fix

shenchangqing · shenchangqing · commit 5593a3f55063 · 2024-07-29T04:18:37.000+08:00
diff --git a/1.txt b/1.txt
@@ -0,0 +1,142 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  labels:
+    app: k8s-webhook
+  name: k8s-webhook
+  namespace: default
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    app: k8s-webhook
+  name: k8s-webhook
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - pods
+  verbs:
+  - get
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - get
+- apiGroups:
+  - admissionregistration.k8s.io
+  resources:
+  - validatingwebhookconfigurations
+  - mutatingwebhookconfigurations
+  verbs:
+  - create
+- apiGroups:
+  - cert-manager.io
+  resources:
+  - clusterissuers
+  - certificates
+  verbs:
+  - create
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  labels:
+    app: k8s-webhook
+  name: k8s-webhook
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: k8s-webhook
+subjects:
+- kind: ServiceAccount
+  name: k8s-webhook
+  namespace: default
+---
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app: k8s-webhook
+  name: pod-webhook
+  namespace: default
+spec:
+  ipFamilies:
+  - IPv4
+  ports:
+  - name: https-443
+    port: 9443
+    protocol: TCP
+    targetPort: https
+  selector:
+    app: k8s-webhook
+  sessionAffinity: None
+  type: ClusterIP
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: k8s-webhook
+  name: k8s-webhook
+  namespace: default
+spec:
+  progressDeadlineSeconds: 600
+  replicas: 1
+  revisionHistoryLimit: 10
+  selector:
+    matchLabels:
+      app: k8s-webhook
+  template:
+    metadata:
+      annotations:
+        sidecar.istio.io/inject: "false"
+      labels:
+        app: k8s-webhook
+    spec:
+      containers:
+      - command:
+        - k8s-webhook
+        image: ccr.ccs.tencentyun.com/public-proxy/k8s-webhook:validating-v0.1.0
+        imagePullPolicy: Always
+        livenessProbe:
+          failureThreshold: 3
+          httpGet:
+            path: /health_check
+            port: 8080
+            scheme: HTTP
+          initialDelaySeconds: 10
+          periodSeconds: 15
+          successThreshold: 1
+          timeoutSeconds: 4
+        name: app
+        ports:
+        - containerPort: 9443
+          name: https
+          protocol: TCP
+        readinessProbe:
+          failureThreshold: 3
+          httpGet:
+            path: /health_check
+            port: 8080
+            scheme: HTTP
+          initialDelaySeconds: 5
+          periodSeconds: 15
+          successThreshold: 1
+          timeoutSeconds: 4
+        resources:
+          limits:
+            cpu: 200m
+            memory: 512Mi
+          requests:
+            cpu: 10m
+            memory: 56Mi
+        terminationMessagePath: /dev/termination-log
+        terminationMessagePolicy: File
+      dnsPolicy: ClusterFirst
+      restartPolicy: Always
+      schedulerName: default-scheduler
+      serviceAccountName: k8s-webhook
+      terminationGracePeriodSeconds: 30
diff --git a/Makefile b/Makefile
@@ -1,11 +1,11 @@
 VERSION_TAG ?= validating-v0.1.0
-REGISTRY_HOST ?= ccr.ccs.tencentyun.com/public-proxy/k8s-webhook
+REGISTRY_ADDR ?= ccr.ccs.tencentyun.com/public-proxy/k8s-webhook
 
 build:
 	go build -o k8s-webhook main.go
 build-image: build
-	docker build -t $(REGISTRY_HOST):$(VERSION_TAG) .
-	docker push $(REGISTRY_HOST):$(VERSION_TAG)
+	docker build -t $(REGISTRY_ADDR):$(VERSION_TAG) .
+	docker push $(REGISTRY_ADDR):$(VERSION_TAG)
 deploy-k8s: build-image
-	kustomize build kustomize/overlays/dev/ | sed "s/VERSION_TAG/${VERSION_TAG}/g" | kubectl apply -f -
+	kustomize build kustomize/overlays/dev/ | sed -e "s|VERSION_TAG|${VERSION_TAG}|g" -e "s|REGISTRY_ADDR|${REGISTRY_ADDR}|g" > 1.txt
 
diff --git a/k8s/validation.go b/k8s/validation.go
@@ -34,7 +34,7 @@ func ValidatingPod(k8sClient *kubernetes.Clientset) http.Handler {
 				}
 
 				if req.Operation == admission_v1.Delete && podCanNotBeDeleted {
-					slog.Info("pod can not be deleted labels allow-delete=false", "name", req.Name, "namespace", req.Namespace)
+					slog.Info("pod can not be deleted with labels allow-delete=false", "name", req.Name, "namespace", req.Namespace)
 					return admission.ValidationResponse(false, "not allow by webhook")
 				}
 				return admission.ValidationResponse(true, "ok")
diff --git a/kustomize/overlays/dev/kustomization.yaml b/kustomize/overlays/dev/kustomization.yaml
@@ -1,6 +1,6 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 images:
-  - newName: ccr.ccs.tencentyun.com/public-proxy/k8s-webhook
+  - newName: REGISTRY_ADDR
     name: image_name
     newTag: VERSION_TAG
 commonLabels:

Original file line number	Diff line number	Diff line change
`@@ -34,7 +34,7 @@ func ValidatingPod(k8sClient *kubernetes.Clientset) http.Handler {`
`34`	`34`	`}`
`35`	`35`
`36`	`36`	`if req.Operation == admission_v1.Delete && podCanNotBeDeleted {`
`37`		`- slog.Info("pod can not be deleted labels allow-delete=false", "name", req.Name, "namespace", req.Namespace)`
	`37`	`+ slog.Info("pod can not be deleted with labels allow-delete=false", "name", req.Name, "namespace", req.Namespace)`
`38`	`38`	`return admission.ValidationResponse(false, "not allow by webhook")`
`39`	`39`	`}`
`40`	`40`	`return admission.ValidationResponse(true, "ok")`