haozi4263/admission-resource
## 1. Create the CA certificate

```sh
cfssl gencert -initca ca-csr.json | cfssljson -bare ca
```

## 2. Create the server certificate; the hostname must be the admission webhook's Service name

```sh
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json \
  -hostname=admission-resource.default.svc -profile=server server-csr.json | cfssljson -bare server
```

## 3. Create the TLS Secret

```sh
kubectl create secret tls admission-resource-tls \
  --key=server-key.pem \
  --cert=server.pem
```

## 4. Put ca.pem into the admission webhook's caBundle

```sh
# caBundle must be one unbroken base64 line; strip the line wrapping that base64 adds by default
cat ca.pem | base64 | tr -d '\n'
```

## 5. Build and push the image

```sh
docker build -t haozi4263/admission-resource:v1.1 . && docker push haozi4263/admission-resource:v1.1
```

## 6. Run the admission webhook

```sh
kubectl apply -f deploy/admission-webhook-controller.yaml
```

## 7. Register the admission webhook

```sh
kubectl apply -f deploy/registry-webhook.yaml
```

## 8. Label the namespace so the admission webhook applies to it

```sh
kubectl label namespace default admission-resource=enabled
```

The Deployment must also carry the label `admission-resource: enabled`.

## 9. Apply the test Deployment and watch the logs

```sh
kubectl apply -f deploy/admission-resource-test.yaml
```

a. Check whether the cpu/memory resources of the created workload satisfy the resource rule
b. Check whether labels/annotations/initContainers were added
# Project description:

validate admission webhook:
For Deployment/StatefulSet resources, checks whether the ratios limit_cpu/request_cpu and limit_memory/request_memory exceed 4. A ratio above 4 means the resource allocation is unreasonable and creation of the Deployment/StatefulSet is rejected; a ratio below 4 is considered reasonable and creation is allowed.
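The ratio rule above, written out as an added example (this is not the project's own code). It parses the CPU and memory quantity strings a container declares, with no Kubernetes libraries, and denies when limit/request is greater than 4. The `ResourceSpec` type, the `Validate` name and the handling of missing fields are this example's assumptions: a missing limit is denied because the ratio cannot be checked, and a missing request is treated as equal to the limit, which is what Kubernetes itself does when only a limit is set.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// maxRatio is the limit/request ratio above which a workload is denied
// (the README's rule: more than 4x is unreasonable).
const maxRatio = 4.0

// parseCPU converts a CPU quantity ("500m", "2", "0.5") to cores.
// An empty string means the field was not set and yields 0.
func parseCPU(q string) (float64, error) {
	if q == "" {
		return 0, nil
	}
	if strings.HasSuffix(q, "m") {
		milli, err := strconv.ParseFloat(strings.TrimSuffix(q, "m"), 64)
		if err != nil {
			return 0, fmt.Errorf("bad cpu quantity %q: %w", q, err)
		}
		return milli / 1000, nil
	}
	cores, err := strconv.ParseFloat(q, 64)
	if err != nil {
		return 0, fmt.Errorf("bad cpu quantity %q: %w", q, err)
	}
	return cores, nil
}

// memUnits maps the binary and decimal suffixes Kubernetes accepts to bytes.
var memUnits = map[string]float64{
	"Ki": 1 << 10, "Mi": 1 << 20, "Gi": 1 << 30, "Ti": 1 << 40,
	"k": 1e3, "M": 1e6, "G": 1e9, "T": 1e12,
}

// parseMemory converts a memory quantity ("128Mi", "1Gi", "536870912") to bytes.
func parseMemory(q string) (float64, error) {
	if q == "" {
		return 0, nil
	}
	for suffix, mult := range memUnits {
		if strings.HasSuffix(q, suffix) {
			n, err := strconv.ParseFloat(strings.TrimSuffix(q, suffix), 64)
			if err != nil {
				return 0, fmt.Errorf("bad memory quantity %q: %w", q, err)
			}
			return n * mult, nil
		}
	}
	n, err := strconv.ParseFloat(q, 64)
	if err != nil {
		return 0, fmt.Errorf("bad memory quantity %q: %w", q, err)
	}
	return n, nil
}

// ResourceSpec holds the four values one container declares under resources.
// The type and its field names are this example's own, not the project's.
type ResourceSpec struct {
	RequestCPU, LimitCPU, RequestMemory, LimitMemory string
}

// Validate returns nil when the spec passes the ratio rule, otherwise the
// reason the admission review should deny it.
func Validate(spec ResourceSpec) error {
	reqCPU, err := parseCPU(spec.RequestCPU)
	if err != nil {
		return err
	}
	limCPU, err := parseCPU(spec.LimitCPU)
	if err != nil {
		return err
	}
	reqMem, err := parseMemory(spec.RequestMemory)
	if err != nil {
		return err
	}
	limMem, err := parseMemory(spec.LimitMemory)
	if err != nil {
		return err
	}
	checks := []struct {
		name     string
		req, lim float64
	}{{"cpu", reqCPU, limCPU}, {"memory", reqMem, limMem}}
	for _, c := range checks {
		if c.lim == 0 {
			// Assumption of this example: with no limit the ratio is undefined,
			// so the workload is denied rather than waved through.
			return fmt.Errorf("%s limit is not set; cannot check limit/request ratio", c.name)
		}
		if c.req == 0 {
			// Kubernetes defaults the request to the limit when only the limit
			// is given, so the effective ratio is 1.
			c.req = c.lim
		}
		if ratio := c.lim / c.req; ratio > maxRatio {
			return fmt.Errorf("%s limit/request ratio %.2f exceeds %.0fx", c.name, ratio, maxRatio)
		}
	}
	return nil
}

func main() {
	// Constructed sample: 2 cores over 500m is exactly 4x (allowed), 1Gi over 128Mi is 8x (denied).
	spec := ResourceSpec{RequestCPU: "500m", LimitCPU: "2", RequestMemory: "128Mi", LimitMemory: "1Gi"}
	if err := Validate(spec); err != nil {
		fmt.Println("deny:", err)
	} else {
		fmt.Println("allow")
	}
}
```

A ratio of exactly 4 is allowed here, matching the README's "above 4 is rejected" wording; the threshold is a constant so the boundary can be tightened without touching the parsing.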
mutate admission webhook:
Adds labels and annotations to Deployment/StatefulSet resources, taken from a given ConfigMap.
Adds initContainers to Deployment/StatefulSet resources, taken from a given ConfigMap.
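How a mutating webhook expresses those additions as a JSON Patch (the format referenced under the links below), shown as an added example that is not the project's code. It reads only the parts of the Deployment it needs and builds RFC 6902 operations. The point worth seeing is the edge case: an `add` on `/metadata/labels/foo` fails when the object has no `labels` map at all, and an `add` on `/metadata/labels` replaces an existing map, so the patch must create the whole map when it is absent and add key by key when it is present; init containers are appended with `/-` so existing ones survive. The `BuildPatch` name, the `deployment` struct and the sample manifest in `main` are this example's assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// patchOp is one RFC 6902 operation, the shape carried in an admission
// response's patch field when patchType is JSONPatch.
type patchOp struct {
	Op    string      `json:"op"`
	Path  string      `json:"path"`
	Value interface{} `json:"value,omitempty"`
}

// deployment is the subset of a Deployment this example must inspect
// to decide which patch operations are safe to emit.
type deployment struct {
	Metadata struct {
		Labels      map[string]string `json:"labels"`
		Annotations map[string]string `json:"annotations"`
	} `json:"metadata"`
	Spec struct {
		Template struct {
			Spec struct {
				InitContainers []map[string]interface{} `json:"initContainers"`
			} `json:"spec"`
		} `json:"template"`
	} `json:"spec"`
}

// escapeKey escapes '~' and '/' in a map key as RFC 6901 JSON Pointer requires,
// so a label like "example.com/owner" addresses one key, not a nested path.
func escapeKey(k string) string {
	return strings.NewReplacer("~", "~0", "/", "~1").Replace(k)
}

// mapOps returns the operations that merge add into the map at path:
// one whole-map add when the map is missing, otherwise one add per key.
func mapOps(path string, existing, add map[string]string) []patchOp {
	if len(add) == 0 {
		return nil
	}
	if existing == nil {
		return []patchOp{{Op: "add", Path: path, Value: add}}
	}
	ops := make([]patchOp, 0, len(add))
	for k, v := range add {
		ops = append(ops, patchOp{Op: "add", Path: path + "/" + escapeKey(k), Value: v})
	}
	return ops
}

// BuildPatch returns the JSON Patch that adds labels, annotations and init
// containers to the raw Deployment manifest without clobbering what is there.
func BuildPatch(raw []byte, labels, annotations map[string]string, initContainers []map[string]interface{}) ([]byte, error) {
	var d deployment
	if err := json.Unmarshal(raw, &d); err != nil {
		return nil, fmt.Errorf("decode deployment: %w", err)
	}
	var ops []patchOp
	ops = append(ops, mapOps("/metadata/labels", d.Metadata.Labels, labels)...)
	ops = append(ops, mapOps("/metadata/annotations", d.Metadata.Annotations, annotations)...)
	path := "/spec/template/spec/initContainers"
	if d.Spec.Template.Spec.InitContainers == nil {
		// No array yet: create it whole, otherwise "/-" would fail to resolve.
		ops = append(ops, patchOp{Op: "add", Path: path, Value: initContainers})
	} else {
		for _, c := range initContainers {
			ops = append(ops, patchOp{Op: "add", Path: path + "/-", Value: c})
		}
	}
	return json.Marshal(ops)
}

func main() {
	// Constructed sample manifest: has labels, no annotations, no initContainers.
	raw := []byte(`{"metadata":{"name":"demo","labels":{"app":"demo"}},
	 "spec":{"template":{"spec":{"containers":[{"name":"app","image":"nginx"}]}}}}`)
	patch, err := BuildPatch(raw,
		map[string]string{"admission-resource": "enabled"},
		map[string]string{"example.com/owner": "team-a"},
		[]map[string]interface{}{{"name": "init", "image": "busybox"}})
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Println(string(patch))
}
```

The webhook would base64-encode the returned bytes into `AdmissionResponse.patch` and set `patchType` to `JSONPatch`; the API server applies the operations in order, which is why the whole-map add must come before any per-key add on the same map.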
## References:
https://kubernetes.io/zh/docs/reference/access-authn-authz/extensible-admission-controllers/
https://jsonpatch.com/About
An admission controller that validates workloads against cpu/memory resource rules and mutates them to add labels/annotations/initContainers.