Requirement:
We need to implement a policy requested by the security team that Kubernetes service should have an annotation : service.beta.kubernetes.io/oci-load-balancer-security-list-management-mode: None Thus no security list will be updated by Kubernetes. This is an example that how we build our own admission controller which implements various policies from security or other teams. ie we can add only internal load balancer is allowed for internal service.....etc
Solution:
- Please refer github repo
- git clone https://github.com/HenryXie1/oke-admission-webhook
- go build -o oke-admission-webhook
- docker build --no-cache -t repo-url/oke-admission-webhook:v1 .
- rm -rf oke-admission-webhook
- docker push repo-url/oke-admission-webhook:v1
- ./deployment/webhook-create-signed-cert.sh --service oke-admission-webhook-svc --namespace kube-system --secret oke-admission-webhook-secret
- kubectl replace --force -f deployment/validatingwebhook.yaml
- kubectl replace --force -f deployment/deployment.yaml
- kubectl replace --force -f deployment/service.yaml
Demo:
