Prerequisites
- A Kubernetes cluster (kind, minikube, etc.)
- OpenFaaS CLI
- Arkade
- Kubectl
- KinD
2. Setup Tools
- Arkade
$ curl -sLS https://dl.get-arkade.dev | sudo sh- KinD
$ arkade get kind- Kubectl
$ arkade get kubectl- OpenFaaS CLI
$ arkade get faas-cliSetup
1. Set Up a Kubernetes Cluster with Kind (Optional)
With Kind, you can run a local Kubernetes cluster using Docker containers as nodes. The steps in this section are optional. Follow them only if you don't have a running Kubernetes cluster.
Create a file named openfaas-cluster.yaml, and copy in the following spec:
kind: Cluster
apiVersion: kind.x-k8s.io/v1alpha4
nodes:
- role: control-plane
- role: worker$ kind create cluster --config kind-specs/kind-cluster.yaml- Deploy OpenFaaS to a Kubernetes Cluster with:
$ arkade install openfaas- Verify that the deployments were created
$ kubectl get deployments -n openfaas -l "release=openfaas, app=openfaas"3. Deploy Validating Admission Webhook
$ cd deployment
$ sh webhook-create-signed-cert.sh
$ export CA_BUNDLE=$(kubectl config view --minify --flatten -o json | jq -r '.clusters[] | select(.name == "'$(kubectl config current-context)'") | .cluster."certificate-authority-data"')
$ sed -e "s|\${CA_BUNDLE}|${CA_BUNDLE}|g" validatingwebhook.yaml | kubectl apply -f -
$ cd ..
$ DOCKER_USER=username ./build
$ cd deployment
$ kubectl apply -f rbac.yaml
$ kubectl apply -f service.yaml
$ kubectl apply -f deployment.yaml # make sure you are using same 'DOCKER_USER' in deployment.yaml. i.e: devopps
# Label the default namespace to enable the webhook
$ kubectl label namespaces default admission-webhook-example=enabled4. Building OpenFaaS Function
$ cd functions
$ faas-cli up -f requiredlabel.yml # (build-push-deploy) make sure you are using your docker hub username. i.e: devopps- Verify the functions that are working in
openfaas-fnnamespace.
5. Testing the whole workflow
-
K8S API -> WebHook Broker w/TLS -> OpenFaaS Gateway (w/HTTP) --> OpenFaaS Function
-
The purpose of this PoC is that to validate that pods has required
labels. Which means you must have that labels:
app.kubernetes.io/name: sleep
app.kubernetes.io/instance: sleep
app.kubernetes.io/version: "0.1"
app.kubernetes.io/component: dummy
app.kubernetes.io/part-of: admission-webhook-example
app.kubernetes.io/managed-by: kubernetes- Any Pod who have above labels is valid for us.
`./deployment/sleep.yaml` -> Incorrect, not-valid (We should deny this creation request.)
`./deployment/sleep-no-validation.yaml` -> Skip-validation (Based on `admission-webhook-example.qikqiak.com/validate: "false"` annotation, we skipped validation.)
`./deployment/sleep-with-labels.yaml` -> Correct, valid (We should accept this creation request.)