{"id":13839369,"url":"https://github.com/openshift/generic-admission-server","last_synced_at":"2025-05-15T03:07:43.506Z","repository":{"id":37664010,"uuid":"107308294","full_name":"openshift/generic-admission-server","owner":"openshift","description":"A library for writing admission webhooks based on k8s.io/apiserver","archived":false,"fork":false,"pushed_at":"2025-02-03T20:46:36.000Z","size":48004,"stargazers_count":155,"open_issues_count":1,"forks_count":52,"subscribers_count":16,"default_branch":"master","last_synced_at":"2025-04-14T03:11:26.257Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/openshift.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2017-10-17T18:28:11.000Z","updated_at":"2025-04-04T04:31:30.000Z","dependencies_parsed_at":"2024-11-14T06:02:11.494Z","dependency_job_id":"3bf92a17-68b4-4fc4-ad24-949fb1c1e7bd","html_url":"https://github.com/openshift/generic-admission-server","commit_stats":null,"previous_names":[],"tags_count":6,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/openshift%2Fgeneric-admission-server","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/openshift%2Fgeneric-admission-server/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/openshift%2Fgeneric-admission-server/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/openshift%2Fgeneric-admission-server/
manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/openshift","download_url":"https://codeload.github.com/openshift/generic-admission-server/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":254264769,"owners_count":22041794,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-04T17:00:20.572Z","updated_at":"2025-05-15T03:07:38.478Z","avatar_url":"https://github.com/openshift.png","language":"Go","funding_links":[],"categories":["Framework"],"sub_categories":[],"readme":"# generic-admission-server\nA library for writing admission webhooks based on k8s.io/apiserver\n\n```go\npackage main\n\nimport (\n\t\"github.com/openshift/generic-admission-server/pkg/cmd\"\n\tadmissionv1beta1 \"k8s.io/api/admission/v1beta1\"\n\t\"k8s.io/apimachinery/pkg/runtime/schema\"\n\t\"k8s.io/client-go/rest\"\n)\n\n// admissionHook implements the validating hook interface that cmd.RunAdmissionServer expects\ntype admissionHook struct{}\n\nfunc main() {\n\tcmd.RunAdmissionServer(\u0026admissionHook{})\n}\n\n// where to host it\nfunc (a *admissionHook) ValidatingResource() (plural schema.GroupVersionResource, singular string) {\n\treturn schema.GroupVersionResource{Group: \"admission.core.example.com\", Version: \"v1\", Resource: \"flunders\"}, \"flunder\"\n}\n\n// your business logic\nfunc (a *admissionHook) Validate(admissionSpec *admissionv1beta1.AdmissionRequest) *admissionv1beta1.AdmissionResponse {\n\t// placeholder: allows every request until you add real checks\n\treturn \u0026admissionv1beta1.AdmissionResponse{Allowed: true}\n}\n\n// any special initialization goes here\nfunc (a *admissionHook) Initialize(kubeClientConfig *rest.Config, stopCh \u003c-chan struct{}) error {\n\treturn nil\n}\n```\n\n## Why use this library?\n\nThis library helps you to write secure [Admission Webhooks](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/).\nIt uses TLS authentication and authorization mechanisms which are built into the [Kubernetes aggregated API server](https://github.com/kubernetes/apiserver) 
library,\nwhich means that your webhooks are secure by default.\n\nUsing this library allows you to avoid the complication of creating and maintaining a client key and certificate for each webhook server;\nyou only need to maintain a server key and certificate for each webhook server.\nAnd by using this library your webhook will also perform authorization which uses Kubernetes' own `SubjectAccessReview` and `RBAC` mechanisms.\n\n## Deployment\n\nDeploy your webhook as an [aggregated API server](https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/apiserver-aggregation/).\nThis provides one or more new Kubernetes API endpoints which are served by the Kubernetes API server itself,\ne.g. `/apis/admission.core.example.com/v1/flunders`.\nEnsure that these endpoints are accessible before continuing.\n\nThen [configure admission webhooks](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#configure-admission-webhooks-on-the-fly) which target this new endpoint on the Kubernetes API server.\nE.g.\n\n```yaml\napiVersion: admissionregistration.k8s.io/v1beta1\nkind: ValidatingWebhookConfiguration\nmetadata:\n  name: example-webhook\nwebhooks:\n  - name: admission.core.example.com\n    rules:\n      - apiGroups:\n          - \"core.example.com\"\n        apiVersions:\n          - v1\n        operations:\n          - CREATE\n          - UPDATE\n        resources:\n          - flunders\n    failurePolicy: Fail\n    clientConfig:\n      service:\n        name: kubernetes\n        namespace: default\n        path: /apis/admission.core.example.com/v1/flunders\n      caBundle: $CA_BUNDLE\n```\n\nIn this way, the [MutatingAdmissionWebhook](https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#mutatingadmissionwebhook) or [ValidatingAdmissionWebhook](https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#validatingadmissionwebhook) admission controllers, running in the Kubernetes API 
server process, loop back to the main Kubernetes API service.\n\n## Architecture\n\nKubernetes API servers connect to webhook servers using TLS-encrypted HTTPS connections.\nIn a production environment, the [Kubernetes API servers should also be configured to authenticate themselves to webhook servers](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#authenticate-apiservers),\nand your webhook servers should verify the authenticity of the requests they receive from Kubernetes API servers.\nBut this is (currently) rather complicated to maintain because you have to provide a `kubeConfig` file containing the client authentication configuration for each webhook server.\n\nAn alternative approach, used by this library, is to deploy the webhook server as a [Kubernetes aggregated API server](https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/apiserver-aggregation/).\nThe advantage of this approach is that the [mechanism for establishing mutual authentication between the Kubernetes API server and aggregate API servers is more mature and easier to maintain](https://kubernetes.io/docs/tasks/access-kubernetes-api/configure-aggregation-layer/#authentication-flow).\nIn this mechanism, Kubernetes takes care of generating the client authentication credentials that it uses when connecting to aggregate API servers.\nAnd the aggregate API server then reads these client credentials from a standardized `ConfigMap` at `kube-system/extension-apiserver-authentication`.\nThe [Kubernetes API server library](https://github.com/kubernetes/apiserver) takes care of all this for you.\n\nAdditional security is provided because the [webhook aggregate API server authorizes the request](https://kubernetes.io/docs/tasks/access-kubernetes-api/configure-aggregation-layer/#extension-apiserver-authorizes-the-request).\nThe webhook aggregate API server will receive the username and group of the user or service account that made the request 
that triggered the webhook.\nAnd it will check, using a `SubjectAccessReview`, that the original user has permission to interact with this webhook API.\n\n## FAQ\n\n### Why can't I write a simple HTTP webhook server?\n\nAdmission webhooks have tremendous power over what can and cannot be created in the API.\nThey can see, validate, and in some cases mutate every object in the cluster,\nso it is vital that the API server can verify that it is connecting to an authentic webhook server.\nAnd it is also vital that a webhook server can verify that it is receiving requests from an authentic Kubernetes API server.\nKubernetes will eventually deprecate and remove all unencrypted HTTP APIs.\n\n### OK, but how am I supposed to manage all the TLS certificates for my webhooks?\n\nFor testing purposes, you can create a private key and a self-signed certificate using `openssl` or `cfssl`.\n\nIn production, you must implement a process for rotating the certificates.\nFor example:\n* [OpenShift Service CA Operator](https://github.com/openshift/service-ca-operator): Controller to mint and manage serving certificates for Kubernetes services.\n* [cert-manager](https://docs.cert-manager.io/en/latest/tasks/issuers/setup-ca.html): A controller for automatically provisioning and managing TLS certificates in Kubernetes.\n\n## Examples of Projects that use OpenShift Generic Admission Server\n\nHere is a selection of webhooks which use the OpenShift Generic Admission Server:\n\n* [OpenShift Kubernetes Namespace Reservation](https://github.com/openshift/kubernetes-namespace-reservation): An admission webhook that prevents the creation of specified namespaces.\n* [Quack](https://github.com/pusher/quack): In-cluster templating for Kubernetes manifests.\n* [Cert-Manager Validating Webhook](https://docs.cert-manager.io/en/latest/getting-started/webhook.html): Allows cert-manager to validate that Issuer, ClusterIssuer and Certificate resources submitted to the apiserver are 
syntactically valid.\n* [Anchore Image Validator](https://github.com/banzaicloud/anchore-image-validator): Lets you automatically detect or block security issues just before a Kubernetes pod starts.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fopenshift%2Fgeneric-admission-server","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fopenshift%2Fgeneric-admission-server","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fopenshift%2Fgeneric-admission-server/lists"}