Skip to content

Kubernetes-Learning-Playground/k8s-webhook-develop

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

21 Commits
client
client
 
 
image
image
 
 
pkg
pkg
 
 
yaml
yaml
 
 
.gitignore
.gitignore
 
 
README.md
README.md
 
 
go.mod
go.mod
 
 
go.sum
go.sum
 
 
main.go
main.go
 
 
readme.txt
readme.txt
 
 

Repository files navigation

k8s-webhook-develop

项目思路

1. Validate

使用k8s插件的webhook功能,部署ValidatingWebhookConfiguration资源对象。

支持白名单与黑名单校验镜像的两种方式(选其一)。

(在yaml/deploy.yaml的环境变量WhITE_OR_BLOCK中设置"white" or "black"。)

  1. 白名单:只有列表中的镜像前缀同意创建。

  2. 黑名单:只有列表中的镜像前缀拒绝创建。

注:当部署一个deployment时,只能两者选用其一功能。

2. Mutate

使用k8s插件的webhook功能,部署MutatingWebhookConfiguration资源对象。

  1. 支持替换(replace)pod image模式 或 边车(sidecar)pod image模式
  2. 预计支持sidecar模式的Pod image功能
  3. 增加自定义annotation功能

注:当部署一个deployment时,只能三者选用其一功能。

(在yaml/deploy.yaml的环境变量ANNOTATION_OR_IMAGE中设置"image" or "annotation" or "label"。)

项目部署步骤

  1. 进入目录

  2. 编译镜像

docker run --rm -it -v /root/k8sWebhookPractice:/app -w /app -e GOPROXY=https://goproxy.cn -e CGO_ENABLED=0  golang:1.18.7-alpine3.15 go build -o ./webhookPractice .
  1. 使用cfssl 建立证书 a.下载CA证书软件
# Linux
➜  wget -q --show-progress --https-only --timestamping \
  https://pkg.cfssl.org/R1.2/cfssl_linux-amd64 \
  https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
➜  chmod +x cfssl_linux-amd64 cfssljson_linux-amd64
➜  sudo mv cfssl_linux-amd64 /usr/local/bin/cfssl
➜  sudo mv cfssljson_linux-amd64 /usr/local/bin/cfssljson

b. 创建 CA 证书

➜  cat > ca-config.json <<EOF
{
  "signing": {
    "default": {
      "expiry": "8760h"
    },
    "profiles": {
      "server": {
        "usages": ["signing", "key encipherment", "server auth", "client auth"],
        "expiry": "8760h"
      }
    }
  }
}
EOF

➜  cat > ca-csr.json <<EOF
{
    "CN": "kubernetes",
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "L": "BeiJing",
            "ST": "BeiJing",
            "O": "k8s",
            "OU": "System"
        }
    ]
}
EOF

➜  cfssl gencert -initca ca-csr.json | cfssljson -bare ca
2021/01/23 16:59:51 [INFO] generating a new CA key and certificate from CSR
2021/01/23 16:59:51 [INFO] generate received request
2021/01/23 16:59:51 [INFO] received CSR
2021/01/23 16:59:51 [INFO] generating key: rsa-2048
2021/01/23 16:59:51 [INFO] encoded CSR
2021/01/23 16:59:51 [INFO] signed certificate with serial number 502715407096434913295607470541422244575186494509
➜  ls -la *.pem
-rw-------  1 ych  staff  1675 Jan 23 17:05 ca-key.pem
-rw-r--r--  1 ych  staff  1310 Jan 23 17:05 ca.pem

c.

➜  cat > server-csr.json <<EOF
{
  "CN": "admission",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
        "C": "CN",
        "L": "BeiJing",
        "ST": "BeiJing",
        "O": "k8s",
        "OU": "System"
    }
  ]
}
EOF

➜  cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json \
		-hostname=admission-registry.default.svc -profile=server server-csr.json | cfssljson -bare server
2021/01/23 17:08:37 [INFO] generate received request
2021/01/23 17:08:37 [INFO] received CSR
2021/01/23 17:08:37 [INFO] generating key: rsa-2048
2021/01/23 17:08:37 [INFO] encoded CSR
2021/01/23 17:08:37 [INFO] signed certificate with serial number 701199816701013791180179639053450980282079712724
➜  ls -la *.pem
-rw-------  1 ych  staff  1675 Jan 23 17:05 ca-key.pem
-rw-r--r--  1 ych  staff  1310 Jan 23 17:05 ca.pem
-rw-------  1 ych  staff  1675 Jan 23 17:08 server-key.pem
-rw-r--r--  1 ych  staff  1452 Jan 23 17:08 server.pem

4.使用生成的 server 证书和私钥创建一个 Secret 对象

# 创建Secret
➜  kubectl create secret tls admission-registry-tls \
        --key=server-key.pem \
        --cert=server.pem
secret/admission-registry-tls created
  1. 启动项目(目前支援两个其中一个部署,如果同时部署会报错)
# 如果使用validate webhook
kubectl apply -f deploy.yaml
kubectl apply -f validatewebhook.yaml
# 如果使用 mutate webhook
kubectl apply -f configmaps.yaml
kubectl apply -f nginx-configmap.yaml
kubectl apply -f deploy.yaml
kubectl apply -f mutatewebhook.yaml

[root@vm-0-12-centos yaml]# kubectl apply -f .
deployment.apps/admission-registry created
service/admission-registry created
validatingwebhookconfiguration.admissionregistration.k8s.io/admission-registry created
  1. 测试

test.yaml : 主要测试validate webhook 通过白名单的前缀

test1.yaml:主要测试validate webhook 非白名单的前缀 会报错,也可以测试mutate webhook 更换镜像后不会报错。

test3.yaml:主要测试mutate webhook 新增annotation

kubectl apply -f test.yaml
kubectl apply -f test1.yaml
kubectl apply -f test3.yaml
  1. deployment配置

重点

目录:yaml/deploy.yaml,主要说明配置文件的环境变量

apiVersion: apps/v1
kind: Deployment
metadata:
  name: admission-registry
  labels:
    app: admission-registry
spec:
  replicas: 1
  selector:
    matchLabels:
      app: admission-registry
  template:
    metadata:
      labels:
        app: admission-registry
    spec:
      containers:
        - name: validate
          image: alpine:3.12
          imagePullPolicy: IfNotPresent
          command: ["/app/webhookPractice"]
          env: # 环境变量
            # validate 相关
            - name: WhITE_OR_BLOCK # 使用白名单还是黑名单功能
              value: "white"
            - name: WHITELIST_REGISTRIES # 白名单列表:可自己选填
              value: "docker.io,gcr.io"
            - name: BLACKLIST_REGISTRIES # 黑名单列表:可自己选填
              value: ""
            - name: PORT # 端口
              value: "443"
            # mutate 相关
            - name: MUTATE_OBJECT # 判断mutate是patch镜像功能还是补全annotation
              value: "image" # "image" 或 "annotation" "label"
            - name: ANNOTATION_KEY_VALUE # 可以自定义annotation
              value: "customizeAnnotation:my.practice.admission"
            - name: LABEL_KEY_VALUE # 可以自定义label
              value: "customizeLabel:my.practice.admission"
            - name: MUTATE_PATCH_IMAGE # replace模式的image
              value: "nginx:1.19-alpine"
            - name: MUTATE_PATCH_IMAGE_REPLACE # 区分是replace模式还是sidecar模式
              value: "false"
          ports:
            - containerPort: 443
          volumeMounts:
            - name: webhook-certs
              mountPath: /etc/webhook/certs # 写死的路径
              readOnly: true
            - name: app
              mountPath: /app
            - name: sidecarfile
              mountPath: /etc/webhook/config # 写死的路径
      volumes:
        - name: webhook-certs
          secret: # 把secret 映射到volumes。 最终会转为tls.crt tls.key
            secretName: admission-registry-tls
        - name: app
          hostPath:
            path: /root/k8sWebhookPractice
        - name: sidecarfile # 如果使用sidecar模式,一定要配置此文件
          configMap:
            name: sidecar-injector
---
apiVersion: v1
kind: Service
metadata:
  name: admission-registry
  labels:
    app: admission-registry
spec:
  ports:
    - port: 443
      targetPort: 443
  selector:
    app: admission-registry

About

基于k8s-apiserver的webhook扩展

Topics

go kubernetes kubernetes-webhook

Resources

Readme
Activity
Custom properties

Stars

5 stars

Watchers

1 watching

Forks

1 fork
Report repository

Releases

No releases published

Packages

 
 
 

Languages