Deploys a custom Kubernetes validating admission controller.

The controller reviews deployments in namespaces carrying the label `admission-webhook: enabled`.

The controller then uses an OPA (Open Policy Agent) sidecar to decide what to do with the deployment. That level of indirection allows us to use the OPA data API instead of the query API; the data API is much more convenient to manage.

OPA can not only allow or deny an admission, it can also express more advanced policies, most importantly actions to take upon deployments. The policies define a set of processors that are called out-of-band if the deployment is allowed, so the deployment is not slowed down by steps that can take a lot of time. This approach makes it easy to fulfil auditing or archiving requirements.

In the future, things like max/min resource limits, number of instances and so on could also be controlled by central OPA policies.
- GNU Make
- Kubectl
- Docker
- Go > 1.11 (because we are using Go modules)
- OpenSSL
- Kubernetes cluster. The Makefile assumes that `docker build` will install the image in the target cluster's registry. This is the case for Docker Desktop and Minikube, but not for remote clusters.
- OPA (only needed for manual local testing)
- Build & deploy the web hook: `make deploy`
- Try to deploy an application that does not meet the policy: `kubectl apply -f test/deployments/invalid.yaml`
- You should get the following error message:

  ```
  Error from server (Forbidden): error when creating "test/deployments/invalid.yaml": admission webhook "test-validating-webhook.az82.de" denied the request: No explicit image version for the container hello-kubernetes, Invalid Git repository annotation, Invalid Git commit hash annotation
  ```

- Try to deploy an application that meets the policy: `kubectl apply -f test/deployments/valid.yaml`
- Inspect the policies. You can then try to create a deployment that fulfils the policies, or try to tweak the policies.
- Undeploy everything: `make undeploy`
- Clean the workspace: `make clean`
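The three policy checks behind the error message above, written out as an added example in Go (the project's language); this is not the project's own code, and the manifest shape, the annotation keys `example.com/git-repository` and `example.com/git-commit`, and the accepted value formats are assumptions:

```go
package main

import (
	"encoding/json"
	"regexp"
	"strings"
)

// Minimal subset of a Deployment manifest (assumed shape, not the project's own types).
type Deployment struct {
	Metadata struct {
		Annotations map[string]string `json:"annotations"`
	} `json:"metadata"`
	Spec struct {
		Template struct {
			Spec struct {
				Containers []struct {
					Name  string `json:"name"`
					Image string `json:"image"`
				} `json:"containers"`
			} `json:"spec"`
		} `json:"template"`
	} `json:"spec"`
}

// Annotation keys and accepted formats are assumptions, not the project's policy.
const repoKey, commitKey = "example.com/git-repository", "example.com/git-commit"
var repoRe, commitRe = regexp.MustCompile(`^(https://|git@)\S+$`), regexp.MustCompile(`^[0-9a-f]{40}$`)

// Validate returns the admit decision plus reasons in the form of the webhook error above.
func Validate(manifest []byte) (bool, string) {
	var d Deployment
	if err := json.Unmarshal(manifest, &d); err != nil {
		return false, "Malformed deployment: " + err.Error()
	}
	var reasons []string
	for _, c := range d.Spec.Template.Spec.Containers {
		// Look after the last "/" so a registry port (host:5000/img) is not mistaken for a tag.
		ref := c.Image[strings.LastIndex(c.Image, "/")+1:]
		if i := strings.IndexAny(ref, ":@"); i < 0 || ref[i+1:] == "latest" {
			reasons = append(reasons, "No explicit image version for the container "+c.Name)
		}
	}
	if !repoRe.MatchString(d.Metadata.Annotations[repoKey]) {
		reasons = append(reasons, "Invalid Git repository annotation")
	}
	if !commitRe.MatchString(d.Metadata.Annotations[commitKey]) {
		reasons = append(reasons, "Invalid Git commit hash annotation")
	}
	return len(reasons) == 0, strings.Join(reasons, ", ")
}
```

A missing annotations map, an untagged image and a `:latest` tag are all denied; an image pinned by digest (`@sha256:...`) passes the version check.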
Kubernetes currently does not support creating config maps recursively from a directory. That means that policies stored in a config map cannot be organized in directories. See kubernetes/kubernetes#62421 for reference.