Monban (門番) is a simple tool that locks deployments in a namespace using Admission Webhooks.
When you need to lock deployments, Monban (門番) can lock them in a namespace. Monban (門番) is useful in the following situations:
- for Maintenance
- for Code-freeze
- for recovery operations in Production
Please refer to Admission Webhooks and the implementation of the admission webhook server.
# for Mac
$ brew install cfssl # for making cert files
$ brew install kubernetes-cli # for deploying to Kubernetes
- Setup RBAC (ex. https://docs.bitnami.com/kubernetes/how-to/configure-rbac-in-your-kubernetes-cluster/)
- Deploy Monban (門番) to k8s.
$ make deploy
Check deploy
$ kubectl get deployment monban -n default
NAME DESIRED CURRENT UP-TO-DATE AVAILABLE AGE
monban 1 1 1 1 21h
$ kubectl logs deployment/monban -f -n default
2018/12/19 05:26:03 Starting monban...
Monban enabled
$ kubectl annotate namespace/default koudaiii/monban=enabled
namespace/default annotated
Check lock
$ kubectl patch deployment/nginx-test -p "{\"spec\":{\"template\":{\"metadata\":{\"labels\":{\"date\":\"`date +'%s'`\"}}}}}"
Error from server: admission webhook "monban.default.service" denied the request: nginx-test is locked in default.
If you unlock, Please run command `kubectl annotate namespace/default koudaiii/monban-`
locking deployment 👌
Monban disabled
$ kubectl annotate namespace/default koudaiii/monban-
namespace/default annotated
Check unlock
$ kubectl patch deployment/nginx-test -p "{\"spec\":{\"template\":{\"metadata\":{\"labels\":{\"date\":\"`date +'%s'`\"}}}}}"
deployment.extensions/nginx-test patched
$ kubectl get po
nginx-test-56f766d96f-7qd4x 1/1 Running 0 2d
nginx-test-56f766d96f-8tgfn 1/1 Running 0 2d
nginx-test-56f766d96f-bwltr 0/1 Terminating 0 2d
nginx-test-56f766d96f-cfrpd 1/1 Running 0 2d
nginx-test-56f766d96f-k55jn 1/1 Running 0 2d
nginx-test-56f766d96f-rzd2j 1/1 Running 0 2d
nginx-test-56f766d96f-vvlb8 1/1 Running 0 2d
nginx-test-8595c7fdbd-642bn 1/1 Running 0 10s
nginx-test-8595c7fdbd-7m72g 1/1 Running 0 10s
nginx-test-8595c7fdbd-dgtqn 0/1 ContainerCreating 0 4s
nginx-test-8595c7fdbd-h6rqg 1/1 Running 0 6s
nginx-test-8595c7fdbd-hfml7 0/1 ContainerCreating 0 1s
unlocked deployment 👌
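The lock and unlock behaviour shown above comes down to one admission decision per request. The following Go sketch is an added example, not Monban's own code: it assumes the admission.k8s.io/v1 AdmissionReview shape, that the webhook registration already limits requests to Deployments, and a hypothetical nsAnnotations map standing in for a namespace lookup against the API server.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Annotation key from the kubectl annotate commands on this page.
const lockAnnotation = "koudaiii/monban"

// Minimal subset of the AdmissionReview wire format (assumed admission.k8s.io/v1).
type admissionReview struct {
	APIVersion string    `json:"apiVersion"`
	Kind       string    `json:"kind"`
	Request    *request  `json:"request,omitempty"`
	Response   *response `json:"response,omitempty"`
}
type request struct{ UID, Name, Namespace string }
type response struct {
	UID     string  `json:"uid"`
	Allowed bool    `json:"allowed"`
	Status  *status `json:"status,omitempty"`
}
type status struct {
	Message string `json:"message"`
}

// review decides one request; nsAnnotations (hypothetical) stands in for a namespace lookup.
func review(body []byte, nsAnnotations map[string]string) ([]byte, error) {
	var in admissionReview
	if err := json.Unmarshal(body, &in); err != nil {
		return nil, err
	}
	if in.Request == nil {
		return nil, fmt.Errorf("admission review has no request")
	}
	resp := &response{UID: in.Request.UID, Allowed: true} // the UID must be echoed back
	if nsAnnotations[lockAnnotation] == "enabled" {
		resp.Allowed = false
		resp.Status = &status{Message: fmt.Sprintf("%s is locked in %s.", in.Request.Name, in.Request.Namespace)}
	}
	return json.Marshal(admissionReview{APIVersion: in.APIVersion, Kind: in.Kind, Response: resp})
}

func main() {
	// Constructed sample request for a namespace annotated as locked.
	in := []byte(`{"apiVersion":"admission.k8s.io/v1","kind":"AdmissionReview","request":{"uid":"u-1","name":"nginx-test","namespace":"default"}}`)
	out, err := review(in, map[string]string{lockAnnotation: "enabled"})
	fmt.Println(string(out), err)
}
```

Because the lock is a namespace annotation, any account whose RBAC role allows updating the namespace can remove it. Restrict that permission if the lock is meant to bind the people who deploy.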
- Setup minikube.
- Clone this repository and build using `make`.
$ minikube start
$ minikube update-context
$ make deploy
- Create User RBAC
Set context
$ kubectl config set-credentials koudaiii --client-certificate=$HOME/.minikube/client.crt --client-key=$HOME/.minikube/client.key
$ kubectl config set-context koudaiii-context --cluster=minikube --namespace=default --user=koudaiii
# Check
$ kubectl --context=koudaiii-context get pods
Set RBAC
$ kubectl apply -f example/user.yaml
- Deploy sample app
$ kubectl --context=koudaiii-context run --image nginx nginx-test
$ kubectl --context=koudaiii-context get pods
- Check Monban(門番)
Reload
$ kubectl --context=koudaiii-context patch deployment nginx-test -p "{\"spec\":{\"template\":{\"metadata\":{\"labels\":{\"date\":\"`date +'%s'`\"}}}}}"
deployment.extensions/nginx-test patched
$ kubectl get po
NAME READY STATUS RESTARTS AGE
monban-84647c5bbc-p4ntj 1/1 Running 0 12m
nginx-test-5cb5969668-2j5qn 1/1 Running 0 1m
nginx-test-7499b7747-mvdf7 0/1 ContainerCreating 0 3s
Monban enabled
$ kubectl --context=koudaiii-context annotate namespace/default koudaiii/monban=enabled
namespace/default annotated
$ kubectl --context=koudaiii-context patch deployment nginx-test -p "{\"spec\":{\"template\":{\"metadata\":{\"labels\":{\"date\":\"`date +'%s'`\"}}}}}"
Error from server: admission webhook "monban.default.service" denied the request: nginx-test is locked in default.
If you unlock, Please run command `kubectl annotate namespace/default koudaiii/monban-`
Monban disabled
$ kubectl annotate namespace/default koudaiii/monban-
namespace/default annotated
$ kubectl --context=koudaiii-context patch deployment nginx-test -p "{\"spec\":{\"template\":{\"metadata\":{\"labels\":{\"date\":\"`date +'%s'`\"}}}}}"
deployment.extensions/nginx-test patched
- Fork (https://github.com/koudaiii/monban/fork)
- Create a feature branch
- Commit your changes
- Rebase your local changes against the master branch
- Run test suite with the `go test ./...` command and confirm that it passes
- Run `gofmt -s`
- Create a new Pull Request