Add a good practices page for mutating webhook design #49626
Conversation
k8s-ci-robot
added
sig/docs
k8s-ci-robot
added
cncf-cla: yes
|
One question for reviewers: Some of the good practices that I moved seem relevant to validating webhooks as well. Should I keep the old content on the original page to avoid a loss of info? |
✅ Pull request preview available for checkingBuilt without sensitive environment variables
To edit notification comments on pull requests, go to your Netlify site configuration. |
There was a problem hiding this comment.
Thanks for this PR. I recommend a copy editing round (see inline feedback), as well as a fact check.
Although this is a move of existing content, I recommend getting the styling right where we can.
It's not obligatory to fix any of the moved stuff. The net new text should follow our style guide where possible though.
content/en/docs/concepts/security/mutating-webhooks-good-practices.md
Outdated
Show resolved
Hide resolved
content/en/docs/concepts/security/mutating-webhooks-good-practices.md
Outdated
Show resolved
Hide resolved
content/en/docs/concepts/security/mutating-webhooks-good-practices.md
Outdated
Show resolved
Hide resolved
| ```shell | ||
| kubectl get mutatingwebhookconfigurations | ||
| ``` | ||
| The output lists any mutating admission controllers in the cluster. |
There was a problem hiding this comment.
We used to support configuring these statically by passing a plugin configuration file to the kube-apiserver.
At technical review time or earlier, let's validate the the old method is completely omitted. Otherwise, this text isn't 100% accurate.
There was a problem hiding this comment.
Is this the bit that's listed here: https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#authenticate-apiservers? Or is that different?
content/en/docs/concepts/security/mutating-webhooks-good-practices.md
Outdated
Show resolved
Hide resolved
content/en/docs/concepts/security/mutating-webhooks-good-practices.md
Outdated
Show resolved
Hide resolved
content/en/docs/concepts/security/mutating-webhooks-good-practices.md
Outdated
Show resolved
Hide resolved
content/en/docs/concepts/security/mutating-webhooks-good-practices.md
Outdated
Show resolved
Hide resolved
content/en/docs/concepts/security/mutating-webhooks-good-practices.md
Outdated
Show resolved
Hide resolved
content/en/docs/concepts/security/mutating-webhooks-good-practices.md
Outdated
Show resolved
Hide resolved
Once this merges, you are welcome - but not forced! - to file an issue about the remaining gaps. |
content/en/docs/concepts/security/mutating-webhooks-good-practices.md
Outdated
Show resolved
Hide resolved
content/en/docs/concepts/security/mutating-webhooks-good-practices.md
Outdated
Show resolved
Hide resolved
content/en/docs/concepts/security/mutating-webhooks-good-practices.md
Outdated
Show resolved
Hide resolved
There was a problem hiding this comment.
I might put this in the Cluster Administration section, and have https://kubernetes.io/docs/concepts/security/ also link there.
There was a problem hiding this comment.
I'll do this before submission so that it doesn't muddle up the reviews
There was a problem hiding this comment.
Please do that @shannonxtreme
LGTM noted but:
/lgtm cancel
There was a problem hiding this comment.
sorry, I didn't notice this comment
There was a problem hiding this comment.
It's fine, we can use that recorded LGTM to skip detailed reviews later.
|
@shannonxtreme my best practice is to avoid mutating webhooks, because they confuse gitops tools. It's likely that ArgoCD will think that a resource is out of sync, and revert the changes made by the mutating webhooks. We even avoid that gitops tool change the desired state stored in git. It's called the Rendered Manifests Pattern: https://akuity.io/blog/the-rendered-manifests-pattern What about adding the RMP to the instruction section? Additional note: some parts of the doc could link to the API conventions. The API conventions doc is the "single source of truth" about how to design or interact with Kubernetes APIs. |
It will be a great addition to the article. Maybe we can start with merging this iteration. The article already stating some practices how to avoid using webhook, adding more is definitely beneficial. |
|
You might find #46798 useful too @shannonxtreme; feel free to use elements of that PR (with appropriate credit!) |
|
Also this one: https://github.com/kubernetes/website/pull/46798/files#r1946911968 It would be nice to merge this PR so we can iterate |
|
@SergeyKanzhelev I decided not to add the content from kubernetes/enhancements#5068 (comment) in this version of the doc as it would tie up the reviews a bit more. Let's merge this MVP and build on it! |
shannonxtreme
force-pushed
the
mutating-webhook-good-practices
branch
from
4776142 to
58a1ab9
Compare
|
@sftim @SergeyKanzhelev this is ready for another review. There are some unresolved comments in this PR that should either be a follow-up or need more info. I've listed them here:
|
k8s-ci-robot
added
the
needs-rebase
shannonxtreme
force-pushed
the
mutating-webhook-good-practices
branch
from
58a1ab9 to
f50edb3
Compare
k8s-ci-robot
removed
the
needs-rebase
|
/lgtm |
k8s-ci-robot
added
the
lgtm
k8s-ci-robot
removed
the
lgtm
- Link to new page from dynamic admission control page - Retain TODOs for info that'll be migration from existing page
shannonxtreme
force-pushed
the
mutating-webhook-good-practices
branch
from
f50edb3 to
0f8533d
Compare
…ices page Moved content as-is (no text changes) for a more readable diff between commits. The following sections werent moved: * Idempotence main section (better content in new page) * Intercepting all versions of an object (better content in new page) * Guaranteeing the final state of an object is seen * Avoiding operating in the kube-system namespace
- Remove h4 section headers for idempotence - Wrap lines at 80 chars - Update pod to Pod, deployment to Deployment - Move the outcome of idempotency examples to the correct list item - Update links to go to the correct places
Source PR: kubernetes#46798 Co-authored-by: Shaun Crampton <[email protected]> Co-authored-by: Kat Cosgrove <[email protected]> Co-authored-by: Tim Bannister <[email protected]>
shannonxtreme
force-pushed
the
mutating-webhook-good-practices
branch
from
0f8533d to
fc27b94
Compare
|
@sftim I renamed the page and updated the index files for cluster admin and security Also updated the link from the admission control concept |
|
Relying on existing LGTM from #49626 (comment) /lgtm Thanks @shannonxtreme |
k8s-ci-robot
added
the
lgtm
|
LGTM label has been added. Git tree hash: bc78893f8aea7c34d9d448c107117a29dbbbdf0f
|
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: sftim The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
approved
Add a good practices page for designing and running mutating admission webhooks
Doc plan: https://docs.google.com/document/d/1pg80Qn3Uz2SupCHjuQ_CRhnh9m3q9a3KU_PGV3ecVFE/edit?pli=1&tab=t.0
Overview of changes
Create a new page based on the discussion in the doc plan
Move existing best practices from Dynamic Admission Control page
Deleted any existing practices that were significantly expanded on in the new page
Added guidance to compare types of admission control mechanisms and choose the best one
I used an HTML table to do lists and to organize the info more clearly.
Outstanding questions and omitted sections
The following good practices didn't have enough information, so I omitted them from this iteration:
Co-authors/contributors
Closes: #47465
/sig docs
/language en