From e8f182da1ac7c91c270b53ebba773077a5e99dc2 Mon Sep 17 00:00:00 2001
From: Arko Dasgupta
Date: Thu, 14 Sep 2023 12:06:16 -0700
Subject: [PATCH] Delete gateway api admission server

No longer required, Gateway API has transitioned to CEL based validation https://kubernetes.io/blog/2023/08/29/gateway-api-v0-8/#cel-validation

Signed-off-by: Arko Dasgupta
---
 charts/gateway-helm/crds/gatewayapi-crds.yaml | 282 ------------------
 tools/make/kube.mk | 6 -
 2 files changed, 288 deletions(-)

diff --git a/charts/gateway-helm/crds/gatewayapi-crds.yaml b/charts/gateway-helm/crds/gatewayapi-crds.yaml
index 74c8fd4ef10..582aaeeeaa6 100644
--- a/charts/gateway-helm/crds/gatewayapi-crds.yaml
+++ b/charts/gateway-helm/crds/gatewayapi-crds.yaml
@@ -10774,285 +10774,3 @@ status:
 conditions: null
 storedVersions: null
 ---
-#
-# config/webhook/0-namespace.yaml
-#
-apiVersion: v1
-kind: Namespace
-metadata:
- name: gateway-system
- labels:
- pod-security.kubernetes.io/enforce: restricted
- pod-security.kubernetes.io/audit: restricted
- pod-security.kubernetes.io/warn: restricted
----
-#
-# config/webhook/admission_webhook.yaml
-#
-apiVersion: admissionregistration.k8s.io/v1
-kind: ValidatingWebhookConfiguration
-metadata:
- name: gateway-api-admission
-webhooks:
-- name: validate.gateway.networking.k8s.io
- matchPolicy: Equivalent
- rules:
- - operations: [ "CREATE" , "UPDATE" ]
- apiGroups: [ "gateway.networking.k8s.io" ]
- apiVersions: [ "v1alpha2", "v1beta1" ]
- resources: [ "gateways", "gatewayclasses", "httproutes" ]
- failurePolicy: Fail
- sideEffects: None
- admissionReviewVersions:
- - v1
- clientConfig:
- service:
- name: gateway-api-admission-server
- namespace: gateway-system
- path: "/validate"
----
-apiVersion: v1
-kind: Service
-metadata:
- labels:
- name: gateway-api-webhook-server
- name: gateway-api-admission-server
- namespace: gateway-system
-spec:
- type: ClusterIP
- ports:
- - name: https-webhook
- port: 443
- targetPort: 8443
- selector:
- name: gateway-api-admission-server
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: gateway-api-admission-server
- namespace: gateway-system
- labels:
- name: gateway-api-admission-server
-spec:
- replicas: 1
- selector:
- matchLabels:
- name: gateway-api-admission-server
- template:
- metadata:
- name: gateway-api-admission-server
- labels:
- name: gateway-api-admission-server
- spec:
- containers:
- - name: webhook
- image: registry.k8s.io/gateway-api/admission-server:v0.8.0
- imagePullPolicy: IfNotPresent
- args:
- - -logtostderr
- - --tlsCertFile=/etc/certs/cert
- - --tlsKeyFile=/etc/certs/key
- - -v=10
- - 2>&1
- ports:
- - containerPort: 8443
- name: webhook
- resources:
- limits:
- memory: 50Mi
- cpu: 100m
- requests:
- memory: 50Mi
- cpu: 100m
- volumeMounts:
- - name: webhook-certs
- mountPath: /etc/certs
- readOnly: true
- securityContext:
- allowPrivilegeEscalation: false
- readOnlyRootFilesystem: true
- runAsNonRoot: true
- runAsUser: 65532
- runAsGroup: 65532
- capabilities:
- drop:
- - "ALL"
- seccompProfile:
- type: RuntimeDefault
- volumes:
- - name: webhook-certs
- secret:
- secretName: gateway-api-admission
----
-#
-# config/webhook/certificate_config.yaml
-#
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: gateway-api-admission
- labels:
- name: gateway-api-webhook
- namespace: gateway-system
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: gateway-api-admission
- labels:
- name: gateway-api
-rules:
-- apiGroups:
- - admissionregistration.k8s.io
- resources:
- - validatingwebhookconfigurations
- verbs:
- - get
- - update
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: gateway-api-admission
- annotations:
- labels:
- name: gateway-api-webhook
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: gateway-api-admission
-subjects:
-- kind: ServiceAccount
- name: gateway-api-admission
- namespace: gateway-system
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
- name: gateway-api-admission
- annotations:
- labels:
- name: gateway-api-webhook
- namespace: gateway-system
-rules:
-- apiGroups:
- - ''
- resources:
- - secrets
- verbs:
- - get
- - create
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: gateway-api-admission
- annotations:
- labels:
- name: gateway-api-webhook
- namespace: gateway-system
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: Role
- name: gateway-api-admission
-subjects:
-- kind: ServiceAccount
- name: gateway-api-admission
- namespace: gateway-system
----
-apiVersion: batch/v1
-kind: Job
-metadata:
- name: gateway-api-admission
- annotations:
- labels:
- name: gateway-api-webhook
- namespace: gateway-system
-spec:
- template:
- metadata:
- name: gateway-api-admission-create
- labels:
- name: gateway-api-webhook
- spec:
- containers:
- - name: create
- image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.1.1
- imagePullPolicy: IfNotPresent
- args:
- - create
- - --host=gateway-api-admission-server,gateway-api-admission-server.$(POD_NAMESPACE).svc
- - --namespace=$(POD_NAMESPACE)
- - --secret-name=gateway-api-admission
- env:
- - name: POD_NAMESPACE
- valueFrom:
- fieldRef:
- fieldPath: metadata.namespace
- securityContext:
- allowPrivilegeEscalation: false
- readOnlyRootFilesystem: true
- runAsNonRoot: true
- runAsUser: 2000
- runAsGroup: 2000
- capabilities:
- drop:
- - "ALL"
- seccompProfile:
- type: RuntimeDefault
- restartPolicy: OnFailure
- serviceAccountName: gateway-api-admission
- securityContext:
- runAsNonRoot: true
- runAsUser: 2000
- runAsGroup: 2000
----
-apiVersion: batch/v1
-kind: Job
-metadata:
- name: gateway-api-admission-patch
- labels:
- name: gateway-api-webhook
- namespace: gateway-system
-spec:
- template:
- metadata:
- name: gateway-api-admission-patch
- labels:
- name: gateway-api-webhook
- spec:
- containers:
- - name: patch
- image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.1.1
- imagePullPolicy: IfNotPresent
- args:
- - patch
- - --webhook-name=gateway-api-admission
- - --namespace=$(POD_NAMESPACE)
- - --patch-mutating=false
- - --patch-validating=true
- - --secret-name=gateway-api-admission
- - --patch-failure-policy=Fail
- env:
- - name: POD_NAMESPACE
- valueFrom:
- fieldRef:
- fieldPath: metadata.namespace
- securityContext:
- allowPrivilegeEscalation: false
- readOnlyRootFilesystem: true
- runAsNonRoot: true
- runAsUser: 2000
- runAsGroup: 2000
- capabilities:
- drop:
- - "ALL"
- seccompProfile:
- type: RuntimeDefault
- restartPolicy: OnFailure
- serviceAccountName: gateway-api-admission
- securityContext:
- runAsNonRoot: true
- runAsUser: 2000
- runAsGroup: 2000
diff --git a/tools/make/kube.mk b/tools/make/kube.mk
index 1f71612fecb..3a33c3efeda 100644
--- a/tools/make/kube.mk
+++ b/tools/make/kube.mk
@@ -114,10 +114,8 @@ install-ratelimit:
 .PHONY: run-e2e
 run-e2e: prepare-e2e
 @$(LOG_TARGET)
- kubectl wait --timeout=5m -n gateway-system deployment/gateway-api-admission-server --for=condition=Available
 kubectl wait --timeout=5m -n envoy-gateway-system deployment/envoy-ratelimit --for=condition=Available
 kubectl wait --timeout=5m -n envoy-gateway-system deployment/envoy-gateway --for=condition=Available
- kubectl wait --timeout=5m -n gateway-system job/gateway-api-admission --for=condition=Complete
 kubectl apply -f test/config/gatewayclass.yaml
 go test -v -tags e2e ./test/e2e --gateway-class=envoy-gateway --debug=true
 
@@ -170,9 +168,7 @@ kube-install-image: image.build $(tools/kind) ## Install the EG image to a kind
 .PHONY: run-conformance
 run-conformance: ## Run Gateway API conformance.
 @$(LOG_TARGET)
- kubectl wait --timeout=$(WAIT_TIMEOUT) -n gateway-system deployment/gateway-api-admission-server --for=condition=Available
 kubectl wait --timeout=$(WAIT_TIMEOUT) -n envoy-gateway-system deployment/envoy-gateway --for=condition=Available
- kubectl wait --timeout=$(WAIT_TIMEOUT) -n gateway-system job/gateway-api-admission --for=condition=Complete
 kubectl apply -f test/config/gatewayclass.yaml
 go test -v -tags conformance ./test/conformance --gateway-class=envoy-gateway --debug=true
 
@@ -181,9 +177,7 @@ CONFORMANCE_REPORT_PATH ?=
 .PHONY: run-experimental-conformance
 run-experimental-conformance: ## Run Experimental Gateway API conformance.
 @$(LOG_TARGET)
- kubectl wait --timeout=$(WAIT_TIMEOUT) -n gateway-system deployment/gateway-api-admission-server --for=condition=Available
 kubectl wait --timeout=$(WAIT_TIMEOUT) -n envoy-gateway-system deployment/envoy-gateway --for=condition=Available
- kubectl wait --timeout=$(WAIT_TIMEOUT) -n gateway-system job/gateway-api-admission --for=condition=Complete
 kubectl apply -f test/config/gatewayclass.yaml
 go test -v -tags experimental ./test/conformance -run TestExperimentalConformance --gateway-class=envoy-gateway --debug=true --organization=envoyproxy --project=envoy-gateway --url=https://github.com/envoyproxy/gateway --version=latest --report-output="$(CONFORMANCE_REPORT_PATH)" --contact=https://github.com/envoyproxy/gateway/blob/main/GOVERNANCE.md