|
2 | 2 |
|
3 | 3 | kcp extends the vanilla [admission plugins](https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/) for webhooks, and makes them cluster-aware.
|
4 | 4 |
|
5 |
| -``` |
6 |
| - ┌────────────────────────┐ |
7 |
| - │ Consumer Workspace ws2 │ |
8 |
| - ├────────────────────────┤ |
9 |
| - │ │ |
10 |
| - ┌────┼─ Widgets APIBinding │ |
11 |
| - │ │ │ |
12 |
| - │ │ Widget a │ |
13 |
| -┌───────────────────────────────────────────────┐ │ │ Widget b │ |
14 |
| -│ API Provider Workspace ws1 │ │ │ Widget c │ |
15 |
| -├───────────────────────────────────────────────┤ │ │ │ |
16 |
| -│ │ │ └────────────────────────┘ |
17 |
| -│ Widgets APIExport ◄──────────────┼────┤ |
18 |
| -│ │ │ │ |
19 |
| -│ ▼ │ │ |
20 |
| -│ Widgets APIResourceSchema │ │ ┌────────────────────────┐ |
21 |
| -│ (widgets.v1.example.org) │ │ │ Consumer Workspace ws3 │ |
22 |
| -│ ▲ │ │ ├────────────────────────┤ |
23 |
| -│ │ │ │ │ │ |
24 |
| -│ ┌───────────────────┴─────────────────────┐ │ └────┼─ Widgets APIBinding │ |
25 |
| -│ │ Mutating/ValidatingWebhookConfiguration │ │ │ │ |
26 |
| -│ │ for widgets.v1.example.org │ │ │ Widget a │ |
27 |
| -│ │ │ │ │ Widget b │ |
28 |
| -│ │ Handle a from ws2 (APIResourceSchema) │ │ │ Widget c │ |
29 |
| -│ │ Handle b from ws3 (APIResourceSchema) │ │ │ │ |
30 |
| -│ │ Handle a from ws1 (CRD) │ │ └────────────────────────┘ |
31 |
| -│ │ ... │ │ |
32 |
| -│ └───────────────────┬─────────────────────┘ │ |
33 |
| -│ │ │ |
34 |
| -│ ▼ │ |
35 |
| -│ Widgets CustomResourceDefinition │ |
36 |
| -│ (widgets.v1.example.org) │ |
37 |
| -│ │ |
38 |
| -│ Widget a │ |
39 |
| -│ │ |
40 |
| -└───────────────────────────────────────────────┘ |
| 5 | +```mermaid |
| 6 | +flowchart TD |
| 7 | + subgraph ws1["API Provider Workspace ws1"] |
| 8 | + export["Widgets APIExport"] |
| 9 | + schema["Widgets APIResourceSchema<br/>(widgets.v1.example.org)"] |
| 10 | + webhook["Mutating/ValidatingWebhookConfiguration<br/>for widgets.v1.example.org<br/><br/>Handle a from ws2 (APIResourceSchema)<br/>Handle b from ws3 (APIResourceSchema)<br/>Handle a from ws1 (CRD)"] |
| 11 | + crd["Widgets CustomResourceDefinition<br/>(widgets.v1.example.org)"] |
| 12 | + |
| 13 | + export --> schema |
| 14 | + schema --> webhook |
| 15 | + webhook --> crd |
| 16 | + end |
| 17 | +
|
| 18 | + subgraph ws2["Consumer Workspace ws2"] |
| 19 | + binding1["Widgets APIBinding"] |
| 20 | + widgetA1["Widget a"] |
| 21 | + widgetB1["Widget b"] |
| 22 | + widgetC1["Widget c"] |
| 23 | + end |
| 24 | +
|
| 25 | + subgraph ws3["Consumer Workspace ws3"] |
| 26 | + binding2["Widgets APIBinding"] |
| 27 | + widgetA2["Widget a"] |
| 28 | + widgetB2["Widget b"] |
| 29 | + widgetC2["Widget c"] |
| 30 | + end |
| 31 | +
|
| 32 | + export --> binding1 |
| 33 | + export --> binding2 |
| 34 | +
|
| 35 | + classDef default fill:#f9f9f9,stroke:#333,stroke-width:2px; |
| 36 | + classDef resource fill:#e1f3d8,stroke:#82c91e,stroke-width:2px; |
| 37 | + class export,schema,webhook,crd,binding1,binding2 resource; |
41 | 38 | ```
|
42 | 39 |
|
43 | 40 | When an object is to be mutated or validated, the webhook admission plugin ([`apis.kcp.io/MutatingWebhook`](https://github.com/kcp-dev/kcp/tree/main/pkg/admission/mutatingwebhook) and [`apis.kcp.io/ValidatingWebhook`](https://github.com/kcp-dev/kcp/tree/main/pkg/admission/validatingwebhook) respectively) looks for the owner of the resource schema. Once found, it then dispatches the handling for that object in the owner's workspace. There are two such cases in the diagram above:
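Review bot: the edge directions in the new flowchart do not match the ASCII diagram being removed, which changes what the figure says about who depends on whom. In the old diagram the `Widgets APIBinding` in ws2 and ws3 point at `Widgets APIExport` (the `◄` arrowhead sits on the export), and the webhook configuration box points up at the `APIResourceSchema` (`▲`) as well as down at the CRD (`▼`). The new edges `export --> binding1`, `export --> binding2` and `schema --> webhook` run the other way. Since the paragraph right after the diagram explains that admission is dispatched to the workspace that owns the resource schema, I would keep the original directions: `binding1 --> export`, `binding2 --> export`, and `webhook --> schema` alongside the existing `webhook --> crd`. Two smaller points: the `Widget a` that lived under the CRD in ws1 has no node any more, although the webhook label still lists "Handle a from ws1 (CRD)", and the trailing `...` in that handle list was dropped; and the `Widget a/b/c` nodes in ws2 and ws3 have no edges, so nothing ties them to their binding beyond sitting in the same subgraph.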
|
|