kubevirt-template-validator
kubevirt-template-validator is a KubeVirt addon that checks the annotations on templates and rejects them if they are invalid.
It is implemented using a validating webhook.
License
Apache v2
Dependencies
Installation
You need to pick the platform on which you want to install.
For Kubernetes:
export PLATFORM=k8s
For OKD/OCP:
export PLATFORM=okd
Now set the tool you use to interact with the cluster. Usually:
For Kubernetes:
export KUBECTL=kubectl
For OKD/OCP:
export KUBECTL=oc
installation on OKD/OCP
Make sure the validating webhooks are enabled. You either need to configure the platform when you install it
or to use OKD/OCP >= 4.0. See:
Then, make sure you have the template:view cluster role binding in your cluster. If not, add it:
$KUBECTL create -f ./cluster/okd/manifests/template-view-role.yaml
common installation instructions
- first, create and deploy the certificates in a Kubernetes Secret, to be used in the following steps:
./cluster/$PLATFORM/webhook-create-signed-cert.sh
2.a. check that the secret exists:
$KUBECTL get secret -n kubevirt virtualmachine-template-validator-certs
NAME TYPE DATA AGE
virtualmachine-template-validator-certs Opaque 2 1h
- deploy the service:
$KUBECTL create -f ./cluster/$PLATFORM/manifests/service.yaml
- To set up the webhook, we need a CA bundle. We can reuse the one from the certs created in step #1.
cat ./cluster/$PLATFORM/manifests/validating-webhook.yaml | ./cluster/$PLATFORM/extract-ca.sh | $KUBECTL apply -f -
Done!
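A pre-flight check for the manifest rendered in the last step, as an added example that is not part of the project: it confirms that every caBundle field holds a base64-encoded PEM certificate before the manifest reaches $KUBECTL apply. The sample manifest, the webhook name and the ${CA_BUNDLE} placeholder are constructed for illustration, and base64 -d assumes GNU coreutils.

```shell
# Added example, not project code. Reads a rendered ValidatingWebhookConfiguration
# on stdin and checks each clientConfig.caBundle. Only PEM framing is verified,
# not the X.509 content. Assumes GNU coreutils base64 (-d).
# Returns: 0 ok, 1 no caBundle field, 2 empty or unexpanded placeholder,
#          3 not base64 of a PEM certificate.
check_ca_bundle() {
    manifest=$(cat)
    printf '%s\n' "$manifest" | grep -q '^[[:space:]]*caBundle:' || return 1
    # Emit "=<value>" per caBundle so an empty value still yields a line.
    values=$(printf '%s\n' "$manifest" |
        sed -n 's/^[[:space:]]*caBundle:[[:space:]]*/=/p' | tr -d "\"' \t\r")
    while IFS= read -r value; do
        value=${value#=}
        case "$value" in
            ''|*'$'*) return 2 ;;  # empty, or e.g. a leftover ${CA_BUNDLE}
        esac
        decoded=$(printf '%s' "$value" | base64 -d 2>/dev/null) || return 3
        case "$decoded" in
            *'-----BEGIN CERTIFICATE-----'*'-----END CERTIFICATE-----'*) ;;
            *) return 3 ;;
        esac
    done <<EOF
$values
EOF
    return 0
}

# Constructed stand-in for a CA bundle: PEM framing around dummy data.
sample_ca_bundle() {
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Y29uc3RydWN0ZWQ=' \
        '-----END CERTIFICATE-----' | base64 | tr -d '\n'
}

# Constructed manifest; the webhook name is hypothetical. $1 is the caBundle value.
sample_manifest() {
    cat <<EOF
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
webhooks:
  - name: example.validator.local
    clientConfig:
      caBundle: $1
EOF
}

# Usage: capture the output of extract-ca.sh in a variable, pipe it through
# check_ca_bundle, and run "$KUBECTL apply -f -" only if the check returns 0.
```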
Disable the webhook
To disable the webhook, just de-register it from the apiserver:
$KUBECTL delete -f ./cluster/$PLATFORM/manifests/validating-webhook.yaml
Caveats & Gotchas
content pending