Based on "Kubernetes Mutating Webhook for Sidecar Injection".

This repository shows how to deploy a MutatingAdmissionWebhook that injects a `wallarm-sidecar` container into application pods.

## Prerequisites

- git
- go version v1.12+
- docker version 17.03+
- kubectl version v1.11.3+
- Access to a Kubernetes v1.11.3+ cluster with the `admissionregistration.k8s.io/v1beta1` API enabled. Verify that with the following command:

  ```
  kubectl api-versions | grep admissionregistration.k8s.io
  ```

  The result should be `admissionregistration.k8s.io/v1`, `admissionregistration.k8s.io/v1beta1`, or both.

## Build

- Build the docker image:

  ```
  make build-image
  ```

- Push the docker image into a registry:

  ```
  make push-image
  ```

  NB: you must be logged in to the docker registry.

## Deploy

- Create the namespace `sidecar-injector`, in which the sidecar injector webhook is deployed:

  ```
  kubectl create ns sidecar-injector
  ```

- Create a signed cert/key pair and store it in a Kubernetes secret that will be consumed by the sidecar injector deployment:

  ```
  ./deployment/webhook-create-signed-cert.sh \
      --service sidecar-injector-webhook-svc \
      --secret sidecar-injector-webhook-certs \
      --namespace sidecar-injector
  ```

- Patch the `MutatingWebhookConfiguration` by setting `caBundle` to the correct value from the Kubernetes cluster:

  ```
  cat deployment/mutatingwebhook.yaml | \
      deployment/webhook-patch-ca-bundle.sh > \
      deployment/mutatingwebhook-ca-bundle.yaml
  ```

- Deploy the resources:

  ```
  kubectl create -f sidecar-deployment/injection-configmap.yaml
  kubectl create -f sidecar-deployment/sidecar-deployment.yaml
  kubectl create -f sidecar-deployment/sidecar-service.yaml
  kubectl create -f sidecar-deployment/mutatingwebhook-ca-bundle.yaml
  ```

- The sidecar injector webhook should be in the running state:

  ```
  kubectl -n sidecar-injector get pod
  ```

- Create a new namespace `injection` and label it with `sidecar-injection=enabled`:

  ```
  kubectl create ns injection
  kubectl label namespace injection sidecar-injection=enabled
  kubectl get namespace -L sidecar-injection
  NAME               STATUS   AGE   SIDECAR-INJECTION
  default            Active   26m
  injection          Active   13s   enabled
  kube-public        Active   26m
  kube-system        Active   26m
  sidecar-injector   Active   17m
  ```

- Set the node token to be used. Replace `<NODE_TOKEN>` with the relevant value from the Wallarm UI:

  ```
  ./deployment/wallarm-token-patch.sh '<NODE_TOKEN>'
  ```

- Deploy the dvwa app in the Kubernetes cluster:

  ```
  kubectl create -f deployment/wallarm-nginx-configmap.yaml
  kubectl create -f deployment/wallarm-secret-patched.yaml
  kubectl create -f deployment/wallarm-deploy.yaml
  kubectl create -f deployment/wallarm-service.yaml
  kubectl create -f deployment/mutatingwebhook-ca-bundle.yaml
  ```

- Verify that the sidecar container is injected:

  ```
  kubectl get pods -n injection
  NAME                     READY   STATUS    RESTARTS   AGE
  myapp-84886f8ff9-4gwpr   3/3     Running   0          17s
  ```
## Troubleshooting

If the sidecar is not injected as expected, check the following:

- The webhook is in the running state.
- The namespace in which the application pod is deployed has the correct labels, as configured in the `mutatingwebhookconfiguration`.
- Check that the `caBundle` has been patched into the `mutatingwebhookconfiguration` object by checking whether the `caBundle` field is empty.
- Check that the `WALLARM_TOKEN` has been patched into `wallarm-secret-patched.yaml`.
- The `targetPort` of the service has changed to `56245`, the port of the wallarm-sidecar container.
- Ensure that the deployment and service have the annotation `sidecar-injector-webhook.wallarm.injected/inject: "true"`.
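The two gates in this checklist (the namespace label and the inject annotation) and the JSON Patch the webhook answers with, as an added Go example written for this README. It is not the repository's `webhook.go`: it uses standard-library stand-ins for the Kubernetes API types so it runs offline, and the container name `wallarm-sidecar` is an assumption.

```go
package main
import "encoding/json"

// Values from the README (label, annotation, image from injection-configmap.yaml,
// sidecar port); the container name "wallarm-sidecar" is an assumption.
const (
	NamespaceLabel   = "sidecar-injection"
	InjectAnnotation = "sidecar-injector-webhook.wallarm.injected/inject"
	SidecarName      = "wallarm-sidecar"
	SidecarImage     = "wallarm/wallarm-node-sidecar:slim"
	SidecarPort      = 56245
)
// Minimal stand-ins for the k8s.io/api types so the example runs offline.
type Port struct{ ContainerPort int `json:"containerPort"` }
type Container struct {
	Name  string `json:"name"`
	Image string `json:"image"`
	Ports []Port `json:"ports,omitempty"`
}
type Pod struct{ Annotations map[string]string; Containers []Container }
// PatchOp is one RFC 6902 operation, returned in the AdmissionResponse as JSONPatch.
type PatchOp struct {
	Op    string      `json:"op"`
	Path  string      `json:"path"`
	Value interface{} `json:"value,omitempty"`
}
// MutationRequired applies the checklist's two gates (namespace label
// sidecar-injection=enabled, inject annotation "true") and skips pods that
// already carry the sidecar, so a re-submitted pod is not injected twice.
func MutationRequired(nsLabels map[string]string, pod Pod) bool {
	if nsLabels[NamespaceLabel] != "enabled" || pod.Annotations[InjectAnnotation] != "true" {
		return false
	}
	for _, c := range pod.Containers {
		if c.Name == SidecarName {
			return false
		}
	}
	return true
}
// CreatePatch appends the sidecar. "/-" only works on an existing array, so an
// empty containers list is created with the array path instead.
func CreatePatch(pod Pod) ([]byte, error) {
	sidecar := Container{Name: SidecarName, Image: SidecarImage, Ports: []Port{{ContainerPort: SidecarPort}}}
	op := PatchOp{Op: "add", Path: "/spec/containers/-", Value: sidecar}
	if len(pod.Containers) == 0 {
		op = PatchOp{Op: "add", Path: "/spec/containers", Value: []Container{sidecar}}
	}
	return json.Marshal([]PatchOp{op})
}
```

The real webhook applies the same decision to the `AdmissionReview` it receives and returns the marshalled patch with `patchType: JSONPatch`; the service `targetPort` change to `56245` is a separate mutation not shown here.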
## Notes

- Make sure that `proxy_pass http://localhost:80;` defined in `wallarm-nginx-configmap.yaml` is appropriate for your app. The app should be listening on port 80; if not, you can easily change it to a suitable one, for instance `proxy_pass http://localhost:8080;`.
- If port `56245` is occupied in your app, you can change it to a different one in `webhook.go:L200`.
- You might want to use your own docker hub to host the sidecar container. In this case, you can use the `docker-wallarm-node` folder, which contains all the necessary information. When all is said and done, substitute `wallarm/wallarm-node-sidecar:slim` in `injection-configmap.yaml` with your own image.

NB: `wallarm-nginx-configmap.yaml` still needs to be in the correct namespace, distinct from the webhook's one.