The Deployment

Ok, so we have some code that can listen and respond to requests from the Kubernetes API server, but where do we deploy it? And how do we get Kubernetes to forward us those requests? You can deploy this endpoint anywhere the Kubernetes API server has connectivity. The simplest place to deploy this code is within the Kubernetes cluster itself, which is what we will do for this example. I’ve tried to keep the example as simple as possible so everything is done with Docker and kubectl. Let’s start by building a container to host the code:

Dockerfile

As you can see this is as simple as it gets. Take the community node image and push our code into it. Then you can do a simple build:

docker build . -t localserver

Next, we create a Kubernetes deployment:

deployment.yaml

Notice how we reference the image we just created? This could have just as easily been a pod, or anything we can connect a Kubernetes service to. Let’s define that service next:

service.yaml

That will create an internal named endpoint within Kubernetes that points to our container. The final step will be to tell Kubernetes that we want the API server to call this service when it’s ready to do mutations:

hook.yaml

MutatingWebhookConfiguration… that’s a mouthful. The name and path can be anything here, but I tried to make them as semantic as possible. Changing the path will mean you also need to change it in your JavaScript. The webhook failurePolicy is important as well — that will determine whether or not the object should be persisted if your hook returns an error or fails. In this case, we are telling Kubernetes NOT to proceed if that happens. Finally, the rules — these will change depending on what type of API calls you want Kubernetes to send. Here, since we are trying to emulate sidecar injection, we want to intercept pod creation requests.

That’s it! So simple… but what about security? One aspect we won’t cover here is RBAC within Kubernetes. I am assuming that you are just running all this with minikube, or the Kubernetes that comes with Docker for X. However, we will cover one required element. The Kubernetes API server will only call HTTPS endpoints, so the application needs to have SSL certificates. You’ll also need to tell Kubernetes what the root certificate authority is.
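To make the failurePolicy, rules, and root CA points above concrete, here is an added example of a hook registration (not the author's hook.yaml). The hook name, service name, namespace, path, timeout, and namespaceSelector are assumptions, and the caBundle value is a placeholder.

```yaml
# Added example: every name below is hypothetical, not taken from the original post.
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
  name: sidecar-injector-hook
webhooks:
  - name: sidecar-injector.example.local   # must be a fully qualified name
    admissionReviewVersions: ["v1"]
    sideEffects: None                      # the hook only returns a patch
    timeoutSeconds: 5                      # bound how long the API server waits
    # Fail = reject the object if the hook errors or is unreachable.
    # Ignore would let pods through unmutated instead.
    failurePolicy: Fail
    clientConfig:
      service:
        name: localserver                  # assumed Service name
        namespace: webhook-system          # assumed namespace for the hook
        path: /mutate                      # must match the path the JavaScript serves
        port: 443
      # Base64-encoded PEM of the root CA that signed the hook's serving
      # certificate; the API server uses it to verify the HTTPS endpoint.
      caBundle: <BASE64_PEM_OF_ROOT_CA>
    rules:
      # Intercept pod creation only, as needed for sidecar injection.
      - operations: ["CREATE"]
        apiGroups: [""]
        apiVersions: ["v1"]
        resources: ["pods"]
        scope: Namespaced
    # Skip the hook's own namespace and kube-system so an outage of the
    # hook cannot block the pods needed to bring it (or the cluster) back.
    namespaceSelector:
      matchExpressions:
        - key: kubernetes.io/metadata.name
          operator: NotIn
          values: ["kube-system", "webhook-system"]
```

With failurePolicy set to Fail and a rule that matches every pod creation, an unavailable hook blocks new pods cluster-wide, which is why the selector excludes the hook's own namespace.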