Kubernetes documentation about admission webhooks: https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers
```bash
# Private key and a CSR whose CN is the webhook Service's in-cluster DNS name
openssl genrsa -out certs/tls.key 2048
openssl req -new -key certs/tls.key -out certs/tls.csr -subj "/CN=demo-webhook-svc.default.svc"
# Self-signed cert; the API server checks the SAN, not the CN, so the service name must be
# in the SAN. Without -days, openssl x509 -req defaults to 30 days of validity.
openssl x509 -req -extfile <(printf "subjectAltName=DNS:demo-webhook-svc.default.svc") -in certs/tls.csr -signkey certs/tls.key -out certs/tls.crt
# Store the pair as a TLS secret for the webhook server and keep a manifest copy of it
kubectl create secret tls demo-webhook-tls \
  --cert "certs/tls.crt" \
  --key "certs/tls.key" -n default
kubectl get secret demo-webhook-tls -n default -oyaml > k8s/tls-secret.yaml
# The cert is self-signed, so it is its own CA: base64 it without line breaks for the
# caBundle field of the webhook configuration
ENCODED_CA=$(cat certs/tls.crt | base64 | tr -d '\n')
```
The service default path is `/`; our server listens on `/validate` on port 443, see https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#service-reference
- Docker and Go installed (optionally tmux and k9s for `task demo`)
- Install taskfile
- Generate the CA and certs as explained in the first section, or use CertManager
- Run `task demo`
- Run `task k8s-up`
- Try to deploy the example pods `allowed-pod.yaml` and `unallowed-pod.yaml`
- See the messages you receive when trying to apply the unallowed-pod yaml
- In the `admission-go` pod you can see the logs that show what was sent as a request and the reason for the approval/rejection
- Verify the resource is a pod
- Check all containers in the pod, not only the first (main.go#L72)
- Check for a minimum resource value
- CertManager CA injector as an automated alternative to generating the certs
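As an added example (not the project's own code, and not its `main.go`), a Go decision function covering the checklist above and the decision behind the `/validate` endpoint: it decodes an AdmissionReview, verifies the kind is Pod, and checks every container's memory request, not only the first. The `review` type, the `minMemoryMi` threshold, the constructed `sample` AdmissionReview and the `Mi`-only quantity parsing are assumptions made for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
	"strings"
)

const minMemoryMi = 64 // assumed per-container minimum memory request, in MiB
// sample is a constructed AdmissionReview whose second container has no memory request.
const sample = `{"request":{"uid":"u1","kind":{"kind":"Pod"},"object":{"spec":{"containers":[{"name":"app","resources":{"requests":{"memory":"128Mi"}}},{"name":"sidecar"}]}}}}`

// Only the AdmissionReview/Pod fields this check reads; hand-written so the demo needs no k8s.io dependency.
type review struct {
	Request struct {
		UID    string                              `json:"uid"`
		Kind   struct{ Kind string `json:"kind"` } `json:"kind"`
		Object struct {
			Spec struct {
				Containers []struct {
					Name      string                                                 `json:"name"`
					Resources struct{ Requests map[string]string `json:"requests"` } `json:"resources"`
				} `json:"containers"`
			} `json:"spec"`
		} `json:"object"`
	} `json:"request"`
}

// Validate applies the checklist to one AdmissionReview body: the object must be a Pod and every
// container (not only the first) must request at least minMemoryMi. The uid must be echoed in the response.
func Validate(body []byte) (uid string, allowed bool, msg string) {
	var r review
	if err := json.Unmarshal(body, &r); err != nil {
		return "", false, "malformed AdmissionReview: " + err.Error()
	}
	if uid = r.Request.UID; r.Request.Kind.Kind != "Pod" {
		return uid, false, "only Pod resources are validated"
	}
	for _, c := range r.Request.Object.Spec.Containers {
		// Demo assumption: only the "<n>Mi" form is parsed; anything else, including a missing request, is rejected.
		q := c.Resources.Requests["memory"]
		mi, err := strconv.Atoi(strings.TrimSuffix(q, "Mi"))
		if !strings.HasSuffix(q, "Mi") || err != nil || mi < minMemoryMi {
			return uid, false, fmt.Sprintf("container %q must request at least %dMi memory", c.Name, minMemoryMi)
		}
	}
	return uid, true, "all containers meet the minimum memory request"
}
func main() { fmt.Println(Validate([]byte(sample))) } // prints: u1 false container "sidecar" must request at least 64Mi memory
```

Serving it is the usual `http.HandleFunc("/validate", ...)` over the TLS pair from the first section: read the body, call `Validate`, and encode an AdmissionReview response carrying the returned uid, `allowed` and a status message.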