Skip to content
An admission webhook that prevents the creation of specified namespaces
Branch: master
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
artifacts
cmd/namespacereservationserver
hack
vendor
.gitignore
.travis.yml
LICENSE
Makefile
README.md
glide.lock
glide.yaml

README.md

kubernetes-namespace-reservation

An admission webhook that prevents the creation of specified namespaces

Installation on Kubernetes 1.9+

  1. make sure to have at least Kubernetes 1.9, kubectl is working and that jq is installed
  2. clone this repo
  3. make build-image push-image REPO=<your-docker-username>/namespace-reservation-server
  4. adapt the namespace-reservation-server image in artifacts/kube-install/apiserver-list.yaml.template to your chosen Docker REPO.
  5. hack/install-kube.sh, compare install-kube.sh

Then test the setup:

  1. kubectl create -f artifacts/example/reserve-deads.yaml will reserve the deads namespace, compare reserve-deads.yaml.
  2. kubectl create namespace deads should produce "Error from server (Forbidden): "deads" is reserved"

Topology

The webhook is deployed as DaemonSet server in the namespace openshift-namespace-reservation. In a real cluster this is to be restricted to the master nodes. The server pods get a TLS key and cert injected by the secret server-serving-cert, self-signed by a local CA.

In front of the DaemonSet pods is a service named server in the same namespace.

The webhook is an API server itself. An APIService object named v1beta1.admission.online.openshift.io makes the API group v1beta1.admission.online.openshift.io/v1beta1 available within and outside of the cluster via API aggregation of kube-apiserver. The group can be reached at /apis/admission.online.openshift.io/v1beta1/namespacereservations of the kube-apiserver, i.e. via the kubernetes.default.svc service hostname inside the cluster.

There are numerous advantages to registering the webhook server as an aggregated API:

  • allows other kubernetes components to talk to the the admission webhook using the kubernetes.default.svc service
  • allows other kubernetes components to use their in-cluster credentials to communicate with the webhook
  • allows you to test the webhook using kubectl
  • allows you to govern access to the webhook using RBAC
  • prevents other extension API servers from leaking their service account tokens to the webhook

For more information, see: https://kubernetes.io/blog/2018/01/extensible-admission-is-beta

The admission webhook is registered via a ValidatingWebhookConfiguration object. The webhook URL used for admission requests is https://kubernetes.default.svc/apis/admission.online.openshift.io/v1beta1/namespacereservations, i.e. the kube-apiserver sends admission requests to itself. They are forwarded by the aggregator proxy code to the actual webhook service and finally reach the webhook server.

Trust

You can’t perform that action at this time.