This topic was presented by me at a Meetup in Bangalore on 21st September 2019.
Slides for the same are here
-
Start minikube with PodSecurityPolicy enabled.
Reference - https://suraj.io/post/psp-on-existing-cluster/
minikube start --extra-config=apiserver.enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota,DefaultTolerationSeconds,PodSecurityPolicy,MutatingAdmissionWebhook,ValidatingAdmissionWebhook
-
Once the server is started, due to the enabling of PSP, we need to provide policies.
$ kubectl apply -f manifests/minikube-yamls-after-enabling-psp/psp.yaml $ kubectl auth reconcile -f manifests/minikube-yamls-after-enabling-psp/clusterroles.yaml $ kubectl auth reconcile -f manifests/minikube-yamls-after-enabling-psp/rolebindings.yaml
-
Building docker image locally
$ eval $(minikube docker-env) # This will use the docker daemon of minikube $ docker build -t webhookserver .
-
Deploying the all-in-one-yaml manifest
$ kubectl apply -f manifests/solution-deployment-yamls/all-in-one.yaml
-
Generate TLS certs for our webhookserver and create a secret Copy the certificate string to template and create a
ValidatingWebhookConfiguration
Reference- https://github.com/banzaicloud/admission-webhook-example
$ cd manifests/solution-deployment-yamls/certs $ ./webhook-create-signed-cert.sh $ cat validatingwebhook.yaml.template | ./webhook-patch-ca-bundle.sh > webhookconfiguration.yaml $ kubectl apply -f webhookconfiguration.yaml
-
Test the solution with some test yamls
$ cd manifests/test-yamls $ kubectl apply -f invalid-profiles.yaml $ kubectl apply -f invalid-wildcard-policy.yaml $ kubectl apply -f no-policy.yaml $ kubectl apply -f valid-policy.yaml
- https://msazure.club/podsecuritypolicy-explained-by-examples/
- https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#webhook-configuration
- https://github.com/kubernetes/kubernetes/blob/v1.13.0/test/images/webhook/main.go
- https://banzaicloud.com/blog/k8s-admission-webhooks/
- https://kubernetes.io/docs/concepts/policy/pod-security-policy/#seccomp
- https://github.com/kubernetes/client-go/blob/master/util/jsonpath/jsonpath_test.go
- As a serverless solution
https://github.com/kelseyhightower/denyenv-validating-admission-webhook
- Deploying webhook as an aggregated API Server