alexlebens/external-snapshotter
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
Files
42b6b374cf4c599eb83d3f6b2eb4a5b0f9a50038
external-snapshotter/deploy/kubernetes/webhook-example/README.md
Andi Li 42b6b374cf Add phase 1 of validation tightening. 
https://github.com/kubernetes/enhancements/blob/master/keps/sig-storage/177-volume-snapshot/tighten-validation-webhook-crd.md

1. Ratcheting validation webhook server image
2. Controller labels invalid objects
3. Unit tests for webhook
4. Deployment README and example deployment method with certs
5. Update top-level README

Racheting validation:
1. webhook is strict on create
2. webhook is strict on updates where the existing object passes strict validation
3. webhook is relaxed on updates where the existing object fails strict validation (allows finalizer removal, status update, deletion, etc)

Additionally the validating wehook server will perform immutability
checks on scenario 2 above.
2020-08-27 20:34:21 -04:00

5.0 KiB
Raw Blame History

Validating Webhook

The snapshot validating webhook is an HTTP callback which responds to admission requests. It is part of a larger plan to tighten validation for volume snapshot objects. This webhook introduces the ratcheting validation mechanism targeting the tighter validation.

⚠️ WARNING: Choosing not to install the webhook server and participate in the phased release process can cause future problems when upgrading from v1beta1 to v1 volumesnapshot API if there are currently persisted objects which fail the new stricter validation. Potential impacts include being unable to delete invalid snapshot objects.

Prerequisites

The following are prerequisites to use this validating webhook:

  • K8s version 1.17+ (v1.9+ to use admissionregistration.k8s.io/v1beta1, v1.16+ to use admissionregistration.k8s.io/v1, v1.17+ to use snapshot.storage.k8s.io/v1beta1)
  • ValidatingAdmissionWebhook is enabled. (in v1.18+ it will be enabled by default)
  • API admissionregistration.k8s.io/v1beta1 or admissionregistration.k8s.io/v1 is enabled.

How to build the webhook

Build the binary

make

Build the docker image

docker build -t validation-webhook:latest -f ./cmd/validation-webhook/Dockerfile .

How to deploy the webhook

The webhook server is provided as an image which can be built from this repository. It can be deployed anywhere, as long as the api server is able to reach it over HTTPS. It is recommended to deploy the webhook server in the cluster as snapshotting is latency sensitive. A ValidatingWebhookConfiguration object is needed to configure the api server to contact the webhook server. Please see the documentation for more details. The webhook server code is adapted from the webhook server used in the kubernetes/kubernetes end to end testing code.

Example in-cluster deployment using Kubernetes Secrets

Please note this is not considered to be a production ready method to deploy the certificates and is only provided for demo purposes. This is only one of many ways to deploy the certificates, it is your responsibility to ensure the security of your cluster. TLS certificates and private keys should be handled with care and you may not want to keep them in plain Kubernetes secrets.

This method was heavily adapted from banzai cloud.

Method

These commands should be run from the top level directory.

  1. Run the create-cert.sh script. Note using the default namespace will allow anyone with access to that namespace to read your secret. It is recommended to change the namespace in all the files and the commands given below.

    # This script will create a TLS certificate signed by the [cluster](https://kubernetes.io/docs/tasks/tls/managing-tls-in-a-cluster/). It will place the public and private key into a secret on the cluster.
./deploy/kubernetes/webhook-example/create-cert.sh --service snapshot-validation-service --secret snapshot-validation-secret --namespace default # Make sure to use a different namespace

  2. Patch the ValidatingWebhookConfiguration file from the template, filling in the CA bundle field.

    cat ./deploy/kubernetes/webhook-example/admission-configuration-template | ./deploy/kubernetes/webhook-example/patch-ca-bundle.sh > ./deploy/kubernetes/webhook-example/admission-configuration.yaml

  3. Change the namespace in the generated admission-configuration.yaml file. Change the namespace in the service and deployment in the webhook.yaml file.

  4. Create the deployment, service and admission configuration objects on the cluster.

    kubectl apply -f ./deploy/kubernetes/webhook-example

Once all the pods from the deployment are up and running, you should be ready to go.

Verify the webhook works

Try to create an invalid snapshot object, the snapshot creation should fail.

kubectl create -f ./examples/kubernetes/invalid-snapshot.yaml

Other methods to deploy the webhook server

Look into cert-manager to handle the certificates, and this kube-builder tutorial on how to deploy a webhook.

Important

Please see the deployment yaml for the arguments expected by the webhook server. The snapshot validation webhook is served at the path /snapshot.