KEWL - K8s Easy Webhook Library
Description
This library aims to facilitate the implementation of k8s webhooks for Dynamic Admission Control.
Features
- easy implementation of validators/mutators for k8s objects
- multiple validators and mutators can be added at the same time
- supports v1 and v1beta1 AdmissionReview from the same URLs
- exposes metrics for validators and mutators
- custom handlers for an admission-review can be easily implemented
- validation responses contain the cause of the validation error with the fields and messages
- mutation responses contain an RFC6902 compatible JSON patch
Usage
Run go get github.com/dbsystel/kewl to add KEWL to your Go module.
Examples
Exposed paths
- /healthz for health checks
- /metrics for prometheus metrics
- /validate for validation hooks
- /mutate for mutation hooks
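A reply from /mutate carries its changes as a base64-encoded RFC 6902 JSON patch inside the AdmissionReview response. The following added example (not code from KEWL) decodes such a reply with the Go standard library and checks it against the request UID; DecodePatch, PatchOp and SampleReply are hypothetical names, and the field names are those of the Kubernetes admission.k8s.io/v1 wire format.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// PatchOp is one RFC 6902 operation; "from" (move/copy) is not inspected here.
type PatchOp struct {
	Op, Path string
	Value    json.RawMessage
}
// needsValue lists the RFC 6902 operation names and whether each requires "value".
var needsValue = map[string]bool{"add": true, "replace": true, "test": true, "remove": false, "move": false, "copy": false}
// DecodePatch checks a patch-carrying reply (Kubernetes wire format, not KEWL types) against the request UID.
func DecodePatch(uid string, body []byte) (ops []PatchOp, err error) {
	var r struct {
		Response struct {
			UID, PatchType string
			Allowed        bool
			Patch          []byte // base64 on the wire; encoding/json decodes it
		}
	}
	if err = json.Unmarshal(body, &r); err != nil {
		return nil, err
	}
	if r.Response.UID != uid || !r.Response.Allowed || r.Response.PatchType != "JSONPatch" {
		return nil, fmt.Errorf("reply needs the request uid, allowed=true and patchType=JSONPatch")
	}
	if err = json.Unmarshal(r.Response.Patch, &ops); err != nil {
		return nil, err
	}
	for _, o := range ops {
		want, known := needsValue[o.Op]
		if !known || (want && len(o.Value) == 0) || (o.Path != "" && o.Path[0] != '/') {
			return nil, fmt.Errorf("invalid RFC 6902 operation: op=%q path=%q", o.Op, o.Path)
		}
	}
	return ops, nil
}

// SampleReply builds a constructed reply around the given JSON patch text.
func SampleReply(uid, patch string) []byte {
	enc := base64.StdEncoding.EncodeToString([]byte(patch))
	return []byte(fmt.Sprintf(`{"response":{"uid":%q,"allowed":true,"patchType":"JSONPatch","patch":%q}}`, uid, enc))
}
func main() {
	fmt.Println(DecodePatch("u-1", SampleReply("u-1", `[{"op":"add","path":"/metadata/labels/team","value":"a"}]`)))
}
```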
Metrics and health
Healthz
The webhook exposes an endpoint /healthz, which can be used to check whether the server is still running fine.
Prometheus metrics
Also, prometheus summaries are exposed via /metrics for the following:
HTTP requests
A prometheus summary is exposed for all requests as webhook_http_request_seconds_sum labeled by:
- request method
- request path
- response status code
Example:
webhook_http_request_seconds_sum{method="POST",path="/validate",status="200"} 7.3844e-05
webhook_http_request_seconds_count{method="POST",path="/validate",status="200"}
Invoked validations
Invoked validations are registered in a summary named webhook_handler_validation_sum labeled by:
- version of the admission review (admission_review_version)
- group of the reviewed object: obj_group
- kind of the reviewed object: obj_kind
- version of the reviewed object: obj_version
- namespace of the reviewed object (obj_namespace)
- result of the review (result), which can be the following:
  - allowed - the validation was successful (admission was allowed)
  - denied - the validation was unsuccessful (admission was denied)
  - error - an error occurred in the server (or validator)
Example:
webhook_handler_validation_sum{admission_review_version="v1",group="",kind="Pod",result="allowed",target_namespace="test",version="v1"} 2.9475e-05
webhook_handler_validation_count{admission_review_version="v1",group="",kind="Pod",result="allowed",target_namespace="test",version="v1"} 1
Invoked mutations
Invoked mutations are registered in a summary named webhook_handler_mutation_sum labeled by:
- version of the admission review (admission_review_version)
- group of the reviewed object: obj_group
- kind of the reviewed object: obj_kind
- version of the reviewed object: obj_version
- namespace of the reviewed object (obj_namespace)
- result of the review (result), which can be the following:
  - allowed - object was not modified (admission was allowed)
  - mutated - object was mutated (admission was allowed)
  - error - an error occurred in the server (or mutator)
Example:
webhook_handler_mutation_sum{admission_review_version="v1",group="",kind="Pod",result="mutated",target_namespace="test",version="v1"} 4.258e-05
webhook_handler_mutation_count{admission_review_version="v1",group="",kind="Pod",result="mutated",target_namespace="test",version="v1"} 1
License
This project is licensed under Apache License v2.0, which is included in the repository.
Contributions
Contributions are very welcome; please refer to the Contribution guide.
Code of conduct
Our code of conduct can be found here.