
kube-sidecar-injector's Introduction

kube-sidecar-injector

This repo is used for a tutorial at Medium to create a Kubernetes MutatingAdmissionWebhook that injects an nginx sidecar container into a pod before the object is persisted.

Prerequisites

  • git
  • go version v1.17+
  • docker version 19.03+
  • kubectl version v1.19+
  • Access to a Kubernetes v1.19+ cluster with the admissionregistration.k8s.io/v1 API enabled. Verify this with the following command:
kubectl api-versions | grep admissionregistration.k8s.io

The result should be:

admissionregistration.k8s.io/v1
admissionregistration.k8s.io/v1beta1

Note: In addition, the MutatingAdmissionWebhook and ValidatingAdmissionWebhook admission controllers should be added and listed in the correct order in the admission-control flag of kube-apiserver.

Build and Deploy

  1. Build and push the docker image:
make docker-build docker-push IMAGE=quay.io/<your_quayio_username>/sidecar-injector:latest
  2. Deploy the kube-sidecar-injector to the kubernetes cluster:
make deploy IMAGE=quay.io/<your_quayio_username>/sidecar-injector:latest
  3. Verify that the kube-sidecar-injector is up and running:
# kubectl -n sidecar-injector get pod
NAME                                READY   STATUS    RESTARTS   AGE
sidecar-injector-7c8bc5f4c9-28c84   1/1     Running   0          30s

How to use

  1. Create a new namespace test-ns and label it with sidecar-injection=enabled:
# kubectl create ns test-ns
# kubectl label namespace test-ns sidecar-injection=enabled
# kubectl get namespace -L sidecar-injection
NAME                 STATUS   AGE   SIDECAR-INJECTION
default              Active   26m
test-ns              Active   13s   enabled
kube-public          Active   26m
kube-system          Active   26m
sidecar-injector     Active   17m
  2. Deploy an app in the Kubernetes cluster, taking an alpine pod as an example:
kubectl -n test-ns run alpine \
    --image=alpine \
    --restart=Never \
    --command -- sleep infinity
  3. Verify that the sidecar container is injected:
# kubectl -n test-ns get pod
NAME                     READY     STATUS        RESTARTS   AGE
alpine                   2/2       Running       0          10s
# kubectl -n test-ns get pod alpine -o jsonpath="{.spec.containers[*].name}"
alpine sidecar-nginx

Troubleshooting

Sometimes you may find that the pod is not injected with the sidecar container as expected. If so, check the following items:

  1. The sidecar-injector pod is in the Running state and shows no error logs.
  2. The namespace in which the application pod is deployed has the correct label (sidecar-injection=enabled) as configured in the MutatingWebhookConfiguration.
  3. The application pod has the annotation sidecar-injector-webhook.morven.me/inject: "yes".

kube-sidecar-injector's People

Contributors

aholic, asnowfix, bvwells, falfaro, felixstarship, josegonzalez, jpedro, kelepirci, morvencao, tariq1890, vlatombe, woosley


kube-sidecar-injector's Issues

webhook-create-signed-cert.sh

mistake:

error: error validating "STDIN": error validating data: [apiVersion not set, kind not set]; if you choose to ignore these errors, turn validation off with --validate=false

I have the following issues when installing modules:

The following issues were found in Gopkg.toml:

✗ unable to deduce repository and source type for "k8s.io/apimachinery": unable to read metadata: unable to fetch raw metadata: failed HTTP request to URL "http://k8s.io/apimachinery?go-get=1": Get http://k8s.io/apimachinery?go-get=1: EOF
✗ unable to deduce repository and source type for "k8s.io/api": unable to read metadata: unable to fetch raw metadata: failed HTTP request to URL "http://k8s.io/api?go-get=1": Get http://k8s.io/api?go-get=1: EOF

Question about the message format the API Server uses when calling a webhook

Hello, I would like to ask whether the messages the API Server sends when calling a webhook extension are JSON or protobuf. Our technology stack is mainly Java and we are not very familiar with Go, so we want to see whether Java can implement something similar. At the moment we do not understand the message format well: I see that the Go parameter declarations carry both JSON and protobuf tags, so I wanted to ask what form the messages take when the API Server calls a webhook extension, whether it is JSON or protobuf, or whether it is configurable. Many thanks!

Blank map of container config

Hi Morvenco,

I was referring to your repo and am unable to get the volumeMount config; may I know what I am missing here, or whether there is any workaround for it?

kubectl create -f deployment/mutatingwebhook-ca-bundle.yaml error

kubectl create -f deployment/mutatingwebhook-ca-bundle.yaml
error: error validating "deployment/mutatingwebhook-ca-bundle.yaml": error validating data: ValidationError(MutatingWebhookConfiguration.webhooks[0].clientConfig.caBundle): invalid type for io.k8s.api.admissionregistration.v1beta1.WebhookClientConfig.caBundle: got "array", expected "string"; if you choose to ignore these errors, turn validation off with --validate=false.
----
cat deployment/mutatingwebhook-ca-bundle.yaml
 caBundle: [45 45 45 45 45....... 69 45 45 45 45 45 10]

Help webhook - func addContainer()

Hello, I'm following your fantastic article about mutating webhooks and I'm trying to understand what happens under the hood; unfortunately I'm struggling to understand what the addContainer func does.
Can you please explain to me what you are doing in this block?

first := len(target) == 0
for _, add := range added {
		value = add
		path := basePath
		if first {
			first = false
			value = []corev1.Container{add}
		} else {
			path = path + "/-"
		}

original function:

import corev1 "k8s.io/api/core/v1"

// patchOperation (the element type the function below returns) is one JSON Patch (RFC 6902) operation.
type patchOperation struct {
	Op    string      `json:"op"`
	Path  string      `json:"path"`
	Value interface{} `json:"value,omitempty"`
}

// addContainer builds the "add" operations that insert every container in added
// after the ones already present in target, under basePath (e.g. /spec/containers).
func addContainer(target, added []corev1.Container, basePath string) (patch []patchOperation) {
	first := len(target) == 0
	var value interface{}
	for _, add := range added {
		value = add
		path := basePath
		if first {
			// The pod has no containers yet, so the array does not exist: the first
			// operation must create it, with this container as its only element.
			first = false
			value = []corev1.Container{add}
		} else {
			// The array exists: "/-" is the JSON Pointer for "append after the last element".
			path = path + "/-"
		}
		patch = append(patch, patchOperation{
			Op:    "add",
			Path:  path,
			Value: value,
		})
	}
	return patch
}

Thanks for your help!
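To make the two branches of that loop concrete, here is an added, self-contained Go example (not code from the tutorial or this repo) that reimplements addContainer against a constructed stand-in Container type and then replays the resulting operations the way a JSON Patch consumer would; Container, applyAdd and the sample values are assumptions for the demo.

```go
package main

import "fmt"

// Container is a constructed stand-in for corev1.Container with only the fields the patch needs.
type Container struct {
	Name  string `json:"name"`
	Image string `json:"image"`
}
// patchOperation is one RFC 6902 JSON Patch operation, as the webhook returns it to the API server.
type patchOperation struct {
	Op    string      `json:"op"`
	Path  string      `json:"path"`
	Value interface{} `json:"value,omitempty"`
}
// addContainer follows the tutorial's function: with no containers at basePath yet the first op must create the whole array; later ops append one element each via "/-".
func addContainer(target, added []Container, basePath string) (patch []patchOperation) {
	first := len(target) == 0
	var value interface{}
	for _, add := range added {
		value = add
		path := basePath
		if first {
			first = false
			value = []Container{add} // "add" on a missing member needs the array itself
		} else {
			path = path + "/-" // JSON Pointer "-" means "after the last element"
		}
		patch = append(patch, patchOperation{Op: "add", Path: path, Value: value})
	}
	return patch
}
// applyAdd replays the ops the way the API server's JSON Patch handler would, rejecting a value shape that does not fit its path (only the two shapes addContainer emits are known).
func applyAdd(target []Container, patch []patchOperation, basePath string) ([]Container, error) {
	for _, op := range patch {
		switch v := op.Value.(type) {
		case []Container:
			if op.Path != basePath {
				return nil, fmt.Errorf("array value must target %q, got %q", basePath, op.Path)
			}
			target = v
		case Container:
			if op.Path != basePath+"/-" {
				return nil, fmt.Errorf("element value must target %s/-, got %q", basePath, op.Path)
			}
			target = append(target, v)
		}
	}
	return target, nil
}
```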

permission issue when injecting to the non-default namespace

Hello, I have followed the tutorial and managed to deploy and run an injected pod.
However, when I run the same deployment definition in a different namespace, it is unable to start the pod.
I have labeled the new namespace as instructed.

Are there any additional steps needed in order to inject pods in another namespace?

missing required field "signerName"

Hello,

As I'm using the newest Kubernetes version 1.22.0, I have to use the apiVersion certificates.k8s.io/v1 instead of certificates.k8s.io/v1beta1. After deployment of webhook-create-signed-cert.sh I got this failure:

error: error validating "STDIN": error validating data: ValidationError(CertificateSigningRequest.spec): missing required field "signerName" in io.k8s.api.certificates.v1.CertificateSigningRequestSpec; if you choose to ignore these errors, turn validation off with --validate=false

Can someone tell me which signerName has to be set?

Greetings

Daniel

init() function seems to have error

When I try to compile kube-mutating-webhook-tutorial/webhook.go I get an error that
_ = v1.AddToScheme(runtimeScheme)

does not exist

./webhook.go:70:20: cannot use runtimeScheme (type *"k8s.io/apimachinery/pkg/runtime".Scheme) as type *"k8s.io/kubernetes/vendor/k8s.io/apimachinery/pkg/runtime".Scheme in argument to "k8s.io/kubernetes/pkg/apis/core/v1".AddToScheme

When I comment out this line it seems to compile.

How do you approve the CA in the cluster

Hi!

I have been trying to replicate your code in Python and have reached a point where I managed to:

  1. create the certificates and a private key
  2. create the webhookconfiguration in the cluster

The problem I have is that the certificate is not recognized:

failed to call webhook: Post "...svc:443/mutate?timeout=10s": x509: certificate signed by unknown authority

Looking at your code, I cannot find how the self-signed certificate is made recognizable to kubernetes. I can see that:

There are 2 CA configs in the script and 2 certificates made. The first is passed to the webhook configuration and the second is used in the webserver together with the private key. I do not quite understand why this is enough for kubernetes to recognize the certificate signer. Isn't there supposed to be a Certificate Signing Request made?
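As an added example (not part of this issue or the project's scripts), the following Go program builds the kind of chain the issue describes, a private CA and a serving certificate signed by it, and then verifies the serving certificate against only that CA, which is the check kube-apiserver performs with the CA from caBundle; serviceDNS, buildChain and verifyLikeAPIServer are assumed names for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

const serviceDNS = "sidecar-injector-webhook-svc.sidecar-injector.svc" // assumed Service name kube-apiserver dials
// issue signs template with signer's key (self-signed when parent == template) and parses the DER result.
func issue(template, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, template, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
// buildChain makes a private CA (what belongs in caBundle) and a serving cert signed by it (what the webhook's TLS listener presents).
func buildChain() (ca, serving *x509.Certificate, err error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	srvKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "sidecar-injector CA"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	if ca, err = issue(caTmpl, caTmpl, &caKey.PublicKey, caKey); err != nil {
		return nil, nil, err
	}
	srvTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: serviceDNS},
		DNSNames: []string{serviceDNS}, // the SAN must match the name the API server dials
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour), ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	serving, err = issue(srvTmpl, ca, &srvKey.PublicKey, caKey)
	return ca, serving, err
}

// verifyLikeAPIServer reproduces the check behind "x509: certificate signed by unknown authority": only caBundle is trusted and the cert must be valid for dnsName.
func verifyLikeAPIServer(caBundle, serving *x509.Certificate, dnsName string) error {
	roots := x509.NewCertPool()
	roots.AddCert(caBundle)
	_, err := serving.Verify(x509.VerifyOptions{Roots: roots, DNSName: dnsName})
	return err
}
```

A serving certificate signed by a CA other than the one in caBundle fails exactly as in the error quoted above, which is why the CA certificate and the serving certificate must come from the same chain.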

webhook-patch-ca-bundle.sh

I ran the webhook-patch-ca-bundle.sh script to replace ${CA_BUNDLE}. On running kubectl create for mutatingwebhook-ca-bundle.yaml, I get the following error:

error validating "deployment/mutatingwebhook-ca-bundle.yaml": error validating data: ValidationError(MutatingWebhookConfiguration.webhooks[0].clientConfig.caBundle): invalid type for io.k8s.api.admissionregistration.v1beta1.WebhookClientConfig.caBundle: got "array", expected "string"; if you choose to ignore these errors, turn validation off with --validate=false

When I manually replaced the ${CA_BUNDLE} with the output of (kubectl get configmap -n kube-system extension-apiserver-authentication -o=jsonpath='{.data.client-ca-file}' | base64 | tr -d '\n'), it seems to be fine.

Multiple replicas wouldn't work as MutatingWebhook has only one instance

Positive result: the injector pod is mapped to mutatingwebhookconfiguration.admissionregistration.k8s.io/sidecar-injector-webhook

However, when I increase the replicas to 2, the mutatingwebhook maps to ONLY one of the pod instances. As a result, any sidecar injection using the other pod will fail. Is this a known issue? Do you have any suggestions?

cmd/go: unsupported GOOS/GOARCH pair linux/aarch64

I am trying to make build-image on ARM instance and I get

# make build-image
Building the tcp-health binary for Docker (linux) aarch64 ...
cmd/go: unsupported GOOS/GOARCH pair linux/aarch64
make: *** [build-linux] Error 2

Golang is installed so I am not sure what else is needed.

# go version
go version go1.15.14 linux/arm64

getting error during build

/opt/mytempwork/sidecar/kube-mutating-webhook-tutorial-master is not within a known GOPATH/src
# _/opt/mytempwork/sidecar/kube-mutating-webhook-tutorial-master
./webhook.go:70:20: cannot use runtimeScheme (type *"k8s.io/apimachinery/pkg/runtime".Scheme) as type *"k8s.io/kubernetes/vendor/k8s.io/apimachinery/pkg/runtime".Scheme in argument to "k8s.io/kubernetes/pkg/apis/core/v1".AddToScheme
Sending build context to Docker daemon  285.7kB
Step 1/3 : FROM alpine:latest
latest: Pulling from library/alpine
9d48c3bd43c5: Pull complete
Digest: sha256:72c42ed48c3a2db31b7dafe17d275b634664a708d901ec9fd57b1529280f01fb
Status: Downloaded newer image for alpine:latest
 ---> 961769676411
Step 2/3 : ADD kube-mutating-webhook-tutorial /kube-mutating-webhook-tutorial
ADD failed: stat /var/lib/docker/tmp/docker-builder643695243/kube-mutating-webhook-tutorial: no such file or directory
