Dynamically add volumes to all pods inside all namespaces with the label k8s-volume-injector: "true".
Use cases:
- You need to mount /etc/ssl/certs as a hostPath for every pod in order to get pods to trust private CA certificates.
- You need to mount a PersistentVolumeClaim for every pod in order to save logs or data.

Prerequisites:
- A Kubernetes cluster up and running
- cert-manager needs to be installed

Installation:
- Create the namespace k8s-volume-injector:
kubectl apply -f deployment/01_namespace.yaml
- Configure your k8s-volume-injector instance:
vim deployment/02_configmap.yaml # Edit volumes and volumeMounts as needed
kubectl apply -f deployment/02_configmap.yaml
- Deploy k8s-volume-injector:
kubectl apply -f deployment/03_deployment.yaml
NOTE: Wait until the pod is running and ready:
kubectl get po -n k8s-volume-injector
NAME                                   READY   STATUS    RESTARTS   AGE
k8s-volume-injector-776fb7cd9f-v9vnz   1/1     Running   0          10s
- Configure the CA bundle for the webhook:
caBundle=$( kubectl get secrets -n k8s-volume-injector k8s-volume-injector-cert -o go-template='{{ index .data "ca.crt" }}' )
sed "s@___CA_BUNDLE___@$caBundle@g" deployment/04_webhook.yaml.tmpl > deployment/04_webhook.yaml
- Deploy the webhook:
kubectl apply -f deployment/04_webhook.yaml
- Deploy a demo nginx pod:
kubectl apply -f examples/demo.yaml
- Verify volumes and volumeMounts:
$ kubectl -n k8s-volume-injector-demo describe po testpod1
Name: testpod1
Namespace: k8s-volume-injector-demo
...
Containers:
web:
...
Mounts:
/etc/ssl/certs from etc-ssl-certs (ro)
...
...
Volumes:
...
etc-ssl-certs:
Type: HostPath (bare host directory volume)
Path: /etc/ssl/certs
HostPathType:
...
- Cleanup:
kubectl delete -f deployment/04_webhook.yaml # Delete the webhook first to ensure that the service is not affected
kubectl delete -f deployment/
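
The verification step above inspects one pod by hand. The following added example (not part of the k8s-volume-injector project) generalizes it to every pod in a saved `kubectl get pods -A -o json` file: it reports hostPath volumes mounted without readOnly and pods in injected namespaces that lack the /etc/ssl/certs mount. The function name, the sample pods testpod2 and logger, and the namespace "other" are assumptions constructed for illustration.

```python
import json
import sys

# Constructed sample shaped like `kubectl get pods -A -o json` (not real cluster output).
def _pod(ns, name, mounts, volumes):
    return {"metadata": {"namespace": ns, "name": name},
            "spec": {"containers": [{"name": "web", "volumeMounts": mounts}],
                     "volumes": volumes}}

CERTS = {"name": "etc-ssl-certs", "hostPath": {"path": "/etc/ssl/certs"}}
SAMPLE = {"items": [
    _pod("k8s-volume-injector-demo", "testpod1",
         [{"name": "etc-ssl-certs", "mountPath": "/etc/ssl/certs", "readOnly": True}],
         [CERTS]),
    # Constructed case: a pod admitted before the webhook was deployed is never mutated.
    _pod("k8s-volume-injector-demo", "testpod2", [], []),
    _pod("other", "logger",
         [{"name": "varlog", "mountPath": "/host/log"}],
         [{"name": "varlog", "hostPath": {"path": "/var/log"}}]),
]}

def audit_pods(pod_list, injected_ns, host_path="/etc/ssl/certs"):
    """Return sorted (namespace, pod, container, issue) tuples."""
    findings = []
    for pod in pod_list.get("items", []):
        ns, name = pod["metadata"]["namespace"], pod["metadata"]["name"]
        spec = pod.get("spec", {})
        # volume name -> host path, for every hostPath volume declared by the pod
        host_vols = {v["name"]: v["hostPath"]["path"]
                     for v in spec.get("volumes", []) if "hostPath" in v}
        for kind in ("initContainers", "containers"):
            for c in spec.get(kind, []):
                seen = False
                for m in c.get("volumeMounts", []):
                    src = host_vols.get(m["name"])
                    if src is None:
                        continue  # mount is not backed by the node filesystem
                    seen = seen or src == host_path
                    if not m.get("readOnly", False):
                        findings.append((ns, name, c["name"], f"writable hostPath {src}"))
                # Assumption: the injector is expected to mount into regular containers.
                if kind == "containers" and ns in injected_ns and not seen:
                    findings.append((ns, name, c["name"], f"missing {host_path}"))
    return sorted(findings)

if __name__ == "__main__":
    data = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    for finding in audit_pods(data, {"k8s-volume-injector-demo"}):
        print(*finding)
```

Run it with the path to a saved pod list as the only argument; with no argument it audits the constructed sample.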