Prerequisites

A Kubernetes cluster (kind, minikube, etc.)
OpenFaaS CLI
Arkade
Kubectl
KinD

2. Setup Tools

Arkade

$ curl -sLS https://dl.get-arkade.dev | sudo sh

KinD

$ arkade get kind

Kubectl

$ arkade get kubectl

OpenFaaS CLI

$ arkade get faas-cli

Setup

1. Set Up a Kubernetes Cluster with Kind (Optional)

With Kind, you can run a local Kubernetes cluster using Docker containers as nodes. The steps in this section are optional. Follow them only if you don't have a running Kubernetes cluster.

Create a file named openfaas-cluster.yaml, and copy in the following spec:

kind: Cluster
apiVersion: kind.x-k8s.io/v1alpha4
nodes:
- role: control-plane
- role: worker

$ kind create cluster --config kind-specs/kind-cluster.yaml

Deploy OpenFaaS to a Kubernetes Cluster with:

$ arkade install openfaas

Verify that the deployments were created

$ kubectl get deployments -n openfaas -l "release=openfaas, app=openfaas"

3. Deploy Validating Admission Webhook

$ cd deployment
$ sh webhook-create-signed-cert.sh
$ export CA_BUNDLE=$(kubectl config view --minify --flatten -o json | jq -r '.clusters[] | select(.name == "'$(kubectl config current-context)'") | .cluster."certificate-authority-data"')
$ sed -e "s|\${CA_BUNDLE}|${CA_BUNDLE}|g" validatingwebhook.yaml | kubectl apply -f -
$ cd ..
$ DOCKER_USER=username ./build
$ cd deployment
$ kubectl apply -f rbac.yaml
$ kubectl apply -f service.yaml
$ kubectl apply -f deployment.yaml # make sure you are using same 'DOCKER_USER' in deployment.yaml. i.e: devopps
# Label the default namespace to enable the webhook
$ kubectl label namespaces default admission-webhook-example=enabled

4. Building OpenFaaS Function

$ cd functions
$ faas-cli up -f requiredlabel.yml # (build-push-deploy) make sure you are using your docker hub username. i.e: devopps

Verify the functions that are working in openfaas-fn namespace.

5. Testing the whole workflow

K8S API -> WebHook Broker w/TLS -> OpenFaaS Gateway (w/HTTP) --> OpenFaaS Function
The purpose of this PoC is that to validate that pods has required labels. Which means you must have that labels:

app.kubernetes.io/name: sleep
app.kubernetes.io/instance: sleep
app.kubernetes.io/version: "0.1"
app.kubernetes.io/component: dummy
app.kubernetes.io/part-of: admission-webhook-example
app.kubernetes.io/managed-by: kubernetes

Any Pod who have above labels is valid for us.

`./deployment/sleep.yaml` -> Incorrect, not-valid (We should deny this creation request.)
`./deployment/sleep-no-validation.yaml` -> Skip-validation (Based on `admission-webhook-example.qikqiak.com/validate: "false"` annotation, we skipped validation.)
`./deployment/sleep-with-labels.yaml` -> Correct, valid (We should accept this creation request.)

developer-guy / admission-webhook-example-with-openfaas Goto Github PK

admission-webhook-example-with-openfaas's Introduction

Prerequisites

2. Setup Tools

Setup

1. Set Up a Kubernetes Cluster with Kind (Optional)

3. Deploy Validating Admission Webhook

4. Building OpenFaaS Function

5. Testing the whole workflow

6. References

admission-webhook-example-with-openfaas's People

Contributors

Stargazers

Watchers

Forkers

Recommend Projects

React

Vue.js

Typescript

TensorFlow

Django

Laravel

D3

Recommend Topics

javascript

web

server

Machine learning

Visualization

Game

Recommend Org

Facebook

Microsoft

Google

Alibaba

D3

Tencent

Jobs