Kubernetes构建自定义admission webhook
AdmissionWebhook介绍请参见Kubernetes AdmissionWebhook这篇博客。
webhook如何工作的
-
注册webhook server
-
资源操作请求通过API Server Auth验证
-
根据注册信息回调对应的webhook server
webhook注册信息说明
apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingWebhookConfiguration
metadata:
name: config
webhooks:
- name: lb-webhook.default.svc ①
rules: ②
- apiGroups:
- "*"
apiVersions:
- "*"
operations:
- CREATE
resources:
- deployments
clientConfig:
service:
namespace: default ③
name: lb-webhook ④
path: /deployments/mutate ⑤
⑥caBundle: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUNwakNDQVk0Q0NRQ0pXMWhxTnBXVVpEQU5CZ2txaGtpRzl3MEJBUXNGQURBVU1SSXdFQVlEVlFRRERBbFgKYVhObE1tTWdRMEV3SUJjTk1Ua3dOekUxTURZMU5EVXhXaGdQTWpFeE9UQTJNakV3TmpVME5URmFNQlF4RWpBUQpCZ05WQkFNTUNWZHBjMlV5WXlCRFFUQ0NBU0l3RFFZSktvWklodmNOQVFFQkJRQURnZ0VQQURDQ0FRb0NnZ0VCCkFPalpHM2tZcGZCMjFkNmREY2RRcU1IQ0NPRTU5NDlTeU5GTEhWWWpkYk52djRHQnlFOUJHVitCVzFxOS9rRHMKYmFFUTVZWnB3Q3NwS2lpL04zbEZEdTZRN2RqM0d1YnhOQlc5YWRmN0JrcFQreVhJRUVuRU9jTnViekhwbm9PNwpYdlVxMnpKQlYzd1FPbTgxMnBZeDlzckprYnAvclF1MjVqTktPZC9tZDEyMG1SRXN5Q3VLOTBIaXFqTjlLYlJICjVXaEh0R09SUjB1QWlTMGJoc0g0aElYRHhqMWhqenZEK21BZ2FPa0xRYjBBNDFZNGo2bE5GNUp6Q2h6eUJZYmYKbTFFVzRFdGdjZElvZ0hDRWVYekdXMEVHMWYvMVJuNDhGOXJMeFJ6ZTQyODFNbTJWZUh4ZGhBdXZSbGxPL3lHYgpnbEphSjlQTDFwdldNR2JMWC9jSmE4TUNBd0VBQVRBTkJna3Foa2lHOXcwQkFRc0ZBQU9DQVFFQUtONUtLVndEClZ1VzBTQmVtbE9ENnRDUFowWmVlMEtITUliMUh4T3kwblM3akYxRm84Ukw0K25lMDB4ZEhmelNZcm5JSWZpSy8KL3UraVNpTk80RjhNQlo5RzI1OFhzcS9zVkpJWkhCRE9ad3M2emZkMklvdUdubFF5QU5tdEpHeTFTNDNOaFcvbwp0aTJQTlVzQ2hMdy9hQ21COEVlU3BRb0FZeHhVTW1SK3pHUEY2VGszQ3Z6T1c2ekczT1g3bWhzMVdtU1orTS9tCjJRbElKRWpQQVYzWDJMOUN5UTRucW5MSks5dDltcWpaOFJyRmcwNFR0QnhEYUdYazAvQ2JlSURibUxPRitOdzMKOWhUNm9QNlhoaGNHb0h2dG91MndUOU5GTjdxY1R5cC9GaDFRaktxdTJLOWNyUWs3Wk52QUdGVWdISnBhb0UxRAp2NzV3cGp3bG1TSU5Bdz09Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
① webhook名称
② 描述api-server操作什么资源什么动作时调用webhook插件
③ webhook service所在的namespace
④ webhook service name
⑤ 调用webhook api的地址
⑥ 提供和webhook通信的TLS链接信息, 生成的证书必须支持<svc_name>.<svc_namespace>.svc,这个证书可以直接使用k8s集群的ca.crt( kubectl config view --raw -o json | jq -r '.clusters[0].cluster."certificate-authority-data"' | tr -d '"')。
准备
-
准备一个kubernetes集群必须为v1.9或以上的版本(本人基于v1.18.6的版本测试的)。
-
api server需要开启MutatingAdmissionWebhook ValidatingAdmissionWebhook,通过以下命令可查看。
kubectl api-versions | grep admissionregistration
> admissionregistration.k8s.io/v1
> admissionregistration.k8s.io/v1beta1
证书制作
手动制作证书
-
生成密钥位数为 2048 的 ca.key
openssl genrsa -out ca.key 2048
-
依据 ca.key 生成 ca.crt (使用 -days 参数来设置证书有效时间):
penssl req -x509 -new -nodes -key ca.key -subj "/CN=lb-webhook.default.svc" -days 10000 -out ca.crt
-
生成密钥位数为 2048 的 server.key
openssl genrsa -out server.key 2048
-
创建用于生成证书签名请求(CSR)的配置文件。确保在将其保存至文件(如csr.conf)。
[ req ]default_bits = 2048prompt = nodefault_md = sha256req_extensions = req_extdistinguished_name = dn [ dn ]C = CNST = SiChuanL = SZO = Wise2cOU = Wise2cCN = lb-webhook.default.svc [ req_ext ]subjectAltName = @alt_names [ alt_names ]DNS.1 = lb-webhook.default.svc [ v3_ext ]authorityKeyIdentifier=keyid,issuer:alwaysbasicConstraints=CA:FALSEkeyUsage=keyEncipherment,dataEnciphermentextendedKeyUsage=serverAuth,clientAuthsubjectAltName=@alt_names
-
基于配置文件生成证书签名请求:
openssl req -new -key server.key -out server.csr -config csr.conf
-
使用 ca.key、ca.crt 和 server.csr 生成服务器证书:
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key \-CAcreateserial -out server.crt -days 10000 \-extensions v3_ext -extfile csr.conf
-
查看证书
openssl x509 -noout -text -in ./server.crt
部署
通过上面的操作,已经生成好了部署前的准备工作(证书)。接下来我们需要使用证书。
部署文件定义
admissionregistration.yaml,文件中的caBundle使用的是上面生成ca.crt文件内容的base64值(cat ca.crt | base64 | tr -d '\n' | tr -d '=' | tr '/+' '_-')。
apiVersion: admissionregistration.k8s.io/v1beta1 kind: MutatingWebhookConfiguration metadata: name: config webhooks: - name: lb-webhook.default.svc rules: - apiGroups: - "*" apiVersions: - "*" operations: - CREATE resources: - deployments clientConfig: service: namespace: default name: lb-webhook path: /deployments/mutate caBundle: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUNwakNDQVk0Q0NRQ0pXMWhxTnBXVVpEQU5CZ2txaGtpRzl3MEJBUXNGQURBVU1SSXdFQVlEVlFRRERBbFgKYVhObE1tTWdRMEV3SUJjTk1Ua3dOekUxTURZMU5EVXhXaGdQTWpFeE9UQTJNakV3TmpVME5URmFNQlF4RWpBUQpCZ05WQkFNTUNWZHBjMlV5WXlCRFFUQ0NBU0l3RFFZSktvWklodmNOQVFFQkJRQURnZ0VQQURDQ0FRb0NnZ0VCCkFPalpHM2tZcGZCMjFkNmREY2RRcU1IQ0NPRTU5NDlTeU5GTEhWWWpkYk52djRHQnlFOUJHVitCVzFxOS9rRHMKYmFFUTVZWnB3Q3NwS2lpL04zbEZEdTZRN2RqM0d1YnhOQlc5YWRmN0JrcFQreVhJRUVuRU9jTnViekhwbm9PNwpYdlVxMnpKQlYzd1FPbTgxMnBZeDlzckprYnAvclF1MjVqTktPZC9tZDEyMG1SRXN5Q3VLOTBIaXFqTjlLYlJICjVXaEh0R09SUjB1QWlTMGJoc0g0aElYRHhqMWhqenZEK21BZ2FPa0xRYjBBNDFZNGo2bE5GNUp6Q2h6eUJZYmYKbTFFVzRFdGdjZElvZ0hDRWVYekdXMEVHMWYvMVJuNDhGOXJMeFJ6ZTQyODFNbTJWZUh4ZGhBdXZSbGxPL3lHYgpnbEphSjlQTDFwdldNR2JMWC9jSmE4TUNBd0VBQVRBTkJna3Foa2lHOXcwQkFRc0ZBQU9DQVFFQUtONUtLVndEClZ1VzBTQmVtbE9ENnRDUFowWmVlMEtITUliMUh4T3kwblM3akYxRm84Ukw0K25lMDB4ZEhmelNZcm5JSWZpSy8KL3UraVNpTk80RjhNQlo5RzI1OFhzcS9zVkpJWkhCRE9ad3M2emZkMklvdUdubFF5QU5tdEpHeTFTNDNOaFcvbwp0aTJQTlVzQ2hMdy9hQ21COEVlU3BRb0FZeHhVTW1SK3pHUEY2VGszQ3Z6T1c2ekczT1g3bWhzMVdtU1orTS9tCjJRbElKRWpQQVYzWDJMOUN5UTRucW5MSks5dDltcWpaOFJyRmcwNFR0QnhEYUdYazAvQ2JlSURibUxPRitOdzMKOWhUNm9QNlhoaGNHb0h2dG91MndUOU5GTjdxY1R5cC9GaDFRaktxdTJLOWNyUWs3Wk52QUdGVWdISnBhb0UxRAp2NzV3cGp3bG1TSU5Bdz09Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
注意:Apiserver作为客户端使用https单向认证方式与lb-webhook-tls服务进行交互,Apiserver使用ca.crt验签server.crt,server.crt 生成的证书必须支持lb-webhook-tls.default.svc。
secret.yaml, 文件中的data内容分别对应生成证书的三个文件内容的base64值。
apiVersion: v1 data: ca.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUNwakNDQVk0Q0NRQ0pXMWhxTnBXVVpEQU5CZ2txaGtpRzl3MEJBUXNGQURBVU1SSXdFQVlEVlFRRERBbFgKYVhObE1tTWdRMEV3SUJjTk1Ua3dOekUxTURZMU5EVXhXaGdQTWpFeE9UQTJNakV3TmpVME5URmFNQlF4RWpBUQpCZ05WQkFNTUNWZHBjMlV5WXlCRFFUQ0NBU0l3RFFZSktvWklodmNOQVFFQkJRQURnZ0VQQURDQ0FRb0NnZ0VCCkFPalpHM2tZcGZCMjFkNmREY2RRcU1IQ0NPRTU5NDlTeU5GTEhWWWpkYk52djRHQnlFOUJHVitCVzFxOS9rRHMKYmFFUTVZWnB3Q3NwS2lpL04zbEZEdTZRN2RqM0d1YnhOQlc5YWRmN0JrcFQreVhJRUVuRU9jTnViekhwbm9PNwpYdlVxMnpKQlYzd1FPbTgxMnBZeDlzckprYnAvclF1MjVqTktPZC9tZDEyMG1SRXN5Q3VLOTBIaXFqTjlLYlJICjVXaEh0R09SUjB1QWlTMGJoc0g0aElYRHhqMWhqenZEK21BZ2FPa0xRYjBBNDFZNGo2bE5GNUp6Q2h6eUJZYmYKbTFFVzRFdGdjZElvZ0hDRWVYekdXMEVHMWYvMVJuNDhGOXJMeFJ6ZTQyODFNbTJWZUh4ZGhBdXZSbGxPL3lHYgpnbEphSjlQTDFwdldNR2JMWC9jSmE4TUNBd0VBQVRBTkJna3Foa2lHOXcwQkFRc0ZBQU9DQVFFQUtONUtLVndEClZ1VzBTQmVtbE9ENnRDUFowWmVlMEtITUliMUh4T3kwblM3akYxRm84Ukw0K25lMDB4ZEhmelNZcm5JSWZpSy8KL3UraVNpTk80RjhNQlo5RzI1OFhzcS9zVkpJWkhCRE9ad3M2emZkMklvdUdubFF5QU5tdEpHeTFTNDNOaFcvbwp0aTJQTlVzQ2hMdy9hQ21COEVlU3BRb0FZeHhVTW1SK3pHUEY2VGszQ3Z6T1c2ekczT1g3bWhzMVdtU1orTS9tCjJRbElKRWpQQVYzWDJMOUN5UTRucW5MSks5dDltcWpaOFJyRmcwNFR0QnhEYUdYazAvQ2JlSURibUxPRitOdzMKOWhUNm9QNlhoaGNHb0h2dG91MndUOU5GTjdxY1R5cC9GaDFRaktxdTJLOWNyUWs3Wk52QUdGVWdISnBhb0UxRAp2NzV3cGp3bG1TSU5Bdz09Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K server.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURpakNDQW5LZ0F3SUJBZ0lKQU81Tmdld0hENmdvTUEwR0NTcUdTSWIzRFFFQkJRVUFNQlF4RWpBUUJnTlYKQkFNTUNWZHBjMlV5WXlCRFFUQWdGdzB4T1RBM01UVXdOalUwTlRGYUdBOHlNVEU1TURZeU1UQTJOVFExTVZvdwpZekVMTUFrR0ExVUVCaE1DUTA0eEVUQVBCZ05WQkFnTUNGTm9aVzVhYUdWdU1Rc3dDUVlEVlFRSERBSlRXakVQCk1BMEdBMVVFQ2d3R1YybHpaVEpqTVE4d0RRWURWUVFMREFaWGFYTmxNbU14RWpBUUJnTlZCQU1NQ1ZkcGMyVXkKWXlCRFFUQ0NBU0l3RFFZSktvWklodmNOQVFFQkJRQURnZ0VQQURDQ0FRb0NnZ0VCQUxVQXZFdkxjQ3hKbzhBaApVcUppeC9mZkNHUkdYc3FyYlpYcXd6c0dzL0tEcmF5NXVMd3lwcEtBSXgxaFVGZGkraER5SW5nalArQzRmRys0CkFKSGtKNWFqNFFEV0theFVrSHVrTmVaejJnOHlZZHQrYytlWHRTc25BRjZTbjdyanp0cTJab0lWRFNtR0lvNk4KSUFTNWtJWjRzMXIzSEcvRjZuVlA3Smg1R255VmxxWmpCenFnQ2RQZE5WSDRPVDdwWFJQUmN6c3Y1anVOTW1iNgpjcWlheTM1cytNTFVxMEZUM0tkd0Q4dm1nWjZVNGp5dG93RDJ6TFcxbkVVUUMwMkY4a2hpUFdySUdiUnAyalRJCkRKNXZ3MnBkR1pLVGhkekNQUmxjWnBrYyt5MStHeGdtS2pxeFplN09YMEw4UjlzZ2lGaWZaZUM5b1JDWGhiYUsKL3gwK1lMY0NBd0VBQWFPQmpUQ0JpakF1QmdOVkhTTUVKekFsb1Jpa0ZqQVVNUkl3RUFZRFZRUUREQWxYYVhObApNbU1nUTBHQ0NRQ0pXMWhxTnBXVVpEQUpCZ05WSFJNRUFqQUFNQXNHQTFVZER3UUVBd0lFTURBZEJnTlZIU1VFCkZqQVVCZ2dyQmdFRkJRY0RBUVlJS3dZQkJRVUhBd0l3SVFZRFZSMFJCQm93R0lJV2JHSXRkMlZpYUc5dmF5NWsKWldaaGRXeDBMbk4yWXpBTkJna3Foa2lHOXcwQkFRVUZBQU9DQVFFQTNBcExrYzdJNy93Y2VnYzRvbDNlaGViUApnQjFhaVdRanRiTGtsYmhhMHl0Z2R5UUtua2xvb0U2WnNyZTFLVFpZTzVmakt5OENQaVg5Mm5lZlRNL0VIN1E3CnVnRU8xNE5NcUoxTnNEV09IM3pIZXVuUWhSNHJRNGhVKzJKZk1iRXJCUVNYTDU5QlRMUlpENVVaSUZlTVpsZjAKUTNKTVZCRERsM3lhS1JWTExlY203RjZQRkRCdFhZbFlseFNCREMvNVZqVU9wS3dGcGVZZFlwQmN1MmVoa3dEVQpvRERLYUpNL3htSjFKdm5CK1BIT2U3REd0WVhGZDNyQWZ3cHVmYTJhM09VU3lHZnFlN3FzY1ZWa1RyMUU0c2lmCjArakpKamkvY0RJY01HT1BxQVpiaCtzT0xRSjZqUVl1anphMW03Yit3d2g2YTZQYytVajRmZjFzd25xRHRRPT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo= server.key: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFcEFJQkFBS0NBUUVBdFFDOFM4dHdMRW1qd0NGU29tTEg5OThJWkVaZXlxdHRsZXJET3dhejhvT3RyTG00CnZES21rb0FqSFdGUVYyTDZFUElpZUNNLzRMaDhiN2dBa2VRbmxxUGhBTllwckZTUWU2UTE1blBhRHpKaDIzNXoKNTVlMUt5Y0FYcEtmdXVQTzJyWm1naFVOS1lZaWpvMGdCTG1RaG5peld2Y2NiOFhxZFUvc21Ia2FmSldXcG1NSApPcUFKMDkwMVVmZzVQdWxkRTlGek95L21PNDB5WnZweXFKckxmbXo0d3RTclFWUGNwM0FQeSthQm5wVGlQSzJqCkFQYk10YldjUlJBTFRZWHlTR0k5YXNnWnRHbmFOTWdNbm0vRGFsMFprcE9GM01JOUdWeG1tUno3TFg0YkdDWXEKT3JGbDdzNWZRdnhIMnlDSVdKOWw0TDJoRUplRnRvci9IVDVndHdJREFRQUJBb0lCQUg4OXFDRUVQN1B5aEpuUgpFeDB5b2U2ZkxIQUpoQ09uUlY5SmJMczI2Qk5JL0ROYlVBR0UvZElwSUFaTVhjVkF3QmhmajFtek5mbU0xM1ZWCi9aaVJzajdVcjV6OThNZkRudG84UXVQaGQxNk5oWHRldHE0TTJRQWY1OE9VQVpQSkI2WjY2Uzd6QzVDd1NlUzYKVXRMZmZEajc2dUc4cTVIcnFQbVZHUGJLMDVMV0NqUmZDSlhJMkNMZ1o1WjJLU0dDMno3Nng1OGRHeDZNdG5rSQpKNm9yaDk5WUhQK3pPZ0k0SHdHVUZiZkpwOGZuVHdwRXFrTnhFeHJ1azR0Nlh0QUlmS1JOWkYyQnRIMm1ZazNuCk1Db2pvU1ltVUJoYnE0L0k4RENCdGNkT1pOcnZvc0h0TitLZWI5SFhvSklJd2ZwNDRKcUZhMnhwd3ZCR0FEMFoKRlZYZnZaa0NnWUVBNlVJUUNwdDJwVGlUTll0RCsvbnVMTDhjaEVSd0QvODEySVpxUjZJeC8zbnpNU1BFZmdaUwo3Qkh5bklWd2xHSHRRcC9KY1pDcGFxTExEbWZBUzNlKzhFcGJSZlhGUmpjOS8ySkZtcFMxUHZPQW1jQ1pPUnpQCnlKTXZCK1lSUWkza01nQTZldURtTVNLMGdsbnYxRHVxYmxpWjllWVZLdmdkbm54NkpIMEtWSVVDZ1lFQXhxWnMKdFcvRnM2VlRyL1N1WE5nWDVVL0VTMUpHT1JGcXh1Zk15dTZuVk1YTmJBYldkNDhuR0pJNlVEVStmWkZNY0hlVQpoa3lTT2hKVU9ONnNZZXVIcTJCbGI5cDJ1MnZSa0s4YS8wSWFFc21yWEUzVFVKcUR5S0NCVVd5cmc1cFVKZ3FHCkVsd2hudVRyaVBDMW5NWXJjUzU2N1dZbENndnB0M2VKZzVrUmN3c0NnWUJzbXRmQk9KVkxaRVlXWGh0dlRQVTYKWEZrNHRHekE1Z0Q2S2N0K1F1U29vTzA4YWZ6bytLVFBTYVArZ0pya1c1d09zenNsNTBjYVlXWE45VHl4WnJXKwpSOENybUQwYjdraXRpZUlDa1U2NldzSDcxSk1DNW9sUVNFZFRsQ2xnK09FUTdzNUx2RDh4allraVVDRzhYWE9ECklUbStKanlnM3hsYlczVzdXNFRkeVFLQmdRQy9MYXV4Y2NCekE4bG1yYlNnNWRjWmVZc1FjajNpN2tBMDdTREsKcktPZGtrQUFseFFRUEZVRDhMYnVPay9KeU93bjBPMi8wakZvY2Z0Y1AvRG16Q1hsYVFBMmhhbCs5bVRaT2F4aAp2TndhK0x0U09oUUVucS8xaFlMdk9nWld3VS82ekdYN2hXOVYzRHBSc0ZjWWFoK2s3WGFnd28waS9oUVAzWnNhCmExVy93UUtCZ1FEbkZsUWF5WDdvbjdPYlM0K21yVjhqRXM3Y2VwTmhnMGlRNUhEZHNQSjh0SkRGMWpsNFJ5U1EKK0U5ajEwcTV4M3MyWk9DSGxpeFFyemI5bzdQK2JxWkovTk9uaVFjUG5GV29KVmZjMFVkTk9nT1Z0akw2YnU1SwpRRlVOUmFzdHNkaDdLSHQyWHNYaWlnNzNyRktjQ3JCS1BITlpKUWRrNjh5VENKNmRUZkxzeXc9PQotLS0tLUVORCBSU0EgUFJJVkFURSBLRVktLS0tLQo= kind: Secret metadata: name: lb-webhook-tls namespace: default type: Opaque
deployment.yaml
webhook server部署文件除了部署了server,还定义了server端相关的rbac模型。
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: webhook rules: - apiGroups: ["*"] resources: ["deployments", "resourcequotas"] verbs: ["*"] --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: webhook namespace: default subjects: - kind: ServiceAccount name: webhook namespace: default roleRef: kind: ClusterRole name: webhook apiGroup: rbac.authorization.k8s.io --- apiVersion: v1 kind: ServiceAccount metadata: name: webhook namespace: default --- apiVersion: extensions/v1beta1 kind: Deployment metadata: labels: com.wise2c.service: lb-webhook name: lb-webhook namespace: default spec: replicas: 1 selector: matchLabels: com.wise2c.service: lb-webhook template: metadata: labels: com.wise2c.service: lb-webhook spec: containers: - image: registry.cn-hangzhou.aliyuncs.com/mojo/lb-webhook:master imagePullPolicy: IfNotPresent name: lb-webhook args: - "--memory=100Mi" - "--cpu=200m" - "--tls-cert-file=/etc/certs/server.crt" - "--tls-private-key-file=/etc/certs/server.key" volumeMounts: - mountPath: /etc/certs name: config serviceAccount: webhook volumes: - name: config secret: secretName: lb-webhook-tls --- apiVersion: v1 kind: Service metadata: labels: com.wise2c.service: lb-webhook name: lb-webhook namespace: default spec: ports: - name: https port: 443 protocol: TCP targetPort: 443 selector: com.wise2c.service: lb-webhook
测试文件定义
在指定的namespace中创建resourcequota。通过两个test文件,一个包含webhook server指定的标签文件test-success.yaml, 另一个不带有指定标签文件test-fail.yaml, apply到对应的namespace中。期望看到test-success.yaml下发以后pod成功启动,test-fail.yaml未能看到相应pod启动。并且edit test-success.yaml的deployment对象发现该对象自动加上了对应的resources。
demo-namespace.yaml
apiVersion: v1 kind: Namespace metadata: name: webhook-demo
quota.yaml
apiVersion: v1 kind: ResourceQuota metadata: name: compute-resources namespace: webhook-demo spec: hard: limits.memory: 2Gi
test-success.yaml
apiVersion: extensions/v1beta1 kind: Deployment metadata: labels: run: web-success io.wise2c.service.type: lb # 上文提到的特定标签 name: web-success namespace: webhook-demo spec: selector: matchLabels: run: web-success template: metadata: labels: run: web-success spec: containers: - image: nginx imagePullPolicy: Always name: web ports: - containerPort: 80 protocol: TCP
test-fail.yaml
apiVersion: extensions/v1beta1 kind: Deployment metadata: labels: run: web name: web-fail namespace: webhook-demo spec: selector: matchLabels: run: web-fail template: metadata: labels: run: web-fail spec: containers: - image: nginx imagePullPolicy: Always name: web ports: - containerPort: 80 protocol: TCP
测试:
kubectl apply -f admissionregistration.yaml kubectl apply -f secret.yaml kubectl apply -f deployment.yaml kubectl apply -f demo-namespace.yaml kubectl apply -f quota.yaml kubectl apply -f test-fail.yaml kubectl apply -f test-success.yaml
结果如下:
[root@dev-7 webhook]# kubectl apply -f test-fail.yaml deployment.extensions/web-fail created [root@dev-7 webhook]# kubectl apply -f test-success.yaml deployment.extensions/web-success created [root@dev-7 webhook]# kubectl get po -n webhook-demo NAME READY STATUS RESTARTS AGE web-success-85fd64db95-wl9xx 0/1 ContainerCreating 0 9s
上述结果和期望的一致, webhook到此结束。
参考:https://mp.weixin.qq.com/s/Z6ucuqNs2rOaPzwhvW-bmw
参考:https://kubernetes.io/zh/docs/reference/access-authn-authz/extensible-admission-controllers/