https://github.com/stevesloka/validatingwebhook
Example of a ValidatingWebHook for Kubernetes
- Host: GitHub
- URL: https://github.com/stevesloka/validatingwebhook
- Owner: stevesloka
- Created: 2018-05-21T03:08:11.000Z (over 7 years ago)
- Default Branch: master
- Last Pushed: 2020-02-16T19:16:10.000Z (almost 6 years ago)
- Last Synced: 2025-04-11T12:30:16.012Z (9 months ago)
- Topics: kubernetes
- Language: Go
- Homepage: https://kubernetes.io/docs/admin/extensible-admission-controllers/#configure-admission-webhooks-on-the-fly
- Size: 13.9 MB
- Stars: 12
- Watchers: 3
- Forks: 2
- Open Issues: 1
Metadata Files:
- Readme: README.md
README
# Kubernetes Admission Webhook
Admission webhooks are HTTP callbacks that receive admission requests and act on them.
You can define two types of admission webhooks: validating admission webhooks and mutating admission webhooks.
With validating admission webhooks, you may reject requests to enforce custom admission policies.
With mutating admission webhooks, you may change requests to enforce custom defaults.
This repo currently aims to provide an example of a validating admission webhook.
## Overview
The admission webhook requires a `ValidatingWebhookConfiguration` to be created. Once it exists, the Kubernetes API server sends admission requests to the webhook according to that configuration.
The configuration specifies the `namespace` and `service` the API server calls back to; that service processes the request and returns `Allowed` or `Disallowed` to the server.
If the request is disallowed, a `Status` is included in the response so it is clear why the request was denied.
The example code will allow any pod to be created except if one of the containers is named `steve`.
## Generate certs
The webhook requires the service to be serving TLS.
The following example shows a simple way to generate a self-signed cert.
Generate CA
```bash
$ openssl genrsa -out ca.key 2048
$ openssl req -x509 -new -nodes -key ca.key -days 100000 -out ca.crt -subj "/CN=admission_ca"
```
Generate server
```bash
$ openssl genrsa -out server.key 2048
$ openssl req -new -key server.key -out server.csr -subj "/CN=webhook.default.svc" -config server.conf
$ openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 100000 -extensions v3_req -extfile server.conf
```
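As an added example (not code from this repository), the same two-step CA and server certificate generation using Go's standard library. It makes explicit the one thing the `server.conf` referenced above has to provide: a `subjectAltName` DNS entry for the service name the API server dials, since the API server's TLS client matches that name against the SAN, not the CN. Assumptions: the Service is named `webhook` in the `default` namespace (matching the CN in the openssl commands), the output file names mirror the openssl steps, and the `caBundle` printed at the end is the base64 value the `ValidatingWebhookConfiguration` needs so the API server trusts this CA.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/pem"
	"fmt"
	"math/big"
	"os"
	"time"
)

// ServiceDNS is the in-cluster name the API server dials (assumption: a Service
// named "webhook" in namespace "default", the CN the README's openssl commands use).
const ServiceDNS = "webhook.default.svc"

// Bundle holds the PEM files the README's openssl steps produce.
type Bundle struct{ CACert, ServerCert, ServerKey []byte }

// GenerateBundle builds a self-signed CA and a server certificate signed by it. The DNS
// SAN is what the README's unseen server.conf must supply in its v3_req section: the
// API server's TLS client matches the SAN against the Service name, not the CN.
func GenerateBundle(serviceDNS string, validFor time.Duration) (*Bundle, error) {
	caKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	srvKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	notBefore, notAfter := time.Now().Add(-time.Minute), time.Now().Add(validFor)
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "admission_ca"},
		NotBefore:             notBefore,
		NotAfter:              notAfter,
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	srvTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: serviceDNS},
		DNSNames:     []string{serviceDNS}, // the SAN the API server checks
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	// Signed by the CA key; caTmpl supplies the issuer name, as in the openssl -CA step.
	srvDER, err := x509.CreateCertificate(rand.Reader, srvTmpl, caTmpl, &srvKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return &Bundle{
		CACert:     pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: caDER}),
		ServerCert: pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: srvDER}),
		ServerKey:  pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(srvKey)}),
	}, nil
}

// VerifyServing checks server.crt as the API server will: chains to ca.crt, valid for dnsName.
func VerifyServing(b *Bundle, dnsName string) error {
	roots := x509.NewCertPool()
	block, _ := pem.Decode(b.ServerCert)
	if !roots.AppendCertsFromPEM(b.CACert) || block == nil {
		return fmt.Errorf("ca.crt or server.crt is not valid PEM")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return err
	}
	_, err = cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: dnsName})
	return err
}

// CABundle is the base64 value for caBundle in the ValidatingWebhookConfiguration.
func CABundle(b *Bundle) string { return base64.StdEncoding.EncodeToString(b.CACert) }

func main() {
	b, err := GenerateBundle(ServiceDNS, 100000*24*time.Hour) // the README's lifetime
	if err != nil {
		panic(err)
	}
	for name, data := range map[string][]byte{"ca.crt": b.CACert, "server.crt": b.ServerCert, "server.key": b.ServerKey} {
		if err := os.WriteFile(name, data, 0o600); err != nil {
			panic(err)
		}
	}
	fmt.Println("caBundle:", CABundle(b))
}
```

Run it once in the working directory and feed the resulting `ca.crt`, `server.crt` and `server.key` into the secret step below exactly as the README does. `VerifyServing` reproduces the check the API server's TLS client performs, so a certificate that carries the service name only in its CN fails it, which is what happens at the first admission call if `server.conf` lacks the SAN.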
## Deploy
### Certs
Create a secret holding the certs created in the previous step:
```bash
$ kubectl create secret generic webhookcerts --from-file=server.crt --from-file=server.key
```
### Webhook
Deploy the webhook deployment, service, and config:
```bash
$ kubectl apply -f deployment
```
#### IngressRoute Validation
The webhook will also validate IngressRoute changes. This example has a hard-coded "root" IngressRoute namespace, which means a root IngressRoute is only allowed to be deployed to the "root" namespace.
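Both rules the README describes (deny any Pod with a container named `steve`, and allow a root IngressRoute only in the hard-coded `root` namespace) as one added example; this is not the repository's own code. It uses only the standard library: the `AdmissionReview` types are a hand-written subset of the `admission.k8s.io/v1` wire format rather than the `k8s.io/api` types, the `/validate` path and `:8443` port are assumed, `server.crt`/`server.key` are the files from the cert step, and, because the page does not show how the repo tells a root IngressRoute from a delegated one, the example assumes Contour's convention that a root IngressRoute is one that sets `spec.virtualhost`. The two sample reviews near the bottom are constructed, not captured from a cluster.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"net/http"
)

// Hand-written subset of the admission.k8s.io/v1 AdmissionReview wire format
// (an assumption made here so the example needs no k8s.io module).
type (
	AdmissionReview struct {
		APIVersion string             `json:"apiVersion"`
		Kind       string             `json:"kind"`
		Request    *AdmissionRequest  `json:"request,omitempty"`
		Response   *AdmissionResponse `json:"response,omitempty"`
	}
	AdmissionRequest struct {
		UID       string                             `json:"uid"`
		Kind      struct{ Kind string `json:"kind"` } `json:"kind"`
		Namespace string                             `json:"namespace"`
		Object    json.RawMessage                    `json:"object"` // the object being admitted
	}
	AdmissionResponse struct {
		UID     string  `json:"uid"`
		Allowed bool    `json:"allowed"`
		Status  *Status `json:"status,omitempty"` // the denial reason the README mentions
	}
	Status struct {
		Message string `json:"message"`
		Code    int    `json:"code"`
	}
)

// validate applies the README's two rules; a kind it does not know is allowed.
func validate(req *AdmissionRequest) (bool, string, error) {
	var obj struct{ Spec map[string]json.RawMessage `json:"spec"` } // only spec is inspected
	if err := json.Unmarshal(req.Object, &obj); err != nil {
		return false, "", fmt.Errorf("decode %s: %w", req.Kind.Kind, err)
	}
	switch req.Kind.Kind {
	case "Pod":
		var containers []struct{ Name string `json:"name"` }
		if err := json.Unmarshal(obj.Spec["containers"], &containers); err != nil {
			return false, "", fmt.Errorf("decode Pod containers: %w", err)
		}
		for _, c := range containers {
			if c.Name == "steve" {
				return false, fmt.Sprintf("container name %q is not allowed", c.Name), nil
			}
		}
	case "IngressRoute":
		// Assumption: a root IngressRoute is one that sets spec.virtualhost; "root" is hard-coded, as in the README.
		if _, isRoot := obj.Spec["virtualhost"]; isRoot && req.Namespace != "root" {
			return false, `root IngressRoutes are only allowed in namespace "root"`, nil
		}
	}
	return true, "", nil
}

// Review decodes one AdmissionReview and builds the reply the API server expects.
func Review(r io.Reader) (*AdmissionReview, error) {
	var in AdmissionReview
	if err := json.NewDecoder(r).Decode(&in); err != nil {
		return nil, err
	}
	if in.Request == nil {
		return nil, fmt.Errorf("AdmissionReview has no request")
	}
	allowed, reason, err := validate(in.Request)
	if err != nil {
		return nil, err
	}
	resp := &AdmissionResponse{UID: in.Request.UID, Allowed: allowed}
	if !allowed {
		resp.Status = &Status{Message: reason, Code: http.StatusForbidden}
	}
	return &AdmissionReview{APIVersion: in.APIVersion, Kind: in.Kind, Response: resp}, nil
}

// handle serves /validate; a malformed review is an HTTP error, so the API server applies failurePolicy.
func handle(w http.ResponseWriter, r *http.Request) {
	if out, err := Review(r.Body); err != nil {
		http.Error(w, err.Error(), http.StatusBadRequest)
	} else {
		w.Header().Set("Content-Type", "application/json")
		json.NewEncoder(w).Encode(out)
	}
}

// Constructed sample reviews, not captured from a cluster.
const PodWithSteve = `{"apiVersion":"admission.k8s.io/v1","kind":"AdmissionReview","request":{"uid":"u1","kind":{"group":"","version":"v1","kind":"Pod"},"namespace":"default","object":{"spec":{"containers":[{"name":"nginx"},{"name":"steve"}]}}}}`
const RootRouteInDefault = `{"apiVersion":"admission.k8s.io/v1","kind":"AdmissionReview","request":{"uid":"u2","kind":{"group":"contour.heptio.com","version":"v1beta1","kind":"IngressRoute"},"namespace":"default","object":{"spec":{"virtualhost":{"fqdn":"example.com"},"routes":[]}}}}`

func main() { // server.crt and server.key are the files from the README's cert step (paths assumed)
	http.HandleFunc("/validate", handle)
	panic(http.ListenAndServeTLS(":8443", "server.crt", "server.key", nil))
}
```

A decode failure is answered with HTTP 400 rather than an `allowed: true`, so the API server applies the configuration's `failurePolicy` instead of silently admitting an object the webhook could not inspect. The denial reason travels in `response.status.message`, which is the text the API server includes in the error returned to `kubectl`.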
