[YUNIKORN-871] Admission controller should only validate yunikorn configmap changes - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: None
Fix Version/s: 0.12.1
Component/s: shim - kubernetes
Labels:
- pull-request-available

Target Version:

0.12.1

Description

Currently, the admission controller is watching all namespaces and tries to validate all configmap changes. But we only need to validate the yunikorn-related changes.

Example:

$ kubectl logs yunikorn-admission-controller-695869b547-qtfpg
...
2021-10-04T11:52:19.379Z	INFO	webhook/webhook.go:83	the admission controller started	{"port": 9089, "listeningOn": ["/mutate", "/validate-conf"]}
$ kubectl create namespace testnamespace
namespace/testnamespace created
$ kubectl create configmap my-config --from-literal=mykey=myval --namespace=testnamespace
configmap/my-config created
$ kubectl get cm
NAME               DATA   AGE
yunikorn-configs   1      11m
$ kubectl get cm --namespace=testnamespace
NAME        DATA   AGE
my-config   1      17s
$ kubectl logs yunikorn-admission-controller-695869b547-qtfpg
...
2021-10-04T11:52:19.379Z	INFO	webhook/webhook.go:83	the admission controller started	{"port": 9089, "listeningOn": ["/mutate", "/validate-conf"]}
2021-10-04T12:03:57.806Z	INFO	webhook/admission_controller.go:304	AdmissionReviewResponse	{"allowed": true}

We need something like the following in validations.yaml.template:

namespaceSelector:
 matchLabels:
   yunikorn

This problem was originally found by kmarton.

Attachments

Issue Links

links to

GitHub Pull Request #308

Activity

People

Assignee:: Peter Bacsko

Reporter:: Peter Bacsko

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 04/Oct/21 12:14

Updated:: 21/Jan/22 21:48

Resolved:: 11/Oct/21 10:30