|
1 |
| -# Add support for admission webhooks in OLM |
| 1 | +# Webhook Proposal |
2 | 2 |
|
3 |
| -Status: Pending |
4 |
| - |
5 |
| -Version: v1alpha1 |
6 |
| - |
7 |
| -Implementation owner: TBD |
8 |
| - |
9 |
| -## Abstract |
10 |
| - |
11 |
| -Proposal to add the capability for OLM to support admission webhooks. |
12 |
| - |
13 |
| -## Motivation |
14 |
| - |
15 |
| -Operator authors may require an admission webhook for their operator and would like that operator to be supported under OLM. |
16 |
| - |
17 |
| -## Proposal |
18 |
| - |
19 |
| -### Required changes |
20 |
| - |
21 |
| -In order to support webhooks, three new types need to be added to OLM. A complete webhook configuration utilizes a deployment, a service, and the webhook configuration. The service plus the two different webhook types would constitute all the new types that need implementing and configured. The configuring portion of the new resources will be added to the CSV. However, only the minimal portions as outlined below will be required as the rest can be generated by OLM. |
22 |
| - |
23 |
| -The new types can be added to the existing [StrategyDetailsDeployment](https://github.com/operator-framework/operator-lifecycle-manager/blob/4de8dd1a71001df91a5bd9517435a5aeba240920/pkg/controller/install/deployment.go#L33) type given that a webhook requires a deployment for operation. |
24 |
| - |
25 |
| -The [validating webhook](https://github.com/kubernetes/kubernetes/blob/ae3c44d043769305c6add665cd81c16319479ba7/pkg/apis/admissionregistration/types.go#L169) and [mutating webhook](https://github.com/kubernetes/kubernetes/blob/ae3c44d043769305c6add665cd81c16319479ba7/pkg/apis/admissionregistration/types.go#L293) types are extremely similar. Because of this similarity and due to the user not needing to provide service details new OLM specific types are to be created that include the critical fields. |
26 |
| - |
27 |
| -### CSV webhook configuration example |
28 |
| - |
29 |
| -(The following example has standard unaffected parts of configuration abbreviated.) |
30 |
| - |
31 |
| -```yaml |
32 |
| -... |
33 |
| - install: |
34 |
| - strategy: deployment |
35 |
| - spec: |
36 |
| - clusterPermissions: |
37 |
| - - serviceAccountName: my-operator |
38 |
| - rules: |
39 |
| - - apiGroups: |
40 |
| - - "*" |
41 |
| - ... |
42 |
| - permissions: |
43 |
| - - serviceAccountName: my-operator |
44 |
| - rules: |
45 |
| - - apiGroups: |
46 |
| - - "" |
47 |
| - ... |
48 |
| - deployments: |
49 |
| - - name: webhook-deployment |
50 |
| - spec: |
51 |
| - replicas: 1 |
52 |
| - selector: |
53 |
| - matchLabels: |
54 |
| - name: mywebhook |
55 |
| - template: |
56 |
| - metadata: |
57 |
| - labels: |
58 |
| - name: mywebhook |
59 |
| - spec: |
60 |
| - serviceAccountName: my-operator |
61 |
| - containers: |
62 |
| - - name: webhook |
63 |
| - image: operator-framework/fake-webhook-image:latest |
64 |
| - imagePullPolicy: IfNotPresent |
65 |
| - ports: |
66 |
| - - containerPort: 443 |
67 |
| - env: |
68 |
| - - name: NAMESPACE |
69 |
| - valueFrom: |
70 |
| - fieldRef: |
71 |
| - fieldPath: metadata.annotations['olm.targetNamespaces'] |
72 |
| - - name: operator |
73 |
| - image: operator-framework/fake-operator:latest |
74 |
| - imagePullPolicy: IfNotPresent |
75 |
| - env: |
76 |
| - - name: NAMESPACE |
77 |
| - valueFrom: |
78 |
| - fieldRef: |
79 |
| - fieldPath: metadata.annotations['olm.targetNamespaces'] |
80 |
| - - name: MY_POD_NAME |
81 |
| - valueFrom: |
82 |
| - fieldRef: |
83 |
| - fieldPath: metadata.name |
84 |
| - webhooks: |
85 |
| - - name: olm-validation |
86 |
| - type: ValidatingAdmissionWebhook |
87 |
| - spec: |
88 |
| - rules: |
89 |
| - - apiGroups: |
90 |
| - - "operators.olm.com" |
91 |
| - apiVersions: |
92 |
| - - v1alpha1 |
93 |
| - operations: |
94 |
| - - create |
95 |
| - resources: |
96 |
| - - clusterserviceversions |
97 |
| - selector: |
98 |
| - name: mywebhook |
99 |
| - webhookPath: "/admit" |
100 |
| - - name: olm-mutation |
101 |
| - type: MutatingAdmissionWebhook |
102 |
| - spec: |
103 |
| - ... |
104 |
| -``` |
105 |
| - |
106 |
| -Notable omissions in the above example include: |
107 |
| - |
108 |
| -- volume and volumeMounts in the deployment for the certificates |
109 |
| -- services |
110 |
| -- clientConfig in the webhooks section (path was retained via webhookPath) |
111 |
| - |
112 |
| -### Securing webhook via certificates |
113 |
| - |
114 |
| -The certificate creation and lifecycle management is planned to utilize the same certs package that is already in OLM managing the certificates for api services. |
| 3 | +The latest version of the webhook proposal can be found in the new Operator Enhancement Repo [here](https://github.com/operator-framework/enhancements/blob/master/enhancements/olm-admission-webhooks.md). |
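Review bot: the replacement text on the new line 3 points at the `master` branch of the enhancements repo, so the proposal this stub refers to can be edited or moved without any change being visible here; link to a specific commit or tag of `enhancements/olm-admission-webhooks.md` instead, or state plainly that this file is only a pointer and the versioned, authoritative proposal lives there. The removed header also carried `Status: Pending` and `Version: v1alpha1`, which are dropped without replacement; a one-line note on where the status of the design is now tracked would save readers from assuming the deleted text (including the cert-management plan for securing the webhook) still reflects the accepted design. The new heading `# Webhook Proposal` is also less specific than the removed one; something like `# OLM Admission Webhooks Proposal`, matching the linked file name, would keep the document findable.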