An Admission Webhook is an admission controller in Kubernetes. It intercepts API requests inside the apiserver and then applies specific processing to them. That processing comes in two forms:
- Mutating: modifies the object carried in the API request;
- Validating: validates the object carried in the API request; if validation fails, the request is rejected and returned to the client immediately, and processing does not continue;
The apiserver provides an extension mechanism for admission webhooks: users can write their own webhook and register it with the apiserver, after which it takes part in request processing.
I. Architecture of the Admission Webhook
An API request goes through the following stages inside the apiserver:
- Authentication: usually the client presents a certificate;
- Authorization: checks whether the client is permitted to operate on the requested resource, implemented with RBAC;
- MutatingAdmission:
  - modifies the incoming resource object;
  - users can register custom webhooks here;
- Schema Validation: validates the schema of the incoming object;
- ValidatingAdmission:
  - validates the incoming resource object; if validation fails, the request is returned to the client immediately;
  - users can register custom webhooks here;
- Finally, the object is persisted to etcd;
A user-defined webhook is normally run as a Deployment together with a matching Service. When the webhook is registered with the apiserver, the Service name and the URL path to reach it are supplied, so the apiserver can call into the custom webhook's logic.
The communication interface between the apiserver and the webhook is the /api/admission/v1/AdmissionReview structure.
II. Structure of AdmissionReview
The apiserver and the custom webhook talk over HTTP, and both the request and the response are the /api/admission/v1/AdmissionReview structure. In other words:
- when handling the HTTP request, the custom webhook must deserialize the request body into an AdmissionReview structure;
- when sending the HTTP response, the custom webhook must build an AdmissionReview structure, serialize it, and send it back;
The AdmissionReview structure contains both the Request and the Response:
```go
// AdmissionReview describes an admission review request/response.
type AdmissionReview struct {
	metav1.TypeMeta `json:",inline"`
	// Request describes the attributes for the admission request.
	// +optional
	Request *AdmissionRequest `json:"request,omitempty" protobuf:"bytes,1,opt,name=request"`
	// Response describes the attributes for the admission response.
	// +optional
	Response *AdmissionResponse `json:"response,omitempty" protobuf:"bytes,2,opt,name=response"`
}
```
1. Request: AdmissionRequest
AdmissionRequest wraps the request that was sent to the apiserver, including the Deploy/Service/Pod object being created, updated, or deleted, for example:
```json
{
  "apiVersion": "admission.k8s.io/v1",
  "kind": "AdmissionReview",
  "request": {
    # Random uid uniquely identifying this admission call
    "uid": <random uid>,
    ...
    "object": {"apiVersion":"v1","kind":"Pod",...},
    ...
  }
}
```
2. Response: AdmissionResponse
AdmissionResponse wraps the outcome of admission control:
- for Mutating: it must return the patch that modifies the object;
- for Validating: it must return the validation result for the object; if validation fails, it must also carry an error message (errMsg);
For example, a Mutating AdmissionResponse:
```json
{
  "apiVersion": "admission.k8s.io/v1",
  "kind": "AdmissionReview",
  "response": {
    "uid": "<value from request.uid>",
    "allowed": true/false,
    "status": {
      "code": <optional http status code, ex: 200/403>,
      "message": "optional message"
    },
    "patchType": "JSONPatch",
    "patch": <base64 encoded JSON patch>
  }
}
```
For example, a Validating AdmissionResponse:
```json
{
  "apiVersion": "admission.k8s.io/v1",
  "kind": "AdmissionReview",
  "response": {
    "uid": "<value from request.uid>",
    "allowed": true/false,
    "status": {
      "code": <optional http status code, ex: 200/403>,
      "message": "optional message"
    }
  }
}
```
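As an added example that is not part of the original post, the core of a Mutating webhook handler in Go, covering both the deserialize/serialize contract at the start of this section and the patch-carrying response above: it decodes the AdmissionReview, echoes request.uid, and returns a base64-encoded JSONPatch, including the case where the object has no labels map yet. The AdmissionReview types are a hand-written subset of admission.k8s.io/v1 (an assumption for this example; a real webhook would import k8s.io/api/admission/v1), and the label "mutated-by" and its value are constructed.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// Hand-written mirror of the admission.k8s.io/v1 AdmissionReview fields used here (assumption; real types: k8s.io/api).
type AdmissionReview struct {
	APIVersion string             `json:"apiVersion"`
	Kind       string             `json:"kind"`
	Request    *AdmissionRequest  `json:"request,omitempty"`
	Response   *AdmissionResponse `json:"response,omitempty"`
}
type AdmissionRequest struct {
	UID    string          `json:"uid"`
	Object json.RawMessage `json:"object"`
}
type AdmissionResponse struct {
	UID       string `json:"uid"`
	Allowed   bool   `json:"allowed"`
	PatchType string `json:"patchType,omitempty"`
	Patch     string `json:"patch,omitempty"` // base64-encoded JSON patch
}

// Mutate deserializes the AdmissionReview the apiserver POSTs, builds a JSONPatch that
// adds a "mutated-by" label to request.object, and returns the reply with request.uid
// echoed (the HTTP handler json.Marshals it). Undecodable input is an error, so the
// handler answers 4xx rather than "allowed" for a request it never actually read.
func Mutate(body []byte) (*AdmissionReview, error) {
	var in AdmissionReview
	if err := json.Unmarshal(body, &in); err != nil || in.Request == nil {
		return nil, fmt.Errorf("invalid or empty AdmissionReview: %v", err)
	}
	var obj struct {
		Metadata struct{ Labels map[string]string `json:"labels"` } `json:"metadata"`
	}
	if err := json.Unmarshal(in.Request.Object, &obj); err != nil {
		return nil, fmt.Errorf("decode request.object: %w", err)
	}
	// JSON Patch "add" needs an existing parent: create the labels map when it is absent.
	op := map[string]interface{}{"op": "add", "path": "/metadata/labels/mutated-by", "value": "admission-webhook-example"}
	if obj.Metadata.Labels == nil {
		op["path"], op["value"] = "/metadata/labels", map[string]string{"mutated-by": "admission-webhook-example"}
	}
	raw, _ := json.Marshal([]map[string]interface{}{op})
	resp := &AdmissionResponse{UID: in.Request.UID, Allowed: true, PatchType: "JSONPatch",
		Patch: base64.StdEncoding.EncodeToString(raw)}
	return &AdmissionReview{APIVersion: "admission.k8s.io/v1", Kind: "AdmissionReview", Response: resp}, nil
}
```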
III. Registering the webhook with the apiserver
A webhook only takes effect once it has been registered with the apiserver.
When registering the webhook, you must tell the apiserver:
- the name and namespace of the webhook's Service;
- the webhook's URL path;
- the selection rules for the target objects the webhook acts on;
- the target resources and operations the webhook handles;
For Mutating, registration is described by the MutatingWebhookConfiguration resource type; creating that resource object is what registers the webhook, for example:
```yaml
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
  name: mutating-webhook-example-cfg
  labels:
    app: admission-webhook-example
webhooks:
  - name: mutating-example.com
    clientConfig:
      service:                  # the webhook's Service
        name: admission-webhook-example-svc
        namespace: default
        path: "/mutate"         # the webhook's URL path
      caBundle: ${CA_BUNDLE}    # CA that signed the webhook's serving certificate
    rules:                      # resources and operations handled
      - operations: ["CREATE"]
        apiGroups: ["apps", ""]
        apiVersions: ["v1"]
        resources: ["deployments","services"]
    namespaceSelector:          # selection rule for target objects
      matchLabels:
        admission-webhook-example: enabled
    admissionReviewVersions: ["v1"]   # required in the v1 API
    sideEffects: None                 # required in the v1 API
```
For Validating, registration is described by the ValidatingWebhookConfiguration resource type; creating that resource object is what registers the webhook:
```yaml
apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingWebhookConfiguration
metadata:
  name: validation-webhook-example-cfg
  labels:
    app: admission-webhook-example
webhooks:
  - name: validating-example.com
    clientConfig:
      service:                  # the webhook's Service
        name: admission-webhook-example-svc
        namespace: default
        path: "/validate"       # the webhook's URL path
      caBundle: ${CA_BUNDLE}    # CA that signed the webhook's serving certificate
    rules:                      # resources and operations handled
      - operations: ["CREATE"]
        apiGroups: ["apps", ""]
        apiVersions: ["v1"]
        resources: ["deployments","services"]
    namespaceSelector:          # selection rule for target objects
      matchLabels:
        admission-webhook-example: enabled
```