Skip to content

zoetrope/namespaced-admission

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

30 Commits

.github/workflows

.github/workflows

 
 

api/v1

api/v1

 
 

cmd

cmd

 
 

config

config

 
 

controllers

controllers

 
 

hack

hack

 
 

hooks

hooks

 
 

pkg

pkg

 
 

.dockerignore

.dockerignore

 
 

.gitignore

.gitignore

 
 

Dockerfile

Dockerfile

 
 

Dockerfile.dummy

Dockerfile.dummy

 
 

LICENSE

LICENSE

 
 

Makefile

Makefile

 
 

PROJECT

PROJECT

 
 

README.md

README.md

 
 

go.mod

go.mod

 
 

go.sum

go.sum

 
 

version.go

version.go

 
 

Repository files navigation

CI PkgGoDev Go Report Card

Disclaimer: namespaced-admission is work in progress and not ready for production use.

namespaced-admission

namespaced-admission is a Kubernetes controller that allows tenant users to deploy Admission Webhook.

Concepts

In order to deploy AdmissionWebhook, we need to create ValidatingWebhookConfiguration or MutatingWebhookConfiguration resources. However, they are cluster-scoped resources, so tenant users cannot create them.

namespaced-admission provides namespace-scoped Custom Resources NamespacedValidatingWebhookConfiguration and NamespacedMutatingWebhookConfiguration. namespaced-admission can safely create ValidatingWebhookConfiguration and MutatingWebhookConfiguration from these resources.

These namespace-scoped resources are almost the same as cluster-scoped resources, but with the following limitations.

  • Cannot specify namespaceSelector.
  • The resources listed in rules must be accessible via the target webhook server.
  • The resources listed in rules must have a scope of Namespaced.

namespaceSelector will be automatically filled with conditions that match the "kubernetes.io/metadata.name" label assigned to the namespace of the custom resource. ("kubernetes.io/metadata.name" label is supported in Kubernetes 1.21 and later)

You can change the label key by using --target-label-key option. Please note the following to set this option up. (Accurate will help you)

  • Tenant users should not be able to modify namespace resources.
  • Namespaces with the same label specified in --target-label-key option must be guaranteed to have the same permissions.

namespaced-admission uses serviceAccountName filed to verify whether the resources listed in rules are accessible or not. Then apply the ServiceAccount to the target webhook. See Role, RoleBinding and ServiceAccount.

Demo

  1. Prepare Docker, kubectl, kind (Kubernetes-In-Docker)
  2. Launch a Kubernetes cluster with kind.
kind create cluster
  1. Deploy cert-manager.
make deploy-cert-manager
  1. Deploy namespaced-admission
make install
make docker-build
make docker-load
make deploy
  1. Deploy admission webhook server for a tenant user.
make docker-build-dummy
make docker-load-dummy
make deploy-dummy

About

namespaced-admission is a Kubernetes controller that allows tenant users to deploy Admission Webhook

Resources

Readme

License

Apache-2.0 license
Activity

Stars

1 star

Watchers

3 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages