Add a flag to ignore webhook errors. (#19)

Add a `--ignore-errors` flag to ignore failing on webhook errors.
google · Aug 31, 2023 · 275b83a · 275b83a
1 parent 82c7a73
commit 275b83a
Show file tree

Hide file tree

Showing 3 changed files with 38 additions and 8 deletions.
diff --git a/cmd/webhook/webhook.go b/cmd/webhook/webhook.go
@@ -77,6 +77,7 @@ var (
 	metricsAddr         string
 	offline             bool
 	port                int
+	ignoreErrors        bool
 )
 
 func init() {
@@ -88,6 +89,7 @@ func init() {
 	Cmd.Flags().StringVar(&metricsAddr, "metrics-addr", defaultMetricsAddr, "metrics endpoint address")
 	Cmd.Flags().BoolVar(&offline, "offline", false, "do not connect to API server to retrieve imagePullSecrets")
 	Cmd.Flags().IntVar(&port, "port", defaultPort, "webhook server port")
+	Cmd.Flags().BoolVar(&ignoreErrors, "ignore-errors", false, "do not fail on webhook admission errors, just log them")
 }
 
 func run(ctx context.Context) error {
@@ -144,7 +146,7 @@ func run(ctx context.Context) error {
 		close(certSetupFinished)
 	}
 
-	go setupControllers(mgr, log, dryRun, certSetupFinished)
+	go setupControllers(mgr, log, dryRun, ignoreErrors, certSetupFinished)
 
 	log.Info("starting manager")
 	if err := mgr.Start(ctx); err != nil {
@@ -153,7 +155,7 @@ func run(ctx context.Context) error {
 	return nil
 }
 
-func setupControllers(mgr manager.Manager, log logr.Logger, dryRun bool, certSetupFinished chan struct{}) {
+func setupControllers(mgr manager.Manager, log logr.Logger, dryRun bool, ignoreErrors bool, certSetupFinished chan struct{}) {
 	log.Info("waiting for cert rotation setup")
 	<-certSetupFinished
 	log.Info("done waiting for cert rotation setup")
@@ -162,9 +164,10 @@ func setupControllers(mgr manager.Manager, log logr.Logger, dryRun bool, certSet
 		config = mgr.GetConfig()
 	}
 	whh := &handler.Handler{
-		Log:    log.WithName("webhook"),
-		DryRun: dryRun,
-		Config: config,
+		Log:          log.WithName("webhook"),
+		DryRun:       dryRun,
+		IgnoreErrors: ignoreErrors,
+		Config:       config,
 	}
 	mwh := &admission.Webhook{Handler: whh}
 	log.Info("starting webhook server", "path", webhookPath)

diff --git a/pkg/handler/handler.go b/pkg/handler/handler.go
@@ -33,15 +33,17 @@ import (
 const (
 	reasonNoMutationForOperation = "NoMutationForOperation"
 	reasonNoSelfManagement       = "NoSelfManagement"
+	reasonErrorIgnored           = "ErrorIgnored"
 	reasonNotPatched             = "NotPatched"
 	reasonPatched                = "Patched"
 )
 
 // Handler implements admission.Handler
 type Handler struct {
-	Log    logr.Logger
-	DryRun bool
-	Config *rest.Config
+	Log          logr.Logger
+	DryRun       bool
+	IgnoreErrors bool
+	Config       *rest.Config
 }
 
 var resolveImageTags = resolve.ImageTags // override for testing
@@ -97,6 +99,10 @@ func (h *Handler) Handle(ctx context.Context, req admission.Request) admission.R
 }
 
 func (h *Handler) admissionError(err error) admission.Response {
+	if h.IgnoreErrors {
+		h.Log.Error(err, "ignored admission error")
+		return admission.Allowed(reasonErrorIgnored)
+	}
 	h.Log.Error(err, "admission error")
 	return admission.Errored(int32(http.StatusInternalServerError), err)
 }
diff --git a/pkg/handler/handler_test.go b/pkg/handler/handler_test.go
@@ -73,6 +73,27 @@ func Test_Handle_DisallowedOnParseError(t *testing.T) {
 	assertAdmissionError(t, resp)
 }
 
+func Test_Handle_IgnoreError(t *testing.T) {
+	req := admission.Request{
+		AdmissionRequest: admissionv1.AdmissionRequest{
+			Object: runtime.RawExtension{
+				Raw: []byte("\U0001f4a9"),
+			},
+			Operation: admissionv1.Create,
+		},
+	}
+	h := &Handler{
+		Log:          nullLog, // suppress output of expected error
+		IgnoreErrors: true,
+	}
+
+	resp := h.Handle(ctx, req)
+
+	assertAdmissionAllowed(t, resp)
+	assertReason(t, resp, reasonErrorIgnored)
+	assertNoPatches(t, resp)
+}
+
 func Test_Handle_NoMutationOfDigesterNamespaceRequests(t *testing.T) {
 	req := admission.Request{
 		AdmissionRequest: admissionv1.AdmissionRequest{