This is a Kubernetes admission webhook example, modified from the slackhq repo. It is meant to be used as a validating and mutating admission webhook, as a template for kubebuilder.
This project runs the Kubernetes webhook on a Google Kubernetes Engine cluster.
- kubectl = 1.23
- make = 4.2.1
- Go = 1.18
- Google Kubernetes Engine = 1.21
- To configure the cluster to use the admission webhook and to deploy said webhook, simply run:
❯ make deploy
- Then, make sure the admission webhook pod is running (NAMESPACE can be set in the Makefile):
❯ kubectl get pods -n NAMESPACE
- You can stream logs from it:
❯ make logs
🔍 Streaming simple-kubernetes-webhook logs...
kubectl logs -l app=simple-kubernetes-webhook -n "simple-webhook" -f
time="2022-04-17T10:41:42Z" level=info msg="Listening on port 443..."
time="2022-04-17T11:01:46Z" level=debug msg=healthy uri=/health
time="2022-04-17T11:01:49Z" level=debug msg=healthy uri=/health
- And hit its health endpoint from your local machine:
❯ make port-forward-test.
Open another terminal, and type:
❯ curl -k https://localhost:8443/health
OK
Deploy a valid test pod that gets successfully created:
❯ make pod
🚀 Deploying test pod...
kubectl apply -f dev/manifests/pods/lifespan-seven.pod.yaml
pod/lifespan-seven created
You should see in the admission webhook logs that the pod got mutated and validated.
Deploy an invalid pod that gets rejected:
❯ make bad-pod
🚀 Deploying "bad" pod...
kubectl apply -f dev/manifests/pods/bad-name.pod.yaml
Error from server: error when creating "dev/manifests/pods/bad-name.pod.yaml": admission webhook "simple-kubernetes-webhook.acme.com" denied the request: pod name contains "offensive"
You should see in the admission webhook logs that the pod validation failed. It's possible you will also see that the pod was mutated, as webhook configurations are not ordered.