Posted to notifications@apisix.apache.org by GitBox <gi...@apache.org> on 2021/02/05 09:40:34 UTC

[GitHub] [apisix-ingress-controller] tokers opened a new issue #244: Implement the admission server

tokers opened a new issue #244:
URL: https://github.com/apache/apisix-ingress-controller/issues/244


   We should implement an admission server in the apisix ingress controller to validate configurations like plugins. But for now, we don't have a way to validate each plugin unless we have the JSON schema data.


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



[GitHub] [apisix-ingress-controller] fgksgf commented on issue #244: Implement the admission server

Posted by GitBox <gi...@apache.org>.
fgksgf commented on issue #244:
URL: https://github.com/apache/apisix-ingress-controller/issues/244#issuecomment-868970825


   I did some research and found three ways to implement this:
   
   1. The hand-crafted solution: implement the server with `net/http` or `gin`, verbose and time-consuming, but most flexible.
   2. [openshift/generic-admission-server](https://github.com/openshift/generic-admission-server): it is simpler to set up but more opinionated (e.g. you can’t select the server framework). It is worth noting that the framework uses TLS authentication and authorization mechanisms which are built into the Kubernetes aggregated API server library, which means that webhooks are secure by default. Using this library allows you to avoid the complication of creating and maintaining a client key and certificate for each webhook server; you only need to maintain a server key and certificate for each webhook server. And by using this library your webhook will also perform authorization which uses Kubernetes' own SubjectAccessReview and RBAC mechanisms.
   3. [kubewebhook](https://github.com/slok/kubewebhook): the setup code at the beginning is longer, but writing the actual business logic is much easier. More flexible than `openshift/generic-admission-server`.
   
   Reference: https://banzaicloud.com/blog/slok-webhook/
   
   Could you give some advice on which way I should take? Thanks.
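
The decision logic that any of the three options above ends up wrapping, as an added example that is not part of the original thread or the project's code: it takes an `admission.k8s.io/v1` AdmissionReview body, checks plugin configuration, and denies whatever it cannot verify. The `spec.http[].plugins[]` object shape and the `required` table (a constructed stand-in for per-plugin JSON schema data) are assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
)
// Response is the "response" half of an AdmissionReview (local subset, stdlib only).
type Response struct {
	UID     string            `json:"uid"`
	Allowed bool              `json:"allowed"`
	Status  map[string]string `json:"status,omitempty"`
}
type Plugin struct {
	Name   string                 `json:"name"`
	Config map[string]interface{} `json:"config"`
}
// Constructed stand-in for per-plugin JSON schema data: required config keys.
var required = map[string][]string{"limit-count": {"count", "time_window"}}

// Decide fails closed: an unparsable review or a plugin without schema data is denied.
func Decide(body []byte) Response {
	// Request half; assumed object shape, field names match JSON keys case-insensitively.
	var in struct {
		Request *struct {
			UID    string
			Object struct{ Spec struct{ HTTP []struct{ Plugins []Plugin } } }
		}
	}
	if json.Unmarshal(body, &in) != nil || in.Request == nil {
		return Response{Status: map[string]string{"message": "malformed AdmissionReview"}}
	}
	deny := func(msg string) Response { return Response{UID: in.Request.UID, Status: map[string]string{"message": msg}} }
	for _, h := range in.Request.Object.Spec.HTTP {
		for _, p := range h.Plugins {
			keys, known := required[p.Name]
			if !known {
				return deny("no schema data for plugin " + p.Name)
			}
			for _, k := range keys {
				if _, ok := p.Config[k]; !ok {
					return deny(p.Name + ": missing required field " + k)
				}
			}
		}
	}
	return Response{UID: in.Request.UID, Allowed: true} // uid echoes the request
}

func main() { // constructed request: limit-count lacks time_window, so it is denied
	fmt.Println(Decide([]byte(`{"request":{"uid":"u1","object":{"spec":{"http":[{"plugins":[{"name":"limit-count","config":{"count":2}}]}]}}}}`)))
}
```

A `net/http`, gin or kubewebhook handler would read the request body, call `Decide`, and write the result back as the `response` field of an AdmissionReview over TLS.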





[GitHub] [apisix-ingress-controller] tokers commented on issue #244: Implement the admission server

Posted by GitBox <gi...@apache.org>.
tokers commented on issue #244:
URL: https://github.com/apache/apisix-ingress-controller/issues/244#issuecomment-869116784


   > kubewebhook: the setup code at the beginning is longer, but writing the actual business logic is much easier. More flexible than openshift/generic-admission-server.
   
   It's not a problem as we already have an HTTP server managed by go-gin.





[GitHub] [apisix-ingress-controller] tokers commented on issue #244: Implement the admission server

Posted by GitBox <gi...@apache.org>.
tokers commented on issue #244:
URL: https://github.com/apache/apisix-ingress-controller/issues/244#issuecomment-869116626


   > I did some research and found three ways to implement this:
   > 
   > 1. The hand-crafted solution: implement the server with `net/http` or `gin`, verbose and time-consuming, but most flexible.
   > 2. [openshift/generic-admission-server](https://github.com/openshift/generic-admission-server): it is simpler to set up but more opinionated (e.g. you can’t select the server framework). It is worth noting that the framework uses TLS authentication and authorization mechanisms which are built into the Kubernetes aggregated API server library, which means that webhooks are secure by default. Using this library allows you to avoid the complication of creating and maintaining a client key and certificate for each webhook server; you only need to maintain a server key and certificate for each webhook server. And by using this library your webhook will also perform authorization which uses Kubernetes' own SubjectAccessReview and RBAC mechanisms.
   > 3. [kubewebhook](https://github.com/slok/kubewebhook): the setup code at the beginning is longer, but writing the actual business logic is much easier. More flexible than `openshift/generic-admission-server`.
   > 
   > Reference: https://banzaicloud.com/blog/slok-webhook/
   > 
   > Could you give some advice on which way I should take? Thanks.
   
   I looked through these two packages. I like the features provided by kubewebhook, like the metrics integration, and I'd like to vote for it. BTW, do you know which admission server frameworks are used by other famous ingress controllers or service mesh control planes?





[GitHub] [apisix-ingress-controller] fgksgf commented on issue #244: Implement the admission server

Posted by GitBox <gi...@apache.org>.
fgksgf commented on issue #244:
URL: https://github.com/apache/apisix-ingress-controller/issues/244#issuecomment-869127924


   > I looked through these two packages. I like the features provided by kubewebhook, like the metrics integration, and I'd like to vote for it.
   
   Ok, I will use it.
   
   > BTW, do you know which admission server frameworks are used by other famous ingress controllers or service mesh control planes?
   
   I just looked through the `go.mod` files of the ingress controllers mentioned in [this file](https://docs.google.com/spreadsheets/d/191WWNpjJ2za6-nbG4ZoUMXMpUK8KlCIosvQB0f-oq3k/edit?ts=5fd6c769#gid=907731238) and found that neither of these frameworks is being used.





[GitHub] [apisix-ingress-controller] tao12345666333 commented on issue #244: Implement the admission server

Posted by GitBox <gi...@apache.org>.
tao12345666333 commented on issue #244:
URL: https://github.com/apache/apisix-ingress-controller/issues/244#issuecomment-972730649


    This feature has been implemented in #573, and I will close this issue. Feel free to reopen it if you have any questions.





[GitHub] [apisix-ingress-controller] fgksgf commented on issue #244: Implement the admission server

Posted by GitBox <gi...@apache.org>.
fgksgf commented on issue #244:
URL: https://github.com/apache/apisix-ingress-controller/issues/244#issuecomment-864544794


   I'm working on this, assign it to me, please.





[GitHub] [apisix-ingress-controller] tao12345666333 closed issue #244: Implement the admission server

Posted by GitBox <gi...@apache.org>.
tao12345666333 closed issue #244:
URL: https://github.com/apache/apisix-ingress-controller/issues/244


   

