Created
April 19, 2020 13:05
-
-
Save developer-guy/07b9cadd2018a460f2c12501c374dc77 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #Then the MutatingAdmissionWebhook observes the requests to apiserver and intercepts requests matching the rules in admission webhooks and calls them in parallel. | |
| # For each request to the apiserver, the MutatingAdmissionWebhook sends an admissionReview(API for reference) to the relevant webhook admission server. The webhook admission server gathers information like object, oldobject, and userInfo from admissionReview, and sends back a admissionReview response including AdmissionResponse whose Allowed and Result fields are filled with the admission decision and optional Patch to mutate the resoures. | |
| # MutatingAdmissionWebhook needs to be registered in the apiserver by providing MutatingWebhookConfiguration. | |
| # During the registration process, MutatingAdmissionWebhook states: | |
| # - How to connect to the webhook admission server | |
| # - How to verify the webhook admission server | |
| # - The URL path of the webhook admission server | |
| # - Rules defining which resource and what action it handles | |
| # -How unrecognized errors from the webhook admission server are handled | |
| apiVersion: admissionregistration.k8s.io/v1beta1 | |
| kind: MutatingWebhookConfiguration | |
| metadata: | |
| name: sidecar-injector | |
| webhooks: | |
| - name: sidecar-injector-service.platform.svc | |
| namespaceSelector: | |
| matchExpressions: | |
| - key: sidecar/webhook | |
| operator: NotIn | |
| values: | |
| - ignore | |
| timeoutSeconds: 2 | |
| sideEffects: None | |
| admissionReviewVersions: [ "v1beta1" ] | |
| clientConfig: | |
| service: | |
| name: sidecar-injector-service | |
| namespace: platform | |
| path: "/mutate" | |
| caBundle: |- | |
| LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUMwakNDQWJvQ0NRRGVtallORWNjSWZqQU5CZ2txaGtpRzl3MEJBUXNGQURBcU1TZ3dKZ1lEVlFRRERCOWoKYjI1bWFXY3RjMmxrWldOaGNpMXBibXBsWTNSdmNpMXpaWEoyYVdObE1DQVhEVEl3TURRd05URTBNVFV3TjFvWQpEekl5T1RRd01URTVNVFF4TlRBM1dqQXFNU2d3SmdZRFZRUUREQjlqYjI1bWFXY3RjMmxrWldOaGNpMXBibXBsClkzUnZjaTF6WlhKMmFXTmxNSUlCSWpBTkJna3Foa2lHOXcwQkFRRUZBQU9DQVE4QU1JSUJDZ0tDQVFFQStXUzIKNHlRTGxtL0MwYUlqMXZqUldNZTY4QytabkJYekRyVkZDdVkvVm50TndWbVJOUityM1lQdFozZEtsM2tKb1VCSApHcUhsMklhajN6eHlnOHBQL042UzAzN0ErLy8xN3AwRE5hM1FtTVc0c2F0K2JTdWpERER6ZXBMcUx4WDVvYlJrClVLRDlQR3NpV3EzUkw3RUMrWGExYjM5MEZ5VjZhaHZPaStMZXNCUnlpZlZGaTlvc3Qvc055MG9yWEo0R3l3TE4KRmloNzZ0Mm9TdWpycUwrVk5UYVJsZWdxNkVIeEhvNHZQbmxiWWg3dUp4ZTRFZmQ0ZzF5SXVzdHNNVUFRam9EcwpwckY0MFhxenh0enNKVDVUS2ppc1FhWEFWT2V3SFM3OEtUNTlXeEttWFNzREgvcm9idDBpYzB4TVR3M2JjUjkyCnE0ZXYvYzd3YUR6dzVuNXF1UUlEQVFBQk1BMEdDU3FHU0liM0RRRUJDd1VBQTRJQkFRQkF0bm5nWEZBdXlLck8KVGVJbnBiK3J6bmMvMThmMGwxb3R2L1RJS01MT25UUUNBVEFtaEZmQ1lxV2NTS3J1YWdveE1nc24zYldHRzhtVQpiWlhPeVpXaDJkMU4rckxDbWV5cytqZzdpVy9hNDZSZ2pXbFpHdE0vYldQNmwzSDdEM1pobkhqbTJ1bExseFBDCnlDWkkvbVdBMVU5NmxPY0Z5Uk9zbldvdVRFNk9KZjY3Rm9UUWljSDJHbDAwc2hRMkRhZDBNWXBYQURUbHhwOHUKSVEzOFA4Z0ROaGdHclN1UUlGNFMrM3FrcUZCTUNjNlJEZm1TUmJCcHFGVklDZVdidDFic2h1bXNiN2F1bXh4cApGdHVXVmh0Sm1BUUVBMzNEdXJZeFgvdWQ4a05tV0hoWEVKdjZuUTJJYTJHYWFBamlkb1BQZ3g3NHFLbjAzWVNTCnhZeFIxRGpTCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K | |
| rules: | |
| - apiGroups: | |
| - "" | |
| apiVersions: | |
| - v1 | |
| operations: | |
| - CREATE | |
| resources: | |
| - pods | |
| scope: "Namespaced" | |
| #KIND: MutatingWebhookConfiguration | |
| #VERSION: admissionregistration.k8s.io/v1 | |
| # | |
| #RESOURCE: webhooks <[]Object> | |
| # | |
| #DESCRIPTION: | |
| # Webhooks is a list of webhooks and the affected resources and operations. | |
| # | |
| # MutatingWebhook describes an admission webhook and the resources and | |
| # operations it applies to. | |
| # | |
| #FIELDS: | |
| # admissionReviewVersions <[]string> | |
| # clientConfig <Object> | |
| # caBundle <string> | |
| # service <Object> | |
| # name <string> | |
| # namespace <string> | |
| # path <string> | |
| # port <integer> | |
| # url <string> | |
| # failurePolicy <string> | |
| # matchPolicy <string> | |
| # name <string> | |
| # namespaceSelector <Object> | |
| # matchExpressions <[]Object> | |
| # key <string> | |
| # operator <string> | |
| # values <[]string> | |
| # matchLabels <map[string]string> | |
| # objectSelector <Object> | |
| # matchExpressions <[]Object> | |
| # key <string> | |
| # operator <string> | |
| # values <[]string> | |
| # matchLabels <map[string]string> | |
| # reinvocationPolicy <string> | |
| # rules <[]Object> | |
| # apiGroups <[]string> | |
| # apiVersions <[]string> | |
| # operations <[]string> | |
| # resources <[]string> | |
| # scope <string> | |
| # sideEffects <string> | |
| # timeoutSeconds <integer> |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment