A Simple Kubernetes Admission Webhook

While adding a recent feature to our Kubernetes compute platform, we had the need to mutate newly-created pods based on annotations set by users. The mutation needed to follow simple business rules, and didn’t need to keep track of any state. Surely there must be a canonical solution to this simple problem? Well, sort of.…

Clément Labbe
12 min readintermediate
--
View Original

Overview

This article provides a practical guide on creating a simple Kubernetes admission webhook using Go. It covers the essential concepts of admission webhooks, their implementation, and the specific use case of mutating pod creations based on user-defined annotations.

What You'll Learn

1

How to create a Kubernetes admission webhook in Go

2

Why mutating admission webhooks are essential for customizing pod configurations

3

When to use validating versus mutating webhooks in Kubernetes

Prerequisites & Requirements

  • Basic understanding of Kubernetes admission controllers
  • Familiarity with Go programming language

Key Questions Answered

What are Kubernetes admission webhooks and how do they work?
Kubernetes admission webhooks are HTTP callbacks that receive admission requests and can modify or validate them. They are invoked during the creation of resources such as pods, allowing for custom defaults or validation rules to be enforced before the resource is accepted by the API server.
How can I implement a mutating admission webhook in Kubernetes?
To implement a mutating admission webhook, you need to create a service that handles requests from the Kubernetes API server. This service will modify the incoming pod creation requests based on specified rules and return a JSON patch to apply the changes.
What is the difference between validating and mutating admission webhooks?
Validating admission webhooks are used to enforce policies by rejecting requests that do not comply, while mutating admission webhooks can modify the incoming requests before they are processed. Mutating webhooks are called first, followed by validating webhooks.

Technologies & Tools

Some links below are affiliate links. We may earn a commission if you make a purchase.

Key Actionable Insights

1
Implementing a mutating admission webhook can streamline your Kubernetes deployment process by automatically applying configurations like tolerations to pods.
This is particularly useful in environments where specific configurations are required for pods to function correctly, reducing manual errors and ensuring compliance with organizational policies.
2
Using a lightweight Go web server for your admission webhook minimizes dependencies and complexity, making it easier to maintain.
This approach is beneficial for teams looking to quickly implement custom admission logic without the overhead of larger frameworks like Kubebuilder.

Common Pitfalls

1
One common pitfall is failing to ensure that mutations in admission webhooks are idempotent, which can lead to unexpected behaviors if the webhook is called multiple times.
This is important because Kubernetes does not guarantee the order of webhook calls, and if a webhook is invoked more than once, it should produce the same result to avoid inconsistencies.

Related Concepts

Kubernetes Admission Controllers
Custom Resource Definitions (crds)
Go Programming For Kubernetes