Implementing a Validating Admission WebHook
Explore how to implement a validating admission webhook step-by-step to control pod creation in Kubernetes. Understand how to build and deploy the webhook service securely, generate certificates, configure the kube-apiserver, and test webhook functionality to ensure pods with specific naming criteria are denied. Gain practical knowledge of admission control mechanisms and webhook integration in Kubernetes.
Implement a validating admission webhook
A validating admission webhook service is a web server, because the kube-apiserver invokes it through HTTPS POST requests. Now, let’s implement such a service step by step.
Step 1: Write a simple HTTP server
Let’s write a simple HTTP server at the path /validate on port 443. It checks the Pod name and rejects all Pods having mock-app in their names. The development environment that we can use to add and modify our programs is given below. We can hit the “Run” button to initialize it.
-----BEGIN CERTIFICATE----- MIIDDjCCAfagAwIBAgIUWX6Cy5agnx6c0g/5NzmqVQxmMJcwDQYJKoZIhvcNAQEL BQAwDTELMAkGA1UEAxMCQ0EwHhcNMjMwMTAzMDcyNDAwWhcNMzIxMjMxMDcyNDAw WjANMQswCQYDVQQDEwJDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB ANgQo4ebi+XzR1toF4RvgGjO9TbpGIPHAR4meB1s/a1605FadYJjeyMy3djeXfvD 6y5P9rBx6RCoPoAIaQWmwChcN5mMnNhxMPCm4JcsXrbmrEmn+0xJKGEZ88PafjmW q4WIc5Qz8neBRSWKjObqQoOiNrZaAYJZGc1uVdvEHUgBFqcTIqRv+O9A4gdLyQxO 4yRKKen9NhHibYHOigWii7zXVwLI8i/V2vO3KpQiyrKOTFlHW/UpygWd+tnmX5Dp mK1zLn01eamdnZI6gkPNprqo8+K3LU+mKhZGVNypgQegz2Ev8VUgdlcMQ6w8Crbw tHnVm80DCoCTsSzZhJ86TWUCAwEAAaNmMGQwDgYDVR0PAQH/BAQDAgEGMBIGA1Ud EwEB/wQIMAYBAf8CAQIwHQYDVR0OBBYEFBeO3R6z1z0rmQii+bPSUX1Nnl5SMB8G A1UdIwQYMBaAFBeO3R6z1z0rmQii+bPSUX1Nnl5SMA0GCSqGSIb3DQEBCwUAA4IB AQCowSlJ+aSYuxjIG/NIHiCXUKBT/Sy9b1Uu/LhSMl5oEv+UxhZjX+v6PdGulPkr 3i8LphLnJ5KyI/yN9RIJnHVF/HFzAeARYijR1L04zEA3BeHRpN01ml8uMdKjnlvA vuXew5qwPTh79awN2muSv+ZC7zCkJGEf3dcik7NoHaIqZEYq0PgW9NxFQh9p9QzJ 2GNHgjzSlHc4UK05yfLFxmXUmnTjEyOnskl+jICrenC3dDwBzrdk0TF1M+sLNjE/ FzPCs7T9/9nNbJ1OQFHhNQP2yYLusHtWN7zQgMv0M11Fp6rwkj3fzls9KZMXimkD M0S2MuS6doi/uE/qhdeOvidT -----END CERTIFICATE-----
In a real-world scenario, we only need to replace the mock code in the function validate() (line 21 in main.go) with our actual business logic. In the demo ...