技术漫谈 | 为kubernetes构建自定义admission webhook


​原创作者:马涛本文包含admission webhook的server端demo、证书制作以及验证,欢迎各位前来围观。
demo中定义了webhook server, 通过jsonpatch的方式修改带有特定标签deployment的resources,地址请参考https://github.com/mojo-zd/kube-webhooks。
一、为什么使用 admission webhookkubernetes的admission webhook为开发者提供了非常灵活的插件模式,在kubernetes资源持久化之前用户可以对指定资源做校验、修改等操作。
应用场景 eg:接入sidecare、设置默认的servceaccount、设置quota等等。
二、webhook如何工作的注册webhook server资源操作请求通过API Server Auth验证根据注册信息回调对应的webhook serverwebhook注册信息说明apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingWebhookconfiguration
metadata:
name: config
webhooks:
– name: lb-webhook.default.svc ①
rules: ②
– apiGroups:
– “*”
apiVersions:
– “*”
operations:
– CREATE
resources:
– deployments
clientConfig:
service:
namespace: default ③
name: lb-webhook ④
path: /deployments/mutate ⑤
⑥caBundle: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUNwakNDQVk0Q0NRQ0pXMWhxTnBXVVpEQU5CZ2txaGtpRzl3MEJBUXNGQURBVU1SSXdFQVlEVlFRRERBbFgKYVhObE1tTWdRMEV3SUJjTk1Ua3dOekUxTURZMU5EVXhXaGdQTWpFeE9UQTJNakV3TmpVME5URmFNQlF4RWpBUQpCZ05WQkFNTUNWZHBjMlV5WXlCRFFUQ0NBU0l3RFFZSktvWklodmNOQVFFQkJRQURnZ0VQQURDQ0FRb0NnZ0VCCkFPalpHM2tZcGZCMjFkNmREY2RRcU1IQ0NPRTU5NDlTeU5GTEhWWWpkYk52djRHQnlFOUJHVitCVzFxOS9rRHMKYmFFUTVZWnB3Q3NwS2lpL04zbEZEdTZRN2RqM0d1YnhOQlc5YWRmN0JrcFQreVhJRUVuRU9jTnViekhwbm9PNwpYdlVxMnpKQlYzd1FPbTgxMnBZeDlzckprYnAvclF1MjVqTktPZC9tZDEyMG1SRXN5Q3VLOTBIaXFqTjlLYlJICjVXaEh0R09SUjB1QWlTMGJoc0g0aElYRHhqMWhqenZEK21BZ2FPa0xRYjBBNDFZNGo2bE5GNUp6Q2h6eUJZYmYKbTFFVzRFdGdjZElvZ0hDRWVYekdXMEVHMWYvMVJuNDhGOXJMeFJ6ZTQyODFNbTJWZUh4ZGhBdXZSbGxPL3lHYgpnbEphSjlQTDFwdldNR2JMWC9jSmE4TUNBd0VBQVRBTkJna3Foa2lHOXcwQkFRc0ZBQU9DQVFFQUtONUtLVndEClZ1VzBTQmVtbE9ENnRDUFowWmVlMEtITUliMUh4T3kwblM3akYxRm84Ukw0K25lMDB4ZEhmelNZcm5JSWZpSy8KL3UraVNpTk80RjhNQlo5RzI1OFhzcS9zVkpJWkhCRE9ad3M2emZkMklvdUdubFF5QU5tdEpHeTFTNDNOaFcvbwp0aTJQTlVzQ2hMdy9hQ21COEVlU3BRb0FZeHhVTW1SK3pHUEY2VGszQ3Z6T1c2ekczT1g3bWhzMVdtU1orTS9tCjJRbElKRWpQQVYzWDJMOUN5UTRucW5MSks5dDltcWpaOFJyRmcwNFR0QnhEYUdYazAvQ2JlSURibUxPRitOdzMKOWhUNm9QNlhoaGNHb0h2dG91MndUOU5GTjdxY1R5cC9GaDFRaktxdTJLOWNyUWs3Wk52QUdGVWdISnBhb0UxRAp2NzV3cGp3bG1TSU5Bdz09Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
① webhook名称② 描述api-server操作什么资源什么动作时调用webhook插件③ webhook service所在的namespace④ webhook service name⑤ 调用webhook api的地址⑥ 提供和webhook通信的TLS链接信息, 生成的证书必须支持<svc_name>.<svc_namespace>.svc更多参数设置请参考文档https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers注: 如何编写webhook server可以参考https://github.com/kubernetes/kubernetes/blob/v1.13.0/test/images/webhook/main.go三、准备准备一个kubernetes集群必须为v1.9或以上的版本(本人基于v1.13.6的版本测试的)。
api server需要开启MutatingAdmissionWebhook ValidatingAdmissionWebhook,通过以下命令可查看。
kubectl api-versions | grep admissionregistration
> admissionregistration.k8s.io/v1beta1
四、证书制作手动制作证书生成密钥位数为 2048 的 ca.keyopenssl genrsa -out ca.key 2048
依据 ca.key 生成 ca.crt (使用 -days 参数来设置证书有效时间):penssl req -x509 -new -nodes -key ca.key -subj “/CN=lb-webhook.default.svc” -days 10000 -out ca.crt
生成密钥位数为 2048 的 server.keyopenssl genrsa -out server.key 2048
创建用于生成证书签名请求(CSR)的配置文件。
确保在将其保存至文件(如csr.conf)。
[ req ]
default_bits = 2048
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn

[ dn ]
C = CN
ST = SiChuan
L = SZ
O = Wise2c
OU = Wise2c
CN = lb-webhook.default.svc

[ req_ext ]
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = lb-webhook.default.svc

[ v3_ext ]
authorityKeyIdentifier=keyid,issuer:always
basicConstraints=CA:FALSE
keyUsage=keyEncipherment,dataEncipherment
extendedKeyUsage=serverAuth,clientAuth
[email protected]_names
基于配置文件生成证书签名请求:openssl req -new -key server.key -out server.csr -config csr.conf
使用 ca.key、ca.crt 和 server.csr 生成服务器证书:openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key
-CAcreateserial -out server.crt -days 10000
-extensions v3_ext -extfile csr.conf
查看证书openssl x509 -noout -text -in ./server.crt
自动生成证书可用脚本文件https://github.com/mojo-zd/kube-webhooks/blob/master/scripts/Makefile执行make URL=lb-webhook.default.svc 相关说明请参考该项目readme.md。
!!!Waring: 证书制作也可以使用cert-manager(可自动为证书续期)来操作,具体操作可以参考官网也可以参考https://github.com/mojo-zd/kube-webhooks/tree/master/deployments/cert-manager五、部署通过上面的操作,已经生成好了部署前的准备工作(证书)。
接下来我们需要使用证书。
部署文件定义admissionregistration.yaml,文件中的caBundle使用的是上面生成ca.crt文件内容的base64值。
apiVersion: admissionregistration.k8s.io/v1beta1
kind: MutatingWebhookConfiguration
metadata:
name: config
webhooks:
– name: lb-webhook.default.svc
rules:
– apiGroups:
– “*”
apiVersions:
– “*”
operations:
– CREATE
resources:
– deployments
clientConfig:
service:
namespace: default
name: lb-webhook
path: /deployments/mutate
caBundle: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUNwakNDQVk0Q0NRQ0pXMWhxTnBXVVpEQU5CZ2txaGtpRzl3MEJBUXNGQURBVU1SSXdFQVlEVlFRRERBbFgKYVhObE1tTWdRMEV3SUJjTk1Ua3dOekUxTURZMU5EVXhXaGdQTWpFeE9UQTJNakV3TmpVME5URmFNQlF4RWpBUQpCZ05WQkFNTUNWZHBjMlV5WXlCRFFUQ0NBU0l3RFFZSktvWklodmNOQVFFQkJRQURnZ0VQQURDQ0FRb0NnZ0VCCkFPalpHM2tZcGZCMjFkNmREY2RRcU1IQ0NPRTU5NDlTeU5GTEhWWWpkYk52djRHQnlFOUJHVitCVzFxOS9rRHMKYmFFUTVZWnB3Q3NwS2lpL04zbEZEdTZRN2RqM0d1YnhOQlc5YWRmN0JrcFQreVhJRUVuRU9jTnViekhwbm9PNwpYdlVxMnpKQlYzd1FPbTgxMnBZeDlzckprYnAvclF1MjVqTktPZC9tZDEyMG1SRXN5Q3VLOTBIaXFqTjlLYlJICjVXaEh0R09SUjB1QWlTMGJoc0g0aElYRHhqMWhqenZEK21BZ2FPa0xRYjBBNDFZNGo2bE5GNUp6Q2h6eUJZYmYKbTFFVzRFdGdjZElvZ0hDRWVYekdXMEVHMWYvMVJuNDhGOXJMeFJ6ZTQyODFNbTJWZUh4ZGhBdXZSbGxPL3lHYgpnbEphSjlQTDFwdldNR2JMWC9jSmE4TUNBd0VBQVRBTkJna3Foa2lHOXcwQkFRc0ZBQU9DQVFFQUtONUtLVndEClZ1VzBTQmVtbE9ENnRDUFowWmVlMEtITUliMUh4T3kwblM3akYxRm84Ukw0K25lMDB4ZEhmelNZcm5JSWZpSy8KL3UraVNpTk80RjhNQlo5RzI1OFhzcS9zVkpJWkhCRE9ad3M2emZkMklvdUdubFF5QU5tdEpHeTFTNDNOaFcvbwp0aTJQTlVzQ2hMdy9hQ21COEVlU3BRb0FZeHhVTW1SK3pHUEY2VGszQ3Z6T1c2ekczT1g3bWhzMVdtU1orTS9tCjJRbElKRWpQQVYzWDJMOUN5UTRucW5MSks5dDltcWpaOFJyRmcwNFR0QnhEYUdYazAvQ2JlSURibUxPRitOdzMKOWhUNm9QNlhoaGNHb0h2dG91MndUOU5GTjdxY1R5cC9GaDFRaktxdTJLOWNyUWs3Wk52QUdGVWdISnBhb0UxRAp2NzV3cGp3bG1TSU5Bdz09Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K

secret.yaml, 文件中的data内容分别对应生成证书的三个文件内容的base64值。
apiVersion: v1
data:
ca.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUNwakNDQVk0Q0NRQ0pXMWhxTnBXVVpEQU5CZ2txaGtpRzl3MEJBUXNGQURBVU1SSXdFQVlEVlFRRERBbFgKYVhObE1tTWdRMEV3SUJjTk1Ua3dOekUxTURZMU5EVXhXaGdQTWpFeE9UQTJNakV3TmpVME5URmFNQlF4RWpBUQpCZ05WQkFNTUNWZHBjMlV5WXlCRFFUQ0NBU0l3RFFZSktvWklodmNOQVFFQkJRQURnZ0VQQURDQ0FRb0NnZ0VCCkFPalpHM2tZcGZCMjFkNmREY2RRcU1IQ0NPRTU5NDlTeU5GTEhWWWpkYk52djRHQnlFOUJHVitCVzFxOS9rRHMKYmFFUTVZWnB3Q3NwS2lpL04zbEZEdTZRN2RqM0d1YnhOQlc5YWRmN0JrcFQreVhJRUVuRU9jTnViekhwbm9PNwpYdlVxMnpKQlYzd1FPbTgxMnBZeDlzckprYnAvclF1MjVqTktPZC9tZDEyMG1SRXN5Q3VLOTBIaXFqTjlLYlJICjVXaEh0R09SUjB1QWlTMGJoc0g0aElYRHhqMWhqenZEK21BZ2FPa0xRYjBBNDFZNGo2bE5GNUp6Q2h6eUJZYmYKbTFFVzRFdGdjZElvZ0hDRWVYekdXMEVHMWYvMVJuNDhGOXJMeFJ6ZTQyODFNbTJWZUh4ZGhBdXZSbGxPL3lHYgpnbEphSjlQTDFwdldNR2JMWC9jSmE4TUNBd0VBQVRBTkJna3Foa2lHOXcwQkFRc0ZBQU9DQVFFQUtONUtLVndEClZ1VzBTQmVtbE9ENnRDUFowWmVlMEtITUliMUh4T3kwblM3akYxRm84Ukw0K25lMDB4ZEhmelNZcm5JSWZpSy8KL3UraVNpTk80RjhNQlo5RzI1OFhzcS9zVkpJWkhCRE9ad3M2emZkMklvdUdubFF5QU5tdEpHeTFTNDNOaFcvbwp0aTJQTlVzQ2hMdy9hQ21COEVlU3BRb0FZeHhVTW1SK3pHUEY2VGszQ3Z6T1c2ekczT1g3bWhzMVdtU1orTS9tCjJRbElKRWpQQVYzWDJMOUN5UTRucW5MSks5dDltcWpaOFJyRmcwNFR0QnhEYUdYazAvQ2JlSURibUxPRitOdzMKOWhUNm9QNlhoaGNHb0h2dG91MndUOU5GTjdxY1R5cC9GaDFRaktxdTJLOWNyUWs3Wk52QUdGVWdISnBhb0UxRAp2NzV3cGp3bG1TSU5Bdz09Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
server.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURpakNDQW5LZ0F3SUJBZ0lKQU81Tmdld0hENmdvTUEwR0NTcUdTSWIzRFFFQkJRVUFNQlF4RWpBUUJnTlYKQkFNTUNWZHBjMlV5WXlCRFFUQWdGdzB4T1RBM01UVXdOalUwTlRGYUdBOHlNVEU1TURZeU1UQTJOVFExTVZvdwpZekVMTUFrR0ExVUVCaE1DUTA0eEVUQVBCZ05WQkFnTUNGTm9aVzVhYUdWdU1Rc3dDUVlEVlFRSERBSlRXakVQCk1BMEdBMVVFQ2d3R1YybHpaVEpqTVE4d0RRWURWUVFMREFaWGFYTmxNbU14RWpBUUJnTlZCQU1NQ1ZkcGMyVXkKWXlCRFFUQ0NBU0l3RFFZSktvWklodmNOQVFFQkJRQURnZ0VQQURDQ0FRb0NnZ0VCQUxVQXZFdkxjQ3hKbzhBaApVcUppeC9mZkNHUkdYc3FyYlpYcXd6c0dzL0tEcmF5NXVMd3lwcEtBSXgxaFVGZGkraER5SW5nalArQzRmRys0CkFKSGtKNWFqNFFEV0theFVrSHVrTmVaejJnOHlZZHQrYytlWHRTc25BRjZTbjdyanp0cTJab0lWRFNtR0lvNk4KSUFTNWtJWjRzMXIzSEcvRjZuVlA3Smg1R255VmxxWmpCenFnQ2RQZE5WSDRPVDdwWFJQUmN6c3Y1anVOTW1iNgpjcWlheTM1cytNTFVxMEZUM0tkd0Q4dm1nWjZVNGp5dG93RDJ6TFcxbkVVUUMwMkY4a2hpUFdySUdiUnAyalRJCkRKNXZ3MnBkR1pLVGhkekNQUmxjWnBrYyt5MStHeGdtS2pxeFplN09YMEw4UjlzZ2lGaWZaZUM5b1JDWGhiYUsKL3gwK1lMY0NBd0VBQWFPQmpUQ0JpakF1QmdOVkhTTUVKekFsb1Jpa0ZqQVVNUkl3RUFZRFZRUUREQWxYYVhObApNbU1nUTBHQ0NRQ0pXMWhxTnBXVVpEQUpCZ05WSFJNRUFqQUFNQXNHQTFVZER3UUVBd0lFTURBZEJnTlZIU1VFCkZqQVVCZ2dyQmdFRkJRY0RBUVlJS3dZQkJRVUhBd0l3SVFZRFZSMFJCQm93R0lJV2JHSXRkMlZpYUc5dmF5NWsKWldaaGRXeDBMbk4yWXpBTkJna3Foa2lHOXcwQkFRVUZBQU9DQVFFQTNBcExrYzdJNy93Y2VnYzRvbDNlaGViUApnQjFhaVdRanRiTGtsYmhhMHl0Z2R5UUtua2xvb0U2WnNyZTFLVFpZTzVmakt5OENQaVg5Mm5lZlRNL0VIN1E3CnVnRU8xNE5NcUoxTnNEV09IM3pIZXVuUWhSNHJRNGhVKzJKZk1iRXJCUVNYTDU5QlRMUlpENVVaSUZlTVpsZjAKUTNKTVZCRERsM3lhS1JWTExlY203RjZQRkRCdFhZbFlseFNCREMvNVZqVU9wS3dGcGVZZFlwQmN1MmVoa3dEVQpvRERLYUpNL3htSjFKdm5CK1BIT2U3REd0WVhGZDNyQWZ3cHVmYTJhM09VU3lHZnFlN3FzY1ZWa1RyMUU0c2lmCjArakpKamkvY0RJY01HT1BxQVpiaCtzT0xRSjZqUVl1anphMW03Yit3d2g2YTZQYytVajRmZjFzd25xRHRRPT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
server.key: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFcEFJQkFBS0NBUUVBdFFDOFM4dHdMRW1qd0NGU29tTEg5OThJWkVaZXlxdHRsZXJET3dhejhvT3RyTG00CnZES21rb0FqSFdGUVYyTDZFUElpZUNNLzRMaDhiN2dBa2VRbmxxUGhBTllwckZTUWU2UTE1blBhRHpKaDIzNXoKNTVlMUt5Y0FYcEtmdXVQTzJyWm1naFVOS1lZaWpvMGdCTG1RaG5peld2Y2NiOFhxZFUvc21Ia2FmSldXcG1NSApPcUFKMDkwMVVmZzVQdWxkRTlGek95L21PNDB5WnZweXFKckxmbXo0d3RTclFWUGNwM0FQeSthQm5wVGlQSzJqCkFQYk10YldjUlJBTFRZWHlTR0k5YXNnWnRHbmFOTWdNbm0vRGFsMFprcE9GM01JOUdWeG1tUno3TFg0YkdDWXEKT3JGbDdzNWZRdnhIMnlDSVdKOWw0TDJoRUplRnRvci9IVDVndHdJREFRQUJBb0lCQUg4OXFDRUVQN1B5aEpuUgpFeDB5b2U2ZkxIQUpoQ09uUlY5SmJMczI2Qk5JL0ROYlVBR0UvZElwSUFaTVhjVkF3QmhmajFtek5mbU0xM1ZWCi9aaVJzajdVcjV6OThNZkRudG84UXVQaGQxNk5oWHRldHE0TTJRQWY1OE9VQVpQSkI2WjY2Uzd6QzVDd1NlUzYKVXRMZmZEajc2dUc4cTVIcnFQbVZHUGJLMDVMV0NqUmZDSlhJMkNMZ1o1WjJLU0dDMno3Nng1OGRHeDZNdG5rSQpKNm9yaDk5WUhQK3pPZ0k0SHdHVUZiZkpwOGZuVHdwRXFrTnhFeHJ1azR0Nlh0QUlmS1JOWkYyQnRIMm1ZazNuCk1Db2pvU1ltVUJoYnE0L0k4RENCdGNkT1pOcnZvc0h0TitLZWI5SFhvSklJd2ZwNDRKcUZhMnhwd3ZCR0FEMFoKRlZYZnZaa0NnWUVBNlVJUUNwdDJwVGlUTll0RCsvbnVMTDhjaEVSd0QvODEySVpxUjZJeC8zbnpNU1BFZmdaUwo3Qkh5bklWd2xHSHRRcC9KY1pDcGFxTExEbWZBUzNlKzhFcGJSZlhGUmpjOS8ySkZtcFMxUHZPQW1jQ1pPUnpQCnlKTXZCK1lSUWkza01nQTZldURtTVNLMGdsbnYxRHVxYmxpWjllWVZLdmdkbm54NkpIMEtWSVVDZ1lFQXhxWnMKdFcvRnM2VlRyL1N1WE5nWDVVL0VTMUpHT1JGcXh1Zk15dTZuVk1YTmJBYldkNDhuR0pJNlVEVStmWkZNY0hlVQpoa3lTT2hKVU9ONnNZZXVIcTJCbGI5cDJ1MnZSa0s4YS8wSWFFc21yWEUzVFVKcUR5S0NCVVd5cmc1cFVKZ3FHCkVsd2hudVRyaVBDMW5NWXJjUzU2N1dZbENndnB0M2VKZzVrUmN3c0NnWUJzbXRmQk9KVkxaRVlXWGh0dlRQVTYKWEZrNHRHekE1Z0Q2S2N0K1F1U29vTzA4YWZ6bytLVFBTYVArZ0pya1c1d09zenNsNTBjYVlXWE45VHl4WnJXKwpSOENybUQwYjdraXRpZUlDa1U2NldzSDcxSk1DNW9sUVNFZFRsQ2xnK09FUTdzNUx2RDh4allraVVDRzhYWE9ECklUbStKanlnM3hsYlczVzdXNFRkeVFLQmdRQy9MYXV4Y2NCekE4bG1yYlNnNWRjWmVZc1FjajNpN2tBMDdTREsKcktPZGtrQUFseFFRUEZVRDhMYnVPay9KeU93bjBPMi8wakZvY2Z0Y1AvRG16Q1hsYVFBMmhhbCs5bVRaT2F4aAp2TndhK0x0U09oUUVucS8xaFlMdk9nWld3VS82ekdYN2hXOVYzRHBSc0ZjWWFoK2s3WGFnd28waS9oUVAzWnNhCmExVy93UUtCZ1FEbkZsUWF5WDdvbjdPYlM0K21yVjhqRXM3Y2VwTmhnMGlRNUhEZHNQSjh0SkRGMWpsNFJ5U1EKK0U5ajEwcTV4M3MyWk9DSGxpeFFyemI5bzdQK2JxWkovTk9uaVFjUG5GV29KVmZjMFVkTk9nT1Z0akw2YnU1SwpRRlVOUmFzdHNkaDdLSHQyWHNYaWlnNzNyRktjQ3JCS1BITlpKUWRrNjh5VENKNmRUZkxzeXc9PQotLS0tLUVORCBSU0EgUFJJVkFURSBLRVktLS0tLQo=
kind: Secret
metadata:
name: lb-webhook-tls
namespace: default
type: Opaque
deployment.yamlwebhook server部署文件除了部署了server,还定义了server端相关的rbac模型。
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: webhook
rules:
– apiGroups: [“*”]
resources: [“deployments”, “resourcequotas”]
verbs: [“*”]

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: webhook
namespace: default
subjects:
– kind: ServiceAccount
name: webhook
namespace: default
roleRef:
kind: ClusterRole
name: webhook
apiGroup: rbac.authorization.k8s.io

apiVersion: v1
kind: ServiceAccount
metadata:
name: webhook
namespace: default

apiVersion: extensions/v1beta1
kind: Deployment
metadata:
labels:
com.wise2c.service: lb-webhook
name: lb-webhook
namespace: default
spec:
replicas: 1
selector:
matchLabels:
com.wise2c.service: lb-webhook
template:
metadata:
labels:
com.wise2c.service: lb-webhook
spec:
containers:
– image: registry.cn-hangzhou.aliyuncs.com/mojo/lb-webhook:master
imagePullPolicy: IfNotPresent
name: lb-webhook
args:
– “–memory=100Mi”
– “–cpu=200m”
– “–tls-cert-file=/etc/certs/server.crt”
– “–tls-private-key-file=/etc/certs/server.key”
volumeMounts:
– mountPath: /etc/certs
name: config
serviceAccount: webhook
volumes:
– name: config
secret:
secretName: lb-webhook-tls

apiVersion: v1
kind: Service
metadata:
labels:
com.wise2c.service: lb-webhook
name: lb-webhook
namespace: default
spec:
ports:
– name: https
port: 443
protocol: TCP
targetPort: 443
selector:
com.wise2c.service: lb-webhook
测试文件定义在指定的namespace中创建resourcequota。
通过两个test文件,一个包含webhook server指定的标签文件test-success.yaml, 另一个不带有指定标签文件test-fail.yaml, apply到对应的namespace中。
期望看到test-success.yaml下发以后pod成功启动,test-fail.yaml未能看到相应pod启动。
并且edit test-success.yaml的deployment对象发现该对象自动加上了对应的resources。
demo-namespace.yamlapiVersion: v1
kind: Namespace
metadata:
name: webhook-demo
quota.yamlapiVersion: v1
kind: ResourceQuota
metadata:
name: compute-resources
namespace: webhook-demo
spec:
hard:
limits.memory: 2Gi
test-success.yamlapiVersion: extensions/v1beta1
kind: Deployment
metadata:
labels:
run: web-success
io.wise2c.service.type: lb # 上文提到的特定标签
name: web-success
namespace: webhook-demo
spec:
selector:
matchLabels:
run: web-success
template:
metadata:
labels:
run: web-success
spec:
containers:
– image: nginx
imagePullPolicy: Always
name: web
ports:
– containerPort: 80
protocol: TCP
test-fail.yamlapiVersion: extensions/v1beta1
kind: Deployment
metadata:
labels:
run: web
name: web-fail
namespace: webhook-demo
spec:
selector:
matchLabels:
run: web-fail
template:
metadata:
labels:
run: web-fail
spec:
containers:
– image: nginx
imagePullPolicy: Always
name: web
ports:
– containerPort: 80
protocol: TCP
六、测试kubectl apply -f admissionregistration.yaml
kubectl apply -f secret.yaml
kubectl apply -f deployment.yaml

kubectl apply -f demo-namespace.yaml
kubectl apply -f quota.yaml
kubectl apply -f test-fail.yaml
kubectl apply -f test-success.yaml
结果如下:[[email protected] webhook]# kubectl apply -f test-fail.yaml
deployment.extensions/web-fail created
[[email protected] webhook]# kubectl apply -f test-success.yaml
deployment.extensions/web-success created
[[email protected] webhook]# kubectl get po -n webhook-demo
NAME READY STATUS RESTARTS AGE
web-success-85fd64db95-wl9xx 0/1 ContainerCreating 0 9s
上述结果和期望的一直, webhook到此结束。
原文链接:https://mp.weixin.qq.com/s/Z6ucuqNs2rOaPzwhvW-bmw关于睿云智合深圳睿云智合科技有限公司成立于2012年,总部位于深圳,并分别在成都、深圳设立了研发中心,北京、上海设立了分支机构,核心骨干人员全部为来自金融、科技行业知名企业资深业务专家、技术专家。
早期专注于为中国金融保险等大型企业提供创新技术、电子商务、CRM等领域专业咨询服务。
自2016年始,在率先将容器技术引进到中国保险行业客户后,公司组建了专业的容器技术产品研发和实施服务团队,旨在帮助中国金融行业客户将容器创新技术应用于企业信息技术支持业务发展的基础能力改善与提升,成为中国金融保险行业容器技术服务领导品牌。
此外,凭借多年来在呼叫中心领域的业务经验与技术积累,睿云智合率先在业界推出基于开源软交换平台FreeSwitch的微服务架构多媒体数字化业务平台,将语音、视频、webchat、微信、微博等多种客户接触渠道集成,实现客户统一接入、精准识别、智能路由的CRM策略,并以容器化治理来支持平台的全应用生命周期管理,显著提升了数字化业务处理的灵活、高效、弹性、稳定等特性,为帮助传统企业向“以客户为中心”的数字化业务转型提供完美的一站式整体解决方案。

未经允许不得转载:选主机测评网 » 技术漫谈 | 为kubernetes构建自定义admission webhook