深入理解AdmissionWebhook part - 1

apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingWebhookConfiguration
metadata:
  name: <name of this configuration object>
webhooks:
- name: <webhook name, e.g., pod-policy.example.io>
  failurePolicy: Fail #Ignore或Fail
  rules:
  - apiGroups:# 列出一个活多个api group,空代表core *代表所有
    - ""
    apiVersions:# api版本
    - v1
    operations:# 列出需要匹配的动作
    - CREATE
    resources:# 列出一个或多个资源
    - pods
    scope: "Namespaced"# 指定匹配范围有效值为Cluster、Namespaced、*
  clientConfig:
    url: #webhook地址 必须为https
    service:
      namespace: #命名空间
      name: #服务名称 端口必须为443
    caBundle: #pem编码的ca证书，用于签署webhook使用的服务器证书，默认apiserver的系统根证书
  admissionReviewVersions:
  - v1beta1 #版本 默认v1beta1
  timeoutSeconds: 1#请求超时时间，默认30，1-30秒
  namespaceSelector:# 选择过滤哪些ns下的对象
    matchExpressions:
      key: environment
      operator: In
      values:
      - prod
      - staging
  sideEffects: # 明这个webhook是否有副作用，有效值 Unknown, None, Some, NoneOnDryRun，如果具有dryrun属性，切sideEffects为unknown或some，将自动拒绝执行。

apiVersion: apiserver.k8s.io/v1alpha1
kind: AdmissionConfiguration
plugins:
- name: ValidatingAdmissionWebhook
  configuration:
    apiVersion: apiserver.config.k8s.io/v1alpha1
    kind: WebhookAdmission
    kubeConfigFile: <path-to-kubeconfig-file>
- name: MutatingAdmissionWebhook
  configuration:
    apiVersion: apiserver.config.k8s.io/v1alpha1
    kind: WebhookAdmission
    kubeConfigFile: <path-to-kubeconfig-file>

apiVersion: v1
kind: Config
users:
# webhook 的dns名称格式为<service name>.<namespace>.svc,或URL
- name: 'webhook1.ns1.svc'
  user: # 证书认证
    client-certificate-data: <pem encoded certificate>
    client-key-data: <pem encoded key>
# The `name` supports using * to wildmatch prefixing segments.
- name: '*.webhook-company.org'
  user: #用户密码认证
    password: <password>
    username: <name>
# '*'匹配所有.
- name: '*'
  user:
    token: <token> # 令牌认证