GithubHelp home page GithubHelp logo

fourhu / kube-mutating-webhook-tutorial Goto Github PK

View Code? Open in Web Editor NEW

This project forked from morvencao/kube-sidecar-injector

0.0 0.0 0.0 198 KB

A Kubernetes mutating webhook server that implements sidecar injection

License: Apache License 2.0

Go 57.10% Shell 22.30% Dockerfile 3.83% Makefile 16.76%

kube-mutating-webhook-tutorial's Introduction

Kubernetes Mutating Webhook for Sidecar Injection

GoDoc

This tutoral shows how to build and deploy a MutatingAdmissionWebhook that injects a nginx sidecar container into pod prior to persistence of the object.

Prerequisites

  • git
  • go version v1.12+
  • docker version 17.03+
  • kubectl version v1.11.3+
  • Access to a Kubernetes v1.11.3+ cluster with the admissionregistration.k8s.io/v1beta1 API enabled. Verify that by the following command:
kubectl api-versions | grep admissionregistration.k8s.io

The result should be:

admissionregistration.k8s.io/v1
admissionregistration.k8s.io/v1beta1

Note: In addition, the MutatingAdmissionWebhook and ValidatingAdmissionWebhook admission controllers should be added and listed in the correct order in the admission-control flag of kube-apiserver.

Build

  1. Build binary
# make build
  1. Build docker image
# make build-image
  1. push docker image
# make push-image

Note: log into the docker registry before pushing the image.

Deploy

  1. Create namespace sidecar-injector in which the sidecar injector webhook is deployed:
# kubectl create ns sidecar-injector
  1. Create a signed cert/key pair and store it in a Kubernetes secret that will be consumed by sidecar injector deployment:
# ./deploy/webhook-create-signed-cert.sh \
    --service sidecar-injector-webhook-svc \
    --secret sidecar-injector-webhook-certs \
    --namespace sidecar-injector
  1. Patch the MutatingWebhookConfiguration by set caBundle with correct value from Kubernetes cluster:
# cat deploy/mutatingwebhook.yaml | \
    deploy/webhook-patch-ca-bundle.sh > \
    deploy/mutatingwebhook-ca-bundle.yaml
  1. Deploy resources:
# kubectl create -f deploy/nginxconfigmap.yaml
# kubectl create -f deploy/configmap.yaml
# kubectl create -f deploy/deployment.yaml
# kubectl create -f deploy/service.yaml
# kubectl create -f deploy/mutatingwebhook-ca-bundle.yaml

Verify

  1. The sidecar inject webhook should be in running state:
# kubectl -n sidecar-injector get pod
NAME                                                   READY   STATUS    RESTARTS   AGE
sidecar-injector-webhook-deployment-7c8bc5f4c9-28c84   1/1     Running   0          30s
# kubectl -n sidecar-injector get deploy
NAME                                  READY   UP-TO-DATE   AVAILABLE   AGE
sidecar-injector-webhook-deployment   1/1     1            1           67s
  1. Create new namespace injection and label it with sidecar-injector=enabled:
# kubectl create ns injection
# kubectl label namespace injection sidecar-injection=enabled
# kubectl get namespace -L sidecar-injection
NAME                 STATUS   AGE   SIDECAR-INJECTION
default              Active   26m
injection            Active   13s   enabled
kube-public          Active   26m
kube-system          Active   26m
sidecar-injector     Active   17m
  1. Deploy an app in Kubernetes cluster, take alpine app as an example
# kubectl run alpine --image=alpine --restart=Never -n injection --overrides='{"apiVersion":"v1","metadata":{"annotations":{"sidecar-injector-webhook.morven.me/inject":"yes"}}}' --command -- sleep infinity
  1. Verify sidecar container is injected:
# kubectl get pod
NAME                     READY     STATUS        RESTARTS   AGE
alpine                   2/2       Running       0          1m
# kubectl -n injection get pod alpine -o jsonpath="{.spec.containers[*].name}"
alpine sidecar-nginx

Troubleshooting

Sometimes you may find that pod is injected with sidecar container as expected, check the following items:

  1. The sidecar-injector webhook is in running state and no error logs.
  2. The namespace in which application pod is deployed has the correct labels as configured in mutatingwebhookconfiguration.
  3. Check the caBundle is patched to mutatingwebhookconfiguration object by checking if caBundle fields is empty.
  4. Check if the application pod has annotation sidecar-injector-webhook.morven.me/inject":"yes".

kube-mutating-webhook-tutorial's People

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    ๐Ÿ–– Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. ๐Ÿ“Š๐Ÿ“ˆ๐ŸŽ‰

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google โค๏ธ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.