Comments (6)
dlemel8
commented on September 1, 2024
Hey @adamwg , I want to do this.
Can you guide me a bit?
Thanks.
from clusterlint.
adamwg
commented on September 1, 2024
@dlemel8 Absolutely!
You can start by taking a look at the admission-controller-webhook-timeout check that we currently have in the doks group. I think it already implements the basic logic we would want for a timeout check in the basic group, so a first step would be to move it to the basic/ directory, and add basic to the list of groups it's registered in. (It should also stay in the doks group, since it is a DOKS pre-upgrade check.) The wording in the check diagnostics will need an update to be more generic.
I think there are at least two other checks that could be implemented in the basic group. These are both currently covered by the admission-controller-webhook-replacement check in the doks group, but should be broken out into their own checks:
- Checking that a webhook won't block its own service from running.
- Checking that a webhook doesn't apply to the
kube-systemnamespace.
If those conditions are broken out into their own checks, they could be added to the doks group as well, and we could make the larger existing check smaller.
from clusterlint.
dlemel8
commented on September 1, 2024
@adamwg great, thanks!
I will start working on it soon :)
from clusterlint.
dlemel8
commented on September 1, 2024
@adamwg just to make sure I understand correctly (regarding to admission-controller-webhook-replacement refactoring):
- currently the code will generate a diagnose only if the webhook is applied to system namespace and one of two is true:
** this is also the namespace of the webhook service
** this is not the namespace of the webhook service but the number of nodes is 1
do we want to just extract this logic to a new check or do we want to create stricter checks (for example create a diagnose if the webhook is applied to system namespace without any condition)? - currently the code contains 5 checks that must all fail to generate a diagnose. if we remove some of them (for example the system namespace one) we will weaken the overall check and will generate a diagnose on a service that today is ok. is that what you meant?
from clusterlint.
adamwg
commented on September 1, 2024
@dlemel8 Sorry for the delay getting back to you on this.
I think for the new check(s) in the basic group. we want to omit some of the existing conditions. The checks I'm proposing are based on the upstream guidance around webhook configurations, so they should be quite strict and would generate warnings for some configurations that are currently considered OK.
from clusterlint.
dlemel8
commented on September 1, 2024
@adamwg OK, that's answer my question about the new checks on basic group.
What about the question about the current admission-controller-webhook-replacement ?
if we remove some of its conditions we will warn about a service that now is OK
from clusterlint.
Related Issues (20)
- Cluster upgrade issue with cert manager HOT 8
- Cluster linter messages point to missing docs section HOT 5
- Check if pods referencing dobs volumes are owned by a statefulset
- Pods referencing DOBS volumes don't support Rolling deployments HOT 4
- Missing doc on warn Pod referencing dobs volumes must be owned by statefulset HOT 8
- Warn about containers pulling from docker.pkg.github.com
- False positives for "volumes must be owned by statefulset" and "fully qualified image name"? HOT 1
- false positive for webhooks with TimeoutSeconds value greater than 29s HOT 2
- Fatal error when building clusterlint on Go 1.17 HOT 1
- Running the tool in-cluster ? HOT 1
- upgrade to 1.22.7-do.0, incompatible ingress not detected
- Official Docker image ?
- No version number provided
- should be able to retrieve storageClassName from annotation
- Webhook with a timeoutSeconds greater than 29 seconds will block upgrades? HOT 8
- Admission control webhook check should check apiGroups HOT 4
- admission-controller-webhook-replacement check needs more details HOT 4
- Add a check for cronjobs with a concurrencyPolicy of Allow HOT 2
- Add resource requirements check to doks group HOT 3
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from clusterlint.