Kubernetes Admission-Controller Toolkit
Update: The GitHub project has undergone a major refactor following the Go 1.18 release, which brought generics support.
On my GitHub you can find a Kubernetes Admission Controller Toolkit, which I recently put together while experimenting with admission controllers.
The technical documentation lives in the GitHub README, so I will not duplicate it here; instead, I will briefly describe what this is about.
What are admission controllers?
Admission controllers are special webhooks that can be configured in Kubernetes. These webhooks intercept any API request that matches a specified set of criteria. What the interception is used for depends on the category of the webhook:
- Mutating webhooks can alter API requests. The toy example adds the label "kubernetes.io/metadata.name" to every created namespace, with the namespace's own name as the value. Mutating webhooks may also validate and reject API requests, but there is no guarantee that a mutating webhook sees the final state of an API request, as other mutating webhooks may run after it.
- Validating webhooks validate API requests and may reject them. Validating webhooks run after all mutating webhooks have been applied, so they are guaranteed to see the final state of the API request.
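To make the two categories and their ordering concrete, here is an added example (written for this page, not code from the toolkit or its README) of a namespace webhook in Go using only the standard library: Mutate emits the JSON patch that adds the "kubernetes.io/metadata.name" label, Validate rejects a namespace whose label disagrees with its name, and HandleReview wraps either one in the AdmissionReview envelope the API server expects. The request and response types are a hand-written, stripped-down mirror of the real k8s.io/api types, the sample review and its uid are constructed, and the function names are this example's own.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Hand-written, stripped-down mirror of the Kubernetes AdmissionReview and Namespace
// wire format (an assumption of this example; the real types live in k8s.io/api).
type (
	ObjectMeta struct {
		Name   string            `json:"name"`
		Labels map[string]string `json:"labels,omitempty"`
	}
	Namespace struct {
		Metadata ObjectMeta `json:"metadata"`
	}
	AdmissionRequest struct {
		UID    string    `json:"uid"`
		Object Namespace `json:"object"` // typed for this namespace-only webhook; a generic server keeps json.RawMessage here and dispatches on the request kind
	}
	AdmissionResponse struct {
		UID       string            `json:"uid"`
		Allowed   bool              `json:"allowed"`
		PatchType string            `json:"patchType,omitempty"`
		Patch     []byte            `json:"patch,omitempty"`  // []byte is base64-encoded by encoding/json, as the API expects
		Result    map[string]string `json:"result,omitempty"` // stands in for metav1.Status
	}
	AdmissionReview struct {
		APIVersion string             `json:"apiVersion"`
		Kind       string             `json:"kind"`
		Request    *AdmissionRequest  `json:"request,omitempty"`
		Response   *AdmissionResponse `json:"response,omitempty"`
	}
	PatchOp struct { // one RFC 6902 JSON patch operation
		Op    string      `json:"op"`
		Path  string      `json:"path"`
		Value interface{} `json:"value"`
	}
)

const labelKey = "kubernetes.io/metadata.name"
// Constructed sample of what the API server POSTs for a namespace CREATE (the uid is a placeholder).
const sampleReview = `{"apiVersion":"admission.k8s.io/v1","kind":"AdmissionReview","request":{"uid":"00000000-0000-0000-0000-000000000001","operation":"CREATE","object":{"apiVersion":"v1","kind":"Namespace","metadata":{"name":"team-a"}}}}`

// Mutate is the toy mutating webhook: ensure labelKey carries the namespace's own name, as a JSON patch.
func Mutate(req *AdmissionRequest) (*AdmissionResponse, error) {
	ns := req.Object
	var ops []PatchOp
	switch {
	case ns.Metadata.Labels == nil:
		// No labels map yet: an "add" below a missing parent path fails, so add the whole map.
		ops = append(ops, PatchOp{Op: "add", Path: "/metadata/labels", Value: map[string]string{labelKey: ns.Metadata.Name}})
	case ns.Metadata.Labels[labelKey] != ns.Metadata.Name:
		// Key absent or wrong: "add" on an existing key replaces it; the "/" in the key is escaped as "~1" (RFC 6901).
		key := strings.NewReplacer("~", "~0", "/", "~1").Replace(labelKey)
		ops = append(ops, PatchOp{Op: "add", Path: "/metadata/labels/" + key, Value: ns.Metadata.Name})
	}
	resp := &AdmissionResponse{UID: req.UID, Allowed: true}
	if len(ops) > 0 {
		patch, err := json.Marshal(ops)
		if err != nil {
			return nil, err
		}
		resp.PatchType, resp.Patch = "JSONPatch", patch
	}
	return resp, nil
}

// Validate is the enforcement point: it runs after every mutating webhook, so it
// sees the final object and can reject a namespace whose label and name disagree.
func Validate(req *AdmissionRequest) (*AdmissionResponse, error) {
	ns := req.Object
	if got := ns.Metadata.Labels[labelKey]; got != ns.Metadata.Name {
		msg := fmt.Sprintf("label %q must equal namespace name %q, got %q", labelKey, ns.Metadata.Name, got)
		return &AdmissionResponse{UID: req.UID, Allowed: false, Result: map[string]string{"message": msg}}, nil
	}
	return &AdmissionResponse{UID: req.UID, Allowed: true}, nil
}

// HandleReview is the HTTP handler's body: decode the posted review, run the webhook, and
// reply with the request UID echoed. A webhook error becomes an explicit deny, never an allow.
func HandleReview(body []byte, webhook func(*AdmissionRequest) (*AdmissionResponse, error)) ([]byte, error) {
	var review AdmissionReview
	if err := json.Unmarshal(body, &review); err != nil || review.Request == nil {
		return nil, fmt.Errorf("malformed AdmissionReview (err=%v)", err)
	}
	resp, err := webhook(review.Request)
	if err != nil {
		resp = &AdmissionResponse{UID: review.Request.UID, Allowed: false, Result: map[string]string{"message": err.Error()}}
	}
	return json.Marshal(AdmissionReview{APIVersion: review.APIVersion, Kind: review.Kind, Response: resp})
}

func main() {
	out, err := HandleReview([]byte(sampleReview), Mutate)
	fmt.Println(string(out), err)
}
```

Because the validating webhook runs last, it is where the invariant is enforced; the mutating webhook only normalizes the object, and another mutating webhook registered after it could change the label again. Note also the two patch shapes: an RFC 6902 "add" cannot create /metadata/labels/<key> while the labels map does not exist yet, and the "/" inside the label key must be escaped in the JSON pointer. Running the program prints the review response for the constructed sample.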
What is in the Toolkit
- A small Go library that provides tooling for marshalling and unmarshalling the API requests, plus some general support, e.g. generating the JSON patches for mutating-webhook responses from changes made to the unmarshalled API objects.
- An example application, accompanied by a Dockerfile that bundles the webhook server into a small Docker image (~16 MB).
- A Helm chart that sets up all the required Kubernetes resources (deployment, service, CA, certificate issuer, certificates, webhooks).
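The first item, deriving JSON patches from changes made to the unmarshalled object, as an added example of the general technique (this is not the toolkit's implementation; Diff, PatchFor, LabelNamespace and the sample object are this example's own): decode the incoming object twice, let the webhook edit one copy, and derive the RFC 6902 operations by walking both trees. It goes beyond the page's single-label case in that it handles nested objects, additions, removals, explicit nulls and key escaping.

```go
package main

import (
	"encoding/json"
	"fmt"
	"reflect"
	"sort"
	"strings"
)

// PatchOp is one RFC 6902 operation; Value is raw JSON so an explicit null survives.
type PatchOp struct {
	Op    string          `json:"op"`
	Path  string          `json:"path"`
	Value json.RawMessage `json:"value,omitempty"` // absent for "remove"
}

// raw re-encodes a value that came out of json.Unmarshal, which cannot fail.
func raw(v interface{}) json.RawMessage {
	b, _ := json.Marshal(v)
	return b
}

// Diff returns the JSON patch that turns a into b. Both are generic JSON trees as
// json.Unmarshal produces them into interface{} (objects map[string]interface{},
// numbers float64). Objects are diffed key by key; anything else, arrays included,
// is replaced as a whole when it differs. Call it with path "" for the root.
func Diff(path string, a, b interface{}) []PatchOp {
	var ops []PatchOp
	ma, okA := a.(map[string]interface{})
	mb, okB := b.(map[string]interface{})
	if !okA || !okB {
		if !reflect.DeepEqual(a, b) {
			ops = append(ops, PatchOp{Op: "replace", Path: path, Value: raw(b)})
		}
		return ops
	}
	// Walk the union of keys in sorted order so the patch is deterministic.
	var keys []string
	for k := range ma {
		keys = append(keys, k)
	}
	for k := range mb {
		if _, dup := ma[k]; !dup {
			keys = append(keys, k)
		}
	}
	sort.Strings(keys)
	for _, k := range keys {
		p := path + "/" + strings.NewReplacer("~", "~0", "/", "~1").Replace(k) // RFC 6901 escaping
		va, inA := ma[k]
		vb, inB := mb[k]
		switch {
		case !inA:
			ops = append(ops, PatchOp{Op: "add", Path: p, Value: raw(vb)})
		case !inB:
			ops = append(ops, PatchOp{Op: "remove", Path: p})
		default:
			ops = append(ops, Diff(p, va, vb)...)
		}
	}
	return ops
}

// Constructed sample object, as it would arrive in AdmissionRequest.object.
const original = `{"apiVersion":"v1","kind":"Namespace","metadata":{"name":"team-a","labels":{"env":"dev","team":"a"}},"spec":{"finalizers":["kubernetes"]}}`

// PatchFor decodes the object twice, lets edit change one copy, and returns the
// encoded patch a mutating webhook would put into its response.
func PatchFor(object []byte, edit func(obj map[string]interface{})) ([]byte, error) {
	var before, after map[string]interface{}
	if err := json.Unmarshal(object, &before); err != nil {
		return nil, err
	}
	if err := json.Unmarshal(object, &after); err != nil {
		return nil, err
	}
	edit(after)
	return json.Marshal(Diff("", before, after))
}

// LabelNamespace is the post's toy mutation, plus a removal to show that op; it
// assumes the object already carries a labels map (the constructed sample does).
func LabelNamespace(obj map[string]interface{}) {
	meta := obj["metadata"].(map[string]interface{})
	labels := meta["labels"].(map[string]interface{})
	labels["kubernetes.io/metadata.name"] = meta["name"]
	delete(labels, "env")
}

func main() {
	patch, err := PatchFor([]byte(original), LabelNamespace)
	fmt.Println(string(patch), err)
}
```

Diffing generic trees avoids a pitfall of diffing typed structs: if the webhook's Go type lacks a field that the incoming object carries, a struct round trip silently yields a "remove" for that field, and the patch would strip it from the object. Arrays are replaced as a whole here; element-wise array diffing is left out for brevity.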