kubernetes
/
ingress-nginx
mirror of https://github.com/kubernetes/ingress-nginx.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
ingress-nginx/deploy/validating-webhook/index.html

1587 lines
46 KiB
HTML
Raw Blame History

<!doctype html>
<html lang="en" class="no-js">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width,initial-scale=1">
<meta http-equiv="x-ua-compatible" content="ie=edge">
<link rel="canonical" href="https://kubernetes.github.io/ingress-nginx/deploy/validating-webhook/">
<meta name="lang:clipboard.copy" content="Copy to clipboard">
<meta name="lang:clipboard.copied" content="Copied to clipboard">
<meta name="lang:search.language" content="en">
<meta name="lang:search.pipeline.stopwords" content="True">
<meta name="lang:search.pipeline.trimmer" content="True">
<meta name="lang:search.result.none" content="No matching documents">
<meta name="lang:search.result.one" content="1 matching document">
<meta name="lang:search.result.other" content="# matching documents">
<meta name="lang:search.tokenizer" content="[\s\-]+">
<link rel="shortcut icon" href="../../assets/images/favicon.png">
<meta name="generator" content="mkdocs-1.0.4, mkdocs-material-4.6.2">
<title>Validating Webhook (admission controller) - NGINX Ingress Controller</title>
<link rel="stylesheet" href="../../assets/stylesheets/application.adb8469c.css">
<link rel="stylesheet" href="../../assets/stylesheets/application-palette.a8b3c06d.css">
<meta name="theme-color" content="#009688">
<script src="../../assets/javascripts/modernizr.86422ebf.js"></script>
<link href="https://fonts.gstatic.com" rel="preconnect" crossorigin>
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Roboto:300,400,400i,700%7CRoboto+Mono&display=fallback">
<style>body,input{font-family:"Roboto","Helvetica Neue",Helvetica,Arial,sans-serif}code,kbd,pre{font-family:"Roboto Mono","Courier New",Courier,monospace}</style>
<link rel="stylesheet" href="../../assets/fonts/material-icons.css">
<link rel="stylesheet" href="../../extra.css">
<script>
window.ga = window.ga || function() {
(ga.q = ga.q || []).push(arguments)
}
ga.l = +new Date
/* Setup integration and send page view */
ga("create", "UA-118407822-1", "kubernetes.github.io")
ga("set", "anonymizeIp", true)
ga("send", "pageview")
/* Register handler to log search on blur */
document.addEventListener("DOMContentLoaded", () => {
if (document.forms.search) {
var query = document.forms.search.query
query.addEventListener("blur", function() {
if (this.value) {
var path = document.location.pathname;
ga("send", "pageview", path + "?q=" + this.value)
}
})
}
})
</script>
<script async src="https://www.google-analytics.com/analytics.js"></script>
</head>
<body dir="ltr" data-md-color-primary="teal" data-md-color-accent="green">
<svg class="md-svg">
<defs>
<svg xmlns="http://www.w3.org/2000/svg" width="416" height="448" viewBox="0 0 416 448" id="__github"><path fill="currentColor" d="M160 304q0 10-3.125 20.5t-10.75 19T128 352t-18.125-8.5-10.75-19T96 304t3.125-20.5 10.75-19T128 256t18.125 8.5 10.75 19T160 304zm160 0q0 10-3.125 20.5t-10.75 19T288 352t-18.125-8.5-10.75-19T256 304t3.125-20.5 10.75-19T288 256t18.125 8.5 10.75 19T320 304zm40 0q0-30-17.25-51T296 232q-10.25 0-48.75 5.25Q229.5 240 208 240t-39.25-2.75Q130.75 232 120 232q-29.5 0-46.75 21T56 304q0 22 8 38.375t20.25 25.75 30.5 15 35 7.375 37.25 1.75h42q20.5 0 37.25-1.75t35-7.375 30.5-15 20.25-25.75T360 304zm56-44q0 51.75-15.25 82.75-9.5 19.25-26.375 33.25t-35.25 21.5-42.5 11.875-42.875 5.5T212 416q-19.5 0-35.5-.75t-36.875-3.125-38.125-7.5-34.25-12.875T37 371.5t-21.5-28.75Q0 312 0 260q0-59.25 34-99-6.75-20.5-6.75-42.5 0-29 12.75-54.5 27 0 47.5 9.875t47.25 30.875Q171.5 96 212 96q37 0 70 8 26.25-20.5 46.75-30.25T376 64q12.75 25.5 12.75 54.5 0 21.75-6.75 42 34 40 34 99.5z"/></svg>
</defs>
</svg>
<input class="md-toggle" data-md-toggle="drawer" type="checkbox" id="__drawer" autocomplete="off">
<input class="md-toggle" data-md-toggle="search" type="checkbox" id="__search" autocomplete="off">
<label class="md-overlay" data-md-component="overlay" for="__drawer"></label>
<a href="#validating-webhook-admission-controller" tabindex="0" class="md-skip">
Skip to content
</a>
<header class="md-header" data-md-component="header">
<nav class="md-header-nav md-grid">
<div class="md-flex">
<div class="md-flex__cell md-flex__cell--shrink">
<a href="https://kubernetes.github.io/ingress-nginx" title="NGINX Ingress Controller" aria-label="NGINX Ingress Controller" class="md-header-nav__button md-logo">
<i class="md-icon">public</i>
</a>
</div>
<div class="md-flex__cell md-flex__cell--shrink">
<label class="md-icon md-icon--menu md-header-nav__button" for="__drawer"></label>
</div>
<div class="md-flex__cell md-flex__cell--stretch">
<div class="md-flex__ellipsis md-header-nav__title" data-md-component="title">
<span class="md-header-nav__topic">
NGINX Ingress Controller
</span>
<span class="md-header-nav__topic">
Validating Webhook (admission controller)
</span>
</div>
</div>
<div class="md-flex__cell md-flex__cell--shrink">
<label class="md-icon md-icon--search md-header-nav__button" for="__search"></label>
<div class="md-search" data-md-component="search" role="dialog">
<label class="md-search__overlay" for="__search"></label>
<div class="md-search__inner" role="search">
<form class="md-search__form" name="search">
<input type="text" class="md-search__input" aria-label="search" name="query" placeholder="Search" autocapitalize="off" autocorrect="off" autocomplete="off" spellcheck="false" data-md-component="query" data-md-state="active">
<label class="md-icon md-search__icon" for="__search"></label>
<button type="reset" class="md-icon md-search__icon" data-md-component="reset" tabindex="-1">
&#xE5CD;
</button>
</form>
<div class="md-search__output">
<div class="md-search__scrollwrap" data-md-scrollfix>
<div class="md-search-result" data-md-component="result">
<div class="md-search-result__meta">
Type to start searching
</div>
<ol class="md-search-result__list"></ol>
</div>
</div>
</div>
</div>
</div>
</div>
<div class="md-flex__cell md-flex__cell--shrink">
<div class="md-header-nav__source">
<a href="https://github.com/kubernetes/ingress-nginx/" title="Go to repository" class="md-source" data-md-source="github">
<div class="md-source__icon">
<svg viewBox="0 0 24 24" width="24" height="24">
<use xlink:href="#__github" width="24" height="24"></use>
</svg>
</div>
<div class="md-source__repository">
kubernetes/ingress-nginx
</div>
</a>
</div>
</div>
</div>
</nav>
</header>
<div class="md-container">
<nav class="md-tabs md-tabs--active" data-md-component="tabs">
<div class="md-tabs__inner md-grid">
<ul class="md-tabs__list">
<li class="md-tabs__item">
<a href="../.." class="md-tabs__link">
Welcome
</a>
</li>
<li class="md-tabs__item">
<a href="../" class="md-tabs__link md-tabs__link--active">
Deployment
</a>
</li>
<li class="md-tabs__item">
<a href="../../user-guide/nginx-configuration/" class="md-tabs__link">
User guide
</a>
</li>
<li class="md-tabs__item">
<a href="../../examples/" class="md-tabs__link">
Examples
</a>
</li>
</ul>
</div>
</nav>
<main class="md-main" role="main">
<div class="md-main__inner md-grid" data-md-component="container">
<div class="md-sidebar md-sidebar--primary" data-md-component="navigation">
<div class="md-sidebar__scrollwrap">
<div class="md-sidebar__inner">
<nav class="md-nav md-nav--primary" data-md-level="0">
<label class="md-nav__title md-nav__title--site" for="__drawer">
<a href="https://kubernetes.github.io/ingress-nginx" title="NGINX Ingress Controller" class="md-nav__button md-logo">
<i class="md-icon">public</i>
</a>
NGINX Ingress Controller
</label>
<div class="md-nav__source">
<a href="https://github.com/kubernetes/ingress-nginx/" title="Go to repository" class="md-source" data-md-source="github">
<div class="md-source__icon">
<svg viewBox="0 0 24 24" width="24" height="24">
<use xlink:href="#__github" width="24" height="24"></use>
</svg>
</div>
<div class="md-source__repository">
kubernetes/ingress-nginx
</div>
</a>
</div>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item md-nav__item--nested">
<input class="md-toggle md-nav__toggle" data-md-toggle="nav-1" type="checkbox" id="nav-1">
<label class="md-nav__link" for="nav-1">
Welcome
</label>
<nav class="md-nav" data-md-component="collapsible" data-md-level="1">
<label class="md-nav__title" for="nav-1">
Welcome
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../.." title="Welcome" class="md-nav__link">
Welcome
</a>
</li>
<li class="md-nav__item">
<a href="../../how-it-works/" title="How it works" class="md-nav__link">
How it works
</a>
</li>
<li class="md-nav__item">
<a href="../../troubleshooting/" title="Troubleshooting" class="md-nav__link">
Troubleshooting
</a>
</li>
<li class="md-nav__item">
<a href="../../kubectl-plugin/" title="kubectl plugin" class="md-nav__link">
kubectl plugin
</a>
</li>
<li class="md-nav__item">
<a href="../../development/" title="Development" class="md-nav__link">
Development
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--active md-nav__item--nested">
<input class="md-toggle md-nav__toggle" data-md-toggle="nav-2" type="checkbox" id="nav-2" checked>
<label class="md-nav__link" for="nav-2">
Deployment
</label>
<nav class="md-nav" data-md-component="collapsible" data-md-level="1">
<label class="md-nav__title" for="nav-2">
Deployment
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../" title="Installation Guide" class="md-nav__link">
Installation Guide
</a>
</li>
<li class="md-nav__item">
<a href="../baremetal/" title="Bare-metal considerations" class="md-nav__link">
Bare-metal considerations
</a>
</li>
<li class="md-nav__item">
<a href="../rbac/" title="Role Based Access Control (RBAC)" class="md-nav__link">
Role Based Access Control (RBAC)
</a>
</li>
<li class="md-nav__item md-nav__item--active">
<input class="md-toggle md-nav__toggle" data-md-toggle="toc" type="checkbox" id="__toc">
<label class="md-nav__link md-nav__link--active" for="__toc">
Validating Webhook (admission controller)
</label>
<a href="./" title="Validating Webhook (admission controller)" class="md-nav__link md-nav__link--active">
Validating Webhook (admission controller)
</a>
<nav class="md-nav md-nav--secondary">
<label class="md-nav__title" for="__toc">Table of contents</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="#overview" class="md-nav__link">
Overview
</a>
</li>
<li class="md-nav__item">
<a href="#configure-the-webhook" class="md-nav__link">
Configure the webhook
</a>
<nav class="md-nav">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#generate-the-webhook-certificate" class="md-nav__link">
Generate the webhook certificate
</a>
<nav class="md-nav">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#self-signed-certificate" class="md-nav__link">
Self signed certificate
</a>
<nav class="md-nav">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#using-kubernetes-ca" class="md-nav__link">
Using Kubernetes CA
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#using-helm" class="md-nav__link">
Using helm
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#ingress-controller-flags" class="md-nav__link">
Ingress controller flags
</a>
</li>
<li class="md-nav__item">
<a href="#kube-api-server-flags" class="md-nav__link">
kube API server flags
</a>
</li>
<li class="md-nav__item">
<a href="#additional-kubernetes-objects" class="md-nav__link">
Additional kubernetes objects
</a>
</li>
</ul>
</nav>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="../upgrade/" title="Upgrade" class="md-nav__link">
Upgrade
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-toggle md-nav__toggle" data-md-toggle="nav-3" type="checkbox" id="nav-3">
<label class="md-nav__link" for="nav-3">
User guide
</label>
<nav class="md-nav" data-md-component="collapsible" data-md-level="1">
<label class="md-nav__title" for="nav-3">
User guide
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item md-nav__item--nested">
<input class="md-toggle md-nav__toggle" data-md-toggle="nav-3-1" type="checkbox" id="nav-3-1">
<label class="md-nav__link" for="nav-3-1">
NGINX Configuration
</label>
<nav class="md-nav" data-md-component="collapsible" data-md-level="2">
<label class="md-nav__title" for="nav-3-1">
NGINX Configuration
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../user-guide/nginx-configuration/" title="Introduction" class="md-nav__link">
Introduction
</a>
</li>
<li class="md-nav__item">
<a href="../../user-guide/basic-usage/" title="Basic usage" class="md-nav__link">
Basic usage
</a>
</li>
<li class="md-nav__item">
<a href="../../user-guide/nginx-configuration/annotations/" title="Annotations" class="md-nav__link">
Annotations
</a>
</li>
<li class="md-nav__item">
<a href="../../user-guide/nginx-configuration/configmap/" title="ConfigMap" class="md-nav__link">
ConfigMap
</a>
</li>
<li class="md-nav__item">
<a href="../../user-guide/nginx-configuration/custom-template/" title="Custom NGINX template" class="md-nav__link">
Custom NGINX template
</a>
</li>
<li class="md-nav__item">
<a href="../../user-guide/nginx-configuration/log-format/" title="Log format" class="md-nav__link">
Log format
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="../../user-guide/cli-arguments/" title="Command line arguments" class="md-nav__link">
Command line arguments
</a>
</li>
<li class="md-nav__item">
<a href="../../user-guide/custom-errors/" title="Custom errors" class="md-nav__link">
Custom errors
</a>
</li>
<li class="md-nav__item">
<a href="../../user-guide/default-backend/" title="Default backend" class="md-nav__link">
Default backend
</a>
</li>
<li class="md-nav__item">
<a href="../../user-guide/exposing-tcp-udp-services/" title="Exposing TCP and UDP services" class="md-nav__link">
Exposing TCP and UDP services
</a>
</li>
<li class="md-nav__item">
<a href="../../user-guide/fcgi-services/" title="Exposing FCGI services" class="md-nav__link">
Exposing FCGI services
</a>
</li>
<li class="md-nav__item">
<a href="../../user-guide/ingress-path-matching/" title="Regular expressions in paths" class="md-nav__link">
Regular expressions in paths
</a>
</li>
<li class="md-nav__item">
<a href="../../user-guide/external-articles/" title="External Articles" class="md-nav__link">
External Articles
</a>
</li>
<li class="md-nav__item">
<a href="../../user-guide/miscellaneous/" title="Miscellaneous" class="md-nav__link">
Miscellaneous
</a>
</li>
<li class="md-nav__item">
<a href="../../user-guide/monitoring/" title="Prometheus and Grafana installation" class="md-nav__link">
Prometheus and Grafana installation
</a>
</li>
<li class="md-nav__item">
<a href="../../user-guide/multiple-ingress/" title="Multiple Ingress controllers" class="md-nav__link">
Multiple Ingress controllers
</a>
</li>
<li class="md-nav__item">
<a href="../../user-guide/tls/" title="TLS/HTTPS" class="md-nav__link">
TLS/HTTPS
</a>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-toggle md-nav__toggle" data-md-toggle="nav-3-13" type="checkbox" id="nav-3-13">
<label class="md-nav__link" for="nav-3-13">
Third party addons
</label>
<nav class="md-nav" data-md-component="collapsible" data-md-level="2">
<label class="md-nav__title" for="nav-3-13">
Third party addons
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../user-guide/third-party-addons/modsecurity/" title="ModSecurity Web Application Firewall" class="md-nav__link">
ModSecurity Web Application Firewall
</a>
</li>
<li class="md-nav__item">
<a href="../../user-guide/third-party-addons/opentracing/" title="OpenTracing" class="md-nav__link">
OpenTracing
</a>
</li>
</ul>
</nav>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-toggle md-nav__toggle" data-md-toggle="nav-4" type="checkbox" id="nav-4">
<label class="md-nav__link" for="nav-4">
Examples
</label>
<nav class="md-nav" data-md-component="collapsible" data-md-level="1">
<label class="md-nav__title" for="nav-4">
Examples
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../examples/" title="Introduction" class="md-nav__link">
Introduction
</a>
</li>
<li class="md-nav__item">
<a href="../../examples/PREREQUISITES/" title="Prerequisites" class="md-nav__link">
Prerequisites
</a>
</li>
<li class="md-nav__item">
<a href="../../examples/affinity/cookie/" title="Sticky Sessions" class="md-nav__link">
Sticky Sessions
</a>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-toggle md-nav__toggle" data-md-toggle="nav-4-4" type="checkbox" id="nav-4-4">
<label class="md-nav__link" for="nav-4-4">
Auth
</label>
<nav class="md-nav" data-md-component="collapsible" data-md-level="2">
<label class="md-nav__title" for="nav-4-4">
Auth
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../examples/auth/basic/" title="Basic Authentication" class="md-nav__link">
Basic Authentication
</a>
</li>
<li class="md-nav__item">
<a href="../../examples/auth/client-certs/" title="Client Certificate Authentication" class="md-nav__link">
Client Certificate Authentication
</a>
</li>
<li class="md-nav__item">
<a href="../../examples/auth/external-auth/" title="External Basic Authentication" class="md-nav__link">
External Basic Authentication
</a>
</li>
<li class="md-nav__item">
<a href="../../examples/auth/oauth-external-auth/" title="External OAUTH Authentication" class="md-nav__link">
External OAUTH Authentication
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-toggle md-nav__toggle" data-md-toggle="nav-4-5" type="checkbox" id="nav-4-5">
<label class="md-nav__link" for="nav-4-5">
Customization
</label>
<nav class="md-nav" data-md-component="collapsible" data-md-level="2">
<label class="md-nav__title" for="nav-4-5">
Customization
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../examples/customization/configuration-snippets/" title="Configuration Snippets" class="md-nav__link">
Configuration Snippets
</a>
</li>
<li class="md-nav__item">
<a href="../../examples/customization/custom-configuration/" title="Custom Configuration" class="md-nav__link">
Custom Configuration
</a>
</li>
<li class="md-nav__item">
<a href="../../examples/customization/custom-errors/" title="Custom Errors" class="md-nav__link">
Custom Errors
</a>
</li>
<li class="md-nav__item">
<a href="../../examples/customization/custom-headers/" title="Custom Headers" class="md-nav__link">
Custom Headers
</a>
</li>
<li class="md-nav__item">
<a href="../../examples/customization/external-auth-headers/" title="External authentication" class="md-nav__link">
External authentication
</a>
</li>
<li class="md-nav__item">
<a href="../../examples/customization/ssl-dh-param/" title="Custom DH parameters for perfect forward secrecy" class="md-nav__link">
Custom DH parameters for perfect forward secrecy
</a>
</li>
<li class="md-nav__item">
<a href="../../examples/customization/sysctl/" title="Sysctl tuning" class="md-nav__link">
Sysctl tuning
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="../../examples/docker-registry/" title="Docker registry" class="md-nav__link">
Docker registry
</a>
</li>
<li class="md-nav__item">
<a href="../../examples/grpc/" title="gRPC" class="md-nav__link">
gRPC
</a>
</li>
<li class="md-nav__item">
<a href="../../examples/multi-tls/" title="Multi TLS certificate termination" class="md-nav__link">
Multi TLS certificate termination
</a>
</li>
<li class="md-nav__item">
<a href="../../examples/rewrite/" title="Rewrite" class="md-nav__link">
Rewrite
</a>
</li>
<li class="md-nav__item">
<a href="../../examples/static-ip/" title="Static IPs" class="md-nav__link">
Static IPs
</a>
</li>
<li class="md-nav__item">
<a href="../../examples/tls-termination/" title="TLS termination" class="md-nav__link">
TLS termination
</a>
</li>
<li class="md-nav__item">
<a href="../../examples/psp/" title="Pod Security Policy (PSP)" class="md-nav__link">
Pod Security Policy (PSP)
</a>
</li>
</ul>
</nav>
</li>
</ul>
</nav>
</div>
</div>
</div>
<div class="md-sidebar md-sidebar--secondary" data-md-component="toc">
<div class="md-sidebar__scrollwrap">
<div class="md-sidebar__inner">
<nav class="md-nav md-nav--secondary">
<label class="md-nav__title" for="__toc">Table of contents</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="#overview" class="md-nav__link">
Overview
</a>
</li>
<li class="md-nav__item">
<a href="#configure-the-webhook" class="md-nav__link">
Configure the webhook
</a>
<nav class="md-nav">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#generate-the-webhook-certificate" class="md-nav__link">
Generate the webhook certificate
</a>
<nav class="md-nav">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#self-signed-certificate" class="md-nav__link">
Self signed certificate
</a>
<nav class="md-nav">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#using-kubernetes-ca" class="md-nav__link">
Using Kubernetes CA
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#using-helm" class="md-nav__link">
Using helm
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#ingress-controller-flags" class="md-nav__link">
Ingress controller flags
</a>
</li>
<li class="md-nav__item">
<a href="#kube-api-server-flags" class="md-nav__link">
kube API server flags
</a>
</li>
<li class="md-nav__item">
<a href="#additional-kubernetes-objects" class="md-nav__link">
Additional kubernetes objects
</a>
</li>
</ul>
</nav>
</li>
</ul>
</nav>
</div>
</div>
</div>
<div class="md-content">
<article class="md-content__inner md-typeset">
<a href="https://github.com/kubernetes/ingress-nginx/edit/master/docs/deploy/validating-webhook.md" title="Edit this page" class="md-icon md-content__icon">&#xE3C9;</a>
<h1 id="validating-webhook-admission-controller">Validating webhook (admission controller)<a class="headerlink" href="#validating-webhook-admission-controller" title="Permanent link"></a></h1>
<h2 id="overview">Overview<a class="headerlink" href="#overview" title="Permanent link"></a></h2>
<p>Nginx ingress controller offers the option to validate ingresses before they enter the cluster, ensuring controller will generate a valid configuration.</p>
<p>This controller is called, when <a href="https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#validatingadmissionwebhook">ValidatingAdmissionWebhook</a> is enabled, by the Kubernetes API server each time a new ingress is to enter the cluster, and rejects objects for which the generated nginx configuration fails to be validated.</p>
<p>This feature requires some further configuration of the cluster, hence it is an optional feature, this section explains how to enable it for your cluster.</p>
<h2 id="configure-the-webhook">Configure the webhook<a class="headerlink" href="#configure-the-webhook" title="Permanent link"></a></h2>
<h3 id="generate-the-webhook-certificate">Generate the webhook certificate<a class="headerlink" href="#generate-the-webhook-certificate" title="Permanent link"></a></h3>
<h4 id="self-signed-certificate">Self signed certificate<a class="headerlink" href="#self-signed-certificate" title="Permanent link"></a></h4>
<p>Validating webhook must be served using TLS, you need to generate a certificate. Note that kube API server is checking the hostname of the certificate, the common name of your certificate will need to match the service name.</p>
<div class="admonition example">
<p class="admonition-title">Example</p>
<p>To run the validating webhook with a service named <code class="codehilite"><span class="err">ingress-validation-webhook</span></code> in the namespace <code class="codehilite"><span class="err">ingress-nginx</span></code>, run</p>
<div class="codehilite"><pre><span></span><code>openssl req -x509 -newkey rsa:2048 -keyout certificate.pem -out key.pem -days <span class="m">365</span> -nodes -subj <span class="s2">&quot;/CN=ingress-validation-webhook.ingress-nginx.svc&quot;</span>
</code></pre></div>
</div>
<h5 id="using-kubernetes-ca">Using Kubernetes CA<a class="headerlink" href="#using-kubernetes-ca" title="Permanent link"></a></h5>
<p>Kubernetes also provides primitives to sign a certificate request. Here is an example on how to use it</p>
<div class="admonition example">
<p class="admonition-title">Example</p>
<div class="codehilite"><pre><span></span><code><span class="ch">#!/bin/bash</span>
<span class="nv">SERVICE_NAME</span><span class="o">=</span>ingress-nginx
<span class="nv">NAMESPACE</span><span class="o">=</span>ingress-nginx
<span class="nv">TEMP_DIRECTORY</span><span class="o">=</span><span class="k">$(</span>mktemp -d<span class="k">)</span>
<span class="nb">echo</span> <span class="s2">&quot;creating certs in directory </span><span class="si">${</span><span class="nv">TEMP_DIRECTORY</span><span class="si">}</span><span class="s2">&quot;</span>
cat <span class="s">&lt;&lt;EOF &gt;&gt; ${TEMP_DIRECTORY}/csr.conf</span>
<span class="s">[req]</span>
<span class="s">req_extensions = v3_req</span>
<span class="s">distinguished_name = req_distinguished_name</span>
<span class="s">[req_distinguished_name]</span>
<span class="s">[ v3_req ]</span>
<span class="s">basicConstraints = CA:FALSE</span>
<span class="s">keyUsage = nonRepudiation, digitalSignature, keyEncipherment</span>
<span class="s">extendedKeyUsage = serverAuth</span>
<span class="s">subjectAltName = @alt_names</span>
<span class="s">[alt_names]</span>
<span class="s">DNS.1 = ${SERVICE_NAME}</span>
<span class="s">DNS.2 = ${SERVICE_NAME}.${NAMESPACE}</span>
<span class="s">DNS.3 = ${SERVICE_NAME}.${NAMESPACE}.svc</span>
<span class="s">EOF</span>
openssl genrsa -out <span class="si">${</span><span class="nv">TEMP_DIRECTORY</span><span class="si">}</span>/server-key.pem <span class="m">2048</span>
openssl req -new -key <span class="si">${</span><span class="nv">TEMP_DIRECTORY</span><span class="si">}</span>/server-key.pem <span class="se">\</span>
-subj <span class="s2">&quot;/CN=</span><span class="si">${</span><span class="nv">SERVICE_NAME</span><span class="si">}</span><span class="s2">.</span><span class="si">${</span><span class="nv">NAMESPACE</span><span class="si">}</span><span class="s2">.svc&quot;</span> <span class="se">\</span>
-out <span class="si">${</span><span class="nv">TEMP_DIRECTORY</span><span class="si">}</span>/server.csr <span class="se">\</span>
-config <span class="si">${</span><span class="nv">TEMP_DIRECTORY</span><span class="si">}</span>/csr.conf
cat <span class="s">&lt;&lt;EOF | kubectl create -f -</span>
<span class="s">apiVersion: certificates.k8s.io/v1beta1</span>
<span class="s">kind: CertificateSigningRequest</span>
<span class="s">metadata:</span>
<span class="s"> name: ${SERVICE_NAME}.${NAMESPACE}.svc</span>
<span class="s">spec:</span>
<span class="s"> request: $(cat ${TEMP_DIRECTORY}/server.csr | base64 | tr -d &#39;\n&#39;)</span>
<span class="s"> usages:</span>
<span class="s"> - digital signature</span>
<span class="s"> - key encipherment</span>
<span class="s"> - server auth</span>
<span class="s">EOF</span>
kubectl certificate approve <span class="si">${</span><span class="nv">SERVICE_NAME</span><span class="si">}</span>.<span class="si">${</span><span class="nv">NAMESPACE</span><span class="si">}</span>.svc
<span class="k">for</span> x in <span class="k">$(</span>seq <span class="m">10</span><span class="k">)</span><span class="p">;</span> <span class="k">do</span>
<span class="nv">SERVER_CERT</span><span class="o">=</span><span class="k">$(</span>kubectl get csr <span class="si">${</span><span class="nv">SERVICE_NAME</span><span class="si">}</span>.<span class="si">${</span><span class="nv">NAMESPACE</span><span class="si">}</span>.svc -o <span class="nv">jsonpath</span><span class="o">=</span><span class="s1">&#39;{.status.certificate}&#39;</span><span class="k">)</span>
<span class="k">if</span> <span class="o">[[</span> <span class="si">${</span><span class="nv">SERVER_CERT</span><span class="si">}</span> !<span class="o">=</span> <span class="s1">&#39;&#39;</span> <span class="o">]]</span><span class="p">;</span> <span class="k">then</span>
<span class="nb">break</span>
<span class="k">fi</span>
sleep <span class="m">1</span>
<span class="k">done</span>
<span class="k">if</span> <span class="o">[[</span> <span class="si">${</span><span class="nv">SERVER_CERT</span><span class="si">}</span> <span class="o">==</span> <span class="s1">&#39;&#39;</span> <span class="o">]]</span><span class="p">;</span> <span class="k">then</span>
<span class="nb">echo</span> <span class="s2">&quot;ERROR: After approving csr </span><span class="si">${</span><span class="nv">SERVICE_NAME</span><span class="si">}</span><span class="s2">.</span><span class="si">${</span><span class="nv">NAMESPACE</span><span class="si">}</span><span class="s2">.svc, the signed certificate did not appear on the resource. Giving up after 10 attempts.&quot;</span> &gt;<span class="p">&amp;</span><span class="m">2</span>
<span class="nb">exit</span> <span class="m">1</span>
<span class="k">fi</span>
<span class="nb">echo</span> <span class="si">${</span><span class="nv">SERVER_CERT</span><span class="si">}</span> <span class="p">|</span> openssl base64 -d -A -out <span class="si">${</span><span class="nv">TEMP_DIRECTORY</span><span class="si">}</span>/server-cert.pem
kubectl create secret generic ingress-nginx.svc <span class="se">\</span>
--from-file<span class="o">=</span>key.pem<span class="o">=</span><span class="si">${</span><span class="nv">TEMP_DIRECTORY</span><span class="si">}</span>/server-key.pem <span class="se">\</span>
--from-file<span class="o">=</span>cert.pem<span class="o">=</span><span class="si">${</span><span class="nv">TEMP_DIRECTORY</span><span class="si">}</span>/server-cert.pem <span class="se">\</span>
-n <span class="si">${</span><span class="nv">NAMESPACE</span><span class="si">}</span>
</code></pre></div>
</div>
<h4 id="using-helm">Using helm<a class="headerlink" href="#using-helm" title="Permanent link"></a></h4>
<p>To generate the certificate using helm, you can use the following snippet</p>
<div class="admonition example">
<p class="admonition-title">Example</p>
<div class="codehilite"><pre><span></span><code><span class="cp">{{</span><span class="o">-</span> <span class="err">$</span><span class="nv">cn</span> <span class="o">:=</span> <span class="nv">printf</span> <span class="s2">&quot;%s.%s.svc&quot;</span> <span class="o">(</span> <span class="nv">include</span> <span class="s2">&quot;nginx-ingress.validatingWebhook.fullname&quot;</span> <span class="err">.</span> <span class="o">)</span> <span class="nv">.Release.Namespace</span> <span class="cp">}}</span><span class="x"></span>
<span class="cp">{{</span><span class="o">-</span> <span class="err">$</span><span class="nv">ca</span> <span class="o">:=</span> <span class="nv">genCA</span> <span class="o">(</span><span class="nv">printf</span> <span class="s2">&quot;%s-ca&quot;</span> <span class="o">(</span> <span class="nv">include</span> <span class="s2">&quot;nginx-ingress.validatingWebhook.fullname&quot;</span> <span class="err">.</span> <span class="o">))</span> <span class="nv">.Values.validatingWebhook.certificateValidity</span> -<span class="cp">}}</span><span class="x"></span>
<span class="cp">{{</span><span class="o">-</span> <span class="err">$</span><span class="nv">cert</span> <span class="o">:=</span> <span class="nv">genSignedCert</span> <span class="err">$</span><span class="nv">cn</span> <span class="nv">nil</span> <span class="nv">nil</span> <span class="nv">.Values.validatingWebhook.certificateValidity</span> <span class="err">$</span><span class="nv">ca</span> -<span class="cp">}}</span><span class="x"></span>
</code></pre></div>
</div>
<h3 id="ingress-controller-flags">Ingress controller flags<a class="headerlink" href="#ingress-controller-flags" title="Permanent link"></a></h3>
<p>To enable the feature in the ingress controller, you <em>need</em> to provide 3 flags to the command line.</p>
<table>
<thead>
<tr>
<th>flag</th>
<th>description</th>
<th>example usage</th>
</tr>
</thead>
<tbody>
<tr>
<td><code class="codehilite"><span class="err">--validating-webhook</span></code></td>
<td>The address to start an admission controller on</td>
<td><code class="codehilite"><span class="err">:8080</span></code></td>
</tr>
<tr>
<td><code class="codehilite"><span class="err">--validating-webhook-certificate</span></code></td>
<td>The certificate the webhook is using for its TLS handling</td>
<td><code class="codehilite"><span class="err">/usr/local/certificates/validating-webhook.pem</span></code></td>
</tr>
<tr>
<td><code class="codehilite"><span class="err">--validating-webhook-key</span></code></td>
<td>The key the webhook is using for its TLS handling</td>
<td><code class="codehilite"><span class="err">/usr/local/certificates/validating-webhook-key.pem</span></code></td>
</tr>
</tbody>
</table>
<h3 id="kube-api-server-flags">kube API server flags<a class="headerlink" href="#kube-api-server-flags" title="Permanent link"></a></h3>
<p>Validating webhook feature requires specific setup on the kube API server side. Depending on your kubernetes version, the flag can, or not, be enabled by default.
To check that your kube API server runs with the required flags, please refer to the <a href="https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#validatingadmissionwebhook">kubernetes</a> documentation.</p>
<h3 id="additional-kubernetes-objects">Additional kubernetes objects<a class="headerlink" href="#additional-kubernetes-objects" title="Permanent link"></a></h3>
<p>Once both the ingress controller and the kube API server are configured to serve the webhook, add the you can configure the webhook with the following objects:</p>
<div class="codehilite"><pre><span></span><code><span class="nt">apiVersion</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">v1</span>
<span class="nt">kind</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">Service</span>
<span class="nt">metadata</span><span class="p">:</span>
<span class="nt">name</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">ingress-validation-webhook</span>
<span class="nt">namespace</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">ingress-nginx</span>
<span class="nt">spec</span><span class="p">:</span>
<span class="nt">ports</span><span class="p">:</span>
<span class="p p-Indicator">-</span> <span class="nt">name</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">admission</span>
<span class="nt">port</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">443</span>
<span class="nt">protocol</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">TCP</span>
<span class="nt">targetPort</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">8080</span>
<span class="nt">selector</span><span class="p">:</span>
<span class="nt">app</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">nginx-ingress</span>
<span class="nt">component</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">controller</span>
<span class="nn">---</span>
<span class="nt">apiVersion</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">admissionregistration.k8s.io/v1beta1</span>
<span class="nt">kind</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">ValidatingWebhookConfiguration</span>
<span class="nt">metadata</span><span class="p">:</span>
<span class="nt">name</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">check-ingress</span>
<span class="nt">webhooks</span><span class="p">:</span>
<span class="p p-Indicator">-</span> <span class="nt">name</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">validate.nginx.ingress.kubernetes.io</span>
<span class="nt">rules</span><span class="p">:</span>
<span class="p p-Indicator">-</span> <span class="nt">apiGroups</span><span class="p">:</span>
<span class="p p-Indicator">-</span> <span class="l l-Scalar l-Scalar-Plain">networking.k8s.io/v1beta1</span>
<span class="nt">apiVersions</span><span class="p">:</span>
<span class="p p-Indicator">-</span> <span class="l l-Scalar l-Scalar-Plain">v1beta1</span>
<span class="nt">operations</span><span class="p">:</span>
<span class="p p-Indicator">-</span> <span class="l l-Scalar l-Scalar-Plain">CREATE</span>
<span class="p p-Indicator">-</span> <span class="l l-Scalar l-Scalar-Plain">UPDATE</span>
<span class="nt">resources</span><span class="p">:</span>
<span class="p p-Indicator">-</span> <span class="l l-Scalar l-Scalar-Plain">ingresses</span>
<span class="nt">failurePolicy</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">Fail</span>
<span class="nt">clientConfig</span><span class="p">:</span>
<span class="nt">service</span><span class="p">:</span>
<span class="nt">namespace</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">ingress-nginx</span>
<span class="nt">name</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">ingress-validation-webhook</span>
<span class="nt">path</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">/networking.k8s.io/v1beta1/ingress</span>
<span class="nt">caBundle</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">&lt;pem encoded ca cert that signs the server cert used by the webhook&gt;</span>
</code></pre></div>
</article>
</div>
</div>
</main>
<footer class="md-footer">
<div class="md-footer-nav">
<nav class="md-footer-nav__inner md-grid">
<a href="../rbac/" title="Role Based Access Control (RBAC)" class="md-flex md-footer-nav__link md-footer-nav__link--prev" rel="prev">
<div class="md-flex__cell md-flex__cell--shrink">
<i class="md-icon md-icon--arrow-back md-footer-nav__button"></i>
</div>
<div class="md-flex__cell md-flex__cell--stretch md-footer-nav__title">
<span class="md-flex__ellipsis">
<span class="md-footer-nav__direction">
Previous
</span>
Role Based Access Control (RBAC)
</span>
</div>
</a>
<a href="../upgrade/" title="Upgrade" class="md-flex md-footer-nav__link md-footer-nav__link--next" rel="next">
<div class="md-flex__cell md-flex__cell--stretch md-footer-nav__title">
<span class="md-flex__ellipsis">
<span class="md-footer-nav__direction">
Next
</span>
Upgrade
</span>
</div>
<div class="md-flex__cell md-flex__cell--shrink">
<i class="md-icon md-icon--arrow-forward md-footer-nav__button"></i>
</div>
</a>
</nav>
</div>
<div class="md-footer-meta md-typeset">
<div class="md-footer-meta__inner md-grid">
<div class="md-footer-copyright">
powered by
<a href="https://www.mkdocs.org" target="_blank" rel="noopener">MkDocs</a>
and
<a href="https://squidfunk.github.io/mkdocs-material/" target="_blank" rel="noopener">
Material for MkDocs</a>
</div>
</div>
</div>
</footer>
</div>
<script src="../../assets/javascripts/application.c33a9706.js"></script>
<script>app.initialize({version:"1.0.4",url:{base:"../.."}})</script>
</body>
</html>
Reference in New Issue View Git Blame Copy Permalink