An admission webhook that prevents the creation of specified namespaces
Switch branches/tags
Nothing to show
Clone or download
Latest commit a65f78e Jul 5, 2018


An admission webhook that prevents the creation of specified namespaces

Installation on Kubernetes 1.9+

  1. make sure to have at least Kubernetes 1.9, kubectl is working and that jq is installed
  2. clone this repo
  3. make build-image push-image REPO=<your-docker-username>/namespace-reservation-server
  4. adapt the namespace-reservation-server image in artifacts/kube-install/apiserver-list.yaml.template to your chosen Docker REPO.
  5. hack/, compare

Then test the setup:

  1. kubectl create -f artifacts/example/reserve-deads.yaml will reserve the deads namespace, compare reserve-deads.yaml.
  2. kubectl create namespace deads should produce "Error from server (Forbidden): "deads" is reserved"


The webhook is deployed as DaemonSet server in the namespace openshift-namespace-reservation. In a real cluster this is to be restricted to the master nodes. The server pods get a TLS key and cert injected by the secret server-serving-cert, self-signed by a local CA.

In front of the DaemonSet pods is a service named server in the same namespace.

The webhook is an API server itself. An APIService object named makes the API group available within and outside of the cluster via API aggregation of kube-apiserver. The group can be reached at /apis/ of the kube-apiserver, i.e. via the kubernetes.default.svc service hostname inside the cluster.

There are numerous advantages to registering the webhook server as an aggregated API:

  • allows other kubernetes components to talk to the the admission webhook using the kubernetes.default.svc service
  • allows other kubernetes components to use their in-cluster credentials to communicate with the webhook
  • allows you to test the webhook using kubectl
  • allows you to govern access to the webhook using RBAC
  • prevents other extension API servers from leaking their service account tokens to the webhook

For more information, see:

The admission webhook is registered via a ValidatingWebhookConfiguration object. The webhook URL used for admission requests is https://kubernetes.default.svc/apis/, i.e. the kube-apiserver sends admission requests to itself. They are forwarded by the aggregator proxy code to the actual webhook service and finally reach the webhook server.