Custom admission controller
Kubernetes lets us create our own custom admission controllers. A custom admission controller can be either mutating or validating.
Creating a custom admission controller involves:
- Setting up a webhook server that validates/mutates the request
- Configuring the admission webhook
We can set up the webhook server inside the Kubernetes cluster, or provide a link to a server running somewhere outside it.
We can configure the admission webhook as follows.
When the admission webhook server is running inside the cluster:
admission-webhook-mutation.yaml
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
  name: demo-webhook
webhooks:
  - name: webhook-server.webhook-demo.svc
    clientConfig:
      service:
        name: webhook-server
        namespace: webhook-demo
        path: "/mutate"
      caBundle: LS0tLS1CRUdJTiBDRVJUSUZJQ0...
    rules:
      - operations: [ "CREATE" ]
        apiGroups: [""]
        apiVersions: ["v1"]
        resources: ["pods"]
    admissionReviewVersions: ["v1beta1"]
    sideEffects: None
where clientConfig provides the settings for accessing the webhook server. In the above example, we provide the service name, its namespace and the path on the server.
When the admission webhook server is running somewhere else and is accessible via a URL:
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  name: demo-webhook
webhooks:
  - name: webhook-server.webhook-demo.svc
    clientConfig:
      url: https://external-server.com
    rules:
      - operations: [ "CREATE" ]
        apiGroups: [""]
        apiVersions: ["v1"]
        resources: ["pods"]
    admissionReviewVersions: ["v1beta1"]
    sideEffects: None
The webhook server can be implemented in any programming language. It exposes endpoints to validate and mutate the request. Kubernetes then uses the validating and mutating webhook configurations to send the request to the webhook server and proceed with the request.
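The validating side of the exchange described above, as an added example that is not part of the original page: the API server POSTs an AdmissionReview and the webhook answers with the same `uid` and an `allowed` decision. The policy (deny privileged containers), port 8443 and the certificate file arguments are assumptions made for illustration.

```python
import json
import ssl
import sys
from http.server import BaseHTTPRequestHandler, HTTPServer


def review(body: bytes) -> dict:
    """Return the AdmissionReview reply (assumed policy: no privileged containers)."""
    req = json.loads(body)
    spec = (req["request"].get("object") or {}).get("spec") or {}
    # Init and ephemeral containers can be privileged too, so check all three lists.
    containers = [c for key in ("containers", "initContainers", "ephemeralContainers")
                  for c in spec.get(key) or []]
    bad = [c.get("name", "?") for c in containers
           if (c.get("securityContext") or {}).get("privileged") is True]
    response = {"uid": req["request"]["uid"], "allowed": not bad}
    if bad:
        response["status"] = {"code": 403, "message": "privileged: " + ", ".join(bad)}
    # Echo apiVersion so the reply matches the version the API server sent.
    return {"apiVersion": req["apiVersion"], "kind": "AdmissionReview", "response": response}


class Handler(BaseHTTPRequestHandler):
    def do_POST(self):
        try:
            body = self.rfile.read(int(self.headers.get("Content-Length", 0)))
            out = json.dumps(review(body)).encode()
        except (KeyError, ValueError, TypeError, AttributeError):
            return self.send_error(400, "malformed AdmissionReview")
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(out)))
        self.end_headers()
        self.wfile.write(out)


# Constructed sample of a Pod CREATE review (not a captured request).
SAMPLE = json.dumps({"apiVersion": "admission.k8s.io/v1beta1", "kind": "AdmissionReview",
    "request": {"uid": "sample-uid-0001", "operation": "CREATE", "object": {"spec": {
        "containers": [{"name": "app"}],
        "initContainers": [{"name": "setup", "securityContext": {"privileged": True}}]}}}}).encode()

if __name__ == "__main__":
    print(review(SAMPLE)["response"])
    if len(sys.argv) == 3:  # usage: server.py tls.crt tls.key (assumed file names)
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        ctx.load_cert_chain(sys.argv[1], sys.argv[2])
        srv = HTTPServer(("", 8443), Handler)  # port 8443 is an assumption
        srv.socket = ctx.wrap_socket(srv.socket, server_side=True)
        srv.serve_forever()
```

The API server only calls webhooks over HTTPS, and for the in-cluster configuration it verifies the serving certificate against the `caBundle` given in `clientConfig`.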
Note
I have not tried it practically; it is totally theoretical knowledge.