🌱 adding TokenReview.auth.k8s.io/v1 webhook support

[christopherhein]

This adds a new pkg/webhook/authentication/ package for setting up the ServeHTTP func for the webook server to be able to handle TokenReview.authentication.k8s.io/(v1,v1beta1) requests.

Closes #1436

Signed-off-by: Chris Hein me@chrishein.com

[christopherhein]

@rfranzke would you be interested in giving this a review and seeing if it aligns with what you implemented for Gardener?

[christopherhein]

/assign @alvaroaleman
/cc @coderanger

[christopherhein]

/test pull-controller-runtime-test-master

[rfranzke]

/assign

[rfranzke]

Thanks @christopherhein, I don't have too many comments because I'm not very familiar with the design decisions made for the admission webhooks, but overall I like it and it looks like it's going into the right direction! :)

Once this PR is merged, I will use it as reference to also contribute the authorization handling.

Generally, I see that many things are now "duplicated" and this might then happen again for the authz. Maybe we should try more to encapsulate shared functionality to make it reusable (not sure if this is always possible in all cases). Probably a maintainer can give better recommendations here.

[rfranzke]

This is exactly the same like in

controller-runtime/pkg/webhook/admission/http.go

Lines 46 to 77 in b5065bd

	var body []byte
	var err error
	ctx := r.Context()
	if wh.WithContextFunc != nil {
	ctx = wh.WithContextFunc(ctx, r)
	}
	var reviewResponse Response
	if r.Body != nil {
	if body, err = ioutil.ReadAll(r.Body); err != nil {
	wh.log.Error(err, "unable to read the body from the incoming request")
	reviewResponse = Errored(http.StatusBadRequest, err)
	wh.writeResponse(w, reviewResponse)
	return
	}
	} else {
	err = errors.New("request body is empty")
	wh.log.Error(err, "bad request")
	reviewResponse = Errored(http.StatusBadRequest, err)
	wh.writeResponse(w, reviewResponse)
	return
	}
	// verify the content type is accurate
	contentType := r.Header.Get("Content-Type")
	if contentType != "application/json" {
	err = fmt.Errorf("contentType=%s, expected application/json", contentType)
	wh.log.Error(err, "unable to process a request with an unknown content type", "content type", contentType)
	reviewResponse = Errored(http.StatusBadRequest, err)
	wh.writeResponse(w, reviewResponse)
	return
	}

and I think it will be exactly the ~same for authorization (https://github.com/gardener/gardener/blob/master/pkg/admissioncontroller/webhooks/auth/seed/handler.go#L68-L95).

Probably it should be made re-useable and moved into a function?

[christopherhein]

Maybe I should take a step back and first move some of this logic out of the admission package in separate PRs then come back to this and use those packages.

@vincepri curious what you think, you'll see we called out a bunch of duplication. I can move some of those packages around/make a little more generic upfront in separate PRs then adjust this PR to have the moved packages/helpers, or we could move forward with some duplication and clean up after…

Rethinking this implementation a bit I was able to cut down on a bunch of the duplication, @rfranzke about the checks, got ideas on how we could pass all the different implementations of Response around? Since that and write response maps to specific writers for those k8s types.

[christopherhein]

@alvaroaleman any chance you'd have some time to review this? 🙏

[DirectXMan12]

this is maybe more dangerous that it might seem? What if a new field is added to v1beta1 that's actually different than v1 (they're not guarnateed to be the same, just round-trippable). We could end up making a decision on bad data, right?

I suppose for new named fields this is the same as operating on old types against a new apiserver.

If v1 and v1beta1 both introduced a field called foo with different types though, this would just break entirely.

Is v1beta1 deprecated? May be worth commenting, cause that makes the chances of that happening much less.

[christopherhein]

v1beta1 is deprecated in 1.19 as per - https://github.com/kubernetes/api/blob/master/authentication/v1beta1/types.go#L25-L31 currently it looks like v1 and v1beta1 are in parity. Given it's deprecated I assume that means we can support this with the expectation that v1beta1 shouldn't chnage, right?

If so I can add a note to the comment above. A lot of this was carried over from the Admissions webhook, even this comment tbh.

[christopherhein]

For now I've added a comment, mentioning that v1beta1 is deprecated as of 1.19 and will be removed in 1.22 per the v1.22 deprecation guide - https://kubernetes.io/docs/reference/using-api/deprecation-guide/#tokenreview-v122

[alvaroaleman]

Sorry for the delay in reviewing, I have a lot on my plate right now and this is a pretty big PR :) I am also not very familiar with the existing webhook code, so apologies if I am criticizing something you got from there.

[alvaroaleman]

We need to close the body if its non-nil

[christopherhein]

#1440 (comment)

[alvaroaleman]

From the godocs of net/http.Request:

 For server requests, the Request Body is always non-nil
	// but will return EOF immediately when no body is present.

So this doesn't need to be an else but simply at the top level after the r.Body != nil and check for the length of var body instead

[christopherhein]

This is another carryover from the admission package. https://github.com/kubernetes-sigs/controller-runtime/blob/master/pkg/webhook/admission/http.go#L53-L67

That being said since we're not actually checking the HTTP Method, I believe this is what this block is meant to confirm that this isn't a GET, but I could have also understood the goals of it.

[christopherhein]

Do you think I should remove this?

[christopherhein]

I've switched around the way this is handled, the first check r.Body == nil now checks if it's a request that doesn't support a body, like a Get and fails out then we go on to reading the body.

[alvaroaleman]

Is this check needed? Deserialization will fail if its not json or not?

[christopherhein]

This was carried over from the admission package. https://github.com/kubernetes-sigs/controller-runtime/blob/master/pkg/webhook/admission/http.go#L69-L77 I'd guess this is to give a bit more visibility into what actually went wrong in the request. Should I remove it?

[christopherhein]

So I guess that isn't what happens, the decoder doesn't seem to check what the actual headers are. If you don't have this check and the body is valid the request could be successful or could fail other places.

[DirectXMan12]

you get better errors this way too -- if you try to deserialize proto as json, for instance, you just end up with a really confusing error, whereas if you explicitly check content-type, you can provide a better error (plus, it's more correct, and like maybe theoretically avoids weird behavior where some blob of non-json looks enough like json to be deserialized, but is subtly wrong).

[christopherhein]

/test pull-controller-runtime-test-master

[christopherhein]

@alvaroaleman this should be all updated.

[DirectXMan12]

[christopherhein]

so unacceptable 😝

[DirectXMan12]

/lgtm
/approve

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: christopherhein, DirectXMan12

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [DirectXMan12]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[christopherhein]

/test pull-controller-runtime-test-master