First, let's create a secret to store the certificate and key we just created in step 1:
kubectl create secret tls k8s-admission-demo-tls --cert=certs/app.crt --key=certs/app.key
I would like to run the app as a simple Deployment. Let's first generate a starting point to work from:
kubectl create deployment k8s-admission-demo --image ghcr.io/felipempda/k8s-admission-controller --dry-run=client -o yaml
That will generate the following template:
apiVersion: apps/v1
kind: Deployment
metadata:
  creationTimestamp: null
  labels:
    app: k8s-admission-demo
  name: k8s-admission-demo
spec:
  replicas: 1
  selector:
    matchLabels:
      app: k8s-admission-demo
  strategy: {}
  template:
    metadata:
      creationTimestamp: null
      labels:
        app: k8s-admission-demo
    spec:
      containers:
      - image: ghcr.io/felipempda/k8s-admission-controller
        name: k8s-admission-controller
        resources: {}
status: {}
We need to mount the secret as a volume in the /etc/certs/ folder. Here is the next step:
apiVersion: apps/v1
kind: Deployment
metadata:
  creationTimestamp: null
  labels:
    app: k8s-admission-demo
  name: k8s-admission-demo
spec:
  replicas: 1
  selector:
    matchLabels:
      app: k8s-admission-demo
  strategy: {}
  template:
    metadata:
      creationTimestamp: null
      labels:
        app: k8s-admission-demo
    spec:
      containers:
      - image: ghcr.io/felipempda/k8s-admission-controller
        name: k8s-admission-controller
        resources: {}
        volumeMounts:
        - name: certs
          mountPath: /etc/certs/
      volumes:
      - name: certs
        secret:
          secretName: k8s-admission-demo-tls
status: {}
If you try to deploy that as it is:
kubectl create -f Deployment.yml
Make sure the deployment is running fine:
kubectl get pod -l app=k8s-admission-demo
In my case there was a problem; let's see what it was:
NAME READY STATUS RESTARTS AGE
k8s-admission-demo-7b58bf558-nsg86 0/1 CrashLoopBackOff 1 (10s ago) 13s
When I consult the logs:
kubectl logs -l app=k8s-admission-demo
Certificates are biting me in the face:
E0325 23:56:28.118143 1 main.go:32] Filed to load key pair: open /etc/certs/app.crt: no such file or directory
E0325 23:56:28.118143 1 main.go:32] glog: exiting because of error: log: cannot create log: open /tmp/k8s-admission-controller.k8s-admission-demo-7b58bf558-nsg86.webhook.log.INFO.20230325-235628.1: no such file or directory
This is because the files were mounted under names different from the defaults hard-coded in the app:
# kubectl exec -it k8s-admission-demo-<TAB> -- sh
# cd /etc/certs
# ls -l
total 0
lrwxrwxrwx 1 root root 14 Mar 26 00:06 tls.crt -> ..data/tls.crt
lrwxrwxrwx 1 root root 14 Mar 26 00:06 tls.key -> ..data/tls.key
Also, there is no /tmp folder in the container; we can fix that by sending the logs to standard error instead. Let's fix the deployment and pass the mounted file names as arguments:
apiVersion: apps/v1
kind: Deployment
metadata:
  creationTimestamp: null
  labels:
    app: k8s-admission-demo
  name: k8s-admission-demo
spec:
  replicas: 1
  selector:
    matchLabels:
      app: k8s-admission-demo
  strategy: {}
  template:
    metadata:
      creationTimestamp: null
      labels:
        app: k8s-admission-demo
    spec:
      containers:
      - image: ghcr.io/felipempda/k8s-admission-controller
        name: k8s-admission-controller
        args:
        - --cert
        - /etc/certs/tls.crt
        - --key
        - /etc/certs/tls.key
        - -logtostderr
        resources: {}
        volumeMounts:
        - name: certs
          mountPath: /etc/certs
      volumes:
      - name: certs
        secret:
          secretName: k8s-admission-demo-tls
status: {}
After fixing this error, we can see the pod is running fine:
# kubectl get pod -l app=k8s-admission-demo
NAME READY STATUS RESTARTS AGE
k8s-admission-demo-f8d66f6cc-hkk4f 1/1 Running 0 11s
Now logs are saying what we wanted to see:
# kubectl logs -l app=k8s-admission-demo
I0326 00:15:59.132156 1 main.go:53] Server running listening in port: 9000
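The crash above came from a name mismatch: the app looked for app.crt, while `kubectl create secret tls` always stores the pair under the keys tls.crt and tls.key. That mismatch can be caught before deploying. The preflight check below is an added example, not code from the original post or from the k8s-admission-controller project; the Deployment and Secret are constructed in code to mirror the manifests above, and the app's fallback key path /etc/certs/app.key is an assumption (only the cert default appears in the log).

```python
from pathlib import PurePosixPath

# `kubectl create secret tls` always stores the pair under these keys, whatever --cert/--key file names were given.
TLS_SECRET_KEYS = {"tls.crt", "tls.key"}
# Paths the webhook falls back to without --cert/--key: the cert default is the one
# from the log above; the key default is an assumption made for this example.
DEFAULTS = {"--cert": "/etc/certs/app.crt", "--key": "/etc/certs/app.key"}

def secret_mounts(pod_spec, container):
    """Map each mountPath (without trailing slash) to the name of the secret mounted there."""
    by_volume = {v["name"]: v["secret"]["secretName"]
                 for v in pod_spec.get("volumes", []) if "secret" in v}
    return {m["mountPath"].rstrip("/"): by_volume[m["name"]]
            for m in container.get("volumeMounts", []) if m["name"] in by_volume}

def cert_paths_from_args(args):
    """Return the --cert/--key values, falling back to the binary's defaults."""
    paths = dict(DEFAULTS)
    for flag, value in zip(args, args[1:]):
        if flag in paths:
            paths[flag] = value
    return paths

def missing_cert_files(deployment, secrets):
    """List (container, flag, path) for cert/key paths no mounted secret provides.
    `secrets` maps secret name -> set of .data keys, as `kubectl get secret -o json` shows."""
    pod_spec = deployment["spec"]["template"]["spec"]
    missing = []
    for c in pod_spec["containers"]:
        mounts = secret_mounts(pod_spec, c)
        for flag, path in cert_paths_from_args(c.get("args", [])).items():
            p = PurePosixPath(path)
            keys = secrets.get(mounts.get(str(p.parent)), set())  # empty if parent is not a secret mount
            if p.name not in keys:
                missing.append((c["name"], flag, path))
    return missing

def demo_deployment(args):
    """Constructed Deployment mirroring the manifests above, with the given args."""
    return {"spec": {"template": {"spec": {
        "containers": [{"name": "k8s-admission-controller", "args": args,
                        "volumeMounts": [{"name": "certs", "mountPath": "/etc/certs/"}]}],
        "volumes": [{"name": "certs", "secret": {"secretName": "k8s-admission-demo-tls"}}]}}}}

# Constructed view of the Secret from step 1: only its key names matter for this check.
SECRETS = {"k8s-admission-demo-tls": TLS_SECRET_KEYS}
FIXED_ARGS = ["--cert", "/etc/certs/tls.crt", "--key", "/etc/certs/tls.key", "-logtostderr"]

if __name__ == "__main__":
    print(missing_cert_files(demo_deployment([]), SECRETS))          # the CrashLoopBackOff case
    print(missing_cert_files(demo_deployment(FIXED_ARGS), SECRETS))  # []
```

Run the same check against a live cluster by feeding it `kubectl get deployment -o json` and the key names from `kubectl get secret -o json`.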