kubevirt-template-validator
kubevirt-template-validator is a kubevirt addon that checks the annotations on templates and rejects them if invalid.
It is implemented using a validating webhook.
License
Apache v2
Dependencies
Installation - K8S
PLEASE NOTE: vanilla Kubernetes does not support OpenShift templates (obviously), so the webhook
cannot function properly. If you want to install it in your Kubernetes cluster anyway, follow these steps:
- Create and deploy the certificates in a Kubernetes Secret, to be used in the following steps:
./cluster/k8s/webhook-create-signed-cert.sh
- [OPTIONAL] Check that the secret exists:
kubectl get secret -n kubevirt kubevirt-template-validator-certs
NAME TYPE DATA AGE
kubevirt-template-validator-certs Opaque 2 1h
- Deploy the service:
kubectl create -f ./cluster/k8s/manifests/service.yaml
- Register the webhook. To set up the webhook, we need a CA bundle. We can reuse the one from the certs we created in step #1.
cat ./cluster/k8s/manifests/validating-webhook.yaml | ./cluster/k8s/extract-ca.sh | kubectl apply -f -
Done!
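A pre-apply check for the webhook registration step above, as an added example that is not part of this project: the hypothetical `check_ca_bundle` function reads the rendered manifest on stdin and fails if any `caBundle` is missing, empty, still a placeholder, or does not decode to a PEM certificate. The `${CA_BUNDLE}` placeholder name, the sample manifest and the dummy bundle are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example. Reads a rendered webhook manifest on stdin and returns 0
# only if every caBundle value base64-decodes to text that starts with a PEM
# certificate header. It does not parse or verify the certificate itself.
check_ca_bundle() {
    bundles=$(sed -n 's/^[[:space:]]*caBundle:[[:space:]]*//p' | tr -d "\"' ")
    while IFS= read -r b; do
        [ -n "$b" ] || { echo "caBundle missing or empty" >&2; return 1; }
        pem=$(printf '%s' "$b" | base64 -d 2>/dev/null) || {
            echo "caBundle is not valid base64" >&2; return 1; }
        case $pem in
            "-----BEGIN CERTIFICATE-----"*) ;;
            *) echo "caBundle is not a PEM certificate" >&2; return 1 ;;
        esac
    done <<EOF
$bundles
EOF
}

# Constructed stand-in for a CA bundle: PEM framing around dummy data.
constructed_bundle() {
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQ=' \
        '-----END CERTIFICATE-----' | base64 | tr -d '\n'
}

# Constructed sample manifest (not the project's file); $1 is the caBundle.
sample_manifest() {
    cat <<EOF
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  name: example-validator
webhooks:
  - name: example.validator.local
    clientConfig:
      service:
        name: example-service
        namespace: kubevirt
      caBundle: $1
EOF
}

sample_manifest "$(constructed_bundle)" | check_ca_bundle && echo "caBundle OK"
sample_manifest '${CA_BUNDLE}' | check_ca_bundle || echo "rejected"
```

Run the check on the output of the extraction pipeline before handing the manifest to `kubectl apply`, so that a failed CA substitution is caught before the webhook is registered.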
Installation - OKD/OCP
- Make sure the validating webhooks are enabled. You either need to configure the platform when you install it
or to use OKD/OCP >= 4.0. See:
- Then, make sure you have the template:view cluster role binding in your cluster. If not, add it:
oc create -f ./cluster/okd/manifests/template-view-role.yaml
- Deploy the service:
kubectl create -f ./cluster/okd/manifests/service.yaml
OKD can automatically generate the TLS certificates thanks to the annotation in the provided manifests. So, unlike step #1
of the Kubernetes installation, you don't have to do this manually.
- Register the webhook. Like for Kubernetes, we need to set up the CA bundle
TODO
Disable the webhook
To disable the webhook, just de-register it from the apiserver:
$KUBECTL delete -f ./cluster/$PLATFORM/manifests/validating-webhook.yaml
Caveats & Gotchas
content pending