This project uses a Kubernetes admission webhook to mount the lxcfs-related directories into the container before the pod is created.
The project is deployed on OpenShift; to use it on plain Kubernetes, replace oc in the scripts with kubectl.
$ ./deployment/webhook-create-signed-cert.sh
creating certs in tmpdir /var/folders/3z/_d8d8kl951ggyvw360dkd_y80000gn/T/tmp.xPApwE5H
Generating RSA private key, 2048 bit long modulus
..............................................+++
...........+++
e is 65537 (0x10001)
certificatesigningrequest.certificates.k8s.io "lxcfs-webhook-svc.default" created
NAME AGE REQUESTOR CONDITION
admission-webhook-example-svc.default 1s ekscluster-marton-423 Pending
certificatesigningrequest.certificates.k8s.io "lxcfs-webhook-svc.default" approved
secret "lxcfs-webhook-certs" created
$ oc get secret lxcfs-webhook-certs
NAME TYPE DATA AGE
lxcfs-webhook-certs Opaque 2 2m
- Create the role and the user (service account), and bind them
oc create -f ./deployment/service-account.yaml && oc create -f ./deployment/clusterrole.yaml && oc create -f ./deployment/clusterrolebinding.yaml
- Create the SCC
oc create -f ./deployment/lxcfs-webhook-scc.yaml --validate=false
$ oc create -f deployment/deployment.yaml
deployment.apps "lxcfs-webhook-deployment" created
$ oc create -f deployment/service.yaml
service "lxcfs-webhook-svc" created
$ cat ./deployment/mutatingwebhook.yaml | ./deployment/webhook-patch-ca-bundle.sh > ./deployment/mutatingwebhook-ca-bundle.yaml
$ kubectl create -f deployment/mutatingwebhook-ca-bundle.yaml
mutatingwebhookconfiguration.admissionregistration.k8s.io "lxcfs-webhook-cfg" created
$ kubectl label namespace default lxcfs-webhook=enabled
namespace "default" labeled
The sleep test container needs permission to mount volumes.
$ kubectl create -f deployment/sleep.yaml
The project supports a blacklist mode and a whitelist mode, selected by the environment variable BLACK_OR_WHITE in the deployment: BLACK is blacklist mode, WHITE is whitelist mode, and the default is blacklist mode.
env:
- name: BLACK_OR_WHITE
value: BLACK
In blacklist mode, the webhook does not modify an application that carries the annotation lxcfs-webhook.paradeum.com/mutate=false.
In whitelist mode, the webhook modifies an application that carries the annotation lxcfs-webhook.paradeum.com/mutate=true.
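A worked illustration of this decision rule together with the JSON patch a mutating webhook returns, added here as example code and not the project's own implementation. The lxcfs host path /var/lib/lxcfs/proc/meminfo, the single meminfo mount and the containerHasMounts parameter are assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Annotation key documented in this README; mode is the BLACK_OR_WHITE value.
const mutateAnnotation = "lxcfs-webhook.paradeum.com/mutate"

// shouldMutate applies the documented rule: WHITE mutates only pods annotated mutate=true;
// any other value (BLACK, or unset) is blacklist mode and skips only pods annotated mutate=false.
func shouldMutate(mode string, annotations map[string]string) bool {
	v := annotations[mutateAnnotation]
	if strings.EqualFold(strings.TrimSpace(mode), "WHITE") {
		return v == "true"
	}
	return v != "false"
}

// patchOp is one RFC 6902 JSON Patch op; the webhook returns a base64 list of these as patchType JSONPatch.
type patchOp struct {
	Op    string      `json:"op"`
	Path  string      `json:"path"`
	Value interface{} `json:"value,omitempty"`
}

// addOp appends to an existing array ("/-") or creates it when absent: an "add"
// to "/spec/volumes/-" is rejected when the pod spec has no volumes field yet.
func addOp(path string, exists bool, v interface{}) patchOp {
	if exists {
		return patchOp{Op: "add", Path: path + "/-", Value: v}
	}
	return patchOp{Op: "add", Path: path, Value: []interface{}{v}}
}

// lxcfsPatch builds the mutation: a hostPath volume for the lxcfs meminfo file (path assumed, not
// the project's) plus a read-only mount in every container; containerHasMounts[i] = container i has volumeMounts.
func lxcfsPatch(hasVolumes bool, containerHasMounts []bool) ([]byte, error) {
	vol := map[string]interface{}{"name": "lxcfs-meminfo",
		"hostPath": map[string]string{"path": "/var/lib/lxcfs/proc/meminfo", "type": "File"}}
	mnt := map[string]interface{}{"name": "lxcfs-meminfo", "mountPath": "/proc/meminfo", "readOnly": true}
	ops := []patchOp{addOp("/spec/volumes", hasVolumes, vol)}
	for i, has := range containerHasMounts {
		ops = append(ops, addOp(fmt.Sprintf("/spec/containers/%d/volumeMounts", i), has, mnt))
	}
	return json.Marshal(ops)
}

func main() { // constructed input: BLACK mode, unannotated pod with one container
	if p, err := lxcfsPatch(false, []bool{false}); err == nil && shouldMutate("BLACK", nil) {
		fmt.Println(string(p))
	}
}
```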