The Ops Community ⚙️: Jamie Gaskins The latest articles on The Ops Community ⚙️ by Jamie Gaskins (@jgaskins). https://community.ops.io/jgaskins https://community.ops.io/images/mn4LT8vhQO-5L0PKTf-2GoZn469TCEXqMcaItO-aZcQ/rs:fill:90:90/g:sm/mb:500000/ar:1/aHR0cHM6Ly9jb21t/dW5pdHkub3BzLmlv/L3JlbW90ZWltYWdl/cy91cGxvYWRzL3Vz/ZXIvcHJvZmlsZV9p/bWFnZS8xMjg4L2Q4/ZThjMmEzLTk0NDct/NGQyYi04NzZkLWU2/NGEzZDFjZWI3ZS5q/cGc The Ops Community ⚙️: Jamie Gaskins https://community.ops.io/jgaskins en Kubernetes webhooks and certs for those webhooks Jamie Gaskins Sun, 05 Feb 2023 23:07:44 +0000 https://community.ops.io/jgaskins/kubernetes-webhooks-and-certs-for-those-webhooks-hbb https://community.ops.io/jgaskins/kubernetes-webhooks-and-certs-for-those-webhooks-hbb <p>I'm experimenting with running ARM-based workloads on GKE so I need to set <code>nodeSelector: {kubernetes.io/arch: arm64}</code> on every pod, including ones I don't own (various operators like Cert Manager and Nginx Ingress Controller). I've had to manually go in and add that field to every <code>Deployment</code> and <code>StatefulSet</code> so far manually.</p> <p><a href="https://microblog.shivering-isles.com/@sheogorath/109733852122346226" rel="noopener noreferrer">Someone recommended</a> using a <code>MutatingWebhook</code> to achieve that, so I'm learning about those and I have one deployed to my GKE cluster, but the request isn't making it to my HTTP server. The <a href="https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#service-reference" rel="noopener noreferrer">service reference docs</a> don't specifically mention a requirement for TLS, but the URL-based webhook docs do. I imagine the service reference does require TLS, though, so maybe it's failing TLS verification? I wasn't using TLS at all, just plain HTTP. Does this seem right? </p> <p>Also, if that's the case, I'm spoiled by Cert Manager and I never want to go back to dealing with CSRs manually, and every K8s webhook tutorial I can find seems to tell you to do just that with the <code>openssl req</code> CLI. So since I've already got Cert Manager running in the cluster, does it make sense to provision a <code>Certificate</code> resource (presumably something like <code>my-webhook-service.my-webhook-namespace.svc.cluster.local</code> for the TLS name?), then mount the resulting secret as a volume and load the <code>.key</code> file in the app? Or is there something easier?</p> <h2> [EDIT] Got it working! 🎉 </h2> <p>Turns out, Cert Manager actually has <a href="https://cert-manager.io/docs/concepts/ca-injector/" rel="noopener noreferrer">a documentation page</a> for <em>this very specific use case</em>. I'd always wondered what the <code>cert-manager-cainjector</code> deployment was for, tbh.</p> <p>Anyway, here's what I did, with comments:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="nn">---</span> <span class="c1"># Everything in a namespace so I could just delete</span> <span class="c1"># it any time I needed</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Namespace</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">webhook-test</span> <span class="nn">---</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">admissionregistration.k8s.io/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">MutatingWebhookConfiguration</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">pod-mutating-webhook.jgaskins.dev</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">webhook-test</span> <span class="na">annotations</span><span class="pi">:</span> <span class="c1"># This is what tells CertManager to inject</span> <span class="c1"># the `caBundle` for certs we generate below</span> <span class="na">cert-manager.io/inject-ca-from</span><span class="pi">:</span> <span class="s">webhook-test/pod-mutating-webhook</span> <span class="na">webhooks</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">pod-mutating-webhook.jgaskins.dev</span> <span class="na">admissionReviewVersions</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">v1</span><span class="pi">]</span> <span class="na">rules</span><span class="pi">:</span> <span class="c1"># We want all pods in the cluster to be passed</span> <span class="c1"># through this webhook just in case</span> <span class="pi">-</span> <span class="na">apiGroups</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">"</span><span class="pi">]</span> <span class="na">apiVersions</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">v1</span><span class="pi">]</span> <span class="na">operations</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">CREATE</span><span class="pi">,</span> <span class="nv">UPDATE</span><span class="pi">]</span> <span class="na">resources</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">pods</span><span class="pi">]</span> <span class="c1"># If you're mutating Pod resources, you'll want to</span> <span class="c1"># Uncomment this so if you screw up so you can</span> <span class="c1"># deploy it again! This took a LOT of trial</span> <span class="c1"># and error!</span> <span class="c1"># failurePolicy: Ignore</span> <span class="na">clientConfig</span><span class="pi">:</span> <span class="na">service</span><span class="pi">:</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">webhook-test</span> <span class="na">name</span><span class="pi">:</span> <span class="s">pod-mutating-webhook</span> <span class="na">path</span><span class="pi">:</span> <span class="s">/pods</span> <span class="na">port</span><span class="pi">:</span> <span class="m">3000</span> <span class="na">sideEffects</span><span class="pi">:</span> <span class="s">None</span> <span class="nn">---</span> <span class="c1"># The service we wire up to our webhook handler</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Service</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">webhook-test</span> <span class="na">name</span><span class="pi">:</span> <span class="s">pod-mutating-webhook</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">app.kubernetes.io/name</span><span class="pi">:</span> <span class="s">pod-mutating-webhook</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">port</span><span class="pi">:</span> <span class="m">3000</span> <span class="nn">---</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">apps/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Deployment</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">webhook-test</span> <span class="na">name</span><span class="pi">:</span> <span class="s">pod-mutating-webhook</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">matchLabels</span><span class="pi">:</span> <span class="nl">&amp;labels</span> <span class="na">app.kubernetes.io/name</span><span class="pi">:</span> <span class="s">pod-mutating-webhook</span> <span class="na">template</span><span class="pi">:</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">labels</span><span class="pi">:</span> <span class="nv">*labels</span> <span class="na">spec</span><span class="pi">:</span> <span class="c1"># Of course I had to add the nodeSelector</span> <span class="c1"># here, too 😂</span> <span class="na">nodeSelector</span><span class="pi">:</span> <span class="na">kubernetes.io/arch</span><span class="pi">:</span> <span class="s">arm64</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">web</span> <span class="na">image</span><span class="pi">:</span> <span class="s">jgaskins/kubernetes-examples:mutating-webhooks</span> <span class="na">imagePullPolicy</span><span class="pi">:</span> <span class="s">Always</span> <span class="na">env</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">LOG_LEVEL</span> <span class="na">value</span><span class="pi">:</span> <span class="s">DEBUG</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">protocol</span><span class="pi">:</span> <span class="s">TCP</span> <span class="na">name</span><span class="pi">:</span> <span class="s">http</span> <span class="na">containerPort</span><span class="pi">:</span> <span class="m">3000</span> <span class="c1"># Mount the certs created by Cert Manager into</span> <span class="c1"># the app</span> <span class="na">volumeMounts</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">tls</span> <span class="na">mountPath</span><span class="pi">:</span> <span class="s">/certs</span> <span class="na">readOnly</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">volumes</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">tls</span> <span class="na">secret</span><span class="pi">:</span> <span class="na">secretName</span><span class="pi">:</span> <span class="s">pod-mutating-webhook-tls</span> <span class="c1">####### CERT STUFF ######</span> <span class="nn">---</span> <span class="c1"># The self-signed cert issuer</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">cert-manager.io/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Issuer</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">selfsigned-issuer</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">webhook-test</span> <span class="na">spec</span><span class="pi">:</span> <span class="c1"># Man, self-signed Issuers sure are simple, huh?</span> <span class="na">selfSigned</span><span class="pi">:</span> <span class="pi">{}</span> <span class="nn">---</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">cert-manager.io/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Certificate</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">pod-mutating-webhook</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">webhook-test</span> <span class="na">spec</span><span class="pi">:</span> <span class="c1"># This must be the name of the secret that</span> <span class="c1"># you mount into your Deployment above!</span> <span class="na">secretName</span><span class="pi">:</span> <span class="s">pod-mutating-webhook-tls</span> <span class="c1"># This must be `${serviceName}.${namespace}.svc`</span> <span class="na">dnsNames</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">pod-mutating-webhook.webhook-test.svc</span> <span class="na">issuerRef</span><span class="pi">:</span> <span class="c1"># Set this to your Issuer name above.</span> <span class="c1"># Must be in the same namespace if you're</span> <span class="c1"># not using a ClusterIssuer.</span> <span class="na">name</span><span class="pi">:</span> <span class="s">selfsigned-issuer</span> </code></pre> </div> <p>The code for this example (written in <a href="https://crystal-lang.org/" rel="noopener noreferrer">Crystal</a>) is <a href="https://github.com/jgaskins/kubernetes/tree/main/examples/mutating_webhooks/src" rel="noopener noreferrer">here</a> — the <code>AdmissionReview</code> response is generated <a href="https://github.com/jgaskins/kubernetes/blob/205eaa07369d704b988970c186ea7de5429de0cd/examples/mutating_webhooks/src/webhook.cr#L17-L42" rel="noopener noreferrer">in this method</a>. When I deployed it and removed all of the manual <code>kubernetes.io/arch: arm64</code> node selectors I added to every <code>Deployment</code> and <code>StatefulSet</code>, my <code>MutatingWebhook</code> server began properly adding them to the pods:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>2023-02-06T06:59:56.451183Z INFO - app: Listening on port 3000... 2023-02-06T07:03:13.916140Z INFO - http.server: 10.76.3.5 - POST /pods?timeout=10s HTTP/1.1 - 200 (2.54ms) 2023-02-06T07:03:21.900212Z INFO - http.server: 10.76.3.5 - POST /pods?timeout=10s HTTP/1.1 - 200 (357.68µs) 2023-02-06T07:03:24.440362Z INFO - http.server: 10.76.3.5 - POST /pods?timeout=10s HTTP/1.1 - 200 (345.84µs) 2023-02-06T07:03:25.537122Z INFO - http.server: 10.76.3.5 - POST /pods?timeout=10s HTTP/1.1 - 200 (301.28µs) 2023-02-06T07:03:26.530624Z INFO - http.server: 10.76.3.5 - POST /pods?timeout=10s HTTP/1.1 - 200 (347.08µs) 2023-02-06T07:03:28.076697Z INFO - http.server: 10.76.3.5 - POST /pods?timeout=10s HTTP/1.1 - 200 (321.72µs) 2023-02-06T07:03:28.520480Z INFO - http.server: 10.76.3.5 - POST /pods?timeout=10s HTTP/1.1 - 200 (396.52µs) 2023-02-06T07:03:29.507916Z INFO - http.server: 10.76.3.5 - POST /pods?timeout=10s HTTP/1.1 - 200 (381.16µs) 2023-02-06T07:03:44.978362Z INFO - http.server: 10.76.3.5 - POST /pods?timeout=10s HTTP/1.1 - 200 (341.52µs) 2023-02-06T07:03:49.315628Z INFO - http.server: 10.76.3.5 - POST /pods?timeout=10s HTTP/1.1 - 200 (483.32µs) </code></pre> </div> kubernetes webhooks tls