Admission webhooks are admission controllers in Kubernetes: they intercept an API request inside the apiserver, after authentication and authorization, and apply one of two treatments to it:
- Mutating: modify the object carried in the API request;
- Validating: check the object carried in the API request; if the check fails, the request is rejected and the error is returned to the client directly, and the request goes no further;
The apiserver provides an extension mechanism for admission webhooks: a user writes a custom webhook, registers it with the apiserver, and from then on it takes part in admission.
I. Architecture of admission webhooks
The stages an API request passes through in the apiserver, in order:
- Authentication: the client proves who it is, typically with a client certificate or a bearer token;
- Authorization: checks whether the client is allowed to perform the operation on that resource, implemented with RBAC;
- MutatingAdmission:
  - modifies the incoming resource object;
  - users can register custom mutating webhooks here;
- Schema validation: the (possibly mutated) object is checked against the resource's schema;
- ValidatingAdmission:
  - checks the incoming resource object; if the check fails, the request is rejected and returned to the client;
  - users can register custom validating webhooks here;
- Finally, the object is written to etcd.
Because mutation runs first, a validating webhook always sees the object after every mutating webhook has run. A security policy therefore belongs in a validating webhook: a fix applied by a mutating webhook can be undone by a later mutating webhook, whereas validation is the last gate before the object is persisted.
A custom webhook is usually deployed as a Deployment with a Service in front of it. When the webhook is registered with the apiserver, the registration names that Service and the URL path to call, and the apiserver then invokes the webhook's logic for every matching request. The apiserver calls webhooks over HTTPS only, so the webhook must serve TLS with a certificate the apiserver can verify (this is what caBundle in the registration is for; see section III).
The interface between the apiserver and the webhook is the AdmissionReview object of the admission.k8s.io/v1 API group, sent as the JSON body of an HTTP POST.
II. Structure of AdmissionReview
The apiserver and the custom webhook talk over HTTP(S). Both the request body and the response body are an admission.k8s.io/v1 AdmissionReview object, which means:
- when handling the HTTP request, the webhook must deserialize the request body into an AdmissionReview;
- when sending the HTTP response, the webhook must build an AdmissionReview, serialize it to JSON and return it;
The AdmissionReview structure contains both the Request and the Response:
// AdmissionReview describes an admission review request/response.
type AdmissionReview struct {
	metav1.TypeMeta `json:",inline"`
	// Request describes the attributes for the admission request.
	// +optional
	Request *AdmissionRequest `json:"request,omitempty" protobuf:"bytes,1,opt,name=request"`
	// Response describes the attributes for the admission response.
	// +optional
	Response *AdmissionResponse `json:"response,omitempty" protobuf:"bytes,2,opt,name=response"`
}
1. Request: AdmissionRequest
AdmissionRequest wraps the request that was sent to the apiserver: the operation (CREATE, UPDATE, DELETE or CONNECT), the requesting user, and the Deployment/Service/Pod being created or updated in object. For UPDATE the previous version is in oldObject; for DELETE object is null and only oldObject is set, so a webhook that reads object unconditionally breaks on deletes. For example:
{
  "apiVersion": "admission.k8s.io/v1",
  "kind": "AdmissionReview",
  "request": {
    # Random uid uniquely identifying this admission call
    "uid": <random uid>,
    ...
    "object": {"apiVersion":"v1","kind":"Pod",...},
    ...
  }
}
2. Response: AdmissionResponse
AdmissionResponse carries the result of admission control:
- for Mutating: return the patch that modifies the object (a JSON Patch, base64-encoded, with patchType set to JSONPatch);
- for Validating: return the verdict in allowed; on failure also return the error message in status.message, which is what the client sees;
In both cases response.uid must repeat request.uid, otherwise the apiserver treats the reply as invalid. A denial is a normal HTTP 200 reply with allowed set to false; an HTTP error or a timeout from the webhook is instead a webhook failure, handled according to the registration's failurePolicy (section III).
For example, a Mutating AdmissionResponse:
{
  "apiVersion": "admission.k8s.io/v1",
  "kind": "AdmissionReview",
  "response": {
    "uid": "<value from request.uid>",
    "allowed": true/false,
    "status": {
      "code": <optional http status code, ex: 200/403>,
      "message": "optional message"
    },
    "patchType": "JSONPatch",
    "patch": <base64 encoded JSON patch>
  }
}
For example, a Validating AdmissionResponse:
{
  "apiVersion": "admission.k8s.io/v1",
  "kind": "AdmissionReview",
  "response": {
    "uid": "<value from request.uid>",
    "allowed": true/false,
    "status": {
      "code": <optional http status code, ex: 200/403>,
      "message": "optional message"
    }
  }
}
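The request and response halves described above, in working code. This is an added example, not code from the original post or from any project it cites: a minimal webhook server that decodes the AdmissionReview it is POSTed, answers /mutate with a JSON Patch that adds a label, and answers /validate by denying any pod template that asks for a privileged container. The types are a hand-written subset of admission.k8s.io/v1 (real code would import k8s.io/api/admission/v1); the label key, the privileged-container policy, the 1 MiB body limit and the tls.crt/tls.key file names are assumptions.

```go
package main

import (
	"encoding/json"
	"net/http"
)

// Hand-written subset of the admission.k8s.io/v1 types (assumption: real code imports k8s.io/api/admission/v1; JSON names match it).
type AdmissionReview struct {
	APIVersion string             `json:"apiVersion"`
	Kind       string             `json:"kind"`
	Request    *AdmissionRequest  `json:"request,omitempty"`
	Response   *AdmissionResponse `json:"response,omitempty"`
}
type AdmissionRequest struct {
	UID    string          `json:"uid"`
	Object json.RawMessage `json:"object"` // the Deployment/Service/Pod being admitted (null on DELETE)
}
type AdmissionResponse struct {
	UID       string  `json:"uid"`                 // must echo request.uid
	Allowed   bool    `json:"allowed"`
	Status    *Status `json:"status,omitempty"`    // reason the client sees on denial
	PatchType string  `json:"patchType,omitempty"` // only "JSONPatch" is defined
	Patch     []byte  `json:"patch,omitempty"`     // encoding/json writes []byte as base64
}
type Status struct {
	Code    int    `json:"code,omitempty"`
	Message string `json:"message,omitempty"`
}
// objectSubset is only what the policies read; it fits a Deployment (pod template) and a Service (no template).
type container struct {
	Name            string                                        `json:"name"`
	SecurityContext struct{ Privileged bool `json:"privileged"` } `json:"securityContext"`
}
type objectSubset struct {
	Metadata struct{ Labels map[string]string `json:"labels"` } `json:"metadata"`
	Spec     struct {
		Template struct {
			Spec struct{ Containers []container `json:"containers"` } `json:"spec"`
		} `json:"template"`
	} `json:"spec"`
}

func deny(uid string, code int, msg string) *AdmissionResponse {
	return &AdmissionResponse{UID: uid, Allowed: false, Status: &Status{Code: code, Message: msg}}
}

// Mutate ensures the object carries the label admission-webhook-example; the change goes back as an RFC 6902 JSON Patch.
func Mutate(req *AdmissionRequest) *AdmissionResponse {
	var obj objectSubset
	if err := json.Unmarshal(req.Object, &obj); err != nil {
		return deny(req.UID, 400, "object is not valid JSON: "+err.Error())
	}
	if _, ok := obj.Metadata.Labels["admission-webhook-example"]; ok {
		return &AdmissionResponse{UID: req.UID, Allowed: true} // already labelled: allow, no patch
	}
	var ops []map[string]any
	if obj.Metadata.Labels == nil {
		// JSON Patch "add" needs the parent path to exist, so create the labels map first.
		ops = append(ops, map[string]any{"op": "add", "path": "/metadata/labels", "value": map[string]string{}})
	}
	ops = append(ops, map[string]any{"op": "add", "path": "/metadata/labels/admission-webhook-example", "value": "mutated"})
	patch, _ := json.Marshal(ops)
	return &AdmissionResponse{UID: req.UID, Allowed: true, PatchType: "JSONPatch", Patch: patch}
}
// Validate rejects any pod template that asks for a privileged container.
func Validate(req *AdmissionRequest) *AdmissionResponse {
	var obj objectSubset
	if err := json.Unmarshal(req.Object, &obj); err != nil {
		return deny(req.UID, 400, "object is not valid JSON: "+err.Error())
	}
	for _, c := range obj.Spec.Template.Spec.Containers {
		if c.SecurityContext.Privileged {
			return deny(req.UID, 403, "container "+c.Name+" must not be privileged")
		}
	}
	return &AdmissionResponse{UID: req.UID, Allowed: true}
}

// serve wraps a policy in the AdmissionReview envelope the apiserver expects.
func serve(policy func(*AdmissionRequest) *AdmissionResponse) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		var rev AdmissionReview
		if err := json.NewDecoder(http.MaxBytesReader(w, r.Body, 1<<20)).Decode(&rev); err != nil || rev.Request == nil {
			http.Error(w, "expected an AdmissionReview with a request", http.StatusBadRequest)
			return
		}
		w.Header().Set("Content-Type", "application/json")
		json.NewEncoder(w).Encode(AdmissionReview{APIVersion: "admission.k8s.io/v1", Kind: "AdmissionReview", Response: policy(rev.Request)})
	}
}
// Handler exposes the two paths that clientConfig.service.path in the webhook configurations points at.
func Handler() http.Handler {
	mux := http.NewServeMux()
	mux.HandleFunc("/mutate", serve(Mutate))
	mux.HandleFunc("/validate", serve(Validate))
	return mux
}

func main() { // the apiserver only speaks HTTPS to webhooks; the file names are assumptions
	panic(http.ListenAndServeTLS(":8443", "tls.crt", "tls.key", Handler()))
}
```

Deployed behind the admission-webhook-example-svc Service, /mutate and /validate are the paths the two configurations in section III point at. Three details matter for correctness: the response always echoes request.uid; a denial is a normal HTTP 200 with allowed set to false and the reason in status.message; and a body that is not an AdmissionReview gets an HTTP 400, which the apiserver counts as a webhook failure and resolves through failurePolicy rather than as a deny.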
III. Registering the webhook with the apiserver
A webhook only takes effect once it has been registered with the apiserver.
When registering the webhook, the apiserver needs to be told:
- the name and namespace of the webhook's Service;
- the webhook's URL path;
- the selector that picks the objects the webhook applies to (namespaceSelector, and optionally objectSelector);
- the target resources and the operations on them (rules);
Two further fields decide what happens when the webhook cannot answer: failurePolicy (Fail, the v1 default, rejects the request when the webhook is unreachable or returns an error; Ignore admits it, which turns a validating policy into a best-effort check that a crashed or deleted webhook pod silently bypasses) and timeoutSeconds (10 seconds by default in v1). Scope the webhook with rules and namespaceSelector rather than matching everything: a webhook that intercepts kube-system or its own namespace can stop the cluster, and the webhook itself, from recovering while its pod is down.
For Mutating, the registration is described by the MutatingWebhookConfiguration resource type; creating that object is the registration. In admissionregistration.k8s.io/v1 the fields admissionReviewVersions and sideEffects are required, so they are included below. For example:
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
  name: mutating-webhook-example-cfg
  labels:
    app: admission-webhook-example
webhooks:
  - name: mutating-example.com
    clientConfig:
      service:                              # the webhook's svc
        name: admission-webhook-example-svc
        namespace: default
        path: "/mutate"                     # the webhook's url path
      caBundle: ${CA_BUNDLE}                # base64 PEM of the CA that signed the webhook's serving certificate
    rules:                                  # resources and operations to intercept
      - operations: [ "CREATE" ]
        apiGroups: ["apps", ""]
        apiVersions: ["v1"]
        resources: ["deployments","services"]
    namespaceSelector:                      # selects the target objects
      matchLabels:
        admission-webhook-example: enabled
    admissionReviewVersions: ["v1"]         # required in v1
    sideEffects: None                       # required in v1
For Validating, the registration is described by the ValidatingWebhookConfiguration resource type, also in admissionregistration.k8s.io/v1 (the v1beta1 version of this API is no longer served since Kubernetes 1.22); creating that object is the registration:
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  name: validation-webhook-example-cfg
  labels:
    app: admission-webhook-example
webhooks:
  - name: validating-example.com
    clientConfig:
      service:                              # the webhook's svc
        name: admission-webhook-example-svc
        namespace: default
        path: "/validate"                   # the webhook's url path
      caBundle: ${CA_BUNDLE}                # base64 PEM of the CA that signed the webhook's serving certificate
    rules:                                  # resources and operations to intercept
      - operations: [ "CREATE" ]
        apiGroups: ["apps", ""]
        apiVersions: ["v1"]
        resources: ["deployments","services"]
    namespaceSelector:                      # selects the target objects
      matchLabels:
        admission-webhook-example: enabled
    admissionReviewVersions: ["v1"]         # required in v1
    sideEffects: None                       # required in v1
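caBundle ties the registration to the webhook's TLS identity: the apiserver checks the webhook's serving certificate against the CA in caBundle and checks that it is valid for the name <service>.<namespace>.svc. The following added example (not code from the original post or any project it cites) generates a private CA and a serving certificate carrying that name as a SAN with Go's crypto/x509, produces the base64 PEM value to paste into caBundle, and repeats the apiserver's check. Assumptions: the service name and namespace from the configurations above, cluster.local as the cluster domain, a one-year validity, and P-256 keys.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)
// WebhookPKI is a private CA, whose certificate becomes clientConfig.caBundle, plus the serving identity of the webhook pod.
type WebhookPKI struct {
	CABundle      string            // base64(PEM CA certificate): the value to paste into caBundle
	ServerCertPEM []byte            // mounted as tls.crt in the webhook pod
	ServerDER     []byte            // the same certificate in DER, as the TLS handshake carries it
	ServerKey     *ecdsa.PrivateKey // x509.MarshalECPrivateKey + a PEM "EC PRIVATE KEY" block gives tls.key
}
// ServiceDNSName is the name the apiserver connects to when clientConfig.service is set; the cert must list it as a SAN.
func ServiceDNSName(svc, ns string) string { return svc + "." + ns + ".svc" }
func NewWebhookPKI(svc, ns string) (*WebhookPKI, error) {
	notBefore, notAfter := time.Now().Add(-time.Hour), time.Now().AddDate(1, 0, 0) // one-year validity is an assumption
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "admission-webhook-example-ca"},
		NotBefore:             notBefore,
		NotAfter:              notAfter,
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	caCert, err := x509.ParseCertificate(caDER)
	if err != nil {
		return nil, err
	}
	srvKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	srvTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		// No CommonName on purpose: Go's TLS client (Go 1.15+, hence the apiserver) matches SANs only. "cluster.local" is an assumption.
		DNSNames:    []string{ServiceDNSName(svc, ns), ServiceDNSName(svc, ns) + ".cluster.local"},
		NotBefore:   notBefore,
		NotAfter:    notAfter,
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	srvDER, err := x509.CreateCertificate(rand.Reader, srvTmpl, caCert, &srvKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	caPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: caDER})
	return &WebhookPKI{
		CABundle:      base64.StdEncoding.EncodeToString(caPEM),
		ServerCertPEM: pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: srvDER}),
		ServerDER:     srvDER,
		ServerKey:     srvKey,
	}, nil
}
// Verify repeats the check the apiserver makes before it trusts a webhook: the serving
// certificate must chain to a CA in caBundle and be valid for the name being connected to.
func (p *WebhookPKI) Verify(dnsName string) error {
	caPEM, err := base64.StdEncoding.DecodeString(p.CABundle)
	if err != nil {
		return err
	}
	roots := x509.NewCertPool()
	if !roots.AppendCertsFromPEM(caPEM) {
		return fmt.Errorf("caBundle holds no PEM certificate")
	}
	cert, err := x509.ParseCertificate(p.ServerDER)
	if err != nil {
		return err
	}
	_, err = cert.Verify(x509.VerifyOptions{DNSName: dnsName, Roots: roots})
	return err
}

func main() {
	pki, err := NewWebhookPKI("admission-webhook-example-svc", "default")
	if err != nil {
		panic(err)
	}
	fmt.Println(pki.CABundle) // paste this value as clientConfig.caBundle
}
```

Verify fails for a name that is not in the SAN list and for a serving certificate signed by a CA other than the one in caBundle; these two mismatches are behind most "x509: certificate signed by unknown authority" and "x509: certificate is valid for ..., not ..." errors the apiserver logs after a webhook is registered. The serving key and certificate go into a Secret mounted as tls.key and tls.crt in the webhook pod; the CA private key is only needed when the serving certificate is renewed.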
References:
1. https://www.qikqiak.com/post/k8s-admission-webhook/
2. The AdmissionReview structure: https://github.com/kubernetes/api/blob/master/admission/v1/types.go