Webhooks are HTTP callbacks triggered by the Kubernetes API server during resource operations.<\/p>\n
There are two main types<\/p>\n
A validating webhook configuration<\/p>\n
\r\napiVersion: admissionregistration.k8s.io\/v1\r\nkind: ValidatingWebhookConfiguration\r\nmetadata:\r\n name: validate-pods.k8s.io\r\nwebhooks:\r\n - name: podcheck.k8s.io\r\n rules:\r\n - apiGroups: [""]\r\n apiVersions: ["v1"]\r\n operations: ["CREATE"]\r\n resources: ["pods"]\r\n clientConfig:\r\n service:\r\n name: pod-validator\r\n namespace: default\r\n path: "\/validate"\r\n caBundle: <base64-ca>\r\n admissionReviewVersions: ["v1"]\r\n sideEffects: None\r\n<\/pre>\nEssentially k8s web hooks give us the opportunity to intercept k8s API requests such as CREATE, UPDATE or DELETE. Using webhooks we can accept of reject requests without modifying the k8s object.<\/p>\n
In the example YAML above, we’re going to intercept CREATE calls for pods. This is a validate-pods.k8s.io<\/em> or validating web hook, which is non-mutating and can reject requests but not modify them. The name of the web hook is podcheck.k8s.io<\/em> and then we have the rules, which we’ve already touched on. Then we have the clientConfig<\/em> which will use our pod-validator<\/em> service in the default namespace and the path \/validate<\/em>. For example this would mean a service is accessible via https:\/\/pod-validator.default.svc\/validate. The sideEffects<\/em> of None<\/em> means this webhook doesn’t write to external systems, hence is safe for retries.<\/p>\n
The webhook server must expose an HTTPS endpoint which access AdmissionReview requests and should return a response to denote whether the operation can proceed.<\/p>\n
The AdmissionReview request will look similar to this for a pod CREATE<\/p>\n
\r\n{\r\n "apiVersion": "admission.k8s.io\/v1",\r\n "kind": "AdmissionReview",\r\n "request": {\r\n "uid": "1234abcd-5678-efgh-ijkl-9012mnopqrst",\r\n "kind": {\r\n "group": "",\r\n "version": "v1",\r\n "kind": "Pod"\r\n },\r\n "resource": {\r\n "group": "",\r\n "version": "v1",\r\n "resource": "pods"\r\n },\r\n "requestKind": {\r\n "group": "",\r\n "version": "v1",\r\n "kind": "Pod"\r\n },\r\n "requestResource": {\r\n "group": "",\r\n "version": "v1",\r\n "resource": "pods"\r\n },\r\n "name": null,\r\n "namespace": "default",\r\n "operation": "CREATE",\r\n "userInfo": {\r\n "username": "system:serviceaccount:default:deployer",\r\n "uid": "abc123",\r\n "groups": [\r\n "system:serviceaccounts",\r\n "system:authenticated"\r\n ]\r\n },\r\n "object": {\r\n "apiVersion": "v1",\r\n "kind": "Pod",\r\n "metadata": {\r\n "name": "example-pod",\r\n "namespace": "default",\r\n "labels": {\r\n "app": "demo"\r\n }\r\n },\r\n "spec": {\r\n "containers": [\r\n {\r\n "name": "nginx",\r\n "image": "nginx:1.21",\r\n "resources": {\r\n "limits": {\r\n "cpu": "500m",\r\n "memory": "128Mi"\r\n }\r\n }\r\n }\r\n ]\r\n }\r\n },\r\n "oldObject": null,\r\n "dryRun": false\r\n }\r\n}\r\n<\/pre>\nA response will look something like this<\/p>\n
\r\n{\r\n "apiVersion": "admission.k8s.io\/v1",\r\n "kind": "AdmissionReview",\r\n "response": {\r\n "uid": "1234abcd-5678-efgh-ijkl-9012mnopqrst",\r\n "allowed": true,\r\n "status": {\r\n "code": 200,\r\n "message": "Pod validated successfully"\r\n }\r\n }\r\n}\r\n<\/pre>\nThe allowed<\/em> field can just be sent to false which minimal response like the one below<\/p>\n
\r\n"allowed": false,\r\n"status": {\r\n "code": 400,\r\n "message": "Missing required label: team"\r\n}\r\n<\/pre>\n","protected":false},"excerpt":{"rendered":"Webhooks are HTTP callbacks triggered by the Kubernetes API server during resource operations. There are two main types Mutating Webhook: Modify or inject fields into a resource Validating Webook: Accept or reject a resource based upon logic A validating webhook configuration apiVersion: admissionregistration.k8s.io\/v1 kind: ValidatingWebhookConfiguration metadata: name: validate-pods.k8s.io webhooks: – name: podcheck.k8s.io rules: – apiGroups: […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[314],"tags":[],"class_list":["post-11663","post","type-post","status-publish","format-standard","hentry","category-kubernetes"],"jetpack_sharing_enabled":true,"jetpack_featured_media_url":"","_links":{"self":[{"href":"https:\/\/putridparrot.com\/blog\/wp-json\/wp\/v2\/posts\/11663","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/putridparrot.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/putridparrot.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/putridparrot.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/putridparrot.com\/blog\/wp-json\/wp\/v2\/comments?post=11663"}],"version-history":[{"count":3,"href":"https:\/\/putridparrot.com\/blog\/wp-json\/wp\/v2\/posts\/11663\/revisions"}],"predecessor-version":[{"id":11954,"href":"https:\/\/putridparrot.com\/blog\/wp-json\/wp\/v2\/posts\/11663\/revisions\/11954"}],"wp:attachment":[{"href":"https:\/\/putridparrot.com\/blog\/wp-json\/wp\/v2\/media?parent=11663"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/putridparrot.com\/blog\/wp-json\/wp\/v2\/categories?post=11663"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/putridparrot.com\/blog\/wp-json\/wp\/v2\/tags?post=11663"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}