部署 Admission Webhooks
Kind Cluster
建议使用 kind 集群开发 Webhook,以加快迭代速度。 为什么?
- 你可以在1分钟内在本地启动多节点群集。
- 你可以在几秒钟内将其拆除。
- 你无需将 images 推送到远程镜像仓库。
Cert Manager
你需要 按此 安装 cert manager bundle。你只需要安装就好,对于证书的申请 kubebuilder 会帮你做。
Build your image
运行以下命令以在本地生成 image。
make docker-build
如果你使用 kind
创建的群集,则无需将 image 推送到远程镜像仓库。你可以将本地的 image 直接加载到 kind
创建的群集:
kind load docker-image your-image-name:your-tag
部署 Webhooks
您可以通过 kustomize 启动 webhook 和 cert manager 配置,将 config/default/kustomization.yaml
改成如下所示:
# Adds namespace to all resources.
namespace: project-system
# Value of this field is prepended to the
# names of all resources, e.g. a deployment named
# "wordpress" becomes "alices-wordpress".
# Note that it should also match with the prefix (text before '-') of the namespace
# field above.
namePrefix: project-
# Labels to add to all resources and selectors.
#commonLabels:
# someName: someValue
bases:
- ../crd
- ../rbac
- ../manager
# [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in
# crd/kustomization.yaml
- ../webhook
# [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER'. 'WEBHOOK' components are required.
- ../certmanager
# [PROMETHEUS] To enable prometheus monitor, uncomment all sections with 'PROMETHEUS'.
#- ../prometheus
patchesStrategicMerge:
# Protect the /metrics endpoint by putting it behind auth.
# If you want your controller-manager to expose the /metrics
# endpoint w/o any authn/z, please comment the following line.
- manager_auth_proxy_patch.yaml
# [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in
# crd/kustomization.yaml
- manager_webhook_patch.yaml
# [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER'.
# Uncomment 'CERTMANAGER' sections in crd/kustomization.yaml to enable the CA injection in the admission webhooks.
# 'CERTMANAGER' needs to be enabled to use ca injection
- webhookcainjection_patch.yaml
# the following config is for teaching kustomize how to do var substitution
vars:
# [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER' prefix.
- name: CERTIFICATE_NAMESPACE # namespace of the certificate CR
objref:
kind: Certificate
group: cert-manager.io
version: v1alpha2
name: serving-cert # this name should match the one in certificate.yaml
fieldref:
fieldpath: metadata.namespace
- name: CERTIFICATE_NAME
objref:
kind: Certificate
group: cert-manager.io
version: v1alpha2
name: serving-cert # this name should match the one in certificate.yaml
- name: SERVICE_NAMESPACE # namespace of the service
objref:
kind: Service
version: v1
name: webhook-service
fieldref:
fieldpath: metadata.namespace
- name: SERVICE_NAME
objref:
kind: Service
version: v1
name: webhook-service
现在你可以通过执行下面的命令将它们部署到你的集群中
make docker-build docker-push IMG=<some-registry>/<project-name>:tag
make deploy IMG=<some-registry>/<project-name>:tag
稍等片刻,直到出现 webhook pod 启动并且证书被提供。它通常在1分钟内完成。
现在,您可以创建一个有效的 CronJob 来测试你的 webhooks,创建应该成功完成。
kubectl create -f config/samples/batch_v1_cronjob.yaml
您也可以尝试创建一个无效的 CronJob (例如,使用格式错误的 cron schedule 字段),您应该看到创建失败并显示 validation error。