add webhook

2023-09-06 17:52:39 +08:00
parent 586abdfd7b
commit b2972195cb
12 changed files with 882 additions and 12 deletions
--- a/config/deployment.yaml
+++ b/config/deployment.yaml
@@ -4,9 +4,14 @@ metadata:
  name: controller
  namespace: system
 spec:
-  replicas: 2
+  replicas: 1
+  selector:
+    matchLabels:
+      component: controller
  template:
    metadata:
+      labels:
+        component: controller
      annotations:
        prometheus.io/port: "8080"
        prometheus.io/scrape: "true"
@@ -17,6 +22,7 @@ spec:
      - args:
        - --metrics-address=:8080
        - --enable-leader-election
+        - --cert-dir=/tmp/webhook
        image: controller:latest
        name: manager
        env:
--- a/config/kustomization.yaml
+++ b/config/kustomization.yaml
@@ -13,8 +13,16 @@ resources:
 - rbac/role.yaml
 - rbac/leader_election_role.yaml
 - rbac/role_binding.yaml
+- webhook/manifests.yaml
+- webhook/service.yaml
 - deployment.yaml

+patchesStrategicMerge:
+- webhook/manager_patch.yaml
+
+configurations:
+- webhook/kustomizeconfig.yaml
+
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 images:
--- a/config/rbac/role.yaml
+++ b/config/rbac/role.yaml
@@ -2,9 +2,26 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  creationTimestamp: null
  name: role
 rules:
+- apiGroups:
+  - ""
+  resources:
+  - Pods
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - create
+  - get
+  - list
+  - update
+  - watch
 - apiGroups:
  - ""
  resources:
@@ -13,3 +30,36 @@ rules:
  - get
  - list
  - watch
+- apiGroups:
+  - admissionregistration.k8s.io
+  resourceNames:
+  - monitor-mutating-webhook-configuration
+  resources:
+  - mutatingwebhookconfigurations
+  verbs:
+  - get
+  - update
+- apiGroups:
+  - admissionregistration.k8s.io
+  resources:
+  - mutatingwebhookconfigurations
+  - validatingwebhookconfigurations
+  verbs:
+  - list
+  - watch
+- apiGroups:
+  - admissionregistration.k8s.io
+  resourceNames:
+  - monitor-validating-webhook-configuration
+  resources:
+  - validatingwebhookconfigurations
+  verbs:
+  - get
+  - update
+- apiGroups:
+  - apiextensions.k8s.io
+  resources:
+  - customresourcedefinitions
+  verbs:
+  - list
+  - watch
--- a/config/webhook/kustomizeconfig.yaml
+++ b/config/webhook/kustomizeconfig.yaml
@@ -0,0 +1,33 @@
+# the following config is for teaching kustomize where to look at when substituting vars.
+# It requires kustomize v2.1.0 or newer to work properly.
+nameReference:
+- kind: Service
+  version: v1
+  fieldSpecs:
+  - kind: CustomResourceDefinition
+    version: v1
+    group: apiextensions.k8s.io
+    path: spec/conversion/webhook/clientConfig/service/name
+  - kind: MutatingWebhookConfiguration
+    group: admissionregistration.k8s.io
+    path: webhooks/clientConfig/service/name
+  - kind: ValidatingWebhookConfiguration
+    group: admissionregistration.k8s.io
+    path: webhooks/clientConfig/service/name
+
+namespace:
+- kind: CustomResourceDefinition
+  version: v1
+  group: apiextensions.k8s.io
+  path: spec/conversion/webhook/clientConfig/service/namespace
+- kind: MutatingWebhookConfiguration
+  group: admissionregistration.k8s.io
+  path: webhooks/clientConfig/service/namespace
+  create: true
+- kind: ValidatingWebhookConfiguration
+  group: admissionregistration.k8s.io
+  path: webhooks/clientConfig/service/namespace
+  create: true
+
+varReference:
+- path: metadata/annotations
--- a/config/webhook/manager_patch.yaml
+++ b/config/webhook/manager_patch.yaml
@@ -0,0 +1,22 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: controller
+  namespace: system
+spec:
+  template:
+    metadata:
+      labels:
+        monitor.demo.io/inject: "false"
+    spec:
+      containers:
+      - name: manager
+        ports:
+        - name: webhook-server
+          containerPort: 9443
+        volumeMounts:
+        - name: webhook
+          mountPath: /tmp/webhook
+      volumes:
+      - name: webhook
+        emptyDir: {}
--- a/config/webhook/manifests.yaml
+++ b/config/webhook/manifests.yaml
@@ -0,0 +1,70 @@
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+  creationTimestamp: null
+  name: mutating-webhook-configuration
+webhooks:
+- admissionReviewVersions:
+  - v1beta1
+  - v1
+  clientConfig:
+    service:
+      name: webhook-service
+      namespace: system
+      path: /mutate--v1-pod
+  failurePolicy: Fail
+  name: namespace.injector.kb.io
+  namespaceSelector:
+    matchExpressions:
+    - key: monitor-injection
+      operator: In
+      values:
+      - enabled
+  objectSelector:
+    matchExpressions:
+    - key: monitor.demo.io/inject
+      operator: NotIn
+      values:
+      - "false"
+  rules:
+  - apiGroups:
+    - ""
+    apiVersions:
+    - v1
+    operations:
+    - CREATE
+    resources:
+    - pods
+    scope: '*'
+  sideEffects: None
+- admissionReviewVersions:
+  - v1beta1
+  - v1
+  clientConfig:
+    service:
+      name: webhook-service
+      namespace: system
+      path: /mutate--v1-pod
+  failurePolicy: Fail
+  name: object.injector.kb.io
+  namespaceSelector:
+    matchExpressions:
+    - key: monitor-injection
+      operator: DoesNotExist
+  objectSelector:
+    matchExpressions:
+    - key: monitor.demo.io/inject
+      operator: In
+      values:
+      - "true"
+  rules:
+  - apiGroups:
+    - ""
+    apiVersions:
+    - v1
+    operations:
+    - CREATE
+    resources:
+    - pods
+    scope: '*'
+  sideEffects: None
--- a/config/webhook/service.yaml
+++ b/config/webhook/service.yaml
@@ -0,0 +1,12 @@
+
+apiVersion: v1
+kind: Service
+metadata:
+  name: webhook-service
+  namespace: system
+spec:
+  selector:
+    component: controller
+  ports:
+  - port: 443
+    targetPort: 9443