add webhook with cert-manager issued certificate
1 parent 4499505, commit df3d397
Showing 10 changed files with 211 additions and 479 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,77 @@ | ||
# Webhook | ||
|
||
From Kube-OVN v1.9.0, webhook is added back. The most important thing for webhook is ip address conflict and subnet cidr validating. | ||
|
||
## Pre-request | ||
|
||
- Kube-OVN without webhook | ||
- Cert-Manager | ||
|
||
## Cert-Manager installation | ||
|
||
The webhook needs https, so we use cert-manager here to generate the certificate. Normally cert-manager doesn't use `hostNetwork`, so it needs CNI to allocate IP addresses. As a result, we should install Kube-OVN, cert-manager before webhook. | ||
|
||
You can use the command downside to install Cert-Manager | ||
|
||
`kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v1.6.1/cert-manager.yaml` | ||
|
||
And the help document refers to [cert-manager](https://cert-manager.io/docs/installation/). | ||
|
||
## Webhook installation | ||
The wehook has not been added to the `install.sh` script. So it should be installed manullay with the command `kubectl apply -f yamls/webhook.yaml`. | ||
|
||
After installation, you can find a pod in kube-system the same namespace as other pods. | ||
|
||
``` | ||
apple@bogon kube-ovn % kubectl get pod -n kube-system | ||
NAME READY STATUS RESTARTS AGE | ||
coredns-78fcd69978-k576h 1/1 Running 0 2d23h | ||
coredns-78fcd69978-m76xs 1/1 Running 0 2d23h | ||
etcd-kube-ovn-control-plane 1/1 Running 0 2d23h | ||
kube-apiserver-kube-ovn-control-plane 1/1 Running 0 2d23h | ||
kube-controller-manager-kube-ovn-control-plane 1/1 Running 0 2d23h | ||
kube-ovn-cni-kkgz4 1/1 Running 0 2d21h | ||
kube-ovn-cni-q4nf2 1/1 Running 0 2d21h | ||
kube-ovn-controller-7bd57d84d8-z94ck 1/1 Running 1 (2d3h ago) 2d21h | ||
kube-ovn-webhook-5bfccc66d-b8tzh 1/1 Running 0 30m | ||
. | ||
. | ||
. | ||
apple@bogon kube-ovn % | ||
``` | ||
|
||
## Test | ||
You can create a pod with static ip address `10.16.0.15`. | ||
``` | ||
apple@bogon ovn-test % kubectl get pod -o wide | ||
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES | ||
static-7584848b74-fw9dm 1/1 Running 0 2d13h 10.16.0.15 kube-ovn-worker <none> <none> | ||
apple@bogon ovn-test % | ||
``` | ||
|
||
And use the yaml downside to create another pod with same static ip address. | ||
``` | ||
apiVersion: v1 | ||
kind: Pod | ||
metadata: | ||
annotations: | ||
ovn.kubernetes.io/ip_address: 10.16.0.15 | ||
ovn.kubernetes.io/mac_address: 00:00:00:53:6B:B6 | ||
labels: | ||
app: static | ||
managedFields: | ||
name: staticip-pod | ||
namespace: default | ||
spec: | ||
containers: | ||
- image: qaimages:helloworld | ||
imagePullPolicy: IfNotPresent | ||
name: qatest | ||
``` | ||
|
||
As a result, this operation is denied by the webhook. | ||
``` | ||
apple@bogon ovn-test % kubectl apply -f pod-static.yaml | ||
Error from server (annotation ip address 10.16.0.15 is conflict with ip crd static-7584848b74-fw9dm.default 10.16.0.15): error when creating "pod-static.yaml": admission webhook "pod-ip-validaing.kube-ovn.io" denied the request: annotation ip address 10.16.0.15 is conflict with ip crd static-7584848b74-fw9dm.default 10.16.0.15 | ||
apple@bogon ovn-test % | ||
``` |
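Review bot: the admission webhook name shown in the denial output, `pod-ip-validaing.kube-ovn.io`, looks misspelled (`validaing`) and should be checked against the `ValidatingWebhookConfiguration` in `yamls/webhook.yaml`; the doc should match the name the cluster actually reports, otherwise operators grepping audit or apiserver logs for the documented name will miss the rejections. Two smaller points in the same hunk: the sample pod manifest under "## Test" carries an empty `managedFields:` key, which is leftover from a `kubectl get -o yaml` export and should be dropped; and the intro says the webhook's main job is IP conflict and subnet CIDR validation, but the test only exercises the duplicate-IP case, so a second example that creates a Subnet with an overlapping CIDR and shows it being denied would complete the coverage. Wording fixes for the prose: "Pre-request" should read "Prerequisites", "wehook" / "manullay" should read "webhook" / "manually", and "the command downside" / "the yaml downside" should read "the command below" / "the YAML below".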