switching to v1 admission review

Signed-off-by: Min Jin <[email protected]>

Author: yue9944882

deploy/mutatingwebhook.yaml

@@ -24,4 +24,4 @@ webhooks:
     apiVersions: ["v1"]
     resources: ["pods"]
   sideEffects: None
-  admissionReviewVersions: ["v1beta1"]
+  admissionReviewVersions: ["v1"]

pkg/handler/handler.go

@@ -30,7 +30,8 @@ import (
 
 	"github.com/aws/amazon-eks-pod-identity-webhook/pkg"
 	"github.com/aws/amazon-eks-pod-identity-webhook/pkg/cache"
-	"k8s.io/api/admission/v1beta1"
+	"k8s.io/api/admission/v1"
+	admissionregistrationv1 "k8s.io/api/admissionregistration/v1"
 	admissionregistrationv1beta1 "k8s.io/api/admissionregistration/v1beta1"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -41,6 +42,7 @@ import (
 
 func init() {
 	_ = corev1.AddToScheme(runtimeScheme)
+	_ = admissionregistrationv1.AddToScheme(runtimeScheme)
 	_ = admissionregistrationv1beta1.AddToScheme(runtimeScheme)
 }
 
@@ -480,8 +482,8 @@ func (m *Modifier) buildPodPatchConfig(pod *corev1.Pod) *podPatchConfig {
 }
 
 // MutatePod takes a AdmissionReview, mutates the pod, and returns an AdmissionResponse
-func (m *Modifier) MutatePod(ar *v1beta1.AdmissionReview) *v1beta1.AdmissionResponse {
-	badRequest := &v1beta1.AdmissionResponse{
+func (m *Modifier) MutatePod(ar *v1.AdmissionReview) *v1.AdmissionResponse {
+	badRequest := &v1.AdmissionResponse{
 		Result: &metav1.Status{
 			Message: "bad content",
 		},
@@ -498,7 +500,7 @@ func (m *Modifier) MutatePod(ar *v1beta1.AdmissionReview) *v1beta1.AdmissionResp
 	if err := json.Unmarshal(req.Object.Raw, &pod); err != nil {
 		klog.Errorf("Could not unmarshal raw object: %v", err)
 		klog.Errorf("Object: %v", string(req.Object.Raw))
-		return &v1beta1.AdmissionResponse{
+		return &v1.AdmissionResponse{
 			Result: &metav1.Status{
 				Message: err.Error(),
 			},
@@ -511,7 +513,7 @@ func (m *Modifier) MutatePod(ar *v1beta1.AdmissionReview) *v1beta1.AdmissionResp
 	if patchConfig == nil {
 		klog.V(4).Infof("Pod was not mutated. Reason: "+
 			"Service account did not have the right annotations or was not found in the cache. %s", logContext(pod.Name, pod.GenerateName, pod.Spec.ServiceAccountName, pod.Namespace))
-		return &v1beta1.AdmissionResponse{
+		return &v1.AdmissionResponse{
 			Allowed: true,
 		}
 	}
@@ -520,7 +522,7 @@ func (m *Modifier) MutatePod(ar *v1beta1.AdmissionReview) *v1beta1.AdmissionResp
 	patchBytes, err := json.Marshal(patch)
 	if err != nil {
 		klog.Errorf("Error marshaling pod update: %v", err.Error())
-		return &v1beta1.AdmissionResponse{
+		return &v1.AdmissionResponse{
 			Result: &metav1.Status{
 				Message: err.Error(),
 			},
@@ -535,11 +537,11 @@ func (m *Modifier) MutatePod(ar *v1beta1.AdmissionReview) *v1beta1.AdmissionResp
 			"Required volume mounts and env variables were already present. %s", logContext(pod.Name, pod.GenerateName, pod.Spec.ServiceAccountName, pod.Namespace))
 	}
 
-	return &v1beta1.AdmissionResponse{
+	return &v1.AdmissionResponse{
 		Allowed: true,
 		Patch:   patchBytes,
-		PatchType: func() *v1beta1.PatchType {
-			pt := v1beta1.PatchTypeJSONPatch
+		PatchType: func() *v1.PatchType {
+			pt := v1.PatchTypeJSONPatch
 			return &pt
 		}(),
 	}
@@ -562,11 +564,11 @@ func (m *Modifier) Handle(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	var admissionResponse *v1beta1.AdmissionResponse
-	ar := v1beta1.AdmissionReview{}
+	var admissionResponse *v1.AdmissionResponse
+	ar := v1.AdmissionReview{}
 	if _, _, err := deserializer.Decode(body, nil, &ar); err != nil {
 		klog.Errorf("Can't decode body: %v", err)
-		admissionResponse = &v1beta1.AdmissionResponse{
+		admissionResponse = &v1.AdmissionResponse{
 			Result: &metav1.Status{
 				Message: err.Error(),
 			},
@@ -575,7 +577,7 @@ func (m *Modifier) Handle(w http.ResponseWriter, r *http.Request) {
 		admissionResponse = m.MutatePod(&ar)
 	}
 
-	admissionReview := v1beta1.AdmissionReview{}
+	admissionReview := v1.AdmissionReview{}
 	if admissionResponse != nil {
 		admissionReview.Response = admissionResponse
 		if ar.Request != nil {

pkg/handler/handler_test.go

@@ -18,23 +18,23 @@ package handler
 import (
 	"bytes"
 	"encoding/json"
-	"github.com/aws/amazon-eks-pod-identity-webhook/pkg/containercredentials"
-	"github.com/stretchr/testify/assert"
 	"io"
 	"io/ioutil"
-	"k8s.io/apimachinery/pkg/types"
 	"net/http"
 	"net/http/httptest"
 	"reflect"
 	"testing"
 
 	"github.com/aws/amazon-eks-pod-identity-webhook/pkg/cache"
-	"k8s.io/api/admission/v1beta1"
+	"github.com/aws/amazon-eks-pod-identity-webhook/pkg/containercredentials"
+	"github.com/stretchr/testify/assert"
+	admissionv1 "k8s.io/api/admission/v1"
 	authenticationv1 "k8s.io/api/authentication/v1"
 	"k8s.io/api/core/v1"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/types"
 )
 
 const uuid = "918ef1dc-928f-4525-99ef-988389f263c3"
@@ -54,18 +54,18 @@ func TestMutatePod(t *testing.T) {
 	)
 	cases := []struct {
 		caseName string
-		input    *v1beta1.AdmissionReview
-		response *v1beta1.AdmissionResponse
+		input    *admissionv1.AdmissionReview
+		response *admissionv1.AdmissionResponse
 	}{
 		{
 			"nilBody",
 			nil,
-			&v1beta1.AdmissionResponse{Result: &metav1.Status{Message: "bad content"}},
+			&admissionv1.AdmissionResponse{Result: &metav1.Status{Message: "bad content"}},
 		},
 		{
 			"NoRequest",
-			&v1beta1.AdmissionReview{Request: nil},
-			&v1beta1.AdmissionResponse{Result: &metav1.Status{Message: "bad content"}},
+			&admissionv1.AdmissionReview{Request: nil},
+			&admissionv1.AdmissionResponse{Result: &metav1.Status{Message: "bad content"}},
 		},
 		{
 			"ValidRequest",
@@ -114,7 +114,7 @@ func TestMutatePod_MutationNotNeeded(t *testing.T) {
 	assert.Nil(t, response.Patch)
 }
 
-var jsonPatchType = v1beta1.PatchType("JSONPatch")
+var jsonPatchType = admissionv1.PatchType("JSONPatch")
 
 var rawPodWithoutVolume = []byte(`
 {
@@ -138,18 +138,18 @@ var rawPodWithoutVolume = []byte(`
 
 var validPatchIfNoVolumesPresent = []byte(`[{"op":"add","path":"/spec/volumes","value":[{"name":"aws-iam-token","projected":{"sources":[{"serviceAccountToken":{"audience":"sts.amazonaws.com","expirationSeconds":3600,"path":"token"}}]}}]},{"op":"add","path":"/spec/containers","value":[{"name":"balajilovesoreos","image":"amazonlinux","env":[{"name":"AWS_ROLE_ARN","value":"arn:aws:iam::111122223333:role/s3-reader"},{"name":"AWS_WEB_IDENTITY_TOKEN_FILE","value":"/var/run/secrets/eks.amazonaws.com/serviceaccount/token"}],"resources":{},"volumeMounts":[{"name":"aws-iam-token","readOnly":true,"mountPath":"/var/run/secrets/eks.amazonaws.com/serviceaccount"}]}]}]`)
 
-func getValidHandlerResponse(uuid string) *v1beta1.AdmissionResponse {
-	return &v1beta1.AdmissionResponse{
+func getValidHandlerResponse(uuid string) *admissionv1.AdmissionResponse {
+	return &admissionv1.AdmissionResponse{
 		UID:       types.UID(uuid),
 		Allowed:   true,
 		Patch:     validPatchIfNoVolumesPresent,
 		PatchType: &jsonPatchType,
 	}
 }
 
-func getValidReview(pod []byte) *v1beta1.AdmissionReview {
-	return &v1beta1.AdmissionReview{
-		Request: &v1beta1.AdmissionRequest{
+func getValidReview(pod []byte) *admissionv1.AdmissionReview {
+	return &admissionv1.AdmissionReview{
+		Request: &admissionv1.AdmissionRequest{
 			UID: uuid,
 			Kind: metav1.GroupVersionKind{
 				Version: "v1",
@@ -171,7 +171,7 @@ func getValidReview(pod []byte) *v1beta1.AdmissionReview {
 	}
 }
 
-func serializeAdmissionReview(t *testing.T, want *v1beta1.AdmissionReview) []byte {
+func serializeAdmissionReview(t *testing.T, want *admissionv1.AdmissionReview) []byte {
 	wantedBytes, err := json.Marshal(want)
 	if err != nil {
 		t.Errorf("Failed to marshal desired response: %v", err)
@@ -209,21 +209,21 @@ func TestModifierHandler(t *testing.T) {
 			"nilBody",
 			nil,
 			"application/json",
-			serializeAdmissionReview(t, &v1beta1.AdmissionReview{
-				Response: &v1beta1.AdmissionResponse{Result: &metav1.Status{Message: "bad content"}},
+			serializeAdmissionReview(t, &admissionv1.AdmissionReview{
+				Response: &admissionv1.AdmissionResponse{Result: &metav1.Status{Message: "bad content"}},
 			}),
 		},
 		{
 			"NoRequest",
-			serializeAdmissionReview(t, &v1beta1.AdmissionReview{Request: nil}),
+			serializeAdmissionReview(t, &admissionv1.AdmissionReview{Request: nil}),
 			"application/json",
-			serializeAdmissionReview(t, &v1beta1.AdmissionReview{
-				Response: &v1beta1.AdmissionResponse{Result: &metav1.Status{Message: "bad content"}},
+			serializeAdmissionReview(t, &admissionv1.AdmissionReview{
+				Response: &admissionv1.AdmissionResponse{Result: &metav1.Status{Message: "bad content"}},
 			}),
 		},
 		{
 			"BadContentType",
-			serializeAdmissionReview(t, &v1beta1.AdmissionReview{Request: nil}),
+			serializeAdmissionReview(t, &admissionv1.AdmissionReview{Request: nil}),
 			"application/xml",
 			[]byte("Invalid Content-Type, expected `application/json`\n"),
 		},
@@ -243,7 +243,7 @@ func TestModifierHandler(t *testing.T) {
 			"ValidRequestSuccessWithoutVolumes",
 			serializeAdmissionReview(t, getValidReview(rawPodWithoutVolume)),
 			"application/json",
-			serializeAdmissionReview(t, &v1beta1.AdmissionReview{Response: getValidHandlerResponse(uuid)}),
+			serializeAdmissionReview(t, &admissionv1.AdmissionReview{Response: getValidHandlerResponse(uuid)}),
 		},
 	}