zhangguanzhang's Blog

编写一个动态准入控制

字数统计: 454阅读时长: 2 min
2020/04/03 
1
2
3
4
5
6
7
8
apiVersion: v1
kind: Pod
metadata:
  name: test
spec:
  containers:
  - name: test
    image: nginx:alpine
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
{
   "kind":"Pod",
   "apiVersion":"v1",
   "metadata":{
      "name":"test",
      "namespace":"default",
      "creationTimestamp":null,
      "annotations":{
         "kubectl.kubernetes.io/last-applied-configuration":"{\"apiVersion\":\"v1\",\"kind\":\"Pod\",\"metadata\":{\"annotations\":{},\"name\":\"test\",\"namespace\":\"default\"},\"spec\":{\"containers\":[{\"image\":\"nginx:alpine\",\"name\":\"test\"}]}}\n"
      }
   },
   "spec":{
      "volumes":[
         {
            "name":"default-token-lsh6v",
            "secret":{
               "secretName":"default-token-lsh6v"
            }
         }
      ],
      "containers":[
         {
            "name":"test",
            "image":"nginx:alpine",
            "resources":{
               
            },
            "volumeMounts":[
               {
                  "name":"default-token-lsh6v",
                  "readOnly":true,
                  "mountPath":"/var/run/secrets/kubernetes.io/serviceaccount"
               }
            ],
            "terminationMessagePath":"/dev/termination-log",
            "terminationMessagePolicy":"File",
            "imagePullPolicy":"IfNotPresent"
         }
      ],
      "restartPolicy":"Always",
      "terminationGracePeriodSeconds":30,
      "dnsPolicy":"ClusterFirst",
      "serviceAccountName":"default",
      "serviceAccount":"default",
      "securityContext":{
         
      },
      "schedulerName":"default-scheduler",
      "enableServiceLinks":true
   },
   "status":{
      
   }
}
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51

var (
	TerminationGracePeriodSeconds int64 = 30
	EnableServiceLinks = true
)

var pod = corev1.Pod{
	TypeMeta:   metav1.TypeMeta{
		Kind: "pod",
		APIVersion: "v1",
	},
	ObjectMeta: metav1.ObjectMeta{
		Name: "test",
		Namespace: "default",
		CreationTimestamp: metav1.Time{},
	},
	Spec:       corev1.PodSpec{
		Volumes: []corev1.Volume{
			{
				Name: "default-token-lsh6v",
				VolumeSource: corev1.VolumeSource{
					Secret: &corev1.SecretVolumeSource{
						SecretName: "default-token-lsh6v",
					},
				},
			},
		},
		Containers: []corev1.Container{
			{
				Name: "test",
				Image: "nginx:alpine",
				Resources: corev1.ResourceRequirements{},
				VolumeMounts: []corev1.VolumeMount{
					{
						Name: "default-token-lsh6v",
						ReadOnly: true,
						MountPath: "/var/run/secrets/kubernetes.io/serviceaccount",
					},
				},
			},
		},
		RestartPolicy: corev1.RestartPolicyAlways,
		TerminationGracePeriodSeconds: &TerminationGracePeriodSeconds,
		DNSPolicy: corev1.DNSClusterFirst,
		ServiceAccountName: "default",
		SecurityContext: &corev1.PodSecurityContext{},
		SchedulerName: "default-scheduler",
		EnableServiceLinks: &EnableServiceLinks,
	},
	Status:     corev1.PodStatus{},
}

https://github.com/redhat-cop/podpreset-webhook/blob/master/pkg/handler/handler.go#L107
https://pkg.go.dev/sigs.k8s.io/controller-runtime/pkg/webhook/admission#PatchResponseFromRaw

原文作者:Zhangguanzhang

原文链接:http://zhangguanzhang.github.io/2020/04/03/kubernetes-admission-controllers/

发表日期:四月 3日 2020, 7:28:30 晚上

更新日期:四月 3日 2020, 7:28:30 晚上

版权声明:本文采用知识共享署名-非商业性使用 4.0 国际许可协议进行许可

CATALOG
Total : 190
2025
2024
2023
2022
2021
2020
2019
2018
2017
2016
linux 微信 diy 8266 总结 ipmi CLP k8s Mismatch Altium Designer ansible consul docker lnmp 安卓 Linux kernel prometheus exporter boot grub cad tcp golang centos6 chromedp chrony kubernetes cni-plugins mips64le kubeconfig swap dlv adguardhome dns Dockerfile e2fsck fsck keepavlied ecs xmrig etcd fio flannel ftp go mod go gobot esp8266 hello world host-gw mqtt 原创 jira confluence kube-controller-manager java springboot vip keepalived ConfigMap PodAffinity kylin arm64 Kylin audit fs nginx microsoft graph onedrive nodeport usb-net overlay kernal preseed Prometheus openstack cloud-init python containerd keepalive shell bash skopeo ssh kubelet systemd dockerhub gcr.io api ubuntu18 initrd tftp uos x86 openwrt zabbix zombie 正则 awk EmuELEC ingress N1 cobra hang cifs http lvs ipvsadm kube-proxy 63s timeout lamp nfc pm3 coredns openshift ocp squashfs timezone rpm rpmbuild segfault suse wireguard raid kubeadm operator exsi redhat8.4 vxlan veth panic supervisor pyinstaller ttf woff hostname qemu binfmt_misc loongarch64 externalIP cgo nfs ipset proxmox non-root containers vmware hung apparmor serviceAccountToken gpu nvidia cri-dockerd pprof trivy redis /etc/resolv.conf hostPort hotplug android headscale derper iptables inotifywait confd net clickhouse ssl aliyun
日志 心得 闲搞 ipmi kubernetes ansible kubelet Linux 心得 prometheus boot Auto cad boot golang kubeconfig grub linux centos6 容器 docker docker 容器 openstack boot vsftp go version panic gobot 闲聊 iptables admission kube-controller-manager keepalived k8s Prometheus Job k8s lua microsoft openwrt preseed Prometheus proxmox 总结 CI Kylin ubuntu18 pxe uos graph 运维 zombie 技巧 travis docker onedrive kickstart consul fstab http vxlan coredns node-cache golang kmem suse wireguard raid kubeadm LVM kickstart prometheus raid