Change failurePolicy to "Fail" and add reinvocationPolicy "IfNeeded" #265

Neumann-Nils · 2020-06-22T06:47:06Z

This PR changes two things:

It changes the failurePolicy from Ignore to Fail. I argue that it might be problematic if the Karydia webhook fails silently. It should rather fail and throw an error. Also see FailurePolicy considerations #2

https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#failure-policy
2. It sets the reinvocationPolicy to IfNeeded. Thus, the webhook may be called if the object being admitted is modified by other webhooks after the initial webhook call. For example, if the Karydia webhook is invoked for an object and modifies it, another webhook could modify it later on, then the Karydia webhook should be called again to enforce the security policies.
(For me it seems like this scenario is limited in the number of calls if changes appears on an already mutated object. See kubernetes/enhancements#1049).
https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#reinvocation-policy

Before submitting this PR, please make sure:

Change failurePolicy to "Fail" and add reinvocationPolicy "IfNeeded"

fa441b1

Neumann-Nils requested a review from a team as a code owner June 22, 2020 06:47

Neumann-Nils self-assigned this Jun 22, 2020

gardener-robot-ci-2 added the ci/wanted Required to trigger CI build and test label Jun 22, 2020

gardener-robot-ci-3 removed the ci/wanted Required to trigger CI build and test label Jun 22, 2020

Merge branch 'master' into webhook-policy

9c4ebbb

gardener-robot-ci-3 added the ci/wanted Required to trigger CI build and test label Jun 22, 2020

gardener-robot-ci-2 removed the ci/wanted Required to trigger CI build and test label Jun 22, 2020

Neumann-Nils added the ci/wanted Required to trigger CI build and test label Oct 13, 2020

gardener-robot-ci-2 removed the ci/wanted Required to trigger CI build and test label Oct 13, 2020

Provide feedback