kubernetes - ValidatingWebhookConfiguration does not stop pod without annotations being created

I'm trying to build an admission controller to enforce pod annotations on our cluster. I was able to build a webhook service and deploy it. For testing purposes, I'm changing the server code to respond with Allowed: false as a default response to any request but it doesn't stop pods from getting created.

In the logs, I'm seeing the request hit the server but it seems as though the kubeapi-server is not receiving or not adhering to the response.

2021/01/25 02:29:15 &AdmissionResponse{UID:,Allowed:false,Result:&v1.Status{ListMeta:ListMeta{SelfLink:,ResourceVersion:,Continue:,RemainingItemCount:nil,},Status:,Message:,Reason:,Details:nil,Code:0,},Patch:nil,PatchType:nil,AuditAnnotations:map[string]string{},Warnings:[],}

Below are the service deployment file and the validating webhook configuration. Appreciate any ideas/recommendations!

apiVersion: apps/v1
kind: Deployment
metadata:
  name: webhook-server
  namespace: webhook-demo
  labels:
    app: webhook-server
spec:
  replicas: 1
  selector:
    matchLabels:
      app: webhook-server
  template:
    metadata:
      labels:
        app: webhook-server
    spec:
      securityContext:
        runAsNonRoot: true
        runAsUser: 1234
      containers:
        - name: webhook-server
          image: demo/admission-controller-webhook-demo:latest
          imagePullPolicy: Never
          ports:
            - containerPort: 8443
              name: webhook-api
          resources:
            requests:
              cpu: "100m"
              memory: "128M"
            limits:
              cpu: "250m"
              memory: "256M"
          volumeMounts:
            - name: webhook-tls-certs
              mountPath: /run/secrets/tls
              readOnly: true
      volumes:
        - name: webhook-tls-certs
          secret:
            secretName: webhook-server-tls
---
apiVersion: v1
kind: Service
metadata:
  name: webhook-server
  namespace: webhook-demo
spec:
  selector:
    app: webhook-server
  ports:
    - port: 443
      targetPort: webhook-api
---
apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingWebhookConfiguration
metadata:
  name: webhook-server
webhooks:
  - name: webhook-server.webhook-demo.svc
    rules:
      - apiGroups: ["*"]
        apiVersions: ["*"]
        operations: ["CREATE","UPDATE"]
        resources: ["pods","deployments", "replicasets"]
    timeoutSeconds: 5
    clientConfig:
      service:
        name: webhook-server
        namespace: webhook-demo
        path: "/validate"
      caBundle: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0t<truncated>
    sideEffects: None
    admissionReviewVersions: ["v1beta1"]
question from: https://stackoverflow.com/questions/65878271/validatingwebhookconfiguration-does-not-stop-pod-without-annotations-being-creat


1 Reply


I was sending the Admission Response object in the response but the API server actually needs the Admission Review object which encapsulates the admission response and request objects. :facepalm
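As an added example (not the poster's server code), here is the minimal Go logic the accepted answer calls for: decode the AdmissionReview the API server POSTs, decide, and send back the same AdmissionReview envelope (apiVersion and kind echoed, response.uid copied from request.uid) rather than a bare AdmissionResponse. The struct definitions and the Validate function are assumptions written against the admission.k8s.io wire format using only the standard library, so they run without the k8s.io/api module; the required-annotation check stands in for whatever policy the poster's webhook enforces.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Minimal subset of the admission.k8s.io AdmissionReview wire format; an
// assumption mirroring upstream field names, not the k8s.io/api types.
type AdmissionReview struct {
	APIVersion string             `json:"apiVersion"`
	Kind       string             `json:"kind"`
	Request    *AdmissionRequest  `json:"request,omitempty"`
	Response   *AdmissionResponse `json:"response,omitempty"`
}
type AdmissionRequest struct {
	UID    string `json:"uid"`
	Object struct {
		Metadata struct{ Annotations map[string]string `json:"annotations"` } `json:"metadata"`
	} `json:"object"` // only the pod fields this check needs
}
type AdmissionResponse struct {
	UID     string  `json:"uid"`
	Allowed bool    `json:"allowed"`
	Status  *Status `json:"status,omitempty"`
}
type Status struct {
	Code    int32  `json:"code,omitempty"`
	Message string `json:"message,omitempty"`
}

// Validate takes the AdmissionReview body the API server POSTs and returns the
// body to send back: the same envelope (apiVersion/kind) with .response set and
// its uid copied from .request.uid. A bare AdmissionResponse is not recognised.
func Validate(body []byte, requiredAnnotation string) ([]byte, error) {
	var review AdmissionReview
	if err := json.Unmarshal(body, &review); err != nil || review.Request == nil {
		return nil, fmt.Errorf("malformed AdmissionReview (request missing or undecodable): %v", err)
	}
	_, ok := review.Request.Object.Metadata.Annotations[requiredAnnotation]
	resp := &AdmissionResponse{UID: review.Request.UID, Allowed: ok}
	if !ok {
		resp.Status = &Status{Code: 403, Message: "missing required annotation " + requiredAnnotation}
	}
	review.Request, review.Response = nil, resp // echo the envelope, drop the request
	return json.Marshal(review)
}
```

When the response is missing or unrecognisable, the API server treats the webhook call as failed and applies failurePolicy, whose default in admissionregistration.k8s.io/v1beta1 is Ignore, which is why the pod above was still admitted; setting failurePolicy: Fail makes such a mistake visible immediately.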

