{"id":19747965,"url":"https://github.com/tensorchord/envd-server-pod-webhook","last_synced_at":"2026-05-12T11:44:00.832Z","repository":{"id":103398923,"uuid":"579814404","full_name":"tensorchord/envd-server-pod-webhook","owner":"tensorchord","description":"A sample pod defaulting webhook on Kubernetes","archived":false,"fork":false,"pushed_at":"2022-12-19T10:47:32.000Z","size":49,"stargazers_count":1,"open_issues_count":0,"forks_count":0,"subscribers_count":5,"default_branch":"main","last_synced_at":"2025-02-28T08:06:19.200Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/tensorchord.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null}},"created_at":"2022-12-19T01:45:29.000Z","updated_at":"2022-12-19T10:47:37.000Z","dependencies_parsed_at":"2023-07-01T11:00:31.311Z","dependency_job_id":null,"html_url":"https://github.com/tensorchord/envd-server-pod-webhook","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/tensorchord/envd-server-pod-webhook","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/tensorchord%2Fenvd-server-pod-webhook","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/tensorchord%2Fenvd-server-pod-webhook/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/tensorchord%2Fenvd-server-pod-webhook/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/tensorchord%2Fenvd-server-pod-webhook/manifests","owner_url":"https://repos.ecosyste.m
s/api/v1/hosts/GitHub/owners/tensorchord","download_url":"https://codeload.github.com/tensorchord/envd-server-pod-webhook/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/tensorchord%2Fenvd-server-pod-webhook/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":32938001,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-12T09:19:52.626Z","status":"ssl_error","status_checked_at":"2026-05-12T09:17:33.438Z","response_time":102,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.6:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-12T02:19:38.178Z","updated_at":"2026-05-12T11:44:00.816Z","avatar_url":"https://github.com/tensorchord.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# envd-server-pod-webhook\n\n## Installation\nThis project can fully run locally and includes automation to deploy a local Kubernetes cluster (using Kind).\n\n### Requirements\n* Docker\n* kubectl\n* [Kind](https://kind.sigs.k8s.io/docs/user/quick-start/#installation)\n* Go \u003e=1.16 (optional)\n\n## Usage\n### Create Cluster\nFirst, we need to create a Kubernetes cluster:\n```\n❯ make cluster\n\n🔧 Creating Kubernetes cluster...\nkind create cluster --config dev/manifests/kind/kind.cluster.yaml\nCreating cluster \"kind\" ...\n ✓ Ensuring node image 
(kindest/node:v1.21.1) 🖼\n ✓ Preparing nodes 📦\n ✓ Writing configuration 📜\n ✓ Starting control-plane 🕹️\n ✓ Installing CNI 🔌\n ✓ Installing StorageClass 💾\nSet kubectl context to \"kind-kind\"\nYou can now use your cluster with:\n\nkubectl cluster-info --context kind-kind\n\nHave a nice day! 👋\n```\n\nMake sure that the Kubernetes node is ready:\n```\n❯ kubectl get nodes\nNAME                 STATUS   ROLES                  AGE     VERSION\nkind-control-plane   Ready    control-plane,master   3m25s   v1.21.1\n```\n\nAnd that system pods are running happily:\n```\n❯ kubectl -n kube-system get pods\nNAME                                         READY   STATUS    RESTARTS   AGE\ncoredns-558bd4d5db-thwvj                     1/1     Running   0          3m39s\ncoredns-558bd4d5db-w85ks                     1/1     Running   0          3m39s\netcd-kind-control-plane                      1/1     Running   0          3m56s\nkindnet-84slq                                1/1     Running   0          3m40s\nkube-apiserver-kind-control-plane            1/1     Running   0          3m54s\nkube-controller-manager-kind-control-plane   1/1     Running   0          3m56s\nkube-proxy-4h6sj                             1/1     Running   0          3m40s\nkube-scheduler-kind-control-plane            1/1     Running   0          3m54s\n```\n\n### Deploy Admission Webhook\nTo configure the cluster to use the admission webhook and to deploy said webhook, simply run:\n```\n❯ make deploy\n\n📦 Building envd-server-pod-webhook Docker image...\ndocker build -t envd-server-pod-webhook:latest .\n[+] Building 14.3s (13/13) FINISHED\n...\n\n📦 Pushing admission-webhook image into Kind's Docker daemon...\nkind load docker-image envd-server-pod-webhook:latest\nImage: \"envd-server-pod-webhook:latest\" with ID \"sha256:46b8603bcc11a8fa1825190d3ed99c099096395b22a709e13ec6e7ae2f54014d\" not yet present on node \"kind-control-plane\", loading...\n\n⚙️  Applying cluster config...\nkubectl apply -f 
dev/manifests/cluster-config/\nnamespace/apps created\nmutatingwebhookconfiguration.admissionregistration.k8s.io/envd-server.tensorchord.ai created\nvalidatingwebhookconfiguration.admissionregistration.k8s.io/envd-server.tensorchord.ai created\n\n🚀 Deploying envd-server-pod-webhook...\nkubectl apply -f dev/manifests/webhook/\ndeployment.apps/envd-server-pod-webhook created\nservice/envd-server-pod-webhook created\nsecret/envd-server-pod-webhook-tls created\n```\n\nThen, make sure the admission webhook pod is running (in the `default` namespace):\n```\n❯ kubectl get pods\nNAME                                        READY   STATUS    RESTARTS   AGE\nenvd-server-pod-webhook-77444566b7-wzwmx   1/1     Running   0          2m21s\n```\n\nYou can stream logs from it:\n```\n❯ make logs\n\n🔍 Streaming envd-server-pod-webhook logs...\nkubectl logs -l app=envd-server-pod-webhook -f\ntime=\"2021-09-03T04:59:10Z\" level=info msg=\"Listening on port 443...\"\ntime=\"2021-09-03T05:02:21Z\" level=debug msg=healthy uri=/health\n```\n\nAnd hit its health endpoint from your local machine:\n```\n❯ curl -k https://localhost:8443/health\nOK\n```\n\n### Deploying pods\nDeploy a valid test pod that gets successfully created:\n```\n❯ make pod\n\n🚀 Deploying test pod...\nkubectl apply -f dev/manifests/pods/lifespan-seven.pod.yaml\npod/lifespan-seven created\n```\nYou should see in the admission webhook logs that the pod got mutated and validated.\n\nDeploy an invalid pod that gets rejected:\n```\n❯ make bad-pod\n\n🚀 Deploying \"bad\" pod...\nkubectl apply -f dev/manifests/pods/bad-name.pod.yaml\nError from server: error when creating \"dev/manifests/pods/bad-name.pod.yaml\": admission webhook \"envd-server.tensorchord.ai\" denied the request: pod name contains \"offensive\"\n```\nYou should see in the admission webhook logs that the pod validation failed. 
It's possible you will also see that the pod was mutated, as webhook configurations are not ordered.\n\n## Testing\nUnit tests can be run with the following command:\n```\n$ make test\ngo test ./...\n?   \tgithub.com/tensorchord/envd-server-pod-webhook\t[no test files]\nok  \tgithub.com/tensorchord/envd-server-pod-webhook/pkg/admission\t0.611s\nok  \tgithub.com/tensorchord/envd-server-pod-webhook/pkg/mutation\t1.064s\nok  \tgithub.com/tensorchord/envd-server-pod-webhook/pkg/validation\t0.749s\n```\n\n## Admission Logic\nA set of validations and mutations is implemented in an extensible framework. They happen on the fly when a pod is deployed, and no further resources are tracked or updated (i.e., no controller logic).\n\n### Validating Webhooks\n#### Implemented\n- [name validation](pkg/validation/name_validator.go): validates that a pod name doesn't contain any offensive string\n\n#### How to add a new pod validation\nTo add a new pod validation, create a file `pkg/validation/MUTATION_NAME.go`, then create a new struct implementing the `validation.podValidator` interface.\n\n### Mutating Webhooks\n#### Implemented\n- [inject env](pkg/mutation/inject_env.go): injects environment variables into the pod, such as `KUBE: true`\n- [minimum pod lifespan](pkg/mutation/minimum_lifespan.go): injects a set of tolerations used to match pods to nodes of a certain age; the injected tolerations are controlled via the `acme.com/lifespan-requested` pod label.\n\n#### How to add a new pod mutation\nTo add a new pod mutation, create a file `pkg/mutation/MUTATION_NAME.go`, then create a new struct implementing the `mutation.podMutator` interface.\n\n## Acknowledgements\n\n- 
[slackhq/simple-kubernetes-webhook](https://github.com/slackhq/simple-kubernetes-webhook)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftensorchord%2Fenvd-server-pod-webhook","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ftensorchord%2Fenvd-server-pod-webhook","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftensorchord%2Fenvd-server-pod-webhook/lists"}