{"id":15655648,"url":"https://github.com/developer-guy/admission-webhook-example-with-openfaas","last_synced_at":"2025-05-05T14:42:33.482Z","repository":{"id":42575863,"uuid":"306127949","full_name":"developer-guy/admission-webhook-example-with-openfaas","owner":"developer-guy","description":"Use OpenFaaS functions as Kubernetes Validating Admission Webhook","archived":false,"fork":false,"pushed_at":"2023-06-01T06:45:59.000Z","size":66,"stargazers_count":23,"open_issues_count":1,"forks_count":2,"subscribers_count":2,"default_branch":"master","last_synced_at":"2025-03-30T21:51:15.508Z","etag":null,"topics":["admission-webhook","arkade","faas-cli","kind","kubectl","kubernetes-cluster","openfaas","openfaas-cli","openfaas-function","openfaas-functions","validating-webhook"],"latest_commit_sha":null,"homepage":"https://www.openfaas.com/blog/kubernetes-webhooks-made-easy-with-openfaas/","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/developer-guy.png","metadata":{"files":{"readme":"README.MD","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2020-10-21T19:32:51.000Z","updated_at":"2024-05-02T16:28:44.000Z","dependencies_parsed_at":"2024-10-23T04:59:00.118Z","dependency_job_id":null,"html_url":"https://github.com/developer-guy/admission-webhook-example-with-openfaas","commit_stats":{"total_commits":11,"total_committers":4,"mean_commits":2.75,"dds":0.5454545454545454,"last_synced_commit":"e0f36739b19cb3c8365dc8538b4c7e4ef1ebcc40"},"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/developer-guy%2Fadmission-webhook-example-with-openfaas","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/developer-guy%2Fadmission-webhook-example-with-openfaas/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/developer-guy%2Fadmission-webhook-example-with-openfaas/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/developer-guy%2Fadmission-webhook-example-with-openfaas/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/developer-guy","download_url":"https://codeload.github.com/developer-guy/admission-webhook-example-with-openfaas/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":252516200,"owners_count":21760742,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["admission-webhook","arkade","faas-cli","kind","kubectl","kubernetes-cluster","openfaas","openfaas-cli","openfaas-function","openfaas-functions","validating-webhook"],"created_at":"2024-10-03T13:00:13.387Z","updated_at":"2025-05-05T14:42:33.455Z","avatar_url":"https://github.com/developer-guy.png","language":"Go","readme":"# Prerequisites\n* A Kubernetes cluster (kind, minikube, etc.)\n* OpenFaaS CLI\n* Arkade\n* Kubectl\n* KinD\n\n## 2. Setup Tools\n* Arkade\n```sh\n$ curl -sLS https://dl.get-arkade.dev | sudo sh\n```\n\n* KinD\n```sh\n$ arkade get kind\n```\n\n* Kubectl\n```sh\n$ arkade get kubectl\n```\n\n* OpenFaaS CLI\n```sh\n$ arkade get faas-cli\n```\n\n# Setup\n\n## 1. Set Up a Kubernetes Cluster with Kind (Optional)\n\nWith Kind, you can run a local Kubernetes cluster using Docker containers as nodes. The steps in this section are optional. Follow them only if you don't have a running Kubernetes cluster.\n\nCreate a file named openfaas-cluster.yaml, and copy in the following spec:\n\n```yaml\nkind: Cluster\napiVersion: kind.x-k8s.io/v1alpha4\nnodes:\n- role: control-plane\n- role: worker\n```\n\n```bash\n$ kind create cluster --config kind-specs/kind-cluster.yaml\n```\n\n* Deploy OpenFaaS to a Kubernetes Cluster with:\n\n```sh\n$ arkade install openfaas\n```\n\n* Verify that the deployments were created\n\n```sh\n$ kubectl get deployments -n openfaas -l \"release=openfaas, app=openfaas\"\n```\n\n## 3. Deploy Validating Admission Webhook\n\n```sh\n$ cd deployment\n$ sh webhook-create-signed-cert.sh\n$ export CA_BUNDLE=$(kubectl config view --minify --flatten -o json | jq -r '.clusters[] | select(.name == \"'$(kubectl config current-context)'\") | .cluster.\"certificate-authority-data\"')\n$ sed -e \"s|\\${CA_BUNDLE}|${CA_BUNDLE}|g\" validatingwebhook.yaml | kubectl apply -f -\n$ cd ..\n$ DOCKER_USER=username ./build\n$ cd deployment\n$ kubectl apply -f rbac.yaml\n$ kubectl apply -f service.yaml\n$ kubectl apply -f deployment.yaml # make sure you are using same 'DOCKER_USER' in deployment.yaml. i.e: devopps\n# Label the default namespace to enable the webhook\n$ kubectl label namespaces default admission-webhook-example=enabled\n```\n\n## 4. Building OpenFaaS Function\n\n```sh\n$ cd functions\n$ faas-cli up -f requiredlabel.yml # (build-push-deploy) make sure you are using your docker hub username. i.e: devopps\n```\n\n* Verify the functions that are working in `openfaas-fn` namespace.\n\n## 5. Testing the whole workflow\n\n* K8S API -\u003e WebHook Broker w/TLS -\u003e OpenFaaS Gateway (w/HTTP) --\u003e OpenFaaS Function \n\n* The purpose of this PoC is that to validate that pods has required `labels`. Which means you must have that labels:\n\n```yaml\napp.kubernetes.io/name: sleep\napp.kubernetes.io/instance: sleep\napp.kubernetes.io/version: \"0.1\"\napp.kubernetes.io/component: dummy\napp.kubernetes.io/part-of: admission-webhook-example\napp.kubernetes.io/managed-by: kubernetes\n```\n\n* Any Pod who have above labels is valid for us.\n```sh\n`./deployment/sleep.yaml` -\u003e Incorrect, not-valid (We should deny this creation request.)\n`./deployment/sleep-no-validation.yaml` -\u003e Skip-validation (Based on `admission-webhook-example.qikqiak.com/validate: \"false\"` annotation, we skipped validation.)\n`./deployment/sleep-with-labels.yaml` -\u003e Correct, valid (We should accept this creation request.)\n```\n\n## 6. References\n* https://appfleet.com/blog/create-serverless-functions-with-openfaas/\n* https://github.com/morvencao/kube-mutating-webhook-tutorial\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdeveloper-guy%2Fadmission-webhook-example-with-openfaas","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdeveloper-guy%2Fadmission-webhook-example-with-openfaas","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdeveloper-guy%2Fadmission-webhook-example-with-openfaas/lists"}