Skip to content

feat: add managed resource webhook #1152

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
nwnt merged 9 commits into from
Jul 9, 2025
Merged

feat: add managed resource webhook #1152

nwnt merged 9 commits into from
Jul 9, 2025

Conversation

@nwnt
Copy link
Contributor

@nwnt nwnt commented Jul 1, 2025

Description of your changes

Fixes :
Enable the fleet dataplane to deny any create/update/delete operations on ARM managed resources. At the moment, CRP, Namespace, ResourceQuota, and NetworkPolicy can be managed resources.

I have:

  • Run make reviewable to ensure this PR is ready for review.

How has this code been tested

make local-unit-test ran successfully

Special notes for your reviewer

Arvindthiru
Arvindthiru reviewed Jul 1, 2025
View reviewed changes
@Arvindthiru
Copy link
Contributor

Arvindthiru commented Jul 1, 2025

The UT gate is failing because of this test https://github.com/Azure/fleet/blob/main/pkg/webhook/webhook_test.go#L28

https://github.com/Azure/fleet/actions/runs/16003096328/job/45142931406?pr=1152 PTAL

Arvindthiru
Arvindthiru reviewed Jul 1, 2025
View reviewed changes
@Arvindthiru
Copy link
Contributor

Arvindthiru commented Jul 1, 2025

We should also add E2Es here https://github.com/Azure/fleet/blob/main/test/e2e/webhook_test.go

jim-minter
jim-minter reviewed Jul 1, 2025
View reviewed changes
@nwnt nwnt force-pushed the nwnt/add-managed-resource-webhook branch 2 times, most recently from de8bc2a to 35cc8f0 Compare July 2, 2025 00:24
@nwnt nwnt changed the title feat: add managed resource webhook feat: add managed resource webhook Jul 2, 2025
Arvindthiru
Arvindthiru reviewed Jul 2, 2025
View reviewed changes
@nwnt nwnt force-pushed the nwnt/add-managed-resource-webhook branch from 4475ea8 to 660c99d Compare July 3, 2025 21:18
@stevekuznetsov
Copy link

stevekuznetsov commented Jul 4, 2025

You may want to look into ValidatingAdmissionPolicy - webhooks are a huge lift (and, if they are blocking, an uptime risk for the api server). VAP is extremely lightweight.

Arvindthiru
Arvindthiru reviewed Jul 7, 2025
View reviewed changes
Arvindthiru
Arvindthiru reviewed Jul 7, 2025
View reviewed changes
Arvindthiru
Arvindthiru reviewed Jul 7, 2025
View reviewed changes
Arvindthiru
Arvindthiru reviewed Jul 7, 2025
View reviewed changes
@nwnt
Copy link
Contributor Author

nwnt commented Jul 7, 2025

You may want to look into ValidatingAdmissionPolicy - webhooks are a huge lift (and, if they are blocking, an uptime risk for the api server). VAP is extremely lightweight.

@stevekuznetsov thanks for the input. We'll go ahead with this approach for now and will be validating if it can be simplified further with the way you suggest.

@nwnt nwnt force-pushed the nwnt/add-managed-resource-webhook branch from 7952439 to 334f248 Compare July 7, 2025 21:13
Arvindthiru
Arvindthiru reviewed Jul 8, 2025
View reviewed changes
Arvindthiru
Arvindthiru reviewed Jul 8, 2025
View reviewed changes
@nwnt nwnt force-pushed the nwnt/add-managed-resource-webhook branch from 334f248 to 9103561 Compare July 8, 2025 01:38
@nwnt nwnt force-pushed the nwnt/add-managed-resource-webhook branch from 9103561 to c35147c Compare July 8, 2025 01:41
Arvindthiru
Arvindthiru reviewed Jul 8, 2025
View reviewed changes
pkg/webhook/managedresource/managedresource_validating_webhook.go
Comment on lines +80 to +87
if err := runtime.Convert_runtime_RawExtension_To_runtime_Object(&raw, &obj, nil); err != nil {
return nil, nil, err
}
o, err := runtime.DefaultUnstructuredConverter.ToUnstructured(obj)
if err != nil {
return nil, nil, err
}
u := unstructured.Unstructured{Object: o}
Copy link
Contributor

@Arvindthiru Arvindthiru Jul 8, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We achieve the same using https://github.com/Azure/fleet/blob/main/pkg/webhook/clusterresourceplacement/v1alpha1_clusterresourceplacement_validating_webhook.go#L41. But this can be handled in a follow up PR

Copy link
Contributor Author

@nwnt nwnt Jul 8, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think using a converter doesn't improve much here. It's probably even simpler to not have a decoder just to convert from raw to runtime.Object.

Arvindthiru
Arvindthiru previously approved these changes Jul 8, 2025
View reviewed changes
Copy link
Contributor

@Arvindthiru Arvindthiru left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

Arvindthiru
Arvindthiru reviewed Jul 8, 2025
View reviewed changes
Arvindthiru
Arvindthiru reviewed Jul 8, 2025
View reviewed changes
Arvindthiru
Arvindthiru reviewed Jul 8, 2025
View reviewed changes
@nwnt nwnt force-pushed the nwnt/add-managed-resource-webhook branch from 2b17a21 to 044e29c Compare July 8, 2025 19:14
Address the comment
d39c3b3 
Signed-off-by: Nont <[email protected]>
@nwnt nwnt force-pushed the nwnt/add-managed-resource-webhook branch from 044e29c to d39c3b3 Compare July 8, 2025 20:13
@nwnt nwnt merged commit d7bed83 into Azure:main Jul 9, 2025
21 of 22 checks passed
@nwnt nwnt deleted the nwnt/add-managed-resource-webhook branch July 9, 2025 02:06
@nwnt nwnt mentioned this pull request Aug 11, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jim-minter jim-minter jim-minter left review comments

@Arvindthiru Arvindthiru Arvindthiru approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@nwnt @Arvindthiru @stevekuznetsov @jim-minter