Merge pull request #730 from denis-tingaikin/add-admission-webhook-de…

…ployments feat: Add admission-webhook-k8s deployment and example
networkservicemesh · Apr 7, 2021 · 3509653 · 3509653
2 parents a968d84 + c7895dc
commit 3509653
Show file tree

Hide file tree

Showing 10 changed files with 248 additions and 1 deletion.
diff --git a/apps/admission-webhook-k8s/admission-webhook.yaml b/apps/admission-webhook-k8s/admission-webhook.yaml
@@ -0,0 +1,40 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: admission-webhook-k8s
+  labels:
+    app: admission-webhook-k8s
+spec:
+  selector:
+    matchLabels:
+      app: admission-webhook-k8s
+  template:
+    metadata:
+      labels:
+        app: admission-webhook-k8s
+    spec:
+      serviceAccount: admission-webhook-sa
+      containers:
+        - name: admission-webhook-k8s
+          image: networkservicemeshci/cmd-admission-webhook-k8s:master
+          imagePullPolicy: IfNotPresent
+          env:
+            - name: SPIFFE_ENDPOINT_SOCKET
+              value: unix:///run/spire/sockets/agent.sock
+            - name: NSM_SERVICE_NAME
+              value: admission-webhook-svc
+            - name: NSM_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.name
+            - name: NSM_NAMESPACE
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.namespace
+            - name: NSM_ANNOTATION
+              value: networkservicemesh.io
+            - name: NSM_CONTAINER_IMAGES
+              value: networkservicemeshci/cmd-nsc:281975be
+            - name: NSM_INIT_CONTAINER_IMAGES
+              value: networkservicemeshci/cmd-nsc-init:master
diff --git a/apps/admission-webhook-k8s/binding.yaml b/apps/admission-webhook-k8s/binding.yaml
@@ -0,0 +1,12 @@
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: admission-webhook-binding
+subjects:
+  - kind: ServiceAccount
+    name: admission-webhook-sa
+roleRef:
+  kind: ClusterRole
+  name: admission-webhook-role
+  apiGroup: rbac.authorization.k8s.io
diff --git a/apps/admission-webhook-k8s/kustomization.yaml b/apps/admission-webhook-k8s/kustomization.yaml
@@ -0,0 +1,12 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+- service.yaml
+- sa.yaml
+- admission-webhook.yaml
+- binding.yaml
+- role.yaml
+
+namespace: default
diff --git a/apps/admission-webhook-k8s/role.yaml b/apps/admission-webhook-k8s/role.yaml
@@ -0,0 +1,13 @@
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: admission-webhook-role
+  labels:
+    rbac.authorization.k8s.io/aggregate-to-admin: "true"
+    rbac.authorization.k8s.io/aggregate-to-edit: "true"
+rules:
+  - apiGroups: ["admissionregistration.k8s.io"]
+    resources:
+      - "mutatingwebhookconfigurations"
+    verbs: ["*"]
diff --git a/apps/admission-webhook-k8s/sa.yaml b/apps/admission-webhook-k8s/sa.yaml
@@ -0,0 +1,5 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: admission-webhook-sa
diff --git a/apps/admission-webhook-k8s/service.yaml b/apps/admission-webhook-k8s/service.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: admission-webhook-svc
+  labels:
+    app: admission-webhook-k8s
+spec:
+  ports:
+    - port: 443
+      targetPort: 443
+  selector:
+    app: admission-webhook-k8s
diff --git a/examples/basic/README.md b/examples/basic/README.md
@@ -57,5 +57,6 @@ kubectl apply -k .
 To free resouces follow the next command:
 
 ```bash
+kubectl delete mutatingwebhookconfiguration --all
 kubectl delete ns nsm-system
 ```
diff --git a/examples/basic/kustomization.yaml b/examples/basic/kustomization.yaml
@@ -8,3 +8,4 @@ bases:
 - ../../apps/nsmgr
 - ../../apps/forwarder-vpp
 - ../../apps/registry-k8s
+- ../../apps/admission-webhook-k8s
diff --git a/examples/features/README.md b/examples/features/README.md
@@ -14,5 +14,5 @@ To run any feature example follow steps for [Basic NSM setup](../basic)
 - Heal
 - Refresh
 - Timeout
-- Admission webhook
+- [Admission webhook](./webhook)
 - DNS
diff --git a/examples/features/webhook/README.md b/examples/features/webhook/README.md
@@ -0,0 +1,150 @@
+# Alpine requests for postgresql service
+
+This example demonstrates how alpine can get connectivity to Postgres deployment via NSM.
+Alpine pod and Postgres deployment located on different nodes.
+
+
+## Requires
+
+Make sure that you have completed steps from [features](../)
+
+## Run
+
+1. Create test namespace:
+```bash
+NAMESPACE=($(kubectl create -f ../../use-cases/namespace.yaml)[0])
+NAMESPACE=${NAMESPACE:10}
+```
+
+2. Register namespace in `spire` server:
+```bash
+kubectl exec -n spire spire-server-0 -- \
+/opt/spire/bin/spire-server entry create \
+-spiffeID spiffe://example.org/ns/${NAMESPACE}/sa/default \
+-parentID spiffe://example.org/ns/spire/sa/spire-agent \
+-selector k8s:ns:${NAMESPACE} \
+-selector k8s:sa:default
+```
+
+3. Get all available nodes to deploy:
+```bash
+NODES=($(kubectl get nodes -o go-template='{{range .items}}{{ if not .spec.taints  }}{{index .metadata.labels "kubernetes.io/hostname"}} {{end}}{{end}}'))
+```
+
+4. Create alpine deployment and set `nodeSelector` to the first node:
+```bash
+cat > alpine.yaml <<EOF
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: alpine
+  annotations:
+    networkservicemesh.io: kernel://my-postgres-service/nsm-1
+  labels:
+    app: alpine
+spec:
+  containers:
+  - name: alpine
+    image: alpine
+    stdin: true
+    tty: true
+  nodeSelector:
+    kubernetes.io/hostname: ${NODES[0]}
+EOF
+```
+
+5. Add to nse-kernel the postgres container and set `nodeSelector` it to the second node:
+```bash
+cat > patch-nse.yaml <<EOF
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: nse-kernel
+spec:
+  template:
+    spec:
+      containers:
+        - name: postgres
+          image: postgres
+          ports:
+            - containerPort: 5432
+          env:
+            - name: POSTGRES_DB
+              value: test
+            - name: POSTGRES_USER
+              value: admin
+            - name: POSTGRES_PASSWORD
+              value: admin
+        - name: nse
+          env:
+            - name: NSE_SERVICE_NAME
+              value: my-postgres-service
+            - name: NSE_CIDR_PREFIX
+              value: 172.16.1.100/31
+      nodeSelector:
+        kubernetes.io/hostname: ${NODES[1]}
+EOF
+```
+
+6. Create kustomization file:
+```bash
+cat > kustomization.yaml <<EOF
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+namespace: ${NAMESPACE}
+
+bases:
+- ../../../apps/nse-kernel
+
+resources:
+- alpine.yaml
+
+patchesStrategicMerge:
+- patch-nse.yaml
+EOF
+```
+
+7. Deploy alpine and postgres-nse
+```bash
+kubectl apply -k .
+```
+
+8. Wait for applications ready:
+```bash
+kubectl wait --for=condition=ready --timeout=1m pod alpine -n ${NAMESPACE}
+```
+```bash
+kubectl wait --for=condition=ready --timeout=5m pod -l app=nse-kernel -n ${NAMESPACE}
+```
+
+9. Find NSC and NSE pods by labels:
+```bash
+NSC=$(kubectl get pods -l app=alpine -n ${NAMESPACE} --template '{{range .items}}{{.metadata.name}}{{"\n"}}{{end}}')
+```
+```bash
+NSE=$(kubectl get pods -l app=nse-kernel -n ${NAMESPACE} --template '{{range .items}}{{.metadata.name}}{{"\n"}}{{end}}')
+```
+
+10. Install to alpine psql:
+```bash
+kubectl exec ${NSC} -n ${NAMESPACE} -- apk update 
+```
+```bash
+kubectl exec ${NSC} -n ${NAMESPACE} -- apk add postgresql
+```
+
+11. Try to connect from alpine to database from postgresql service:
+```bash
+kubectl exec ${NSC} -n ${NAMESPACE} -c alpine -- sh -c 'PGPASSWORD=admin psql -h 172.16.1.100 -p 5432 -U admin test'
+```
+
+## Cleanup
+
+Delete ns:
+```bash
+kubectl delete ns ${NAMESPACE}
+```
-Original file line number
+Diff line change
@@ Expand Up @@
     - Heal
     - Refresh
     - Timeout
-    - Admission webhook
+    - [Admission webhook](./webhook)
     - DNS