Introduction #
Deepfactor provides a mutating admission webhook to seamlessly run your K8s workloads with Deepfactor. If you would like to read more about the mutating admission webhook, you can refer to the following Kubernetes documentation article.
Mutating Admission Webhook K8s Documentation
The Deepfactor admission webhook controller works with K8s v1.19 and up.
Prerequisites for installing Deepfactor Mutating Admission webhook #
- The admissionregistration.k8s.io/v1 API version should be supported
kubectl api-versions | grep admissionregistration.k8s.io
Output should have
admissionregistration.k8s.io/v1
- Mutating admission plugin should be enabled in kube-apiserver flags
kube-apiserver -h | grep enable-admission-plugins
Output should have the following in the list
MutatingAdmissionWebhook
- Ensure you have the following cluster level permissions
In order to install the Deepfactor mutating admission webhook in your cluster, you will need permissions for the admissionregistration.k8s.io/v1 API group. If you are using cert-manager to manage the webhook certificate, you will need permissions for the certmanager.k8s.io API group as well. An example cluster role is shown below.

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    rbac.authorization.k8s.io/aggregate-to-admin: "true"
  name: deepfactor-webhook-admin
rules:
  # Only needed when cert-manager manages the webhook certificate.
  # certmanager.k8s.io is the API group of cert-manager releases before v0.11;
  # later releases serve these resources under cert-manager.io.
  - apiGroups:
      - "certmanager.k8s.io"
    resources:
      - issuers
      - certificates
    verbs:
      - create
      - update
      - apply
      - patch
      - delete
      - get
      - list
      - watch
  # RBAC rules match on the group name alone, so no "/v1" suffix here;
  # with the suffix the rule would never match a request.
  - apiGroups:
      - "admissionregistration.k8s.io"
    resources:
      - mutatingwebhookconfigurations
    verbs:
      - create
      - update
      - apply
      - patch
      - delete
      - get
      - list
      - watch
```
- Ensure you have the following namespace level permissions
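```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: df-webhook
  name: deepfactor-namespace-role
rules:
  # deployments, jobs and horizontalpodautoscalers are not in the core ("")
  # group; they are served by apps, batch and autoscaling respectively.
  - apiGroups: ["", "apps", "batch", "autoscaling"]
    resources:
      - secrets
      - services
      - configmaps
      - pods
      - deployments
      - jobs
      - horizontalpodautoscalers
    verbs:
      - create
      - update
      - apply
      - patch
      - delete
      - get
      - list
      - watch
```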
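The API-version and permission prerequisites above can be checked before installing, using `kubectl api-versions` and `kubectl auth can-i`. This is an added example, not part of the Deepfactor documentation or tooling; the function names and the `preflight.sh` file name are hypothetical, and `df-webhook` is the namespace used in the example Role.

```shell
#!/usr/bin/env bash
# Added example: preflight for the API-version and RBAC prerequisites.
# Function names are hypothetical; df-webhook is the namespace from the Role above.

# True if the exact group/version appears as a full line in the given
# `kubectl api-versions` output. A plain grep for the group name would also
# match admissionregistration.k8s.io/v1beta1.
has_api_version() {  # $1 = api-versions output, $2 = group/version
  printf '%s\n' "$1" | grep -qxF -- "$2"
}

# True if the current identity is allowed every verb on the resource.
# "apply" from the example roles is left out: it is not an API request verb.
can_manage() {  # $1 = resource[.group], $2 = namespace ("" = cluster scope)
  local verb
  for verb in create update patch delete get list watch; do
    kubectl auth can-i "$verb" "$1" ${2:+--namespace "$2"} >/dev/null 2>&1 \
      || return 1
  done
}

# Runs all checks, prints one line per failure, returns non-zero if any failed.
preflight() {
  local rc=0 res
  has_api_version "$(kubectl api-versions)" "admissionregistration.k8s.io/v1" \
    || { echo "FAIL: admissionregistration.k8s.io/v1 is not served"; rc=1; }
  can_manage mutatingwebhookconfigurations.admissionregistration.k8s.io "" \
    || { echo "FAIL: cannot manage mutatingwebhookconfigurations"; rc=1; }
  for res in secrets services configmaps pods deployments.apps jobs.batch \
             horizontalpodautoscalers.autoscaling; do
    can_manage "$res" df-webhook \
      || { echo "FAIL: missing rights on $res in df-webhook"; rc=1; }
  done
  return "$rc"
}

# Query the live cluster only when asked to: ./preflight.sh run
if [ "${1:-}" = "run" ]; then preflight; fi
```

If cert-manager manages the webhook certificate, add its `issuers` and `certificates` resources to the cluster-level check in the same way.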
Install Deepfactor Mutating Admission Webhook #
Deepfactor’s mutating admission controller webhook can be deployed using Helm charts. Detailed instructions can be found at Install Deepfactor Mutating Webhook.
Configuring Mutating Admission Webhook #
The webhook can be configured with a list of namespaces along with default parameters per namespace. Each of these defaults can be overridden using specific annotations in pod specs. A detailed description of the webhook configs and annotations can be found at How To Configure Deepfactor Mutating Webhook.