K
Q

How does kubernetes chain its admission webhooks?

9/13/2021

I'm currently writing a custom admission webhook to accept/deny at the creation of a CRD that I defined.
My main purpose is to ensure the creation of this resource won't go beyond a certain quota but with some custom logic around it.
I can do this easily with an atomic counter on the custom webhook.

The thing is I'm not sure what happens with that custom admission if another webhook would fail just after (making my "customRessourceQuota" out of sync as it will be incremented by 1 but no resource has booted).

So my question is how do K8s chains its admission webhooks?

  • Does custom ones are the ending ones?
  • Can we adjust the order ourselves?
  • Should I use another mechanism of K8s to make my own quota?

PS: I've looked into the ResourceQuota calculator code but didn't find a good answer to this neither

-- Otor
kubernetes

Similar Questions

Why are my pod template config maps not appearing in my Kubernetes plugin configurations?
Why does the pod is running on the master nodes?
How to assign an IP to istio-ingressgateway on localhost?
How to mount multiple files / secrets into common directory in kubernetes?
Http Read timeouts on query calls to Elastic Search cluster

1 Answer

9/13/2021

Mutating webhooks all run in a functionally random order, then validating webhooks all run concurrently after that.

-- coderanger
Source: StackOverflow