Adding Admission Webhooks to an Ansible-based Operator

    This guide will assume that you understand the above content, and that you have an existing admission webhook server. You will likely need to make a few modifications to the webhook server container.

    When integrating an admission webhook server into your Ansible-based Operator, we recommend that you deploy it as a sidecar container alongside your operator. This allows you to make use of the proxy server that the operator deploys, as well as the cache that backs it.

    When an Ansible-based Operator runs, it creates a Kubernetes proxy server and serves it on . This proxy server does not require any authorization, so all you need to do to make use of the proxy is ensure that your Kubernetes client is pointing at http://localhost:8888 and that it does not attempt to verify SSL. If you use the default in-cluster configuration, you will be hitting the real API server and will not get caching for free.

    Then, update config/default/kustomization.yaml to include this patch:

    Now, when deploying the operator with make deploy, your webhook server will run alongside the operator, but Kubernetes will not yet call the webhooks before resources can be created. In order to let Kubernetes know about your webhooks, you must create specific API resources.

    In order to make your webhooks callable at all, first you must create a Service that points at your webhook server. Below is a sample service that creates a Service named , that will send traffic on port 443 to port 5000 in a Pod that matches the selector name=my-operator. Modify these values to match your environment.

    Below are examples of both MutatingWebhookConfiguration and objects, which will tell Kubernetes to call the my-operator-webhook service when resources are created. The mutating webhook is served on the /mutating path in my example webhook server, and the validating webhook is served on /validating. Update these values as needed to reflect your environment and desired behavior. These objects are thoroughly documented in the official Kubernetes documentation on Extensible Admission Controllers

    If these resources are configured properly you will now have an admissions webhook that can reject or mutate incoming resources before they are written to the Kubernetes database.

    To deploy an existing admissions webhook to validate or mutate your Kubernetes resources alongside an Ansible-based Operator, you must

    1. Configure your admissions webhook to use the proxy server running on http://localhost:8888 in the operator pod
    2. Create a Service pointing to your webhook
    3. Make sure your webhook is reachable via the Service over https