Kubernetes semaphore Validating Webhook

Posted on Thu 24 September 2020 in Kubernetes

After more than 2 years a new post!

In the path of learning Kubernetes Dynamic Admission Control I wrote a small webhook to be used as a semaphore to deny certains operations on k8s objects with a specific label.

k8s-semaphore is a quick and dirty web.py app implementing the webhook, can be deployed on any Kubernetes cluster.

Here is a self-explaining usage of the admission controller:

$ cat << EOF | oc apply -f -
apiVersion: v1
kind: Pod
metadata:
  annotations:
    bertera.it/k8s-semaphore: red
  name: k8s-semaphore-test
spec:
  containers:
  - name: test
    image: alpine
    # Just spin & wait forever
    command: [ "/bin/bash", "-c", "--" ]
    args: [ "while true; do sleep 30; done;" ]
EOF

$ oc get pod test
NAME     READY   STATUS    RESTARTS   AGE
test     1/1     Running   0          29m

$ oc delete test
Error from server: admission webhook "k8s-semaphore.k8s-semaphore.svc" denied the request: Resource test (kind: Pod, version: v1, group: ) is annotated with bertera.it/k8s-semaphore, cannot be removed

$ oc annotate pod test bertera.it/k8s-semaphore-
pod/test annotated

$ oc delete pod test
pod "test" deleted

The label name and value can be modified via the environemt variables SEMAPHORE_ANNOTATION and SEMAPHORE_RED. Depending on the definition of the ValidatingWebhookConfiguration the admission controller can be applied to any Kubernetes resource and verbs.

Look at the manifest.yaml for an example deployment and ValidatingWebhookConfiguration.

Hint: OpenShift Webhook Certificate Manager can help deploying the Webhook certificate on OpenShift.

Kubernetes OpenShift