kube-sidecar-injector

This repo is used for a tutorial at Medium to create a Kubernetes MutatingAdmissionWebhook that injects a nginx sidecar container into pod prior to persistence of the object. 此存储库用于 Medium 上的教程，用于创建 Kubernetes MutatingAdmissionWebhook，在对象持久化之前将 nginx sidecar 容器注入到 pod 中。

Prerequisites

• git
• go version v1.17+
• docker version 19.03+
• kubectl version v1.19+
• Access to a Kubernetes v1.19+ cluster with the admissionregistration.k8s.io/v1 API enabled. Verify that by the following command:

kubectl api-versions | grep admissionregistration.k8s.io

The result should be:

admissionregistration.k8s.io/v1
admissionregistration.k8s.io/v1beta1

Note: In addition, the MutatingAdmissionWebhook and ValidatingAdmissionWebhook admission controllers should be added and listed in the correct order in the admission-control flag of kube-apiserver.

Build and Deploy

1. Build and push docker image:

make -n --just-prin docker-build docker-push IMAGE=lanzhiwang/sidecar-injector:latest

2. Deploy the kube-sidecar-injector to kubernetes cluster:

make -n --just-prin deploy IMAGE=lanzhiwang/sidecar-injector:latest

3. Verify the kube-sidecar-injector is up and running:

kubectl -n sidecar-injector get pod
NAME                                READY   STATUS    RESTARTS   AGE
sidecar-injector-7c8bc5f4c9-28c84   1/1     Running   0          30s

How to use

1. Create a new namespace test-ns and label it with sidecar-injector=enabled:

$ kubectl create ns test-ns
$ kubectl label namespace test-ns sidecar-injection=enabled
$ kubectl get namespace -L sidecar-injection
NAME                 STATUS   AGE   SIDECAR-INJECTION
default              Active   26m
test-ns              Active   13s   enabled
kube-public          Active   26m
kube-system          Active   26m
sidecar-injector     Active   17m

2. Deploy an app in Kubernetes cluster, take alpine app as an example

kubectl -n test-ns run alpine \
    --image=alpine \
    --restart=Never \
    --command -- sleep infinity

3. Verify sidecar container is injected:

$ kubectl -n test-ns get pod
NAME                     READY     STATUS        RESTARTS   AGE
alpine                   2/2       Running       0          10s

$ kubectl -n test-ns get pod alpine -o jsonpath="{.spec.containers[*].name}"
alpine sidecar-nginx

Troubleshooting

Sometimes you may find that pod is injected with sidecar container as expected, check the following items:

1. The sidecar-injector pod is in running state and no error logs.

2. The namespace in which application pod is deployed has the correct labels(sidecar-injector=enabled) as configured in mutatingwebhookconfiguration.

3. Check if the application pod has annotation sidecar-injector-webhook.morven.me/inject:"yes".