
Basic Validation Controller

This is a dead simple [validating admission webhook controller](https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/) for Kubernetes that only allows images from verified container registries to be deployed in the cluster. Images such as `docker.io/nginx:1.19` and `gcr.io/nginx:1.19` are whitelisted, but an image written without a registry prefix, such as `nginx:1.19`, is disallowed. The list of whitelisted registries is configurable through an environment variable. The motivation for this controller is to allow only trusted, secure images in the cluster. It can also help to avoid Docker rate-limiting the images pulled from the Docker registry.

The purpose is geared more towards learning how the webhook controller works and the complete setup that has to be done, so as to build more complex webhooks.

Golang implementation of the controller:

https://github.com/SachinMaharana/basic-validation-controller/tree/master/golang
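As an added illustration (not the repository's own code), the following self-contained Go program shows the core of such a controller: it reads the whitelist from an environment variable, extracts the registry component of every container image the same way the Docker reference grammar does (so a bare `nginx:1.19` has no registry and is rejected, even though a runtime would silently pull it from docker.io), and builds the AdmissionReview response the API server expects. The AdmissionReview structs are a hand-declared subset of the v1 wire format rather than an import of `k8s.io/api`, and the variable name `ALLOWED_REGISTRIES` is an assumption; the real controller's names and layout may differ.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"strings"
)

// Minimal subset of the AdmissionReview v1 wire format, declared here so the
// example builds with only the standard library (no k8s.io/api import).
type admissionReview struct {
	APIVersion string             `json:"apiVersion"`
	Kind       string             `json:"kind"`
	Request    *admissionRequest  `json:"request,omitempty"`
	Response   *admissionResponse `json:"response,omitempty"`
}
type admissionRequest struct {
	UID    string          `json:"uid"`
	Object json.RawMessage `json:"object"` // the Pod being created
}
type admissionResponse struct {
	UID     string  `json:"uid"`
	Allowed bool    `json:"allowed"`
	Result  *status `json:"result,omitempty"`
}
type status struct{ Message string `json:"message"` }
type container struct{ Image string `json:"image"` }

// Only the Pod fields the check needs: every container image, init containers included.
type pod struct {
	Spec struct {
		InitContainers []container `json:"initContainers"`
		Containers     []container `json:"containers"`
	} `json:"spec"`
}

// registryOf returns the explicit registry of an image reference, or "" when there
// is none ("nginx:1.19", "library/nginx:1.19"). Docker reference grammar: the first
// path component is a registry only if it contains '.' or ':' or is "localhost".
func registryOf(image string) string {
	i := strings.IndexByte(image, '/')
	if i < 0 {
		return ""
	}
	if first := image[:i]; strings.ContainsAny(first, ".:") || first == "localhost" {
		return first
	}
	return ""
}

// parseAllowedRegistries turns the comma-separated whitelist into a set
// (reading it from ALLOWED_REGISTRIES is an assumption of this example).
func parseAllowedRegistries(raw string) map[string]bool {
	allowed := map[string]bool{}
	for _, r := range strings.Split(raw, ",") {
		if r = strings.TrimSpace(r); r != "" {
			allowed[r] = true
		}
	}
	return allowed
}

// decide evaluates one AdmissionReview and returns the review to send back.
// Anything that cannot be parsed is an error so the caller can fail closed.
func decide(body []byte, allowed map[string]bool) (*admissionReview, error) {
	var ar admissionReview
	if err := json.Unmarshal(body, &ar); err != nil {
		return nil, fmt.Errorf("decode AdmissionReview: %w", err)
	}
	if ar.Request == nil {
		return nil, fmt.Errorf("AdmissionReview carries no request")
	}
	var p pod
	if err := json.Unmarshal(ar.Request.Object, &p); err != nil {
		return nil, fmt.Errorf("decode Pod: %w", err)
	}
	resp := &admissionResponse{UID: ar.Request.UID, Allowed: true}
	// Init containers run first, so they are checked under the same rule.
	for _, c := range append(append([]container{}, p.Spec.InitContainers...), p.Spec.Containers...) {
		if reg := registryOf(c.Image); reg == "" || !allowed[reg] {
			resp.Allowed = false
			resp.Result = &status{Message: fmt.Sprintf("image %q is not from an allowed registry", c.Image)}
			break
		}
	}
	// The response must echo apiVersion, kind and the request uid.
	return &admissionReview{APIVersion: ar.APIVersion, Kind: ar.Kind, Response: resp}, nil
}

// sampleReview builds a constructed AdmissionReview for a one-container Pod.
func sampleReview(image string) []byte {
	return []byte(fmt.Sprintf(`{"apiVersion":"admission.k8s.io/v1","kind":"AdmissionReview",`+
		`"request":{"uid":"uid-1","object":{"spec":{"containers":[{"image":%q}]}}}}`, image))
}

func main() {
	allowed := parseAllowedRegistries(os.Getenv("ALLOWED_REGISTRIES"))
	for _, img := range []string{"docker.io/nginx:1.19", "gcr.io/nginx:1.19", "nginx:1.19"} {
		out, _ := decide(sampleReview(img), allowed)
		fmt.Printf("%-22s allowed=%v\n", img, out.Response.Allowed)
	}
}
```

Run it with `ALLOWED_REGISTRIES=docker.io,gcr.io go run main.go` and it prints the decision for the three sample images. Two points worth carrying into any real implementation: init containers are checked as well as regular containers, since they run just as much code as the others; and a request the webhook cannot parse is returned as an error rather than silently allowed, so the HTTPS handler can answer with a non-2xx status and the API server applies the webhook's `failurePolicy` instead of admitting an unchecked Pod.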

Prerequisites

  • jq - jq-1.5-1

Complete guide to develop and deploy this admission controller

Assuming the prerequisites have been met/installed, let's continue with the workflow.

1. Clone this project

```bash
git clone https://github.com/SachinMaharana/basic-validation-controller
cd basic-validation-controller
```

2. Update the variables in the Justfile

A Justfile is provided in the repo to manage this project.

`docker_user` is the username of your Docker Hub account. We will use it to tag our images.

`cluster_name` is the name of the cluster.

The others can be left at their defaults.

```
cluster_name := "gitter"
docker_user := "sachinnicky"
binary := "basic-validation-controller"
default_namespace := "default"
```

3. Create a local dev Kubernetes cluster

```bash
just cluster-up
```

4. Verify the cluster is up

```bash
$ kind get clusters
gitter

$ kubectl get nodes
NAME                   STATUS   ROLES    AGE     VERSION
gitter-control-plane   Ready    master   2m41s   v1.19.1
gitter-worker          Ready    <none>   2m9s    v1.19.1
gitter-worker2         Ready    <none>   2m9s    v1.19.1
gitter-worker3         Ready    <none>   2m15s   v1.19.1
```

5. Generate TLS certificates for HTTPS

```bash
# give permission to execute
$ chmod +x ./gencert.sh

$ just certs

# verify
$ kubectl get secret webhook-tls-certs
NAME                TYPE     DATA   AGE
webhook-tls-certs   Opaque   4      34s
```

6. Deploy the ValidatingWebhookConfiguration

```bash
$ just ca

$ kubectl get validatingwebhookconfiguration.admissionregistration.k8s.io
NAME                          WEBHOOKS   AGE
basic-validation-controller   1          27s
```

7. Build and create the Docker image

```bash
$ just build

# verify
$ docker images
REPOSITORY                                    TAG                 IMAGE ID            CREATED             SIZE
sachinnicky/basic-validation-controller   latest              38baba376694        1 hours ago         98.8MB
```

8. Make it available to the cluster

We can either push it to Docker Hub and refer to it in our deployment manifest, or load the image into our cluster. We will go with the second approach.

```bash
$ just load
```

9. Deploy the controller

```bash
$ just deploy

# verify
$ kubectl get pods
NAME                                               READY   STATUS    RESTARTS   AGE
basic-validation-controller-764bd94bdc-2kb62   1/1     Running   0          82s
```

10. Deploy the debug pods to verify

```bash
$ just debug

# verify
$ kubectl get po && kubectl get rs
# We see that the pod using `busybox:1.29` is not created, while the one using `docker.io/nginx:1.29` is.
```

11. Destroy the cluster

```bash
just cluster-down
```

About

simple validation controller for kubernetes
