{"id":19661878,"url":"https://github.com/nsubrahm/k8s-mutating-webhook","last_synced_at":"2025-09-04T02:32:34.869Z","repository":{"id":41746408,"uuid":"228530780","full_name":"nsubrahm/k8s-mutating-webhook","owner":"nsubrahm","description":"Kubernetes mutating webhook to inject sidecar containers in a pod","archived":false,"fork":false,"pushed_at":"2022-12-11T17:33:18.000Z","size":97,"stargazers_count":12,"open_issues_count":4,"forks_count":1,"subscribers_count":0,"default_branch":"master","last_synced_at":"2025-04-28T21:43:00.035Z","etag":null,"topics":["docker","kubernetes","mutating-webhook","nodejs","webhook"],"latest_commit_sha":null,"homepage":null,"language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/nsubrahm.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2019-12-17T04:12:46.000Z","updated_at":"2024-04-15T23:33:00.000Z","dependencies_parsed_at":"2023-01-27T04:00:53.224Z","dependency_job_id":null,"html_url":"https://github.com/nsubrahm/k8s-mutating-webhook","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/nsubrahm/k8s-mutating-webhook","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nsubrahm%2Fk8s-mutating-webhook","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nsubrahm%2Fk8s-mutating-webhook/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nsubrahm%2Fk8s-mutating-webhook/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nsubrahm%2Fk8s-mutating-webhook/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/nsubrahm","download_url":"https://codeload.github.com/nsubrahm/k8s-mutating-webhook/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nsubrahm%2Fk8s-mutating-webhook/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":263469330,"owners_count":23471503,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["docker","kubernetes","mutating-webhook","nodejs","webhook"],"created_at":"2024-11-11T16:08:55.096Z","updated_at":"2025-07-04T07:35:05.340Z","avatar_url":"https://github.com/nsubrahm.png","language":"Shell","readme":"# Introduction\n\nThis branch demonstrates a simple example of a Kubernetes mutating webhook implemented with NodeJS. This branch accompanies the Medium articles: \n\n1. [Kubernetes Mutating Webhook in NodeJS - Part I - Introduction](https://medium.com/@nageshblore/kubernetes-mutating-webhook-with-nodejs-part-i-introduction-ee33b2668af4).\n2. [Kubernetes Mutating Webhook with NodeJS— Part II — Development](https://medium.com/@nageshblore/kubernetes-mutating-webhook-part-ii-development-bec5033c591d).\n\n- [Introduction](#introduction)\n  - [Quick start](#quick-start)\n    - [Clone repository](#clone-repository)\n    - [Launch kind](#launch-kind)\n    - [Deploy webhook server and webhook configuration](#deploy-webhook-server-and-webhook-configuration)\n    - [Start a test pod](#start-a-test-pod)\n    - [Testing the deployment](#testing-the-deployment)\n  - [How does it work](#how-does-it-work)\n\n## Quick start\n\nStart with cloning the GitHub repository and change into cloned directory.\n\n### Clone repository\n\n```bash\ngit clone https://github.com/nsubrahm/k8s-mutating-webhook.git\ncd k8s-mutating-webhook\n```\n\n### Launch `kind`\n\nThe APIs that need to be enabled in `kind` will be passed via a configuration file. The `kubectl` context needs to be configured to use `kind` cluster. These steps are executed with commands as shown below.\n\n```bash\ncd yaml\nkind create cluster --config kind.yaml\nkubectl config use-context kind-kind\n```\n\n### Deploy webhook server and webhook configuration\n\nThe command shown below will deploy the webhook server (that will actually mutate the request) and the webhook configuration (that defines the webhook server to `kube-apiserver`). This command takes three arguments in this order:\n\n1. Webhook application name e.g. `webhook` in the command below.\n2. Namespace e.g. `sidecars` in the command below.\n3. Docker repository name e.g. `your_docker_repo` in the command below. The name of the image is derived from the webhook application name suffixed with `-server`. The tag of the image is set to `0.0.0`.\n\n```bash\ncd ..\nscripts/install.sh webhook sidecars your_docker_repo\n```\n\n### Start a test pod\n\nOnce the webhook server is deployed, you may have to wait a couple of seconds for it to come up. The status can be checked by running `kubectl get po/webhook -n sidecars`. The webhook server is ready to accept requests if the status is seen as `Running`. To start a test pod, run the command below.\n\n```bash\ncd yaml\nkubectl create -f test.yaml -n sidecars\n```\n\n### Testing the deployment\n\nThe `test.yaml` is written to start a pod named `demo` having a container with the image as `tutum/curl`. The webhook server will 'mutate' this YAML such that the image name is now set to `debian`. Thus, once the pod is deployed, it can be examined for the images running in the container using the command below. It will return the image name as `debian` as defined in the mutating webhook.\n\n```bash\nkubectl get po/demo -n sidecars -o jsonpath='{.spec.containers[0].image}'\n```\n\n## How does it work\n\nHere is a quick explanation of how the mutation happens. For details, see [Kubernetes Mutating Webhook with NodeJS— Part II — Development](https://medium.com/@nageshblore/kubernetes-mutating-webhook-part-ii-development-bec5033c591d).\n\n1. Register a `MutatingWebhookConfiguration` as generated in `yaml/mutatingWebhookConfiguration.yaml`.\n   1. The `webhooks` is an array of webhooks that need to be invoked.\n   2. Only one webhook is defined where, the `clientConfig.service.name` points to a service that will mutate the request.\n   3. This service is available at the `/mutate` end-point as defined in `clientConfig.service.path`.\n2. Deploy the webhook application, that will mutate the request, as defined in the `webhook-deploy.yaml`.\n   1. The webhook API is _always_ invoked over `https` and port `443` by default.\n   2. The end-point should be configured with certificate and private key files. These files are generated in the `certs` directory and are used to create the `webhook-tls-secret` object where, the string `webhook` is derived from the application name provided to the installation script.\n3. When the request is submitted with `yaml/test.yaml`:\n   1. `kube-apiserver` forwards this request to the registered webhook.\n   2. The webhook forwards the request to the end-point and service as defined in `clientConfig.service.path` (`/mutate` in this example implementation) and `clientConfig.service.name` respectively.\n   3. At the `/mutate` end-point, a response is generated where the image name in the request (i.e. `test.yaml`) is modified to hold the name `debian` - see [`mutate.js`](webhook/app/mutate.js) for details.\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnsubrahm%2Fk8s-mutating-webhook","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fnsubrahm%2Fk8s-mutating-webhook","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnsubrahm%2Fk8s-mutating-webhook/lists"}