This project was initiated with two primary goals in mind:
- Explore the capabilities of Kubernetes mutating webhooks.
- Facilitate the upgrade process of Ingress objects' API version from `extensions/v1beta1` and `networking.k8s.io/v1beta1` to `networking.k8s.io/v1`.
The main intention behind this project was to see if mutating webhooks could be used to fix unsupported legacy API versions and objects. By doing so, the Kubernetes upgrade process could be simplified. With the introduction of mutating webhooks, Kubernetes users would then have the flexibility to adjust their Kubernetes objects at their own pace.
- Kubernetes API Libraries: Used to handle, decode, and interact with Kubernetes objects.
- HTTP and JSON: To serve the webhook over HTTP and encode/decode requests and responses.
- `serve`: Main HTTP request handler. Reads the request body, deserializes it, and processes it based on its type.
- `readRequestBody`: Reads the HTTP request body.
- `deserializeRequestBody`: Decodes the incoming HTTP request to determine its Kubernetes kind.
- `createResponseObject`: Based on the decoded request, forms the appropriate response. The main logic is applied if the request is of kind `AdmissionReview`, leading to potential modifications to the Ingress object.
- `sendResponse`: Encodes and sends the response back to the Kubernetes API server.
- `handleError`: Common function to handle and log errors.
- `mutateIngress`: Core mutation function. Checks the provided Ingress object's annotations and, if applicable, modifies the backend service configuration.
- The webhook listens on port 8443 at the `/rodsmutator` endpoint.
- When an Ingress object is created or modified, and the annotations `mutate/service-name` and `mutate/service-port` are provided, the webhook modifies the Ingress object to target the service specified by those annotations.
- If the annotations are missing or incomplete, an error is returned.
- The mutation ensures that the backend service details are replaced with the ones specified in the annotations and sets the `pathType` to `Prefix`.
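
The mutation rule described above, as an added example that is not the project's own code: it validates the two annotations before trusting them and expresses the change as JSON Patch operations. The names `buildPatch`, `patchOp`, `svcName` and `sample`, the stand-in types, and the DNS-label check on the service name are assumptions made for this sketch.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strconv"
)

// Stand-in types with only the fields read here (assumption: not the k8s.io/api types).
type rule struct {
	HTTP struct{ Paths []json.RawMessage `json:"paths"` } `json:"http"`
}
type ingress struct {
	Metadata struct{ Annotations map[string]string `json:"annotations"` } `json:"metadata"`
	Spec     struct{ Rules []rule `json:"rules"` } `json:"spec"`
}
type patchOp map[string]interface{}
// Assumption: Service names are restricted to RFC 1035 DNS labels.
var svcName = regexp.MustCompile(`^[a-z]([-a-z0-9]{0,61}[a-z0-9])?$`)
// Constructed sample object, not taken from the project.
const sample = `{"metadata":{"annotations":{"mutate/service-name":"web","mutate/service-port":"8080"}},"spec":{"rules":[{"http":{"paths":[{"path":"/"}]}}]}}`

// buildPatch (hypothetical helper) rejects missing or malformed annotations, then patches every path.
func buildPatch(raw []byte) ([]patchOp, error) {
	var ing ingress
	if err := json.Unmarshal(raw, &ing); err != nil {
		return nil, fmt.Errorf("decode ingress: %w", err)
	}
	a := ing.Metadata.Annotations // a nil map reads as empty strings, which fail validation
	name, port := a["mutate/service-name"], a["mutate/service-port"]
	n, err := strconv.Atoi(port)
	if err != nil || n < 1 || n > 65535 || !svcName.MatchString(name) {
		return nil, fmt.Errorf("missing or invalid annotations: name=%q port=%q", name, port)
	}
	svc := patchOp{"service": patchOp{"name": name, "port": patchOp{"number": n}}}
	var ops []patchOp
	for i, r := range ing.Spec.Rules {
		for j := range r.HTTP.Paths {
			p := fmt.Sprintf("/spec/rules/%d/http/paths/%d", i, j)
			ops = append(ops, patchOp{"op": "add", "path": p + "/backend", "value": svc},
				patchOp{"op": "add", "path": p + "/pathType", "value": "Prefix"})
		}
	}
	return ops, nil
}

func main() {
	fmt.Println(buildPatch([]byte(sample)))
}
```

In an `AdmissionReview` response, the marshalled operations go in `response.patch` with `patchType` set to `JSONPatch`.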
The webhook server uses TLS for secure communication. The paths to the TLS certificate and private key are hardcoded as `./tls.crt` and `./tls.key` respectively. The server starts by calling the `main` function, setting up an HTTP server, and listening for incoming requests on port `8443`.
One of the key takeaways from this project is the realization that, for the request to successfully reach the mutating webhook service, a valid API version and object compatible with the Kubernetes version in use are required. This realization led me to use annotations as a solution, minimizing the changes users would need to make to their Ingress objects. This approach helps users adapt their Ingress objects with minimal effort, making the transition smoother.