Skip to content
An admission webhook that prevents the creation of specified namespaces
Branch: master
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Type Name Latest commit message Commit time
Failed to load latest commit information.


An admission webhook that prevents the creation of specified namespaces

Installation on Kubernetes 1.9+

  1. make sure to have at least Kubernetes 1.9, kubectl is working and that jq is installed
  2. clone this repo
  3. make build-image push-image REPO=<your-docker-username>/namespace-reservation-server
  4. adapt the namespace-reservation-server image in artifacts/kube-install/apiserver-list.yaml.template to your chosen Docker REPO.
  5. hack/, compare

Then test the setup:

  1. kubectl create -f artifacts/example/reserve-deads.yaml will reserve the deads namespace, compare reserve-deads.yaml.
  2. kubectl create namespace deads should produce "Error from server (Forbidden): "deads" is reserved"


The webhook is deployed as DaemonSet server in the namespace openshift-namespace-reservation. In a real cluster this is to be restricted to the master nodes. The server pods get a TLS key and cert injected by the secret server-serving-cert, self-signed by a local CA.

In front of the DaemonSet pods is a service named server in the same namespace.

The webhook is an API server itself. An APIService object named makes the API group available within and outside of the cluster via API aggregation of kube-apiserver. The group can be reached at /apis/ of the kube-apiserver, i.e. via the kubernetes.default.svc service hostname inside the cluster.

There are numerous advantages to registering the webhook server as an aggregated API:

  • allows other kubernetes components to talk to the the admission webhook using the kubernetes.default.svc service
  • allows other kubernetes components to use their in-cluster credentials to communicate with the webhook
  • allows you to test the webhook using kubectl
  • allows you to govern access to the webhook using RBAC
  • prevents other extension API servers from leaking their service account tokens to the webhook

For more information, see:

The admission webhook is registered via a ValidatingWebhookConfiguration object. The webhook URL used for admission requests is https://kubernetes.default.svc/apis/, i.e. the kube-apiserver sends admission requests to itself. They are forwarded by the aggregator proxy code to the actual webhook service and finally reach the webhook server.


You can’t perform that action at this time.