In Kubernetes, a Mutating Webhook is a resource that allows you to intercept requests to the Kubernetes API server and modify them before they are persisted or admitted into the cluster. This capability is powerful for enforcing policies and making dynamic changes to resources.
In this project, we are creating a Mutating Webhook that specifically targets pods. The webhook server will intercept requests to create or update pods and apply custom logic to modify the pod specifications before they are admitted to the Kubernetes cluster.
The GoLang code in this project serves as the foundation for the Mutating Webhook Server. Let's break down the key components of the code:
-
Dockerfile: The
Dockerfiledefines how the GoLang application is containerized. It starts by using the official Go image as a parent image and sets up the working directory inside the container. -
Building the Webhook Server:
- The code is copied into the container.
- The project's Go module files (
go.modandgo.sum) are copied to ensure dependencies are available. - The Go module dependencies are downloaded using
go mod tidyandgo mod download. - The code is compiled for a specific target platform (in this case,
linux/amd64) usingCGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build. The resulting binary is namedwebhook-server.
-
Creating the Final Image:
- A minimal Alpine Linux image is used as the base image.
- Certificates are installed to ensure secure communication.
- The compiled
webhook-serverbinary is copied from the builder image to the final image.
-
Entrypoint: The
ENTRYPOINTinstruction specifies the command that should be executed when the container starts. In this case, it runs thewebhook-server.
To build the Docker image, we use the docker build command with the --platform linux/amd64 flag to specify the target platform. This ensures that the image is built for the linux/amd64 platform, which is common for many development environments.
For local testing, we recommend using a Kind (Kubernetes in Docker) cluster. You can create a Kind cluster and deploy the Mutating Webhook Server as described in the README. The webhook server will intercept and modify pod specifications according to your custom logic.
Testing is facilitated by deploying a sample pod that triggers the webhook server. The server's logs can be checked to verify its behavior.
In summary, this project creates a Mutating Webhook Server using GoLang that intercepts pod creation and update requests in Kubernetes, applies custom logic to modify pod specifications, and provides a secure and reusable solution for policy enforcement and dynamic configuration in a Kubernetes cluster.
# Mutating Webhook Server for Kubernetes
This project demonstrates how to create a mutating webhook server for Kubernetes. The webhook server modifies pod specifications before they are admitted to the cluster. In this example, we use a Kind (Kubernetes in Docker) cluster for local testing.
## Prerequisites
Before you begin, make sure you have the following prerequisites installed on your local machine:
- [Docker](https://www.docker.com/)
- [Kind](https://kind.sigs.k8s.io/)
- [kubectl](https://kubernetes.io/docs/tasks/tools/)
## Building the Webhook Server
To build the webhook server, follow these steps:
1. Clone this repository:
```shell
git clone https://github.com/yourusername/pod-mutator-webhook.git
cd pod-mutator-webhook-
Build the Docker image:
docker build --platform linux/amd64 -t pod-mutator:0.1 . -
Load the Docker image into your Kind cluster:
kind load docker-image pod-mutator:0.1
If you don't have a Kind cluster set up, you can create one with the following command:
kind create cluster --config kind-config.yamlEnsure that you have a kind-config.yaml file with appropriate cluster configuration.
-
Deploy the MutatingWebhookConfiguration:
kubectl apply -f webhook-config.yaml
-
Create a secret to store TLS certificates:
kubectl create secret tls webhook-server-cert --cert=path/to/webhook-server.crt --key=path/to/webhook-server.key
-
Deploy a sample pod to test the webhook server:
kubectl apply -f test-pod.yaml
-
Check the logs of the webhook server pod for debugging:
kubectl logs -f <pod_name>
To clean up the resources created for testing:
-
Delete the test pod:
kubectl delete -f test-pod.yaml
-
Delete the MutatingWebhookConfiguration:
kubectl delete -f webhook-config.yaml
-
Delete the secret:
kubectl delete secret webhook-server-cert
-
If you no longer need the Kind cluster, you can delete it:
kind delete cluster
Feel free to contribute to this project by opening issues or creating pull requests. Your feedback and contributions are welcome!
This project is licensed under the Apache Licence, feel free to use, modify and share.
Please replace placeholders like `yourusername`, `path/to/webhook-server.crt`, and `path/to/webhook-server.key` with your actual values and paths. Additionally, make sure you have the appropriate Kubernetes configuration files for your Kind cluster.