vendor updates

vendor/k8s.io/kubernetes/test/images/webhook/BUILD

@@ -24,8 +24,7 @@ go_library(
 
 go_binary(
     name = "webhook",
-    importpath = "k8s.io/kubernetes/test/images/webhook",
-    library = ":go_default_library",
+    embed = [":go_default_library"],
     visibility = ["//visibility:public"],
 )
 
@@ -46,8 +45,7 @@ filegroup(
 go_test(
     name = "go_default_test",
     srcs = ["patch_test.go"],
-    importpath = "k8s.io/kubernetes/test/images/webhook",
-    library = ":go_default_library",
+    embed = [":go_default_library"],
     deps = [
         "//vendor/github.com/evanphx/json-patch:go_default_library",
         "//vendor/k8s.io/api/core/v1:go_default_library",

vendor/k8s.io/kubernetes/test/images/webhook/Makefile

@@ -14,7 +14,7 @@
 
 build:
 	CGO_ENABLED=0 GOOS=linux go build -a -installsuffix cgo -o webhook .
-	docker build --no-cache -t gcr.io/kubernetes-e2e-test-images/k8s-sample-admission-webhook-amd64:1.8v6 .
+	docker build --no-cache -t gcr.io/kubernetes-e2e-test-images/k8s-sample-admission-webhook-amd64:1.9v1 .
 	rm -rf webhook
 push:
-	gcloud docker -- push gcr.io/kubernetes-e2e-test-images/k8s-sample-admission-webhook-amd64:1.8v6
+	docker push gcr.io/kubernetes-e2e-test-images/k8s-sample-admission-webhook-amd64:1.9v1

vendor/k8s.io/kubernetes/test/images/webhook/README.md

@@ -1,51 +1,13 @@
-# Kubernetes External Admission Webhook Example
+# Kubernetes External Admission Webhook Test Image
 
-The example shows how to build and deploy an external webhook that only admits
-pods creation and update if the container images have the "grc.io" prefix.
+The image tests MutatingAdmissionWebhook and ValidatingAdmissionWebhook. After deploying
+it to kubernetes cluster, administrator needs to create a ValidatingWebhookConfiguration
+in kubernetes cluster to register remote webhook admission controllers.
 
-## Prerequisites
-
-Please use a Kubernetes release at least as new as v1.8.0 or v1.9.0-alpha.1,
-because the generated server cert/key only works with Kubernetes release that
-contains this [change](https://github.com/kubernetes/kubernetes/pull/50476).
-Please checkout the `pre-v1.8` tag for an example that works with older
-clusters.
-
-Please enable the admission webhook feature
-([doc](https://kubernetes.io/docs/admin/extensible-admission-controllers/#enable-external-admission-webhooks)).
+TODO: add the reference when the document for admission webhook v1beta1 API is done.
 
 ## Build the code
 
 ```bash
 make build
 ```
-
-## Deploy the code
-
-```bash
-make deploy-only 
-```
-
-The Makefile assumes your cluster is created by the
-[hack/local-up-cluster.sh](https://github.com/kubernetes/kubernetes/blob/master/hack/local-up-cluster.sh).
-Please modify the Makefile accordingly if your cluster is created differently.
-
-## Explanation on the CAs/Certs/Keys
-
-The apiserver initiates a tls connection with the webhook, so the apiserver is
-the tls client, and the webhook is the tls server.
-
-The webhook proves its identity by the `serverCert` in the certs.go. The server
-cert is signed by the CA in certs.go. To let the apiserver trust the `caCert`,
-the webhook registers itself with the apiserver via the
-`admissionregistration/v1beta1/externalAdmissionHook` API, with
-`clientConfig.caBundle=caCert`.
-
-For maximum protection, this example webhook requires and verifies the client
-(i.e., the apiserver in this case) cert. The cert presented by the apiserver is
-signed by a client CA, whose cert is stored in the configmap
-`extension-apiserver-authentication` in the `kube-system` namespace. See the
-`getAPIServerCert` function for more information. Usually you don't need to
-worry about setting up this CA cert. It's taken care of when the cluster is
-created. You can disable the client cert verification by setting the
-`tls.Config.ClientAuth` to `tls.NoClientCert` in `config.go`.

vendor/k8s.io/kubernetes/test/images/webhook/main.go

@@ -40,6 +40,9 @@ const (
 	patch2 string = `[
          { "op": "add", "path": "/data/mutation-stage-2", "value": "yes" }
      ]`
+	addInitContainerPatch string = `[
+		 {"op":"add","path":"/spec/initContainers","value":[{"image":"webhook-added-image","name":"webhook-added-init-container","resources":{}}]}
+	]`
 )
 
 // Config contains the server (the webhook) cert and key.
@@ -85,11 +88,16 @@ func admitPods(ar v1beta1.AdmissionReview) *v1beta1.AdmissionResponse {
 	reviewResponse.Allowed = true
 
 	var msg string
-	for k, v := range pod.Labels {
-		if k == "webhook-e2e-test" && v == "webhook-disallow" {
+	if v, ok := pod.Labels["webhook-e2e-test"]; ok {
+		if v == "webhook-disallow" {
 			reviewResponse.Allowed = false
 			msg = msg + "the pod contains unwanted label; "
 		}
+		if v == "wait-forever" {
+			reviewResponse.Allowed = false
+			msg = msg + "the pod response should not be sent; "
+			<-make(chan int) // Sleep forever - no one sends to this channel
+		}
 	}
 	for _, container := range pod.Spec.Containers {
 		if strings.Contains(container.Name, "webhook-disallow") {
@@ -103,6 +111,31 @@ func admitPods(ar v1beta1.AdmissionReview) *v1beta1.AdmissionResponse {
 	return &reviewResponse
 }
 
+func mutatePods(ar v1beta1.AdmissionReview) *v1beta1.AdmissionResponse {
+	glog.V(2).Info("mutating pods")
+	podResource := metav1.GroupVersionResource{Group: "", Version: "v1", Resource: "pods"}
+	if ar.Request.Resource != podResource {
+		glog.Errorf("expect resource to be %s", podResource)
+		return nil
+	}
+
+	raw := ar.Request.Object.Raw
+	pod := corev1.Pod{}
+	deserializer := codecs.UniversalDeserializer()
+	if _, _, err := deserializer.Decode(raw, nil, &pod); err != nil {
+		glog.Error(err)
+		return toAdmissionResponse(err)
+	}
+	reviewResponse := v1beta1.AdmissionResponse{}
+	reviewResponse.Allowed = true
+	if pod.Name == "webhook-to-be-mutated" {
+		reviewResponse.Patch = []byte(addInitContainerPatch)
+		pt := v1beta1.PatchTypeJSONPatch
+		reviewResponse.PatchType = &pt
+	}
+	return &reviewResponse
+}
+
 // deny configmaps with specific key-value pair.
 func admitConfigMaps(ar v1beta1.AdmissionReview) *v1beta1.AdmissionResponse {
 	glog.V(2).Info("admitting configmaps")
@@ -266,6 +299,10 @@ func servePods(w http.ResponseWriter, r *http.Request) {
 	serve(w, r, admitPods)
 }
 
+func serveMutatePods(w http.ResponseWriter, r *http.Request) {
+	serve(w, r, mutatePods)
+}
+
 func serveConfigmaps(w http.ResponseWriter, r *http.Request) {
 	serve(w, r, admitConfigMaps)
 }
@@ -288,6 +325,7 @@ func main() {
 	flag.Parse()
 
 	http.HandleFunc("/pods", servePods)
+	http.HandleFunc("/mutating-pods", serveMutatePods)
 	http.HandleFunc("/configmaps", serveConfigmaps)
 	http.HandleFunc("/mutating-configmaps", serveMutateConfigmaps)
 	http.HandleFunc("/crd", serveCRD)