feature: mutating webhook post ready

developer-guy · developer-guy · commit 648583880ba3 · 2020-11-22T22:15:59.000+03:00
Signed-off-by: Batuhan Apaydın &lt;batuhan.apaydin@trendyol.com&gt;
diff --git a/_posts/2020-10-27-kubernetes-webhooks-made-easy-with-openfaas.md b/_posts/2020-10-27-kubernetes-webhooks-made-easy-with-openfaas.md
@@ -146,6 +146,12 @@ $ cd deployment
 $ kubectl apply -f rbac.yaml,service.yaml,deployment.yaml
 ```
 
+* Label the default namespace to enable the webhook
+
+```sh
+$ kubectl label namespaces default admission-webhook-example=enabled
+```
+
 ### 5. Build and Deploy OpenFaaS Function (Optional)
 
 * Pull the [golang-middleware](https://github.com/openfaas-incubator/golang-http-template) template from [OpenFaaS Official Template Store](https://github.com/openfaas/store)
diff --git a/_posts/2020-11-2-kubernetes-webhooks-made-easy-with-openfaas-part-2.md b/_posts/2020-11-2-kubernetes-webhooks-made-easy-with-openfaas-part-2.md
@@ -0,0 +1,281 @@
+---
+title: "Kubernetes Webhooks made easy with OpenFaaS - Part 2"
+description: "In this post you'll learn how to write Kubernetes Admission webhooks using OpenFaaS functions - Part 2"
+date: 2020-11-2
+image: /images/2020-10-27-k8s-validatingwebhook-openfaas/puzzle.jpg
+categories:
+  - arkade
+  - kubectl
+  - faas-cli
+  - admissionwebhooks
+  - mutatingadmissionwebhooks
+  - k8s extensibility
+author_staff_member: developer-guy
+dark_background: true
+---
+
+In this post you'll learn how to write Kubernetes Admission webhooks using OpenFaaS functions - Part 2
+
+<p align="center">
+<img height="128" src="/images/openfaas/kubernetes.png">
+</p>
+
+## Introduction to Kubernetes Mutating Admission webhooks
+In the previous [part](https://www.openfaas.com/blog/kubernetes-webhooks-made-easy-with-openfaas/), we talked about what Kubernetes Admission Webhooks are and how can we use Validating Admission Webhook.
+
+Today we are gonna talk about Mutating Admission Webhook and demonstrate how can we use it as OpenFaaS Function.
+
+The main difference between the two types of admission webhook are pretty self-explanatory: validating webhooks can reject a request, but they cannot modify the object they are receiving in the admission request, while mutating webhooks can modify objects by creating a patch that will be sent back in the admission response and can reject a request too. If a webhook rejects a request, an error is returned to the end-user.
+
+Also, the other difference between two types are validating webhooks are called in parallel and mutating webhooks are called in-sequence by the api-server.
+
+## The Scenario
+This time we will inject a file to the container filesystem using [configMap volume](https://kubernetes.io/docs/concepts/storage/volumes/#configmap) automatically by the Mutating Admission Webhook.
+
+In order to do that, we need to create a file that will inject by the Mutating Admission Webhook to the container's filesystem like below:
+
+```sh
+$ cat functions/fileinjector/hello-openfaas.txt
+  _  _     _ _        ___                 ___          ___
+ | || |___| | |___   / _ \ _ __  ___ _ _ | __|_ _ __ _/ __|
+ | __ / -_) | / _ \ | (_) | '_ \/ -_) ' \| _/ _` / _` \__ \
+ |_||_\___|_|_\___/  \___/| .__/\___|_||_|_|\__,_\__,_|___/
+                          |_|
+```
+
+There is one important thing we need to say about Mutating Admission webhook is that:
+
+> In a mutating admission controller webhook, mutations are performed via JSON patches. While the JSON patch standard includes a lot of intricacies that go well beyond the scope of this discussion, the Go data structure in our example as well as its usage should give the user a good initial overview of how JSON patches work:
+
+```golang
+type patchOperation struct {
+  Op    string      `json:"op"`
+  Path  string      `json:"path"`
+  Value interface{} `json:"value,omitempty"`
+}
+```
+
+For setting the field .spec.securityContext.runAsNonRoot of a pod to true, we construct the following patchOperation object:
+
+```golang
+patches = append(patches, patchOperation{
+  Op:    "add",
+  Path:  "/spec/securityContext/runAsNonRoot",
+  Value: true,
+})
+```
+
+Reminder, we will use the same workflow defined in previous post like below:
+
+* Kubernetes API -> Webhook (w/TLS) -> OpenFaaS Gateway (w/HTTP) -> OpenFaaS Function
+
+![Workflow](/images/2020-10-27-k8s-validatingwebhook-openfaas/admission-controller-phases.png)
+> Credit: [https://kubernetes.io/blog/2019/03/21/a-guide-to-kubernetes-admission-controllers/](https://kubernetes.io/blog/2019/03/21/a-guide-to-kubernetes-admission-controllers/)
+
+### Prerequisites
+##### Arkade
+
+* [arkade](https://get-arkade.dev) is The OpenFaaS community built tool for Kubernetes developers, with arkade you can easily install all necessary cli tools to your host and deploy apps to the cluster.
+
+```sh
+$ curl -sLS https://dl.get-arkade.dev | sudo sh
+```
+
+##### KinD (Kubernetes in Docker)
+
+*  Kubernetes is our recommendation for teams running at scale, but in this demo we will be using [KinD](https://kind.sigs.k8s.io/docs/user/quick-start/) for the sake of simplicity.
+
+```sh
+$ arkade get kind
+```
+
+##### kubectl
+
+* You can control your cluster using [kubectl](https://github.com/kubernetes/kubectl) CLI.
+
+```sh
+$ arkade get kubectl
+```
+
+##### faas-cli
+
+* [faas-cli](https://github.com/openfaas/faas-cli) is an official CLI for OpenFaaS , with "faas-cli" you can build and deploy functions easily.
+
+```sh
+$ arkade get faas-cli
+```
+
+### Setup
+
+### 1. Setup a Kubernetes Cluster with KinD
+
+You can start a Kubernetes cluster with KinD if you don't have one already
+
+```bash
+$ arkade get kind
+$ kind create cluster
+```
+
+### 2. Deploy OpenFaaS to our local Kubernetes Cluster with arkade:
+
+* Install a OpenFaaS
+
+```sh
+$ arkade install openfaas
+```
+
+Read the output from the installation and run the commands given to you.
+
+You can access them again at any time with `arkade info openfaas`
+
+### 3. Clone the project
+
+* Clone the sample from GitHub
+
+```sh
+$ git clone https://github.com/developer-guy/admission-webhook-example-with-openfaas
+$ cd admission-webhook-example-with-openfaas
+$ git checkout feature/mutating
+```
+
+* Let's explore the structure of the project.
+
+```
+deployment/ --> includes necessary manifests and scripts for the deployment of the project
+functions/ --> includes templates and the requiredlabel function itself
+Dockerfile --> includes instructions to build an image of the project
+build --> automated way to build and push an image of the project
+```
+
+### 4. Deploy MutatingAdmissionWebhook
+
+* We will generate the TLS certificates required for the ValidatingAdmissionWebhook using the following: [Kubernetes TLS Certificates Management](https://kubernetes.io/docs/tasks/tls/managing-tls-in-a-cluster/)
+
+```sh
+$ cd deployment
+$ sh webhook-create-signed-cert.sh
+```
+
+* Get the Certificate Authority (CA) from the local cluster
+
+```sh
+$ export CA_BUNDLE=$(kubectl config view --minify --flatten -o json | jq -r '.clusters[] | select(.name == "'$(kubectl config current-context)'") | .cluster."certificate-authority-data"')
+$ sed -e "s|\${CA_BUNDLE}|${CA_BUNDLE}|g" mutatingwebhook.yaml | kubectl apply -f -
+$ cd ..
+```
+
+* Build the project
+
+```sh
+$ export DOCKER_USER="docker-hub-username"
+$ ./build
+```
+
+Now edit `deployment.yaml` and set 'DOCKER_USER' to the above.
+
+* Deploy it project
+
+```sh
+$ cd deployment
+$ kubectl apply -f rbac.yaml,service.yaml,deployment.yaml
+# Label the default namespace to enable the webhook
+$ kubectl label namespaces default admission-webhook-example=enabled
+```
+
+* This time we are using "fileinjector" as a FUNCTION_NAME environment variable in the deployment.yaml file
+
+```yaml
+env:
+  - name: FUNCTION_NAME
+    value: fileinjector
+```
+
+### 5. Build and Deploy OpenFaaS Function (Optional)
+
+* Pull the [golang-middleware](https://github.com/openfaas-incubator/golang-http-template) template from [OpenFaaS Official Template Store](https://github.com/openfaas/store)
+
+```sh
+$ faas-cli template store list # check available templates in store
+$ faas-cli template store describe golang-middleware # describe the specific template
+$ faas-cli template store pull golang-middleware
+```
+
+* Create the function
+
+```sh
+$ export OPENFAAS_PREFIX=$DOCKER_USER
+$ faas-cli new fileinjector --lang go-middleware
+$ cd fileinjector
+$ go mod init fileinjector
+$ # fill the handler.go with the corresponding code: [functions/fileinjector/handler.go](https://github.com/developer-guy/admission-webhook-example-with-openfaas/blob/feature/mutating/functions/fileinjector/handler.go)
+$ go get
+```
+
+* Deploy the function
+
+```sh
+$ cd functions
+$ faas-cli up -f fileinjector.yml --build-arg GO111MODULE=on # (build-push-deploy) make sure you are using your docker hub username. i.e: devopps
+```
+
+* Verify the functions that are working in `openfaas-fn` namespace
+
+```sh
+$ kubectl get pods --namespace openfaas-fn
+```
+
+### 6. Testing the whole workflow
+* The purpose of this PoC is that to add a simple volume which is type configMap and volumeMount which is mounted to that volume to the pod automatically by our Mutating Admission Webhook. 
+
+* First, we need to create a ConfigMap to be able to mount a file to the Pod:
+
+```sh
+$ cat functions/fileinjector/hello-openfaas.txt
+
+  _  _     _ _        ___                 ___          ___
+ | || |___| | |___   / _ \ _ __  ___ _ _ | __|_ _ __ _/ __|
+ | __ / -_) | / _ \ | (_) | '_ \/ -_) ' \| _/ _` / _` \__ \
+ |_||_\___|_|_\___/  \___/| .__/\___|_||_|_|\__,_\__,_|___/
+                          |_|
+```
+
+```
+$ kubectl create hello-configmap --from-file=functions/fileinjector/hello-openfaas.txt
+```
+
+* Now , you can apply the Pod manifest, once you done, you will notice that Pod includes a volume + volumeMount additional to the manifest you wrote in the beginning
+
+```sh
+$ kubectl apply -f busybox.yaml
+```
+
+* Check the logs of the Pod, you will see "Hello OpenFaaS" text as the output of the container.
+
+```sh
+$ kubectl logs -f busybox
+
+  _  _     _ _        ___                 ___          ___
+ | || |___| | |___   / _ \ _ __  ___ _ _ | __|_ _ __ _/ __|
+ | __ / -_) | / _ \ | (_) | '_ \/ -_) ' \| _/ _` / _` \__ \
+ |_||_\___|_|_\___/  \___/| .__/\___|_||_|_|\__,_\__,_|___/
+                          |_|
+```
+
+### Join the community
+
+Have you got questions, comments, or suggestions? Join the community on [Slack](https://slack.openfaas.io).
+
+Would you like help to set up your OpenFaaS installation, or someone to call when things don't quite go to plan? [Our Premium Subscription plan](https://www.openfaas.com/support/) gives you a say in the project roadmap, a support contact, and access to Enterprise-grade authentication with OIDC.
+
+### Acknowledgements
+
+* Special Thanks to [Alex Ellis](https://twitter.com/alexellisuk) for all guidance and for merging changes into OpenFaaS to better support this workflow.
+* Special Thanks to [Furkan Türkal](https://twitter.com/furkanturkaI) for all the support.
+
+### References
+* [https://banzaicloud.com/blog/k8s-admission-webhooks](https://banzaicloud.com/blog/k8s-admission-webhooks)
+* [https://kubernetes.io/blog/2019/03/21/a-guide-to-kubernetes-admission-controllers/](https://kubernetes.io/blog/2019/03/21/a-guide-to-kubernetes-admission-controllers/)
+* [https://medium.com/ibm-cloud/diving-into-kubernetes-mutatingadmissionwebhook-6ef3c5695f74](https://medium.com/ibm-cloud/diving-into-kubernetes-mutatingadmissionwebhook-6ef3c5695f74)
+* [https://blog.alexellis.io/get-started-with-openfaas-and-kind/](https://blog.alexellis.io/get-started-with-openfaas-and-kind/)
+* [https://github.com/morvencao/kube-mutating-webhook-tutorial](https://github.com/morvencao/kube-mutating-webhook-tutorial)
+* [https://github.com/developer-guy/admission-webhook-example-with-openfaas](https://github.com/developer-guy/admission-webhook-example-with-openfaas)
