Understanding and Extending Admission Controllers

This repository is the proving ground for learning about and implementing admission controllers. The walk-through contains my thinking process.

0. Create a kind cluster

make cluster-init

1. Generate TLS keys and certificates to setup the Webhook Server

make gen-keys

2. Add a Secret to hold the tls.crt and tls.key and add it to the manifests directory

kubectl -n submariner create secret tls webhook-server-tls \
    --cert "./keys/webhook-server-tls.crt" \
    --key "./keys/webhook-server-tls.key" \
    --dry-run=client -o yaml

3. Base64 encode the ca.crt generated in Step 2 and add it to the mutatingwebookconfig.yaml as the caBundle dynamically using make (so we don't commit the ca.crt)

base64 ./keys/ca.crt

webooks:
  - name: mutating-webhook-configuration
    namespace: submariner
    caBundle: "{{FILL HERE}}"

• A Guide to Kubernetes Admission Controllers
• What Does Each Admission Controller Do
• Stackrox Demo

🥃 J.Stone 💎