Merge pull request #22019 from pneedle-rh/bz1701038-admission-controllers

bergerhoffer · web-flow · commit 827c80f63f0a · 2020-06-15T14:57:24.000-04:00
BZ1701038 - Adding OpenShift 4 admission controller document.
diff --git a/_topic_map.yml b/_topic_map.yml
@@ -105,6 +105,9 @@ Topics:
 - Name: The CI/CD methodology and practice
   File: cicd_gitops
   Distros: openshift-enterprise,openshift-webscale
+- Name: Admission plug-ins
+  File: admission-plug-ins
+  Distros: openshift-enterprise,openshift-webscale,openshift-aro
 ---
 Name: Administering a cluster
 Dir: administering_a_cluster
diff --git a/architecture/admission-plug-ins.adoc b/architecture/admission-plug-ins.adoc
@@ -0,0 +1,26 @@
+[id="admission-plug-ins"]
+= Admission plug-ins
+include::modules/common-attributes.adoc[]
+:context: admission-plug-ins
+toc::[]
+
+// Concept modules
+include::modules/admission-plug-ins-about.adoc[leveloffset=+1]
+
+include::modules/admission-plug-ins-default.adoc[leveloffset=+1]
+
+include::modules/admission-webhooks-about.adoc[leveloffset=+1]
+
+include::modules/admission-webhook-types.adoc[leveloffset=+1]
+
+// Procedure module
+include::modules/configuring-dynamic-admission.adoc[leveloffset=+1]
+
+[id="admission-plug-ins-additional-resources"]
+== Additional resources
+
+* xref:../networking/hardware_networks/configuring-sriov-operator.adoc#configuring-sriov-operator[Limiting custom network resources managed by the SR-IOV network device plug-in]
+
+* xref:../nodes/scheduling/nodes-scheduler-taints-tolerations.adoc#nodes-scheduler-taints-tolerations_dedicating_nodes-scheduler-taints-tolerations[Defining tolerations that enable taints to qualify which pods should be scheduled on a node]
+
+* xref:../nodes/pods/nodes-pods-priority.adoc#admin-guide-priority-preemption-names_nodes-pods-priority[Pod priority class validation]
diff --git a/images/api-admission-chain.png b/images/api-admission-chain.png
diff --git a/modules/admission-plug-ins-about.adoc b/modules/admission-plug-ins-about.adoc
@@ -0,0 +1,21 @@
+// Module included in the following assemblies:
+//
+// * architecture/admission-plug-ins.adoc
+
+[id="admission-plug-ins-about_{context}"]
+= About admission plug-ins
+
+Admission plug-ins are used to help regulate how {product-title} {product-version} functions. Admission plug-ins intercept requests to the master API to validate resource requests and ensure policies are adhered to, after the request is authenticated and authorized. For example, they are commonly used to enforce security policy, resource limitations or configuration requirements.
+
+Admission plug-ins run in sequence as an admission chain. If any admission plug-in in the sequence rejects a request, the whole chain is aborted and an error is returned.
+
+{product-title} has a default set of admission plug-ins enabled for each resource type. These are required for proper functioning of the cluster. Admission plug-ins ignore resources that they are not responsible for.
+
+In addition to the defaults, the admission chain can be extended dynamically through webhook admission plug-ins that call out to custom webhook servers. There are two types of webhook admission plug-ins: a mutating admission plug-in and a validating admission plug-in. The mutating admission plug-in runs first and can both modify resources and validate requests. The validating admission plug-in validates requests and runs after the mutating admission plug-in so that modifications triggered by the mutating admission plug-in can also be validated.
+
+Calling webhook servers through a mutating admission plug-in can produce side effects on resources related to the target object. In such situations, you must take steps to validate that the end result is as expected.
+
+[WARNING]
+====
+Dynamic admission should be used cautiously because it impacts cluster control plane operations. When calling webhook servers through webhook admission plug-ins in {product-title} {product-version}, ensure that you have read the documentation fully and tested for side effects of mutations. Include steps to restore resources back to their original state prior to mutation, in the event that a request does not pass through the entire admission chain.
+====
diff --git a/modules/admission-plug-ins-default.adoc b/modules/admission-plug-ins-default.adoc
@@ -0,0 +1,9 @@
+// Module included in the following assemblies:
+//
+// * architecture/admission-plug-ins.adoc
+
+[id="admission-plug-ins-default_{context}"]
+= Default admission plug-ins
+
+//Future xref - A set of default admission plug-ins is enabled in {product-title} {product-version}. These default plug-ins contribute to fundamental control plane functionality, such as ingress policy, xref:../nodes/clusters/nodes-cluster-overcommit.adoc#nodes-cluster-resource-override_nodes-cluster-overcommit[cluster resource limit override] and quota policy.
+A set of default admission plug-ins is enabled in {product-title} {product-version}. These default plug-ins contribute to fundamental control plane functionality, such as ingress policy, cluster resource limit override and quota policy.
diff --git a/modules/admission-webhook-types.adoc b/modules/admission-webhook-types.adoc
@@ -0,0 +1,110 @@
+// Module included in the following assemblies:
+//
+// * architecture/admission-plug-ins.adoc
+
+[id="admission-webhook-types_{context}"]
+= Types of webhook admission plug-ins
+
+Cluster administrators can call out to webhook servers through the mutating admission plug-in or the validating admission plug-in in the API server admission chain.
+
+[id="mutating-admission-plug-in_{context}"]
+== Mutating admission plug-in
+
+The mutating admission plug-in is invoked during the mutation phase of the admission process, which allows modification of resource content before it is persisted. One example webhook that can be called through the mutating admission plug-in is the Pod Node Selector feature, which uses an annotation on a namespace to find a label selector and add it to the pod specification.
+
+[id="mutating-admission-plug-in-config_{context}"]
+.Sample mutating admission plug-in configuration
+
+[source,yaml]
+----
+apiVersion: admissionregistration.k8s.io/v1beta1
+kind: MutatingWebhookConfiguration <1>
+metadata:
+  name: <webhook_name> <2>
+webhooks:
+- name: <webhook_name> <3>
+  clientConfig: <4>
+    service:
+      namespace: default <5>
+      name: kubernetes <6>
+     path: <webhook_url> <7>
+    caBundle: <ca_signing_certificate> <8>
+  rules: <9>
+  - operations: <10>
+    - <operation>
+    apiGroups:
+    - ""
+    apiVersions:
+    - "*"
+    resources:
+    - <resource>
+  failurePolicy: <policy> <11>
+  sideEffects: None
+----
+
+<1> Specifies a mutating admission plug-in configuration.
+<2> The name for the webhook object. Replace `<webhook_name>` with the appropriate value.
+<3> The name of the webhook to call. Replace `<webhook_name>` with the appropriate value.
+<4> Information about how to connect to, trust, and send data to the webhook server.
+<5> The namespace where the front-end service is created.
+<6> The name of the front-end service.
+<7> The webhook URL used for admission requests. Replace `<webhook_url>` with the appropriate value.
+<8> A PEM-encoded CA certificate that signs the server certificate that is used by the webhook server.  Replace `<ca_signing_certificate>` with the appropriate certificate in base64 format.
+<9> Rules that define when the API server should use this webhook admission plug-in.
+<10> One or more operations that trigger the API server to call this webhook admission plug-in. Possible values are `create`, `update`, `delete` or `connect`. Replace `<operation>` and `<resource>` with the appropriate values.
+<11> Specifies how the policy should proceed if the webhook server is unavailable.
+Replace `<policy>` with either `Ignore` (to unconditionally accept the request in the event of a failure) or `Fail` (to deny the failed request). Using `Ignore` can result in unpredictable behavior for all clients.
+
+[IMPORTANT]
+====
+In {product-title} {product-version}, objects created by users or control loops through a mutating admission plug-in might return unexpected results, especially if values set in an initial request are overwritten, which is not recommended.
+====
+
+[id="validating-admission-plug-in_{context}"]
+== Validating admission plug-in
+
+A validating admission plug-in is invoked during the validation phase of the admission process. This phase allows the enforcement of invariants on particular API resources to ensure that the resource does not change again. The Pod Node Selector is also an example of a webhook which is called by the validating admission plug-in, to ensure that all `nodeSelector` fields are constrained by the node selector restrictions on the namespace.
+
+[id="validating-admission-plug-in-config_{context}"]
+//http://blog.kubernetes.io/2018/01/extensible-admission-is-beta.html
+.Sample validating admission plug-in configuration
+
+[source,yaml]
+----
+apiVersion: admissionregistration.k8s.io/v1beta1
+kind: ValidatingWebhookConfiguration <1>
+metadata:
+  name: <webhook_name> <2>
+webhooks:
+- name: <webhook_name> <3>
+  clientConfig: <4>
+    service:
+      namespace: default  <5>
+      name: kubernetes <6>
+     path: <webhook_url> <7>
+    caBundle: <ca_signing_certificate> <8>
+  rules: <9>
+  - operations: <10>
+    - <operation>
+    apiGroups:
+    - ""
+    apiVersions:
+    - "*"
+    resources:
+    - <resource>
+  failurePolicy: <policy> <11>
+  sideEffects: Unknown
+----
+
+<1> Specifies a validating admission plug-in configuration.
+<2> The name for the webhook object. Replace `<webhook_name>` with the appropriate value.
+<3> The name of the webhook to call. Replace `<webhook_name>` with the appropriate value.
+<4> Information about how to connect to, trust, and send data to the webhook server.
+<5> The namespace where the front-end service is created.
+<6> The name of the front-end service.
+<7> The webhook URL used for admission requests. Replace `<webhook_url>` with the appropriate value.
+<8> A PEM-encoded CA certificate that signs the server certificate that is used by the webhook server.  Replace `<ca_signing_certificate>` with the appropriate certificate in base64 format.
+<9> Rules that define when the API server should use this webhook admission plug-in.
+<10> One or more operations that trigger the API server to call this webhook admission plug-in. Possible values are `create`, `update`, `delete` or `connect`. Replace `<operation>` and `<resource>` with the appropriate values.
+<11> Specifies how the policy should proceed if the webhook server is unavailable.
+Replace `<policy>` with either `Ignore` (to unconditionally accept the request in the event of a failure) or `Fail` (to deny the failed request). Using `Ignore` can result in unpredictable behavior for all clients.
diff --git a/modules/admission-webhooks-about.adoc b/modules/admission-webhooks-about.adoc
@@ -0,0 +1,47 @@
+// Module included in the following assemblies:
+//
+// * architecture/admission-plug-ins.adoc
+
+[id="admission-webhooks-about_{context}"]
+= Webhook admission plug-ins
+
+In addition to {product-title} default admission plug-ins, dynamic admission can be implemented through webhook admission plug-ins that call webhook servers, in order to extend the functionality of the admission chain. Webhook servers are called over HTTP at defined endpoints.
+
+There are two types of webhook admission plug-ins in {product-title}:
+
+//Future xref - * During the admission process, xref:../architecture/admission-plug-ins.adoc#mutating-admission-plug-in[the mutating admission plug-in] can perform tasks, such as injecting affinity labels.
+* During the admission process, the _mutating admission plug-in_ can perform tasks, such as injecting affinity labels.
+
+//Future xref - * At the end of the admission process, xref:../architecture/admission-plug-ins.adoc#validating-admission-plug-in[the validating admission plug-in] makes sure an object is configured properly, for example ensuring affinity labels are as expected. If the validation passes, {product-title} schedules the object as configured.
+* At the end of the admission process, the _validating admission plug-in_ can be used to make sure an object is configured properly, for example ensuring affinity labels are as expected. If the validation passes, {product-title} schedules the object as configured.
+
+When an API request comes in, mutating or validating admission plug-ins use the list of external webhooks in the configuration and call them in parallel:
+
+* If all of the webhooks approve the request, the admission chain continues.
+
+* If any of the webhooks deny the request, the admission request is denied and the reason for doing so is based on the first denial.
+
+* If more than one webhook denies the admission request, only the first denial reason is returned to the user.
+
+* If an error is encountered when calling a webhook, the request is either denied or the webhook is ignored depending on the error policy set. If the error policy is set to `Ignore`, the request is unconditionally accepted in the event of a failure. If the policy is set to `Fail`, failed requests are denied. Using `Ignore` can result in unpredictable behavior for all clients.
+
+//Future xrefs - Communication between the webhook admission plug-in and the webhook server must use TLS. Generate a certificate authority (CA) certificate and use the certificate to sign the server certificate that is used by your webhook server. The PEM-encoded CA certificate is supplied to the webhook admission plug-in using a mechanism, such as xref:../authentication/certificates/service-serving-certificate.adoc#service-serving-certificate[service serving certificate secrets].
+Communication between the webhook admission plug-in and the webhook server must use TLS. Generate a CA certificate and use the certificate to sign the server certificate that is used by your webhook admission server. The PEM-encoded CA certificate is supplied to the webhook admission plug-in using a mechanism, such as service serving certificate secrets.
+
+The following diagram illustrates the sequential admission chain process within which multiple webhook servers are called.
+
+.API admission chain with mutating and validating admission plug-ins
+image::api-admission-chain.png["API admission stage", align="center"]
+
+An example webhook admission plug-in use case is where all pods must have a common set of labels. In this example, the mutating admission plug-in can inject labels and the validating admission plug-in can check that labels are as expected. {product-title} would subsequently schedule pods that include required labels and reject those that do not.
+
+Some common webhook admission plug-in use cases include:
+
+//Future xref - * Namespace reservation.
+* Namespace reservation.
+//Future xrefs - * xref:../networking/hardware_networks/configuring-sriov-operator.adoc#configuring-sriov-operator[Limiting custom network resources managed by the SR-IOV network device plug-in].
+* Limiting custom network resources managed by the SR-IOV network device plug-in.
+//Future xref - * xref:../nodes/scheduling/nodes-scheduler-taints-tolerations.adoc#nodes-scheduler-taints-tolerations_dedicating_nodes-scheduler-taints-tolerations[Defining tolerations that enable taints to qualify which pods should be scheduled on a node].
+* Defining tolerations that enable taints to qualify which pods should be scheduled on a node.
+//Future xref - * xref:../nodes/pods/nodes-pods-priority.adoc#admin-guide-priority-preemption-names_nodes-pods-priority[Pod priority class validation].
+* Pod priority class validation.
diff --git a/modules/configuring-dynamic-admission.adoc b/modules/configuring-dynamic-admission.adoc
