Verifying the mutating admission webhook feature on OCP 3.11

The verification uses the pod-annotation example from kubewebhook: https://github.com/slok/kubewebhook.git

1. Enable MutatingAdmissionWebhook in OCP

cat /etc/origin/master/master-config.yaml
Add the following configuration:
admissionConfig:
  pluginConfig:
    MutatingAdmissionWebhook:
      configuration:
        apiVersion: v1
        kind: DefaultAdmissionConfig
        disable: false

2. Deploy the certificate Secret. The certificate below is issued for the domain pod-annotate-webhook.app.svc; you can generate a different one yourself.

apiVersion: v1
data:
  cert.pem: <base64-encoded cert.pem; the value is not preserved on this page>
  key.pem: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFb3dJQkFBS0NBUUVBdFQrSktoMUpRSnRjVGpvKytYb1JUSlNzT3J5K3g3NDR3SEhZdTVVOE9iQmVpcGV4CkxZMkZoRXY5TzJVallUQlluaThSaG55M3FBOWZpNjBsTGY5blZOSWFJYnhoTm1MSkxrVlRqazVxZy9oRVRwK3EKQmErUEpOcTRhYm1NSkJrT2pQaW1tdzFFb2JwaWtHNFltZHQ2dkQrVmZEbVQveEJ5cUxqc0dFSUx3eDhuc3RpbwpTZWhLSlNweCsxaWJMOXhCdzlKbXc2KzVJWXlNUW00SW5TUkc0Y2xUbHdKcVE5R3g3Y2p6dnBSS0orM0I5MTBVCjdzOEhGakhSaHdOcnlZblpDVXRnSkFjWnJHM095ckZJQXlqWEd5M2x0WHI1am94OFNSdGYvK1RRclhodlpESkkKS0RxSGVyK1JhN0NEaDFNcE1mTGRNYXpJWGNBTXg3amJXN2pTL3dJREFRQUJBb0lCQVFDalRXT2dkbEtSeTJrWApjcE5hNUFqQ0h4SXV1ZkNLdDNFYXMzaTdTbkxBNTQvRy8zVzd2VThYTEFBMWk2S2M1cHB4cTZiMnJWZ3NLKzNDClEzYkVRdUl2SWo0NU55bS9mcklVNXBHcUhpMEtTcDRBMlFxdnBNWXNSb1R4ZlNRdlFnUkNMNmFzL1A5aFdEV0cKUEN3ZU5Bb1pvcEJsSk51YmJJNWlSbnN5UUErbzlOckVSWFhKNDZvU0l3d0RvTjF1eHJzelgyR2ZqLzhRa2Q1Mgptd005cnBvaGRlKzFhUit0R1QwSUxOeThlaDBBMFVSVm5kSEhLY2Y1M1ZzVEthZWtOTjNDSUR4YTFEYzVQRk5qCmtYbEVJY0VmOEc2UFJ5ejMxYnlTOFA0QURnREJXc0I3YkNPSVNKc205dG9jSGRubWpqYnRPWVViMnM0ekpMN2wKTWIzZlBtT0JBb0dCQU8vQkJhQjR6ZEkrV0tUdFJhYnJhcVo4NkUrTDJxei9yRnE5NnkzbUtRZ0tvRkNPeXdjcAorOXI1UFh2T3JlQkxqR0hzUytvbDNvQVVwdVlIVklJMEpvMmN2WHRFc3J1d0VJcHV3MzFMNVdVT0dFZUdJaVV3CnBzaDFROGlFeklMVlhKdW93bGdWVGpQTHU4SjQvMzN4RHlOZjNhdVhCQUFMSWVHamFjQUhtUmZKQW9HQkFNR0gKbnowcHY1MWVtRHZ4d0VPRlkyQ3Y3T0RmbHduNnY2RXlhSmRBaDE1RGVoamVSN3haZ3JHWVJ6Q1dTRkdzZEgrSwpjMlRTNE5xbHJWL0JqOG4rK3VOcGdzUmxLOWtGRGZYTkZKM1llakF0OVRINUpYSFZ0N0ZjcmdCL2xpSUJ2NkZHCmY2ZHRYRE9SaG13ZkZqUGUyNnVwdFlheHl5NEdLWTJpamdKMHh3aUhBb0dBV0RoTFRNQUc1Q3ppeTFVdmd2c3YKRkRIei9ZazFudUM1Vis1NFFqeGxycnJTUUxJNlRObUsvZ2ttTVk5Y2RhTDI5ZlZQL2NtUGRNdWttaEhxYTdxcQowUUx5eWcvK1FJZkpubGFoZ2xKU0IzeEhQTkpEY0RIVnZQOUJRT0IwckZPOEx0N0xIRVJDc1Zadk1XRDZpaW9RCmF2RFVqVllWTjdyZzdia0dxWTFpTE5rQ2dZQTZYbU1pbVZMWGJjNVFWZ3Q4MGVBMUt4b3dnSDhYWFc4cWVQK2UKanJIRk5taSswMXVqYlFQRCtIK1FJZU5SN3NkOEtBL0JtdkNDUVhIVzdaUW1naWE5Sy9kcXNIRFhGWFV1YTFvSwplVjN3NWd1THRPOGNOQzhnNlNqNXNZRmdaRktkbTV1b3JZMGZhSWE0V1cvaTJSWTc0Z1dEeUYvVlU3cDRvMHhkClpVY2FSUUtCZ0JzNkdjUndHRm9oVTZGL0UrUEJvT
k5vOTUwcThCOFVocXRnRmhVSklvTnFQeUdBcWttRWpKTmoKRGRYODJibVJ1T21FWWVGS0c2anU1UlhqbkZKdFhSOVZVeUYveURrNncxVTlrR09HUWFYK3VndkVkRWxKbzI2MQo2NytDbWNHT0FOaFFqeFFqbmlETXdkQmMySFczWVBjQXNHUENaTTBxRlIzTU5yWEhMLzA3Ci0tLS0tRU5EIFJTQSBQUklWQVRFIEtFWS0tLS0tCg==
kind: Secret
metadata:
  creationTimestamp: null
  name: pod-annotate-webhook-certs

3. Deploy the webhook service

apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: pod-annotate-webhook
  namespace: app
  labels:
    app: pod-annotate-webhook
spec:
  replicas: 1
  template:
    metadata:
      labels:
        app: pod-annotate-webhook
    spec:
      containers:
        - name: pod-annotate-webhook
          image: registry.cn-hangzhou.aliyuncs.com/zjltest/pod-annotate:v1
          imagePullPolicy: Always
          args:
            - -tls-cert-file=/etc/webhook/certs/cert.pem
            - -tls-key-file=/etc/webhook/certs/key.pem
          volumeMounts:
            - name: webhook-certs
              mountPath: /etc/webhook/certs
              readOnly: true
      volumes:
        - name: webhook-certs
          secret:
            secretName: pod-annotate-webhook-certs
---
apiVersion: v1
kind: Service
metadata:
  name: pod-annotate-webhook
  namespace: app
  labels:
    app: pod-annotate-webhook
spec:
  ports:
  - port: 443
    targetPort: 8080
  selector:
    app: pod-annotate-webhook

4. Register the webhook above

apiVersion: admissionregistration.k8s.io/v1beta1
kind: MutatingWebhookConfiguration
metadata:
  name: pod-annotate-webhook
  labels:
    app: pod-annotate-webhook
    kind: mutator
webhooks:
  - name: pod-annotate-webhook.app.svc
    clientConfig:
      service:
        name: pod-annotate-webhook
        namespace: app
        path: "/mutate"
      caBundle: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUN5akNDQWJJQ0NRRDFQM2RoS0tISEdUQU5CZ2txaGtpRzl3MEJBUXNGQURBbk1TVXdJd1lEVlFRRERCeHcKYjJRdFlXNXViM1JoZEdVdGQyVmlhRzl2YXk1aGNIQXVjM1pqTUI0WERUSXdNREl5TlRBNE5UY3pNMW9YRFRJeApNREl5TkRBNE5UY3pNMW93SnpFbE1DTUdBMVVFQXd3Y2NHOWtMV0Z1Ym05MFlYUmxMWGRsWW1odmIyc3VZWEJ3CkxuTjJZekNDQVNJd0RRWUpLb1pJaHZjTkFRRUJCUUFEZ2dFUEFEQ0NBUW9DZ2dFQkFMVS9pU29kU1VDYlhFNDYKUHZsNkVVeVVyRHE4dnNlK09NQngyTHVWUERtd1hvcVhzUzJOaFlSTC9UdGxJMkV3V0o0dkVZWjh0NmdQWDR1dApKUzMvWjFUU0dpRzhZVFppeVM1RlU0NU9hb1A0UkU2ZnFnV3ZqeVRhdUdtNWpDUVpEb3o0cHBzTlJLRzZZcEJ1CkdKbmJlcncvbFh3NWsvOFFjcWk0N0JoQ0M4TWZKN0xZcUVub1NpVXFjZnRZbXkvY1FjUFNac092dVNHTWpFSnUKQ0owa1J1SEpVNWNDYWtQUnNlM0k4NzZVU2lmdHdmZGRGTzdQQnhZeDBZY0RhOG1KMlFsTFlDUUhHYXh0enNxeApTQU1vMXhzdDViVjYrWTZNZkVrYlgvL2swSzE0YjJReVNDZzZoM3Eva1d1d2c0ZFRLVEh5M1RHc3lGM0FETWU0CjIxdTQwdjhDQXdFQUFUQU5CZ2txaGtpRzl3MEJBUXNGQUFPQ0FRRUFvdjI1NHlNTnV4U0NtdVpsWHBmUmhSY2YKbFhLQU5pdmZpQ1NzaTRPeUVBSUEzbEV3VTByREt5Y2l5Ly9CdkJWa2ZhR3ErVHVCTEEvTkRmTlIwczlLaVA5QwpDS1VsR3UxUG1VS2ZNT043eHJ4REE5RDArSFVPK3NoQVRPNkp6eWdCUUtseE5FVUR2NW1kUjlOSldpV2ovVStXCmZhSTRTc3g3SzJBZzJJOWpubnJFSHRDN2pFTXpIenBVdVZLMTBYQ1ZESVRmbHg4Yy9COHZhUEdqaXQvbStsVVQKVVkwSHNQVTA1dUZCTFlsdEJYell3dzNFK2Fudmp0Z1BWb1RCcWU3UzJaMWNJczhqTVp4OFVvdWdNNVJnNUIvKwpoR3Iwc01DK0RLY054T0I3UWQydndZRWx2bnFUMWNzeEpnbTZUcjluNGxGUDV2SCtGcjNqdFkveHI4anlXUT09Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
    rules:
      - operations: [ "CREATE" ]
        apiGroups: [""]
        apiVersions: ["v1"]
        resources: ["pods"]
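
The cert.pem deployed in step 2 must chain to the caBundle registered in step 4 and be valid for the Service name pod-annotate-webhook.app.svc, otherwise the API server cannot call the webhook. The Go program below is an added example, not code from the original post or from kubewebhook: it generates a self-signed pair and repeats that check. The function names newWebhookCert and verifyAgainstBundle are hypothetical.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// newWebhookCert returns a self-signed cert and RSA key (PEM); dnsName is CN and SAN.
func newWebhookCert(dnsName string) (certPEM, keyPEM []byte, err error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: dnsName},
		DNSNames:     []string{dnsName}, // current Go TLS clients match the SAN, not the CN
		NotBefore:    time.Now().Add(-time.Minute), NotAfter: time.Now().AddDate(1, 0, 0),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		IsCA:         true, BasicConstraintsValid: true, // self-signed: it is its own CA
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}),
		pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(key)}), err
}

// verifyAgainstBundle: cert.pem must chain to caBundle and cover the Service DNS name.
func verifyAgainstBundle(certPEM, caBundle []byte, dnsName string) error {
	roots := x509.NewCertPool()
	block, _ := pem.Decode(certPEM)
	if block == nil || !roots.AppendCertsFromPEM(caBundle) {
		return fmt.Errorf("cert.pem or caBundle is not valid PEM")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err == nil {
		_, err = cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: dnsName})
	}
	return err
}

func main() {
	cert, _, _ := newWebhookCert("pod-annotate-webhook.app.svc")
	fmt.Println(verifyAgainstBundle(cert, cert, "pod-annotate-webhook.app.svc"))
}
```

Base64-encode the returned cert.pem and key.pem for the Secret's data fields. For a self-signed certificate, the same base64 cert.pem is the caBundle value.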

Reposted from www.cnblogs.com/orchidzjl/p/12365156.html