Fix admission for decoding for unstructured

DirectXMan12 · DirectXMan12 · commit 107c8e98f577 · 2019-02-21T14:43:54.000-08:00
Due to a weird interaction between the unstructured decoder (which
demands APIVersion and Kind fields) and the API server (which fails to
set those fields on the embedded object in admission requests), we can't
use the normal decoders, nor can we call json.Unmarshal directly on the
unstructured (since it implements an unmarshaller that calls back into
the decoder).

This detects unstructured objects, and does the right thing for them.
diff --git a/pkg/webhook/admission/decode.go b/pkg/webhook/admission/decode.go
@@ -17,8 +17,10 @@ limitations under the License.
 package admission
 
 import (
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/runtime/serializer"
+	"k8s.io/apimachinery/pkg/util/json"
 )
 
 // Decoder knows how to decode the contents of an admission
@@ -34,6 +36,22 @@ func NewDecoder(scheme *runtime.Scheme) (*Decoder, error) {
 
 // Decode decodes the inlined object in the AdmissionRequest into the passed-in runtime.Object.
 func (d *Decoder) Decode(req Request, into runtime.Object) error {
+	// NB(directxman12): there's a bug/weird interaction between decoders and
+	// the API server where the API server doesn't send a GVK on the embedded
+	// objects, which means the unstructured decoder refuses to decode.  It
+	// also means we can't pass the unstructured directly in, since it'll try
+	// and call unstructured's special Unmarshal implementation, which calls
+	// back into that same decoder :-/
+	// See kubernetes/kubernetes#74373.
+	if unstructuredInto, isUnstructured := into.(*unstructured.Unstructured); isUnstructured {
+		// unmarshal into unstructured's underlying object to avoid calling the decoder
+		if err := json.Unmarshal(req.Object.Raw, &unstructuredInto.Object); err != nil {
+			return err
+		}
+
+		return nil
+	}
+
 	deserializer := d.codecs.UniversalDeserializer()
 	return runtime.DecodeInto(deserializer, req.AdmissionRequest.Object.Raw, into)
 }
diff --git a/pkg/webhook/admission/decode_test.go b/pkg/webhook/admission/decode_test.go
@@ -23,6 +23,7 @@ import (
 	admissionv1beta1 "k8s.io/api/admission/v1beta1"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/client-go/kubernetes/scheme"
 )
@@ -87,4 +88,16 @@ var _ = Describe("Admission Webhook Decoder", func() {
 		By("trying to extract a pod into a node")
 		Expect(decoder.Decode(req, &corev1.Node{})).NotTo(Succeed())
 	})
+
+	It("should be able to decode into an unstructured object", func() {
+		By("decoding into an unstructured object")
+		var target unstructured.Unstructured
+		Expect(decoder.Decode(req, &target)).To(Succeed())
+
+		By("sanity-checking the metadata on the output object")
+		Expect(target.Object["metadata"]).To(Equal(map[string]interface{}{
+			"name":      "foo",
+			"namespace": "default",
+		}))
+	})
 })
