morvencao / kube-sidecar-injector
A Kubernetes mutating webhook server that implements sidecar injection
License: Apache License 2.0
Hi Morvencao,
I was referring to your repo and am unable to get the volumeMount config; may I know what I am missing here, or is there any workaround for it?
Hello,
As I'm using the newest Kubernetes version, 1.22.0, I have to use the apiVersion certificates.k8s.io/v1 instead of certificates.k8s.io/v1beta1. After deployment of webhook-create-signed-cert.sh I got this failure:
error: error validating "STDIN": error validating data: ValidationError(CertificateSigningRequest.spec): missing required field "signerName" in io.k8s.api.certificates.v1.CertificateSigningRequestSpec; if you choose to ignore these errors, turn validation off with --validate=false
Can someone tell me which signerName has to be set?
Greetings
Daniel
In a new namespace called injection, the injected container needs nginx-configmap, but it does not exist in the current namespace.
/opt/mytempwork/sidecar/kube-mutating-webhook-tutorial-master is not within a known GOPATH/src
# _/opt/mytempwork/sidecar/kube-mutating-webhook-tutorial-master
./webhook.go:70:20: cannot use runtimeScheme (type *"k8s.io/apimachinery/pkg/runtime".Scheme) as type *"k8s.io/kubernetes/vendor/k8s.io/apimachinery/pkg/runtime".Scheme in argument to "k8s.io/kubernetes/pkg/apis/core/v1".AddToScheme
Sending build context to Docker daemon 285.7kB
Step 1/3 : FROM alpine:latest
latest: Pulling from library/alpine
9d48c3bd43c5: Pull complete
Digest: sha256:72c42ed48c3a2db31b7dafe17d275b634664a708d901ec9fd57b1529280f01fb
Status: Downloaded newer image for alpine:latest
---> 961769676411
Step 2/3 : ADD kube-mutating-webhook-tutorial /kube-mutating-webhook-tutorial
ADD failed: stat /var/lib/docker/tmp/docker-builder643695243/kube-mutating-webhook-tutorial: no such file or directory
When I try to compile kube-mutating-webhook-tutorial/webhook.go I get an error that
_ = v1.AddToScheme(runtimeScheme)
does not exist:
./webhook.go:70:20: cannot use runtimeScheme (type *"k8s.io/apimachinery/pkg/runtime".Scheme) as type *"k8s.io/kubernetes/vendor/k8s.io/apimachinery/pkg/runtime".Scheme in argument to "k8s.io/kubernetes/pkg/apis/core/v1".AddToScheme
When I comment out this line it seems to compile.
Hello, I would like to ask: when the API Server calls the webhook extension, is the message JSON or protobuf? Our stack is mainly Java and I am not very familiar with Go, so I want to try whether similar functionality can be implemented in Java; right now I am not clear about the message format. I see that the Go parameter declarations carry both JSON and protobuf tags, so I'd like to ask whether the message the API Server sends to the webhook is JSON or protobuf, or whether it is configurable. Many thanks!
Error:
error: error validating "STDIN": error validating data: [apiVersion not set, kind not set]; if you choose to ignore these errors, turn validation off with --validate=false
Positive result: the injector pod is mapped to mutatingwebhookconfiguration.admissionregistration.k8s.io/sidecar-injector-webhook.
However, when I increase the replicas to 2, the mutating webhook maps to ONLY one of the pod instances. As a result, any sidecar injection using the other pod will fail. Is this a known issue? Do you have any suggestions?
I ran the webhook-patch-ca-bundle.sh script to replace ${CA_BUNDLE}. On running kubectl create for mutatingwebhook-ca-bundle.yaml, I get the following error:
error validating "deployment/mutatingwebhook-ca-bundle.yaml": error validating data: ValidationError(MutatingWebhookConfiguration.webhooks[0].clientConfig.caBundle): invalid type for io.k8s.api.admissionregistration.v1beta1.WebhookClientConfig.caBundle: got "array", expected "string"; if you choose to ignore these errors, turn validation off with --validate=false
When I manually replaced ${CA_BUNDLE} with the output of (kubectl get configmap -n kube-system extension-apiserver-authentication -o=jsonpath='{.data.client-ca-file}' | base64 | tr -d '\n'), it seems to be fine.
Hello, I have followed the tutorial and managed to deploy and run an injected pod.
However, when I run the same deployment definition in a different namespace, it is unable to start the pod.
I have labeled the new namespace as instructed.
Are there any additional steps needed in order to inject pods in another namespace?
I am trying to run make build-image on an ARM instance and I get:
# make build-image
Building the tcp-health binary for Docker (linux) aarch64 ...
cmd/go: unsupported GOOS/GOARCH pair linux/aarch64
make: *** [build-linux] Error 2
Golang is installed so I am not sure what else is needed.
# go version
go version go1.15.14 linux/arm64
kubectl create -f deployment/mutatingwebhook-ca-bundle.yaml
error: error validating "deployment/mutatingwebhook-ca-bundle.yaml": error validating data: ValidationError(MutatingWebhookConfiguration.webhooks[0].clientConfig.caBundle): invalid type for io.k8s.api.admissionregistration.v1beta1.WebhookClientConfig.caBundle: got "array", expected "string"; if you choose to ignore these errors, turn validation off with --validate=false.
----
cat deployment/mutatingwebhook-ca-bundle.yaml
caBundle: [45 45 45 45 45....... 69 45 45 45 45 45 10]
Hello, I'm following your fantastic article about mutating webhooks and I'm trying to understand what happens underneath; unfortunately I'm struggling to understand what the addContainer func does.
Can you please explain to me what you are doing in this block:
	first := len(target) == 0
	for _, add := range added {
		value = add
		path := basePath
		if first {
			first = false
			value = []corev1.Container{add}
		} else {
			path = path + "/-"
		}
original function:
func addContainer(target, added []corev1.Container, basePath string) (patch []patchOperation) {
	first := len(target) == 0
	var value interface{}
	for _, add := range added {
		value = add
		path := basePath
		if first {
			first = false
			value = []corev1.Container{add}
		} else {
			path = path + "/-"
		}
		patch = append(patch, patchOperation{
			Op:    "add",
			Path:  path,
			Value: value,
		})
	}
	return patch
}
Thanks for your help!
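As an added example (not code from the repository or from any poster in this thread), here is addContainer exercised end to end; it also answers the earlier question about the message format: the API server POSTs an AdmissionReview to the webhook as JSON and reads the reply as JSON, with the JSON Patch carried base64-encoded in response.patch. The block being asked about is about RFC 6902 semantics: an "add" on "<path>/-" appends to an array that must already exist, so when the Pod has nothing under basePath the first op adds the whole array at basePath itself, and only the later ops use "/-". The Container type below is a two-field stand-in for corev1.Container (an assumption so the example builds without k8s.io/api), the AdmissionReview structs are trimmed to the fields used, and the request JSON is constructed for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Container stands in for corev1.Container (assumed: only the fields this
// example needs, so it builds without k8s.io/api).
type Container struct {
	Name  string `json:"name"`
	Image string `json:"image"`
}

// patchOperation is one RFC 6902 JSON Patch op, as in the project's webhook.
type patchOperation struct {
	Op    string      `json:"op"`
	Path  string      `json:"path"`
	Value interface{} `json:"value,omitempty"`
}

// addContainer is the function asked about. "add" on "<path>/-" appends to an
// array that must already exist, so when the pod has nothing under basePath
// the first op creates the whole array there; every later op appends with "/-".
func addContainer(target, added []Container, basePath string) (patch []patchOperation) {
	first := len(target) == 0
	var value interface{}
	for _, add := range added {
		value = add
		path := basePath
		if first {
			first = false
			value = []Container{add}
		} else {
			path = path + "/-"
		}
		patch = append(patch, patchOperation{Op: "add", Path: path, Value: value})
	}
	return patch
}

// AdmissionReview (admission.k8s.io/v1), trimmed to the fields used here. The
// API server posts it as JSON and reads the reply as JSON; the patch is JSON
// too, carried base64-encoded in response.patch.
type admissionReview struct {
	APIVersion string             `json:"apiVersion"`
	Kind       string             `json:"kind"`
	Request    *admissionRequest  `json:"request,omitempty"`
	Response   *admissionResponse `json:"response,omitempty"`
}
type admissionRequest struct {
	UID    string          `json:"uid"`
	Object json.RawMessage `json:"object"`
}
type admissionResponse struct {
	UID       string `json:"uid"`
	Allowed   bool   `json:"allowed"`
	PatchType string `json:"patchType,omitempty"`
	Patch     []byte `json:"patch,omitempty"` // []byte marshals as base64
}
type podSpec struct { // the part of the Pod object the mutation reads
	Spec struct {
		InitContainers []Container `json:"initContainers"`
		Containers     []Container `json:"containers"`
	} `json:"spec"`
}

// mutate decodes a review, injects one init container and one sidecar, and
// returns the AdmissionReview reply the API server expects.
func mutate(reviewJSON []byte, initC, sidecar Container) ([]byte, error) {
	var review admissionReview
	if err := json.Unmarshal(reviewJSON, &review); err != nil {
		return nil, err
	}
	if review.Request == nil {
		return nil, fmt.Errorf("AdmissionReview has no request")
	}
	var pod podSpec
	if err := json.Unmarshal(review.Request.Object, &pod); err != nil {
		return nil, err
	}
	patch := addContainer(pod.Spec.InitContainers, []Container{initC}, "/spec/initContainers")
	patch = append(patch, addContainer(pod.Spec.Containers, []Container{sidecar}, "/spec/containers")...)
	patchBytes, err := json.Marshal(patch)
	if err != nil {
		return nil, err
	}
	review.Response = &admissionResponse{UID: review.Request.UID, Allowed: true, PatchType: "JSONPatch", Patch: patchBytes}
	review.Request = nil // the reply carries only the response
	return json.Marshal(review)
}

// sampleReview is a constructed request: a Pod with one app container and no
// initContainers, so both addContainer branches show up in the patch.
const sampleReview = `{"apiVersion":"admission.k8s.io/v1","kind":"AdmissionReview",
"request":{"uid":"7c0e4d2e-0000-4000-8000-000000000001",
"object":{"spec":{"containers":[{"name":"app","image":"nginx:1.25"}]}}}}`

func main() {
	reply, err := mutate([]byte(sampleReview), Container{Name: "init", Image: "busybox:1.36"}, Container{Name: "sidecar", Image: "nginx:1.25"})
	fmt.Println(string(reply), err)
}
```

Running it prints a reply whose decoded patch has two ops: "/spec/initContainers" with a one-element array as value (the Pod had none), and "/spec/containers/-" with a single container as value (the Pod already had one). Swapping the two orderings, i.e. emitting "/spec/initContainers/-" first, is what makes the API server reject the patch.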
The following issues were found in Gopkg.toml:
✗ unable to deduce repository and source type for "k8s.io/apimachinery": unable to read metadata: unable to fetch raw metadata: failed HTTP request to URL "http://k8s.io/apimachinery?go-get=1": Get http://k8s.io/apimachinery?go-get=1: EOF
✗ unable to deduce repository and source type for "k8s.io/api": unable to read metadata: unable to fetch raw metadata: failed HTTP request to URL "http://k8s.io/api?go-get=1": Get http://k8s.io/api?go-get=1: EOF
Hello,
Following your method, I found the following problem in the sidecar-injector-webhook-deployment-57cb9d9954-qqqlt pod log:
remote error: tls: bad certificate
api-server
W0611 14:21:25.798710 1 dispatcher.go:168] Failed calling webhook, failing open sidecar-injector.istio.io: failed calling webhook "sidecar-injector.istio.io": Post https://sidecar-injector.istio-system.svc:443/mutate?timeout=30s: x509: certificate signed by unknown authority
Hi!
I have been trying to replicate your code in Python and have reached a point where I managed to:
The problem I have is that the certificate is not recognized:
failed to call webhook: Post "...svc:443/mutate?timeout=10s": x509: certificate signed by unknown authority
Looking at your code, I cannot find how the self-signed certificate is made recognizable to Kubernetes. I can see that:
There are 2 CA configs in the script and 2 certificates made. The first is passed to the webhook configuration and the second is used in the webserver together with the private key. I do not quite understand why this is enough for kubernetes to recognize the certificate signer. Isn't there supposed to be a Certificate Signing Request made?
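An added example (not code from the repository or from any poster) that ties together Daniel's signerName error, the two caBundle "got array, expected string" reports and the two "certificate signed by unknown authority" reports above. The API server trusts a webhook's serving certificate only if it chains to a CA carried in the MutatingWebhookConfiguration's clientConfig.caBundle, and that field is the CA certificate's PEM as one base64 string. No CertificateSigningRequest is needed for this trust relationship, which matters because certificates.k8s.io/v1 requires a signerName and does not accept the kubernetes.io/legacy-unknown signer that a v1beta1 CSR without a signerName was defaulted to. The Go below generates a self-signed CA, issues a serving certificate for <service>.<namespace>.svc, produces the caBundle value, and verifies the serving certificate the way the API server does, against the right CA and against an unrelated one. Service and CA names are placeholders, and the key type and validity period are choices made here, not the project's.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

type keyPair struct { // a certificate together with its private key
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// newCert generates a P-256 key and a certificate from tmpl, self-signed when
// parent is nil and otherwise signed by parent.
func newCert(tmpl *x509.Certificate, parent *keyPair) (*keyPair, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	signer := &keyPair{cert: tmpl, key: key} // self-signed
	if parent != nil {
		signer = parent
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer.cert, &key.PublicKey, signer.key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &keyPair{cert: cert, key: key}, nil
}

// newCA builds the self-signed CA whose certificate is what goes into
// MutatingWebhookConfiguration.webhooks[].clientConfig.caBundle.
func newCA(name string) (*keyPair, error) {
	return newCert(&x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}, nil)
}

// issueServingCert signs the certificate the webhook server presents. The API
// server dials https://<service>.<namespace>.svc, so that name must be a SAN.
func issueServingCert(ca *keyPair, service, namespace string) (*keyPair, error) {
	dnsName := fmt.Sprintf("%s.%s.svc", service, namespace)
	return newCert(&x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: dnsName},
		DNSNames:     []string{dnsName, dnsName + ".cluster.local"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, ca)
}

// caBundle returns the value clientConfig.caBundle expects: the CA certificate
// as PEM, base64-encoded into one string (a JSON array of bytes is rejected).
func caBundle(ca *keyPair) string {
	pemBytes := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: ca.cert.Raw})
	return base64.StdEncoding.EncodeToString(pemBytes)
}

// verifyAsAPIServer replays the check the API server makes when it calls the
// webhook: trust only what is in caBundle and require the Service DNS name.
func verifyAsAPIServer(bundle string, serving *x509.Certificate, dnsName string) error {
	pemBytes, err := base64.StdEncoding.DecodeString(bundle)
	if err != nil {
		return err
	}
	roots := x509.NewCertPool()
	if !roots.AppendCertsFromPEM(pemBytes) {
		return fmt.Errorf("caBundle holds no PEM certificate")
	}
	_, err = serving.Verify(x509.VerifyOptions{Roots: roots, DNSName: dnsName})
	return err // nil, or x509.UnknownAuthorityError / x509.HostnameError
}

func main() {
	ca, _ := newCA("sidecar-injector-ca")
	other, _ := newCA("unrelated-ca")
	srv, _ := issueServingCert(ca, "sidecar-injector-webhook-svc", "default")
	fmt.Println("right CA:", verifyAsAPIServer(caBundle(ca), srv.cert, "sidecar-injector-webhook-svc.default.svc"))
	fmt.Println("wrong CA:", verifyAsAPIServer(caBundle(other), srv.cert, "sidecar-injector-webhook-svc.default.svc"))
}
```

The second line of output is the same "certificate signed by unknown authority" the api-server logged above: the CA in caBundle is not the one that signed what the server presents. The api-server line also says "failing open", which is the other half of the story: with failurePolicy Ignore a TLS failure silently admits the Pod without the sidecar, whereas failurePolicy Fail turns the misconfiguration into a visible rejection.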