feat: add crd gen

Signed-off-by: runzexia <runzexia@yunify.com>

vendor/k8s.io/apiserver/pkg/admission/plugin/webhook/config/apis/webhookadmission/doc.go

@@ -0,0 +1,19 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// +k8s:deepcopy-gen=package
+
+package webhookadmission

vendor/k8s.io/apiserver/pkg/admission/plugin/webhook/config/apis/webhookadmission/register.go

@@ -0,0 +1,51 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package webhookadmission
+
+import (
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+var (
+	SchemeBuilder = runtime.NewSchemeBuilder(addKnownTypes)
+	AddToScheme   = SchemeBuilder.AddToScheme
+)
+
+// GroupName is the group name use in this package
+const GroupName = "apiserver.config.k8s.io"
+
+// SchemeGroupVersion is group version used to register these objects
+var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: runtime.APIVersionInternal}
+
+// Kind takes an unqualified kind and returns a Group qualified GroupKind
+func Kind(kind string) schema.GroupKind {
+	return SchemeGroupVersion.WithKind(kind).GroupKind()
+}
+
+// Resource takes an unqualified resource and returns a Group qualified GroupResource
+func Resource(resource string) schema.GroupResource {
+	return SchemeGroupVersion.WithResource(resource).GroupResource()
+}
+
+func addKnownTypes(scheme *runtime.Scheme) error {
+	// TODO this will get cleaned up with the scheme types are fixed
+	scheme.AddKnownTypes(SchemeGroupVersion,
+		&WebhookAdmission{},
+	)
+	return nil
+}

vendor/k8s.io/apiserver/pkg/admission/plugin/webhook/config/apis/webhookadmission/types.go

@@ -0,0 +1,29 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package webhookadmission
+
+import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// WebhookAdmission provides configuration for the webhook admission controller.
+type WebhookAdmission struct {
+	metav1.TypeMeta
+
+	// KubeConfigFile is the path to the kubeconfig file.
+	KubeConfigFile string
+}

vendor/k8s.io/apiserver/pkg/admission/plugin/webhook/config/apis/webhookadmission/v1alpha1/doc.go

@@ -0,0 +1,23 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// +k8s:deepcopy-gen=package
+// +k8s:conversion-gen=k8s.io/apiserver/pkg/admission/plugin/webhook/config/apis/webhookadmission
+// +k8s:defaulter-gen=TypeMeta
+// +groupName=apiserver.config.k8s.io
+
+// Package v1alpha1 is the v1alpha1 version of the API.
+package v1alpha1

vendor/k8s.io/apiserver/pkg/admission/plugin/webhook/config/apis/webhookadmission/v1alpha1/register.go

@@ -0,0 +1,50 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha1
+
+import (
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+// GroupName is the group name use in this package
+const GroupName = "apiserver.config.k8s.io"
+
+// SchemeGroupVersion is group version used to register these objects
+var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1alpha1"}
+
+var (
+	// TODO: move SchemeBuilder with zz_generated.deepcopy.go to k8s.io/api.
+	// localSchemeBuilder and AddToScheme will stay in k8s.io/kubernetes.
+	SchemeBuilder      runtime.SchemeBuilder
+	localSchemeBuilder = &SchemeBuilder
+	AddToScheme        = localSchemeBuilder.AddToScheme
+)
+
+func init() {
+	// We only register manually written functions here. The registration of the
+	// generated functions takes place in the generated files. The separation
+	// makes the code compile even when the generated files are missing.
+	localSchemeBuilder.Register(addKnownTypes)
+}
+
+func addKnownTypes(scheme *runtime.Scheme) error {
+	scheme.AddKnownTypes(SchemeGroupVersion,
+		&WebhookAdmission{},
+	)
+	return nil
+}

vendor/k8s.io/apiserver/pkg/admission/plugin/webhook/config/apis/webhookadmission/v1alpha1/types.go

@@ -0,0 +1,29 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha1
+
+import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// WebhookAdmission provides configuration for the webhook admission controller.
+type WebhookAdmission struct {
+	metav1.TypeMeta `json:",inline"`
+
+	// KubeConfigFile is the path to the kubeconfig file.
+	KubeConfigFile string `json:"kubeConfigFile"`
+}

vendor/k8s.io/apiserver/pkg/admission/plugin/webhook/config/apis/webhookadmission/v1alpha1/zz_generated.conversion.go

@@ -0,0 +1,67 @@
+// +build !ignore_autogenerated
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by conversion-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	conversion "k8s.io/apimachinery/pkg/conversion"
+	runtime "k8s.io/apimachinery/pkg/runtime"
+	webhookadmission "k8s.io/apiserver/pkg/admission/plugin/webhook/config/apis/webhookadmission"
+)
+
+func init() {
+	localSchemeBuilder.Register(RegisterConversions)
+}
+
+// RegisterConversions adds conversion functions to the given scheme.
+// Public to allow building arbitrary schemes.
+func RegisterConversions(s *runtime.Scheme) error {
+	if err := s.AddGeneratedConversionFunc((*WebhookAdmission)(nil), (*webhookadmission.WebhookAdmission)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_v1alpha1_WebhookAdmission_To_webhookadmission_WebhookAdmission(a.(*WebhookAdmission), b.(*webhookadmission.WebhookAdmission), scope)
+	}); err != nil {
+		return err
+	}
+	if err := s.AddGeneratedConversionFunc((*webhookadmission.WebhookAdmission)(nil), (*WebhookAdmission)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_webhookadmission_WebhookAdmission_To_v1alpha1_WebhookAdmission(a.(*webhookadmission.WebhookAdmission), b.(*WebhookAdmission), scope)
+	}); err != nil {
+		return err
+	}
+	return nil
+}
+
+func autoConvert_v1alpha1_WebhookAdmission_To_webhookadmission_WebhookAdmission(in *WebhookAdmission, out *webhookadmission.WebhookAdmission, s conversion.Scope) error {
+	out.KubeConfigFile = in.KubeConfigFile
+	return nil
+}
+
+// Convert_v1alpha1_WebhookAdmission_To_webhookadmission_WebhookAdmission is an autogenerated conversion function.
+func Convert_v1alpha1_WebhookAdmission_To_webhookadmission_WebhookAdmission(in *WebhookAdmission, out *webhookadmission.WebhookAdmission, s conversion.Scope) error {
+	return autoConvert_v1alpha1_WebhookAdmission_To_webhookadmission_WebhookAdmission(in, out, s)
+}
+
+func autoConvert_webhookadmission_WebhookAdmission_To_v1alpha1_WebhookAdmission(in *webhookadmission.WebhookAdmission, out *WebhookAdmission, s conversion.Scope) error {
+	out.KubeConfigFile = in.KubeConfigFile
+	return nil
+}
+
+// Convert_webhookadmission_WebhookAdmission_To_v1alpha1_WebhookAdmission is an autogenerated conversion function.
+func Convert_webhookadmission_WebhookAdmission_To_v1alpha1_WebhookAdmission(in *webhookadmission.WebhookAdmission, out *WebhookAdmission, s conversion.Scope) error {
+	return autoConvert_webhookadmission_WebhookAdmission_To_v1alpha1_WebhookAdmission(in, out, s)
+}

vendor/k8s.io/apiserver/pkg/admission/plugin/webhook/config/apis/webhookadmission/v1alpha1/zz_generated.deepcopy.go

@@ -0,0 +1,50 @@
+// +build !ignore_autogenerated
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by deepcopy-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	runtime "k8s.io/apimachinery/pkg/runtime"
+)
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *WebhookAdmission) DeepCopyInto(out *WebhookAdmission) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WebhookAdmission.
+func (in *WebhookAdmission) DeepCopy() *WebhookAdmission {
+	if in == nil {
+		return nil
+	}
+	out := new(WebhookAdmission)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *WebhookAdmission) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}

vendor/k8s.io/apiserver/pkg/admission/plugin/webhook/config/apis/webhookadmission/v1alpha1/zz_generated.defaults.go

@@ -0,0 +1,32 @@
+// +build !ignore_autogenerated
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by defaulter-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	runtime "k8s.io/apimachinery/pkg/runtime"
+)
+
+// RegisterDefaults adds defaulters functions to the given scheme.
+// Public to allow building arbitrary schemes.
+// All generated defaulters are covering - they call all nested defaulters.
+func RegisterDefaults(scheme *runtime.Scheme) error {
+	return nil
+}

vendor/k8s.io/apiserver/pkg/admission/plugin/webhook/config/apis/webhookadmission/zz_generated.deepcopy.go

@@ -0,0 +1,50 @@
+// +build !ignore_autogenerated
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by deepcopy-gen. DO NOT EDIT.
+
+package webhookadmission
+
+import (
+	runtime "k8s.io/apimachinery/pkg/runtime"
+)
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *WebhookAdmission) DeepCopyInto(out *WebhookAdmission) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WebhookAdmission.
+func (in *WebhookAdmission) DeepCopy() *WebhookAdmission {
+	if in == nil {
+		return nil
+	}
+	out := new(WebhookAdmission)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *WebhookAdmission) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}

vendor/k8s.io/apiserver/pkg/admission/plugin/webhook/config/kubeconfig.go

@@ -0,0 +1,69 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package config
+
+import (
+	"fmt"
+	"io"
+	"io/ioutil"
+	"path"
+
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/serializer"
+	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
+	"k8s.io/apimachinery/pkg/util/validation/field"
+	"k8s.io/apiserver/pkg/admission/plugin/webhook/config/apis/webhookadmission"
+	"k8s.io/apiserver/pkg/admission/plugin/webhook/config/apis/webhookadmission/v1alpha1"
+)
+
+var (
+	scheme = runtime.NewScheme()
+	codecs = serializer.NewCodecFactory(scheme)
+)
+
+func init() {
+	utilruntime.Must(webhookadmission.AddToScheme(scheme))
+	utilruntime.Must(v1alpha1.AddToScheme(scheme))
+}
+
+// LoadConfig extract the KubeConfigFile from configFile
+func LoadConfig(configFile io.Reader) (string, error) {
+	var kubeconfigFile string
+	if configFile != nil {
+		// we have a config so parse it.
+		data, err := ioutil.ReadAll(configFile)
+		if err != nil {
+			return "", err
+		}
+		decoder := codecs.UniversalDecoder()
+		decodedObj, err := runtime.Decode(decoder, data)
+		if err != nil {
+			return "", err
+		}
+		config, ok := decodedObj.(*webhookadmission.WebhookAdmission)
+		if !ok {
+			return "", fmt.Errorf("unexpected type: %T", decodedObj)
+		}
+
+		if !path.IsAbs(config.KubeConfigFile) {
+			return "", field.Invalid(field.NewPath("kubeConfigFile"), config.KubeConfigFile, "must be an absolute file path")
+		}
+
+		kubeconfigFile = config.KubeConfigFile
+	}
+	return kubeconfigFile, nil
+}

vendor/k8s.io/apiserver/pkg/admission/plugin/webhook/errors/doc.go

@@ -0,0 +1,18 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Package errors contains utilities for admission webhook specific errors
+package errors // import "k8s.io/apiserver/pkg/admission/plugin/webhook/errors"

vendor/k8s.io/apiserver/pkg/admission/plugin/webhook/errors/statuserror.go

@@ -0,0 +1,53 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package errors
+
+import (
+	"fmt"
+
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// ToStatusErr returns a StatusError with information about the webhook plugin
+func ToStatusErr(webhookName string, result *metav1.Status) *apierrors.StatusError {
+	deniedBy := fmt.Sprintf("admission webhook %q denied the request", webhookName)
+	const noExp = "without explanation"
+
+	if result == nil {
+		result = &metav1.Status{Status: metav1.StatusFailure}
+	}
+
+	switch {
+	case len(result.Message) > 0:
+		result.Message = fmt.Sprintf("%s: %s", deniedBy, result.Message)
+	case len(result.Reason) > 0:
+		result.Message = fmt.Sprintf("%s: %s", deniedBy, result.Reason)
+	default:
+		result.Message = fmt.Sprintf("%s %s", deniedBy, noExp)
+	}
+
+	return &apierrors.StatusError{
+		ErrStatus: *result,
+	}
+}
+
+// NewDryRunUnsupportedErr returns a StatusError with information about the webhook plugin
+func NewDryRunUnsupportedErr(webhookName string) *apierrors.StatusError {
+	reason := fmt.Sprintf("admission webhook %q does not support dry run", webhookName)
+	return apierrors.NewBadRequest(reason)
+}

vendor/k8s.io/apiserver/pkg/admission/plugin/webhook/generic/conversion.go

@@ -0,0 +1,57 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package generic
+
+import (
+	"fmt"
+
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+// convertor converts objects to the desired version.
+type convertor struct {
+	Scheme *runtime.Scheme
+}
+
+// ConvertToGVK converts object to the desired gvk.
+func (c *convertor) ConvertToGVK(obj runtime.Object, gvk schema.GroupVersionKind) (runtime.Object, error) {
+	// Unlike other resources, custom resources do not have internal version, so
+	// if obj is a custom resource, it should not need conversion.
+	if obj.GetObjectKind().GroupVersionKind() == gvk {
+		return obj, nil
+	}
+	out, err := c.Scheme.New(gvk)
+	if err != nil {
+		return nil, err
+	}
+	err = c.Scheme.Convert(obj, out, nil)
+	if err != nil {
+		return nil, err
+	}
+	// Explicitly set the GVK
+	out.GetObjectKind().SetGroupVersionKind(gvk)
+	return out, nil
+}
+
+// Validate checks if the conversion has a scheme.
+func (c *convertor) Validate() error {
+	if c.Scheme == nil {
+		return fmt.Errorf("the convertor requires a scheme")
+	}
+	return nil
+}

vendor/k8s.io/apiserver/pkg/admission/plugin/webhook/generic/interfaces.go

@@ -0,0 +1,45 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package generic
+
+import (
+	"context"
+
+	"k8s.io/api/admissionregistration/v1beta1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apiserver/pkg/admission"
+)
+
+// Source can list dynamic webhook plugins.
+type Source interface {
+	Webhooks() []v1beta1.Webhook
+	HasSynced() bool
+}
+
+// VersionedAttributes is a wrapper around the original admission attributes, adding versioned
+// variants of the object and old object.
+type VersionedAttributes struct {
+	admission.Attributes
+	VersionedOldObject runtime.Object
+	VersionedObject    runtime.Object
+}
+
+// Dispatcher dispatches webhook call to a list of webhooks with admission attributes as argument.
+type Dispatcher interface {
+	// Dispatch a request to the webhooks using the given webhooks. A non-nil error means the request is rejected.
+	Dispatch(ctx context.Context, a *VersionedAttributes, hooks []*v1beta1.Webhook) error
+}

vendor/k8s.io/apiserver/pkg/admission/plugin/webhook/generic/webhook.go

@@ -0,0 +1,205 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package generic
+
+import (
+	"context"
+	"fmt"
+	"io"
+
+	admissionv1beta1 "k8s.io/api/admission/v1beta1"
+	"k8s.io/api/admissionregistration/v1beta1"
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apiserver/pkg/admission"
+	genericadmissioninit "k8s.io/apiserver/pkg/admission/initializer"
+	"k8s.io/apiserver/pkg/admission/plugin/webhook/config"
+	"k8s.io/apiserver/pkg/admission/plugin/webhook/namespace"
+	"k8s.io/apiserver/pkg/admission/plugin/webhook/rules"
+	"k8s.io/apiserver/pkg/util/webhook"
+	"k8s.io/client-go/informers"
+	clientset "k8s.io/client-go/kubernetes"
+)
+
+// Webhook is an abstract admission plugin with all the infrastructure to define Admit or Validate on-top.
+type Webhook struct {
+	*admission.Handler
+
+	sourceFactory sourceFactory
+
+	hookSource       Source
+	clientManager    *webhook.ClientManager
+	convertor        *convertor
+	namespaceMatcher *namespace.Matcher
+	dispatcher       Dispatcher
+}
+
+var (
+	_ genericadmissioninit.WantsExternalKubeClientSet = &Webhook{}
+	_ admission.Interface                             = &Webhook{}
+)
+
+type sourceFactory func(f informers.SharedInformerFactory) Source
+type dispatcherFactory func(cm *webhook.ClientManager) Dispatcher
+
+// NewWebhook creates a new generic admission webhook.
+func NewWebhook(handler *admission.Handler, configFile io.Reader, sourceFactory sourceFactory, dispatcherFactory dispatcherFactory) (*Webhook, error) {
+	kubeconfigFile, err := config.LoadConfig(configFile)
+	if err != nil {
+		return nil, err
+	}
+
+	cm, err := webhook.NewClientManager(admissionv1beta1.SchemeGroupVersion, admissionv1beta1.AddToScheme)
+	if err != nil {
+		return nil, err
+	}
+	authInfoResolver, err := webhook.NewDefaultAuthenticationInfoResolver(kubeconfigFile)
+	if err != nil {
+		return nil, err
+	}
+	// Set defaults which may be overridden later.
+	cm.SetAuthenticationInfoResolver(authInfoResolver)
+	cm.SetServiceResolver(webhook.NewDefaultServiceResolver())
+
+	return &Webhook{
+		Handler:          handler,
+		sourceFactory:    sourceFactory,
+		clientManager:    &cm,
+		convertor:        &convertor{},
+		namespaceMatcher: &namespace.Matcher{},
+		dispatcher:       dispatcherFactory(&cm),
+	}, nil
+}
+
+// SetAuthenticationInfoResolverWrapper sets the
+// AuthenticationInfoResolverWrapper.
+// TODO find a better way wire this, but keep this pull small for now.
+func (a *Webhook) SetAuthenticationInfoResolverWrapper(wrapper webhook.AuthenticationInfoResolverWrapper) {
+	a.clientManager.SetAuthenticationInfoResolverWrapper(wrapper)
+}
+
+// SetServiceResolver sets a service resolver for the webhook admission plugin.
+// Passing a nil resolver does not have an effect, instead a default one will be used.
+func (a *Webhook) SetServiceResolver(sr webhook.ServiceResolver) {
+	a.clientManager.SetServiceResolver(sr)
+}
+
+// SetScheme sets a serializer(NegotiatedSerializer) which is derived from the scheme
+func (a *Webhook) SetScheme(scheme *runtime.Scheme) {
+	if scheme != nil {
+		a.convertor.Scheme = scheme
+	}
+}
+
+// SetExternalKubeClientSet implements the WantsExternalKubeInformerFactory interface.
+// It sets external ClientSet for admission plugins that need it
+func (a *Webhook) SetExternalKubeClientSet(client clientset.Interface) {
+	a.namespaceMatcher.Client = client
+}
+
+// SetExternalKubeInformerFactory implements the WantsExternalKubeInformerFactory interface.
+func (a *Webhook) SetExternalKubeInformerFactory(f informers.SharedInformerFactory) {
+	namespaceInformer := f.Core().V1().Namespaces()
+	a.namespaceMatcher.NamespaceLister = namespaceInformer.Lister()
+	a.hookSource = a.sourceFactory(f)
+	a.SetReadyFunc(func() bool {
+		return namespaceInformer.Informer().HasSynced() && a.hookSource.HasSynced()
+	})
+}
+
+// ValidateInitialization implements the InitializationValidator interface.
+func (a *Webhook) ValidateInitialization() error {
+	if a.hookSource == nil {
+		return fmt.Errorf("kubernetes client is not properly setup")
+	}
+	if err := a.namespaceMatcher.Validate(); err != nil {
+		return fmt.Errorf("namespaceMatcher is not properly setup: %v", err)
+	}
+	if err := a.clientManager.Validate(); err != nil {
+		return fmt.Errorf("clientManager is not properly setup: %v", err)
+	}
+	if err := a.convertor.Validate(); err != nil {
+		return fmt.Errorf("convertor is not properly setup: %v", err)
+	}
+	return nil
+}
+
+// ShouldCallHook makes a decision on whether to call the webhook or not by the attribute.
+func (a *Webhook) ShouldCallHook(h *v1beta1.Webhook, attr admission.Attributes) (bool, *apierrors.StatusError) {
+	var matches bool
+	for _, r := range h.Rules {
+		m := rules.Matcher{Rule: r, Attr: attr}
+		if m.Matches() {
+			matches = true
+			break
+		}
+	}
+	if !matches {
+		return false, nil
+	}
+
+	return a.namespaceMatcher.MatchNamespaceSelector(h, attr)
+}
+
+// Dispatch is called by the downstream Validate or Admit methods.
+func (a *Webhook) Dispatch(attr admission.Attributes) error {
+	if rules.IsWebhookConfigurationResource(attr) {
+		return nil
+	}
+	if !a.WaitForReady() {
+		return admission.NewForbidden(attr, fmt.Errorf("not yet ready to handle request"))
+	}
+	hooks := a.hookSource.Webhooks()
+	// TODO: Figure out if adding one second timeout make sense here.
+	ctx := context.TODO()
+
+	var relevantHooks []*v1beta1.Webhook
+	for i := range hooks {
+		call, err := a.ShouldCallHook(&hooks[i], attr)
+		if err != nil {
+			return err
+		}
+		if call {
+			relevantHooks = append(relevantHooks, &hooks[i])
+		}
+	}
+
+	if len(relevantHooks) == 0 {
+		// no matching hooks
+		return nil
+	}
+
+	// convert the object to the external version before sending it to the webhook
+	versionedAttr := VersionedAttributes{
+		Attributes: attr,
+	}
+	if oldObj := attr.GetOldObject(); oldObj != nil {
+		out, err := a.convertor.ConvertToGVK(oldObj, attr.GetKind())
+		if err != nil {
+			return apierrors.NewInternalError(err)
+		}
+		versionedAttr.VersionedOldObject = out
+	}
+	if obj := attr.GetObject(); obj != nil {
+		out, err := a.convertor.ConvertToGVK(obj, attr.GetKind())
+		if err != nil {
+			return apierrors.NewInternalError(err)
+		}
+		versionedAttr.VersionedObject = out
+	}
+	return a.dispatcher.Dispatch(ctx, &versionedAttr, relevantHooks)
+}

vendor/k8s.io/apiserver/pkg/admission/plugin/webhook/mutating/dispatcher.go

@@ -0,0 +1,166 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Package mutating delegates admission checks to dynamically configured
+// mutating webhooks.
+package mutating
+
+import (
+	"context"
+	"fmt"
+	"time"
+
+	jsonpatch "github.com/evanphx/json-patch"
+	"k8s.io/klog"
+
+	admissionv1beta1 "k8s.io/api/admission/v1beta1"
+	"k8s.io/api/admissionregistration/v1beta1"
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+	"k8s.io/apimachinery/pkg/runtime"
+	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
+	admissionmetrics "k8s.io/apiserver/pkg/admission/metrics"
+	webhookerrors "k8s.io/apiserver/pkg/admission/plugin/webhook/errors"
+	"k8s.io/apiserver/pkg/admission/plugin/webhook/generic"
+	"k8s.io/apiserver/pkg/admission/plugin/webhook/request"
+	"k8s.io/apiserver/pkg/admission/plugin/webhook/util"
+	"k8s.io/apiserver/pkg/util/webhook"
+)
+
+type mutatingDispatcher struct {
+	cm     *webhook.ClientManager
+	plugin *Plugin
+}
+
+func newMutatingDispatcher(p *Plugin) func(cm *webhook.ClientManager) generic.Dispatcher {
+	return func(cm *webhook.ClientManager) generic.Dispatcher {
+		return &mutatingDispatcher{cm, p}
+	}
+}
+
+var _ generic.Dispatcher = &mutatingDispatcher{}
+
+func (a *mutatingDispatcher) Dispatch(ctx context.Context, attr *generic.VersionedAttributes, relevantHooks []*v1beta1.Webhook) error {
+	for _, hook := range relevantHooks {
+		t := time.Now()
+		err := a.callAttrMutatingHook(ctx, hook, attr)
+		admissionmetrics.Metrics.ObserveWebhook(time.Since(t), err != nil, attr.Attributes, "admit", hook.Name)
+		if err == nil {
+			continue
+		}
+
+		ignoreClientCallFailures := hook.FailurePolicy != nil && *hook.FailurePolicy == v1beta1.Ignore
+		if callErr, ok := err.(*webhook.ErrCallingWebhook); ok {
+			if ignoreClientCallFailures {
+				klog.Warningf("Failed calling webhook, failing open %v: %v", hook.Name, callErr)
+				utilruntime.HandleError(callErr)
+				continue
+			}
+			klog.Warningf("Failed calling webhook, failing closed %v: %v", hook.Name, err)
+		}
+		return apierrors.NewInternalError(err)
+	}
+
+	// convert attr.VersionedObject to the internal version in the underlying admission.Attributes
+	if attr.VersionedObject != nil {
+		return a.plugin.scheme.Convert(attr.VersionedObject, attr.Attributes.GetObject(), nil)
+	}
+	return nil
+}
+
+// note that callAttrMutatingHook updates attr
+func (a *mutatingDispatcher) callAttrMutatingHook(ctx context.Context, h *v1beta1.Webhook, attr *generic.VersionedAttributes) error {
+	if attr.IsDryRun() {
+		if h.SideEffects == nil {
+			return &webhook.ErrCallingWebhook{WebhookName: h.Name, Reason: fmt.Errorf("Webhook SideEffects is nil")}
+		}
+		if !(*h.SideEffects == v1beta1.SideEffectClassNone || *h.SideEffects == v1beta1.SideEffectClassNoneOnDryRun) {
+			return webhookerrors.NewDryRunUnsupportedErr(h.Name)
+		}
+	}
+
+	// Make the webhook request
+	request := request.CreateAdmissionReview(attr)
+	client, err := a.cm.HookClient(util.HookClientConfigForWebhook(h))
+	if err != nil {
+		return &webhook.ErrCallingWebhook{WebhookName: h.Name, Reason: err}
+	}
+	response := &admissionv1beta1.AdmissionReview{}
+	if err := client.Post().Context(ctx).Body(&request).Do().Into(response); err != nil {
+		return &webhook.ErrCallingWebhook{WebhookName: h.Name, Reason: err}
+	}
+
+	if response.Response == nil {
+		return &webhook.ErrCallingWebhook{WebhookName: h.Name, Reason: fmt.Errorf("Webhook response was absent")}
+	}
+
+	for k, v := range response.Response.AuditAnnotations {
+		key := h.Name + "/" + k
+		if err := attr.AddAnnotation(key, v); err != nil {
+			klog.Warningf("Failed to set admission audit annotation %s to %s for mutating webhook %s: %v", key, v, h.Name, err)
+		}
+	}
+
+	if !response.Response.Allowed {
+		return webhookerrors.ToStatusErr(h.Name, response.Response.Result)
+	}
+
+	patchJS := response.Response.Patch
+	if len(patchJS) == 0 {
+		return nil
+	}
+	patchObj, err := jsonpatch.DecodePatch(patchJS)
+	if err != nil {
+		return apierrors.NewInternalError(err)
+	}
+	if len(patchObj) == 0 {
+		return nil
+	}
+
+	// if a non-empty patch was provided, and we have no object we can apply it to (e.g. a DELETE admission operation), error
+	if attr.VersionedObject == nil {
+		return apierrors.NewInternalError(fmt.Errorf("admission webhook %q attempted to modify the object, which is not supported for this operation", h.Name))
+	}
+
+	objJS, err := runtime.Encode(a.plugin.jsonSerializer, attr.VersionedObject)
+	if err != nil {
+		return apierrors.NewInternalError(err)
+	}
+	patchedJS, err := patchObj.Apply(objJS)
+	if err != nil {
+		return apierrors.NewInternalError(err)
+	}
+
+	var newVersionedObject runtime.Object
+	if _, ok := attr.VersionedObject.(*unstructured.Unstructured); ok {
+		// Custom Resources don't have corresponding Go struct's.
+		// They are represented as Unstructured.
+		newVersionedObject = &unstructured.Unstructured{}
+	} else {
+		newVersionedObject, err = a.plugin.scheme.New(attr.GetKind())
+		if err != nil {
+			return apierrors.NewInternalError(err)
+		}
+	}
+	// TODO: if we have multiple mutating webhooks, we can remember the json
+	// instead of encoding and decoding for each one.
+	if _, _, err := a.plugin.jsonSerializer.Decode(patchedJS, nil, newVersionedObject); err != nil {
+		return apierrors.NewInternalError(err)
+	}
+	attr.VersionedObject = newVersionedObject
+	a.plugin.scheme.Default(attr.VersionedObject)
+	return nil
+}

vendor/k8s.io/apiserver/pkg/admission/plugin/webhook/mutating/doc.go

@@ -0,0 +1,19 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Package mutating makes calls to mutating webhooks during the admission
+// process.
+package mutating // import "k8s.io/apiserver/pkg/admission/plugin/webhook/mutating"

vendor/k8s.io/apiserver/pkg/admission/plugin/webhook/mutating/plugin.go

@@ -0,0 +1,96 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package mutating
+
+import (
+	"fmt"
+	"io"
+
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/serializer/json"
+	"k8s.io/apiserver/pkg/admission"
+	"k8s.io/apiserver/pkg/admission/configuration"
+	"k8s.io/apiserver/pkg/admission/plugin/webhook/generic"
+)
+
+const (
+	// PluginName indicates the name of admission plug-in
+	PluginName = "MutatingAdmissionWebhook"
+)
+
+// Register registers a plugin
+func Register(plugins *admission.Plugins) {
+	plugins.Register(PluginName, func(configFile io.Reader) (admission.Interface, error) {
+		plugin, err := NewMutatingWebhook(configFile)
+		if err != nil {
+			return nil, err
+		}
+
+		return plugin, nil
+	})
+}
+
+// Plugin is an implementation of admission.Interface.
+type Plugin struct {
+	*generic.Webhook
+
+	scheme         *runtime.Scheme
+	jsonSerializer *json.Serializer
+}
+
+var _ admission.MutationInterface = &Plugin{}
+
+// NewMutatingWebhook returns a generic admission webhook plugin.
+func NewMutatingWebhook(configFile io.Reader) (*Plugin, error) {
+	handler := admission.NewHandler(admission.Connect, admission.Create, admission.Delete, admission.Update)
+	p := &Plugin{}
+	var err error
+	p.Webhook, err = generic.NewWebhook(handler, configFile, configuration.NewMutatingWebhookConfigurationManager, newMutatingDispatcher(p))
+	if err != nil {
+		return nil, err
+	}
+
+	return p, nil
+}
+
+// SetScheme sets a serializer(NegotiatedSerializer) which is derived from the scheme
+func (a *Plugin) SetScheme(scheme *runtime.Scheme) {
+	a.Webhook.SetScheme(scheme)
+	if scheme != nil {
+		a.scheme = scheme
+		a.jsonSerializer = json.NewSerializer(json.DefaultMetaFactory, scheme, scheme, false)
+	}
+}
+
+// ValidateInitialization implements the InitializationValidator interface.
+func (a *Plugin) ValidateInitialization() error {
+	if err := a.Webhook.ValidateInitialization(); err != nil {
+		return err
+	}
+	if a.scheme == nil {
+		return fmt.Errorf("scheme is not properly setup")
+	}
+	if a.jsonSerializer == nil {
+		return fmt.Errorf("jsonSerializer is not properly setup")
+	}
+	return nil
+}
+
+// Admit makes an admission decision based on the request attributes.
+func (a *Plugin) Admit(attr admission.Attributes) error {
+	return a.Webhook.Dispatch(attr)
+}

vendor/k8s.io/apiserver/pkg/admission/plugin/webhook/namespace/doc.go

@@ -0,0 +1,20 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Package namespace defines the utilities that are used by the webhook
+// plugin to decide if a webhook should be applied to an object based on its
+// namespace.
+package namespace // import "k8s.io/apiserver/pkg/admission/plugin/webhook/namespace"

vendor/k8s.io/apiserver/pkg/admission/plugin/webhook/namespace/matcher.go

@@ -0,0 +1,117 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package namespace
+
+import (
+	"fmt"
+
+	"k8s.io/api/admissionregistration/v1beta1"
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
+	"k8s.io/apimachinery/pkg/api/meta"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/labels"
+	utilerrors "k8s.io/apimachinery/pkg/util/errors"
+	"k8s.io/apiserver/pkg/admission"
+	clientset "k8s.io/client-go/kubernetes"
+	corelisters "k8s.io/client-go/listers/core/v1"
+)
+
+// Matcher decides if a request is exempted by the NamespaceSelector of a
+// webhook configuration.
+type Matcher struct {
+	NamespaceLister corelisters.NamespaceLister
+	Client          clientset.Interface
+}
+
+// Validate checks if the Matcher has a NamespaceLister and Client.
+func (m *Matcher) Validate() error {
+	var errs []error
+	if m.NamespaceLister == nil {
+		errs = append(errs, fmt.Errorf("the namespace matcher requires a namespaceLister"))
+	}
+	if m.Client == nil {
+		errs = append(errs, fmt.Errorf("the namespace matcher requires a namespaceLister"))
+	}
+	return utilerrors.NewAggregate(errs)
+}
+
+// GetNamespaceLabels gets the labels of the namespace related to the attr.
+func (m *Matcher) GetNamespaceLabels(attr admission.Attributes) (map[string]string, error) {
+	// If the request itself is creating or updating a namespace, then get the
+	// labels from attr.Object, because namespaceLister doesn't have the latest
+	// namespace yet.
+	//
+	// However, if the request is deleting a namespace, then get the label from
+	// the namespace in the namespaceLister, because a delete request is not
+	// going to change the object, and attr.Object will be a DeleteOptions
+	// rather than a namespace object.
+	if attr.GetResource().Resource == "namespaces" &&
+		len(attr.GetSubresource()) == 0 &&
+		(attr.GetOperation() == admission.Create || attr.GetOperation() == admission.Update) {
+		accessor, err := meta.Accessor(attr.GetObject())
+		if err != nil {
+			return nil, err
+		}
+		return accessor.GetLabels(), nil
+	}
+
+	namespaceName := attr.GetNamespace()
+	namespace, err := m.NamespaceLister.Get(namespaceName)
+	if err != nil && !apierrors.IsNotFound(err) {
+		return nil, err
+	}
+	if apierrors.IsNotFound(err) {
+		// in case of latency in our caches, make a call direct to storage to verify that it truly exists or not
+		namespace, err = m.Client.CoreV1().Namespaces().Get(namespaceName, metav1.GetOptions{})
+		if err != nil {
+			return nil, err
+		}
+	}
+	return namespace.Labels, nil
+}
+
+// MatchNamespaceSelector decideds whether the request matches the
+// namespaceSelctor of the webhook. Only when they match, the webhook is called.
+func (m *Matcher) MatchNamespaceSelector(h *v1beta1.Webhook, attr admission.Attributes) (bool, *apierrors.StatusError) {
+	namespaceName := attr.GetNamespace()
+	if len(namespaceName) == 0 && attr.GetResource().Resource != "namespaces" {
+		// If the request is about a cluster scoped resource, and it is not a
+		// namespace, it is never exempted.
+		// TODO: figure out a way selective exempt cluster scoped resources.
+		// Also update the comment in types.go
+		return true, nil
+	}
+	namespaceLabels, err := m.GetNamespaceLabels(attr)
+	// this means the namespace is not found, for backwards compatibility,
+	// return a 404
+	if apierrors.IsNotFound(err) {
+		status, ok := err.(apierrors.APIStatus)
+		if !ok {
+			return false, apierrors.NewInternalError(err)
+		}
+		return false, &apierrors.StatusError{status.Status()}
+	}
+	if err != nil {
+		return false, apierrors.NewInternalError(err)
+	}
+	// TODO: adding an LRU cache to cache the translation
+	selector, err := metav1.LabelSelectorAsSelector(h.NamespaceSelector)
+	if err != nil {
+		return false, apierrors.NewInternalError(err)
+	}
+	return selector.Matches(labels.Set(namespaceLabels)), nil
+}

vendor/k8s.io/apiserver/pkg/admission/plugin/webhook/request/admissionreview.go

@@ -0,0 +1,73 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package request
+
+import (
+	admissionv1beta1 "k8s.io/api/admission/v1beta1"
+	authenticationv1 "k8s.io/api/authentication/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/util/uuid"
+	"k8s.io/apiserver/pkg/admission/plugin/webhook/generic"
+)
+
+// CreateAdmissionReview creates an AdmissionReview for the provided admission.Attributes
+func CreateAdmissionReview(attr *generic.VersionedAttributes) admissionv1beta1.AdmissionReview {
+	gvk := attr.GetKind()
+	gvr := attr.GetResource()
+	aUserInfo := attr.GetUserInfo()
+	userInfo := authenticationv1.UserInfo{
+		Extra:    make(map[string]authenticationv1.ExtraValue),
+		Groups:   aUserInfo.GetGroups(),
+		UID:      aUserInfo.GetUID(),
+		Username: aUserInfo.GetName(),
+	}
+	dryRun := attr.IsDryRun()
+
+	// Convert the extra information in the user object
+	for key, val := range aUserInfo.GetExtra() {
+		userInfo.Extra[key] = authenticationv1.ExtraValue(val)
+	}
+
+	return admissionv1beta1.AdmissionReview{
+		Request: &admissionv1beta1.AdmissionRequest{
+			UID: uuid.NewUUID(),
+			Kind: metav1.GroupVersionKind{
+				Group:   gvk.Group,
+				Kind:    gvk.Kind,
+				Version: gvk.Version,
+			},
+			Resource: metav1.GroupVersionResource{
+				Group:    gvr.Group,
+				Resource: gvr.Resource,
+				Version:  gvr.Version,
+			},
+			SubResource: attr.GetSubresource(),
+			Name:        attr.GetName(),
+			Namespace:   attr.GetNamespace(),
+			Operation:   admissionv1beta1.Operation(attr.GetOperation()),
+			UserInfo:    userInfo,
+			Object: runtime.RawExtension{
+				Object: attr.VersionedObject,
+			},
+			OldObject: runtime.RawExtension{
+				Object: attr.VersionedOldObject,
+			},
+			DryRun: &dryRun,
+		},
+	}
+}

vendor/k8s.io/apiserver/pkg/admission/plugin/webhook/request/doc.go

@@ -0,0 +1,18 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Package request creates admissionReview request based on admission attributes.
+package request // import "k8s.io/apiserver/pkg/admission/plugin/webhook/request"

vendor/k8s.io/apiserver/pkg/admission/plugin/webhook/rules/rules.go

@@ -0,0 +1,107 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package rules
+
+import (
+	"strings"
+
+	"k8s.io/api/admissionregistration/v1beta1"
+	"k8s.io/apiserver/pkg/admission"
+)
+
+// Matcher determines if the Attr matches the Rule.
+type Matcher struct {
+	Rule v1beta1.RuleWithOperations
+	Attr admission.Attributes
+}
+
+// Matches returns if the Attr matches the Rule.
+func (r *Matcher) Matches() bool {
+	return r.operation() &&
+		r.group() &&
+		r.version() &&
+		r.resource()
+}
+
+func exactOrWildcard(items []string, requested string) bool {
+	for _, item := range items {
+		if item == "*" {
+			return true
+		}
+		if item == requested {
+			return true
+		}
+	}
+
+	return false
+}
+
+func (r *Matcher) group() bool {
+	return exactOrWildcard(r.Rule.APIGroups, r.Attr.GetResource().Group)
+}
+
+func (r *Matcher) version() bool {
+	return exactOrWildcard(r.Rule.APIVersions, r.Attr.GetResource().Version)
+}
+
+func (r *Matcher) operation() bool {
+	attrOp := r.Attr.GetOperation()
+	for _, op := range r.Rule.Operations {
+		if op == v1beta1.OperationAll {
+			return true
+		}
+		// The constants are the same such that this is a valid cast (and this
+		// is tested).
+		if op == v1beta1.OperationType(attrOp) {
+			return true
+		}
+	}
+	return false
+}
+
+func splitResource(resSub string) (res, sub string) {
+	parts := strings.SplitN(resSub, "/", 2)
+	if len(parts) == 2 {
+		return parts[0], parts[1]
+	}
+	return parts[0], ""
+}
+
+func (r *Matcher) resource() bool {
+	opRes, opSub := r.Attr.GetResource().Resource, r.Attr.GetSubresource()
+	for _, res := range r.Rule.Resources {
+		res, sub := splitResource(res)
+		resMatch := res == "*" || res == opRes
+		subMatch := sub == "*" || sub == opSub
+		if resMatch && subMatch {
+			return true
+		}
+	}
+	return false
+}
+
+// IsWebhookConfigurationResource determines if an admission.Attributes object is describing
+// the admission of a ValidatingWebhookConfiguration or a MutatingWebhookConfiguration
+func IsWebhookConfigurationResource(attr admission.Attributes) bool {
+	gvk := attr.GetKind()
+	if gvk.Group == "admissionregistration.k8s.io" {
+		if gvk.Kind == "ValidatingWebhookConfiguration" || gvk.Kind == "MutatingWebhookConfiguration" {
+			return true
+		}
+	}
+	return false
+}

vendor/k8s.io/apiserver/pkg/admission/plugin/webhook/util/client_config.go

@@ -0,0 +1,42 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package util
+
+import (
+	"k8s.io/api/admissionregistration/v1beta1"
+	"k8s.io/apiserver/pkg/util/webhook"
+)
+
+// HookClientConfigForWebhook construct a webhook.ClientConfig using a v1beta1.Webhook API object.
+// webhook.ClientConfig is used to create a HookClient and the purpose of the config struct is to
+// share that with other packages that need to create a HookClient.
+func HookClientConfigForWebhook(w *v1beta1.Webhook) webhook.ClientConfig {
+	ret := webhook.ClientConfig{Name: w.Name, CABundle: w.ClientConfig.CABundle}
+	if w.ClientConfig.URL != nil {
+		ret.URL = *w.ClientConfig.URL
+	}
+	if w.ClientConfig.Service != nil {
+		ret.Service = &webhook.ClientConfigService{
+			Name:      w.ClientConfig.Service.Name,
+			Namespace: w.ClientConfig.Service.Namespace,
+		}
+		if w.ClientConfig.Service.Path != nil {
+			ret.Service.Path = *w.ClientConfig.Service.Path
+		}
+	}
+	return ret
+}

vendor/k8s.io/apiserver/pkg/admission/plugin/webhook/validating/dispatcher.go

@@ -0,0 +1,134 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package validating
+
+import (
+	"context"
+	"fmt"
+	"sync"
+	"time"
+
+	"k8s.io/klog"
+
+	admissionv1beta1 "k8s.io/api/admission/v1beta1"
+	"k8s.io/api/admissionregistration/v1beta1"
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
+	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
+	admissionmetrics "k8s.io/apiserver/pkg/admission/metrics"
+	webhookerrors "k8s.io/apiserver/pkg/admission/plugin/webhook/errors"
+	"k8s.io/apiserver/pkg/admission/plugin/webhook/generic"
+	"k8s.io/apiserver/pkg/admission/plugin/webhook/request"
+	"k8s.io/apiserver/pkg/admission/plugin/webhook/util"
+	"k8s.io/apiserver/pkg/util/webhook"
+)
+
+type validatingDispatcher struct {
+	cm *webhook.ClientManager
+}
+
+func newValidatingDispatcher(cm *webhook.ClientManager) generic.Dispatcher {
+	return &validatingDispatcher{cm}
+}
+
+var _ generic.Dispatcher = &validatingDispatcher{}
+
+func (d *validatingDispatcher) Dispatch(ctx context.Context, attr *generic.VersionedAttributes, relevantHooks []*v1beta1.Webhook) error {
+	wg := sync.WaitGroup{}
+	errCh := make(chan error, len(relevantHooks))
+	wg.Add(len(relevantHooks))
+	for i := range relevantHooks {
+		go func(hook *v1beta1.Webhook) {
+			defer wg.Done()
+
+			t := time.Now()
+			err := d.callHook(ctx, hook, attr)
+			admissionmetrics.Metrics.ObserveWebhook(time.Since(t), err != nil, attr.Attributes, "validating", hook.Name)
+			if err == nil {
+				return
+			}
+
+			ignoreClientCallFailures := hook.FailurePolicy != nil && *hook.FailurePolicy == v1beta1.Ignore
+			if callErr, ok := err.(*webhook.ErrCallingWebhook); ok {
+				if ignoreClientCallFailures {
+					klog.Warningf("Failed calling webhook, failing open %v: %v", hook.Name, callErr)
+					utilruntime.HandleError(callErr)
+					return
+				}
+
+				klog.Warningf("Failed calling webhook, failing closed %v: %v", hook.Name, err)
+				errCh <- apierrors.NewInternalError(err)
+				return
+			}
+
+			klog.Warningf("rejected by webhook %q: %#v", hook.Name, err)
+			errCh <- err
+		}(relevantHooks[i])
+	}
+	wg.Wait()
+	close(errCh)
+
+	var errs []error
+	for e := range errCh {
+		errs = append(errs, e)
+	}
+	if len(errs) == 0 {
+		return nil
+	}
+	if len(errs) > 1 {
+		for i := 1; i < len(errs); i++ {
+			// TODO: merge status errors; until then, just return the first one.
+			utilruntime.HandleError(errs[i])
+		}
+	}
+	return errs[0]
+}
+
+func (d *validatingDispatcher) callHook(ctx context.Context, h *v1beta1.Webhook, attr *generic.VersionedAttributes) error {
+	if attr.IsDryRun() {
+		if h.SideEffects == nil {
+			return &webhook.ErrCallingWebhook{WebhookName: h.Name, Reason: fmt.Errorf("Webhook SideEffects is nil")}
+		}
+		if !(*h.SideEffects == v1beta1.SideEffectClassNone || *h.SideEffects == v1beta1.SideEffectClassNoneOnDryRun) {
+			return webhookerrors.NewDryRunUnsupportedErr(h.Name)
+		}
+	}
+
+	// Make the webhook request
+	request := request.CreateAdmissionReview(attr)
+	client, err := d.cm.HookClient(util.HookClientConfigForWebhook(h))
+	if err != nil {
+		return &webhook.ErrCallingWebhook{WebhookName: h.Name, Reason: err}
+	}
+	response := &admissionv1beta1.AdmissionReview{}
+	if err := client.Post().Context(ctx).Body(&request).Do().Into(response); err != nil {
+		return &webhook.ErrCallingWebhook{WebhookName: h.Name, Reason: err}
+	}
+
+	if response.Response == nil {
+		return &webhook.ErrCallingWebhook{WebhookName: h.Name, Reason: fmt.Errorf("Webhook response was absent")}
+	}
+	for k, v := range response.Response.AuditAnnotations {
+		key := h.Name + "/" + k
+		if err := attr.AddAnnotation(key, v); err != nil {
+			klog.Warningf("Failed to set admission audit annotation %s to %s for validating webhook %s: %v", key, v, h.Name, err)
+		}
+	}
+	if response.Response.Allowed {
+		return nil
+	}
+	return webhookerrors.ToStatusErr(h.Name, response.Response.Result)
+}

vendor/k8s.io/apiserver/pkg/admission/plugin/webhook/validating/doc.go

@@ -0,0 +1,19 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Package validating makes calls to validating (i.e., non-mutating) webhooks
+// during the admission process.
+package validating // import "k8s.io/apiserver/pkg/admission/plugin/webhook/validating"

vendor/k8s.io/apiserver/pkg/admission/plugin/webhook/validating/plugin.go

@@ -0,0 +1,64 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package validating
+
+import (
+	"io"
+
+	"k8s.io/apiserver/pkg/admission"
+	"k8s.io/apiserver/pkg/admission/configuration"
+	"k8s.io/apiserver/pkg/admission/plugin/webhook/generic"
+)
+
+const (
+	// PluginName indicates the name of admission plug-in
+	PluginName = "ValidatingAdmissionWebhook"
+)
+
+// Register registers a plugin
+func Register(plugins *admission.Plugins) {
+	plugins.Register(PluginName, func(configFile io.Reader) (admission.Interface, error) {
+		plugin, err := NewValidatingAdmissionWebhook(configFile)
+		if err != nil {
+			return nil, err
+		}
+
+		return plugin, nil
+	})
+}
+
+// Plugin is an implementation of admission.Interface.
+type Plugin struct {
+	*generic.Webhook
+}
+
+var _ admission.ValidationInterface = &Plugin{}
+
+// NewValidatingAdmissionWebhook returns a generic admission webhook plugin.
+func NewValidatingAdmissionWebhook(configFile io.Reader) (*Plugin, error) {
+	handler := admission.NewHandler(admission.Connect, admission.Create, admission.Delete, admission.Update)
+	webhook, err := generic.NewWebhook(handler, configFile, configuration.NewValidatingWebhookConfigurationManager, newValidatingDispatcher)
+	if err != nil {
+		return nil, err
+	}
+	return &Plugin{webhook}, nil
+}
+
+// Validate makes an admission decision based on the request attributes.
+func (a *Plugin) Validate(attr admission.Attributes) error {
+	return a.Webhook.Dispatch(attr)
+}