v0.1.0

Author: shenchangqing

Dockerfile

@@ -0,0 +1,7 @@
+FROM ubuntu:24.04
+
+COPY k8s-webhook /usr/local/bin/
+
+RUN chmod +x /usr/local/bin/k8s-webhook
+
+CMD ["k8s-webhook"]

Makefile

@@ -1,10 +1,11 @@
-VERSION ?= valvalidating-v0.0.1
+VERSION_TAG ?= validating-v0.1.0
+REGISTRY_HOST ?= ccr.ccs.tencentyun.com/public-proxy/k8s-webhook
 
 build:
-    go build -o k8s-webhook main.go
-build-image:
-	docker build -t shenchangqing/k8s-webhook:$(VERSION)
-	docker push shenchangqing/k8s-webhook:$(VERSION)
-deploy-k8s:
-    sed -i "s/#{VERSION}/${VERSION}/g" kustomize/overlays/dev/kustomization.yaml
-    kustomize build kustomize/overlays/dev 
+	go build -o k8s-webhook main.go
+build-image: build
+	docker build -t $(REGISTRY_HOST):$(VERSION_TAG) .
+	docker push $(REGISTRY_HOST):$(VERSION_TAG)
+deploy-k8s: build-image
+	kustomize build kustomize/overlays/dev/ | sed "s/VERSION_TAG/${VERSION_TAG}/g" | kubectl apply -f -
+

README.md

@@ -1,3 +1,31 @@
-## use controller-manager webhook
+## k8s webhook template, you can use it by simple wirte logical code
 
 - need cert-manager generate tls cert/key
+
+### validationg webhook
+- 实现逻辑在`k8s/validation.go`
+- pod 打了标签`allow-delete=false`, cannot be delete
+### mutating webhook
+- 实现逻辑在`k8s/mutating.go`
+- 创建 pod 时，自动添加标签`k8s-webhook=test`
+### usage
+- 快速实现webhook功能
+- copy this repo, and write your own logic
+- Makefile部署,change VERSION_TAG|REGISTRY_HOST,`make deploy-k8s`
+
+
+## License
+
+Copyright 2023 changqings.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.

k8s/mutation.go

@@ -0,0 +1,104 @@
+package k8s
+
+import (
+	"context"
+	"log/slog"
+	"net/http"
+	"strings"
+
+	"gomodules.xyz/jsonpatch/v2"
+	admission_v1 "k8s.io/api/admission/v1"
+	v1 "k8s.io/api/admissionregistration/v1"
+	k8s_error "k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/client-go/kubernetes"
+	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
+)
+
+func MutatingPod() http.Handler {
+	return &admission.Webhook{
+		Handler: admission.HandlerFunc(
+			func(ctx context.Context, req admission.Request) admission.Response {
+				if req.AdmissionRequest.Operation == admission_v1.Create {
+					slog.Info("create pod patch labels")
+					return admission.Patched(
+						"add label",
+						jsonpatch.JsonPatchOperation{
+							Operation: "add",
+							Path:      "/metadata/labels/k8s-webhook",
+							Value:     "test",
+						},
+					)
+				} else {
+					return admission.Allowed("ok")
+				}
+			},
+		),
+	}
+}
+
+func CreateMutatingWebhook(k8sClient *kubernetes.Clientset) error {
+
+	mutateServiceName := strings.Split(webhookServiceName, ".")[0]
+	caCrt, err := getCaBundle(k8sClient, webhookSecretName, webhookNamespace)
+	if err != nil {
+		return err
+	}
+
+	mutate_webhook := v1.MutatingWebhookConfiguration{
+		ObjectMeta: metav1.ObjectMeta{
+			Namespace: webhookNamespace,
+			Name:      mutateServiceName,
+		},
+		Webhooks: []v1.MutatingWebhook{
+			{
+				Name: "pod-webhook.some.cn",
+				NamespaceSelector: &metav1.LabelSelector{
+					MatchLabels: map[string]string{
+						"kubernetes.io/metadata.name": "default",
+					},
+				},
+				Rules: []v1.RuleWithOperations{
+					{
+						Operations: []v1.OperationType{
+							v1.Create,
+						},
+						Rule: v1.Rule{
+							APIGroups:   []string{""},
+							APIVersions: []string{"v1"},
+							Resources:   []string{"pods"},
+						},
+					},
+				},
+				ClientConfig: v1.WebhookClientConfig{
+					Service: &v1.ServiceReference{
+						Namespace: webhookNamespace,
+						Name:      mutateServiceName,
+						Path:      &WebhookMutatePath,
+						Port:      &TLSPort,
+					},
+					CABundle: caCrt,
+				},
+				AdmissionReviewVersions: []string{"v1"},
+				SideEffects: func() *v1.SideEffectClass {
+					var none v1.SideEffectClass = "None"
+					return &none
+				}(),
+			},
+		},
+	}
+
+	_, err = k8sClient.AdmissionregistrationV1().MutatingWebhookConfigurations().
+		Create(context.Background(), &mutate_webhook, metav1.CreateOptions{})
+	if err != nil {
+		if k8s_error.IsAlreadyExists(err) {
+			slog.Info("mutatingWebhookConfiguration already exists", "name", mutate_webhook.Name, "namespace", mutate_webhook.Namespace)
+			return nil
+		} else {
+			return err
+		}
+	}
+	slog.Info("mutatingWebhookConfiguration create success", "name", mutate_webhook.Name, "namespace", mutate_webhook.Namespace)
+
+	return nil
+}

k8s/tls.go

@@ -19,11 +19,12 @@ import (
 )
 
 var (
-	TLSCertDir       = "k8s-tls"
-	CertName         = "cert.crt"
-	KeyName          = "key.crt"
-	WebhookValidPath = "/webhook/validate"
-	webhookNamespace = "default"
+	TLSCertDir        = "k8s-tls"
+	CertName          = "cert.crt"
+	KeyName           = "key.crt"
+	WebhookValidPath  = "/webhook/validate"
+	WebhookMutatePath = "/webhook/mutate"
+	webhookNamespace  = "default"
 
 	TLSPort int32 = 9443
 	//ca

k8s/validation.go

@@ -7,21 +7,37 @@ import (
 	"net/http"
 	"strings"
 
+	admission_v1 "k8s.io/api/admission/v1"
 	v1 "k8s.io/api/admissionregistration/v1"
 	k8s_error "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/client-go/kubernetes"
 	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
 )
 
-func ValidatingPod() http.Handler {
+func ValidatingPod(k8sClient *kubernetes.Clientset) http.Handler {
 	return &admission.Webhook{
 		Handler: admission.HandlerFunc(
 			func(ctx context.Context, req admission.Request) admission.Response {
-				if req.Namespace == "default" && req.Operation == "delete" {
+				podCanNotBeDeleted := false
+
+				podName := req.Name
+				podNamespace := req.Namespace
+
+				pod, err := k8sClient.CoreV1().Pods(podNamespace).Get(ctx, podName, metav1.GetOptions{})
+				if err != nil {
+					return admission.ValidationResponse(false, "get pod error")
+				}
+
+				if v, ok := pod.Labels["allow-delete"]; ok && v == "false" {
+					podCanNotBeDeleted = true
+				}
+
+				if req.Operation == admission_v1.Delete && podCanNotBeDeleted {
+					slog.Info("pod can not be deleted labels allow-delete=false", "name", req.Name, "namespace", req.Namespace)
 					return admission.ValidationResponse(false, "not allow by webhook")
 				}
-				return admission.ValidationResponse(true, "ok, you can do it")
+				return admission.ValidationResponse(true, "ok")
 			},
 		),
 	}
@@ -42,10 +58,10 @@ func CreateValidatingWebhook(k8sClient *kubernetes.Clientset) error {
 		},
 		Webhooks: []v1.ValidatingWebhook{
 			{
-				Name: webhookServiceName,
+				Name: "pod-webhook.some.cn",
 				NamespaceSelector: &metav1.LabelSelector{
 					MatchLabels: map[string]string{
-						"kubernetes.io/metadata": "default",
+						"kubernetes.io/metadata.name": "default",
 					},
 				},
 				Rules: []v1.RuleWithOperations{
@@ -54,7 +70,7 @@ func CreateValidatingWebhook(k8sClient *kubernetes.Clientset) error {
 							v1.Delete,
 						},
 						Rule: v1.Rule{
-							APIGroups:   []string{"core"},
+							APIGroups:   []string{""},
 							APIVersions: []string{"v1"},
 							Resources:   []string{"pods"},
 						},
@@ -82,12 +98,13 @@ func CreateValidatingWebhook(k8sClient *kubernetes.Clientset) error {
 		Create(context.Background(), &valid_webhook, metav1.CreateOptions{})
 	if err != nil {
 		if k8s_error.IsAlreadyExists(err) {
-			slog.Info("ValidatingWebhookConfiguration already exists, %s.%s", valid_webhook.Name, valid_webhook.Namespace)
+			slog.Info("validatingWebhookConfiguration already exists", "name", valid_webhook.Name, "namespace", valid_webhook.Namespace)
 			return nil
 		} else {
 			return err
 		}
 	}
+	slog.Info("validatingWebhookConfiguration create success", "name", valid_webhook.Name, "namespace", valid_webhook.Namespace)
 
 	return nil
 }

kustomize/base/clusterrolebinding.yaml

@@ -0,0 +1,49 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: k8s-webhook
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: k8s-webhook
+rules:
+- apiGroups:
+  - ''
+  resources:
+  - pods
+  verbs:
+  - get
+- apiGroups:
+  - ''
+  resources:
+  - secrets
+  verbs:
+  - get
+- apiGroups:
+  - admissionregistration.k8s.io
+  resources:
+  - validatingwebhookconfigurations
+  - mutatingwebhookconfigurations
+  verbs:
+  - create
+- apiGroups:
+  - cert-manager.io
+  resources:
+  - clusterissuers
+  - certificates
+  verbs:
+  - create
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: k8s-webhook
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: k8s-webhook
+subjects:
+- kind: ServiceAccount
+  name: k8s-webhook

kustomize/base/deployment.yaml

@@ -26,8 +26,8 @@ spec:
             failureThreshold: 3
             httpGet:
               path: /health_check
-              port: http-check
-              scheme: HTTPS
+              port: 8080
+              scheme: HTTP
             initialDelaySeconds: 10
             periodSeconds: 15
             successThreshold: 1
@@ -36,8 +36,8 @@ spec:
             failureThreshold: 3
             httpGet:
               path: /health_check
-              port: http-check
-              scheme: HTTPS
+              port: 8080
+              scheme: HTTP
             initialDelaySeconds: 5
             periodSeconds: 15
             successThreshold: 1
@@ -54,4 +54,5 @@ spec:
       dnsPolicy: ClusterFirst
       restartPolicy: Always
       schedulerName: default-scheduler
+      serviceAccountName: k8s-webhook
       terminationGracePeriodSeconds: 30

kustomize/base/kustomization.yaml

@@ -1,4 +1,5 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 resources:
 - deployment.yaml
-- service.yaml
+- service.yaml
+- clusterrolebinding.yaml

kustomize/base/service.yaml

@@ -2,13 +2,13 @@
 apiVersion: v1
 kind: Service
 metadata:
-  name: k8s-webhook
+  name: pod-webhook
 spec:
   ipFamilies:
     - IPv4
   ports:
     - name: https-443
-      port: 443
+      port: 9443
       protocol: TCP
       targetPort: https
   sessionAffinity: None

kustomize/overlay/dev/kustomization.yaml kustomize/overlays/dev/kustomization.yaml

@@ -1,8 +1,8 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 images:
-  - newName: shenchangqing/k8s-webhook
+  - newName: ccr.ccs.tencentyun.com/public-proxy/k8s-webhook
     name: image_name
-    newTag: #{VERSION}
+    newTag: VERSION_TAG
 commonLabels:
   app: k8s-webhook
 kind: Kustomization