Part 1: How to Set Up a Validating Admission Webhook In Kubernetes?
In Part 1, we set up the Kubernetes Validating Admission Webhook and verified SSL connection.
This article will describe how to reply to a validation request properly.
Kubernetes expects a simple answer to a validation request: allowed true or allowed false.
The response structure is as follows (source):
{
  "apiVersion": "admission.k8s.io/v1",
  "kind": "AdmissionReview",
  "response": {
    "uid": "<value from request.uid>",
    "allowed": true
  }
}
I’ll deploy simple code. True and False responses will be returned at random.
index.php
<?php
// Reply to the API server's AdmissionReview request with a v1 AdmissionReview
// response that echoes request.uid; "allowed" is chosen at random for this demo.
header('Content-Type: application/json; charset=utf-8');
$j = json_decode(file_get_contents('php://input'));
$allow_or_disallow = (bool)random_int(0, 1);
$response = [
    "apiVersion" => "admission.k8s.io/v1",
    "kind" => "AdmissionReview",
    "response" => [
        "uid" => $j->request->uid,   // must match the uid of the incoming request
        "allowed" => $allow_or_disallow
    ]
];
echo json_encode($response);
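A validator that applies a real rule instead of a coin flip, as an added example that is not part of this series' code: it is written in Python rather than PHP so the logic runs stand-alone, enforces one assumed rule (no privileged containers), echoes request.uid, explains a denial in response.status, and fails closed on a malformed body. The sample request and its uid are constructed.

```python
import json

# Constructed sample AdmissionReview request, shaped like what the API server sends
# to a validating webhook; only the fields this example reads are filled in.
SAMPLE_REQUEST = json.dumps({
    "apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
    "request": {
        "uid": "11111111-2222-3333-4444-555555555555",  # constructed value
        "kind": {"group": "", "version": "v1", "kind": "Pod"},
        "object": {"metadata": {"name": "demo"}, "spec": {"containers": [
            {"name": "app", "image": "nginx", "securityContext": {"privileged": True}}]}},
    },
})


def pod_violations(pod: dict) -> list:
    """Example rule: list every container of the Pod that asks for privileged mode."""
    spec = pod.get("spec") or {}
    reasons = []
    for c in (spec.get("containers") or []) + (spec.get("initContainers") or []):
        if (c.get("securityContext") or {}).get("privileged"):
            reasons.append(f"container '{c.get('name', '?')}' is privileged")
    return reasons


def reply(uid: str, allowed: bool, code: int = 200, message: str = "") -> dict:
    """Wrap the decision in the AdmissionReview v1 response envelope."""
    resp = {"uid": uid, "allowed": allowed}
    if not allowed:  # status is what kubectl shows the user as the denial reason
        resp["status"] = {"code": code, "message": message}
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview", "response": resp}


def admission_response(body: str) -> dict:
    """Build the reply for a raw request body, denying (fail closed) on bad input."""
    try:
        request = json.loads(body)["request"]
        uid = request["uid"]
    except (ValueError, KeyError, TypeError):
        return reply("", False, 400, "malformed AdmissionReview request")
    reasons = []
    if (request.get("kind") or {}).get("kind") == "Pod":
        reasons = pod_violations(request.get("object") or {})
    if reasons:
        return reply(uid, False, 403, "; ".join(reasons))
    return reply(uid, True)
```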
Dockerfile
FROM php:latest
WORKDIR /app
COPY . .
EXPOSE 80
CMD ["php", "-S", "0.0.0.0:80"]
I will create a Docker image:
docker build -t ailhan/pod-rule-validator:latest .
Deploy to Kubernetes
Upload your container image to a repository that Kubernetes can access.
Let’s create a YAML file:
pod-rule-validator.yaml
---
apiVersion: v1
kind: Pod
metadata:
  name: pod-rule-validator
  labels:
    app: pod-rule-validator
spec:
  containers:
  - name: pod-rule-validator
    image: ailhan/pod-rule-validator:latest
    imagePullPolicy: Always
    ports:
    - containerPort: 80
Apply:
➜ ~ kubectl apply -f pod-rule-validator.yaml
Error from server (InternalError): error when creating "pod-rule-validator.yaml": Internal error occurred:
failed calling webhook "validate-pod-rule.adil.com": failed to call webhook:
couldn't get version/kind; json parse error: json: cannot unmarshal string into Go value of type struct { APIVersion string "json:\"apiVersion,omitempty\""; Kind string "json:\"kind,omitempty\"" }
When I attempted to deploy the pod, an error occurred because my cluster still has Part 1's Validating Admission Webhook rule: it sends the request to the dummy nginx responder, whose reply is not a valid AdmissionReview, so the API server fails the create.
I will delete it:
➜ ~ kubectl delete validatingwebhookconfigurations validate-pod-rule
validatingwebhookconfiguration.admissionregistration.k8s.io "validate-pod-rule" deleted
Apply again:
➜ ~ kubectl apply -f pod-rule-validator.yaml
pod/pod-rule-validator created
Create a service for pod-rule-validator
pod-rule-validator-svc.yaml
---
apiVersion: v1
kind: Service
metadata:
  name: pod-rule-validator-svc
spec:
  ports:
  - name: http
    port: 80
    targetPort: 80
  selector:
    app: pod-rule-validator
Apply:
➜ ~ kubectl apply -f pod-rule-validator-svc.yaml
service/pod-rule-validator-svc created
List of pods and services:
The validate-pod-rule-nginx pod still returns a dummy response. It will now act as a reverse proxy in front of pod-rule-validator, so we need to update it.
We’ll edit the ssl.conf file from Part 1.
ssl.conf
server {
    listen 443 ssl;
    ssl_certificate /etc/nginx/conf.d/cert.pem;
    ssl_certificate_key /etc/nginx/conf.d/key.pem;
    location / {
        proxy_pass http://pod-rule-validator-svc;
    }
}
The revised ssl.conf file will be used to build the validate-pod-rule-nginx image (version 2):
docker build -t ailhan/validate-pod-rule-nginx:v2 .
Next, push your container image to a repository that Kubernetes can access.
I’m going to delete the current validate-pod-rule-nginx pod:
➜ ~ kubectl delete pod/validate-pod-rule-nginx
pod "validate-pod-rule-nginx" deleted
validate-pod-rule-nginx.yaml from Part 1 will be deployed with the updated image version (v2).
validate-pod-rule-nginx-v2.yaml
---
apiVersion: v1
kind: Pod
metadata:
  name: validate-pod-rule-nginx
  labels:
    app: validate-pod-rule-nginx
spec:
  containers:
  - name: validate-pod-rule-nginx
    image: ailhan/validate-pod-rule-nginx:v2
    imagePullPolicy: Always
    ports:
    - containerPort: 443
Apply:
➜ ~ kubectl apply -f validate-pod-rule-nginx-v2.yaml
pod/validate-pod-rule-nginx created
Now, let’s reactivate the Validating Admission Webhook rule.
I’m going to deploy validate-admission-webhook.yaml from Part 1:
➜ ~ kubectl apply -f validate-admission-webhook.yaml
validatingwebhookconfiguration.admissionregistration.k8s.io/validate-pod-rule created
Let’s attempt to deploy a MySQL container:
The first two deployment requests were rejected; the third was approved. Remember that our validator answers each validation request at random, with allowed true or allowed false.