disable the service webhook for classic clusters

mjlshen · mjlshen · commit 49c661ccc196 · 2024-05-16T10:05:07.000-04:00
* Accomplished by adding a ClassicEnabled configuration option to each
  webhook

Signed-off-by: Michael Shen &lt;mshen@redhat.com&gt;
diff --git a/README.md b/README.md
@@ -82,7 +82,9 @@ type Webhook interface {
 	// SyncSetLabelSelector returns the label selector to use in the SyncSet.
 	// Return utils.DefaultLabelSelector() to stick with the default
 	SyncSetLabelSelector() metav1.LabelSelector
-	// HypershiftEnabled will return boolean value for hypershift enabled configurations
+	// ClassicEnabled will return true if the webhook should be deployed to OSD/ROSA Classic clusters
+	ClassicEnabled() bool
+	// HypershiftEnabled will return true if the webhook should be deployed to ROSA HCP clusters
 	HypershiftEnabled() bool
 }
 ```
@@ -117,7 +119,7 @@ The [utils package](pkg/webhooks/utils/utils.go) provides a string slice content
 
 ### Mutating Webhooks
 
-Despite its name, this repository has basic support for deploying mutating webhooks alongside validating ones due to their similarity. The differences between the two webhook types boil down to the types of decisions (`Response`s) they're allowed to return to the API server. Just like validating webhooks, mutating webhooks can decide that a request is `Allowed`, `Denied`, or `Errored` (see *[Building a Response](#building-a-response)* below). Unlike validating webhooks, however, mutating webhooks may instead decide that a request can be allowed only if some changes are made (i.e., `Patched`). `Patched` decisions contain a RFC 6902 ([JSONPatch](https://jsonpatch.com/)) string that describes the necessary mutations. 
+Despite its name, this repository has basic support for deploying mutating webhooks alongside validating ones due to their similarity. The differences between the two webhook types boil down to the types of decisions (`Response`s) they're allowed to return to the API server. Just like validating webhooks, mutating webhooks can decide that a request is `Allowed`, `Denied`, or `Errored` (see *[Building a Response](#building-a-response)* below). Unlike validating webhooks, however, mutating webhooks may instead decide that a request can be allowed only if some changes are made (i.e., `Patched`). `Patched` decisions contain a RFC 6902 ([JSONPatch](https://jsonpatch.com/)) string that describes the necessary mutations.
 
 For example, the [service-mutation webhook](pkg/webhooks/service/service.go) enforces an AWS managed policy requirement that ELBs are tagged with `red-hat-managed=true` by mutating all CREATE and UPDATE operations on LoadBalancer-type `Services` such that they contain the annotation `service.beta.kubernetes.io/aws-load-balancer-additional-resource-tags: red-hat-managed=true`. For a CREATE operation on a `Service` that's missing the necessary annotation, the JSONPatch embedded within the `Patched` Response might look like:
 
diff --git a/build/resources.go b/build/resources.go
@@ -806,6 +806,10 @@ func main() {
 			}
 			seen[hook().GetURI()] = true
 
+			if !hook().ClassicEnabled() {
+				continue
+			}
+
 			// no rules...?
 			if len(hook().Rules()) == 0 {
 				continue
diff --git a/build/selectorsyncset.yaml b/build/selectorsyncset.yaml
@@ -721,37 +721,6 @@ objects:
           scope: Cluster
         sideEffects: None
         timeoutSeconds: 2
-    - apiVersion: admissionregistration.k8s.io/v1
-      kind: MutatingWebhookConfiguration
-      metadata:
-        annotations:
-          service.beta.openshift.io/inject-cabundle: "true"
-        creationTimestamp: null
-        name: sre-service-mutation
-      webhooks:
-      - admissionReviewVersions:
-        - v1
-        clientConfig:
-          service:
-            name: validation-webhook
-            namespace: openshift-validation-webhook
-            path: /service-mutation
-        failurePolicy: Ignore
-        matchPolicy: Equivalent
-        name: service-mutation.managed.openshift.io
-        rules:
-        - apiGroups:
-          - ""
-          apiVersions:
-          - v1
-          operations:
-          - CREATE
-          - UPDATE
-          resources:
-          - services
-          scope: Namespaced
-        sideEffects: None
-        timeoutSeconds: 2
     - apiVersion: admissionregistration.k8s.io/v1
       kind: ValidatingWebhookConfiguration
       metadata:
diff --git a/pkg/config/namespaces.go b/pkg/config/namespaces.go
diff --git a/pkg/webhooks/clusterlogging/clusterlogging.go b/pkg/webhooks/clusterlogging/clusterlogging.go
@@ -281,6 +281,8 @@ func (s *ClusterloggingWebhook) SyncSetLabelSelector() metav1.LabelSelector {
 	return customLabelSelector
 }
 
+func (s *ClusterloggingWebhook) ClassicEnabled() bool { return true }
+
 func (s *ClusterloggingWebhook) HypershiftEnabled() bool { return false }
 
 // NewWebhook creates a new webhook
diff --git a/pkg/webhooks/clusterrolebinding/clusterrolebinding.go b/pkg/webhooks/clusterrolebinding/clusterrolebinding.go
@@ -243,4 +243,6 @@ func (s *ClusterRoleBindingWebHook) SyncSetLabelSelector() metav1.LabelSelector
 	return utils.DefaultLabelSelector()
 }
 
+func (s *ClusterRoleBindingWebHook) ClassicEnabled() bool { return true }
+
 func (s *ClusterRoleBindingWebHook) HypershiftEnabled() bool { return true }
diff --git a/pkg/webhooks/customresourcedefinitions/customresourcedefinitions.go b/pkg/webhooks/customresourcedefinitions/customresourcedefinitions.go
@@ -193,4 +193,6 @@ func (s *customresourcedefinitionsruleWebhook) SyncSetLabelSelector() metav1.Lab
 	return utils.DefaultLabelSelector()
 }
 
+func (s *customresourcedefinitionsruleWebhook) ClassicEnabled() bool { return true }
+
 func (s *customresourcedefinitionsruleWebhook) HypershiftEnabled() bool { return false }
diff --git a/pkg/webhooks/hiveownership/hiveownership.go b/pkg/webhooks/hiveownership/hiveownership.go
@@ -130,6 +130,8 @@ func (s *HiveOwnershipWebhook) SyncSetLabelSelector() metav1.LabelSelector {
 	return utils.DefaultLabelSelector()
 }
 
+func (s *HiveOwnershipWebhook) ClassicEnabled() bool { return true }
+
 func (s *HiveOwnershipWebhook) HypershiftEnabled() bool { return false }
 
 // NewWebhook creates a new webhook
diff --git a/pkg/webhooks/imagecontentpolicies/imagecontentpolicies.go b/pkg/webhooks/imagecontentpolicies/imagecontentpolicies.go
@@ -165,6 +165,10 @@ func (w *ImageContentPoliciesWebhook) SyncSetLabelSelector() metav1.LabelSelecto
 	return utils.DefaultLabelSelector()
 }
 
+func (w *ImageContentPoliciesWebhook) ClassicEnabled() bool {
+	return true
+}
+
 func (w *ImageContentPoliciesWebhook) HypershiftEnabled() bool {
 	return true
 }
diff --git a/pkg/webhooks/ingressconfig/ingressconfig.go b/pkg/webhooks/ingressconfig/ingressconfig.go
@@ -122,6 +122,8 @@ func (w *IngressConfigWebhook) SyncSetLabelSelector() metav1.LabelSelector {
 	return utils.DefaultLabelSelector()
 }
 
+func (w *IngressConfigWebhook) ClassicEnabled() bool { return true }
+
 // HypershiftEnabled will return boolean value for hypershift enabled configurations
 func (w *IngressConfigWebhook) HypershiftEnabled() bool { return true }
 
diff --git a/pkg/webhooks/ingresscontroller/ingresscontroller.go b/pkg/webhooks/ingresscontroller/ingresscontroller.go
@@ -192,6 +192,8 @@ func (s *IngressControllerWebhook) SyncSetLabelSelector() metav1.LabelSelector {
 	return customLabelSelector
 }
 
+func (s *IngressControllerWebhook) ClassicEnabled() bool { return true }
+
 func (s *IngressControllerWebhook) HypershiftEnabled() bool { return false }
 
 // NewWebhook creates a new webhook
diff --git a/pkg/webhooks/namespace/namespace.go b/pkg/webhooks/namespace/namespace.go
@@ -317,6 +317,8 @@ func (s *NamespaceWebhook) SyncSetLabelSelector() metav1.LabelSelector {
 	return utils.DefaultLabelSelector()
 }
 
+func (s *NamespaceWebhook) ClassicEnabled() bool { return true }
+
 func (s *NamespaceWebhook) HypershiftEnabled() bool { return true }
 
 // NewWebhook creates a new webhook
diff --git a/pkg/webhooks/networkpolicies/networkpolicies.go b/pkg/webhooks/networkpolicies/networkpolicies.go
@@ -205,4 +205,6 @@ func (s *networkpoliciesruleWebhook) SyncSetLabelSelector() metav1.LabelSelector
 	return utils.DefaultLabelSelector()
 }
 
+func (s *networkpoliciesruleWebhook) ClassicEnabled() bool { return true }
+
 func (s *networkpoliciesruleWebhook) HypershiftEnabled() bool { return false }
diff --git a/pkg/webhooks/node/node.go b/pkg/webhooks/node/node.go
@@ -205,6 +205,8 @@ func (s *NodeWebhook) SyncSetLabelSelector() metav1.LabelSelector {
 	return utils.DefaultLabelSelector()
 }
 
+func (s *NodeWebhook) ClassicEnabled() bool { return true }
+
 func (s *NodeWebhook) HypershiftEnabled() bool { return false }
 
 // NewWebhook creates a new webhook
diff --git a/pkg/webhooks/pod/pod.go b/pkg/webhooks/pod/pod.go
@@ -171,6 +171,8 @@ func (s *PodWebhook) SyncSetLabelSelector() metav1.LabelSelector {
 	return utils.DefaultLabelSelector()
 }
 
+func (s *PodWebhook) ClassicEnabled() bool { return true }
+
 func (s *PodWebhook) HypershiftEnabled() bool { return false }
 
 // NewWebhook creates a new webhook
diff --git a/pkg/webhooks/prometheusrule/prometheusrule.go b/pkg/webhooks/prometheusrule/prometheusrule.go
@@ -221,4 +221,6 @@ func (s *prometheusruleWebhook) SyncSetLabelSelector() metav1.LabelSelector {
 	return utils.DefaultLabelSelector()
 }
 
+func (s *prometheusruleWebhook) ClassicEnabled() bool { return true }
+
 func (s *prometheusruleWebhook) HypershiftEnabled() bool { return false }
diff --git a/pkg/webhooks/register.go b/pkg/webhooks/register.go
@@ -47,7 +47,9 @@ type Webhook interface {
 	// SyncSetLabelSelector returns the label selector to use in the SyncSet.
 	// Return utils.DefaultLabelSelector() to stick with the default
 	SyncSetLabelSelector() metav1.LabelSelector
-	// HypershiftEnabled will return boolean value for hypershift enabled configurations
+	// ClassicEnabled will return true if the webhook should be deployed to OSD/ROSA Classic clusters
+	ClassicEnabled() bool
+	// HypershiftEnabled will return true if the webhook should be deployed to ROSA HCP clusters
 	HypershiftEnabled() bool
 }
 
diff --git a/pkg/webhooks/regularuser/common/regularuser.go b/pkg/webhooks/regularuser/common/regularuser.go
@@ -377,6 +377,8 @@ func (s *RegularuserWebhook) SyncSetLabelSelector() metav1.LabelSelector {
 	return utils.DefaultLabelSelector()
 }
 
+func (s *RegularuserWebhook) ClassicEnabled() bool { return true }
+
 func (s *RegularuserWebhook) HypershiftEnabled() bool { return true }
 
 // NewWebhook creates a new webhook
diff --git a/pkg/webhooks/scc/scc.go b/pkg/webhooks/scc/scc.go
@@ -205,4 +205,6 @@ func (s *SCCWebHook) SyncSetLabelSelector() metav1.LabelSelector {
 	return utils.DefaultLabelSelector()
 }
 
+func (s *SCCWebHook) ClassicEnabled() bool { return true }
+
 func (s *SCCWebHook) HypershiftEnabled() bool { return true }
diff --git a/pkg/webhooks/sdnmigration/sdnmigration.go b/pkg/webhooks/sdnmigration/sdnmigration.go
@@ -145,6 +145,8 @@ func (w *NetworkConfigWebhook) SyncSetLabelSelector() metav1.LabelSelector {
 	return utils.DefaultLabelSelector()
 }
 
+func (w *NetworkConfigWebhook) ClassicEnabled() bool { return true }
+
 // HypershiftEnabled will return boolean value for hypershift enabled configurations
 func (w *NetworkConfigWebhook) HypershiftEnabled() bool { return false }
 
diff --git a/pkg/webhooks/service/service.go b/pkg/webhooks/service/service.go
@@ -218,6 +218,8 @@ func (s *ServiceWebhook) SyncSetLabelSelector() metav1.LabelSelector {
 	return utils.DefaultLabelSelector()
 }
 
+func (s *ServiceWebhook) ClassicEnabled() bool { return false }
+
 // HypershiftEnabled indicates that this webhook is compatible with hosted
 // control plane clusters
 func (s *ServiceWebhook) HypershiftEnabled() bool { return true }
diff --git a/pkg/webhooks/serviceaccount/serviceaccount.go b/pkg/webhooks/serviceaccount/serviceaccount.go
@@ -241,4 +241,6 @@ func (s *serviceAccountWebhook) SyncSetLabelSelector() metav1.LabelSelector {
 	return utils.DefaultLabelSelector()
 }
 
+func (s *serviceAccountWebhook) ClassicEnabled() bool { return true }
+
 func (s *serviceAccountWebhook) HypershiftEnabled() bool { return true }
diff --git a/pkg/webhooks/techpreviewnoupgrade/techpreviewnoupgrade.go b/pkg/webhooks/techpreviewnoupgrade/techpreviewnoupgrade.go
@@ -84,6 +84,8 @@ func (s *TechPreviewNoUpgradeWebhook) SyncSetLabelSelector() metav1.LabelSelecto
 	return utils.DefaultLabelSelector()
 }
 
+func (s *TechPreviewNoUpgradeWebhook) ClassicEnabled() bool { return true }
+
 func (s *TechPreviewNoUpgradeWebhook) HypershiftEnabled() bool { return true }
 
 func (s *TechPreviewNoUpgradeWebhook) renderFeatureGate(request admissionctl.Request) (*configv1.FeatureGate, error) {

Original file line number	Diff line number	Diff line change
`@@ -281,6 +281,8 @@ func (s *ClusterloggingWebhook) SyncSetLabelSelector() metav1.LabelSelector {`
`281`	`281`	`return customLabelSelector`
`282`	`282`	`}`
`283`	`283`
	`284`	`+func (s *ClusterloggingWebhook) ClassicEnabled() bool { return true }`
	`285`	`+`
`284`	`286`	`func (s *ClusterloggingWebhook) HypershiftEnabled() bool { return false }`
`285`	`287`
`286`	`288`	`// NewWebhook creates a new webhook`
Original file line number	Diff line number	Diff line change
`@@ -243,4 +243,6 @@ func (s *ClusterRoleBindingWebHook) SyncSetLabelSelector() metav1.LabelSelector`
`243`	`243`	`return utils.DefaultLabelSelector()`
`244`	`244`	`}`
`245`	`245`
	`246`	`+func (s *ClusterRoleBindingWebHook) ClassicEnabled() bool { return true }`
	`247`	`+`
`246`	`248`	`func (s *ClusterRoleBindingWebHook) HypershiftEnabled() bool { return true }`
Original file line number	Diff line number	Diff line change
`@@ -193,4 +193,6 @@ func (s *customresourcedefinitionsruleWebhook) SyncSetLabelSelector() metav1.Lab`
`193`	`193`	`return utils.DefaultLabelSelector()`
`194`	`194`	`}`
`195`	`195`
	`196`	`+func (s *customresourcedefinitionsruleWebhook) ClassicEnabled() bool { return true }`
	`197`	`+`
`196`	`198`	`func (s *customresourcedefinitionsruleWebhook) HypershiftEnabled() bool { return false }`
Original file line number	Diff line number	Diff line change
`@@ -130,6 +130,8 @@ func (s *HiveOwnershipWebhook) SyncSetLabelSelector() metav1.LabelSelector {`
`130`	`130`	`return utils.DefaultLabelSelector()`
`131`	`131`	`}`
`132`	`132`
	`133`	`+func (s *HiveOwnershipWebhook) ClassicEnabled() bool { return true }`
	`134`	`+`
`133`	`135`	`func (s *HiveOwnershipWebhook) HypershiftEnabled() bool { return false }`
`134`	`136`
`135`	`137`	`// NewWebhook creates a new webhook`
Original file line number	Diff line number	Diff line change
`@@ -165,6 +165,10 @@ func (w *ImageContentPoliciesWebhook) SyncSetLabelSelector() metav1.LabelSelecto`
`165`	`165`	`return utils.DefaultLabelSelector()`
`166`	`166`	`}`
`167`	`167`
	`168`	`+func (w *ImageContentPoliciesWebhook) ClassicEnabled() bool {`
	`169`	`+ return true`
	`170`	`+}`
	`171`	`+`
`168`	`172`	`func (w *ImageContentPoliciesWebhook) HypershiftEnabled() bool {`
`169`	`173`	`return true`
`170`	`174`	`}`
Original file line number	Diff line number	Diff line change
`@@ -122,6 +122,8 @@ func (w *IngressConfigWebhook) SyncSetLabelSelector() metav1.LabelSelector {`
`122`	`122`	`return utils.DefaultLabelSelector()`
`123`	`123`	`}`
`124`	`124`
	`125`	`+func (w *IngressConfigWebhook) ClassicEnabled() bool { return true }`
	`126`	`+`
`125`	`127`	`// HypershiftEnabled will return boolean value for hypershift enabled configurations`
`126`	`128`	`func (w *IngressConfigWebhook) HypershiftEnabled() bool { return true }`
`127`	`129`