[jira] [Updated] (YUNIKORN-871) Admission controller should only validate yunikorn configmap changes

Peter Bacsko (Jira) Mon, 04 Oct 2021 05:16:13 -0700


     [ 
https://issues.apache.org/jira/browse/YUNIKORN-871?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]


Peter Bacsko updated YUNIKORN-871:
----------------------------------
    Description: 
Currently, the admission controller is watching all namespaces and tries to 
validate all configmap changes. But we only need to validate the 
yunikorn-related changes.

Example:
{noformat}
$ kubectl logs yunikorn-admission-controller-695869b547-qtfpg
...
2021-10-04T11:52:19.379Z        INFO    webhook/webhook.go:83   the admission 
controller started        {"port": 9089, "listeningOn": ["/mutate", 
"/validate-conf"]}
$ kubectl create namespace testnamespace
namespace/testnamespace created
$ kubectl create configmap my-config --from-literal=mykey=myval 
--namespace=testnamespace
configmap/my-config created
$ kubectl get cm
NAME               DATA   AGE
yunikorn-configs   1      11m
$ kubectl get cm --namespace=testnamespace
NAME        DATA   AGE
my-config   1      17s
$ kubectl logs yunikorn-admission-controller-695869b547-qtfpg
...
2021-10-04T11:52:19.379Z        INFO    webhook/webhook.go:83   the admission 
controller started        {"port": 9089, "listeningOn": ["/mutate", 
"/validate-conf"]}
2021-10-04T12:03:57.806Z        INFO    webhook/admission_controller.go:304     
AdmissionReviewResponse {"allowed": true}
{noformat}
 
 We need something like the following in {{validations.yaml.template}}:
{noformat}
namespaceSelector:
 matchLabels:
   yunikorn
{noformat}

This problem was originally found by [~kmarton].

  was:
Currently, the admission controller is watching all namespaces and tries to 
validate all configmap changes. But we only need to validate the 
yunikorn-related changes.

Example:
{noformat}
$ kubectl logs yunikorn-admission-controller-695869b547-qtfpg
...
2021-10-04T11:52:19.379Z        INFO    webhook/webhook.go:83   the admission 
controller started        {"port": 9089, "listeningOn": ["/mutate", 
"/validate-conf"]}
$ kubectl create namespace testnamespace
namespace/testnamespace created
$ kubectl create configmap my-config --from-literal=mykey=myval 
--namespace=testnamespace
configmap/my-config created
$ kubectl get cm
NAME               DATA   AGE
yunikorn-configs   1      11m
$ kubectl get cm --namespace=testnamespace
NAME        DATA   AGE
my-config   1      17s
$ kubectl logs yunikorn-admission-controller-695869b547-qtfpg
...
2021-10-04T11:52:19.379Z        INFO    webhook/webhook.go:83   the admission 
controller started        {"port": 9089, "listeningOn": ["/mutate", 
"/validate-conf"]}
2021-10-04T12:03:57.806Z        INFO    webhook/admission_controller.go:304     
AdmissionReviewResponse {"allowed": true}
{noformat}
 
 We need something like the following in {{validations.yaml.template}}:
{noformat}
namespaceSelector:
 matchLabels:
   yunikorn
{noformat}


> Admission controller should only validate yunikorn configmap changes
> --------------------------------------------------------------------
>
>                 Key: YUNIKORN-871
>                 URL: https://issues.apache.org/jira/browse/YUNIKORN-871
>             Project: Apache YuniKorn
>          Issue Type: Bug
>          Components: shim - kubernetes
>            Reporter: Peter Bacsko
>            Priority: Major
>
> Currently, the admission controller is watching all namespaces and tries to 
> validate all configmap changes. But we only need to validate the 
> yunikorn-related changes.
> Example:
> {noformat}
> $ kubectl logs yunikorn-admission-controller-695869b547-qtfpg
> ...
> 2021-10-04T11:52:19.379Z      INFO    webhook/webhook.go:83   the admission 
> controller started        {"port": 9089, "listeningOn": ["/mutate", 
> "/validate-conf"]}
> $ kubectl create namespace testnamespace
> namespace/testnamespace created
> $ kubectl create configmap my-config --from-literal=mykey=myval 
> --namespace=testnamespace
> configmap/my-config created
> $ kubectl get cm
> NAME               DATA   AGE
> yunikorn-configs   1      11m
> $ kubectl get cm --namespace=testnamespace
> NAME        DATA   AGE
> my-config   1      17s
> $ kubectl logs yunikorn-admission-controller-695869b547-qtfpg
> ...
> 2021-10-04T11:52:19.379Z      INFO    webhook/webhook.go:83   the admission 
> controller started        {"port": 9089, "listeningOn": ["/mutate", 
> "/validate-conf"]}
> 2021-10-04T12:03:57.806Z      INFO    webhook/admission_controller.go:304     
> AdmissionReviewResponse {"allowed": true}
> {noformat}
>  
>  We need something like the following in {{validations.yaml.template}}:
> {noformat}
> namespaceSelector:
>  matchLabels:
>    yunikorn
> {noformat}
> This problem was originally found by [~kmarton].



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

[jira] [Updated] (YUNIKORN-871) Admission controller should only validate yunikorn configmap changes

Reply via email to