When trying to use kubectl diff on a clusters.provisioning.cattle.io resource, the validating webhook blocks the request, because the PSACT (pod security admission controller template) changes to the machineSelectorFiles are skipped by the mutating webhook when in dry-run mode (which kubectl diff uses).
From the kubectl CLI:

```
Error from server (InternalError): Internal error occurred: failed calling webhook "rancher.cattle.io.clusters.provisioning.cattle.io": ...
```

From the Rancher webhook:

```
level=error msg="[provisioning cluster validator] machineSelectorFile for PSA should be in the cluster Spec"
```
The mutating webhook skips handlePSACT when in dry-run mode (kubectl diff), so they don't get added:

```go
// Admit is the entrypoint for the mutator. Admit will return an error if it unable to process the request.
func (m *ProvisioningClusterMutator) Admit(request *admission.Request) (*admissionv1.AdmissionResponse, error) {
	if request.DryRun != nil && *request.DryRun {
		return &admissionv1.AdmissionResponse{
			Allowed: true,
		}, nil
	}
	...
	response, err := m.handlePSACT(request, cluster)
```
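
The failure mode described in this report, reduced to a runnable Go model (an added example, not Rancher's code or its fix). `Cluster`, `psaFile`, `mutate`, `validate` and `admit` are hypothetical stand-ins, and the model assumes the PSACT change is purely in-memory; any write to other objects would still have to be skipped on dry-run.

```go
package main

import "fmt"

// Cluster is a simplified stand-in (assumption), not the Rancher type.
type Cluster struct {
	PSACT string   // name of the PSA template, "" if unset
	Files []string // stands in for machineSelectorFiles
}

const psaFile = "psa-file" // constructed marker for the PSA file entry

func hasPSAFile(c Cluster) bool {
	for _, f := range c.Files {
		if f == psaFile {
			return true
		}
	}
	return false
}

// mutate models the mutator. skipOnDryRun=true reproduces the early return
// from the report; false applies the in-memory change on dry-run as well.
func mutate(c *Cluster, dryRun, skipOnDryRun bool) {
	if skipOnDryRun && dryRun {
		return
	}
	if c.PSACT != "" && !hasPSAFile(*c) {
		c.Files = append(c.Files, psaFile)
	}
}

// validate models the validator, which expects the mutation on every request.
func validate(c Cluster) error {
	if c.PSACT != "" && !hasPSAFile(c) {
		return fmt.Errorf("machineSelectorFile for PSA should be in the cluster Spec")
	}
	return nil
}

// admit chains both webhooks in the order the API server calls them.
func admit(c Cluster, dryRun, skipOnDryRun bool) error {
	mutate(&c, dryRun, skipOnDryRun)
	return validate(c)
}

func main() {
	c := Cluster{PSACT: "example-template"} // constructed sample
	fmt.Println(admit(c, true, true), "|", admit(c, true, false))
}
```

The first call returns the validator error seen in the webhook log; the second returns nil because the validator sees the same object shape it would see on a real write.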