Deploying Admission Webhooks

Kind Cluster

It is recommended to develop your webhook against a kind cluster to speed up iteration. Why?

  • You can bring up a multi-node cluster locally in 1 minute.
  • You can tear it down in seconds.
  • You don't need to push your images to a remote registry.

Cert Manager

You need to install the cert manager bundle by following this. Installing it is all you have to do; kubebuilder takes care of requesting the certificate for you.

Build your image

Run the following command to build your image locally.

make docker-build

If you are using a cluster created with kind, you don't need to push the image to a remote registry. You can load the local image directly into the kind cluster:

kind load docker-image your-image-name:your-tag

Deploying Webhooks

You can enable the webhook and cert manager configuration through kustomize by changing config/default/kustomization.yaml to the following:

# Adds namespace to all resources.
namespace: project-system

# Value of this field is prepended to the
# names of all resources, e.g. a deployment named
# "wordpress" becomes "alices-wordpress".
# Note that it should also match with the prefix (text before '-') of the namespace
# field above.
namePrefix: project-

# Labels to add to all resources and selectors.
#commonLabels:
#  someName: someValue

bases:
- ../crd
- ../rbac
- ../manager
# [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in
# crd/kustomization.yaml
- ../webhook
# [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER'. 'WEBHOOK' components are required.
- ../certmanager
# [PROMETHEUS] To enable prometheus monitor, uncomment all sections with 'PROMETHEUS'.
#- ../prometheus

patchesStrategicMerge:
  # Protect the /metrics endpoint by putting it behind auth.
  # If you want your controller-manager to expose the /metrics
  # endpoint w/o any authn/z, please comment the following line.
- manager_auth_proxy_patch.yaml

# [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in
# crd/kustomization.yaml
- manager_webhook_patch.yaml

# [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER'.
# Uncomment 'CERTMANAGER' sections in crd/kustomization.yaml to enable the CA injection in the admission webhooks.
# 'CERTMANAGER' needs to be enabled to use ca injection
- webhookcainjection_patch.yaml

# the following config is for teaching kustomize how to do var substitution
vars:
# [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER' prefix.
- name: CERTIFICATE_NAMESPACE # namespace of the certificate CR
  objref:
    kind: Certificate
    group: cert-manager.io
    version: v1alpha2
    name: serving-cert # this name should match the one in certificate.yaml
  fieldref:
    fieldpath: metadata.namespace
- name: CERTIFICATE_NAME
  objref:
    kind: Certificate
    group: cert-manager.io
    version: v1alpha2
    name: serving-cert # this name should match the one in certificate.yaml
- name: SERVICE_NAMESPACE # namespace of the service
  objref:
    kind: Service
    version: v1
    name: webhook-service
  fieldref:
    fieldpath: metadata.namespace
- name: SERVICE_NAME
  objref:
    kind: Service
    version: v1
    name: webhook-service

Now you can deploy them to your cluster by running the following commands:

make docker-build docker-push IMG=<some-registry>/<project-name>:tag
make deploy IMG=<some-registry>/<project-name>:tag

Wait a while until the webhook pod comes up and the certificate is provisioned. This usually completes within 1 minute.

Now you can create a valid CronJob to test your webhooks; the creation should succeed.

kubectl create -f config/samples/batch_v1_cronjob.yaml

You can also try creating an invalid CronJob (for example, one with a malformed cron schedule field); you should see the creation fail with a validation error.
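The steps above leave a gap between "wait a while" and "create a CronJob": if the API server cannot verify the webhook's TLS certificate, the sample CronJob is rejected (or silently admitted, depending on failurePolicy) for reasons that have nothing to do with validation. The script below is an added example, not code from the Kubebuilder book or the generated project; it checks that the cert-manager Certificate is Ready and that the CA was injected into both webhook configurations before running the positive and negative CronJob tests. It assumes the names from the kustomization above (namespace project-system, namePrefix project-, Certificate serving-cert, Service webhook-service) and the kubebuilder default webhook configuration names mutating-webhook-configuration and validating-webhook-configuration.

```shell
#!/bin/sh
# Added example (not part of the Kubebuilder book or the scaffolded project).
# Assumed names: namespace project-system, namePrefix project-, Certificate
# serving-cert, webhook configurations {mutating,validating}-webhook-configuration.
set -e
NS="${NS:-project-system}"
PREFIX="${PREFIX:-project-}"

# 0 when caBundle is non-empty base64 that decodes to a PEM certificate. An empty
# bundle means cert-manager has not injected the CA yet and TLS to the webhook fails.
ca_bundle_ok() {
  [ -n "$1" ] || return 1
  printf '%s' "$1" | base64 -d 2>/dev/null | grep -q 'BEGIN CERTIFICATE'
}

# 0 when the cert-manager.io/inject-ca-from annotation names our Certificate.
inject_annotation_ok() {
  [ "$1" = "$NS/${PREFIX}serving-cert" ]
}

# 0 when kubectl's exit status ($1) and stderr ($2) show the webhook denied the object.
denied_by_webhook() {
  [ "$1" -ne 0 ] && printf '%s' "$2" | grep -qi 'denied the request'
}

verify_deployment() {
  ready=$(kubectl -n "$NS" get certificate "${PREFIX}serving-cert" \
    -o jsonpath='{.status.conditions[?(@.type=="Ready")].status}')
  [ "$ready" = "True" ] || { echo "certificate not Ready yet"; return 1; }
  for w in mutating validating; do
    name="${PREFIX}${w}-webhook-configuration"
    ann=$(kubectl get "${w}webhookconfiguration" "$name" \
      -o jsonpath='{.metadata.annotations.cert-manager\.io/inject-ca-from}')
    inject_annotation_ok "$ann" || { echo "$name: inject-ca-from is '$ann'"; return 1; }
    bundle=$(kubectl get "${w}webhookconfiguration" "$name" \
      -o jsonpath='{.webhooks[0].clientConfig.caBundle}')
    ca_bundle_ok "$bundle" || { echo "$name: caBundle not injected yet"; return 1; }
  done
  # Positive test: the sample CronJob must be admitted.
  kubectl create -f config/samples/batch_v1_cronjob.yaml >/dev/null
  # Negative test: a malformed schedule must be rejected by the validating webhook.
  err=$(sed 's/schedule: .*/schedule: "not a cron expression"/' \
        config/samples/batch_v1_cronjob.yaml | kubectl create -f - 2>&1 >/dev/null) \
    && rc=0 || rc=$?
  denied_by_webhook "$rc" "$err" || { echo "invalid CronJob was not rejected"; return 1; }
  echo "webhook deployment verified"
}

# Only talk to a cluster when one is reachable; the helper functions work offline.
if command -v kubectl >/dev/null 2>&1 && kubectl cluster-info >/dev/null 2>&1; then
  verify_deployment
fi
```

Run it from the project root after `make deploy`; a failing check names the object that is not ready, which is usually faster than reading the webhook pod logs.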