Run your Kubernetes workload with Deepfactor

Table of Contents

Introduction #

Deepfactor provides a mutating admission webhook to seamlessly run your K8s workloads with Deepfactor. If you would like to read more about the mutating admission webhook, you can refer to the following Kubernetes documentation article.

Mutating Admission Webhook K8s Documentation

Deepfactor admission webhook controller works with K8s v1.19 and up

 

Prerequisites for installing Deepfactor Mutating Admission webhook #

  1. admissionregistration.k8s.io/v1 apiversion should be supported

    kubectl api-versions | grep admissionregistration.k8s.io

    Output should have 

    admissionregistration.k8s.io/v1
  2. Mutating admission plugin should be enabled in kube-apiserver flags 
    kube-apiserver -h | grep enable-admission-plugins

    Output should have the following in the list

    MutatingAdmissionWebhook
  3. Ensure you have the following cluster level permissions
    In order to install the Deepfactor mutating admission webhook in your cluster, you will need permissions for admissionregistration.k8s.io/v1 api group. If you are using cert-manager to manage the webhook certificate, you will need permissions for certmanager.k8s.io api group as well. An example cluster role is shown below.

    apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    rbac.authorization.k8s.io/aggregate-to-admin: "true"
  name: deepfactor-webhook-admin
rules:
- apiGroups:
  - "certmanager.k8s.io"
  resources:
  - issuers
  - certificates
  verbs:
  - create
  - update
  - apply
  - patch
  - delete
  - get
  - list
  - watch
- apiGroups:
  - "admissionregistration.k8s.io/v1"
  resources:
  - mutatingwebhookconfigurations
  verbs:
  - create
  - update
  - apply
  - patch
  - delete
  - get
  - list
  - watch
  4. Ensure you have the following namespace level permissions

    apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: df-webhook
  name: deepfactor-namespace-role
rules:
- apiGroups: [""]
  resources: 
  - secrets
  - services
  - configmaps
  - pods
  - deployments
  - jobs
  - horizontalpodautoscalers
  verbs: 
  - create
  - update
  - apply
  - patch
  - delete
  - get
  - list
  - watch

#

Install Deepfactor Mutating Admission Webhook #

Deepfactor’s mutating admission controller webhook can be deployed using helm charts. Detailed instructions can be found at Install Deepfactor Mutating Webhook

 

Configuring Mutating Admission Webhook #

The webhook can be configured with a list of namespaces along with defaults parameters per namespace. Each of these defaults can be overridden using specific annotations in pod specs. A detailed description of the webhook configs and annotations can be found at How To Configure Deepfactor Mutating Webhook

Was this article helpful?

Powered by BetterDocs

Deepfactor Icon

Deepfactor is a developer security platform that enables engineering teams to quickly discover and resolve security vulnerabilities, supply chain risks, and compliance violations early in development and testing.

Product Pricing Resources Company Documentation Login Request a Quote Demo

SUBSCRIBE TO OUR NEWSLETTER!

© 2023 Deepfactor, Inc. All Rights Reserved.

Privacy Policy | Terms of Service | Open Source Disclosure