开发apiserver实现一个容器镜像白名单的 K8S 准入控制器

于 2023-06-03 11:51:14 发布
阅读量173 收藏
点赞数
文章标签: kubernetes go
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/m0_51445191/article/details/131019492
版权

在这里插入图片描述在这里插入图片描述我们使用go编写validate和mutate

package main

import (
	"context"
	"crypto/tls"
	"flag"
	"fmt"
	"net/http"
	"os"
	"os/signal"
	"strings"
	"syscall"
	"webhook/pkg"

	"k8s.io/klog/v2"
)

func main() {
	var param pkg.WhSvrParam
	flag.IntVar(&param.Port, "port", 443, "webhook server port")
	flag.StringVar(&param.Certfile, "tlsCertfile", "/etc/webhook/certs/tls.crt", "x509 certification file")
	flag.StringVar(&param.KeyFile, "tlsKeyfile", "/etc/webhook/certs/tls.key", "x509 private key file")
	flag.Parse()

	certficate, err := tls.LoadX509KeyPair(param.Certfile, param.KeyFile)
	if err != nil {
		klog.Errorf("Failed to load key pair: &v", err)
		return
	}

	whsrv := pkg.WebhookServer{
		Server: &http.Server{
			Addr: fmt.Sprintf(":%d", param.Port),
			TLSConfig: &tls.Config{
				Certificates: []tls.Certificate{certficate},
			},
		},
		WhiteListRegistries: strings.Split(os.Getenv("WHITELIST_REGISTRIES"), ","),
	}

	mux := http.NewServeMux()
	mux.HandleFunc("/validate", whsrv.Handler)
	mux.HandleFunc("/mutate", whsrv.Handler)
	whsrv.Server.Handler = mux

	go func() {
		if err := whsrv.Server.ListenAndServeTLS("", ""); err != nil {
			klog.Errorf("failed to listen and serve webhook: %v", err)
		}
	}()

	klog.Info("Serevr start")

	signalChan := make(chan os.Signal, 1)
	signal.Notify(signalChan, syscall.SIGINT, syscall.SIGTERM)
	<-signalChan

	klog.Info("get os shuting...")
	if err := whsrv.Server.Shutdown(context.Background()); err != nil {
		klog.Errorf("http server shutdown err: %v", err)
	}
}


package pkg

import (
	"encoding/json"
	"fmt"
	"io/ioutil"
	"net/http"
	"strings"

	admissionv1 "k8s.io/api/admission/v1"
	appsv1 "k8s.io/api/apps/v1"
	corev1 "k8s.io/api/core/v1"
	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
	"k8s.io/apimachinery/pkg/runtime"
	"k8s.io/apimachinery/pkg/runtime/serializer"
	"k8s.io/klog/v2"
)

type patchOperation struct {
	Op    string      `json:"op"`
	Path  string      `json:"path"`
	Value interface{} `json:"value,omitempty"`
}

const (
	AnnotationMutateKey = "io.ydzs.admission-registry/mutate"
	AnnotationStatusKey = "io.ydzs.admission-registry/status"
)

var (
	runtimeScheme = runtime.NewScheme()
	codeFactory   = serializer.NewCodecFactory(runtimeScheme)
	deserializer  = codeFactory.UniversalDeserializer()
)

type WhSvrParam struct {
	Port     int
	Certfile string
	KeyFile  string
}

type WebhookServer struct {
	Server              *http.Server
	WhiteListRegistries []string
}

func (s *WebhookServer) Handler(w http.ResponseWriter, r *http.Request) {
	var body []byte
	if r.Body != nil {
		if data, err := ioutil.ReadAll(r.Body); err == nil {
			body = data
		}
	}

	if len(body) == 0 {
		klog.Errorf("empty data body")
		http.Error(w, "empty data body", http.StatusBadRequest)
		return
	}

	contentType := r.Header.Get("Content-Type")
	if contentType != "application/json" {
		klog.Errorf("content-type id %s, but expect application/json", contentType)
		http.Error(w, "content-type invalid, expect application/json", http.StatusBadRequest)
		return
	}

	var admissionReponse *admissionv1.AdmissionResponse
	requestedAdmissionReview := admissionv1.AdmissionReview{}

	if _, _, err := deserializer.Decode(body, nil, &requestedAdmissionReview); err != nil {
		klog.Errorf("can not decode body: %v", err)
		admissionReponse = &admissionv1.AdmissionResponse{
			Result: &metav1.Status{
				Code:    http.StatusInternalServerError,
				Message: err.Error(),
			},
		}
	} else {
		if r.URL.Path == "/mutate" {
			admissionReponse = s.mutate(&requestedAdmissionReview)
		} else if r.URL.Path == "/validate" {
			admissionReponse = s.validate(&requestedAdmissionReview)
		}
	}

	//构造返回的 admissionreview
	reponseAdmissionReview := admissionv1.AdmissionReview{}
	reponseAdmissionReview.APIVersion = requestedAdmissionReview.APIVersion
	reponseAdmissionReview.Kind = requestedAdmissionReview.Kind

	if admissionReponse != nil {
		reponseAdmissionReview.Response = admissionReponse
		if requestedAdmissionReview.Request != nil {
			reponseAdmissionReview.Response.UID = requestedAdmissionReview.Request.UID
		}
	}

	klog.Info(fmt.Printf("sending reponse: %v", requestedAdmissionReview.Response))

	respBytes, err := json.Marshal(reponseAdmissionReview)
	if err != nil {
		klog.Errorf("can not encode reponse: %v ", err)
		http.Error(w, fmt.Sprintf("could not encode reponse: %v", err), http.StatusInternalServerError)
	}

	klog.Info("read to write reponse...")
	if _, err := w.Write(respBytes); err != nil {
		klog.Errorf("can not write response: %v", err)
		http.Error(w, fmt.Sprintf("could not write reponse: %v", err), http.StatusInternalServerError)
	}

}

// validate pod
func (serv *WebhookServer) validate(ar *admissionv1.AdmissionReview) *admissionv1.AdmissionResponse {
	req := ar.Request
	var (
		allowed = true
		code    = 200
		message = ""
	)

	klog.Infof("AdmissionReview for Kind=%s, Namespace=%s Name=%v UID=%v Operation=%v UserInfo=%v",
		req.Kind.Kind, req.Namespace, req.Name, req.UID, req.Operation, req.UserInfo)

	var pod corev1.Pod
	if err := json.Unmarshal(req.Object.Raw, &pod); err != nil {
		klog.Errorf("Could not unmarshal raw object: %v", err)
		allowed = false
		code = 400
		return &admissionv1.AdmissionResponse{
			Allowed: allowed,
			Result: &metav1.Status{
				Code:    int32(code),
				Message: err.Error(),
			},
		}
	}
	for _, container := range pod.Spec.Containers {
		var whitelisted = false
		for _, reg := range serv.WhiteListRegistries {
			if strings.HasPrefix(container.Image, reg) {
				whitelisted = true
			}
		}
		if !whitelisted {
			allowed = false
			code = 403
			message = fmt.Sprintf("%s image comes from an untrusted registry! Only images from %v are allowed.",
				container.Image, serv.WhiteListRegistries)
			break
		}
	}

	return &admissionv1.AdmissionResponse{
		Allowed: allowed,
		Result: &metav1.Status{
			Code:    int32(code),
			Message: message,
		},
	}
}

func (s *WebhookServer) mutate(ar *admissionv1.AdmissionReview) *admissionv1.AdmissionResponse {
	req := ar.Request

	var (
		objectMeta *metav1.ObjectMeta
	)

	klog.Infof("admissionreview for kind=%s, namespace=%s", req.Kind.Kind, req.Namespace)

	switch req.Kind.Kind {
	case "Deployment":
		var deployment appsv1.Deployment
		if err := json.Unmarshal(req.Object.Raw, &deployment); err != nil {
			klog.Errorf("can not unmarshal %v", err)
			return &admissionv1.AdmissionResponse{
				Result: &metav1.Status{
					Code:    http.StatusBadRequest,
					Message: err.Error(),
				},
			}
		}
		objectMeta = &deployment.ObjectMeta
	case "Service":
		var service corev1.Service
		if err := json.Unmarshal(req.Object.Raw, &service); err != nil {
			klog.Errorf("can not unmarshal %v", err)
			return &admissionv1.AdmissionResponse{
				Result: &metav1.Status{
					Code:    http.StatusBadRequest,
					Message: err.Error(),
				},
			}
		}
		objectMeta = &service.ObjectMeta
	default:
		return &admissionv1.AdmissionResponse{
			Result: &metav1.Status{
				Code:    http.StatusBadRequest,
				Message: fmt.Sprintf("can not handle the kind %s object", req.Kind.Kind),
			},
		}
	}

	if !mutateRequired(objectMeta) {
		return &admissionv1.AdmissionResponse{
			Allowed: true,
		}
	}

	annotations := map[string]string{AnnotationStatusKey: "mutated"}

	var patch []patchOperation

	patch = append(patch, mutateAnnotations(objectMeta.GetAnnotations(), annotations)...)

	fmt.Println("********")
	fmt.Println(patch)
	fmt.Println("********")
	patchBytes, err := json.Marshal(patch)
	if err != nil {
		klog.Errorf("patch marshal error: %v", err)
		return &admissionv1.AdmissionResponse{
			Result: &metav1.Status{
				Code:    http.StatusBadRequest,
				Message: err.Error(),
			},
		}
	}

	return &admissionv1.AdmissionResponse{
		Allowed: true,
		Patch:   patchBytes,
		PatchType: func() *admissionv1.PatchType {
			pt := admissionv1.PatchTypeJSONPatch
			return &pt
		}(),
	}
}

func mutateAnnotations(target map[string]string, added map[string]string) (patch []patchOperation) {
	for key, value := range added {
		if target == nil || target[key] == "" {
			target = map[string]string{}
			patch = append(patch, patchOperation{
				Op:   "add",
				Path: "/metadata/annotations",
				Value: map[string]string{
					key: value,
				},
			})
		} else {
			patch = append(patch, patchOperation{
				Op:    "replace",
				Path:  "/metadata/annotations/" + key,
				Value: value,
			})
		}
	}
	return
}

func mutateRequired(metadata *metav1.ObjectMeta) bool {
	annotations := metadata.GetAnnotations()

	if annotations == nil {
		annotations = map[string]string{}
	}

	var required bool

	switch strings.ToLower(annotations[AnnotationMutateKey]) {
	case "n", "no", "false", "off":
		required = false
	default:
		required = true
	}

	status := annotations[AnnotationStatusKey]

	if strings.ToLower(status) == "mutated" {
		required = false
	}

	klog.Infof("mutation policy for %s/%s: required: %v", metadata.Name, metadata.Namespace, required)
	return required
}

dockerfile如下

FROM golang:1.18 as builder

RUN apt-get -y update && apt-get -y install upx

WORKDIR /workspace
# Copy the Go Modules manifests
COPY go.mod go.mod
COPY go.sum go.sum

# Copy the go source
COPY main.go main.go
COPY pkg/ pkg/

# Build
ENV CGO_ENABLED=0
ENV GOOS=linux
ENV GOARCH=amd64
ENV GO111MODULE=on
ENV GOPROXY="https://goproxy.cn"

# cache deps before building and copying source so that we don't need to re-download as much
# and so that source changes don't invalidate our downloaded layer
RUN go mod download && \
    go build -a -o admission-registry main.go && \
    upx admission-registry

FROM alpine:3.9.2
COPY --from=builder /workspace/admission-registry .
ENTRYPOINT ["/admission-registry"]

我们把认证作为pod运行在集群中

apiVersion: apps/v1
kind: Deployment
metadata:
  name: admission-deploy
  labels: 
    app: admission-deploy
spec:
  replicas: 1
  selector: 
    matchLabels: 
      app: admission-deploy
  template:
    metadata:
      labels:
        app: admission-deploy 
    spec:
      containers: 
        - name: whitelist
          image: webhook-validate-mutate:v1.0
          imagePullPolicy: IfNotPresent
          env: 
          - name: WHITELIST_REGISTRIES
            value: "docker.io,gcr.io"
          ports:
          - containerPort: 443
          volumeMounts: 
          - name: webhook-certs
            mountPath: /etc/webhook/certs
            readOnly: true
      volumes:
        - name: webhook-certs
          secret:
            secretName: admission-registry-tls
---
apiVersion: v1
kind: Service
metadata:
  name: admission-registry
  labels:
    app: admission-registry
spec:
  ports:
  - port: 443
    targetPort: 443
  selector:
    app: admission-deploy

在这一步之前需要创建secret,接着需要创建validatingwebhookconfigurations,mutatingwebhookconfigurations

apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  name: admission-registry
webhooks:
- name: io.ydzs.admission-registry
  rules:
  - apiGroups:   [""]
    apiVersions: ["v1"]
    operations:  ["CREATE"]
    resources:   ["pods"]
  clientConfig:
    service:
      namespace: default
      name: admission-registry
      path: "/validate"
    caBundle: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUR2akNDQXFhZ0F3SUJBZ0lVUkZkVTlRNTZXenA0UFNwUHQ0U05sdm9LOVBZd0RRWUpLb1pJaHZjTkFRRUwKQlFBd1pURUxNQWtHQTFVRUJoTUNRMDR4RURBT0JnTlZCQWdUQjBKbGFVcHBibWN4RURBT0JnTlZCQWNUQjBKbAphVXBwYm1jeEREQUtCZ05WQkFvVEEyczRjekVQTUEwR0ExVUVDeE1HVTNsemRHVnRNUk13RVFZRFZRUURFd3ByCmRXSmxjbTVsZEdWek1CNFhEVEl6TURZd016QXlNVEV3TUZvWERUSTRNRFl3TVRBeU1URXdNRm93WlRFTE1Ba0cKQTFVRUJoTUNRMDR4RURBT0JnTlZCQWdUQjBKbGFVcHBibWN4RURBT0JnTlZCQWNUQjBKbGFVcHBibWN4RERBSwpCZ05WQkFvVEEyczRjekVQTUEwR0ExVUVDeE1HVTNsemRHVnRNUk13RVFZRFZRUURFd3ByZFdKbGNtNWxkR1Z6Ck1JSUJJakFOQmdrcWhraUc5dzBCQVFFRkFBT0NBUThBTUlJQkNnS0NBUUVBMXNKdWwzR3doYXM1NURiVU45VzMKMFpKSEN0TCszZ2tYdzFGT1ZRZ1ZvSkVQcHFhV3pMN2hTTElHenNpQkRyQm5sWVIxVWR0TzNieU52dmVjcnZ5Mgo1ZVh1MmlVcFJkc2Q2NVpGbmZQUVZYNkFWditUSVNVMGg1a0RrU0VmdFpJNm5jNDNkaU9xMVhpVE5vWS82RG9hClZVV0tHemVCcHp0NG1zY2RLYXdvUENvMFZibGdmUytvT1FEQTVPdGl3NTVPclNVYUlrb3NHazlnVkhsU1V1SVMKUUNhaG4zTkxHMG9oblhLWkVWSlpwQ25wZDgwejJPWFRXb3FwSEZpdXVoTjZtd3Z6RUJYaXY3ay96dG9zKzFwVApkYXd4WWMyUVFBVURTK0NubTdwWGE2Sk82eUhjV1d4ZWxwUENMRnBjQm0yN0tJM2tESW1OMVB6SEZaUHFDYlVHCitRSURBUUFCbzJZd1pEQU9CZ05WSFE4QkFmOEVCQU1DQVFZd0VnWURWUjBUQVFIL0JBZ3dCZ0VCL3dJQkFqQWQKQmdOVkhRNEVGZ1FVMEQzZ2RPUERwVzc5Q0ZFZVA1M1ZTK1JnNEVFd0h3WURWUjBqQkJnd0ZvQVUwRDNnZE9QRApwVzc5Q0ZFZVA1M1ZTK1JnNEVFd0RRWUpLb1pJaHZjTkFRRUxCUUFEZ2dFQkFLUUlmQUVVdUEzQmgzOTJ6VkNMCmxHY0NpMzJpeGRBdmpVeXRNaU5pNHpFRHZDNVJoU05CT3lKWmVqemswRmRzZGNXcU9LTEtJT1J2NEpXV1NIQ1EKaDUwM28rUUNBMGQ2RkJmSDNHMkV3ak5iWUJYOWphYkM5K05rSVpDT1U3b3RqSTd4NUxJSGVWanpGZWJXR0FnOQpYejJGQVd2eXlTK3FPVzRzc3N1djAyQW1KMjJqTWlXSHd2elBWTlFDdHZIVWpZNDFrTXlnUmEyYzlYRmN4Wms5CkY2em56ZWdpamlzUXJBVm9jR09KbXNwYVd6N3JlZmFKalYzVU1ZcnZLWGlDRVhHS1JBZ05KRUthTzN5dlBZN3cKaVVHODFTbGdwY1hJNEFjci9QN0FUMGVzc1AwU1NPU1E1aU44UVhqcWhNN0FhRHlKRmNNYU53QzJUcWk1bEpETgprZUE9Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K

  admissionReviewVersions: ["v1"]
  sideEffects: None
---
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
  name: admission-registry-mute
webhooks:
  - name: io.ydzs.admission-registry-mutate
    clientConfig:
      service:
        namespace: default
        name: admission-registry
        path: "/mutate"
      caBundle: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUR2akNDQXFhZ0F3SUJBZ0lVUkZkVTlRNTZXenA0UFNwUHQ0U05sdm9LOVBZd0RRWUpLb1pJaHZjTkFRRUwKQlFBd1pURUxNQWtHQTFVRUJoTUNRMDR4RURBT0JnTlZCQWdUQjBKbGFVcHBibWN4RURBT0JnTlZCQWNUQjBKbAphVXBwYm1jeEREQUtCZ05WQkFvVEEyczRjekVQTUEwR0ExVUVDeE1HVTNsemRHVnRNUk13RVFZRFZRUURFd3ByCmRXSmxjbTVsZEdWek1CNFhEVEl6TURZd016QXlNVEV3TUZvWERUSTRNRFl3TVRBeU1URXdNRm93WlRFTE1Ba0cKQTFVRUJoTUNRMDR4RURBT0JnTlZCQWdUQjBKbGFVcHBibWN4RURBT0JnTlZCQWNUQjBKbGFVcHBibWN4RERBSwpCZ05WQkFvVEEyczRjekVQTUEwR0ExVUVDeE1HVTNsemRHVnRNUk13RVFZRFZRUURFd3ByZFdKbGNtNWxkR1Z6Ck1JSUJJakFOQmdrcWhraUc5dzBCQVFFRkFBT0NBUThBTUlJQkNnS0NBUUVBMXNKdWwzR3doYXM1NURiVU45VzMKMFpKSEN0TCszZ2tYdzFGT1ZRZ1ZvSkVQcHFhV3pMN2hTTElHenNpQkRyQm5sWVIxVWR0TzNieU52dmVjcnZ5Mgo1ZVh1MmlVcFJkc2Q2NVpGbmZQUVZYNkFWditUSVNVMGg1a0RrU0VmdFpJNm5jNDNkaU9xMVhpVE5vWS82RG9hClZVV0tHemVCcHp0NG1zY2RLYXdvUENvMFZibGdmUytvT1FEQTVPdGl3NTVPclNVYUlrb3NHazlnVkhsU1V1SVMKUUNhaG4zTkxHMG9oblhLWkVWSlpwQ25wZDgwejJPWFRXb3FwSEZpdXVoTjZtd3Z6RUJYaXY3ay96dG9zKzFwVApkYXd4WWMyUVFBVURTK0NubTdwWGE2Sk82eUhjV1d4ZWxwUENMRnBjQm0yN0tJM2tESW1OMVB6SEZaUHFDYlVHCitRSURBUUFCbzJZd1pEQU9CZ05WSFE4QkFmOEVCQU1DQVFZd0VnWURWUjBUQVFIL0JBZ3dCZ0VCL3dJQkFqQWQKQmdOVkhRNEVGZ1FVMEQzZ2RPUERwVzc5Q0ZFZVA1M1ZTK1JnNEVFd0h3WURWUjBqQkJnd0ZvQVUwRDNnZE9QRApwVzc5Q0ZFZVA1M1ZTK1JnNEVFd0RRWUpLb1pJaHZjTkFRRUxCUUFEZ2dFQkFLUUlmQUVVdUEzQmgzOTJ6VkNMCmxHY0NpMzJpeGRBdmpVeXRNaU5pNHpFRHZDNVJoU05CT3lKWmVqemswRmRzZGNXcU9LTEtJT1J2NEpXV1NIQ1EKaDUwM28rUUNBMGQ2RkJmSDNHMkV3ak5iWUJYOWphYkM5K05rSVpDT1U3b3RqSTd4NUxJSGVWanpGZWJXR0FnOQpYejJGQVd2eXlTK3FPVzRzc3N1djAyQW1KMjJqTWlXSHd2elBWTlFDdHZIVWpZNDFrTXlnUmEyYzlYRmN4Wms5CkY2em56ZWdpamlzUXJBVm9jR09KbXNwYVd6N3JlZmFKalYzVU1ZcnZLWGlDRVhHS1JBZ05KRUthTzN5dlBZN3cKaVVHODFTbGdwY1hJNEFjci9QN0FUMGVzc1AwU1NPU1E1aU44UVhqcWhNN0FhRHlKRmNNYU53QzJUcWk1bEpETgprZUE9Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K

    rules: 
      - operations: ["CREATE"]
        apiGroups: ["apps",""]
        apiVersions: ["v1"]
        resources: ["deployments", "services"]
    admissionReviewVersions: ["v1"]
    sideEffects: None
hanfengsasa1
关注
  • 0
    点赞
  • 0
    收藏
    觉得还不错? 一键收藏
  • 0
    评论
安装k8s 1.28 所需的离线镜像
03-19
部署k8s1.28集群所需离线镜像包,已经为大家准备好了,大家有需要可以自行下载,下载后部署的方法,在主页k8s专栏的文章中有详细说明,如果大家有疑问可以查看文章,或者私信我,我会尽快回复,谢谢大家 registry....
kubernetes的webhook开发(一篇搭好开发架构)
weixin_40965647的博客
08-02 831
webhook 对kubernetes的webhook开发实例 介绍 Webhook就是一种HTTP回调,用于在某种情况下执行某些动作,Webhook不是K8S独有的,很多场景下都可以进行Webhook,比如在提交完代码后调用一个Webhook自动构建docker镜像 K8S中提供了自定义资源类型和自定义控制器来扩展功能,还提供了动态准入控制,其实就是通过Webhook来实现准入控制,分为两种:验...
vs2022调用动态库的步骤
li_yi_feng_的博客
03-10 1535
vs2022调用动态库的步骤
Istio 1.11.2 底层自动注入流程
baobaoxiannv的博客
02-08 1451
自动注入流程 简单说下 正式开始之前简单说一下 webhook,这样对以下理解更方便一些。 准入控制器也就是 webhook 会拦截 API Server 收到的请求,拦截发生在认证和鉴权完成之后,对象进行持久化之前(这个时候可以修改 pod 模版完成自动注入)。可以定义两种类型的 webhook: Mutating 和 Validating Mutating 修改资源,可以对请求内容进行修改 Validating 验证资源,根据请求的内容判断是继续执行该请求还是拒绝该请求 实现流程 pkg/kub
kubernetes-准入控制器-13
xiong
07-03 373
Pod资源需求及资源限制 如:CPU资源属于可压缩资源,一个Pod获取资源不到时会长期等待CPU资源,而Pod获取不到内存时,会报错因为内存属于非可压缩资源 requests: Pod资源需求,最低保障,作用: 确保调度时对应节点应该满足于这个Pod运行时的基本需求 limits: Pod限制,最高或最低区域,硬限制,作用: 限制运行的Pod运行时资源的天花板 一般来讲 requests 一般小于 limits,资源需求与资源限定需要同时使用 指标说明 CPU:在资源中是指一颗逻辑(虚
Kubernetes 准入控制器详解!
weixin_44100171的博客
02-04 611
**Kubernetes 控制平面由几个组件组成。其中一个组件是 kube-apiserver,简单的 API server。**它公开了一个 REST 端点,用户、集群组件以及客户端应用程序可以通过该端点与集群进行通信。总的来说,它会进行以下操作: 从客户端应用程序(如 kubectl)接收标准 HTTP 请求。 验证传入请求并应用授权策略。 在成功的身份验证中,它能根据端点对象(Pod、Deployments、Namespace 等)和 http 动作(Create、Put、Get、Dele
第十三课 k8s源码学习和二次开发原理篇-准入控制器
QnHyn
11-03 297
第十三课 k8s源码学习和二次开发原理篇-准入控制器 tags: k8s 源码学习 categories: 源码学习 二次开发 准入控制器 文章目录第十三课 k8s源码学习和二次开发原理篇-准入控制器第一节 Admission Webhook介绍1.1 准入控制器介绍1.2 创建配置一个 Admission Webhook第二节 ValidatingAdmissionWebhook 实现2.1 准入控制器示例2.2 准入控制器逻辑实现2.3 证书准备2.4 Docker 镜像2.5 部署webho
Kubernetes Admission Webhook Validating 与 mutating 实践
爱死亡机器人
01-06 3311
以非root运行pod 需求 Kubernetes 的很多默认设置是为了便于使用,有时它们会牺牲一定的安全性。因为按照默认设置,容器一般是以 root 身份运行的(即便没有进一步配置,Dockerfile 中也没有指令)。 尽管容器在一定程度上与底层主机隔离,但这样确实会增加部署风险,比如去年曝光的 runC 漏洞(CVE-2019-5736),它被利用的原因之一就是容器内进程都是以 root 权限运行的。 下面我们以这个问题为例,一起利用准入控制器 webhook 建立自定义安全策略。 为了解决上述问题,
浅识k8s中的准入控制器
weixin_40418457的博客
07-04 1636
背景 在 k8s中各组件和kube apiserver通信时的认证和鉴权 中提到"NodeRestriction准入插件",实际上它是一个"准入控制器"。 "准入控制器"是一个重要的概念,在istio、apisix、某些安全产品中都有用到。 本文简要记录一下以下内容: "准入控制器"是什么 怎么开启"准入控制器" 从源码浅析"准入控制器" 本文使用的k8s集群是用kubekey搭建,
Kubernetes 的安全机制 APIServer 认证、授权、准入控制
weixin_34005042的博客
12-14 712
本文讲解 kubernetes 的安全机制。主要会按照这几个部分来讲解:APIServer 认证、授权、准入控制等。 我们都知道 kubenetes 默认在两个端口提供服务:一个是基于 https 安全端口 6443,另一个是基于 http 的非安全端口 8080。其中非安全端口 8080 限制只能本机访问,即绑定的是 localhost。 对于安全端口...
k8s实践(6)--Kubernetes安全:API Server访问控制
黄规速博客:学如逆水行舟,不进则退
06-16 3055
Kubernetes安全 安全永远是一个重大的话题,特别是云计算平台,更需要设计出一套完善的安全方案,以应对复杂的场景。 Kubernetes主要使用Docker作为应用承载环境,Kubernetes首先设计出一套API和敏感信息处理方案,当然也基于Docker提供容器安全控制。以下是Kubernetes的安全设计原则: 1. 保证容器与其运行的宿主机之间有明确的隔离 2. 限制容器对基础设施...
k8s.gcr.io/kube-apiserver:v1.17.3镜像
03-06
kubernetesk8s.gcr.io/kube-apiserver:v1.17.3镜像包,版本为v1.17.3。文件是kube-controller-manager_v_1_17.3.tar
K8S镜像容器安全架构设计
10-17
该文档介绍了K8S镜像容器安全架构设计
手把手打镜像并运行到k8s容器上(亲测可用)
06-03
手把手打镜像并运行到k8s容器上(亲测可用) 博客地址:https://blog.csdn.net/qq_36963950/article/details/125036352 第一个示例:wordpress博客系统 第二个示例:自己写一个springboot项目生成镜像部署到K8S集群...
k8s部署docker容器实现
01-09
环境:(docker ,k8s集群),继续上次docker 启动的java程序的...k8s部署该镜像k8s创建命名空间及secret 创建命名空间cl-test,这里名字根据自己的命名规范自己定义,我这是测试用的 kubectl create namespace cl-te
Kubernetes 开发【1】——webhook 实现 API Server 请求拦截和修改
kingu_crimson的博客
08-04 1279
admission controller是一段代码,它会在请求通过认证和授权之后、对象被持久化之前拦截到达 API 服务器的请求。控制器编译进可执行文件,并且只能由集群管理员配置。使用准入控制器 | Kubernetes我们也可以通过自己编写一段代码二次开发实现更为高级更为复杂的需求,官方有具体的实例,该实例的用途是即仅允许pod从指定的镜像仓库拉取image,否则apiserver将会拒绝本次请求。............
Istio注入SideCar原理
m0_47495420的博客
05-03 838
简介Istio提供一种简单的方式来建立已部署的服务的网络,具备负载均衡,服务到服务认证,监控等等功能,而不需要改动任何服务代码。简单的说,有了Istio,你的服务就不再需要任何微服务开发框架(典型如Spring Cloud,Dubbo),也不再需要自己动手实现各种复杂的服务治理的功能(很多是Spring Cloud和Dubbo也不能提供的,需要自己动手)。只要服务的客户端和服务器可以进行简单的直接...
Kubernetes开发(5)-validateadmission练手
zyxpaomian的博客
06-01 546
补充好基础知识后,上手实践才是最快的学习方法,所以先写一个validateadmission练练手。模拟一个生产需求,假设生产环境所有的deployment不允许单点,即副本数量不能少于2,如果少于2则不允许创建,且多个Kubernetes集群都有类似需求,那么这个场景用webhook实现就非常简单。 先上一下自己写的demo地址webhook demo,可以对照查看 思路 之前有提过webhook的调用逻辑,结合当前场景,大致上是以下几个步骤: 创建一个tls 的webserver, 做好路由,路由绑定
企业级容器技术 k8s api server访问控制
passnetY的博客
03-03 514
访问控制需要如下三点 1.认证,针对用户,分别可以进入的用户,认证方式有8种,只要通过一种就不再进行其他方式认证。 2.授权 ** <-决定可以使用哪些东西 3.准入控制 认证 认证信息我们一般会写在yaml文件中,但是这种方法是很不安全的,因为普通用户可以直接查看到这个文件, kubectl create secret docker-registry myregistrykey --doc...
k8s镜像运行到k8s容器
最新发布
01-05
Kubernetes(简称K8s)是一个开源的容器编排平台,用于管理容器化应用程序的部署、扩展和自动化操作。在Kubernetes中,我们可以通过将容器镜像部署到Kubernetes集群中的容器中来运行应用程序。 首先,我们需要创建...

“相关推荐”对你有帮助么?

  • 非常没帮助
  • 没帮助
  • 一般
  • 有帮助
  • 非常有帮助
提交
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值