【Posted】: 2021-04-28 20:59:50
【Question】:
I am trying to build an admission controller to enforce pod annotations on our cluster.
I was able to build a webhook service and deploy it. For testing purposes I changed the server code to return Allowed: false as the default response to any request, but it does not block pod creation.
In the logs I see the request reaching the server, but it seems the kube-apiserver is either not receiving or not honoring the response.
2021/01/25 02:29:15 &AdmissionResponse{UID:,Allowed:false,Result:&v1.Status{ListMeta:ListMeta{SelfLink:,ResourceVersion:,Continue:,RemainingItemCount:nil,},Status:,Message:,Reason:,Details:nil,Code:0,},Patch:nil,PatchType:nil,AuditAnnotations:map[string]string{},Warnings:[],}
Below are the service deployment file and the validating webhook configuration. Any ideas/suggestions appreciated!
apiVersion: apps/v1
kind: Deployment
metadata:
  name: webhook-server
  namespace: webhook-demo
  labels:
    app: webhook-server
spec:
  replicas: 1
  selector:
    matchLabels:
      app: webhook-server
  template:
    metadata:
      labels:
        app: webhook-server
    spec:
      securityContext:
        runAsNonRoot: true
        runAsUser: 1234
      containers:
      - name: webhook-server
        image: demo/admission-controller-webhook-demo:latest
        imagePullPolicy: Never
        ports:
        - containerPort: 8443
          name: webhook-api
        resources:
          requests:
            cpu: "100m"
            memory: "128M"
          limits:
            cpu: "250m"
            memory: "256M"
        volumeMounts:
        - name: webhook-tls-certs
          mountPath: /run/secrets/tls
          readOnly: true
      volumes:
      - name: webhook-tls-certs
        secret:
          secretName: webhook-server-tls
---
apiVersion: v1
kind: Service
metadata:
  name: webhook-server
  namespace: webhook-demo
spec:
  selector:
    app: webhook-server
  ports:
  - port: 443
    targetPort: webhook-api
---
apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingWebhookConfiguration
metadata:
  name: webhook-server
webhooks:
- name: webhook-server.webhook-demo.svc
  rules:
  - apiGroups: ["*"]
    apiVersions: ["*"]
    operations: ["CREATE","UPDATE"]
    resources: ["pods","deployments", "replicasets"]
  timeoutSeconds: 5
  clientConfig:
    service:
      name: webhook-server
      namespace: webhook-demo
      path: "/validate"
    caBundle: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0t<truncated>
  # failurePolicy is not set here; in the v1beta1 API it defaults to Ignore,
  # so a response the API server cannot use (for example one whose response.uid
  # does not match request.uid) is dropped with a warning and the object is admitted.
  sideEffects: None
  admissionReviewVersions: ["v1beta1"]
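An added example, not code from the question or from the demo image it deploys: a minimal Go handler for the /validate path that returns the response shape kube-apiserver expects. It uses hand-written structs that mirror the AdmissionReview wire format (assumed to match the real API; only the fields the handler needs) instead of importing k8s.io/api, so it runs without external modules, and the annotation key example.com/owner is a hypothetical policy value. The point it demonstrates is the one visible in the log line above, where UID is empty: the webhook must wrap its AdmissionResponse in an AdmissionReview of the same apiVersion/kind it received and copy request.uid into response.uid, otherwise the API server discards the response as invalid and, with failurePolicy Ignore, admits the object.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"log"
	"net/http"
)

// Minimal mirror of the admission.k8s.io AdmissionReview envelope (assumed
// to match the real API field names; only what this handler needs).
type admissionReview struct {
	APIVersion string             `json:"apiVersion"`
	Kind       string             `json:"kind"`
	Request    *admissionRequest  `json:"request,omitempty"`
	Response   *admissionResponse `json:"response,omitempty"`
}

type admissionRequest struct {
	UID    string          `json:"uid"`
	Object json.RawMessage `json:"object"`
}

type admissionResponse struct {
	UID     string  `json:"uid"`
	Allowed bool    `json:"allowed"`
	Status  *status `json:"status,omitempty"`
}

type status struct {
	Code    int32  `json:"code,omitempty"`
	Message string `json:"message,omitempty"`
}

// Only metadata.annotations of the admitted object is inspected.
type objectMeta struct {
	Metadata struct {
		Annotations map[string]string `json:"annotations"`
	} `json:"metadata"`
}

// requiredAnnotation is a hypothetical policy key chosen for this example.
const requiredAnnotation = "example.com/owner"

// review decodes an AdmissionReview, decides the request and encodes the reply.
// response.uid is copied from request.uid: kube-apiserver rejects a response
// whose uid does not match, and with failurePolicy Ignore that rejection
// results in the object being admitted despite Allowed: false.
func review(body []byte) ([]byte, error) {
	var in admissionReview
	if err := json.Unmarshal(body, &in); err != nil {
		return nil, fmt.Errorf("decode AdmissionReview: %w", err)
	}
	if in.Request == nil || in.Request.UID == "" {
		return nil, fmt.Errorf("AdmissionReview has no request.uid")
	}

	resp := &admissionResponse{UID: in.Request.UID, Allowed: true}
	var obj objectMeta
	if err := json.Unmarshal(in.Request.Object, &obj); err != nil {
		resp.Allowed = false
		resp.Status = &status{Code: 400, Message: "object is not valid JSON: " + err.Error()}
	} else if _, ok := obj.Metadata.Annotations[requiredAnnotation]; !ok {
		resp.Allowed = false
		resp.Status = &status{Code: 403, Message: "missing required annotation " + requiredAnnotation}
	}

	// Echo apiVersion and kind so the reply is an AdmissionReview of the same
	// version the API server sent (v1beta1 here, per admissionReviewVersions).
	out := admissionReview{APIVersion: in.APIVersion, Kind: in.Kind, Response: resp}
	return json.Marshal(out)
}

func handleValidate(w http.ResponseWriter, r *http.Request) {
	body, err := io.ReadAll(r.Body)
	if err != nil {
		http.Error(w, err.Error(), http.StatusBadRequest)
		return
	}
	out, err := review(body)
	if err != nil {
		http.Error(w, err.Error(), http.StatusBadRequest)
		return
	}
	w.Header().Set("Content-Type", "application/json")
	w.Write(out)
}

func main() {
	http.HandleFunc("/validate", handleValidate)
	// Certificate paths follow the Secret mount in the Deployment above.
	log.Fatal(http.ListenAndServeTLS(":8443", "/run/secrets/tls/tls.crt", "/run/secrets/tls/tls.key", nil))
}
```

A quick check from inside the cluster is to POST a hand-built AdmissionReview with a known uid to the service and confirm the reply carries the same uid and a non-empty kind; if either is missing, the API server will log "expected response.uid" or a decode error in its own log rather than in the webhook's, which is consistent with the request arriving yet the denial having no effect.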
【Discussion】:
- Did you follow the exact response syntax for the webhook: kubernetes.io/docs/reference/access-authn-authz/…
Tags: kubernetes google-kubernetes-engine webhooks kubectl