This is a Kubernetes Mutating Admission Webhook (see https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/). It can apply arbitrary changes (a "patch") to a Pod's manifest. A patch can do anything from adding or changing metadata to adding containers and init-containers with volumes.

The Kubernetes API server only supports communication with webhooks over HTTPS. An init-container is included that automates cert generation and any necessary configuration (i.e. applying the `caBundle` to the `MutatingWebhookConfiguration`).
It is a recurring requirement in Kubernetes deployments to transparently mutate Pod manifests - either to add new functionality transparently to existing deployments and applications, or to enforce compliance and other policies and requirements.
This webhook provides a flexible and scalable solution to those problems.
Path to the YAML file containing the patch to be applied to eligible Pods (see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.20/#pod-v1-core for help).
Patches support wildcards ("*") instead of specific names for containers, init-containers and volumes. If a wildcard is specified, the operation is applied to all existing containers/init-containers/volumes (see examples).
A patch can contain wildcard and regular operations simultaneously.
A patch can contain only one wildcard per type (container/init-container/volume) currently.
panic | fatal | error | warn | info | debug | trace
- adjust the `values.yaml` in `deploy/helm` to your requirements
- install the chart via `helm install k8s-pod-mutator deploy/helm -f deploy/helm/values.yaml`
By default, the webhook is reachable under "https://<service_name>:8443/mutate"
Issue: Azure/azure-sdk-for-net#18312
To apply the workaround proposed here, simply install the Helm chart with the provided example values: `helm upgrade --install k8s-pod-mutator deploy/helm -f values.yaml -f examples/values.example.yaml`.

This example adds the following init-container to all Pods that have a label `aadpodidbinding`:

```yaml
spec:
  initContainers:
    - name: wait-for-imds
      image: busybox:1.33
      command: ['sh', '-c', 'wget "http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com/" --header "Metadata: true" -S --spider -T 6']
```
Feature Request: #3
Consider the following patch:

```yaml
spec:
  initContainers:
    - name: ca
      image: alpine
      command: ["sh", "-c", "cp -r /etc/ssl/certs /volume"]
      volumeMounts:
        - mountPath: /volume
          name: cacerts
  containers:
    - name: "*"
      volumeMounts:
        - mountPath: /etc/ssl
          name: cacerts
  volumes:
    - name: cacerts
      emptyDir: {}
```

When this patch is applied, the volumeMount `cacerts` is added to all containers currently present in the Pod.
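To make the wildcard semantics of the two examples above concrete, here is an added Python model of the merge (example code, not the webhook's own implementation): a `"*"` entry is merged into the containers already present, regular entries and volumes are appended by name, and the result is wrapped in the JSON Patch an AdmissionReview response carries. The set of fields a wildcard entry may add (`MERGEABLE`) and the single `add /spec` patch op are assumptions of this example.

```python
import base64
import copy
import json

WILDCARD = "*"
MERGEABLE = ("volumeMounts", "env", "envFrom")  # fields a wildcard entry may add (assumption)


def _merge_named(dst: list, src: list) -> None:
    """Append src entries whose 'name' is not already in dst, so re-applying is idempotent."""
    names = {e.get("name") for e in dst}
    for entry in src:
        if entry.get("name") not in names:
            dst.append(copy.deepcopy(entry))
            names.add(entry.get("name"))


def apply_patch(pod: dict, patch: dict) -> dict:
    """Return a mutated deep copy of pod; the input object is left untouched."""
    out = copy.deepcopy(pod)
    spec = out.setdefault("spec", {})
    pspec = patch.get("spec", {})
    for kind in ("initContainers", "containers"):
        entries = pspec.get(kind, [])
        wild = [e for e in entries if e.get("name") == WILDCARD]
        if len(wild) > 1:  # the README allows only one wildcard per type
            raise ValueError(f"only one wildcard allowed per type, got {len(wild)} in {kind}")
        if not entries:
            continue
        existing = spec.setdefault(kind, [])
        for w in wild:  # wildcard: merge into containers already present, not ones added below
            for c in existing:
                for field in MERGEABLE:
                    if field in w:
                        _merge_named(c.setdefault(field, []), w[field])
        _merge_named(existing, [e for e in entries if e.get("name") != WILDCARD])
    if pspec.get("volumes"):
        _merge_named(spec.setdefault("volumes", []), pspec["volumes"])
    for key in ("labels", "annotations"):  # metadata maps are merged, patch values win
        if key in patch.get("metadata", {}):
            out.setdefault("metadata", {}).setdefault(key, {}).update(patch["metadata"][key])
    return out


def admission_response(uid: str, pod: dict, patch: dict) -> dict:
    """Build the AdmissionReview response the API server expects: a base64 RFC 6902 patch."""
    mutated = apply_patch(pod, patch)
    ops = [{"op": "add", "path": f"/{k}", "value": mutated.get(k, {})} for k in ("metadata", "spec") if k in patch]
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
            "response": {"uid": uid, "allowed": True, "patchType": "JSONPatch",
                         "patch": base64.b64encode(json.dumps(ops).encode()).decode()}}
```

Applying the same patch twice yields the same Pod, which matters because the API server may call a mutating webhook more than once for one admission.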
If you feel like anything is missing, should be fixed or could be improved, issues and pull requests are more than welcome.
MIT