
fix(webhook): scope v1alpha1 DNSRecord webhook to v1alpha1 requests#299

Merged: golgoth31 merged 1 commit into main from fix/dnsrecord-v1alpha1-webhook-matchpolicy on Jun 18, 2026

Conversation

@golgoth31

Owner

Summary

On dev the DNS controller looped on:

admission webhook "vdnsrecord-v1alpha1.kb.io" denied the request:
manual DNSRecord cannot be modified via v1alpha1; use sreportal.io/v1alpha2

even though the controller writes DNSRecords in v1alpha2.

Root cause

vdnsrecord-v1alpha1 had no matchPolicy, so it defaulted to Equivalent. With a multi-version CRD + conversion webhook (storage = v1alpha2), Equivalent makes the apiserver convert v1alpha2 writes down to v1alpha1 and route them through this webhook too. The v2→v1 conversion (ConvertFrom) stamps every record with the sreportal.io/v1alpha2-dnsrecord-spec annotation the validator keys on — so the controller's own v1alpha2 auto-record updates were rejected.

Fix

Set matchPolicy=Exact on the v1alpha1 webhook so it only fires for genuine v1alpha1 requests. v1alpha2 controller writes are no longer routed here.

  • A v1alpha1-native edit of a v2-backed record is still blocked (intended): it preserves the v2-only data (origin/entries) and the controller-SA reservation on origin=auto (a user can't bypass it via the v1alpha1 surface — confirmed by review).
  • Reworded the message/variable (manual → backedByV2) since it applies to any v2-backed record, not only manual.

Regenerated config/webhook/manifests.yaml + helm template (only matchPolicy: Exact added).

Test plan

  • validator unit test updated for the new message
  • make manifests / make helm regenerated (no parasitic churn)
  • golangci-lint clean
  • Review panel (exec-trace / security / code) — RAS; security confirmed no SA-bypass opened

🤖 Generated with Claude Code

The vdnsrecord-v1alpha1 validating webhook had no matchPolicy, so it
defaulted to Equivalent: the apiserver converted v1alpha2 DNSRecord
writes to v1alpha1 and routed them through this webhook too. Since the
v2->v1 conversion stamps every record with the v1alpha2-spec annotation
the validator keys on, it rejected the DNS controller's own v1alpha2
auto-record updates ("... cannot be modified via v1alpha1"), looping the
DNS reconcile.

Set matchPolicy=Exact so the webhook only fires for genuine v1alpha1
requests, leaving v1alpha2 controller writes untouched. A v1alpha1-native
edit of a v2-backed record is still blocked (intended — it preserves the
controller-SA reservation on origin=auto and the v2-only data). Reworded
the message/var since it applies to any v2-backed record, not only manual.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
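To make the root cause above concrete, here is a small Go model (added for this write-up; it is not the project's code nor controller-runtime's) of how the apiserver decides whether an admission request reaches the v1alpha1 webhook under each matchPolicy. The plural resource name `dnsrecords` and the served-versions table are assumptions standing in for the real multi-version CRD.

```go
package main

import "fmt"
// GVR is the group/version/resource of an admission request as the apiserver sees it.
type GVR struct{ Group, Version, Resource string }

// MatchPolicy mirrors the admissionregistration.k8s.io field; an omitted value means Equivalent.
type MatchPolicy string
const (
	Exact      MatchPolicy = "Exact"
	Equivalent MatchPolicy = "Equivalent"
)

// Webhook is a minimal model of one validating webhook: a single rule plus its matchPolicy.
type Webhook struct {
	Name   string
	Rule   GVR // groups/versions/resources reduced to one entry each
	Policy MatchPolicy
}
// servedVersions stands in for the multi-version DNSRecord CRD (constructed): all served
// versions of one resource are "equivalent", and under Equivalent the apiserver converts
// the request to the rule's version before calling the webhook.
var servedVersions = map[GVR]bool{
	{"sreportal.io", "v1alpha1", "dnsrecords"}: true,
	{"sreportal.io", "v1alpha2", "dnsrecords"}: true,
}
// Matches reports whether an admission request for req is routed to w.
func (w Webhook) Matches(req GVR) bool {
	if w.Rule.Group != req.Group || w.Rule.Resource != req.Resource {
		return false
	}
	if w.Rule.Version == req.Version {
		return true // a genuine v1alpha1 request matches under either policy
	}
	policy := w.Policy
	if policy == "" {
		policy = Equivalent // the apiserver default when matchPolicy is omitted
	}
	// Equivalent: a v1alpha2 write to the same CRD is converted down and routed here too.
	return policy == Equivalent && servedVersions[w.Rule] && servedVersions[req]
}

func main() {
	rule := GVR{"sreportal.io", "v1alpha1", "dnsrecords"}
	before := Webhook{Name: "vdnsrecord-v1alpha1.kb.io", Rule: rule}               // no matchPolicy
	after := Webhook{Name: "vdnsrecord-v1alpha1.kb.io", Rule: rule, Policy: Exact} // the fix
	v2write := GVR{"sreportal.io", "v1alpha2", "dnsrecords"} // the controller's own auto-record update
	fmt.Println("routed before fix:", before.Matches(v2write), "after fix:", after.Matches(v2write))
}
```

In a kubebuilder project the same setting is the `matchPolicy` field of the `+kubebuilder:webhook` marker, which `make manifests` renders into config/webhook/manifests.yaml.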
@golgoth31 golgoth31 merged commit b95a642 into main Jun 18, 2026
2 checks passed
@golgoth31 golgoth31 deleted the fix/dnsrecord-v1alpha1-webhook-matchpolicy branch June 18, 2026 18:16