kotari/nsat
Intercept Pods scheduled to a Namespace and add Node Affinity, Tolerations, Annotations etc.

First things first. Most of the webhook examples are written in Go, and this is an effort to offer similar functionality for Python developers.

Under the hood, the API server can invoke admission webhooks before persisting an object's state to etcd.

The challenge in writing a webhook is not the webhook code but enabling mTLS between the API server and the webhook. So I will describe the steps to generate a self-signed certificate and configure it before delving into the webhook code.

certgen.sh

  • Generate the certificate authority key

    openssl genrsa -out ca.key 2048

  • Use the certificate authority key to generate the certificate authority certificate

    openssl req -x509 -new -nodes -key ca.key -days 10000 -out ca.crt -subj "/CN=admission_ca"

  • Base64-encode the CA certificate so it can be added to caBundle in webhook.yaml

    cat ca.crt | base64

  • Generate the server key (same as for the certificate authority key)

    openssl genrsa -out server.key 2048

  • Create a certificate signing request for the server. The Common Name is nsat.hooks.svc: nsat (name of the pod), hooks (namespace in which the pod is deployed), svc (K8S suffix for a service). Update DNS.1 in server.conf to match the common name, otherwise the API server's hostname check against the certificate's SAN fails.

    openssl req -new -key server.key -out server.csr -subj "/CN=nsat.hooks.svc" -config ../server.conf

  • Sign the CSR (certificate signing request) with the certificate authority generated in step 2

    openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 10000 -extensions v3_req -extfile ../server.conf

Deep Dive

webhook.yaml has a namespaceSelector that restricts the webhook to namespaces labelled webhook: enabled

    namespaceSelector:
      matchLabels:
        webhook: enabled

In addition, the file defines the webhook to act when a pod is being created. It also defines clientConfig.service, the Service the API server delegates the admission call to. In this case the call is delegated to a Python API written in Flask. When the API is containerized it runs as a gunicorn process instead of as a stand-alone Flask application.

nsafftolerations.yaml contents

  • Defines the namespace hooks for deploying the webhook code
  • Defines the secret used to run gunicorn in HTTPS mode. servercrt.pem and serverkey.pem are generated by certgen.sh
  • Defines the configmap in which rules.yaml is generated with namespace-specific affinity and tolerations
  • Defines the deployment where the certs and rules.yaml are mounted so the rules can be enforced
  • Defines the service so the API server can communicate with the webhook
  • Finally, it also defines namespaces to test the webhook
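The following is an added illustration, not code from this repository, of the mutation the webhook described above performs: it takes the AdmissionReview the API server sends, looks up the pod's namespace in a rules table standing in for rules.yaml (the namespace, label key and values are constructed), and returns a base64-encoded JSON patch that adds node affinity and tolerations. It also covers the edge cases a patch must get right: a pod that already carries tolerations (append with the "-" index instead of overwriting) and a namespace with no rule (allow, no patch).

```python
import base64
import json

# Constructed stand-in for rules.yaml: per-namespace affinity and tolerations (hypothetical values).
RULES = {
    "team-a": {
        "nodeSelectorTerms": [{"matchExpressions": [
            {"key": "pool", "operator": "In", "values": ["team-a-pool"]}]}],
        "tolerations": [{"key": "pool", "operator": "Equal",
                         "value": "team-a", "effect": "NoSchedule"}],
    },
}

def build_patch(pod, rule):
    """Return RFC 6902 operations adding the namespace's affinity and tolerations to the pod."""
    ops = []
    spec = pod.get("spec", {})
    if "affinity" not in spec:
        ops.append({"op": "add", "path": "/spec/affinity", "value": {}})
    # Set a required node affinity only if the pod did not already declare one.
    if "nodeAffinity" not in spec.get("affinity", {}):
        ops.append({"op": "add", "path": "/spec/affinity/nodeAffinity", "value": {
            "requiredDuringSchedulingIgnoredDuringExecution": {
                "nodeSelectorTerms": rule["nodeSelectorTerms"]}}})
    if "tolerations" not in spec:
        ops.append({"op": "add", "path": "/spec/tolerations", "value": list(rule["tolerations"])})
    else:
        # Append to the existing array; "-" addresses the position after the last element.
        for tol in rule["tolerations"]:
            ops.append({"op": "add", "path": "/spec/tolerations/-", "value": tol})
    return ops

def mutate(review, rules=RULES):
    """Build the AdmissionReview response for an AdmissionReview request (Pod CREATE)."""
    req = review["request"]
    resp = {"uid": req["uid"], "allowed": True}
    rule = rules.get(req.get("namespace"))
    if rule and req.get("kind", {}).get("kind") == "Pod":
        patch = build_patch(req["object"], rule)
        if patch:
            resp["patchType"] = "JSONPatch"
            resp["patch"] = base64.b64encode(json.dumps(patch).encode()).decode()
    return {"apiVersion": review["apiVersion"], "kind": "AdmissionReview", "response": resp}

def decode_patch(response):
    """Decode the base64 JSON patch from a mutate() result, for inspection or logging."""
    return json.loads(base64.b64decode(response["response"]["patch"]))
```

In the Flask app this would be the body of the POST handler, with mutate() applied to request.get_json() and the returned dict serialized as the HTTP response.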

To run the code on a local minikube with self-signed certs:

  • Run ./certgen.sh
  • Copy the base64 text into nsafftolerations-k8s.yaml and webhook.yaml as described in the shell output
  • kubectl apply -f nsafftolerations-k8s.yaml
  • kubectl apply -f webhook.yaml
  • kubectl apply -f pod.yaml
