example-webhook-admission-controller

command module

v0.0.0-...-844f1cb Latest Latest Go to latest Published: Jan 24, 2018 License: Apache-2.0 Imports: 16 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/caesarxuchao/example-webhook-admission-controller

Links

Open Source Insights

README ¶

Deprecated

This example works for Kubernetes v1.8. To use webhooks in 1.9, please refer to the Kubernetes e2e test for the webhook setup and implementation. Note that the authentication model has changed in 1.9, so the two-way tls shown in this repository does not work in v1.9. The webhook in the e2e test uses one-way tls.

Kubernetes External Admission Webhook Example

The example shows how to build and deploy an external webhook that only admits pods creation and update if the container images have the "grc.io" prefix.

Prerequisites

Please use a Kubernetes release at least as new as v1.8.0 or v1.9.0-alpha.1, because the generated server cert/key only works with Kubernetes release that contains this change. Please checkout the pre-v1.8 tag for an example that works with older clusters.

Please enable the admission webhook feature (doc).

Build the code

make build

Deploy the code

make deploy-only

The Makefile assumes your cluster is created by the hack/local-up-cluster.sh. Please modify the Makefile accordingly if your cluster is created differently.

Explanation on the CAs/Certs/Keys

The apiserver initiates a tls connection with the webhook, so the apiserver is the tls client, and the webhook is the tls server.

The webhook proves its identity by the serverCert in the certs.go. The server cert is signed by the CA in certs.go. To let the apiserver trust the caCert, the webhook registers itself with the apiserver via the admissionregistration/v1alpha1/externalAdmissionHook API, with clientConfig.caBundle=caCert.

For maximum protection, this example webhook requires and verifies the client (i.e., the apiserver in this case) cert. The cert presented by the apiserver is signed by a client CA, whose cert is stored in the configmap extension-apiserver-authentication in the kube-system namespace. See the getAPIServerCert function for more information. Usually you don't need to worry about setting up this CA cert. It's taken care of when the cluster is created. You can disable the client cert verification by setting the tls.Config.ClientAuth to tls.NoClientCert in config.go.

Documentation ¶

There is no documentation for this package.

Source Files ¶

View all Source files

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL