Posted to reviews@yunikorn.apache.org by GitBox <gi...@apache.org> on 2022/09/29 14:09:17 UTC

[GitHub] [yunikorn-k8shim] pbacsko opened a new pull request, #467: [YUNIKORN-1338] [admission] support different kind of workloads other than pods

pbacsko opened a new pull request, #467:
URL: https://github.com/apache/yunikorn-k8shim/pull/467

   ### What is this PR for?
   Handle non-pod workloads in the admission controller.
   
   ### What type of PR is it?
   * [ ] - Bug Fix
   * [x] - Improvement
   * [ ] - Feature
   * [ ] - Documentation
   * [ ] - Hot Fix
   * [ ] - Refactoring
   
   ### Todos
   * [ ] - Task
   
   ### What is the Jira issue?
   https://issues.apache.org/jira/browse/YUNIKORN-1338
   
   ### How should this be tested?
   
   ### Screenshots (if appropriate)
   
   ### Questions:
   * [ ] - The license files need an update.
   * [ ] - There are breaking changes for older versions.
   * [ ] - It needs documentation.
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: reviews-unsubscribe@yunikorn.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


[GitHub] [yunikorn-k8shim] pbacsko commented on a diff in pull request #467: [YUNIKORN-1338] [admission] support different kind of workloads other than pods

Posted by GitBox <gi...@apache.org>.
pbacsko commented on code in PR #467:
URL: https://github.com/apache/yunikorn-k8shim/pull/467#discussion_r988861320


##########
pkg/plugin/admissioncontrollers/webhook/annotation/usergroup.go:
##########
@@ -0,0 +1,167 @@
+/*
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements.  See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership.  The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License.  You may obtain a copy of the License at
+
+     http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+*/
+
+package annotation

Review Comment:
   Moved



##########
pkg/plugin/admissioncontrollers/webhook/annotation/usergroup_test.go:
##########
@@ -0,0 +1,249 @@
+/*
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements.  See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership.  The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License.  You may obtain a copy of the License at
+
+     http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+*/
+
+package annotation

Review Comment:
   Moved from "main"





[GitHub] [yunikorn-k8shim] wilfred-s commented on a diff in pull request #467: [YUNIKORN-1338] [admission] support different kind of workloads other than pods

Posted by GitBox <gi...@apache.org>.
wilfred-s commented on code in PR #467:
URL: https://github.com/apache/yunikorn-k8shim/pull/467#discussion_r1018564520


##########
pkg/plugin/admissioncontrollers/webhook/annotation/usergroup.go:
##########
@@ -0,0 +1,167 @@
+/*
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements.  See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership.  The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License.  You may obtain a copy of the License at
+
+     http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+*/
+
+package annotation

Review Comment:
   moving it to its own package makes it nice and clear





[GitHub] [yunikorn-k8shim] pbacsko commented on a diff in pull request #467: [YUNIKORN-1338] [admission] support different kind of workloads other than pods

Posted by GitBox <gi...@apache.org>.
pbacsko commented on code in PR #467:
URL: https://github.com/apache/yunikorn-k8shim/pull/467#discussion_r990112163


##########
pkg/plugin/admissioncontrollers/webhook/admission_controller.go:
##########
@@ -294,6 +294,41 @@ func (c *admissionController) mutate(req *admissionv1.AdmissionRequest) *admissi
 	return admissionResponseBuilder(uid, true, "", patchBytes)
 }
 
+func (c *admissionController) processWorkload(req *admissionv1.AdmissionRequest) *admissionv1.AdmissionResponse {
+	var uid = string(req.UID)
+	requestKind := req.Kind.Kind
+
+	annotations, supported, err := c.annotationHandler.GetAnnotationsFromRequestKind(requestKind, req)
+	if !supported {
+		// Unknown request kind - pass
+		return admissionResponseBuilder(uid, true, "", nil)
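
Review bot: The `!supported` branch in `processWorkload` admits the request without recording anything, so the admission controller log gives no trace of which kinds skipped the user info annotation check. A debug-level log line carrying `requestKind`, placed before `return admissionResponseBuilder(uid, true, "", nil)`, would make this pass-through visible to operators.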

Review Comment:
   Yes, workloads of unsupported type are let through. That is the original behavior; there is a scenario for it in `TestMutate()`





[GitHub] [yunikorn-k8shim] pbacsko commented on a diff in pull request #467: [YUNIKORN-1338] [admission] support different kind of workloads other than pods

Posted by GitBox <gi...@apache.org>.
pbacsko commented on code in PR #467:
URL: https://github.com/apache/yunikorn-k8shim/pull/467#discussion_r990116502


##########
pkg/plugin/admissioncontrollers/webhook/admission_controller.go:
##########
@@ -294,6 +294,41 @@ func (c *admissionController) mutate(req *admissionv1.AdmissionRequest) *admissi
 	return admissionResponseBuilder(uid, true, "", patchBytes)
 }
 
+func (c *admissionController) processWorkload(req *admissionv1.AdmissionRequest) *admissionv1.AdmissionResponse {
+	var uid = string(req.UID)
+	requestKind := req.Kind.Kind
+
+	annotations, supported, err := c.annotationHandler.GetAnnotationsFromRequestKind(requestKind, req)
+	if !supported {
+		// Unknown request kind - pass
+		return admissionResponseBuilder(uid, true, "", nil)
+	}
+	if err != nil {
+		return admissionResponseBuilder(uid, false, err.Error(), nil)
+	}
+
+	if annotation, ok := annotations[userInfoAnnotation]; ok && !c.bypassAuth {
+		userName := req.UserInfo.Username
+		groups := req.UserInfo.Groups
+
+		if allowed := c.annotationHandler.IsAnnotationAllowed(userName, groups); !allowed {
+			errMsg := fmt.Sprintf("user %s with groups [%s] is not allowed to set user annotation", userName,
+				strings.Join(groups, ","))
+			log.Logger().Error("user info validation failed - submitter is not allowed to set user annotation",
+				zap.String("user", userName),
+				zap.Strings("groups", groups))
+			return admissionResponseBuilder(uid, false, errMsg, nil)
+		}
+
+		if err := c.annotationHandler.IsAnnotationValid(annotation); err != nil {
+			log.Logger().Error("invalid user info annotation", zap.Error(err))
+			return admissionResponseBuilder(uid, false, err.Error(), nil)
+		}
+	}
+
+	return admissionResponseBuilder(uid, true, "", nil)
+}
+
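
Review bot: In `processWorkload`, the condition `ok && !c.bypassAuth` guards both `IsAnnotationAllowed` and `IsAnnotationValid`, so with `bypassAuth` set a malformed user info annotation is admitted unchecked. If the bypass is only meant to skip the submitter check, move the `IsAnnotationValid` call out of the `!c.bypassAuth` condition; if skipping both is intended, state that in a comment on the function.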

Review Comment:
   Done





[GitHub] [yunikorn-k8shim] pbacsko commented on a diff in pull request #467: [YUNIKORN-1338] [admission] support different kind of workloads other than pods

Posted by GitBox <gi...@apache.org>.
pbacsko commented on code in PR #467:
URL: https://github.com/apache/yunikorn-k8shim/pull/467#discussion_r1017555822


##########
pkg/plugin/admissioncontrollers/webhook/annotation/usergroup.go:
##########
@@ -0,0 +1,167 @@
+/*
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements.  See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership.  The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License.  You may obtain a copy of the License at
+
+     http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+*/
+
+package annotation

Review Comment:
   Update: I'm no longer sure that this is necessary, maybe we can do this some time later





[GitHub] [yunikorn-k8shim] pbacsko commented on a diff in pull request #467: [YUNIKORN-1338] [admission] support different kind of workloads other than pods

Posted by GitBox <gi...@apache.org>.
pbacsko commented on code in PR #467:
URL: https://github.com/apache/yunikorn-k8shim/pull/467#discussion_r988861936


##########
pkg/plugin/admissioncontrollers/webhook/annotation/usergroup.go:
##########
@@ -0,0 +1,167 @@
+/*
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements.  See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership.  The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License.  You may obtain a copy of the License at
+
+     http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+*/
+
+package annotation
+
+import (
+	"encoding/json"
+	"regexp"
+	"strings"
+
+	"go.uber.org/zap"
+	admissionv1 "k8s.io/api/admission/v1"
+	appsv1 "k8s.io/api/apps/v1"
+	batchv1 "k8s.io/api/batch/v1"
+	batchv1Beta "k8s.io/api/batch/v1beta1"
+
+	"github.com/apache/yunikorn-k8shim/pkg/log"
+	"github.com/apache/yunikorn-scheduler-interface/lib/go/si"
+)
+
+type UserGroupAnnotationHandler struct {
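
Review bot: The exported type `UserGroupAnnotationHandler` is declared without a doc comment. Now that it is part of the `annotation` package's public surface, add a comment starting with the type name that says what the handler is responsible for.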

Review Comment:
   Changes visibilities and type to "struct" for a better modular design.





[GitHub] [yunikorn-k8shim] codecov[bot] commented on pull request #467: [YUNIKORN-1338] [admission] support different kind of workloads other than pods

Posted by GitBox <gi...@apache.org>.
codecov[bot] commented on PR #467:
URL: https://github.com/apache/yunikorn-k8shim/pull/467#issuecomment-1262355390

   # [Codecov](https://codecov.io/gh/apache/yunikorn-k8shim/pull/467?src=pr&el=h1&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation) Report
   > Merging [#467](https://codecov.io/gh/apache/yunikorn-k8shim/pull/467?src=pr&el=desc&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation) (c835f54) into [master](https://codecov.io/gh/apache/yunikorn-k8shim/commit/244a28f3175b5d4a1c314aa621a45cc9010bca4a?el=desc&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation) (244a28f) will **increase** coverage by `0.74%`.
   > The diff coverage is `83.33%`.
   
   ```diff
   @@            Coverage Diff             @@
   ##           master     #467      +/-   ##
   ==========================================
   + Coverage   67.00%   67.74%   +0.74%     
   ==========================================
     Files          41       43       +2     
     Lines        6767     6960     +193     
   ==========================================
   + Hits         4534     4715     +181     
   - Misses       2062     2068       +6     
   - Partials      171      177       +6     
   ```
   
   
   | [Impacted Files](https://codecov.io/gh/apache/yunikorn-k8shim/pull/467?src=pr&el=tree&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation) | Coverage Δ | |
   |---|---|---|
   | [...g/plugin/admissioncontrollers/webhook/workloads.go](https://codecov.io/gh/apache/yunikorn-k8shim/pull/467/diff?src=pr&el=tree&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation#diff-cGtnL3BsdWdpbi9hZG1pc3Npb25jb250cm9sbGVycy93ZWJob29rL3dvcmtsb2Fkcy5nbw==) | `63.26% <63.26%> (ø)` | |
   | [...missioncontrollers/webhook/admission\_controller.go](https://codecov.io/gh/apache/yunikorn-k8shim/pull/467/diff?src=pr&el=tree&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation#diff-cGtnL3BsdWdpbi9hZG1pc3Npb25jb250cm9sbGVycy93ZWJob29rL2FkbWlzc2lvbl9jb250cm9sbGVyLmdv) | `67.07% <78.26%> (+2.89%)` | :arrow_up: |
   | [pkg/plugin/admissioncontrollers/webhook/webhook.go](https://codecov.io/gh/apache/yunikorn-k8shim/pull/467/diff?src=pr&el=tree&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation#diff-cGtnL3BsdWdpbi9hZG1pc3Npb25jb250cm9sbGVycy93ZWJob29rL3dlYmhvb2suZ28=) | `40.00% <93.15%> (+40.00%)` | :arrow_up: |
   | [...g/plugin/admissioncontrollers/webhook/usergroup.go](https://codecov.io/gh/apache/yunikorn-k8shim/pull/467/diff?src=pr&el=tree&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation#diff-cGtnL3BsdWdpbi9hZG1pc3Npb25jb250cm9sbGVycy93ZWJob29rL3VzZXJncm91cC5nbw==) | `100.00% <100.00%> (ø)` | |
   | [pkg/dispatcher/dispatcher.go](https://codecov.io/gh/apache/yunikorn-k8shim/pull/467/diff?src=pr&el=tree&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation#diff-cGtnL2Rpc3BhdGNoZXIvZGlzcGF0Y2hlci5nbw==) | `74.82% <0.00%> (-1.40%)` | :arrow_down: |
   
   




[GitHub] [yunikorn-k8shim] pbacsko commented on a diff in pull request #467: [YUNIKORN-1338] [admission] support different kind of workloads other than pods

Posted by GitBox <gi...@apache.org>.
pbacsko commented on code in PR #467:
URL: https://github.com/apache/yunikorn-k8shim/pull/467#discussion_r990112163


##########
pkg/plugin/admissioncontrollers/webhook/admission_controller.go:
##########
@@ -294,6 +294,41 @@ func (c *admissionController) mutate(req *admissionv1.AdmissionRequest) *admissi
 	return admissionResponseBuilder(uid, true, "", patchBytes)
 }
 
+func (c *admissionController) processWorkload(req *admissionv1.AdmissionRequest) *admissionv1.AdmissionResponse {
+	var uid = string(req.UID)
+	requestKind := req.Kind.Kind
+
+	annotations, supported, err := c.annotationHandler.GetAnnotationsFromRequestKind(requestKind, req)
+	if !supported {
+		// Unknown request kind - pass
+		return admissionResponseBuilder(uid, true, "", nil)

Review Comment:
   Yes, workloads of unsupported type are let through. That is the original behavior.





[GitHub] [yunikorn-k8shim] wilfred-s closed pull request #467: [YUNIKORN-1338] [admission] support different kind of workloads other than pods

Posted by GitBox <gi...@apache.org>.
wilfred-s closed pull request #467: [YUNIKORN-1338] [admission] support different kind of workloads other than pods
URL: https://github.com/apache/yunikorn-k8shim/pull/467




[GitHub] [yunikorn-k8shim] pbacsko commented on a diff in pull request #467: [YUNIKORN-1338] [admission] support different kind of workloads other than pods

Posted by GitBox <gi...@apache.org>.
pbacsko commented on code in PR #467:
URL: https://github.com/apache/yunikorn-k8shim/pull/467#discussion_r988861320


##########
pkg/plugin/admissioncontrollers/webhook/annotation/usergroup.go:
##########
@@ -0,0 +1,167 @@
+/*
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements.  See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership.  The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License.  You may obtain a copy of the License at
+
+     http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+*/
+
+package annotation

Review Comment:
   Moved from "main"





[GitHub] [yunikorn-k8shim] pbacsko commented on a diff in pull request #467: [YUNIKORN-1338] [admission] support different kind of workloads other than pods

Posted by GitBox <gi...@apache.org>.
pbacsko commented on code in PR #467:
URL: https://github.com/apache/yunikorn-k8shim/pull/467#discussion_r988861936


##########
pkg/plugin/admissioncontrollers/webhook/annotation/usergroup.go:
##########
@@ -0,0 +1,167 @@
+/*
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements.  See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership.  The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License.  You may obtain a copy of the License at
+
+     http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+*/
+
+package annotation
+
+import (
+	"encoding/json"
+	"regexp"
+	"strings"
+
+	"go.uber.org/zap"
+	admissionv1 "k8s.io/api/admission/v1"
+	appsv1 "k8s.io/api/apps/v1"
+	batchv1 "k8s.io/api/batch/v1"
+	batchv1Beta "k8s.io/api/batch/v1beta1"
+
+	"github.com/apache/yunikorn-k8shim/pkg/log"
+	"github.com/apache/yunikorn-scheduler-interface/lib/go/si"
+)
+
+type UserGroupAnnotationHandler struct {
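
Review bot: The import block pulls in both `batchv1` and `batchv1Beta`, but nothing in the visible lines says which request versions are decoded into which type. A short comment on `UserGroupAnnotationHandler` or next to the `k8s.io/api/batch/v1beta1` import explaining why the beta package is still needed would make it easier to drop later.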

Review Comment:
   Made this struct for a better modular design.





[GitHub] [yunikorn-k8shim] manirajv06 commented on a diff in pull request #467: [YUNIKORN-1338] [admission] support different kind of workloads other than pods

Posted by GitBox <gi...@apache.org>.
manirajv06 commented on code in PR #467:
URL: https://github.com/apache/yunikorn-k8shim/pull/467#discussion_r989964937


##########
pkg/plugin/admissioncontrollers/webhook/admission_controller.go:
##########
@@ -294,6 +294,41 @@ func (c *admissionController) mutate(req *admissionv1.AdmissionRequest) *admissi
 	return admissionResponseBuilder(uid, true, "", patchBytes)
 }
 
+func (c *admissionController) processWorkload(req *admissionv1.AdmissionRequest) *admissionv1.AdmissionResponse {
+	var uid = string(req.UID)
+	requestKind := req.Kind.Kind
+
+	annotations, supported, err := c.annotationHandler.GetAnnotationsFromRequestKind(requestKind, req)
+	if !supported {
+		// Unknown request kind - pass
+		return admissionResponseBuilder(uid, true, "", nil)
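
Review bot: `supported` is tested before `err` here, so any error that `GetAnnotationsFromRequestKind` returns together with `supported == false` is dropped and the request is allowed. Document the return contract on `GetAnnotationsFromRequestKind` (that `err` is only meaningful when `supported` is true), or check `err` first if a failed decode can also report the kind as unsupported.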

Review Comment:
   Is sending back nil error and true correct behaviour? I think GetAnnotationsFromRequestKind() method itself should return unsupported error message when corresponding kind is not supported



##########
pkg/plugin/admissioncontrollers/webhook/admission_controller.go:
##########
@@ -294,6 +294,41 @@ func (c *admissionController) mutate(req *admissionv1.AdmissionRequest) *admissi
 	return admissionResponseBuilder(uid, true, "", patchBytes)
 }
 
+func (c *admissionController) processWorkload(req *admissionv1.AdmissionRequest) *admissionv1.AdmissionResponse {
+	var uid = string(req.UID)
+	requestKind := req.Kind.Kind
+
+	annotations, supported, err := c.annotationHandler.GetAnnotationsFromRequestKind(requestKind, req)
+	if !supported {
+		// Unknown request kind - pass
+		return admissionResponseBuilder(uid, true, "", nil)
+	}
+	if err != nil {
+		return admissionResponseBuilder(uid, false, err.Error(), nil)
+	}
+
+	if annotation, ok := annotations[userInfoAnnotation]; ok && !c.bypassAuth {
+		userName := req.UserInfo.Username
+		groups := req.UserInfo.Groups
+
+		if allowed := c.annotationHandler.IsAnnotationAllowed(userName, groups); !allowed {
+			errMsg := fmt.Sprintf("user %s with groups [%s] is not allowed to set user annotation", userName,
+				strings.Join(groups, ","))
+			log.Logger().Error("user info validation failed - submitter is not allowed to set user annotation",
+				zap.String("user", userName),
+				zap.Strings("groups", groups))
+			return admissionResponseBuilder(uid, false, errMsg, nil)
+		}
+
+		if err := c.annotationHandler.IsAnnotationValid(annotation); err != nil {
+			log.Logger().Error("invalid user info annotation", zap.Error(err))
+			return admissionResponseBuilder(uid, false, err.Error(), nil)
+		}
+	}
+
+	return admissionResponseBuilder(uid, true, "", nil)
+}
+
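
Review bot: The `if err != nil` branch right after `GetAnnotationsFromRequestKind` denies the request without logging, while the two later deny paths both call `log.Logger().Error`. Log the error there as well, with `requestKind` as a field, so a rejected workload can be traced from the admission controller log. `processWorkload` also has no doc comment describing when it allows and when it denies.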

Review Comment:
   I see a lot of commonalities between these two ways of processing request after username and groups info extraction which can be refactored to a common method and this new common method can be used by these two methods.


