diff --git a/Dockerfile b/Dockerfile
index da4612e..2d9d3b0 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,4 +1,18 @@
-FROM alpine:latest
+FROM golang:1.23-alpine AS builder
 
-ADD lxcfs-admission-webhook /lxcfs-admission-webhook
-ENTRYPOINT ["./lxcfs-admission-webhook"]
\ No newline at end of file
+LABEL stage=gobuilder
+
+ENV CGO_ENABLED=0
+
+WORKDIR /build
+COPY . .
+RUN go build
+
+FROM ubuntu:22.04
+
+ENV TZ=Asia/Shanghai
+
+WORKDIR /app
+
+COPY --from=builder /build/lxcfs-admission-webhook /app/lxcfs-admission-webhook
+ENTRYPOINT ["./lxcfs-admission-webhook"]
diff --git a/Gopkg.lock b/Gopkg.lock
deleted file mode 100644
index dab8e68..0000000
--- a/Gopkg.lock
+++ /dev/null
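Review bot: The final stage of the Dockerfile hunk (`FROM ubuntu:22.04` through `ENTRYPOINT`) has no `USER` instruction, so the webhook process runs as root inside the container. Because the builder sets `CGO_ENABLED=0` the binary should be static, so the runtime stage could be a minimal non-root base; at minimum add a fixed numeric user before the entrypoint, e.g. `USER 65532:65532`, and confirm the server can still bind its port (the Deployment in this commit exposes 443, which a non-root process may need `NET_BIND_SERVICE` or an unprivileged port for). `ENV TZ=Asia/Shanghai` probably has no effect unless zoneinfo data is present in the image, and this stage installs none. Both `FROM` lines use mutable tags; pinning them by digest would make the build reproducible.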
@@ -1,260 +0,0 @@ -# This file is autogenerated, do not edit; changes may be undone by the next 'dep ensure'. - - -[[projects]] - branch = "master" - digest = "1:4189ee6a3844f555124d9d2656fe7af02fca961c2a9bad9074789df13a0c62e0" - name = "github.com/docker/distribution" - packages = [ - "digestset", - "reference", - ] - pruneopts = "UT" - revision = "34c706e759240975178df82495f147559cc0edc1" - -[[projects]] - digest = "1:ac425d784b13d49b37a5bbed3ce022677f8f3073b216f05d6adcb9303e27fa0f" - name = "github.com/evanphx/json-patch" - packages = ["."] - pruneopts = "UT" - revision = "026c730a0dcc5d11f93f1cf1cc65b01247ea7b6f" - version = "v4.5.0" - -[[projects]] - digest = "1:2cd7915ab26ede7d95b8749e6b1f933f1c6d5398030684e6505940a10f31cfda" - name = "github.com/ghodss/yaml" - packages = ["."] - pruneopts = "UT" - revision = "0ca9ea5df5451ffdf184b4428c902747c2c11cd7" - version = "v1.0.0" - -[[projects]] - digest = "1:a7534feda0f15b5fd691e59e4fb6b7547e27df4b415a62e02c7cb71b3439c1b1" - name = "github.com/gogo/protobuf" - packages = [ - "proto", - "sortkeys", - ] - pruneopts = "UT" - revision = "1adfc126b41513cc696b209667c8656ea7aac67c" - version = "v1.0.0" - -[[projects]] - branch = "master" - digest = "1:1ba1d79f2810270045c328ae5d674321db34e3aae468eb4233883b473c5c0467" - name = "github.com/golang/glog" - packages = ["."] - pruneopts = "UT" - revision = "23def4e6c14b4da8ac2ed8007337bc5eb5007998" - -[[projects]] - branch = "master" - digest = "1:3ee90c0d94da31b442dde97c99635aaafec68d0b8a3c12ee2075c6bdabeec6bb" - name = "github.com/google/gofuzz" - packages = ["."] - pruneopts = "UT" - revision = "24818f796faf91cd76ec7bddd72458fbced7a6c1" - -[[projects]] - digest = "1:bb3cc4c1b21ea18cfa4e3e47440fc74d316ab25b0cf42927e8c1274917bd9891" - name = "github.com/json-iterator/go" - packages = ["."] - pruneopts = "UT" - revision = "f2b4162afba35581b6d4a50d3b8f34e33c144682" - -[[projects]] - digest = "1:33422d238f147d247752996a26574ac48dcf472976eda7f5134015f06bf16563" - name = 
"github.com/modern-go/concurrent" - packages = ["."] - pruneopts = "UT" - revision = "bacd9c7ef1dd9b15be4a9909b8ac7a4e313eec94" - version = "1.0.3" - -[[projects]] - digest = "1:d711dfcf661439f1ef0b202a02e8a1ff4deac48f26f34253520dcdbecbd7c5f1" - name = "github.com/modern-go/reflect2" - packages = ["."] - pruneopts = "UT" - revision = "1df9eeb2bb81f327b96228865c5687bc2194af3f" - version = "1.0.0" - -[[projects]] - digest = "1:ee4d4af67d93cc7644157882329023ce9a7bcfce956a079069a9405521c7cc8d" - name = "github.com/opencontainers/go-digest" - packages = ["."] - pruneopts = "UT" - revision = "279bed98673dd5bef374d3b6e4b09e2af76183bf" - version = "v1.0.0-rc1" - -[[projects]] - digest = "1:cf31692c14422fa27c83a05292eb5cbe0fb2775972e8f1f8446a71549bd8980b" - name = "github.com/pkg/errors" - packages = ["."] - pruneopts = "UT" - revision = "ba968bfe8b2f7e042a574c888954fccecfa385b4" - version = "v0.8.1" - -[[projects]] - digest = "1:1b21a2b4058a779f290c7341cd93267492e0ecea6c8b54f64a4a5fd7ff131034" - name = "github.com/spf13/pflag" - packages = ["."] - pruneopts = "UT" - revision = "e57e3eeb33f795204c1ca35f56c44f83227c6e66" - version = "v1.0.0" - -[[projects]] - branch = "master" - digest = "1:e8003673b445a203b83c643175136f264149eaee4d8f379fafdb6273d83cf3f7" - name = "golang.org/x/net" - packages = [ - "http2", - "http2/hpack", - "idna", - "lex/httplex", - ] - pruneopts = "UT" - revision = "892bf7b0c6e2f93b51166bf3882e50277fa5afc6" - -[[projects]] - digest = "1:a2ab62866c75542dd18d2b069fec854577a20211d7c0ea6ae746072a1dccdd18" - name = "golang.org/x/text" - packages = [ - "collate", - "collate/build", - "internal/colltab", - "internal/gen", - "internal/tag", - "internal/triegen", - "internal/ucd", - "language", - "secure/bidirule", - "transform", - "unicode/bidi", - "unicode/cldr", - "unicode/norm", - "unicode/rangetable", - ] - pruneopts = "UT" - revision = "f21a4dfb5e38f5895301dc265a8def02365cc3d0" - version = "v0.3.0" - -[[projects]] - digest = 
"1:ef72505cf098abdd34efeea032103377bec06abb61d8a06f002d5d296a4b1185" - name = "gopkg.in/inf.v0" - packages = ["."] - pruneopts = "UT" - revision = "3887ee99ecf07df5b447e9b00d9c0b2adaa9f3e4" - version = "v0.9.0" - -[[projects]] - digest = "1:2a81c6e126d36ad027328cffaa4888fc3be40f09dc48028d1f93705b718130b9" - name = "gopkg.in/yaml.v2" - packages = ["."] - pruneopts = "UT" - revision = "7f97868eec74b32b0982dd158a51a446d1da7eb5" - version = "v2.1.1" - -[[projects]] - branch = "release-1.10" - digest = "1:ac4ff6eb87d2b0b6cb3a1494dd4fbe083eb2f052ee2c4e922c83889836d633bf" - name = "k8s.io/api" - packages = [ - "admission/v1beta1", - "admissionregistration/v1beta1", - "authentication/v1", - "core/v1", - ] - pruneopts = "UT" - revision = "12444147eb1150aa5c80d2aae532cbc5b7be73d0" - -[[projects]] - branch = "release-1.10" - digest = "1:b46a162d7c7e9117ae2dd9a73ee4dc2181ad9ea9d505fd7c5eb63c96211dc9dd" - name = "k8s.io/apiextensions-apiserver" - packages = ["pkg/features"] - pruneopts = "UT" - revision = "f584b16eb23bd2a3fd292a027d698d95db427c5d" - -[[projects]] - branch = "release-1.10" - digest = "1:b585f5d64c80705b003b1632340d7da1ef74e1c152b5071d1d8eb35929a86de0" - name = "k8s.io/apimachinery" - packages = [ - "pkg/api/resource", - "pkg/apis/meta/internalversion", - "pkg/apis/meta/v1", - "pkg/apis/meta/v1beta1", - "pkg/conversion", - "pkg/conversion/queryparams", - "pkg/fields", - "pkg/labels", - "pkg/runtime", - "pkg/runtime/schema", - "pkg/runtime/serializer", - "pkg/runtime/serializer/json", - "pkg/runtime/serializer/protobuf", - "pkg/runtime/serializer/recognizer", - "pkg/runtime/serializer/versioning", - "pkg/selection", - "pkg/types", - "pkg/util/errors", - "pkg/util/framer", - "pkg/util/intstr", - "pkg/util/json", - "pkg/util/net", - "pkg/util/runtime", - "pkg/util/sets", - "pkg/util/validation", - "pkg/util/validation/field", - "pkg/util/wait", - "pkg/util/yaml", - "pkg/watch", - "third_party/forked/golang/reflect", - ] - pruneopts = "UT" - revision = 
"e386b2658ed20923da8cc9250e552f082899a1ee" - -[[projects]] - branch = "release-1.10" - digest = "1:69f7f9af51c404e8a61f3c86e7c3c73fecde09f188c8642072a9c09036c8762d" - name = "k8s.io/apiserver" - packages = [ - "pkg/features", - "pkg/util/feature", - ] - pruneopts = "UT" - revision = "88d4601515c27f180f7efc8705e4cc18dc19100d" - -[[projects]] - branch = "release-1.10" - digest = "1:516748ed941aec1cb5f9deab82b34f7bcfa1e8c8702fa63197a1d7df04d4cffc" - name = "k8s.io/kubernetes" - packages = [ - "pkg/apis/autoscaling", - "pkg/apis/core", - "pkg/apis/core/v1", - "pkg/apis/extensions", - "pkg/apis/networking", - "pkg/features", - "pkg/util/parsers", - "pkg/util/pointer", - ] - pruneopts = "UT" - revision = "efe960cdc41ee7b18d408128dfb80babb5bc746a" - -[solve-meta] - analyzer-name = "dep" - analyzer-version = 1 - input-imports = [ - "github.com/evanphx/json-patch", - "github.com/golang/glog", - "k8s.io/api/admission/v1beta1", - "k8s.io/api/admissionregistration/v1beta1", - "k8s.io/api/core/v1", - "k8s.io/apimachinery/pkg/apis/meta/v1", - "k8s.io/apimachinery/pkg/runtime", - "k8s.io/apimachinery/pkg/runtime/serializer", - "k8s.io/kubernetes/pkg/apis/core/v1", - ] - solver-name = "gps-cdcl" - solver-version = 1 diff --git a/Gopkg.toml b/Gopkg.toml deleted file mode 100644 index 6fd6a84..0000000 --- a/Gopkg.toml +++ /dev/null 
@@ -1,42 +0,0 @@ -[[constraint]] - branch = "master" - name = "github.com/golang/glog" - -[[constraint]] - name = "k8s.io/api" - branch = "release-1.10" - -[[constraint]] - name = "k8s.io/kubernetes" - branch = "release-1.10" - -[[constraint]] - name = "k8s.io/apimachinery" - branch = "release-1.10" - -[prune] - go-tests = true - unused-packages = true - -# Fix: vendor/k8s.io/kubernetes/pkg/util/parsers/parsers.go:36:16: undefined: reference.ParseNormalizedNamed -[[override]] - name = "github.com/docker/distribution" - branch = "master" - -# Fix: vendor/k8s.io/apimachinery/pkg/runtime/serializer/json/json.go:109:16: unknown field 'CaseSensitive' in struct literal of type jsoniter.Config -# https://github.com/kubernetes/apimachinery/issues/46 -[[override]] - name = "github.com/json-iterator/go" - revision = "f2b4162afba35581b6d4a50d3b8f34e33c144682" - -[[override]] - name = "k8s.io/apiextensions-apiserver" - branch = "release-1.10" - -[[override]] - name = "k8s.io/apiserver" - branch = "release-1.10" - -[[constraint]] - name = "k8s.io/client-go" - version = "7.0.0" diff --git a/README.md b/README.md index e5611d8..683f040 100644 --- a/README.md +++ b/README.md 
@@ -1,105 +1,5 @@ # Kubernetes Admission Webhook for LXCFS -This project shows how to build and deploy an [AdmissionWebhook](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#admission-webhooks) for [LXCFS](https://github.com/lxc/lxcfs). - -## Prerequisites - -Kubernetes 1.9.0 or above with the `admissionregistration.k8s.io/v1beta1` API enabled. Verify that by the following command: -``` -kubectl api-versions | grep admissionregistration.k8s.io/v1beta1 -``` -The result should be: -``` -admissionregistration.k8s.io/v1beta1 -``` - -In addition, the `MutatingAdmissionWebhook` and `ValidatingAdmissionWebhook` admission controllers should be added and listed in the correct order in the admission-control flag of kube-apiserver. - -## Build - -1. Setup dep - - The repo uses [dep](https://github.com/golang/dep) as the dependency management tool for its Go codebase. Install `dep` by the following command: - -``` -go get -u github.com/golang/dep/cmd/dep -``` - -2. Build and push docker image - -``` -./build -``` - -## Deploy - -1. Deploy lxcfs to worker nodes - -``` -kubectl apply -f deployment/lxcfs-daemonset.yaml -``` - -2. Install injector with lxcfs-admission-webhook - -``` -deployment/install.sh -``` - -## Test - -1. Enable the namespace for injection - -``` -kubectl label namespace default lxcfs-admission-webhook=enabled -``` - -Note: All the new created pod under the namespace will be injected with LXCFS - - -2. Deploy the test deployment - -``` -kubectl apply -f deployment/web.yaml -``` - -3. 
Inspect the resource inside container - - -``` -$ kubectl get pod - -NAME READY STATUS RESTARTS AGE -lxcfs-admission-webhook-deployment-f4bdd6f66-5wrlg 1/1 Running 0 8m29s -lxcfs-pqs2d 1/1 Running 0 55m -lxcfs-zfh99 1/1 Running 0 55m -web-7c5464f6b9-6zxdf 1/1 Running 0 8m10s -web-7c5464f6b9-nktff 1/1 Running 0 8m10s - -$ kubectl exec -ti web-7c5464f6b9-6zxdf sh -# free - total used free shared buffers cached -Mem: 262144 2744 259400 0 0 312 --/+ buffers/cache: 2432 259712 -Swap: 0 0 0 -# -``` - -## Cleanup - -1. Uninstall injector with lxcfs-admission-webhook - -``` -deployment/uninstall.sh -``` - -2. Uninstall lxcfs from cluster nodes - -``` -kubectl delete -f deployment/lxcfs-daemonset.yaml -``` - -## How does it work? - -If you want to know webhooks in depth, please check [it](https://aliyun.com/blog/k8s-admission-webhooks/) out! - +本项目从`https://github.com/denverdino/lxcfs-admission-webhook` fork而来 +本项目依赖cert manager,需要集群中已安装cert manager \ No newline at end of file diff --git a/build b/build deleted file mode 100755 index b173c54..0000000 --- a/build +++ /dev/null @@ -1,10 +0,0 @@ -#!/bin/bash - -DOCKER_USER=denverdino - -dep ensure -v -CGO_ENABLED=0 GOOS=linux go build -a -installsuffix cgo -o lxcfs-admission-webhook -docker build --no-cache -t registry.cn-hangzhou.aliyuncs.com/${DOCKER_USER}/lxcfs-admission-webhook:v1 . -rm -rf lxcfs-admission-webhook - -docker push registry.cn-hangzhou.aliyuncs.com/${DOCKER_USER}/lxcfs-admission-webhook:v1 diff --git a/build-container.sh b/build-container.sh deleted file mode 100755 index 5e2db86..0000000 --- a/build-container.sh +++ /dev/null @@ -1,5 +0,0 @@ -#!/bin/bash -docker build -t registry.cn-hangzhou.aliyuncs.com/denverdino/lxcfs:3.1.2 lxcfs-image -docker push registry.cn-hangzhou.aliyuncs.com/denverdino/lxcfs:3.1.2 - -./build diff --git a/deployment/deployment.yaml b/deployment/deployment.yaml index 81a7dcd..2b30a8a 100644 --- a/deployment/deployment.yaml +++ b/deployment/deployment.yaml 
@@ -1,34 +1,55 @@ apiVersion: apps/v1 kind: Deployment metadata: - name: lxcfs-admission-webhook-deployment - labels: - app: lxcfs-admission-webhook + name: lxcfs-admission-webhook + namespace: lxcfs spec: - replicas: 1 + progressDeadlineSeconds: 600 + replicas: 3 + revisionHistoryLimit: 10 selector: matchLabels: app: lxcfs-admission-webhook + strategy: + rollingUpdate: + maxSurge: 25% + maxUnavailable: 25% + type: RollingUpdate template: metadata: labels: app: lxcfs-admission-webhook + namespace: lxcfs spec: containers: - - name: lxcfs-admission-webhook - image: registry.cn-hangzhou.aliyuncs.com/denverdino/lxcfs-admission-webhook:v1 + - image: xhpolaris/lxcfs-admission-webhook:v1 imagePullPolicy: IfNotPresent - args: - - -tlsCertFile=/etc/webhook/certs/cert.pem - - -tlsKeyFile=/etc/webhook/certs/key.pem - - -alsologtostderr - - -v=4 - - 2>&1 + name: webhook + ports: + - containerPort: 443 + name: https + protocol: TCP + resources: + limits: + memory: 128Mi + securityContext: + allowPrivilegeEscalation: false + privileged: false + readOnlyRootFilesystem: false + runAsNonRoot: false + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File volumeMounts: - - name: webhook-certs - mountPath: /etc/webhook/certs + - mountPath: /etc/webhook/certs + name: vol-hpgcr readOnly: true + dnsPolicy: ClusterFirst + restartPolicy: Always + schedulerName: default-scheduler + securityContext: {} + terminationGracePeriodSeconds: 30 volumes: - - name: webhook-certs + - name: vol-hpgcr secret: - secretName: lxcfs-admission-webhook-certs + defaultMode: 420 + secretName: lxcfs-admission-webhook-crt \ No newline at end of file diff --git a/deployment/install.sh b/deployment/install.sh deleted file mode 100755 index 12be25f..0000000 --- a/deployment/install.sh +++ /dev/null 
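Review bot: The container `securityContext` in deployment/deployment.yaml sets `runAsNonRoot: false` and `readOnlyRootFilesystem: false` explicitly and drops no capabilities, so the admission webhook runs as whatever user the image defaults to (root, given the Dockerfile in this commit) with a writable root filesystem. Prefer `runAsNonRoot: true`, `readOnlyRootFilesystem: true` and `capabilities: {drop: ["ALL"]}`, adding back `NET_BIND_SERVICE` only if the server must stay on 443. The `-tlsCertFile`/`-tlsKeyFile` args are removed while the mounted secret `lxcfs-admission-webhook-crt` is now produced by cert-manager, which writes `tls.crt`/`tls.key` rather than `cert.pem`/`key.pem`; unless the binary's defaults were changed elsewhere in this commit, the server will not find its key pair. `image: xhpolaris/lxcfs-admission-webhook:v1` with `imagePullPolicy: IfNotPresent` is a mutable tag, so pinning by digest would keep nodes from running different builds under the same name.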
@@ -1,10 +0,0 @@ -#!/bin/bash - -./deployment/webhook-create-signed-cert.sh -kubectl get secret lxcfs-admission-webhook-certs - -kubectl create -f deployment/deployment.yaml -kubectl create -f deployment/service.yaml -cat ./deployment/mutatingwebhook.yaml | ./deployment/webhook-patch-ca-bundle.sh > ./deployment/mutatingwebhook-ca-bundle.yaml -kubectl create -f deployment/mutatingwebhook-ca-bundle.yaml - diff --git a/deployment/lxcfs-admission-webhook-crt.yaml b/deployment/lxcfs-admission-webhook-crt.yaml new file mode 100644 index 0000000..f2bcf31 --- /dev/null +++ b/deployment/lxcfs-admission-webhook-crt.yaml @@ -0,0 +1,15 @@ +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: lxcfs-admission-webhook-crt + namespace: lxcfs +spec: + dnsNames: + - lxcfs-admission-webhook + - lxcfs-admission-webhook.lxcfs + - lxcfs-admission-webhook.lxcfs.svc + - lxcfs-admission-webhook.lxcfs.svc.cluster.local + issuerRef: + kind: ClusterIssuer + name: ca-issuer + secretName: lxcfs-admission-webhook-crt \ No newline at end of file diff --git a/deployment/lxcfs-daemonset.yaml b/deployment/lxcfs-daemonset.yaml deleted file mode 100644 index 83115b5..0000000 --- a/deployment/lxcfs-daemonset.yaml +++ /dev/null 
@@ -1,49 +0,0 @@ -apiVersion: apps/v1 -kind: DaemonSet -metadata: - name: lxcfs - labels: - app: lxcfs -spec: - selector: - matchLabels: - app: lxcfs - template: - metadata: - labels: - app: lxcfs - spec: - hostPID: true - tolerations: - - key: node-role.kubernetes.io/master - effect: NoSchedule - containers: - - name: lxcfs - image: registry.cn-hangzhou.aliyuncs.com/denverdino/lxcfs:3.1.2 - imagePullPolicy: Always - securityContext: - privileged: true - volumeMounts: - - name: cgroup - mountPath: /sys/fs/cgroup - - name: lxcfs - mountPath: /var/lib/lxcfs - mountPropagation: Bidirectional - - name: usr-local - mountPath: /usr/local - - name: usr-lib64 - mountPath: /usr/lib64 - volumes: - - name: cgroup - hostPath: - path: /sys/fs/cgroup - - name: usr-local - hostPath: - path: /usr/local - - name: usr-lib64 - hostPath: - path: /usr/lib64 - - name: lxcfs - hostPath: - path: /var/lib/lxcfs - type: DirectoryOrCreate diff --git a/deployment/mutating-webhook.yaml b/deployment/mutating-webhook.yaml new file mode 100644 index 0000000..cb6cab6 --- /dev/null +++ b/deployment/mutating-webhook.yaml @@ -0,0 +1,41 @@ +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: + annotations: + cert-manager.io/inject-ca-from: lxcfs/lxcfs-admission-webhook-crt.yaml + labels: + app: lxcfs-admission-webhook + name: mutating-lxcfs-admission-webhook-cfg +webhooks: + - admissionReviewVersions: + - v1beta1 + clientConfig: + service: + name: lxcfs-admission-webhook + namespace: lxcfs + path: /mutate + port: 443 + failurePolicy: Fail + matchPolicy: Equivalent + name: mutating.lxcfs-admission-webhook.xhpolaris.com + namespaceSelector: + matchExpressions: + - key: lxcfs-admission-webhook + operator: NotIn + values: + - disabled + objectSelector: {} + reinvocationPolicy: Never + rules: + - apiGroups: + - core + - '' + apiVersions: + - v1 + operations: + - CREATE + resources: + - pods + scope: '*' + sideEffects: None + timeoutSeconds: 10 
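Review bot: In deployment/mutating-webhook.yaml the annotation `cert-manager.io/inject-ca-from: lxcfs/lxcfs-admission-webhook-crt.yaml` does not match the Certificate added in this commit, which is named `lxcfs-admission-webhook-crt` in namespace `lxcfs`; the value format is `<namespace>/<certificate name>`, so it should read `cert-manager.io/inject-ca-from: lxcfs/lxcfs-admission-webhook-crt`. Without a matching reference no `caBundle` is injected and the API server cannot verify the webhook's certificate. That matters more here because `failurePolicy: Fail` is combined with an opt-out `namespaceSelector` (`operator: NotIn`, `disabled`), so pod CREATE in every unlabelled namespace, including `kube-system` and the webhook's own `lxcfs` namespace, is rejected whenever the webhook is unreachable or untrusted. Consider keeping the previous opt-in label match, or at least excluding the control-plane and `lxcfs` namespaces from the selector. The config also points at Service `lxcfs-admission-webhook` in `lxcfs`, while this commit deletes `deployment/service.yaml` and no replacement Service is visible in the diff.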
diff --git a/deployment/mutatingwebhook.yaml b/deployment/mutatingwebhook.yaml deleted file mode 100644 index d7542f1..0000000 --- a/deployment/mutatingwebhook.yaml +++ /dev/null @@ -1,22 +0,0 @@ -apiVersion: admissionregistration.k8s.io/v1beta1 -kind: MutatingWebhookConfiguration -metadata: - name: mutating-lxcfs-admission-webhook-cfg - labels: - app: lxcfs-admission-webhook -webhooks: - - name: mutating.lxcfs-admission-webhook.aliyun.com - clientConfig: - service: - name: lxcfs-admission-webhook-svc - namespace: default - path: "/mutate" - caBundle: ${CA_BUNDLE} - rules: - - operations: [ "CREATE" ] - apiGroups: ["core", ""] - apiVersions: ["v1"] - resources: ["pods"] - namespaceSelector: - matchLabels: - lxcfs-admission-webhook: enabled diff --git a/deployment/service.yaml b/deployment/service.yaml deleted file mode 100644 index 04b80f4..0000000 --- a/deployment/service.yaml +++ /dev/null @@ -1,12 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: lxcfs-admission-webhook-svc - labels: - app: lxcfs-admission-webhook -spec: - ports: - - port: 443 - targetPort: 443 - selector: - app: lxcfs-admission-webhook diff --git a/deployment/uninstall.sh b/deployment/uninstall.sh deleted file mode 100755 index 1c1ca7d..0000000 --- a/deployment/uninstall.sh +++ /dev/null @@ -1,7 +0,0 @@ -#!/bin/bash - -kubectl delete -f deployment/mutatingwebhook-ca-bundle.yaml -kubectl delete -f deployment/service.yaml -kubectl delete -f deployment/deployment.yaml -kubectl delete secret lxcfs-admission-webhook-certs - diff --git a/deployment/validatingwebhook.yaml b/deployment/validatingwebhook.yaml deleted file mode 100644 index df73797..0000000 --- a/deployment/validatingwebhook.yaml +++ /dev/null 
@@ -1,22 +0,0 @@ -apiVersion: admissionregistration.k8s.io/v1beta1 -kind: ValidatingWebhookConfiguration -metadata: - name: validation-lxcfs-admission-webhook-cfg - labels: - app: lxcfs-admission-webhook -webhooks: - - name: validation.lxcfs-admission-webhook.aliyun.com - clientConfig: - service: - name: lxcfs-admission-webhook-svc - namespace: default - path: "/validate" - caBundle: ${CA_BUNDLE} - rules: - - operations: [ "CREATE" ] - apiGroups: ["pod", ""] - apiVersions: ["v1"] - resources: ["pods"] - namespaceSelector: - matchLabels: - lxcfs-admission-webhook: enabled diff --git a/deployment/web.yaml b/deployment/web.yaml deleted file mode 100644 index 8118627..0000000 --- a/deployment/web.yaml +++ /dev/null @@ -1,25 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: web -spec: - replicas: 2 - selector: - matchLabels: - app: web - template: - metadata: - labels: - app: web - spec: - containers: - - name: web - image: httpd:2.4.32 - imagePullPolicy: Always - resources: - requests: - memory: "256Mi" - cpu: "500m" - limits: - memory: "256Mi" - cpu: "500m" diff --git a/deployment/webhook-create-signed-cert.sh b/deployment/webhook-create-signed-cert.sh deleted file mode 100755 index dc05387..0000000 --- a/deployment/webhook-create-signed-cert.sh +++ /dev/null 
@@ -1,130 +0,0 @@ -#!/bin/bash - -set -e - -usage() { - cat <> ${tmpdir}/csr.conf -[req] -req_extensions = v3_req -distinguished_name = req_distinguished_name -[req_distinguished_name] -[ v3_req ] -basicConstraints = CA:FALSE -keyUsage = nonRepudiation, digitalSignature, keyEncipherment -extendedKeyUsage = serverAuth -subjectAltName = @alt_names -[alt_names] -DNS.1 = ${service} -DNS.2 = ${service}.${namespace} -DNS.3 = ${service}.${namespace}.svc -EOF - -openssl genrsa -out ${tmpdir}/server-key.pem 2048 -openssl req -new -key ${tmpdir}/server-key.pem -subj "/CN=${service}.${namespace}.svc" -out ${tmpdir}/server.csr -config ${tmpdir}/csr.conf - -# clean-up any previously created CSR for our service. Ignore errors if not present. -kubectl delete csr ${csrName} 2>/dev/null || true - -# create server cert/key CSR and send to k8s API -cat <&2 - exit 1 -fi -echo ${serverCert} | openssl base64 -d -A -out ${tmpdir}/server-cert.pem - - -# create the secret with CA cert and server cert/key -kubectl create secret generic ${secret} \ - --from-file=key.pem=${tmpdir}/server-key.pem \ - --from-file=cert.pem=${tmpdir}/server-cert.pem \ - --dry-run -o yaml | - kubectl -n ${namespace} apply -f - diff --git a/deployment/webhook-patch-ca-bundle.sh b/deployment/webhook-patch-ca-bundle.sh deleted file mode 100755 index 406e0e8..0000000 --- a/deployment/webhook-patch-ca-bundle.sh +++ /dev/null @@ -1,16 +0,0 @@ -#!/bin/bash - -ROOT=$(cd $(dirname $0)/../../; pwd) - -set -o errexit -set -o nounset -set -o pipefail - - -export CA_BUNDLE=$(kubectl config view --raw --flatten --minify -o jsonpath='{.clusters[].cluster.certificate-authority-data}') - -if command -v envsubst >/dev/null 2>&1; then - envsubst -else - sed -e "s|\${CA_BUNDLE}|${CA_BUNDLE}|g" -fi diff --git a/go.mod b/go.mod new file mode 100644 index 0000000..4b91f76 --- /dev/null +++ b/go.mod 
@@ -0,0 +1,49 @@ +module github.com/xh-polaris/lxcfs-admission-webhook + +go 1.23 + +require ( + github.com/evanphx/json-patch v0.5.2 + github.com/golang/glog v1.2.1 + k8s.io/api v0.31.2 + k8s.io/apimachinery v0.31.2 + k8s.io/kubernetes v1.31.2 +) + +require ( + github.com/beorn7/perks v1.0.1 // indirect + github.com/blang/semver/v4 v4.0.0 // indirect + github.com/cespare/xxhash/v2 v2.3.0 // indirect + github.com/distribution/reference v0.5.0 // indirect + github.com/fxamacker/cbor/v2 v2.7.0 // indirect + github.com/go-logr/logr v1.4.2 // indirect + github.com/gogo/protobuf v1.3.2 // indirect + github.com/google/gofuzz v1.2.0 // indirect + github.com/json-iterator/go v1.1.12 // indirect + github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect + github.com/modern-go/reflect2 v1.0.2 // indirect + github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect + github.com/opencontainers/go-digest v1.0.0 // indirect + github.com/pkg/errors v0.9.1 // indirect + github.com/prometheus/client_golang v1.19.1 // indirect + github.com/prometheus/client_model v0.6.1 // indirect + github.com/prometheus/common v0.55.0 // indirect + github.com/prometheus/procfs v0.15.1 // indirect + github.com/spf13/pflag v1.0.5 // indirect + github.com/x448/float16 v0.8.4 // indirect + golang.org/x/net v0.30.0 // indirect + golang.org/x/sys v0.26.0 // indirect + golang.org/x/text v0.19.0 // indirect + google.golang.org/protobuf v1.35.1 // indirect + gopkg.in/inf.v0 v0.9.1 // indirect + gopkg.in/yaml.v2 v2.4.0 // indirect + k8s.io/apiextensions-apiserver v0.31.2 // indirect + k8s.io/apiserver v0.31.2 // indirect + k8s.io/client-go v0.31.2 // indirect + k8s.io/component-base v0.31.2 // indirect + k8s.io/klog/v2 v2.130.1 // indirect + k8s.io/utils v0.0.0-20241104100929-3ea5e8cea738 // indirect + sigs.k8s.io/json v0.0.0-20241010143419-9aa6b5e7a4b3 // indirect + sigs.k8s.io/structured-merge-diff/v4 v4.4.2 // indirect + sigs.k8s.io/yaml v1.4.0 // indirect +) 
diff --git a/go.sum b/go.sum new file mode 100644 index 0000000..761fedf --- /dev/null +++ b/go.sum 
@@ -0,0 +1,137 @@ +github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM= +github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw= +github.com/blang/semver/v4 v4.0.0 h1:1PFHFE6yCCTv8C1TeyNNarDzntLi7wMI5i/pzqYIsAM= +github.com/blang/semver/v4 v4.0.0/go.mod h1:IbckMUScFkM3pff0VJDNKRiT6TG/YpiHIM2yvyW5YoQ= +github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs= +github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= +github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM= +github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/distribution/reference v0.5.0 h1:/FUIFXtfc/x2gpa5/VGfiGLuOIdYa1t65IKK2OFGvA0= +github.com/distribution/reference v0.5.0/go.mod h1:BbU0aIcezP1/5jX/8MP0YiH4SdvB5Y4f/wlDRiLyi3E= +github.com/evanphx/json-patch v0.5.2 h1:xVCHIVMUu1wtM/VkR9jVZ45N3FhZfYMMYGorLCR8P3k= +github.com/evanphx/json-patch v0.5.2/go.mod h1:ZWS5hhDbVDyob71nXKNL0+PWn6ToqBHMikGIFbs31qQ= +github.com/fxamacker/cbor/v2 v2.7.0 h1:iM5WgngdRBanHcxugY4JySA0nk1wZorNOpTgCMedv5E= +github.com/fxamacker/cbor/v2 v2.7.0/go.mod h1:pxXPTn3joSm21Gbwsv0w9OSA2y1HFR9qXEeXQVeNoDQ= +github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY= +github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY= +github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q= +github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q= +github.com/golang/glog v1.2.1 h1:OptwRhECazUx5ix5TTWC3EZhsZEHWcYWY4FQHTIubm4= +github.com/golang/glog v1.2.1/go.mod h1:6AhwSGph0fcJtXVM/PEHPqZlFeoLxhs7/t5UDAwmO+w= 
+github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= +github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI= +github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= +github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= +github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0= +github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= +github.com/jessevdk/go-flags v1.4.0/go.mod h1:4FA24M0QyGHXBuZZK/XkWh8h0e1EYbRYJSGM75WSRxI= +github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM= +github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo= +github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8= +github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck= +github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE= +github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk= +github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY= +github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE= +github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= +github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg= +github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= +github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9Gz0M= +github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk= +github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA= +github.com/munnerz/goautoneg 
v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ= +github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U= +github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM= +github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4= +github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= +github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= +github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U= +github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= +github.com/prometheus/client_golang v1.19.1 h1:wZWJDwK+NameRJuPGDhlnFgx8e8HN3XHQeLaYJFJBOE= +github.com/prometheus/client_golang v1.19.1/go.mod h1:mP78NwGzrVks5S2H6ab8+ZZGJLZUq1hoULYBAYBw1Ho= +github.com/prometheus/client_model v0.6.1 h1:ZKSh/rekM+n3CeS952MLRAdFwIKqeY8b62p8ais2e9E= +github.com/prometheus/client_model v0.6.1/go.mod h1:OrxVMOVHjw3lKMa8+x6HeMGkHMQyHDk9E3jmP2AmGiY= +github.com/prometheus/common v0.55.0 h1:KEi6DK7lXW/m7Ig5i47x0vRzuBsHuvJdi5ee6Y3G1dc= +github.com/prometheus/common v0.55.0/go.mod h1:2SECS4xJG1kd8XF9IcM1gMX6510RAEL65zxzNImwdc8= +github.com/prometheus/procfs v0.15.1 h1:YagwOFzUgYfKKHX6Dr+sHT7km/hxC76UB0learggepc= +github.com/prometheus/procfs v0.15.1/go.mod h1:fB45yRUv8NstnjriLhBQLuOUt+WW4BsoGhij/e3PBqk= +github.com/rogpeppe/go-internal v1.12.0 h1:exVL4IDcn6na9z1rAb56Vxr+CgyK3nn3O+epU5NdKM8= +github.com/rogpeppe/go-internal v1.12.0/go.mod h1:E+RYuTGaKKdloAfM02xzb0FW3Paa99yedzYV+kq4uf4= +github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA= +github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= +github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= +github.com/stretchr/testify v1.3.0/go.mod 
h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI= +github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg= +github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY= +github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM= +github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg= +github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= +github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= +golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= +golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= +golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= +golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= +golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= +golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= +golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= +golang.org/x/net v0.30.0 h1:AcW1SDZMkb8IpzCdQUaIq2sP4sZ4zw+55h6ynffypl4= +golang.org/x/net v0.30.0/go.mod h1:2wGyMJ5iFasEhkwi13ChkO/t1ECNC4X4eBKkVFyYFlU= +golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sys 
v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.26.0 h1:KHjCJyddX0LoSTb3J+vWpupP9p0oznkqVk/IfjymZbo= +golang.org/x/sys v0.26.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= +golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= +golang.org/x/text v0.19.0 h1:kTxAhCbGbxhK0IwgSKiMO5awPoDQ0RpfiVYBfK860YM= +golang.org/x/text v0.19.0/go.mod h1:BuEKDfySbSR4drPmRPG/7iBdf8hvFMuRexcpahXilzY= +golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= +golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= +golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +google.golang.org/protobuf v1.35.1 h1:m3LfL6/Ca+fqnjnlqQXNpFPABW1UD7mjh8KO2mKFytA= +google.golang.org/protobuf v1.35.1/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE= +gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= +gopkg.in/check.v1 
v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk= +gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q= +gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc= +gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw= +gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY= +gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ= +gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= +gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= +k8s.io/api v0.31.2 h1:3wLBbL5Uom/8Zy98GRPXpJ254nEFpl+hwndmk9RwmL0= +k8s.io/api v0.31.2/go.mod h1:bWmGvrGPssSK1ljmLzd3pwCQ9MgoTsRCuK35u6SygUk= +k8s.io/apiextensions-apiserver v0.31.2 h1:W8EwUb8+WXBLu56ser5IudT2cOho0gAKeTOnywBLxd0= +k8s.io/apiextensions-apiserver v0.31.2/go.mod h1:i+Geh+nGCJEGiCGR3MlBDkS7koHIIKWVfWeRFiOsUcM= +k8s.io/apimachinery v0.31.2 h1:i4vUt2hPK56W6mlT7Ry+AO8eEsyxMD1U44NR22CLTYw= +k8s.io/apimachinery v0.31.2/go.mod h1:rsPdaZJfTfLsNJSQzNHQvYoTmxhoOEofxtOsF3rtsMo= +k8s.io/apiserver v0.31.2 h1:VUzOEUGRCDi6kX1OyQ801m4A7AUPglpsmGvdsekmcI4= +k8s.io/apiserver v0.31.2/go.mod h1:o3nKZR7lPlJqkU5I3Ove+Zx3JuoFjQobGX1Gctw6XuE= +k8s.io/client-go v0.31.2 h1:Y2F4dxU5d3AQj+ybwSMqQnpZH9F30//1ObxOKlTI9yc= +k8s.io/client-go v0.31.2/go.mod h1:NPa74jSVR/+eez2dFsEIHNa+3o09vtNaWwWwb1qSxSs= +k8s.io/component-base v0.31.2 h1:Z1J1LIaC0AV+nzcPRFqfK09af6bZ4D1nAOpWsy9owlA= +k8s.io/component-base v0.31.2/go.mod h1:9PeyyFN/drHjtJZMCTkSpQJS3U9OXORnHQqMLDz0sUQ= +k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk= +k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE= +k8s.io/kubernetes v1.31.2 h1:VNSu4O7Xn5FFRsh9ePXyEPg6ucR21fOftarSdi053Gs= +k8s.io/kubernetes v1.31.2/go.mod h1:9xmT2buyTYj8TRKwRae7FcuY8k5+xlxv7VivvO0KKfs= +k8s.io/utils v0.0.0-20241104100929-3ea5e8cea738 
h1:M3sRQVHv7vB20Xc2ybTt7ODCeFj6JSWYFzOFnYeS6Ro= +k8s.io/utils v0.0.0-20241104100929-3ea5e8cea738/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= +sigs.k8s.io/json v0.0.0-20241010143419-9aa6b5e7a4b3 h1:/Rv+M11QRah1itp8VhT6HoVx1Ray9eB4DBr+K+/sCJ8= +sigs.k8s.io/json v0.0.0-20241010143419-9aa6b5e7a4b3/go.mod h1:18nIHnGi6636UCz6m8i4DhaJ65T6EruyzmoQqI2BVDo= +sigs.k8s.io/structured-merge-diff/v4 v4.4.2 h1:MdmvkGuXi/8io6ixD5wud3vOLwc1rj0aNqRlpuvjmwA= +sigs.k8s.io/structured-merge-diff/v4 v4.4.2/go.mod h1:N8f93tFZh9U6vpxwRArLiikrE5/2tiu1w1AGfACIGE4= +sigs.k8s.io/yaml v1.4.0 h1:Mk1wCc2gy/F0THH0TAp1QYyJNzRm2KCLy3o5ASXVI5E= +sigs.k8s.io/yaml v1.4.0/go.mod h1:Ejl7/uTz7PSA4eKMyQCUTnhZYNmLIl+5c2lQPGR2BPY= diff --git a/lxcfs-image/Dockerfile b/lxcfs-image/Dockerfile deleted file mode 100644 index 738952d..0000000 --- a/lxcfs-image/Dockerfile +++ /dev/null @@ -1,19 +0,0 @@ -FROM centos:7 as build -RUN yum -y update -RUN yum -y install fuse-devel pam-devel wget install gcc automake autoconf libtool make -ENV LXCFS_VERSION 3.1.2 -RUN wget https://linuxcontainers.org/downloads/lxcfs/lxcfs-$LXCFS_VERSION.tar.gz && \ - mkdir /lxcfs && tar xzvf lxcfs-$LXCFS_VERSION.tar.gz -C /lxcfs --strip-components=1 && \ - cd /lxcfs && ./configure && make - -FROM centos:7 -STOPSIGNAL SIGINT -COPY --from=build /lxcfs/lxcfs /usr/local/bin/lxcfs -COPY --from=build /lxcfs/.libs/liblxcfs.so /usr/local/lib/lxcfs/liblxcfs.so -COPY --from=build /lxcfs/lxcfs /lxcfs/lxcfs -COPY --from=build /lxcfs/.libs/liblxcfs.so /lxcfs/liblxcfs.so -COPY --from=build /usr/lib64/libfuse.so.2.9.2 /lxcfs/libfuse.so.2.9.2 -COPY --from=build /usr/lib64/libulockmgr.so.1.0.1 /lxcfs/libulockmgr.so.1.0.1 - -COPY start.sh / -CMD ["/start.sh"] diff --git a/lxcfs-image/start.sh b/lxcfs-image/start.sh deleted file mode 100755 index 5fd6f91..0000000 --- a/lxcfs-image/start.sh +++ /dev/null 
@@ -1,25 +0,0 @@
-#!/bin/bash
-
-# Cleanup
-nsenter -m/proc/1/ns/mnt fusermount -u /var/lib/lxcfs 2> /dev/null || true
-nsenter -m/proc/1/ns/mnt [ -L /etc/mtab ] || \
- sed -i "/^lxcfs \/var\/lib\/lxcfs fuse.lxcfs/d" /etc/mtab
-
-# remove /var/lib/lxcfs
-rm -rf /var/lib/lxcfs/*
-
-# Prepare
-mkdir -p /usr/local/lib/lxcfs /var/lib/lxcfs
-
-# Update lxcfs
-cp -f /lxcfs/lxcfs /usr/local/bin/lxcfs
-cp -f /lxcfs/liblxcfs.so /usr/local/lib/lxcfs/liblxcfs.so
-
-cp -f /lxcfs/libfuse.so.2.9.2 /usr/lib64/libfuse.so.2.9.2
-cp -f /lxcfs/libulockmgr.so.1.0.1 /usr/lib64/libulockmgr.so.1.0.1
-
-ln -s /usr/lib64/libfuse.so.2.9.2 /usr/lib64/libfuse.so.2
-ln -s /usr/lib64/libulockmgr.so.1.0.1 /usr/lib64/libulockmgr.so.1
-
-# Mount
-exec nsenter -m/proc/1/ns/mnt /usr/local/bin/lxcfs /var/lib/lxcfs/
diff --git a/main.go b/main.go
index 62bc1df..d7d864a 100644
--- a/main.go
+++ b/main.go
@@ -18,8 +18,8 @@ func main() {
 // get command line parameters
 flag.IntVar(¶meters.port, "port", 443, "Webhook server port.")
- flag.StringVar(¶meters.certFile, "tlsCertFile", "/etc/webhook/certs/cert.pem", "File containing the x509 Certificate for HTTPS.")
- flag.StringVar(¶meters.keyFile, "tlsKeyFile", "/etc/webhook/certs/key.pem", "File containing the x509 private key to --tlsCertFile.")
+ flag.StringVar(¶meters.certFile, "tlsCertFile", "/etc/webhook/certs/tls.crt", "File containing the x509 Certificate for HTTPS.")
+ flag.StringVar(¶meters.keyFile, "tlsKeyFile", "/etc/webhook/certs/tls.key", "File containing the x509 private key to --tlsCertFile.")
 flag.Parse()
 pair, err := tls.LoadX509KeyPair(parameters.certFile, parameters.keyFile)
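Review bot: The new defaults `/etc/webhook/certs/tls.crt` and `/etc/webhook/certs/tls.key` are not backward-compatible: a deployment that still mounts the certificate as `cert.pem`/`key.pem` and relies on the defaults will fail at `tls.LoadX509KeyPair` on startup unless the Secret or the `tlsCertFile`/`tlsKeyFile` flags are changed in the same rollout. The new names match the keys of a `kubernetes.io/tls` Secret, which is presumably the intent; record that above the two flags, e.g. `// defaults match the tls.crt/tls.key keys of a kubernetes.io/tls Secret mounted at /etc/webhook/certs`. The rest of `main` and the deployment manifest are outside this hunk, so confirm there that the Secret volume is mounted read-only and that a load failure is logged with the path rather than retried silently.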