Kubernetes Development Guide | Tech Talk: Building a Custom Admission Webhook for Kubernetes
Original author: Ma Tao (马涛)
This article covers a demo admission webhook server, the creation of its certificates, and end-to-end verification. The demo webhook server uses a JSON patch to set the container resources (limits and requests) of Deployments that carry a specific label; the source is at
https://github.com/mojo-zd/kube-webhooks.
1. Why use admission webhooks
Kubernetes admission webhooks give developers a flexible plugin point: after a request has been authenticated and authorized, but before the object is persisted, you can validate it or modify it. Typical uses: injecting sidecars, setting a default ServiceAccount, applying quotas or default resource limits, and so on.
2. How a webhook works
- Register the webhook server with the API server (a MutatingWebhookConfiguration or ValidatingWebhookConfiguration object).
- A resource request passes the API server's authentication and authorization checks.
- Based on the registration, the API server calls back the matching webhook server over HTTPS with an AdmissionReview and applies the answer before persisting the object: a mutating webhook may return a JSON patch, a validating webhook may only allow or deny. Mutating webhooks run first, so validating webhooks see the patched object.
Webhook registration explained

The demo is a mutating webhook (section 5 deploys this same object as a MutatingWebhookConfiguration); the original listing labelled it a ValidatingWebhookConfiguration, which has an identical layout, the only difference being that the API server ignores any patch a validating webhook returns.

```yaml
apiVersion: admissionregistration.k8s.io/v1beta1
kind: MutatingWebhookConfiguration
metadata:
  name: config
webhooks:
  - name: lb-webhook.default.svc        # ①
    rules:                               # ②
      - apiGroups:
          - "*"
        apiVersions:
          - "*"
        operations:
          - CREATE
        resources:
          - deployments
    clientConfig:
      service:
        namespace: default               # ③
        name: lb-webhook                 # ④
        path: /deployments/mutate        # ⑤
      caBundle: <base64-encoded ca.crt>  # ⑥
```
① Webhook name. It must be a fully qualified name with at least three dot-separated segments.
② Which resources and operations trigger the webhook: here, any CREATE of a `deployments` resource in any API group and any version. Nothing else (UPDATE, other kinds) reaches the server.
③ Namespace of the webhook Service.
④ Name of the webhook Service.
⑤ URL path on the webhook server that the API server calls.
⑥ TLS trust for the callback: the base64-encoded CA certificate (ca.crt, not server.crt) that signed the webhook's serving certificate. The API server dials <svc_name>.<svc_namespace>.svc, so the serving certificate must carry that exact name as a subjectAltName.
For the remaining fields (failurePolicy, namespaceSelector, sideEffects and so on) see the documentation:
https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers
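Beyond the fields annotated above, three settings decide how the webhook behaves when something goes wrong, and the demo leaves all of them at their defaults. The registration below is an added example (not the demo's own manifest) that fails closed, keeps the webhook out of namespaces it must never gate, declares that it has no side effects, and narrows the rule to the API groups that actually serve Deployments. The namespace label key `name` is an assumption: on a 1.13 cluster you label the namespaces yourself, since the automatic kubernetes.io/metadata.name label only exists on newer clusters (1.21 and later).

```yaml
apiVersion: admissionregistration.k8s.io/v1beta1
kind: MutatingWebhookConfiguration
metadata:
  name: config
webhooks:
  - name: lb-webhook.default.svc
    # v1beta1 defaults failurePolicy to Ignore, i.e. fail open: if the webhook is down
    # or times out, the API server silently skips the mutation and admits the object.
    failurePolicy: Fail
    # The server only answers with a patch; it changes nothing outside the response.
    sideEffects: None
    # Never call the webhook for kube-system, nor for the namespace hosting the webhook
    # itself: with failurePolicy Fail, gating your own namespace can deadlock a redeploy.
    # Assumes namespaces carry a label name=<namespace>.
    namespaceSelector:
      matchExpressions:
        - key: name
          operator: NotIn
          values: ["kube-system", "default"]
    rules:
      - apiGroups: ["apps", "extensions"]   # only the groups that serve Deployments, not "*"
        apiVersions: ["*"]
        operations: ["CREATE"]
        resources: ["deployments"]
    clientConfig:
      service:
        namespace: default
        name: lb-webhook
        path: /deployments/mutate
      caBundle: <base64-encoded ca.crt>
```

With failurePolicy set to Fail, a broken webhook blocks Deployment creation in every matched namespace, which is why the namespaceSelector matters; test that the excluded namespaces still accept Deployments while the webhook pod is scaled to zero before relying on this in a shared cluster.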
Note: for a reference webhook server implementation, see the test image in the Kubernetes repository:
https://github.com/kubernetes/kubernetes/blob/v1.13.0/test/images/webhook/main.go
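The reference main.go above is the general pattern; what follows is an added example, not the project's code, of the part that matters for this demo: decoding the AdmissionReview, deciding whether the Deployment carries the label the demo looks for (io.wise2c.service.type: lb, the label used by test-success.yaml in section 5), and answering with a JSON patch that sets container resources. The AdmissionReview types are a hand-written subset of admission.k8s.io/v1beta1 so that it builds with the standard library alone; the 1 MiB body cap, the hard-coded 100Mi/200m values and the certificate paths are assumptions that mirror the deployment manifest in section 5. Malformed input is denied rather than allowed, and containers that already declare resources are left alone.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"log"
	"net/http"
)

// Hand-written subset of admission.k8s.io/v1beta1 with the real JSON tags (no k8s.io/api needed).
type AdmissionReview struct {
	Request  *AdmissionRequest  `json:"request,omitempty"`
	Response *AdmissionResponse `json:"response,omitempty"`
}
type AdmissionRequest struct {
	UID    string          `json:"uid"`
	Object json.RawMessage `json:"object"` // the Deployment as submitted, before persistence
}
type AdmissionResponse struct {
	UID       string            `json:"uid"`
	Allowed   bool              `json:"allowed"`
	Result    map[string]string `json:"status,omitempty"` // metav1.Status subset: {"message": ...}
	Patch     []byte            `json:"patch,omitempty"`  // []byte marshals as base64, which the API expects
	PatchType *string           `json:"patchType,omitempty"`
}
// patchOp is one RFC 6902 JSON Patch operation.
type patchOp struct {
	Op    string      `json:"op"`
	Path  string      `json:"path"`
	Value interface{} `json:"value"`
}
// deployment holds only the Deployment fields the mutation reads.
type deployment struct {
	Metadata struct{ Labels map[string]string `json:"labels"` } `json:"metadata"`
	Spec     struct {
		Template struct {
			Spec struct {
				Containers []struct{ Resources map[string]interface{} `json:"resources"` } `json:"containers"`
			} `json:"spec"`
		} `json:"template"`
	} `json:"spec"`
}

const labelKey, labelValue = "io.wise2c.service.type", "lb" // only Deployments with this label are mutated
var jsonPatch = "JSONPatch"

// buildPatch returns JSON Patch ops giving every container without explicit resources
// the given limits and requests; a nil result means nothing to change.
func buildPatch(obj []byte, mem, cpu string) ([]patchOp, error) {
	var d deployment
	if err := json.Unmarshal(obj, &d); err != nil {
		return nil, fmt.Errorf("decode deployment: %w", err)
	}
	if d.Metadata.Labels[labelKey] != labelValue {
		return nil, nil
	}
	res := map[string]map[string]string{"limits": {"memory": mem, "cpu": cpu}, "requests": {"memory": mem, "cpu": cpu}}
	var ops []patchOp
	for i, c := range d.Spec.Template.Spec.Containers {
		if len(c.Resources) == 0 { // never override values the author set explicitly
			ops = append(ops, patchOp{Op: "add", Path: fmt.Sprintf("/spec/template/spec/containers/%d/resources", i), Value: res})
		}
	}
	return ops, nil
}

// admit turns a serialized AdmissionReview into the review to send back. Anything that
// cannot be parsed is denied (Allowed stays false) instead of being waved through.
func admit(body []byte, mem, cpu string) *AdmissionReview {
	out := &AdmissionReview{Response: &AdmissionResponse{}}
	resp := out.Response
	var in AdmissionReview
	if err := json.Unmarshal(body, &in); err != nil || in.Request == nil {
		resp.Result = map[string]string{"message": "malformed AdmissionReview"}
		return out
	}
	resp.UID = in.Request.UID // the API server matches the response to the request by UID
	ops, err := buildPatch(in.Request.Object, mem, cpu)
	if err != nil {
		resp.Result = map[string]string{"message": err.Error()}
		return out
	}
	resp.Allowed = true
	if len(ops) > 0 {
		resp.Patch, _ = json.Marshal(ops) // only strings and maps inside: cannot fail
		resp.PatchType = &jsonPatch
	}
	return out
}

// handleMutate serves /deployments/mutate, the path registered in clientConfig.
func handleMutate(w http.ResponseWriter, r *http.Request) {
	body, err := io.ReadAll(io.LimitReader(r.Body, 1<<20)) // assumed 1 MiB cap on what we buffer
	if err != nil {
		http.Error(w, err.Error(), http.StatusBadRequest)
		return
	}
	w.Header().Set("Content-Type", "application/json")
	json.NewEncoder(w).Encode(admit(body, "100Mi", "200m")) // the demo's --memory/--cpu values
}

func main() {
	http.HandleFunc("/deployments/mutate", handleMutate)
	// Port and paths mirror the Service targetPort and the Secret mount used in section 5.
	log.Fatal(http.ListenAndServeTLS(":443", "/etc/certs/server.crt", "/etc/certs/server.key", nil))
}
```

Two choices are deliberate: the handler answers `allowed: false` for anything it cannot decode, so an attacker cannot bypass the mutation by sending an object the server fails to parse, and the patch uses RFC 6902 `add` on the `resources` path, which the API server applies to the object exactly as it was submitted (the `uid` ties the response to the request).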
3. Prerequisites
- A Kubernetes cluster at v1.9 or later (the author tested on v1.13.6).
- The API server must have the MutatingAdmissionWebhook and ValidatingAdmissionWebhook admission plugins enabled. They are part of the default set on current releases; otherwise add them to the kube-apiserver --enable-admission-plugins flag. The command below confirms that the admissionregistration API group is served, which is what registering a webhook needs; the output should contain admissionregistration.k8s.io/v1beta1:
```
kubectl api-versions | grep admissionregistration
admissionregistration.k8s.io/v1beta1
```
4. Creating the certificates
Creating the certificates by hand
- Generate a 2048-bit CA key, ca.key:
```
openssl genrsa -out ca.key 2048
```
- Generate ca.crt from ca.key (the -days argument sets the validity; 10000 days is convenient for a demo but far longer than a production CA should live). ca.key signs the serving certificate and is never needed inside the cluster, so keep it off the cluster entirely:
```
openssl req -x509 -new -nodes -key ca.key -subj "/CN=lb-webhook.default.svc" -days 10000 -out ca.crt
```
The CA and the server certificate share a CN here; this works because their full subject DNs still differ (the server certificate adds C, ST, L, O and OU), but giving the CA its own CN makes the chain easier to read.
- Generate a 2048-bit server key, server.key:
```
openssl genrsa -out server.key 2048
```
- Create the configuration file for the certificate signing request (CSR) and save it as csr.conf. The subjectAltName is the part that matters: it must be the service DNS name the API server dials. The original listing lost the commas in the multi-valued extension lines; they are restored here, and digitalSignature is added to keyUsage because ECDHE cipher suites sign with the RSA key rather than using it for key encipherment.
```
[ req ]
default_bits = 2048
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn

[ dn ]
C = CN
ST = SiChuan
L = SZ
O = Wise2c
OU = Wise2c
CN = lb-webhook.default.svc

[ req_ext ]
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = lb-webhook.default.svc

[ v3_ext ]
authorityKeyIdentifier=keyid,issuer:always
basicConstraints=CA:FALSE
keyUsage=digitalSignature,keyEncipherment,dataEncipherment
extendedKeyUsage=serverAuth,clientAuth
subjectAltName=@alt_names
```
- Generate the CSR from the configuration file:
```
openssl req -new -key server.key -out server.csr -config csr.conf
```
- Issue the server certificate with ca.key, ca.crt and server.csr. The -extensions and -extfile arguments are what carry the SAN into the issued certificate: openssl x509 -req does not copy extensions from the CSR, so without them server.crt would have no subjectAltName:
```
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key \
  -CAcreateserial -out server.crt -days 10000 \
  -extensions v3_ext -extfile csr.conf
```
- Inspect the certificate and confirm that X509v3 Subject Alternative Name lists lb-webhook.default.svc. Go 1.15 and later, and therefore recent kube-apiserver builds, ignore the CN entirely, so a certificate without the SAN fails the TLS handshake:
```
openssl x509 -noout -text -in ./server.crt
```
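The same procedure in Go, using only the standard library, as an added example (not the demo's Makefile or scripts): it issues a CA and a server certificate carrying the service name as subjectAltName, writes the three files the Secret in section 5 expects, prints the caBundle value, and VerifyServerCert performs the check the API server performs when it dials the webhook, so the <svc_name>.<svc_namespace>.svc requirement from ⑥ can be confirmed before anything is deployed. The CA common name lb-webhook-ca and the one-year validity are assumptions.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"os"
	"time"
)

// Bundle holds the three PEM files the Secret expects. The CA key is deliberately absent:
// it never needs to leave the machine that signs.
type Bundle struct {
	CACert, ServerCert, ServerKey []byte
}

// GenerateWebhookCerts mirrors the openssl steps: a self-signed CA, then a server
// certificate signed by it whose subjectAltName is the in-cluster service name.
func GenerateWebhookCerts(dnsName string, validFor time.Duration) (*Bundle, error) {
	now := time.Now()
	caKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "lb-webhook-ca"}, // assumed CA name, distinct from the server CN
		NotBefore:             now.Add(-time.Minute),
		NotAfter:              now.Add(validFor),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	caCert, err := x509.ParseCertificate(caDER)
	if err != nil {
		return nil, err
	}
	srvKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	srvTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: dnsName, Organization: []string{"Wise2c"}},
		DNSNames:     []string{dnsName}, // the SAN is what the API server matches; a CN alone is not enough
		NotBefore:    now.Add(-time.Minute),
		NotAfter:     now.Add(validFor),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	srvDER, err := x509.CreateCertificate(rand.Reader, srvTmpl, caCert, &srvKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return &Bundle{
		CACert:     pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: caDER}),
		ServerCert: pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: srvDER}),
		ServerKey:  pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(srvKey)}),
	}, nil
}

// VerifyServerCert does what kube-apiserver does with caBundle when it dials the webhook:
// build a chain from the serving certificate to the CA and check the DNS name.
func VerifyServerCert(caPEM, certPEM []byte, dnsName string) error {
	roots := x509.NewCertPool()
	if !roots.AppendCertsFromPEM(caPEM) {
		return errors.New("caBundle contains no certificate")
	}
	block, _ := pem.Decode(certPEM)
	if block == nil {
		return errors.New("server certificate is not PEM")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return err
	}
	_, err = cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: dnsName})
	return err
}

// CABundle is the one-line value to paste into clientConfig.caBundle.
func CABundle(caPEM []byte) string { return base64.StdEncoding.EncodeToString(caPEM) }

func main() {
	b, err := GenerateWebhookCerts("lb-webhook.default.svc", 365*24*time.Hour) // assumed one-year validity
	if err == nil {
		for name, data := range map[string][]byte{"ca.crt": b.CACert, "server.crt": b.ServerCert, "server.key": b.ServerKey} {
			if err = os.WriteFile(name, data, 0600); err != nil {
				break
			}
		}
	}
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Println("caBundle:", CABundle(b.CACert))
}
```

Run it in an empty directory and it leaves ca.crt, server.crt and server.key behind with the caBundle value on stdout; VerifyServerCert is the pre-flight check worth keeping around, since a certificate issued for the wrong namespace or service name fails it with a hostname error, which is exactly the failure the API server would report later.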
To generate the certificates automatically, use the Makefile in the demo repository:
https://github.com/mojo-zd/kube-webhooks/blob/master/scripts/Makefile
Run make URL=lb-webhook.default.svc; see the project's README.md for details.
Note: cert-manager can also issue the certificates (and renew them automatically before they expire); see the official documentation or
https://github.com/mojo-zd/kube-webhooks/tree/master/deployments/cert-manager
5. Deployment
With the steps above, the prerequisite for deployment (the certificates) is in place. Now we put them to use.
Deployment manifests
- admissionregistration.yaml: caBundle is the base64-encoded content of the ca.crt generated above, on a single line.
```yaml
apiVersion: admissionregistration.k8s.io/v1beta1
kind: MutatingWebhookConfiguration
metadata:
  name: config
webhooks:
  - name: lb-webhook.default.svc
    rules:
      - apiGroups:
          - "*"
        apiVersions:
          - "*"
        operations:
          - CREATE
        resources:
          - deployments
    clientConfig:
      service:
        namespace: default
        name: lb-webhook
        path: /deployments/mutate
      caBundle: <base64-encoded ca.crt>
```
- secret.yaml: the three data entries are the base64-encoded contents of ca.crt, server.crt and server.key. ca.key is not among them and must not be: the cluster needs the CA certificate to trust the webhook, never the key that signs.
```yaml
apiVersion: v1
data:
  ca.crt: <base64-encoded ca.crt>
  server.crt: <base64-encoded server.crt>
  server.key: <base64-encoded server.key>
kind: Secret
metadata:
  name: lb-webhook-tls
  namespace: default
type: Opaque
```
- deployment.yaml
Besides the webhook server itself, this manifest defines the RBAC objects the server runs under. Three things to review before applying it: the ClusterRole grants every verb on deployments and resourcequotas in every API group, which is more than a webhook that reads ResourceQuotas needs (narrow it to the verbs the server actually calls, typically get/list/watch); the image is pulled by the mutable tag :master, so pin a digest for anything beyond a demo; and the extensions/v1beta1 Deployment API used here was removed in Kubernetes 1.16, so on newer clusters use apps/v1. The original listing had a missing comma in the ClusterRole resources list and a namespace on the cluster-scoped ClusterRoleBinding; both are fixed below, and the deprecated serviceAccount field is written as serviceAccountName.
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: webhook
rules:
  - apiGroups: ["*"]
    resources: ["deployments", "resourcequotas"]
    verbs: ["*"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: webhook
subjects:
  - kind: ServiceAccount
    name: webhook
    namespace: default
roleRef:
  kind: ClusterRole
  name: webhook
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: webhook
  namespace: default
---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  labels:
    com.wise2c.service: lb-webhook
  name: lb-webhook
  namespace: default
spec:
  replicas: 1
  selector:
    matchLabels:
      com.wise2c.service: lb-webhook
  template:
    metadata:
      labels:
        com.wise2c.service: lb-webhook
    spec:
      containers:
        - image: registry.cn-hangzhou.aliyuncs.com/mojo/lb-webhook:master
          imagePullPolicy: IfNotPresent
          name: lb-webhook
          args:
            - "--memory=100Mi"
            - "--cpu=200m"
            - "--tls-cert-file=/etc/certs/server.crt"
            - "--tls-private-key-file=/etc/certs/server.key"
          volumeMounts:
            - mountPath: /etc/certs
              name: config
      serviceAccountName: webhook
      volumes:
        - name: config
          secret:
            secretName: lb-webhook-tls
---
apiVersion: v1
kind: Service
metadata:
  labels:
    com.wise2c.service: lb-webhook
  name: lb-webhook
  namespace: default
spec:
  ports:
    - name: https
      port: 443
      protocol: TCP
      targetPort: 443
  selector:
    com.wise2c.service: lb-webhook
```
Test manifests
Create a ResourceQuota in a dedicated namespace, then apply two Deployments to it: test-success.yaml carries the label the webhook server looks for, test-fail.yaml does not. Expected outcome: the pod from test-success.yaml starts, because the webhook injected resource limits that satisfy the quota; test-fail.yaml produces no pod, because the quota requires limits.memory and the Deployment sets none. Editing the web-success Deployment afterwards shows the resources the webhook added.
- demo-namespace.yaml
```yaml
apiVersion: v1
kind: Namespace
metadata:
  name: webhook-demo
```
- quota.yaml
```yaml
apiVersion: v1
kind: ResourceQuota
metadata:
  name: compute-resources
  namespace: webhook-demo
spec:
  hard:
    limits.memory: 2Gi
```
- test-success.yaml
```yaml
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  labels:
    run: web-success
    io.wise2c.service.type: lb   # the label the webhook server looks for
  name: web-success
  namespace: webhook-demo
spec:
  selector:
    matchLabels:
      run: web-success
  template:
    metadata:
      labels:
        run: web-success
    spec:
      containers:
        - image: nginx
          imagePullPolicy: Always
          name: web
          ports:
            - containerPort: 80
              protocol: TCP
```
- test-fail.yaml
```yaml
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  labels:
    run: web
  name: web-fail
  namespace: webhook-demo
spec:
  selector:
    matchLabels:
      run: web-fail
  template:
    metadata:
      labels:
        run: web-fail
    spec:
      containers:
        - image: nginx
          imagePullPolicy: Always
          name: web
          ports:
            - containerPort: 80
              protocol: TCP
```
6. Test
```
kubectl apply -f admissionregistration.yaml
kubectl apply -f secret.yaml
kubectl apply -f deployment.yaml
kubectl apply -f demo-namespace.yaml
kubectl apply -f quota.yaml
kubectl apply -f test-fail.yaml
kubectl apply -f test-success.yaml
```
Wait for the lb-webhook pod to be Running before applying the two test Deployments. With the v1beta1 default failurePolicy of Ignore, a webhook that is not yet serving is silently skipped, so web-success would be created unmodified and fail the quota just like web-fail.
The results:
```
[root@dev-7 webhook]# kubectl apply -f test-fail.yaml
deployment.extensions/web-fail created
[root@dev-7 webhook]# kubectl apply -f test-success.yaml
deployment.extensions/web-success created
[root@dev-7 webhook]# kubectl get po -n webhook-demo
NAME                           READY   STATUS              RESTARTS   AGE
web-success-85fd64db95-wl9xx   0/1     ContainerCreating   0          9s
```
This matches the expectation. To see why web-fail produced no pod, look at the events on its ReplicaSet (kubectl describe rs -n webhook-demo), which report the ResourceQuota violation; to see what the webhook injected, read the web-success Deployment back (kubectl get deploy web-success -n webhook-demo -o yaml) and look at spec.template.spec.containers[0].resources. That concludes the webhook walkthrough.
Original article: https://mp.weixin.qq.com/s/Z6ucuqNs2rOaPzwhvW-bmw