Kubernetes构建自定义admission webhook

AdmissionWebhook介绍请参见Kubernetes AdmissionWebhook这篇博客。

webhook如何工作的

• 注册webhook server

• 资源操作请求通过API Server Auth验证

• 根据注册信息回调对应的webhook server

webhook注册信息说明

apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingWebhookConfiguration
metadata:
  name: config
webhooks:
- name: lb-webhook.default.svc ①
  rules: ②
  - apiGroups:
    - "*"
    apiVersions:
    - "*"
    operations:
    - CREATE
    resources:
    - deployments 
  clientConfig:
    service:
      namespace: default ③
      name: lb-webhook ④
      path: /deployments/mutate ⑤
    ⑥caBundle: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUNwakNDQVk0Q0NRQ0pXMWhxTnBXVVpEQU5CZ2txaGtpRzl3MEJBUXNGQURBVU1SSXdFQVlEVlFRRERBbFgKYVhObE1tTWdRMEV3SUJjTk1Ua3dOekUxTURZMU5EVXhXaGdQTWpFeE9UQTJNakV3TmpVME5URmFNQlF4RWpBUQpCZ05WQkFNTUNWZHBjMlV5WXlCRFFUQ0NBU0l3RFFZSktvWklodmNOQVFFQkJRQURnZ0VQQURDQ0FRb0NnZ0VCCkFPalpHM2tZcGZCMjFkNmREY2RRcU1IQ0NPRTU5NDlTeU5GTEhWWWpkYk52djRHQnlFOUJHVitCVzFxOS9rRHMKYmFFUTVZWnB3Q3NwS2lpL04zbEZEdTZRN2RqM0d1YnhOQlc5YWRmN0JrcFQreVhJRUVuRU9jTnViekhwbm9PNwpYdlVxMnpKQlYzd1FPbTgxMnBZeDlzckprYnAvclF1MjVqTktPZC9tZDEyMG1SRXN5Q3VLOTBIaXFqTjlLYlJICjVXaEh0R09SUjB1QWlTMGJoc0g0aElYRHhqMWhqenZEK21BZ2FPa0xRYjBBNDFZNGo2bE5GNUp6Q2h6eUJZYmYKbTFFVzRFdGdjZElvZ0hDRWVYekdXMEVHMWYvMVJuNDhGOXJMeFJ6ZTQyODFNbTJWZUh4ZGhBdXZSbGxPL3lHYgpnbEphSjlQTDFwdldNR2JMWC9jSmE4TUNBd0VBQVRBTkJna3Foa2lHOXcwQkFRc0ZBQU9DQVFFQUtONUtLVndEClZ1VzBTQmVtbE9ENnRDUFowWmVlMEtITUliMUh4T3kwblM3akYxRm84Ukw0K25lMDB4ZEhmelNZcm5JSWZpSy8KL3UraVNpTk80RjhNQlo5RzI1OFhzcS9zVkpJWkhCRE9ad3M2emZkMklvdUdubFF5QU5tdEpHeTFTNDNOaFcvbwp0aTJQTlVzQ2hMdy9hQ21COEVlU3BRb0FZeHhVTW1SK3pHUEY2VGszQ3Z6T1c2ekczT1g3bWhzMVdtU1orTS9tCjJRbElKRWpQQVYzWDJMOUN5UTRucW5MSks5dDltcWpaOFJyRmcwNFR0QnhEYUdYazAvQ2JlSURibUxPRitOdzMKOWhUNm9QNlhoaGNHb0h2dG91MndUOU5GTjdxY1R5cC9GaDFRaktxdTJLOWNyUWs3Wk52QUdGVWdISnBhb0UxRAp2NzV3cGp3bG1TSU5Bdz09Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K

① webhook名称

② 描述api-server操作什么资源什么动作时调用webhook插件

③ webhook service所在的namespace

④ webhook service name

⑤ 调用webhook api的地址

⑥ 提供和webhook通信的TLS链接信息, 生成的证书必须支持<svc_name>.<svc_namespace>.svc，这个证书可以直接使用k8s集群的ca.crt（ kubectl config view --raw -o json | jq -r '.clusters[0].cluster."certificate-authority-data"' | tr -d '"'）。

准备

• 准备一个kubernetes集群必须为v1.9或以上的版本(本人基于v1.18.6的版本测试的)。

• api server需要开启MutatingAdmissionWebhook ValidatingAdmissionWebhook，通过以下命令可查看。

kubectl api-versions | grep admissionregistration
> admissionregistration.k8s.io/v1
> admissionregistration.k8s.io/v1beta1

证书制作

手动制作证书

• 生成密钥位数为 2048 的 ca.key

?

1	openssl genrsa -out ca.key 2048

• 依据 ca.key 生成 ca.crt （使用 -days 参数来设置证书有效时间）：

?

1	penssl req -x509 -new -nodes -key ca.key -subj "/CN=lb-webhook.default.svc" -days 10000 -out ca.crt

• 生成密钥位数为 2048 的 server.key

?

1	openssl genrsa -out server.key 2048

• 创建用于生成证书签名请求（CSR）的配置文件。确保在将其保存至文件（如csr.conf）。

?

1 2 3 4 5

[ req ]default_bits = 2048prompt = nodefault_md = sha256req_extensions = req_extdistinguished_name = dn [ dn ]C = CNST = SiChuanL = SZO = Wise2cOU = Wise2cCN = lb-webhook.default.svc [ req_ext ]subjectAltName = @alt_names [ alt_names ]DNS.1 = lb-webhook.default.svc [ v3_ext ]authorityKeyIdentifier=keyid,issuer:alwaysbasicConstraints=CA:FALSEkeyUsage=keyEncipherment,dataEnciphermentextendedKeyUsage=serverAuth,clientAuthsubjectAltName=@alt_names

• 基于配置文件生成证书签名请求：

?

1	openssl req -new -key server.key -out server.csr -config csr.conf

• 使用 ca.key、ca.crt 和 server.csr 生成服务器证书：

?

1	openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key \-CAcreateserial -out server.crt -days 10000 \-extensions v3_ext -extfile csr.conf

• 查看证书

?

1	openssl x509  -noout -text -in ./server.crt

部署

通过上面的操作，已经生成好了部署前的准备工作(证书)。接下来我们需要使用证书。

部署文件定义

admissionregistration.yaml，文件中的caBundle使用的是上面生成ca.crt文件内容的base64值（cat ca.crt | base64 | tr -d '\n' | tr -d '=' | tr '/+' '_-'）。

?

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21

apiVersion: admissionregistration.k8s.io/v1beta1 kind: MutatingWebhookConfiguration metadata:   name: config webhooks: - name: lb-webhook.default.svc   rules:   - apiGroups:     - "*"     apiVersions:     - "*"     operations:     - CREATE     resources:     - deployments   clientConfig:     service:       namespace: default       name: lb-webhook       path: /deployments/mutate     caBundle: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUNwakNDQVk0Q0NRQ0pXMWhxTnBXVVpEQU5CZ2txaGtpRzl3MEJBUXNGQURBVU1SSXdFQVlEVlFRRERBbFgKYVhObE1tTWdRMEV3SUJjTk1Ua3dOekUxTURZMU5EVXhXaGdQTWpFeE9UQTJNakV3TmpVME5URmFNQlF4RWpBUQpCZ05WQkFNTUNWZHBjMlV5WXlCRFFUQ0NBU0l3RFFZSktvWklodmNOQVFFQkJRQURnZ0VQQURDQ0FRb0NnZ0VCCkFPalpHM2tZcGZCMjFkNmREY2RRcU1IQ0NPRTU5NDlTeU5GTEhWWWpkYk52djRHQnlFOUJHVitCVzFxOS9rRHMKYmFFUTVZWnB3Q3NwS2lpL04zbEZEdTZRN2RqM0d1YnhOQlc5YWRmN0JrcFQreVhJRUVuRU9jTnViekhwbm9PNwpYdlVxMnpKQlYzd1FPbTgxMnBZeDlzckprYnAvclF1MjVqTktPZC9tZDEyMG1SRXN5Q3VLOTBIaXFqTjlLYlJICjVXaEh0R09SUjB1QWlTMGJoc0g0aElYRHhqMWhqenZEK21BZ2FPa0xRYjBBNDFZNGo2bE5GNUp6Q2h6eUJZYmYKbTFFVzRFdGdjZElvZ0hDRWVYekdXMEVHMWYvMVJuNDhGOXJMeFJ6ZTQyODFNbTJWZUh4ZGhBdXZSbGxPL3lHYgpnbEphSjlQTDFwdldNR2JMWC9jSmE4TUNBd0VBQVRBTkJna3Foa2lHOXcwQkFRc0ZBQU9DQVFFQUtONUtLVndEClZ1VzBTQmVtbE9ENnRDUFowWmVlMEtITUliMUh4T3kwblM3akYxRm84Ukw0K25lMDB4ZEhmelNZcm5JSWZpSy8KL3UraVNpTk80RjhNQlo5RzI1OFhzcS9zVkpJWkhCRE9ad3M2emZkMklvdUdubFF5QU5tdEpHeTFTNDNOaFcvbwp0aTJQTlVzQ2hMdy9hQ21COEVlU3BRb0FZeHhVTW1SK3pHUEY2VGszQ3Z6T1c2ekczT1g3bWhzMVdtU1orTS9tCjJRbElKRWpQQVYzWDJMOUN5UTRucW5MSks5dDltcWpaOFJyRmcwNFR0QnhEYUdYazAvQ2JlSURibUxPRitOdzMKOWhUNm9QNlhoaGNHb0h2dG91MndUOU5GTjdxY1R5cC9GaDFRaktxdTJLOWNyUWs3Wk52QUdGVWdISnBhb0UxRAp2NzV3cGp3bG1TSU5Bdz09Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K

注意：Apiserver作为客户端使用https单向认证方式与lb-webhook-tls服务进行交互，Apiserver使用ca.crt验签server.crt，server.crt 生成的证书必须支持lb-webhook-tls.default.svc。

secret.yaml, 文件中的data内容分别对应生成证书的三个文件内容的base64值。

?

1 2 3 4 5 6 7 8 9 10

apiVersion: v1 data:   ca.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUNwakNDQVk0Q0NRQ0pXMWhxTnBXVVpEQU5CZ2txaGtpRzl3MEJBUXNGQURBVU1SSXdFQVlEVlFRRERBbFgKYVhObE1tTWdRMEV3SUJjTk1Ua3dOekUxTURZMU5EVXhXaGdQTWpFeE9UQTJNakV3TmpVME5URmFNQlF4RWpBUQpCZ05WQkFNTUNWZHBjMlV5WXlCRFFUQ0NBU0l3RFFZSktvWklodmNOQVFFQkJRQURnZ0VQQURDQ0FRb0NnZ0VCCkFPalpHM2tZcGZCMjFkNmREY2RRcU1IQ0NPRTU5NDlTeU5GTEhWWWpkYk52djRHQnlFOUJHVitCVzFxOS9rRHMKYmFFUTVZWnB3Q3NwS2lpL04zbEZEdTZRN2RqM0d1YnhOQlc5YWRmN0JrcFQreVhJRUVuRU9jTnViekhwbm9PNwpYdlVxMnpKQlYzd1FPbTgxMnBZeDlzckprYnAvclF1MjVqTktPZC9tZDEyMG1SRXN5Q3VLOTBIaXFqTjlLYlJICjVXaEh0R09SUjB1QWlTMGJoc0g0aElYRHhqMWhqenZEK21BZ2FPa0xRYjBBNDFZNGo2bE5GNUp6Q2h6eUJZYmYKbTFFVzRFdGdjZElvZ0hDRWVYekdXMEVHMWYvMVJuNDhGOXJMeFJ6ZTQyODFNbTJWZUh4ZGhBdXZSbGxPL3lHYgpnbEphSjlQTDFwdldNR2JMWC9jSmE4TUNBd0VBQVRBTkJna3Foa2lHOXcwQkFRc0ZBQU9DQVFFQUtONUtLVndEClZ1VzBTQmVtbE9ENnRDUFowWmVlMEtITUliMUh4T3kwblM3akYxRm84Ukw0K25lMDB4ZEhmelNZcm5JSWZpSy8KL3UraVNpTk80RjhNQlo5RzI1OFhzcS9zVkpJWkhCRE9ad3M2emZkMklvdUdubFF5QU5tdEpHeTFTNDNOaFcvbwp0aTJQTlVzQ2hMdy9hQ21COEVlU3BRb0FZeHhVTW1SK3pHUEY2VGszQ3Z6T1c2ekczT1g3bWhzMVdtU1orTS9tCjJRbElKRWpQQVYzWDJMOUN5UTRucW5MSks5dDltcWpaOFJyRmcwNFR0QnhEYUdYazAvQ2JlSURibUxPRitOdzMKOWhUNm9QNlhoaGNHb0h2dG91MndUOU5GTjdxY1R5cC9GaDFRaktxdTJLOWNyUWs3Wk52QUdGVWdISnBhb0UxRAp2NzV3cGp3bG1TSU5Bdz09Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K   server.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURpakNDQW5LZ0F3SUJBZ0lKQU81Tmdld0hENmdvTUEwR0NTcUdTSWIzRFFFQkJRVUFNQlF4RWpBUUJnTlYKQkFNTUNWZHBjMlV5WXlCRFFUQWdGdzB4T1RBM01UVXdOalUwTlRGYUdBOHlNVEU1TURZeU1UQTJOVFExTVZvdwpZekVMTUFrR0ExVUVCaE1DUTA0eEVUQVBCZ05WQkFnTUNGTm9aVzVhYUdWdU1Rc3dDUVlEVlFRSERBSlRXakVQCk1BMEdBMVVFQ2d3R1YybHpaVEpqTVE4d0RRWURWUVFMREFaWGFYTmxNbU14RWpBUUJnTlZCQU1NQ1ZkcGMyVXkKWXlCRFFUQ0NBU0l3RFFZSktvWklodmNOQVFFQkJRQURnZ0VQQURDQ0FRb0NnZ0VCQUxVQXZFdkxjQ3hKbzhBaApVcUppeC9mZkNHUkdYc3FyYlpYcXd6c0dzL0tEcmF5NXVMd3lwcEtBSXgxaFVGZGkraER5SW5nalArQzRmRys0CkFKSGtKNWFqNFFEV0theFVrSHVrTmVaejJnOHlZZHQrYytlWHRTc25BRjZTbjdyanp0cTJab0lWRFNtR0lvNk4KSUFTNWtJWjRzMXIzSEcvRjZuVlA3Smg1R255VmxxWmpCenFnQ2RQZE5WSDRPVDdwWFJQUmN6c3Y1anVOTW1iNgpjcWlheTM1cytNTFVxMEZUM0tkd0Q4dm1nWjZVNGp5dG93RDJ6TFcxbkVVUUMwMkY4a2hpUFdySUdiUnAyalRJCkRKNXZ3MnBkR1pLVGhkekNQUmxjWnBrYyt5MStHeGdtS2pxeFplN09YMEw4UjlzZ2lGaWZaZUM5b1JDWGhiYUsKL3gwK1lMY0NBd0VBQWFPQmpUQ0JpakF1QmdOVkhTTUVKekFsb1Jpa0ZqQVVNUkl3RUFZRFZRUUREQWxYYVhObApNbU1nUTBHQ0NRQ0pXMWhxTnBXVVpEQUpCZ05WSFJNRUFqQUFNQXNHQTFVZER3UUVBd0lFTURBZEJnTlZIU1VFCkZqQVVCZ2dyQmdFRkJRY0RBUVlJS3dZQkJRVUhBd0l3SVFZRFZSMFJCQm93R0lJV2JHSXRkMlZpYUc5dmF5NWsKWldaaGRXeDBMbk4yWXpBTkJna3Foa2lHOXcwQkFRVUZBQU9DQVFFQTNBcExrYzdJNy93Y2VnYzRvbDNlaGViUApnQjFhaVdRanRiTGtsYmhhMHl0Z2R5UUtua2xvb0U2WnNyZTFLVFpZTzVmakt5OENQaVg5Mm5lZlRNL0VIN1E3CnVnRU8xNE5NcUoxTnNEV09IM3pIZXVuUWhSNHJRNGhVKzJKZk1iRXJCUVNYTDU5QlRMUlpENVVaSUZlTVpsZjAKUTNKTVZCRERsM3lhS1JWTExlY203RjZQRkRCdFhZbFlseFNCREMvNVZqVU9wS3dGcGVZZFlwQmN1MmVoa3dEVQpvRERLYUpNL3htSjFKdm5CK1BIT2U3REd0WVhGZDNyQWZ3cHVmYTJhM09VU3lHZnFlN3FzY1ZWa1RyMUU0c2lmCjArakpKamkvY0RJY01HT1BxQVpiaCtzT0xRSjZqUVl1anphMW03Yit3d2g2YTZQYytVajRmZjFzd25xRHRRPT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=   server.key: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFcEFJQkFBS0NBUUVBdFFDOFM4dHdMRW1qd0NGU29tTEg5OThJWkVaZXlxdHRsZXJET3dhejhvT3RyTG00CnZES21rb0FqSFdGUVYyTDZFUElpZUNNLzRMaDhiN2dBa2VRbmxxUGhBTllwckZTUWU2UTE1blBhRHpKaDIzNXoKNTVlMUt5Y0FYcEtmdXVQTzJyWm1naFVOS1lZaWpvMGdCTG1RaG5peld2Y2NiOFhxZFUvc21Ia2FmSldXcG1NSApPcUFKMDkwMVVmZzVQdWxkRTlGek95L21PNDB5WnZweXFKckxmbXo0d3RTclFWUGNwM0FQeSthQm5wVGlQSzJqCkFQYk10YldjUlJBTFRZWHlTR0k5YXNnWnRHbmFOTWdNbm0vRGFsMFprcE9GM01JOUdWeG1tUno3TFg0YkdDWXEKT3JGbDdzNWZRdnhIMnlDSVdKOWw0TDJoRUplRnRvci9IVDVndHdJREFRQUJBb0lCQUg4OXFDRUVQN1B5aEpuUgpFeDB5b2U2ZkxIQUpoQ09uUlY5SmJMczI2Qk5JL0ROYlVBR0UvZElwSUFaTVhjVkF3QmhmajFtek5mbU0xM1ZWCi9aaVJzajdVcjV6OThNZkRudG84UXVQaGQxNk5oWHRldHE0TTJRQWY1OE9VQVpQSkI2WjY2Uzd6QzVDd1NlUzYKVXRMZmZEajc2dUc4cTVIcnFQbVZHUGJLMDVMV0NqUmZDSlhJMkNMZ1o1WjJLU0dDMno3Nng1OGRHeDZNdG5rSQpKNm9yaDk5WUhQK3pPZ0k0SHdHVUZiZkpwOGZuVHdwRXFrTnhFeHJ1azR0Nlh0QUlmS1JOWkYyQnRIMm1ZazNuCk1Db2pvU1ltVUJoYnE0L0k4RENCdGNkT1pOcnZvc0h0TitLZWI5SFhvSklJd2ZwNDRKcUZhMnhwd3ZCR0FEMFoKRlZYZnZaa0NnWUVBNlVJUUNwdDJwVGlUTll0RCsvbnVMTDhjaEVSd0QvODEySVpxUjZJeC8zbnpNU1BFZmdaUwo3Qkh5bklWd2xHSHRRcC9KY1pDcGFxTExEbWZBUzNlKzhFcGJSZlhGUmpjOS8ySkZtcFMxUHZPQW1jQ1pPUnpQCnlKTXZCK1lSUWkza01nQTZldURtTVNLMGdsbnYxRHVxYmxpWjllWVZLdmdkbm54NkpIMEtWSVVDZ1lFQXhxWnMKdFcvRnM2VlRyL1N1WE5nWDVVL0VTMUpHT1JGcXh1Zk15dTZuVk1YTmJBYldkNDhuR0pJNlVEVStmWkZNY0hlVQpoa3lTT2hKVU9ONnNZZXVIcTJCbGI5cDJ1MnZSa0s4YS8wSWFFc21yWEUzVFVKcUR5S0NCVVd5cmc1cFVKZ3FHCkVsd2hudVRyaVBDMW5NWXJjUzU2N1dZbENndnB0M2VKZzVrUmN3c0NnWUJzbXRmQk9KVkxaRVlXWGh0dlRQVTYKWEZrNHRHekE1Z0Q2S2N0K1F1U29vTzA4YWZ6bytLVFBTYVArZ0pya1c1d09zenNsNTBjYVlXWE45VHl4WnJXKwpSOENybUQwYjdraXRpZUlDa1U2NldzSDcxSk1DNW9sUVNFZFRsQ2xnK09FUTdzNUx2RDh4allraVVDRzhYWE9ECklUbStKanlnM3hsYlczVzdXNFRkeVFLQmdRQy9MYXV4Y2NCekE4bG1yYlNnNWRjWmVZc1FjajNpN2tBMDdTREsKcktPZGtrQUFseFFRUEZVRDhMYnVPay9KeU93bjBPMi8wakZvY2Z0Y1AvRG16Q1hsYVFBMmhhbCs5bVRaT2F4aAp2TndhK0x0U09oUUVucS8xaFlMdk9nWld3VS82ekdYN2hXOVYzRHBSc0ZjWWFoK2s3WGFnd28waS9oUVAzWnNhCmExVy93UUtCZ1FEbkZsUWF5WDdvbjdPYlM0K21yVjhqRXM3Y2VwTmhnMGlRNUhEZHNQSjh0SkRGMWpsNFJ5U1EKK0U5ajEwcTV4M3MyWk9DSGxpeFFyemI5bzdQK2JxWkovTk9uaVFjUG5GV29KVmZjMFVkTk9nT1Z0akw2YnU1SwpRRlVOUmFzdHNkaDdLSHQyWHNYaWlnNzNyRktjQ3JCS1BITlpKUWRrNjh5VENKNmRUZkxzeXc9PQotLS0tLUVORCBSU0EgUFJJVkFURSBLRVktLS0tLQo= kind: Secret metadata:   name: lb-webhook-tls   namespace: default type: Opaque

deployment.yaml

webhook server部署文件除了部署了server，还定义了server端相关的rbac模型。

?

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79

apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata:   name: webhook rules: - apiGroups: ["*"]   resources: ["deployments", "resourcequotas"]   verbs: ["*"] --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata:   name: webhook   namespace: default subjects: - kind: ServiceAccount   name: webhook   namespace: default roleRef:   kind: ClusterRole   name: webhook   apiGroup: rbac.authorization.k8s.io --- apiVersion: v1 kind: ServiceAccount metadata:   name: webhook   namespace: default --- apiVersion: extensions/v1beta1 kind: Deployment metadata:   labels:     com.wise2c.service: lb-webhook   name: lb-webhook   namespace: default spec:   replicas: 1   selector:     matchLabels:       com.wise2c.service: lb-webhook   template:     metadata:       labels:         com.wise2c.service: lb-webhook     spec:       containers:       - image: registry.cn-hangzhou.aliyuncs.com/mojo/lb-webhook:master         imagePullPolicy: IfNotPresent         name: lb-webhook         args:         - "--memory=100Mi"         - "--cpu=200m"         - "--tls-cert-file=/etc/certs/server.crt"         - "--tls-private-key-file=/etc/certs/server.key"         volumeMounts:         - mountPath: /etc/certs           name: config       serviceAccount: webhook       volumes:       - name: config         secret:           secretName: lb-webhook-tls --- apiVersion: v1 kind: Service metadata:   labels:     com.wise2c.service: lb-webhook   name: lb-webhook   namespace: default spec:   ports:   - name: https     port: 443     protocol: TCP     targetPort: 443   selector:     com.wise2c.service: lb-webhook

测试文件定义

在指定的namespace中创建resourcequota。通过两个test文件，一个包含webhook server指定的标签文件test-success.yaml, 另一个不带有指定标签文件test-fail.yaml, apply到对应的namespace中。期望看到test-success.yaml下发以后pod成功启动,test-fail.yaml未能看到相应pod启动。并且edit test-success.yaml的deployment对象发现该对象自动加上了对应的resources。

demo-namespace.yaml

?

1 2 3 4

apiVersion: v1 kind: Namespace metadata:   name: webhook-demo

quota.yaml

?

1 2 3 4 5 6 7 8

apiVersion: v1 kind: ResourceQuota metadata:   name: compute-resources   namespace: webhook-demo spec:   hard:     limits.memory: 2Gi

test-success.yaml

?

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24

apiVersion: extensions/v1beta1 kind: Deployment metadata:   labels:     run: web-success     io.wise2c.service.type: lb # 上文提到的特定标签   name: web-success   namespace: webhook-demo spec:   selector:     matchLabels:       run: web-success   template:     metadata:       labels:         run: web-success     spec:       containers:         - image: nginx           imagePullPolicy: Always           name: web           ports:             - containerPort: 80               protocol: TCP

test-fail.yaml

?

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23

apiVersion: extensions/v1beta1 kind: Deployment metadata:   labels:     run: web   name: web-fail   namespace: webhook-demo spec:   selector:     matchLabels:       run: web-fail   template:     metadata:       labels:         run: web-fail     spec:       containers:         - image: nginx           imagePullPolicy: Always           name: web           ports:             - containerPort: 80               protocol: TCP

测试：

?

1 2 3 4 5 6 7 8

kubectl apply -f admissionregistration.yaml kubectl apply -f secret.yaml kubectl apply -f deployment.yaml   kubectl apply -f demo-namespace.yaml kubectl apply -f quota.yaml kubectl apply -f test-fail.yaml kubectl apply -f test-success.yaml

结果如下:　　

?

1 2 3 4 5 6 7

[root@dev-7 webhook]# kubectl apply -f test-fail.yaml deployment.extensions/web-fail created [root@dev-7 webhook]# kubectl apply -f test-success.yaml deployment.extensions/web-success created [root@dev-7 webhook]# kubectl get po -n webhook-demo NAME                           READY     STATUS              RESTARTS   AGE web-success-85fd64db95-wl9xx   0/1       ContainerCreating   0          9s

上述结果和期望的一致, webhook到此结束。

参考：https://mp.weixin.qq.com/s/Z6ucuqNs2rOaPzwhvW-bmw

参考：https://kubernetes.io/zh/docs/reference/access-authn-authz/extensible-admission-controllers/