alexlebens/external-snapshotter
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge pull request #353 from AndiLi99/AndiLi99/webhook

Browse Source 
Add snapshot webhook build and deployment. Modify controller to label invalid objects.
This commit is contained in:
Kubernetes Prow Robot
2020-08-28 18:51:19 -07:00
committed by GitHub
parent 6838d02ff4 8e8ab7b7c7
commit 4f3b02aaa0
73 changed files with 12821 additions and 21 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
README.md
View File

@@ -6,6 +6,8 @@ The CSI snapshotter is part of Kubernetes implementation of [Container Storage I
The volume snapshot feature supports CSI v1.0 and higher. It was introduced as an Alpha feature in Kubernetes v1.12 and has been promoted to an Beta feature in Kubernetes 1.17.
> :warning: **WARNING**: There is a new validating webhook server which provides tightened validation on snapshot objects. This SHOULD be installed by all users of this feature. More details [below](#validating-webhook).
## Overview
@@ -83,6 +85,22 @@ Install CSI Driver:
* kubectl create -f deploy/kubernetes/csi-snapshotter
* https://github.com/kubernetes-csi/external-snapshotter/tree/master/deploy/kubernetes/csi-snapshotter
### Validating Webhook
The snapshot validating webhook is an HTTP callback which responds to [admission requests](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/). It is part of a larger [plan](https://github.com/kubernetes/enhancements/blob/master/keps/sig-storage/177-volume-snapshot/tighten-validation-webhook-crd.md) to tighten validation for volume snapshot objects. This webhook introduces the [ratcheting validation](https://github.com/kubernetes/enhancements/blob/master/keps/sig-storage/177-volume-snapshot/tighten-validation-webhook-crd.md#backwards-compatibility) mechanism targeting the tighter validation. The cluster admin or Kubernetes distribution admin should install the webhook alongside the snapshot controllers and CRDs.
> :warning: **WARNING**: Cluster admins choosing not to install the webhook server and participate in the phased release process can cause future problems when upgrading from `v1beta1` to `v1` volumesnapshot API, if there are currently persisted objects which fail the new stricter validation. Potential impacts include being unable to delete invalid snapshot objects.
Read more about how to install the example webhook [here](deploy/kubernetes/webhook-example/README.md).
#### Validating Webhook Command Line Options
* `--tls-cert-file`: File containing the x509 Certificate for HTTPS. (CA cert, if any, concatenated after server cert). Required.
* `--tls-private-key-file`: File containing the x509 private key matching --tls-cert-file. Required.
* `--port`: Secure port that the webhook listens on (default 443)
### Snapshot controller command line options
#### Important optional arguments that are highly recommended to be used