⚠️ admission responses with raw Status

If a custom webhook validator returns a metav1.Status object as the error, the validation handler will build an admission response with this Status object as is, instead of building a new Status object based on err.Error()

This might be considered as a breaking change since the behaviour of the
validation handler is going to be slightly different from what the users
might expect based on the previous version of the code

Author: Eric Abramov

pkg/webhook/admission/response.go

@@ -80,6 +80,17 @@ func ValidationResponse(allowed bool, reason string) Response {
 	return resp
 }
 
+// ValidationResponseFromStatus returns a response for admitting a request with provided Status object.
+func ValidationResponseFromStatus(allowed bool, status *metav1.Status) Response {
+	resp := Response{
+		AdmissionResponse: admissionv1beta1.AdmissionResponse{
+			Allowed: allowed,
+			Result: status,
+		},
+	}
+	return resp
+}
+
 // PatchResponseFromRaw takes 2 byte arrays and returns a new response with json patch.
 // The original object should be passed in as raw bytes to avoid the roundtripping problem
 // described in https://github.com/kubernetes-sigs/kubebuilder/issues/510.

pkg/webhook/admission/validator.go

@@ -21,6 +21,8 @@ import (
 	"net/http"
 
 	"k8s.io/api/admission/v1beta1"
+	"k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 )
 
@@ -67,7 +69,13 @@ func (h *validatingHandler) Handle(ctx context.Context, req Request) Response {
 		}
 
 		err = obj.ValidateCreate()
+
 		if err != nil {
+
+			isStatusError, status := isStatusError(&err)
+			if isStatusError {
+				return ValidationResponseFromStatus(false, status)
+			}
 			return Denied(err.Error())
 		}
 	}
@@ -85,7 +93,12 @@ func (h *validatingHandler) Handle(ctx context.Context, req Request) Response {
 		}
 
 		err = obj.ValidateUpdate(oldObj)
+
 		if err != nil {
+			isStatusError, status := isStatusError(&err)
+			if isStatusError {
+				return ValidationResponseFromStatus(false, status)
+			}
 			return Denied(err.Error())
 		}
 	}
@@ -100,9 +113,22 @@ func (h *validatingHandler) Handle(ctx context.Context, req Request) Response {
 
 		err = obj.ValidateDelete()
 		if err != nil {
+			isStatusError, status := isStatusError(&err)
+			if isStatusError {
+				return ValidationResponseFromStatus(false, status)
+			}
 			return Denied(err.Error())
 		}
 	}
 
 	return Allowed("")
 }
+
+func isStatusError(err *error) (bool, *metav1.Status) {
+	statusError, isStatusError := (*err).(*errors.StatusError)
+	if isStatusError {
+		return true, &statusError.ErrStatus
+	}
+
+	return false, nil
+}