A simple MutatingWebhookConfiguration implementation

1. Generating certificates

# Generate the CA private key (2048-bit RSA)
openssl genrsa -out ca.key 2048

# Generate the self-signed CA certificate (valid for 10 years)
openssl req -x509 -new -nodes -key ca.key -subj "/CN=pero-xdd" -days 3650 -out ca.crt

# Generate the server private key
openssl genrsa -out server.key 2048

# Generate the certificate signing request (CSR). csr.conf is shown below; this command also prompts for the
# Distinguished Name (DN), here CN=xdd,OU=pero,O=pcl,L=sz,ST=gd,C=CN (the fields are explained below)
openssl req -new -key server.key -config csr.conf -out server.csr

# Sign the server certificate with the CA (valid for 10 years); the v3_req extensions carry the SANs
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 3650 -extensions v3_req -extfile csr.conf

# Bundle server.crt and server.key into a PKCS12 keystore
# (a password passed as pass: ends up in shell history and the process list; the value here is a placeholder)
openssl pkcs12 -export -in server.crt -inkey server.key -out pero-xdd.p12 -name pero-xdd -CAfile ca.crt -caname pero-xdd -password pass:pero-xdd@xxxxxxxxx

# base64-encode the CA certificate as a single line (used as caBundle below)
cat ca.crt | base64 | tr "\n" "," | sed 's/,//g'


csr.conf is as follows:

[req]
req_extensions = v3_req
distinguished_name = req_distinguished_name

[req_distinguished_name]
# address of the webhook service
CN = pero-xdd-svc.namespace.svc

[v3_req]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

# address of the webhook service
[alt_names]
DNS.1 = pero-xdd-svc
DNS.2 = pero-xdd-svc.namespace
DNS.3 = pero-xdd-svc.namespace.svc


A DN usually contains the following fields:

Common Name (CN): the full name of a person or the name of a service. For a personal certificate this is usually the full name; for a server certificate it is usually the service's hostname.
Organization (O): the legal name of the organization.
Organizational Unit (OU): the department or unit within the organization.
Locality (L): the city or locality.
State or Province (ST): the full name of the state or province; abbreviations are not allowed.
Country (C): the two-letter ISO country code, e.g. US for the United States.


2. Building a Spring Boot service

The configuration file is as follows:

spring.application.name=pero-xdd
server.port=8080

# Enable HTTPS using the pero-xdd.p12 keystore generated in the previous step
server.ssl.enabled=true
server.ssl.key-store-type=PKCS12
server.ssl.key-store=classpath:pero-xdd.p12
server.ssl.key-store-password=pero-xdd@xxxxxxxxx
server.ssl.key-alias=pero-xdd


The controller is as follows:

// Imports assumed from the builder style used below: fabric8 kubernetes-model admission types and Lombok's @Slf4j
import io.fabric8.kubernetes.api.model.admission.v1.AdmissionRequest;
import io.fabric8.kubernetes.api.model.admission.v1.AdmissionResponse;
import io.fabric8.kubernetes.api.model.admission.v1.AdmissionResponseBuilder;
import io.fabric8.kubernetes.api.model.admission.v1.AdmissionReview;
import lombok.extern.slf4j.Slf4j;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

@RequestMapping("/pero")
@RestController
@Slf4j
public class MutationWebhookController {

    @Autowired
    private MutationWebhookService mutationWebhookService; // the application's own service (not shown here)

    @PostMapping("/xdd")
    public AdmissionReview mutate(@RequestBody AdmissionReview review) {
        log.info("webhook start");

        // Implement your own logic here, based on the incoming request
        AdmissionRequest request = review.getRequest();

        // This response does nothing: it admits the object unchanged.
        // The response uid must echo the request uid, otherwise the API server rejects the reply.
        AdmissionResponse response = new AdmissionResponseBuilder()
                .withUid(request.getUid())
                .withAllowed(true)
                .build();

        review.setResponse(response);

        log.info("webhook end");
        return review;
    }

}
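The controller above admits every object unchanged. The following added example (not from the original post, and framework-independent rather than Spring/fabric8 code) shows what an actual mutating reply looks like: it echoes the request uid, patches only objects labelled pero-xdd=true (the objectSelector also admits "false", which gets an empty reply), and returns an RFC 6902 patch base64-encoded with patchType JSONPatch. The sample request and the annotation key pero-xdd/mutated are constructed for the example.

```python
import base64
import json

# Constructed sample request, shaped like what the API server POSTs to
# /pero/xdd for a Deployment labelled pero-xdd=true (not a real capture).
SAMPLE_REVIEW = {
    "apiVersion": "admission.k8s.io/v1",
    "kind": "AdmissionReview",
    "request": {
        "uid": "705ab4f5-6393-11e8-b7cc-42010a800002",
        "kind": {"group": "apps", "version": "v1", "kind": "Deployment"},
        "operation": "CREATE",
        "object": {"metadata": {"name": "demo", "namespace": "default",
                                "labels": {"pero-xdd": "true"}},
                   "spec": {"replicas": 1}},
    },
}
ANNOTATION = "pero-xdd/mutated"  # hypothetical annotation key written by the mutation

def json_pointer_escape(segment):
    """Escape one JSON Pointer segment (RFC 6901): '~' -> '~0' first, then '/' -> '~1'."""
    return segment.replace("~", "~0").replace("/", "~1")

def build_patch(obj):
    """RFC 6902 ops adding ANNOTATION; 'add' fails if the parent map is missing,
    so create metadata.annotations as a whole when the object has none."""
    if obj.get("metadata", {}).get("annotations") is None:
        return [{"op": "add", "path": "/metadata/annotations",
                 "value": {ANNOTATION: "true"}}]
    return [{"op": "add", "value": "true",
             "path": "/metadata/annotations/" + json_pointer_escape(ANNOTATION)}]

def mutate(review):
    """Build the AdmissionReview reply: response.uid must echo request.uid, and a
    JSONPatch is sent base64-encoded in 'patch' with patchType 'JSONPatch'."""
    request = review["request"]
    response = {"uid": request["uid"], "allowed": True}
    labels = request["object"].get("metadata", {}).get("labels", {})
    if labels.get("pero-xdd") == "true":  # objectSelector also admits "false": no patch then
        patch = json.dumps(build_patch(request["object"])).encode()
        response["patchType"] = "JSONPatch"
        response["patch"] = base64.b64encode(patch).decode()
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
            "response": response}

def decode_patch(reply):
    """Recover the patch operations the API server would apply from a reply."""
    return json.loads(base64.b64decode(reply["response"]["patch"]))
```

Calling mutate(SAMPLE_REVIEW) yields the reply body the server would send back; decode_patch shows the operations the API server applies before persisting the object.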

 

3. Deployment YAML

apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
  name: pero-xdd-mwc
webhooks:
  - admissionReviewVersions:
      - v1
    clientConfig:
      caBundle: xxxxxxxxxxxxxxxx  # base64-encoded ca.crt
      service:
        name: pero-xdd-svc # the webhook Service
        namespace: namespace
        path: /pero/xdd
        port: 8080
    name: pero-xdd-mwc.namespace.pcl  # this name does not seem to matter at the moment
    objectSelector:
      matchExpressions:
        - key: pero-xdd  # special label; the webhook is only called for objects carrying it
          operator: In
          values:
            - "true"
            - "false"
    rules:
      - apiGroups:
          - apps
        apiVersions:
          - v1
        operations:
          - CREATE
          - UPDATE
        resources:
          - deployments
          - statefulsets
          - daemonsets
    sideEffects: None
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: pero-xdd-deploy
  namespace: namespace
spec:
  replicas: 1
  selector:
    matchLabels:
      name: pero-xdd
  template:
    metadata:
      labels:
        name: pero-xdd
    spec:
      containers:
      - command:
        - /bin/sh
        - -c
        - java -Dspring.config.location=/apps/pero-xdd/config/application.properties -jar /apps/pero-xdd/pero-xdd.jar
        image: pero-xdd:test
        imagePullPolicy: Always
        name: pero-xdd
        ports:
        - containerPort: 8080
          name: service-port
          protocol: TCP
        volumeMounts:
        - name: pero-xdd-config
          mountPath: /apps/pero-xdd/config
      dnsPolicy: ClusterFirst
      volumes:
      - configMap:
          name: pero-xdd-config
        name: pero-xdd-config
---
apiVersion: v1
kind: Service
metadata:
  name: pero-xdd-svc
  namespace: namespace
spec:
  ipFamilies:
  - IPv4
  - IPv6
  ipFamilyPolicy: RequireDualStack
  ports:
  - name: service-port
    port: 8080
    protocol: TCP
    targetPort: 8080
  selector:
    name: pero-xdd
  type: ClusterIP
---
apiVersion: v1
data:
  application.properties: |-
    spring.application.name=pero-xdd
    server.port=8080
    
    server.ssl.enabled=true
    server.ssl.key-store-type=PKCS12
    server.ssl.key-store=classpath:pero-xdd.p12
    server.ssl.key-store-password=pero-xdd@xxxxxxxxx
    server.ssl.key-alias=pero-xdd

kind: ConfigMap
metadata:
  name: pero-xdd-config
  namespace: namespace

 

4. Testing

Update a resource in the cluster that carries the special label.

Check the webhook's logs.

posted @ 2025-06-17 15:17 wdgde