From 0a5a9a2647375f2ddb776827271ee057fcac434a Mon Sep 17 00:00:00 2001
From: Fei Guo
Date: Wed, 1 Nov 2023 23:31:51 -0700
Subject: [PATCH 1/2] fix: remove unused RBAC permission for workspace create/delete (#124)

Co-authored-by: guofei
---
 charts/kaito/workspace/templates/clusterrole.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/charts/kaito/workspace/templates/clusterrole.yaml b/charts/kaito/workspace/templates/clusterrole.yaml
index 4eecde327..ddd604756 100644
--- a/charts/kaito/workspace/templates/clusterrole.yaml
+++ b/charts/kaito/workspace/templates/clusterrole.yaml
@@ -8,7 +8,7 @@ metadata:
 rules:
   - apiGroups: ["kaito.sh"]
     resources: ["workspaces"]
-    verbs: ["create", "delete", "update", "patch","get","list","watch"]
+    verbs: ["update", "patch","get","list","watch"]
   - apiGroups: ["kaito.sh"]
     resources: ["workspaces/status"]
     verbs: ["update", "patch","get","list","watch"]

From ab74683334b048d8082afc0ac651f15d03891fde Mon Sep 17 00:00:00 2001
From: Fei Guo
Date: Thu, 2 Nov 2023 00:15:12 -0700
Subject: [PATCH 2/2] fix: rename webhook secret name and remove leader election (#126)

Rename the secret name so that it is specific to workspace webhook. The workspace controller only runs single instance so that webhook HA is not needed.

Co-authored-by: guofei
---
 charts/kaito/workspace/templates/clusterrole.yaml | 2 +-
 charts/kaito/workspace/templates/role.yaml | 9 +--------
 .../kaito/workspace/templates/secret-webhook-cert.yaml | 2 +-
 charts/kaito/workspace/templates/webhooks.yaml | 4 ++--
 cmd/main.go | 6 ++++--
 pkg/webhooks/webhooks.go | 2 +-
 6 files changed, 10 insertions(+), 15 deletions(-)

diff --git a/charts/kaito/workspace/templates/clusterrole.yaml b/charts/kaito/workspace/templates/clusterrole.yaml
index ddd604756..90ff90345 100644
--- a/charts/kaito/workspace/templates/clusterrole.yaml
+++ b/charts/kaito/workspace/templates/clusterrole.yaml
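Review bot: The narrowed verbs line on `workspaces` is the right direction, but the unchanged `workspaces/status` rule three lines below still grants `list` and `watch`, and a CRD status subresource only serves get, update and patch, so those two verbs appear to be inert grants of the same kind this commit removes. A follow-up could trim that rule to `verbs: ["update", "patch", "get"]`. To keep the narrowed grant from being re-widened later, add a comment above the rule such as `# the controller does not create or delete workspaces; only spec/status updates are needed`, assuming that is indeed the case as the commit subject implies. Whether `update`/`patch` on the main resource are still required (for finalizers or labels, for example) cannot be confirmed from this hunk.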
@@ -39,4 +39,4 @@ rules:
   - apiGroups: ["admissionregistration.k8s.io"]
     resources: ["validatingwebhookconfigurations"]
     verbs: ["update"]
-    resourceNames: ["validation.webhook.kaito.sh"]
+    resourceNames: ["validation.workspace.kaito.sh"]
diff --git a/charts/kaito/workspace/templates/role.yaml b/charts/kaito/workspace/templates/role.yaml
index d1beaf5d0..a15a8d819 100644
--- a/charts/kaito/workspace/templates/role.yaml
+++ b/charts/kaito/workspace/templates/role.yaml
@@ -19,11 +19,4 @@ rules:
   - apiGroups: [""]
     resources: ["secrets"]
     verbs: ["update"]
-    resourceNames: ["webhook-cert"]
-  - apiGroups: ["coordination.k8s.io"]
-    resources: ["leases"]
-    verbs: ["get", "list", "watch", "create"]
-  - apiGroups: ["coordination.k8s.io"]
-    resources: ["leases"]
-    verbs: ["patch", "update"]
-    resourceNames: ["webhook.validationwebhook.00-of-01", "webhook.webhookcertificates.00-of-01"]
+    resourceNames: ["workspace-webhook-cert"]
diff --git a/charts/kaito/workspace/templates/secret-webhook-cert.yaml b/charts/kaito/workspace/templates/secret-webhook-cert.yaml
index 55f4cf980..9fab5a666 100644
--- a/charts/kaito/workspace/templates/secret-webhook-cert.yaml
+++ b/charts/kaito/workspace/templates/secret-webhook-cert.yaml
@@ -1,7 +1,7 @@
 apiVersion: v1
 kind: Secret
 metadata:
-  name: webhook-cert
+  name: workspace-webhook-cert
   namespace: {{ include "kaito.fullname" .}}
   labels:
     {{- include "kaito.labels" . | nindent 4 }}
diff --git a/charts/kaito/workspace/templates/webhooks.yaml b/charts/kaito/workspace/templates/webhooks.yaml
index 99cacfb4a..440804a72 100644
--- a/charts/kaito/workspace/templates/webhooks.yaml
+++ b/charts/kaito/workspace/templates/webhooks.yaml
@@ -1,11 +1,11 @@
 apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
-  name: validation.webhook.kaito.sh
+  name: validation.workspace.kaito.sh
   labels:
     {{- include "kaito.labels" . | nindent 4 }}
 webhooks:
-  - name: validation.webhook.kaito.sh
+  - name: validation.workspace.kaito.sh
     admissionReviewVersions: ["v1"]
     clientConfig:
       service:
diff --git a/cmd/main.go b/cmd/main.go
index 9c71ad26c..e5ff04e8b 100644
--- a/cmd/main.go
+++ b/cmd/main.go
@@ -129,9 +129,11 @@ func main() {
 		ctx := webhook.WithOptions(signals.NewContext(), webhook.Options{
 			ServiceName: os.Getenv(WebhookServiceName),
 			Port: p,
-			SecretName: "webhook-cert",
+			SecretName: "workspace-webhook-cert",
 		})
-		sharedmain.MainWithConfig(sharedmain.WithHealthProbesDisabled(ctx), "webhook", ctrl.GetConfigOrDie(), webhooks.NewWebhooks()...)
+		ctx = sharedmain.WithHealthProbesDisabled(ctx)
+		ctx = sharedmain.WithHADisabled(ctx)
+		sharedmain.MainWithConfig(ctx, "webhook", ctrl.GetConfigOrDie(), webhooks.NewWebhooks()...)
 	}()
 	// wait 2 seconds to allow reconciling webhookconfiguration and service endpoint.
 	time.Sleep(2 * time.Second)
diff --git a/pkg/webhooks/webhooks.go b/pkg/webhooks/webhooks.go
index 34e6da146..6755d16f5 100644
--- a/pkg/webhooks/webhooks.go
+++ b/pkg/webhooks/webhooks.go
@@ -25,7 +25,7 @@ func NewWebhooks() []knativeinjection.ControllerConstructor {
 
 func NewCRDValidationWebhook(ctx context.Context, _ configmap.Watcher) *controller.Impl {
 	return validation.NewAdmissionController(ctx,
-		"validation.webhook.kaito.sh",
+		"validation.workspace.kaito.sh",
 		"/validate/workspace.kaito.sh",
 		Resources,
 		func(ctx context.Context) context.Context { return ctx },
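Review bot: The new `SecretName: "workspace-webhook-cert"` line in cmd/main.go is a bare literal that has to match `metadata.name` in secret-webhook-cert.yaml and the `resourceNames` entry of the secrets rule in role.yaml, yet unlike the service name on the line above, which is read via `os.Getenv(WebhookServiceName)`, it is not injected from the chart, so a later rename on either side would likely leave the webhook unable to reach its certificate Secret. Consider sourcing it the same way as the service name, or at least hoisting it to a named constant carrying `// must match the Secret name in charts/kaito/workspace/templates/secret-webhook-cert.yaml and the secrets Role resourceNames`. The same three-way coupling applies to `"validation.workspace.kaito.sh"` in the pkg/webhooks/webhooks.go hunk, which has to stay in sync with webhooks.yaml and the clusterrole `resourceNames` for validatingwebhookconfigurations. The added `ctx = sharedmain.WithHADisabled(ctx)` also deserves a one-line comment recording the assumption from the commit message, e.g. `// single-replica deployment: no leader election for the cert and webhook-config reconcilers`, because raising the Deployment replica count would make every replica reconcile the same Secret. The enclosing goroutine and `main` begin and end outside the hunk.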