developer-guy/admission-webhook-example-with-openfaas

Use OpenFaaS functions as Kubernetes Validating Admission Webhook

Prerequisites

• A Kubernetes cluster (kind, minikube, etc.)
• OpenFaaS CLI
• Arkade
• Kubectl
• KinD

2. Setup Tools

• Arkade

$ curl -sLS https://dl.get-arkade.dev | sudo sh

• KinD

$ arkade get kind

• Kubectl

$ arkade get kubectl

• OpenFaaS CLI

$ arkade get faas-cli

Setup

1. Set Up a Kubernetes Cluster with Kind (Optional)

With Kind, you can run a local Kubernetes cluster using Docker containers as nodes. The steps in this section are optional. Follow them only if you don't have a running Kubernetes cluster.

Create a file named openfaas-cluster.yaml, and copy in the following spec:

kind: Cluster
apiVersion: kind.x-k8s.io/v1alpha4
nodes:
- role: control-plane
- role: worker

$ kind create cluster --config kind-specs/kind-cluster.yaml

• Deploy OpenFaaS to a Kubernetes Cluster with:

$ arkade install openfaas

• Verify that the deployments were created

$ kubectl get deployments -n openfaas -l "release=openfaas, app=openfaas"

3. Deploy Validating Admission Webhook

$ cd deployment
$ sh webhook-create-signed-cert.sh
$ export CA_BUNDLE=$(kubectl config view --minify --flatten -o json | jq -r '.clusters[] | select(.name == "'$(kubectl config current-context)'") | .cluster."certificate-authority-data"')
$ sed -e "s|\${CA_BUNDLE}|${CA_BUNDLE}|g" validatingwebhook.yaml | kubectl apply -f -
$ cd ..
$ DOCKER_USER=username ./build
$ cd deployment
$ kubectl apply -f rbac.yaml
$ kubectl apply -f service.yaml
$ kubectl apply -f deployment.yaml # make sure you are using same 'DOCKER_USER' in deployment.yaml. i.e: devopps
# Label the default namespace to enable the webhook
$ kubectl label namespaces default admission-webhook-example=enabled

4. Building OpenFaaS Function

$ cd functions
$ faas-cli up -f requiredlabel.yml # (build-push-deploy) make sure you are using your docker hub username. i.e: devopps

• Verify the functions that are working in openfaas-fn namespace.

5. Testing the whole workflow

• K8S API -> WebHook Broker w/TLS -> OpenFaaS Gateway (w/HTTP) --> OpenFaaS Function

• The purpose of this PoC is that to validate that pods has required labels. Which means you must have that labels:

app.kubernetes.io/name: sleep
app.kubernetes.io/instance: sleep
app.kubernetes.io/version: "0.1"
app.kubernetes.io/component: dummy
app.kubernetes.io/part-of: admission-webhook-example
app.kubernetes.io/managed-by: kubernetes

• Any Pod who have above labels is valid for us.

`./deployment/sleep.yaml` -> Incorrect, not-valid (We should deny this creation request.)
`./deployment/sleep-no-validation.yaml` -> Skip-validation (Based on `admission-webhook-example.qikqiak.com/validate: "false"` annotation, we skipped validation.)
`./deployment/sleep-with-labels.yaml` -> Correct, valid (We should accept this creation request.)

6. References

• https://appfleet.com/blog/create-serverless-functions-with-openfaas/
• https://github.com/morvencao/kube-mutating-webhook-tutorial