How to Use Validating Admission Webhook In Kubernetes?

adil
3 min readJan 7, 2024

Part 1: How to Set Up a Validating Admission Webhook In Kubernetes?

In Part 1, we set up the Kubernetes Validating Admission Webhook and verified SSL connection.

Photo by Drahomír Hugo Posteby-Mach on Unsplash

This article will describe how to reply to a validation request properly.

Kubernetes expects a simple response to a validation request; False or True

The response structure is as follows (source):

{
"apiVersion": "admission.k8s.io/v1",
"kind": "AdmissionReview",
"response": {
"uid": "<value from request.uid>",
"allowed": true
}
}

I’ll deploy simple code. True and False responses will be returned at random.

index.php

<?php

header('Content-Type: application/json; charset=utf-8');
$j = json_decode(file_get_contents('php://input'));

$allow_or_disallow = (bool)random_int(0, 1);

$response = [
"apiVersion" => "admission.k8s.io/v1",
"kind" => "AdmissionReview",
"response" => [
"uid" => $j->request->uid,
"allowed" => $allow_or_disallow
]
];

echo json_encode($response);

Dockerfile

FROM php:latest
WORKDIR /app
COPY . .
EXPOSE 80
CMD ["php" , "-S", "0.0.0.0:80"]

I will create a Docker image:

docker build -t ailhan/pod-rule-validator:latest .

Deploy to Kubernetes

Upload your container image to a repository that Kubernetes can access.

Let’s create a Yaml file

pod-rule-validator.yaml

---
apiVersion: v1
kind: Pod
metadata:
name: pod-rule-validator
labels:
app: pod-rule-validator
spec:
containers:
- name: pod-rule-validator
image: ailhan/pod-rule-validator:latest
imagePullPolicy: Always
ports:
- containerPort: 80

Apply:

➜  ~ kubectl apply -f pod-rule-validator.yaml
Error from server (InternalError): error when creating "pod-rule-validator.yaml": Internal error occurred:
failed calling webhook "validate-pod-rule.adil.com": failed to call webhook:
couldn't get version/kind; json parse error: json: cannot unmarshal string into Go value of type struct { APIVersion string "json:\"apiVersion,omitempty\""; Kind string "json:\"kind,omitempty\"" }

When I attempted to deploy the pod, an error occurred. Because my cluster still has Part 1's Validating Admission Webhook rule.

I will delete it:

➜  ~ kubectl delete validatingwebhookconfigurations validate-pod-rule
validatingwebhookconfiguration.admissionregistration.k8s.io "validate-pod-rule" deleted

Apply again:

➜  ~ kubectl apply -f pod-rule-validator.yaml
pod/pod-rule-validator created

Create a service for pod-rule-validator

pod-rule-validator-svc.yaml

---
apiVersion: v1
kind: Service
metadata:
name: pod-rule-validator-svc
spec:
ports:
- name: http
port: 80
targetPort: 80
selector:
app: pod-rule-validator

Apply:

➜  ~ kubectl apply -f pod-rule-validator-svc.yaml
service/pod-rule-validator-svc created

List of pods and services:

The validate-pod-rule-nginx pod returns a dummy response. It will function as pod-rule-validator’s reverse proxy. This means that we need to update it.

We’ll edit the ssl.conf file from Part 1.

ssl.conf

server {
listen 443 ssl;
ssl_certificate /etc/nginx/conf.d/cert.pem;
ssl_certificate_key /etc/nginx/conf.d/key.pem;
location / {
proxy_pass http://pod-rule-validator-svc;
}
}

The revised ssl.conf file will be used to build the validate-pod-rule-nginx image (version 2):

docker build -t ailhan/validate-pod-rule-nginx:v2 .

Next, push your container image to a repository that Kubernetes can access.

I’m going to delete the current validate-pod-rule-nginx pod:

➜  ~ kubectl delete pod/validate-pod-rule-nginx
pod "validate-pod-rule-nginx" deleted

validate-pod-rule-nginx.yaml from Part 1 will be deployed with the updated image version (v2).

validate-pod-rule-nginx-v2.yaml

---
apiVersion: v1
kind: Pod
metadata:
name: validate-pod-rule-nginx
labels:
app: validate-pod-rule-nginx
spec:
containers:
- name: validate-pod-rule-nginx
image: ailhan/validate-pod-rule-nginx:v2
imagePullPolicy: Always
ports:
- containerPort: 443

Apply:

➜  ~ kubectl apply -f validate-pod-rule-nginx-v2.yaml
pod/validate-pod-rule-nginx created

Now, let’s reactivate the Validating Admission Webhook rule.

I’m going to deploy validate-admission-webhook.yaml from Part 1

➜  ~ kubectl apply -f validate-admission-webhook.yaml
validatingwebhookconfiguration.admissionregistration.k8s.io/validate-pod-rule created

Let’s attempt to deploy a MySQL container:

The first two requests for deployment have been rejected. The third was approved. Please remember that validation requests get a random response from our validator, either True or False.

Part 1: How to Set Up a Validating Admission Webhook In Kubernetes?

--

--