Caution
THIS PROJECT IS UNDER CONSTRUCTION (WIP). DO NOT TAKE IT SERIOUSLY YET!
This repository contains a well detailed PoC about an specific use case: enabling custom validation and mutating webhook for your Kubernetes deployments based on a set of rules. There are many solutions out there like OPA Gatekeeper or Kyverno specialized for this. However, understanding how could you configure your custom server for validation or mutating webhook can provide you even farther flexibility if needed.
- Docker
- Python 3.10+
- Kubectl
- yq (only for Kubernetes deployment).
sudo wget -qO /usr/local/bin/yq https://github.com/mikefarah/yq/releases/latest/download/yq_linux_amd64
sudo chmod a+x /usr/local/bin/yq
- Build required docker images and upload to your cluster registry. Other option is to use my already publish image in DockerHub.
docker build . -f docker/Dockerfile.service -t uvicorn:1.0
- [Optional] Generate self-signed certs for the uvicorn server. Omit this step if you have your own certificates for TLS exposure.
# Make sure to set your target domain and ip
./gen_certs.sh --domain codetriarii.org --ip 172.20.140.18
If you want to deploy the server outside the cluster, make sure to follow these steps:
-
[Optional] If you have your own certs, place those in
certs
folder. Ensure naming isca.crt
,cert.crt
andcert.key
. -
Start the server with
docker compose
.
docker compose -f docker-compose.yml up --force-recreate
Important
For kubernetes, you must generate the certs with CN expected the service name to avoid TLS errors.
./gen_certs.sh --domain uvicorn-service.demo.svc --ip 127.0.0.1
- Create the tls secret from your certs (either the ones you have placed in
certs
folder or the automatically generated ones.)
kubectl create ns demo
kubectl config set-context --current --namespace demo
kubectl create secret tls uvicorn-tls-secret --cert=certs/cert.crt --key=certs/cert.key -n demo
- Create the configmap with the rules details.
kubectl create cm uvicorn-config --from-file=uvicorn_config/config.yaml -n demo
Tip
Check the rules before creation, to enable, disable, change the parameters as you require.
- Create the deployment.
kubectl create -f kubernetes/uvicorn-deployment.yaml
Important
If you are using your own built image, then make sure to change the image
of the deployment and include imagePullSecrets
if required (if your registry is authorized as it should be...)
Important
Kubernetes versions enable by default ValidatingAdmissionWebhook
and MutatingAdmissionWebhook
. Ensure both plugins are enabled in your cluster. If not, just include both in --enable-admission-plugins=
flag of /etc/kubernetes/manifests/kube-apiserver.yaml
of your master(s) node.
- Set the ca-bundle from
certs
folder.
{
ca_bundle=$(cat certs/ca.crt | base64 -w0)
yq read kubernetes/validation-webhook.yaml -j | jq ".webhooks[].clientConfig.caBundle = \"${ca_bundle}\"" | yq read -P - > kubernetes/validation-webhook.yaml.bak
mv kubernetes/validation-webhook.yaml.bak kubernetes/validation-webhook.yaml
}
- Create the validation and mutating webhook definitions:
kubectl create -f kubernetes/validation-webhook.yaml
kubectl create -f kubernetes/mutating-webhook.yaml
- Create validation/mutating server with FastAPI.
- Prepare docker and kubernetes deployment (two flavors).
- Implement rules based on
config.yaml
- Support for pods - whitelist images
See the open issues for a full list of proposed features (and known issues).
Contributions are what make the open source community such an amazing place to learn, inspire, and create. Any contributions you make are greatly appreciated 💹.
If you have a suggestion that would make this better, please fork the repo and create a pull request. You can also simply open an issue with the tag "enhancement".
-
Fork the Project
-
Create your Feature Branch
git checkout -b feature/AmazingFeature
-
Commit your Changes
git commit -m 'Add some AmazingFeature
-
Push to the Branch
git push origin feature/AmazingFeature
-
Open a Pull Request
Distributed under the APACHE 2.0
License.
As we always state, our main purpose is keep learning, contributing to the community and finding ways to collaborate in interesting initiatives.
Do not hesitate to contact us at codetriariism@gmail.com
If you are interested in our content creation, also check our social media accounts. We have all sorts of training resources, blogs, hackathons, write-ups and more! Do not skip it, you will like it 😏 😏 😏 👍
Don't forget to give the project a star if you liked it! Thanks again! 🌟 💛