Disclaimer: namespaced-admission is work in progress and not ready for production use.
namespaced-admission is a Kubernetes controller that allows tenant users to deploy admission webhooks.
To deploy an admission webhook, you need to create `ValidatingWebhookConfiguration` or `MutatingWebhookConfiguration` resources. However, these are cluster-scoped resources, so tenant users cannot create them.
namespaced-admission provides the namespace-scoped custom resources `NamespacedValidatingWebhookConfiguration` and `NamespacedMutatingWebhookConfiguration`.
namespaced-admission can safely create `ValidatingWebhookConfiguration` and `MutatingWebhookConfiguration` resources from these custom resources.
These namespace-scoped resources are almost the same as the cluster-scoped resources, but with the following limitations:
- `namespaceSelector` cannot be specified.
- The resources listed in `rules` must be accessible via the target webhook server.
- The resources listed in `rules` must have a scope of `Namespaced`.
`namespaceSelector` will be automatically filled with a condition that matches the `kubernetes.io/metadata.name` label assigned to the namespace of the custom resource.
(The `kubernetes.io/metadata.name` label is supported in Kubernetes 1.21 and later.)
You can change the label key with the `--target-label-key` option.
Please note the following when setting this option up; the generated `namespaceSelector` is only as safe as these conditions:
- Tenant users must not be able to modify Namespace resources.
- Namespaces carrying the same label value under the key specified by `--target-label-key` must be guaranteed to have the same permissions, because the generated selector matches all of them.
namespaced-admission uses the `serviceAccountName` field to verify whether the resources listed in `rules` are accessible or not.
Then use that ServiceAccount for the target webhook server.
See Role, RoleBinding and ServiceAccount.
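The following is an added illustration, not code from the namespaced-admission project, of what the controller described above has to do when it turns a namespaced custom resource into a cluster-scoped webhook configuration: reject a `namespaceSelector` supplied by the tenant, reject rules whose scope is not `Namespaced`, check through the `serviceAccountName` that each resource in `rules` is accessible, and then inject a `namespaceSelector` that matches the target label of the custom resource's own namespace. The struct types are hand-written stand-ins for the `admissionregistration.k8s.io` types, the in-memory `AccessChecker` stands in for a SubjectAccessReview against the API server, and the verb `get` used for the access check is an assumption.

```go
package main

import (
	"fmt"
)

// Hand-written subset of the admissionregistration.k8s.io types (assumption:
// only the fields needed to demonstrate the conversion are modelled).
type Rule struct {
	APIGroups  []string
	Resources  []string
	Operations []string
	Scope      string // "Namespaced", "Cluster" or "*"
}

type LabelSelector struct {
	MatchLabels map[string]string
}

type Webhook struct {
	Name              string
	Rules             []Rule
	NamespaceSelector *LabelSelector // must be nil in the namespaced resource
}

// NamespacedConfig stands in for a NamespacedValidatingWebhookConfiguration:
// the same webhooks as the cluster-scoped resource, but living in a namespace
// and naming the ServiceAccount used for the access check.
type NamespacedConfig struct {
	Namespace          string
	ServiceAccountName string
	Webhooks           []Webhook
}

// AccessChecker answers "may ServiceAccount sa perform verb on group/resource?".
// The real controller would ask the API server via SubjectAccessReview; the
// example uses an in-memory table (constructed stand-in).
type AccessChecker func(sa, apiGroup, resource, verb string) bool

// TableChecker builds an AccessChecker from a map of ServiceAccount name to
// the "group/resource" pairs it may access.
func TableChecker(allowed map[string][]string) AccessChecker {
	return func(sa, apiGroup, resource, verb string) bool {
		for _, gr := range allowed[sa] {
			if gr == apiGroup+"/"+resource {
				return true
			}
		}
		return false
	}
}

// DefaultLabelKey is the label the controller matches unless --target-label-key
// overrides it.
const DefaultLabelKey = "kubernetes.io/metadata.name"

// Convert enforces the three limitations from the README and returns the
// webhooks as they would appear in the cluster-scoped configuration, each with
// a namespaceSelector pinned to the custom resource's namespace.
func Convert(cfg NamespacedConfig, labelKey string, can AccessChecker) ([]Webhook, error) {
	out := make([]Webhook, 0, len(cfg.Webhooks))
	for _, wh := range cfg.Webhooks {
		// Limitation 1: the tenant may not choose the namespaceSelector.
		if wh.NamespaceSelector != nil {
			return nil, fmt.Errorf("webhook %q: namespaceSelector must not be set", wh.Name)
		}
		for _, r := range wh.Rules {
			// Limitation 3: only namespaced resources can be intercepted.
			if r.Scope != "Namespaced" {
				return nil, fmt.Errorf("webhook %q: rule scope %q is not Namespaced", wh.Name, r.Scope)
			}
			// Limitation 2: the webhook's ServiceAccount must be able to access
			// every resource it wants to admit (verb "get" is an assumption).
			for _, g := range r.APIGroups {
				for _, res := range r.Resources {
					if !can(cfg.ServiceAccountName, g, res, "get") {
						return nil, fmt.Errorf("webhook %q: serviceaccount %q cannot access %s/%s",
							wh.Name, cfg.ServiceAccountName, g, res)
					}
				}
			}
		}
		// Copy the webhook and pin it to the tenant namespace via the label key.
		clone := wh
		clone.NamespaceSelector = &LabelSelector{
			MatchLabels: map[string]string{labelKey: cfg.Namespace},
		}
		out = append(out, clone)
	}
	return out, nil
}

func main() {
	// Constructed sample: tenant-a's webhook wants to validate Deployments.
	can := TableChecker(map[string][]string{"tenant-webhook": {"apps/deployments"}})
	cfg := NamespacedConfig{
		Namespace:          "tenant-a",
		ServiceAccountName: "tenant-webhook",
		Webhooks: []Webhook{{
			Name:  "deployments.tenant-a.example",
			Rules: []Rule{{APIGroups: []string{"apps"}, Resources: []string{"deployments"}, Operations: []string{"CREATE"}, Scope: "Namespaced"}},
		}},
	}
	webhooks, err := Convert(cfg, DefaultLabelKey, can)
	if err != nil {
		fmt.Println("rejected:", err)
		return
	}
	fmt.Printf("generated namespaceSelector: %v\n", webhooks[0].NamespaceSelector.MatchLabels)
}
```

The selector injection is what keeps one tenant's webhook from intercepting requests in another tenant's namespace, which is why the README insists that tenants cannot relabel namespaces and that namespaces sharing a label value share permissions.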
- Prepare Docker, kubectl and kind (Kubernetes-In-Docker).
- Launch a Kubernetes cluster with kind.

  ```console
  kind create cluster
  ```

- Deploy cert-manager.

  ```console
  make deploy-cert-manager
  ```

- Deploy namespaced-admission.

  ```console
  make install
  make docker-build
  make docker-load
  make deploy
  ```

- Deploy an admission webhook server for a tenant user.

  ```console
  make docker-build-dummy
  make docker-load-dummy
  make deploy-dummy
  ```