourceName + "/status"}, &clusterScope),
 },
 },
- TimeoutSeconds: webhookTimeoutSeconds,
+ TimeoutSeconds: oneSecondWebhookTimeout,
 },
 {
 Name: "fleet.fleetmembernamespacedresources.validating",
 ClientConfig: w.createClientConfig(fleetresourcehandler.ValidationPath),
- FailurePolicy: &failPolicy,
+ FailurePolicy: &ignoreFailurePolicy,
 SideEffects: &sideEffortsNone,
 AdmissionReviewVersions: admissionReviewVersions,
 NamespaceSelector: fleetMemberNamespaceSelector,
 Rules: namespacedResourcesRules,
- TimeoutSeconds: webhookTimeoutSeconds,
+ TimeoutSeconds: oneSecondWebhookTimeout,
 },
 {
 Name: "fleet.fleetsystemnamespacedresources.validating",
 ClientConfig: w.createClientConfig(fleetresourcehandler.ValidationPath),
- FailurePolicy: &failPolicy,
+ FailurePolicy: &ignoreFailurePolicy,
 SideEffects: &sideEffortsNone,
 AdmissionReviewVersions: admissionReviewVersions,
 NamespaceSelector: fleetSystemNamespaceSelector,
 Rules: namespacedResourcesRules,
- TimeoutSeconds: webhookTimeoutSeconds,
+ TimeoutSeconds: oneSecondWebhookTimeout,
 },
 {
 Name: "fleet.kubenamespacedresources.validating",
 ClientConfig: w.createClientConfig(fleetresourcehandler.ValidationPath),
- FailurePolicy: &failPolicy,
+ FailurePolicy: &ignoreFailurePolicy,
 SideEffects: &sideEffortsNone,
 AdmissionReviewVersions: admissionReviewVersions,
 NamespaceSelector: kubeNamespaceSelector,
 Rules: namespacedResourcesRules,
- TimeoutSeconds: webhookTimeoutSeconds,
+ TimeoutSeconds: oneSecondWebhookTimeout,
 },
 {
 Name: "fleet.namespace.validating",
 ClientConfig: w.createClientConfig(fleetresourcehandler.ValidationPath),
- FailurePolicy: &failPolicy,
+ FailurePolicy: &ignoreFailurePolicy,
 SideEffects: &sideEffortsNone,
 AdmissionReviewVersions: admissionReviewVersions,
 Rules: []admv1.RuleWithOperations{
@@ -490,7 +492,7 @@ func (w *Config) buildFleetGuardRailValidatingWebhooks() []admv1.ValidatingWebho
 Rule: createRule([]string{corev1.SchemeGroupVersion.Group}, []string{corev1.SchemeGroupVersion.Version}, []string{namespaceResourceName}, &clusterScope),
 },
 },
- TimeoutSeconds: webhookTimeoutSeconds,
+ TimeoutSeconds: oneSecondWebhookTimeout,
 },
 }