/lxcfs-admission-webhook

Primary LanguageGoApache License 2.0Apache-2.0

Kubernetes Admission Webhook for LXCFS

This project shows how to build and deploy an AdmissionWebhook for LXCFS.

Prerequisites

Kubernetes 1.9.0 or above with the admissionregistration.k8s.io/v1beta1 API enabled. Verify that by the following command:

kubectl api-versions | grep admissionregistration.k8s.io/v1beta1

The result should be:

admissionregistration.k8s.io/v1beta1

In addition, the MutatingAdmissionWebhook and ValidatingAdmissionWebhook admission controllers should be added and listed in the correct order in the admission-control flag of kube-apiserver.

Ubuntu:

apt install libfuse-dev

If it is not installed, it will report an error

ln: failed to create symbolic link '/usr/lib64/libfuse.so.2': File exists
ln: failed to create symbolic link '/usr/lib64/libulockmgr.so.1': File exists
/usr/local/bin/lxcfs: error while loading shared libraries: libfuse.so.2: cannot open shared object file: No such file or directory

Build

  1. Setup dep

    The repo uses dep as the dependency management tool for its Go codebase. Install dep by the following command:

go get -u github.com/golang/dep/cmd/dep
  1. Build and push docker image
./build

Deploy

  1. Deploy lxcfs to worker nodes
kubectl apply -f deployment/lxcfs-daemonset.yaml
  1. Install injector with lxcfs-admission-webhook
deployment/install.sh

Test

  1. Enable the namespace for injection
kubectl label namespace default lxcfs-admission-webhook=enabled

Note: All the new created pod under the namespace will be injected with LXCFS

  1. Deploy the test deployment
kubectl apply -f deployment/web.yaml
  1. Inspect the resource inside container
$ kubectl get pod

NAME                                                 READY   STATUS    RESTARTS   AGE
lxcfs-admission-webhook-deployment-f4bdd6f66-5wrlg   1/1     Running   0          8m29s
lxcfs-pqs2d                                          1/1     Running   0          55m
lxcfs-zfh99                                          1/1     Running   0          55m
web-7c5464f6b9-6zxdf                                 1/1     Running   0          8m10s
web-7c5464f6b9-nktff                                 1/1     Running   0          8m10s

$ kubectl exec -ti web-7c5464f6b9-6zxdf sh
# free
             total       used       free     shared    buffers     cached
Mem:        262144       2744     259400          0          0        312
-/+ buffers/cache:       2432     259712
Swap:            0          0          0
#

Cleanup

  1. Uninstall injector with lxcfs-admission-webhook
deployment/uninstall.sh
  1. Uninstall lxcfs from cluster nodes
kubectl delete -f deployment/lxcfs-daemonset.yaml

How does it work?

If you want to know webhooks in depth, please check it out!

Resources

https://github.com/slackhq/simple-kubernetes-webhook https://github.com/liggitt/kubernetes/blob/7e8277284aa733636ba7b5af4d03168b6e8bdb46/staging/src/k8s.io/pod-security-admission/webhook/Makefile https://github.com/kubernetes/kubernetes/blob/master/test/images/agnhost/webhook/pods.go https://aisensiy.me/lxcfs-in-kubernetes