Kubernetes 1.9.0 or above with the `admissionregistration.k8s.io/v1beta1` API enabled. Verify this with the following command:

```
kubectl api-versions | grep admissionregistration.k8s.io/v1beta1
```

The result should be:

```
admissionregistration.k8s.io/v1beta1
```

In addition, the `MutatingAdmissionWebhook` and `ValidatingAdmissionWebhook` admission controllers should be added and listed in the correct order in the `admission-control` flag of kube-apiserver.
- Set up dep

The repo uses dep as the dependency management tool for its Go codebase. Install `dep` with the following command:

```
go get -u github.com/golang/dep/cmd/dep
```
- Build and push docker image

```
./build
```
- Create a signed cert/key pair and store it in a Kubernetes `secret` that will be consumed by the sidecar deployment

```
./deployment/webhook-create-signed-cert.sh \
    --service etcd-webhook-webhook-svc \
    --secret etcd-webhook-webhook-certs \
    --namespace default
```
- Patch the `MutatingWebhookConfiguration` by setting `caBundle` to the correct value from the Kubernetes cluster

```
cat deployment/mutatingwebhook.yaml | \
    deployment/webhook-patch-ca-bundle.sh > \
    deployment/mutatingwebhook-ca-bundle.yaml
```
- Deploy resources

```
kubectl create -f deployment/deployment.yaml
kubectl create -f deployment/service.yaml
kubectl create -f deployment/mutatingwebhook-ca-bundle.yaml
```
- The sidecar inject webhook should be running

```
[root@mstnode ~]# kubectl get pods
NAME                                      READY   STATUS    RESTARTS   AGE
etcd-webhook-deployment-bbb689d69-882dd   1/1     Running   0          5m
[root@mstnode ~]# kubectl get deployment
NAME                      DESIRED   CURRENT   UP-TO-DATE   AVAILABLE   AGE
etcd-webhook-deployment   1         1         1            1           5m
```
- Label the default namespace with `etcd-webhook=enabled`

```
kubectl label namespace default etcd-webhook=enabled
[root@mstnode ~]# kubectl get namespace -L etcd-webhook
NAME          STATUS   AGE   etcd-webhook
default       Active   18h   enabled
kube-public   Active   18h
kube-system   Active   18h
```
- Deploy an app in the Kubernetes cluster, taking the `sleep` app as an example

```
[root@mstnode ~]# cat <<EOF | kubectl create -f -
apiVersion: apps/v1
kind: Deployment
metadata:
  name: etcd-test-server
spec:
  replicas: 3
  selector:
    matchLabels:
      app: test-server
  template:
    metadata:
      annotations:
        etcd.web-hook.me/remove: "yes"
      labels:
        app: test-server
    spec:
      containers:
      - name: test-server
        image: k8s.gcr.io/etcd-statefulset-e2e-test:0.0
        imagePullPolicy: Always
        ports:
        - containerPort: 8080
        readinessProbe:
          httpGet:
            path: /healthz
            port: 8080
          initialDelaySeconds: 2
          periodSeconds: 2
EOF
```
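
The API server calls the webhook only if the serving certificate from the cert/key step chains to the `caBundle` patched into the `MutatingWebhookConfiguration` and is valid for the DNS name `<service>.<namespace>.svc`. The Go check below is an added example, not code from this repo: `issue`, `caBundle` and `VerifyServingCert` are hypothetical helpers, and the CA and certificates are constructed in memory.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// issue builds a constructed test certificate; a nil parent yields a self-signed CA.
func issue(cn string, dns []string, parent *x509.Certificate, pk *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		DNSNames: dns, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	if parent == nil { // self-signed CA: sign the template with its own key
		tpl.IsCA, tpl.BasicConstraintsValid, tpl.KeyUsage = true, true, x509.KeyUsageCertSign
		parent, pk = tpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tpl, parent, &key.PublicKey, pk)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// caBundle encodes a CA the way the caBundle field stores it: base64 of PEM.
func caBundle(ca *x509.Certificate) string {
	return base64.StdEncoding.EncodeToString(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: ca.Raw}))
}

// VerifyServingCert checks that leaf chains to the bundle and matches <service>.<namespace>.svc.
func VerifyServingCert(bundleB64 string, leaf *x509.Certificate, service, namespace string) error {
	pemBytes, err := base64.StdEncoding.DecodeString(bundleB64)
	roots := x509.NewCertPool()
	if err != nil || !roots.AppendCertsFromPEM(pemBytes) {
		return fmt.Errorf("caBundle is empty or not base64-encoded PEM")
	}
	_, err = leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: service + "." + namespace + ".svc"})
	return err
}

func main() {
	ca, caKey := issue("constructed-ca", nil, nil, nil)
	leaf, _ := issue("webhook", []string{"etcd-webhook-webhook-svc.default.svc"}, ca, caKey)
	fmt.Println("verify:", VerifyServingCert(caBundle(ca), leaf, "etcd-webhook-webhook-svc", "default"))
}
```

To check a real deployment, pass the `caBundle` value from `deployment/mutatingwebhook-ca-bundle.yaml` and the parsed certificate stored in the `etcd-webhook-webhook-certs` secret.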