Adding and managing webhooks in Kubernetes

landonchan
2023-10-08

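Getting the webhook configuration

When developing systems, you often need to add an agent or a similar component to certain specified resources, so I used Kubernetes webhooks for this.

kubectl get MutatingWebhookConfiguration webhook-app -o yaml

MutatingWebhookConfiguration is a cluster-scoped resource, so the command takes no namespace flag.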

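How to write a webhook

I recommend an open-source project: https://github.com/stackrox/admission-controller-webhook-demo

This is the project I used. The concrete scenario is adding an agent to a specified container in the pod before the app is scheduled.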
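The scenario above, as an added example that is not code from the stackrox project or from this post: the core of a `/mutate` handler that builds the JSONPatch response for one named container. It assumes the agent is switched on through an environment variable; `AGENT_ENABLED`, the container name `app` and the sample request are hypothetical.

```go
package main

import (
	"encoding/json"
	"fmt"
)

type obj = map[string]interface{}

type envVar struct {
	Name  string `json:"name"`
	Value string `json:"value"`
}

// sample is a constructed AdmissionReview request, not captured from a cluster.
const sample = `{"request":{"uid":"u-1","object":{"spec":{"containers":[
  {"name":"proxy","env":[{"name":"LOG","value":"info"}]},{"name":"app"}]}}}}`

// Mutate returns the AdmissionReview response that adds agent to the env of
// the container named target and leaves every other container untouched.
func Mutate(body []byte, target string, agent envVar) ([]byte, error) {
	var in struct { // only the request fields this example reads
		Request struct {
			UID    string
			Object struct{ Spec struct{ Containers []struct{ Name string; Env []envVar } } }
		}
	}
	if err := json.Unmarshal(body, &in); err != nil {
		return nil, err
	}
	resp := obj{"uid": in.Request.UID, "allowed": true}
	for i, c := range in.Request.Object.Spec.Containers {
		if c.Name != target {
			continue
		}
		path, val := fmt.Sprintf("/spec/containers/%d/env/-", i), interface{}(agent)
		if len(c.Env) == 0 { // appending with "/-" fails when env does not exist yet
			path, val = fmt.Sprintf("/spec/containers/%d/env", i), []envVar{agent}
		}
		patch, _ := json.Marshal([]obj{{"op": "add", "path": path, "value": val}})
		resp["patchType"], resp["patch"] = "JSONPatch", patch // []byte marshals as base64
	}
	return json.Marshal(obj{"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview", "response": resp})
}

func main() { // AGENT_ENABLED and the container name "app" are hypothetical
	out, err := Mutate([]byte(sample), "app", envVar{Name: "AGENT_ENABLED", Value: "true"})
	fmt.Println(string(out), err)
}
```

A pod without the target container is admitted unchanged, because the response then carries no patch.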

How to use it

Refer to the file deployment/deployment.yaml.template.

apiVersion: apps/v1
kind: Deployment
metadata:
  name: webhook-server
  namespace: webhook-demo
  labels:
    app: webhook-server
spec:
  replicas: 1
  selector:
    matchLabels:
      app: webhook-server
  template:
    metadata:
      labels:
        app: webhook-server
    spec:
      securityContext:
        runAsNonRoot: true
        runAsUser: 1234
      containers:
      - name: server
        image: stackrox/admission-controller-webhook-demo:latest
        imagePullPolicy: Always
        ports:
        - containerPort: 8443
          name: webhook-api
        volumeMounts:
        - name: webhook-tls-certs
          mountPath: /run/secrets/tls
          readOnly: true
      volumes:
      - name: webhook-tls-certs
        secret:
          secretName: webhook-server-tls
---
apiVersion: v1
kind: Service
metadata:
  name: webhook-server
  namespace: webhook-demo
spec:
  selector:
    app: webhook-server
  ports:
    - port: 443
      targetPort: webhook-api
---
# admissionregistration.k8s.io/v1beta1 was removed in Kubernetes 1.22; use v1
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
  name: demo-webhook
webhooks:
  - name: webhook-server.webhook-demo.svc
    sideEffects: None
    admissionReviewVersions: ["v1", "v1beta1"]
    clientConfig:
      service:
        name: webhook-server
        namespace: webhook-demo
        path: "/mutate"
      caBundle: ${CA_PEM_B64}
    rules:
      - operations: [ "CREATE" ]
        apiGroups: [""]
        apiVersions: ["v1"]
        resources: ["pods"]
