feat: implement pod-specific secret injection for DaemonSets with automated lifecycle management
@@ -0,0 +1,80 @@
# DaemonSet Secret Injector
A Kubernetes Mutating Webhook that automatically injects a unique, node-specific Secret into Pods belonging to a targeted DaemonSet.
## Features
- **Automatic Injection**: Intercepts Pod creation and injects a Secret volume and mount.
- **Node-Specific Data**: Each Pod gets a unique Secret containing information relevant to the node it resides on.
- **Lifecycle Management**: Automatically creates the Secret upon Pod creation and deletes it when the Pod is removed.
- **Node Authorizer Compatibility**: Secret names are derived from the Pod name, ensuring predictable access control.
## Architecture
1. **Mutating Webhook**: Intercepts `CREATE` requests for Pods. It calculates the target Node name (from affinity or spec), generates a unique Pod name, creates a Secret, and patches the Pod spec to include the Secret volume.
2. **Pod Controller**: Watches for Pod deletion events and cleans up the associated Secret from the namespace.
3. **Test Client**: A helper utility that uses Node credentials (`kubeconfig`) to verify it can read the injected secret.
4. **Secret Manager**: A CLI tool for managing Kubernetes Secrets from your local machine with automatic decoding. See [cmd/secret-manager/README.md](cmd/secret-manager/README.md) for details.
## Getting Started
### Prerequisites
- Kubernetes cluster (GKE, EKS, Kind, etc.)
- `kubectl` and `docker`
- `openssl` (for certificate generation)
### Configuration
The webhook is configured via command-line arguments in the deployment:
- `--target-namespace`: The namespace to monitor (default: `gps-system`).
- `--target-daemonsets`: Comma-separated list of DaemonSet names to inject.
### Deployment
1. **Clone the repository**.
2. **(Optional) Configure your registry**:
The default registry is set to `git.pengzhan.dev/haopengzhan/k8s-ds-secret-injection`. If you want to push to your own registry:
```bash
export REGISTRY=your-registry.com/your-username
```
3. **Build and Push images**:
If you are using the default public registry, you can skip the push step if the images are already there.
To push your own images:
```bash
docker login git.pengzhan.dev
make push
```
4. **Setup Certificates**:
```bash
# Create namespace first
kubectl apply -f deploy/namespace.yaml
# Generate and upload certs
make certs
```
5. **Deploy the system**:
```bash
make deploy REGISTRY=$REGISTRY
```
## Verification
Check the logs of the test DaemonSet pods to see the successful retrieval of the secret:
```bash
kubectl logs -n gps-system -l app=test-daemonset
```
You should see:
```text
Successfully retrieved secret gps-system/test-daemonset-xxxxx
Key: secret-data, Value: unique-secret-for-test-daemonset-xxxxx-on-node-yyyyy
```
## Cleanup
To remove all resources created by this project:
```bash
make clean
```
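Review bot: the Verification section documents the test client printing the injected Secret's value in clear text to pod logs (`Key: secret-data, Value: unique-secret-for-test-daemonset-xxxxx-on-node-yyyyy`), so anyone with `pods/log` read access in `gps-system` can recover the secret without any Secret RBAC; suggest the test client log only the key name plus a length or digest, and update the expected-output block to match. Separately, the Lifecycle Management bullet and Architecture item 2 say cleanup relies on a controller watching Pod deletion events; the README should state whether each generated Secret also carries an ownerReference to its Pod so that orphaned Secrets are garbage-collected when the controller is down or misses an event, or, if not, how stale node-specific Secrets are reconciled.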