For an introduction to AdmissionWebhook, see the blog post Kubernetes AdmissionWebhook.
How the webhook works
- Register the webhook server
- A resource operation request passes API Server authentication and authorization
- Based on the registration information, the API server calls back the matching webhook server
Webhook registration explained
apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingWebhookConfiguration
metadata:
  name: config
webhooks:
  - name: lb-webhook.default.svc ①
    rules: ②
      - apiGroups:
          - "*"
        apiVersions:
          - "*"
        operations:
          - CREATE
        resources:
          - deployments
    clientConfig:
      service:
        namespace: default ③
        name: lb-webhook ④
        path: /deployments/mutate ⑤
      caBundle: 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 ⑥
① Webhook name
② Describes which resources and which operations on the api-server cause the webhook plugin to be called
③ Namespace the webhook service lives in
④ Webhook service name
⑤ Path of the webhook API that is called
⑥ TLS information for talking to the webhook. The generated certificate must be valid for <svc_name>.<svc_namespace>.svc; this certificate can directly use the k8s cluster's ca.crt (kubectl config view --raw -o json | jq -r '.clusters[0].cluster."certificate-authority-data"' | tr -d '"').
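How the API server decides whether a request hits rule ②, written out as an added Python example (not code from the page or from the lb-webhook project); it generalizes beyond the single rule above to the wildcard forms the resources field accepts ("*", "pods/*", "*/scale", "*/*").

```python
# Constructed example: the rules block from the configuration above, as Python data.
RULES = [{"apiGroups": ["*"], "apiVersions": ["*"],
          "operations": ["CREATE"], "resources": ["deployments"]}]

def resource_matches(pattern, resource, subresource=""):
    """Match one entry of 'resources' against a request's resource/subresource.
    Mirrors the apiserver: 'pods' is the main resource only, '*' is every main
    resource but no subresource, 'pods/*' and '*/scale' use the resource/subresource
    form, and '*/*' matches everything."""
    if "/" not in pattern:
        return subresource == "" and pattern in ("*", resource)
    res_pat, sub_pat = pattern.split("/", 1)
    return res_pat in ("*", resource) and sub_pat in ("*", subresource)

def rule_matches(rule, group, version, operation, resource, subresource=""):
    """True when one RuleWithOperations entry selects the request."""
    def any_of(values, actual):
        return "*" in values or actual in values
    return (any_of(rule["apiGroups"], group)
            and any_of(rule["apiVersions"], version)
            and any_of(rule["operations"], operation)
            and any(resource_matches(p, resource, subresource)
                    for p in rule["resources"]))

def webhook_called(rules, group, version, operation, resource, subresource=""):
    """The API server calls the webhook when any rule in the list matches."""
    return any(rule_matches(r, group, version, operation, resource, subresource)
               for r in rules)
```

With the rule above, only a CREATE of a deployments resource in any group and version reaches the webhook; an UPDATE, a different resource, or the deployments/scale subresource does not.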
Prerequisites
- A Kubernetes cluster at v1.9 or later (I tested on v1.18.6).
- The api server must have MutatingAdmissionWebhook and ValidatingAdmissionWebhook enabled; check with the following command.
kubectl api-versions | grep admissionregistration
> admissionregistration.k8s.io/v1
> admissionregistration.k8s.io/v1beta1
Creating certificates
Creating certificates manually
- Generate a 2048-bit ca.key
openssl genrsa -out ca.key 2048
- Generate ca.crt from ca.key (use the -days parameter to set the certificate's validity period):
openssl req -x509 -new -nodes -key ca.key -subj "/CN=lb-webhook.default.svc" -days 10000 -out ca.crt
- Generate a 2048-bit server.key
openssl genrsa -out server.key 2048
- Create the configuration file used to generate the certificate signing request (CSR) and save it to a file (e.g. csr.conf).
[ req ]
default_bits = 2048
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn

[ dn ]
C = CN
ST = SiChuan
L = SZ
O = Wise2c
OU = Wise2c
CN = lb-webhook.default.svc

[ req_ext ]
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = lb-webhook.default.svc

[ v3_ext ]
authorityKeyIdentifier=keyid,issuer:always
basicConstraints=CA:FALSE
keyUsage=keyEncipherment,dataEncipherment
extendedKeyUsage=serverAuth,clientAuth
subjectAltName=@alt_names
- Generate the certificate signing request from the configuration file:
openssl req -new -key server.key -out server.csr -config csr.conf
- Generate the server certificate using ca.key, ca.crt and server.csr:
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key \
  -CAcreateserial -out server.crt -days 10000 \
  -extensions v3_ext -extfile csr.conf
- Inspect the certificate
openssl x509 -noout -text -in ./server.crt
Deployment
With the steps above, the preparation needed before deployment (the certificates) is done. Next we need to use the certificates.
Deployment file definitions
admissionregistration.yaml; the caBundle in this file is the base64 value of the ca.crt generated above (cat ca.crt | base64 | tr -d '\n'; the field expects standard base64, so do not strip the = padding or switch to the URL-safe alphabet).
apiVersion: admissionregistration.k8s.io/v1beta1
kind: MutatingWebhookConfiguration
metadata:
  name: config
webhooks:
  - name: lb-webhook.default.svc
    rules:
      - apiGroups:
          - "*"
        apiVersions:
          - "*"
        operations:
          - CREATE
        resources:
          - deployments
    clientConfig:
      service:
        namespace: default
        name: lb-webhook
        path: /deployments/mutate
      caBundle: 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
Note: the Apiserver acts as the client and talks to the lb-webhook service over HTTPS with one-way (server-only) authentication. The Apiserver verifies server.crt against ca.crt, so the server.crt that is generated must be valid for lb-webhook.default.svc.
secret.yaml; the entries under data are the base64 values of the three certificate files generated above.
apiVersion: v1
data:
  ca.crt: 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
  server.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURpakNDQW5LZ0F3SUJBZ0lKQU81Tmdld0hENmdvTUEwR0NTcUdTSWIzRFFFQkJRVUFNQlF4RWpBUUJnTlYKQkFNTUNWZHBjMlV5WXlCRFFUQWdGdzB4T1RBM01UVXdOalUwTlRGYUdBOHlNVEU1TURZeU1UQTJOVFExTVZvdwpZekVMTUFrR0ExVUVCaE1DUTA0eEVUQVBCZ05WQkFnTUNGTm9aVzVhYUdWdU1Rc3dDUVlEVlFRSERBSlRXakVQCk1BMEdBMVVFQ2d3R1YybHpaVEpqTVE4d0RRWURWUVFMREFaWGFYTmxNbU14RWpBUUJnTlZCQU1NQ1ZkcGMyVXkKWXlCRFFUQ0NBU0l3RFFZSktvWklodmNOQVFFQkJRQURnZ0VQQURDQ0FRb0NnZ0VCQUxVQXZFdkxjQ3hKbzhBaApVcUppeC9mZkNHUkdYc3FyYlpYcXd6c0dzL0tEcmF5NXVMd3lwcEtBSXgxaFVGZGkraER5SW5nalArQzRmRys0CkFKSGtKNWFqNFFEV0theFVrSHVrTmVaejJnOHlZZHQrYytlWHRTc25BRjZTbjdyanp0cTJab0lWRFNtR0lvNk4KSUFTNWtJWjRzMXIzSEcvRjZuVlA3Smg1R255VmxxWmpCenFnQ2RQZE5WSDRPVDdwWFJQUmN6c3Y1anVOTW1iNgpjcWlheTM1cytNTFVxMEZUM0tkd0Q4dm1nWjZVNGp5dG93RDJ6TFcxbkVVUUMwMkY4a2hpUFdySUdiUnAyalRJCkRKNXZ3MnBkR1pLVGhkekNQUmxjWnBrYyt5MStHeGdtS2pxeFplN09YMEw4UjlzZ2lGaWZaZUM5b1JDWGhiYUsKL3gwK1lMY0NBd0VBQWFPQmpUQ0JpakF1QmdOVkhTTUVKekFsb1Jpa0ZqQVVNUkl3RUFZRFZRUUREQWxYYVhObApNbU1nUTBHQ0NRQ0pXMWhxTnBXVVpEQUpCZ05WSFJNRUFqQUFNQXNHQTFVZER3UUVBd0lFTURBZEJnTlZIU1VFCkZqQVVCZ2dyQmdFRkJRY0RBUVlJS3dZQkJRVUhBd0l3SVFZRFZSMFJCQm93R0lJV2JHSXRkMlZpYUc5dmF5NWsKWldaaGRXeDBMbk4yWXpBTkJna3Foa2lHOXcwQkFRVUZBQU9DQVFFQTNBcExrYzdJNy93Y2VnYzRvbDNlaGViUApnQjFhaVdRanRiTGtsYmhhMHl0Z2R5UUtua2xvb0U2WnNyZTFLVFpZTzVmakt5OENQaVg5Mm5lZlRNL0VIN1E3CnVnRU8xNE5NcUoxTnNEV09IM3pIZXVuUWhSNHJRNGhVKzJKZk1iRXJCUVNYTDU5QlRMUlpENVVaSUZlTVpsZjAKUTNKTVZCRERsM3lhS1JWTExlY203RjZQRkRCdFhZbFlseFNCREMvNVZqVU9wS3dGcGVZZFlwQmN1MmVoa3dEVQpvRERLYUpNL3htSjFKdm5CK1BIT2U3REd0WVhGZDNyQWZ3cHVmYTJhM09VU3lHZnFlN3FzY1ZWa1RyMUU0c2lmCjArakpKamkvY0RJY01HT1BxQVpiaCtzT0xRSjZqUVl1anphMW03Yit3d2g2YTZQYytVajRmZjFzd25xRHRRPT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
  server.key: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFcEFJQkFBS0NBUUVBdFFDOFM4dHdMRW1qd0NGU29tTEg5OThJWkVaZXlxdHRsZXJET3dhejhvT3RyTG00CnZES21rb0FqSFdGUVYyTDZFUElpZUNNLzRMaDhiN2dBa2VRbmxxUGhBTllwckZTUWU2UTE1blBhRHpKaDIzNXoKNTVlMUt5Y0FYcEtmdXVQTzJyWm1naFVOS1lZaWpvMGdCTG1RaG5peld2Y2NiOFhxZFUvc21Ia2FmSldXcG1NSApPcUFKMDkwMVVmZzVQdWxkRTlGek95L21PNDB5WnZweXFKckxmbXo0d3RTclFWUGNwM0FQeSthQm5wVGlQSzJqCkFQYk10YldjUlJBTFRZWHlTR0k5YXNnWnRHbmFOTWdNbm0vRGFsMFprcE9GM01JOUdWeG1tUno3TFg0YkdDWXEKT3JGbDdzNWZRdnhIMnlDSVdKOWw0TDJoRUplRnRvci9IVDVndHdJREFRQUJBb0lCQUg4OXFDRUVQN1B5aEpuUgpFeDB5b2U2ZkxIQUpoQ09uUlY5SmJMczI2Qk5JL0ROYlVBR0UvZElwSUFaTVhjVkF3QmhmajFtek5mbU0xM1ZWCi9aaVJzajdVcjV6OThNZkRudG84UXVQaGQxNk5oWHRldHE0TTJRQWY1OE9VQVpQSkI2WjY2Uzd6QzVDd1NlUzYKVXRMZmZEajc2dUc4cTVIcnFQbVZHUGJLMDVMV0NqUmZDSlhJMkNMZ1o1WjJLU0dDMno3Nng1OGRHeDZNdG5rSQpKNm9yaDk5WUhQK3pPZ0k0SHdHVUZiZkpwOGZuVHdwRXFrTnhFeHJ1azR0Nlh0QUlmS1JOWkYyQnRIMm1ZazNuCk1Db2pvU1ltVUJoYnE0L0k4RENCdGNkT1pOcnZvc0h0TitLZWI5SFhvSklJd2ZwNDRKcUZhMnhwd3ZCR0FEMFoKRlZYZnZaa0NnWUVBNlVJUUNwdDJwVGlUTll0RCsvbnVMTDhjaEVSd0QvODEySVpxUjZJeC8zbnpNU1BFZmdaUwo3Qkh5bklWd2xHSHRRcC9KY1pDcGFxTExEbWZBUzNlKzhFcGJSZlhGUmpjOS8ySkZtcFMxUHZPQW1jQ1pPUnpQCnlKTXZCK1lSUWkza01nQTZldURtTVNLMGdsbnYxRHVxYmxpWjllWVZLdmdkbm54NkpIMEtWSVVDZ1lFQXhxWnMKdFcvRnM2VlRyL1N1WE5nWDVVL0VTMUpHT1JGcXh1Zk15dTZuVk1YTmJBYldkNDhuR0pJNlVEVStmWkZNY0hlVQpoa3lTT2hKVU9ONnNZZXVIcTJCbGI5cDJ1MnZSa0s4YS8wSWFFc21yWEUzVFVKcUR5S0NCVVd5cmc1cFVKZ3FHCkVsd2hudVRyaVBDMW5NWXJjUzU2N1dZbENndnB0M2VKZzVrUmN3c0NnWUJzbXRmQk9KVkxaRVlXWGh0dlRQVTYKWEZrNHRHekE1Z0Q2S2N0K1F1U29vTzA4YWZ6bytLVFBTYVArZ0pya1c1d09zenNsNTBjYVlXWE45VHl4WnJXKwpSOENybUQwYjdraXRpZUlDa1U2NldzSDcxSk1DNW9sUVNFZFRsQ2xnK09FUTdzNUx2RDh4allraVVDRzhYWE9ECklUbStKanlnM3hsYlczVzdXNFRkeVFLQmdRQy9MYXV4Y2NCekE4bG1yYlNnNWRjWmVZc1FjajNpN2tBMDdTREsKcktPZGtrQUFseFFRUEZVRDhMYnVPay9KeU93bjBPMi8wakZvY2Z0Y1AvRG16Q1hsYVFBMmhhbCs5bVRaT2F4aAp2TndhK0x0U09oUUVucS8xaFlMdk9nWld3VS82ekdYN2hXOVYzRHBSc0ZjWWFoK2s3WGFnd28waS9oUVAzWnNhCmExVy93UUtCZ1FEbkZsUWF5WDdvbjdPYlM0K21yVjhqRXM3Y2VwTmhnMGlRNUhEZHNQSjh0SkRGMWpsNFJ5U1EKK0U5ajEwcTV4M3MyWk9DSGxpeFFyemI5bzdQK2JxWkovTk9uaVFjUG5GV29KVmZjMFVkTk9nT1Z0akw2YnU1SwpRRlVOUmFzdHNkaDdLSHQyWHNYaWlnNzNyRktjQ3JCS1BITlpKUWRrNjh5VENKNmRUZkxzeXc9PQotLS0tLUVORCBSU0EgUFJJVkFURSBLRVktLS0tLQo=
kind: Secret
metadata:
  name: lb-webhook-tls
  namespace: default
type: Opaque
deployment.yaml
Besides deploying the server, the webhook server deployment file also defines the RBAC model for the server side. Note that the ClusterRole below grants every verb on deployments and resourcequotas across all API groups; outside a demo, restrict it to the verbs the server actually uses.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: webhook
rules:
  - apiGroups: ["*"]
    resources: ["deployments", "resourcequotas"]
    verbs: ["*"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: webhook
  namespace: default
subjects:
  - kind: ServiceAccount
    name: webhook
    namespace: default
roleRef:
  kind: ClusterRole
  name: webhook
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: webhook
  namespace: default
---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  labels:
    com.wise2c.service: lb-webhook
  name: lb-webhook
  namespace: default
spec:
  replicas: 1
  selector:
    matchLabels:
      com.wise2c.service: lb-webhook
  template:
    metadata:
      labels:
        com.wise2c.service: lb-webhook
    spec:
      containers:
        - image: registry.cn-hangzhou.aliyuncs.com/mojo/lb-webhook:master
          imagePullPolicy: IfNotPresent
          name: lb-webhook
          args:
            - "--memory=100Mi"
            - "--cpu=200m"
            - "--tls-cert-file=/etc/certs/server.crt"
            - "--tls-private-key-file=/etc/certs/server.key"
          volumeMounts:
            - mountPath: /etc/certs
              name: config
      serviceAccount: webhook
      volumes:
        - name: config
          secret:
            secretName: lb-webhook-tls
---
apiVersion: v1
kind: Service
metadata:
  labels:
    com.wise2c.service: lb-webhook
  name: lb-webhook
  namespace: default
spec:
  ports:
    - name: https
      port: 443
      protocol: TCP
      targetPort: 443
  selector:
    com.wise2c.service: lb-webhook
Test file definitions
Create a resourcequota in the chosen namespace. Use two test files: test-success.yaml, which carries the label the webhook server looks for, and test-fail.yaml, which does not; apply both to that namespace. The expectation is that after test-success.yaml is applied its pod starts successfully, while no pod appears for test-fail.yaml. Editing the deployment object from test-success.yaml should also show that the corresponding resources have been added to it automatically.
demo-namespace.yaml
apiVersion: v1
kind: Namespace
metadata:
  name: webhook-demo
quota.yaml
apiVersion: v1
kind: ResourceQuota
metadata:
  name: compute-resources
  namespace: webhook-demo
spec:
  hard:
    limits.memory: 2Gi
test-success.yaml
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  labels:
    run: web-success
    io.wise2c.service.type: lb # the specific label mentioned above
  name: web-success
  namespace: webhook-demo
spec:
  selector:
    matchLabels:
      run: web-success
  template:
    metadata:
      labels:
        run: web-success
    spec:
      containers:
        - image: nginx
          imagePullPolicy: Always
          name: web
          ports:
            - containerPort: 80
              protocol: TCP
test-fail.yaml
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  labels:
    run: web
  name: web-fail
  namespace: webhook-demo
spec:
  selector:
    matchLabels:
      run: web-fail
  template:
    metadata:
      labels:
        run: web-fail
    spec:
      containers:
        - image: nginx
          imagePullPolicy: Always
          name: web
          ports:
            - containerPort: 80
              protocol: TCP
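What the mutating server does with these two Deployments, as an added Python example (not the lb-webhook image's code, which the page does not show): a Deployment carrying the label gets requests and limits injected through a JSON Patch, while an unlabelled one is admitted unchanged and is then left to fail the ResourceQuota. The label and the --cpu/--memory defaults follow the page; the patch shape, the sample AdmissionReview and its uid are constructed.

```python
import base64
import json

# Label that selects Deployments for mutation (from the page's test-success.yaml).
TARGET_LABEL = "io.wise2c.service.type"
TARGET_VALUE = "lb"

def build_patch(deployment, cpu, memory):
    """JSON Patch ops giving every container that lacks resources the same requests
    and limits (assumption: the page does not show the server's actual code)."""
    ops = []
    for i, c in enumerate(deployment["spec"]["template"]["spec"]["containers"]):
        if c.get("resources"):
            continue  # never override what the author already set
        quantity = {"cpu": cpu, "memory": memory}
        ops.append({"op": "add",
                    "path": f"/spec/template/spec/containers/{i}/resources",
                    "value": {"requests": quantity, "limits": dict(quantity)}})
    return ops

def mutate(review, cpu="200m", memory="100Mi"):
    """Handle one AdmissionReview; defaults mirror --cpu=200m --memory=100Mi."""
    req = review["request"]
    obj = req["object"]
    response = {"uid": req["uid"], "allowed": True}
    labels = obj.get("metadata", {}).get("labels", {})
    if labels.get(TARGET_LABEL) == TARGET_VALUE:
        ops = build_patch(obj, cpu, memory)
        if ops:  # unlabelled Deployments pass through untouched (test-fail.yaml)
            response["patchType"] = "JSONPatch"
            response["patch"] = base64.b64encode(json.dumps(ops).encode()).decode()
    return {"apiVersion": review["apiVersion"], "kind": "AdmissionReview",
            "response": response}

def sample_review(name, labels):
    """Constructed AdmissionReview for a CREATE of a one-container nginx Deployment."""
    return {"apiVersion": "admission.k8s.io/v1beta1", "kind": "AdmissionReview",
            "request": {"uid": "11111111-2222-3333-4444-555555555555",
                        "operation": "CREATE",
                        "object": {"kind": "Deployment",
                                   "metadata": {"name": name, "labels": labels},
                                   "spec": {"template": {"spec": {"containers": [
                                       {"name": "web", "image": "nginx"}]}}}}}}

def decoded_patch(result):
    """The JSON Patch carried by a response, or [] when none was issued."""
    patch = result["response"].get("patch")
    return json.loads(base64.b64decode(patch)) if patch else []
```

The patch is what `kubectl edit` later reveals on web-success; web-fail carries no patch and, with no limits.memory set, its ReplicaSet cannot create a pod under the quota.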
Test:
kubectl apply -f admissionregistration.yaml
kubectl apply -f secret.yaml
kubectl apply -f deployment.yaml
kubectl apply -f demo-namespace.yaml
kubectl apply -f quota.yaml
kubectl apply -f test-fail.yaml
kubectl apply -f test-success.yaml
The results are as follows:
[root@dev-7 webhook]# kubectl apply -f test-fail.yaml
deployment.extensions/web-fail created
[root@dev-7 webhook]# kubectl apply -f test-success.yaml
deployment.extensions/web-success created
[root@dev-7 webhook]# kubectl get po -n webhook-demo
NAME READY STATUS RESTARTS AGE
web-success-85fd64db95-wl9xx 0/1 ContainerCreating 0 9s
The result above matches the expectation, which concludes the webhook walkthrough.
Reference: https://kubernetes.io/zh/docs/reference/access-authn-authz/extensible-admission-controllers/