这是一个极简的 Kubernetes Mutating Admission Webhook,专门用于拦截 ResourceQuota 的 PATCH 操作,将所有资源配额值设置为 999999。
- 拦截对 ResourceQuota 的 UPDATE 操作
- 将
/spec/hard路径下的所有资源配额值设置为 999999 - 提供健康检查端点
- 完整的错误处理和日志记录
- 极简设计,专注核心功能
├── src/ │ ├── index.ts # 主服务器入口 │ ├── types.ts # TypeScript 类型定义 │ └── webhook.ts # Webhook 处理逻辑 ├── dist/ # 编译后的 JavaScript 文件 ├── package.json # 项目配置 ├── tsconfig.json # TypeScript 配置 └── README.md # 项目说明
npm install
npm run build
npm run dev
npm start
PORT: 服务器监听端口(默认: 8443)TLS_CERT_FILE: TLS 证书文件路径(默认: /etc/certs/tls.crt)TLS_KEY_FILE: TLS 私钥文件路径(默认: /etc/certs/tls.key)
当前实现的修改逻辑非常简单:
- 统一覆盖: 将 ResourceQuota 的
/spec/hard路径下所有资源配额值设置为 999999 - 无条件处理: 对所有 ResourceQuota PATCH 请求都执行相同的修改操作
- JSON Patch: 使用标准的 JSON Patch
replace操作来修改资源配额
修改逻辑位于 src/webhook.ts 中的 handleResourceQuotaPatch() 函数。
GET /health
返回服务器健康状态。
POST /mutate
接收 Kubernetes Admission Review 请求并返回修改后的响应。
# 安装 cert-manager
kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.13.0/cert-manager.yaml
# 等待 cert-manager 启动完成
kubectl wait --for=condition=ready pod -l app.kubernetes.io/instance=cert-manager -n cert-manager --timeout=300s
# ca-issuer.yaml
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
name: tke-quota-breach-ca
namespace: devops
spec:
selfSigned: {}
# webhook-certificate.yaml
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: tke-quota-breach
namespace: devops
spec:
secretName: tke-quota-breach-webhook-certs
issuerRef:
name: tke-quota-breach-ca
kind: Issuer
group: cert-manager.io
dnsNames:
- tke-quota-breach-webhook.devops.svc
- tke-quota-breach-webhook.devops.svc.cluster.local
应用证书配置:
kubectl apply -f ca-issuer.yaml kubectl apply -f webhook-certificate.yaml
FROM node:18-alpine WORKDIR /app COPY package*.json ./ RUN npm ci --only=production COPY dist/ ./dist/ EXPOSE 8443 CMD ["npm", "start"]
apiVersion: apps/v1
kind: Deployment
metadata:
name: tke-quota-breach-webhook
namespace: devops
spec:
replicas: 1
selector:
matchLabels:
app: tke-quota-breach-webhook
template:
metadata:
labels:
app: tke-quota-breach-webhook
spec:
containers:
- name: webhook
image: docker.cnb.cool/yankeguo/tke-quota-breach:latest
ports:
- containerPort: 8443
env:
- name: PORT
value: "8443"
- name: TLS_CERT_FILE
value: "/etc/certs/tls.crt"
- name: TLS_KEY_FILE
value: "/etc/certs/tls.key"
volumeMounts:
- name: webhook-certs
mountPath: /etc/certs
readOnly: true
volumes:
- name: webhook-certs
secret:
secretName: tke-quota-breach-webhook-certs
---
apiVersion: v1
kind: Service
metadata:
name: tke-quota-breach-webhook
namespace: devops
spec:
selector:
app: tke-quota-breach-webhook
ports:
- port: 443
targetPort: 8443
---
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
name: tke-quota-breach-webhook
annotations:
cert-manager.io/inject-ca-from: devops/tke-quota-breach
webhooks:
- name: resourcequota.tke-quota-breach.webhook
clientConfig:
service:
name: tke-quota-breach-webhook
namespace: devops
path: /mutate
# caBundle 将由 cert-manager 自动注入
rules:
- operations: ["CREATE", "UPDATE"]
apiGroups: [""]
apiVersions: ["v1"]
resources: ["resourcequotas"]
admissionReviewVersions: ["v1", "v1beta1"]
sideEffects: None
应用部署配置:
kubectl apply -f deployment.yaml
检查证书是否创建成功:
# 检查证书状态
kubectl get certificate -n devops
# 检查 secret 是否创建
kubectl get secret tke-quota-breach-webhook-certs -n devops
检查 webhook 是否正常运行:
# 检查 pod 状态
kubectl get pods -n devops -l app=tke-quota-breach-webhook
# 查看日志
kubectl logs -n devops -l app=tke-quota-breach-webhook
# 检查 MutatingWebhookConfiguration 配置
kubectl get mutatingwebhookconfiguration tke-quota-breach-webhook -o yaml
- 此项目已配置 HTTPS 和 TLS 证书支持,使用 cert-manager 自动管理证书
- 确保 webhook 服务具有适当的 RBAC 权限
- 此 webhook 会将所有 ResourceQuota 的配额值设置为 999999,请谨慎使用
- 建议在测试环境中充分验证功能
- cert-manager 需要在集群中正确安装和配置
- 监控 webhook 的性能和错误日志
MIT License
35/F,Tencent Building,Kejizhongyi Avenue,Nanshan District,Shenzhen
