Part 2: How to Use Validating Admission Webhook In Kubernetes?
Checking that requested resources match your requirements before they are admitted is an essential safeguard in Kubernetes.
Consider that several teams are delivering various projects to your Kubernetes cluster. Ensuring that all teams adhere to certain infrastructure guidelines is important.
A few examples of such prerequisites:
- The name of the pod should follow the pattern: teamname-projectname-version
- The namespace and the pod’s teamname need to match.
- Every container has to use an Ubuntu image.
- Persistent volume claims reference existing storage classes and have appropriate access modes.
and so forth.
Kubernetes can call a web service to validate requested resources before they are admitted.
With Kubernetes’ Validating Admission Webhook, you can point the API server at your own internal or external web service, which confirms whether each requested resource meets your rules.
Configuring a Validating Admission Webhook
A Validating Admission Webhook requires an SSL/TLS certificate to function.
Kubernetes will call your service over HTTPS, so a valid certificate is needed.
I’m going to presume that you use the default namespace in your cluster.
Let’s generate a self-signed certificate for the service’s internal DNS name: validate-pod-rule.default.svc. This is the name Kubernetes will use when calling the webhook, so it has to appear in the certificate.
With the openssl command, you may generate a self-signed certificate:
openssl req -subj '/CN=validate-pod-rule.default.svc' -addext "subjectAltName = DNS:validate-pod-rule.default.svc" -x509 -newkey rsa:4096 -nodes -keyout key.pem -out cert.pem -days 365
This command will generate two files: cert.pem and key.pem.
For SSL termination, I’ll build an Nginx container. For testing purposes, it will provide a basic response.
The Nginx container’s Dockerfile is as follows:
FROM nginx:latest
COPY ssl.conf /etc/nginx/conf.d/ssl.conf
COPY cert.pem /etc/nginx/conf.d/cert.pem
COPY key.pem /etc/nginx/conf.d/key.pem
EXPOSE 443
CMD ["nginx", "-g", "daemon off;"]
ssl.conf
server {
    listen 443 ssl;
    ssl_certificate /etc/nginx/conf.d/cert.pem;
    ssl_certificate_key /etc/nginx/conf.d/key.pem;
    location / {
        return 200 'hello from container';
    }
}
P.S.: This Nginx setup is only meant to verify that the Validating Admission Webhook can reach the service over TLS. Later on, a proxy_pass rule to the actual validation service will be added.
I will create a Docker image:
docker build -t ailhan/validate-pod-rule-nginx:v1 .
To test the SSL/TLS Certificate, I set up a Docker container on my local computer:
➜ ~ docker run --name nginx-ssl-test -d -p 443:443 ailhan/validate-pod-rule-nginx:v1
c1473f563b3dbc2e5ba42dcfd02d454197772197637ce151de2edc3a6ffb00c4
Test:
I can establish an SSL connection to the Nginx container.
Deploy to Kubernetes
Upload your container image to a repository that Kubernetes can access.
validate-pod-rule-nginx.yaml
---
apiVersion: v1
kind: Pod
metadata:
  name: validate-pod-rule-nginx
  labels:
    app: validate-pod-rule-nginx
spec:
  containers:
    - name: validate-pod-rule-nginx
      image: ailhan/validate-pod-rule-nginx:v1
      imagePullPolicy: Always
      ports:
        - containerPort: 443
Apply:
➜ ~ kubectl apply -f validate-pod-rule-nginx.yaml
pod/validate-pod-rule-nginx created
validate-pod-rule-svc.yaml
---
apiVersion: v1
kind: Service
metadata:
  name: validate-pod-rule
  namespace: default
spec:
  ports:
    - name: https
      port: 443
      targetPort: 443
  selector:
    app: validate-pod-rule-nginx
Apply:
➜ ~ kubectl apply -f validate-pod-rule-svc.yaml
service/validate-pod-rule created
validate-admission-webhook.yaml
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  name: "validate-pod-rule"
webhooks:
  - name: "validate-pod-rule.adil.com"
    rules:
      - apiGroups: [""]
        apiVersions: ["v1"]
        operations: ["CREATE"]
        resources: ["pods"]
        scope: "Namespaced"
    clientConfig:
      service:
        namespace: "default"
        name: "validate-pod-rule"
      caBundle: "<CA_BUNDLE_BASE64_HERE>"
    admissionReviewVersions: ["v1"]
    sideEffects: None
    timeoutSeconds: 5
The base64 version of cert.pem must be used to replace the caBundle value.
Get the base64 value as a single line (GNU base64 wraps its output at 76 characters, which would break the quoted YAML string):
cat cert.pem | base64 | tr -d '\n'
Once you deploy validate-admission-webhook.yaml to your cluster, Kubernetes will send every Pod creation request to https://validate-pod-rule.default.svc (the service name and namespace from clientConfig, which is why that name has to match the certificate) for verification.
Apply:
➜ ~ kubectl apply -f validate-admission-webhook.yaml
validatingwebhookconfiguration.admissionregistration.k8s.io/validate-pod-rule created
Let’s test it
When I attempted to deploy a pod, a validation request was sent to the Nginx container.
The validation request failed as the Nginx container returned plain text.
This confirms that the connection flow itself works end to end.
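As an added example (not the author’s code and not the Nginx backend from this post), here is the validation logic in Python that the service behind the future proxy_pass would need: it takes the AdmissionReview request Kubernetes POSTs to the webhook, applies the three rules listed at the top of the post, and returns the AdmissionReview response Kubernetes expects instead of the plain text that failed above. The sample request, the `platform` namespace and the pod name are constructed.

```python
import re

# Rules from the top of the post: name = teamname-projectname-version,
# namespace must equal teamname, every container image must be ubuntu.
POD_NAME_RE = re.compile(r"^(?P<team>[a-z0-9]+)-(?P<project>[a-z0-9]+)-(?P<version>v?[0-9]+(?:\.[0-9]+)*)$")


def image_repo(image: str) -> str:
    """Strip the tag and digest from an image reference, leaving the repository path."""
    image = image.split("@", 1)[0]            # drop "@sha256:..." digest
    last_slash, last_colon = image.rfind("/"), image.rfind(":")
    if last_colon > last_slash:               # a colon after the last "/" is a tag, not a registry port
        image = image[:last_colon]
    return image


def validate_pod(pod: dict, namespace: str) -> list:
    """Return the list of rule violations for a Pod object; an empty list means allowed."""
    errors = []
    name = pod.get("metadata", {}).get("name", "")
    match = POD_NAME_RE.match(name)
    if not match:
        errors.append(f"pod name {name!r} must look like teamname-projectname-version")
    elif match.group("team") != namespace:
        errors.append(f"namespace {namespace!r} must equal the pod's team name {match.group('team')!r}")
    for container in pod.get("spec", {}).get("containers", []):
        image = container.get("image", "")
        if image_repo(image).split("/")[-1] != "ubuntu":
            errors.append(f"container {container.get('name')!r} uses non-ubuntu image {image!r}")
    return errors


def review(admission_review: dict) -> dict:
    """Build the AdmissionReview response: it must echo request.uid, and a denial carries a message."""
    request = admission_review["request"]
    errors = validate_pod(request["object"], request.get("namespace", ""))
    response = {"uid": request["uid"], "allowed": not errors}
    if errors:
        response["status"] = {"code": 403, "message": "; ".join(errors)}
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview", "response": response}


# Constructed AdmissionReview request (not captured from a real cluster) for a compliant pod.
SAMPLE_REQUEST = {
    "apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
    "request": {"uid": "11111111-2222-3333-4444-555555555555", "namespace": "platform",
                "object": {"metadata": {"name": "platform-ingress-v2"},
                           "spec": {"containers": [{"name": "app", "image": "ubuntu:22.04"}]}}},
}
```

Any HTTPS server (the one Nginx will proxy to) only has to parse the JSON body into `review()` and write the returned dict back as JSON.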