部署 Admission Webhooks

Kind Cluster

建议使用 kind 集群开发 Webhook,以加快迭代速度。 为什么?

  • 你可以在1分钟内在本地启动多节点群集。
  • 你可以在几秒钟内将其拆除。
  • 你无需将 images 推送到远程镜像仓库。

Cert Manager

你需要 按此 安装 cert manager bundle。你只需要安装就好,对于证书的申请 kubebuilder 会帮你做。

Build your image

运行以下命令以在本地生成 image。

make docker-build

如果你使用 kind 创建的群集,则无需将 image 推送到远程镜像仓库。你可以将本地的 image 直接加载到 kind 创建的群集:

kind load docker-image your-image-name:your-tag

部署 Webhooks

您可以通过 kustomize 启动 webhook 和 cert manager 配置,将 config/default/kustomization.yaml 改成如下所示:

# Adds namespace to all resources. namespace: project-system # Value of this field is prepended to the # names of all resources, e.g. a deployment named # "wordpress" becomes "alices-wordpress". # Note that it should also match with the prefix (text before '-') of the namespace # field above. namePrefix: project- # Labels to add to all resources and selectors. #commonLabels: # someName: someValue bases: - ../crd - ../rbac - ../manager # [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in # crd/kustomization.yaml - ../webhook # [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER'. 'WEBHOOK' components are required. - ../certmanager # [PROMETHEUS] To enable prometheus monitor, uncomment all sections with 'PROMETHEUS'. #- ../prometheus patchesStrategicMerge: # Protect the /metrics endpoint by putting it behind auth. # If you want your controller-manager to expose the /metrics # endpoint w/o any authn/z, please comment the following line. - manager_auth_proxy_patch.yaml # [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in # crd/kustomization.yaml - manager_webhook_patch.yaml # [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER'. # Uncomment 'CERTMANAGER' sections in crd/kustomization.yaml to enable the CA injection in the admission webhooks. # 'CERTMANAGER' needs to be enabled to use ca injection - webhookcainjection_patch.yaml # the following config is for teaching kustomize how to do var substitution vars: # [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER' prefix. - name: CERTIFICATE_NAMESPACE # namespace of the certificate CR objref: kind: Certificate group: cert-manager.io version: v1alpha2 name: serving-cert # this name should match the one in certificate.yaml fieldref: fieldpath: metadata.namespace - name: CERTIFICATE_NAME objref: kind: Certificate group: cert-manager.io version: v1alpha2 name: serving-cert # this name should match the one in certificate.yaml - name: SERVICE_NAMESPACE # namespace of the service objref: kind: Service version: v1 name: webhook-service fieldref: fieldpath: metadata.namespace - name: SERVICE_NAME objref: kind: Service version: v1 name: webhook-service

现在你可以通过执行下面的命令将它们部署到你的集群中

make docker-build docker-push IMG=<some-registry>/<project-name>:tag make deploy IMG=<some-registry>/<project-name>:tag

稍等片刻,直到出现 webhook pod 启动并且证书被提供。它通常在1分钟内完成。

现在,您可以创建一个有效的 CronJob 来测试你的 webhooks,创建应该成功完成。

kubectl create -f config/samples/batch_v1_cronjob.yaml

您也可以尝试创建一个无效的 CronJob (例如,使用格式错误的 cron schedule 字段),您应该看到创建失败并显示 validation error。