Build Your Own Admission Controllers in Kubernetes Using Go

Admission Control vs RBAC

What is an Admission Controller?

  1. MutatingAdmissionWebhook: allows mutating webhooks to modify the content of a resource before it is persisted.
  2. ValidatingAdmissionWebhook: allows validating webhooks to enforce custom admission policies.

What do we need to develop our own admission controller?

  1. Deploy Webhook Server
> kubectl create secret tls webhook-server-tls \
--cert "certs/tls.crt" \
--key "certs/tls.key" -n production
> kubectl create -f webhook_server.yml
> kubectl create -f webhooks.yml
> kubectl get deployments.apps,svc,secret -n production
NAME                             READY   UP-TO-DATE   AVAILABLE   AGE
deployment.apps/webhook-server   1/1     1            1           36m
NAME                     TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)   AGE
service/webhook-server   ClusterIP   10.245.197.198   <none>        443/TCP   76m
NAME                        TYPE                DATA   AGE
secret/webhook-server-tls   kubernetes.io/tls   2      59m
> kubectl get mutatingwebhookconfigurations.admissionregistration.k8s.io
NAME                  WEBHOOKS   AGE
deployment-mutation   1          37m
> kubectl get validatingwebhookconfigurations.admissionregistration.k8s.io
NAME                    WEBHOOKS   AGE
deployment-validation   1          38m
> kubectl logs -n production webhook-server-5999c6d74d-4k4pg --follow
> kubectl create -f test_deployment.yml
{"level":"info","time":"2022-05-04T03:18:36Z","message":"Server started ..."}
{"level":"info","time":"2022-05-04T03:19:03Z","message":"handling request: {\"kind\":\"AdmissionReview\",\"apiVersion\":\"admission.k8s.io/v1\",\"request\":{\"uid\":\"8cde5fab-
...{"level":"info","time":"2022-05-04T03:19:03Z","message":"mutating deployments"}
{"level":"info","time":"2022-05-04T03:19:03Z","message":"sending response: &AdmissionReview{Request:nil,Response:&AdmissionResponse{UID:8cde5fab-8dd5-449d-8f92-455c005b1f3b,Allowed:true,Result:nil,Patch:*[91 123 32 34 111 112 34 58 32 34 97 100 100 34 44 32 34 112 97 116 104 34 58 32 34 47 109 101 116 97 100 97 116 97 47 110 97 109 101 34 44 32 34 118 97 108 117 101 34 58 32 34 112 114 111 100 45 110 103 105 110 120 45 100 101 112 108 111 121 109 101 110 116 34 32 125 93],PatchType:*JSONPatch,AuditAnnotations:map[string]string{},Warnings:[],},}"}
...{"level":"info","time":"2022-05-04T03:19:03Z","message":"validating deployments"}
{"level":"info","time":"2022-05-04T03:19:03Z","message":"sending response: &AdmissionReview{Request:nil,Response:&AdmissionResponse{UID:60773af9-ae64-41de-ade3-45f3424b59bf,Allowed:true,Result:nil,Patch:nil,PatchType:nil,AuditAnnotations:map[string]string{},Warnings:[],},}"}
> kubectl get deployments.apps -n production
NAME                    READY   UP-TO-DATE   AVAILABLE   AGE
prod-nginx-deployment   1/1     1            1           5m24s
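The Go handler behind the webhook server deployed above, as an added example that is not the article's code: it decodes the AdmissionReview the API server posts, answers the mutating webhook with an RFC 6902 JSON Patch (the log above shows one, which travels base64-encoded on the wire) and the validating webhook with an allow/deny plus a message. The hand-written type subset, the "env" label and the image-tag rule are assumptions made for this example.

```go
package main
import (
	"encoding/json"
	"fmt"
	"strings"
)
// Hand-written subset of admission.k8s.io/v1 (assumption: only the fields this example needs).
type AdmissionReview struct {
	APIVersion string `json:"apiVersion"`
	Kind       string `json:"kind"`
	Request    *struct{ UID string `json:"uid"`; Object json.RawMessage `json:"object"` } `json:"request,omitempty"`
	Response   *AdmissionResponse `json:"response,omitempty"`
}
type AdmissionResponse struct {
	UID       string            `json:"uid"`
	Allowed   bool              `json:"allowed"`
	Result    map[string]string `json:"status,omitempty"`
	Patch     []byte            `json:"patch,omitempty"` // encoding/json base64-encodes []byte, as the API expects
	PatchType string            `json:"patchType,omitempty"`
}
type deployment struct { // just enough of a Deployment to inspect labels and container images
	Metadata struct{ Labels map[string]string `json:"labels"` } `json:"metadata"`
	Spec     struct{ Template struct{ Spec struct{ Containers []struct{ Image string `json:"image"` } `json:"containers"` } `json:"spec"` } `json:"template"` } `json:"spec"`
}
// Review turns the AdmissionReview sent by the API server into the response it expects:
// validate=true denies unpinned (tagless or ":latest") images; validate=false adds an "env" label via JSON Patch.
func Review(body []byte, validate bool) (*AdmissionReview, error) {
	var in AdmissionReview
	if err := json.Unmarshal(body, &in); err != nil || in.Request == nil {
		return nil, fmt.Errorf("malformed AdmissionReview (err=%v)", err)
	}
	var d deployment
	if err := json.Unmarshal(in.Request.Object, &d); err != nil {
		return nil, err
	}
	resp := &AdmissionResponse{UID: in.Request.UID, Allowed: true}
	for _, c := range d.Spec.Template.Spec.Containers {
		if validate && (!strings.Contains(c.Image, ":") || strings.HasSuffix(c.Image, ":latest")) {
			resp.Allowed, resp.Result = false, map[string]string{"message": "image " + c.Image + " must use a pinned, non-latest tag"}
		}
	}
	if !validate && d.Metadata.Labels["env"] == "" {
		labels := map[string]string{"env": "production"} // merged copy: RFC 6902 "add" replaces the whole labels object
		for k, v := range d.Metadata.Labels { if k != "env" { labels[k] = v } }
		resp.PatchType = "JSONPatch"
		resp.Patch, _ = json.Marshal([]map[string]any{{"op": "add", "path": "/metadata/labels", "value": labels}}) // cannot fail for these types
	}
	return &AdmissionReview{APIVersion: in.APIVersion, Kind: in.Kind, Response: resp}, nil
}
```

Wrap Review in an http.HandlerFunc and serve it with ListenAndServeTLS using the certificate from the webhook-server-tls secret, one path per webhook configuration.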

Hi, I’m a Cloud Engineer, Golang & Python Enthusiast! A bit of random things...🥑🎶 🎯🌻

Bashayr Alabdullah