This controller will rewrite deployments in Kubernetes that reference an image repository location of `cluster.local/someimage` to a repository local to the cluster (in the sample it is rewritten to `rewritten.local/someimage`) and inject the correct image pull secret. The aim is to simplify deployment in an HA environment with multiple k8s clusters across multiple providers, each with separate image repositories.
This is a task that could also be performed by a CD pipeline, and careful thought should be given to how this affects clusters if the webhook service isn't available. Currently the solution mutates deployments (not pods), meaning that pods can still be created successfully when the service is down, allowing the cluster to recover from node failure; however, no deployments can be created or updated during this time.
Let's start our webhook receiver locally:
ngrok http 3000
git clone https://github.com/lawrencegripper/ClusterLocalAdmissionsController
then cd into the directory and run
npm install && npm run watch-server
- Update the `url` property in `./kubernetes/k8s-ngrok.yaml` with your ngrok https endpoint, then run (assuming `k` is aliased to `kubectl`)
k apply -f ./kubernetes/k8s-ngrok.yaml
- Run
k apply -f ./kubernetes/testdep.yaml
and watch the webhook hit your service and patch the image location.
Run npm test
When the webhook receives a request it does the following:
- Clones the incoming pod spec into a new object
- Makes changes to the clone, updating the image location
- Creates a JSONPatch by comparing the original and the clone
- Base64 encodes the JSONPatch data
- Returns the patch as part of an `admissionResponse` object
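The five steps above as a minimal stand-alone handler. This is an added example, not code from the repository: the registry URL `rewritten.local`, the pull-secret name `cluster-registry-creds` and the sample AdmissionReview are assumed or constructed values.

```javascript
const TARGET_REGISTRY = "rewritten.local";     // assumed: the chart's containerRegistryUrl
const PULL_SECRET = "cluster-registry-creds";  // assumed: name of the pull secret to inject
const LOCAL_PREFIX = "cluster.local/";

// Step 2: rewrite cluster.local/<image> to <registry>/<image> and inject the pull secret.
function rewritePodSpec(podSpec) {
  for (const c of podSpec.containers || []) {
    if (c.image.startsWith(LOCAL_PREFIX)) c.image = TARGET_REGISTRY + "/" + c.image.slice(LOCAL_PREFIX.length);
  }
  const secrets = podSpec.imagePullSecrets || [];
  if (!secrets.some((s) => s.name === PULL_SECRET)) podSpec.imagePullSecrets = [...secrets, { name: PULL_SECRET }];
}

// Step 3: build an RFC 6902 JSON Patch by walking original and clone side by side.
// Arrays whose length changed are replaced whole, so index shifting cannot corrupt the patch.
function jsonPatch(orig, mod, path = "") {
  const isObj = (v) => typeof v === "object" && v !== null;
  if (!isObj(orig) || !isObj(mod) || Array.isArray(orig) !== Array.isArray(mod) ||
      (Array.isArray(orig) && orig.length !== mod.length)) {
    return JSON.stringify(orig) === JSON.stringify(mod) ? [] : [{ op: "replace", path, value: mod }];
  }
  const ops = [];
  for (const k of new Set([...Object.keys(orig), ...Object.keys(mod)])) {
    const p = `${path}/${k.replace(/~/g, "~0").replace(/\//g, "~1")}`;  // RFC 6901 escaping
    if (!(k in mod)) ops.push({ op: "remove", path: p });
    else if (!(k in orig)) ops.push({ op: "add", path: p, value: mod[k] });
    else ops.push(...jsonPatch(orig[k], mod[k], p));
  }
  return ops;
}

// Steps 1, 4 and 5: clone the incoming Deployment, mutate the clone, diff, base64, respond.
function handleAdmissionReview(review) {
  const original = review.request.object;
  const clone = JSON.parse(JSON.stringify(original));
  rewritePodSpec(clone.spec.template.spec);
  const patch = Buffer.from(JSON.stringify(jsonPatch(original, clone))).toString("base64");
  return { apiVersion: review.apiVersion, kind: "AdmissionReview",
           response: { uid: review.request.uid, allowed: true, patchType: "JSONPatch", patch } };
}

// Constructed sample request (shape only; not taken from the repo's testdep.yaml).
const sampleReview = {
  apiVersion: "admission.k8s.io/v1beta1", kind: "AdmissionReview",
  request: { uid: "constructed-uid", object: { kind: "Deployment", spec: { template: { spec: {
    containers: [{ name: "app", image: "cluster.local/someimage:1.0" }] } } } } },
};
```

Decoding `handleAdmissionReview(sampleReview).response.patch` yields one `replace` op for the container image and one `add` op for `imagePullSecrets`; the original request object is left untouched because only the clone is mutated.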
To deploy the registry rewriter into your cluster you can use the Helm chart contained here. You will need the following properties:
- CA root certificate of the cluster this is being deployed into
- URL of the registry that should be used for `cluster.local` images
To get the root bundle, run the following:
kubectl get configmap -n kube-system extension-apiserver-authentication -o=jsonpath='{.data.client-ca-file}' | base64 | tr -d '\n'
Installing this chart creates a number of things:
- A Kubernetes job to create a CSR for the deployment and approve the CSR
- A deployment and service for the webhook itself
- A webhook configuration to tell Kubernetes where the webhook is in your cluster
The chart can be found in this repo and can also be consumed from the resources page using
helm install <url of release> --name registry-rewriter --set containerRegistryUrl=someurl.com,caBundle=<rootbundleasbase64>
Once installed, run `k apply -f ./kubernetes/testdep.yaml` to test that it has worked. If all is working you should see
deployment.apps/example-deployment configured
You can also choose to deploy your own custom container image for the webhook by supplying the `webhookImage` value in `values.yaml`.