IMPORTANT: this is a work in progress.
Create a local Kubernetes cluster with ValidatingAdmissionPolicy
feature gate enabled, and admissionregistration.k8s.io/v1beta1
API enabled:
kind create cluster --config kind.yaml
Install Capsule CRDs:
kubectl apply -k ./crds
Create a Tenant and a Tenant owner:
kubectl apply -f ./oil-tenant.yaml
kubectl apply -f ./alice-tenant-owner-rolebinding.yaml
Install a Validating Admission Policy with Binding:
kubectl apply -f ./ingressclasses-validatingadmissionpolicy.yaml
As Tenant owner, create Ingress of denied class:
kubectl --as "alice" --as-group "capsule.clastix.io" apply -f ./ingress-silver.yaml
As Tenant owner, create Ingress of allowed class:
kubectl --as "alice" --as-group "capsule.clastix.io" apply -f ./ingress-bronze.yaml
make e2e
Configure a MutatingAdmissionWebhookConfiguration
(they're executed before validating webhooks) with an exposed web server like ngrok
:
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
name: aaa-ingressclass-validating-policy
webhooks:
- admissionReviewVersions:
- v1
clientConfig:
url: <YOUR WEB SERVER URL HERE>
name: ingresses.vap.capsule.clastix.io
rules:
- apiGroups: ["networking.k8s.io"]
apiVersions: ["v1"]
operations: ["CREATE", "UPDATE"]
resources: ["ingresses"]
sideEffects: None
You can run
ngrok
locally withngrok http 8080
.
Open your browser to http://localhost:4040
and make a request:
kubectl --as "alice" --as-group "capsule.clastix.io" create -f ./ingress-silver.yaml
You can analyse the request with the AdmissionReview
sent by the API server. You can find example of a AdmissionReview
of a request made impersonating Alice User
and capsule.clastix.io Group
, in this sample.