Pengzhan Hao
80 lines
2.8 KiB
Markdown
80 lines
2.8 KiB
Markdown
# DaemonSet Secret Injector
|
|
|
|
A Kubernetes Mutating Webhook that automatically injects a unique, node-specific Secret into Pods belonging to a targeted DaemonSet.
|
|
|
|
## Features
|
|
|
|
- **Automatic Injection**: Intercepts Pod creation and injects a Secret volume and mount.
|
|
- **Node-Specific Data**: Each Pod gets a unique Secret containing information relevant to the node it resides on.
|
|
- **Lifecycle Management**: Automatically creates the Secret upon Pod creation and deletes it when the Pod is removed.
|
|
- **Node Authorizer Compatibility**: Secret names are derived from the Pod name, ensuring predictable access control.
|
|
|
|
## Architecture
|
|
|
|
1. **Mutating Webhook**: Intercepts `CREATE` requests for Pods. It calculates the target Node name (from affinity or spec), generates a unique Pod name, creates a Secret, and patches the Pod spec to include the Secret volume.
|
|
2. **Pod Controller**: Watches for Pod deletion events and cleans up the associated Secret from the namespace.
|
|
3. **Test Client**: A helper utility that uses Node credentials (`kubeconfig`) to verify it can read the injected secret.
|
|
4. **Secret Manager**: A CLI tool for managing Kubernetes Secrets from your local machine with automatic decoding. See [cmd/secret-manager/README.md](cmd/secret-manager/README.md) for details.
|
|
|
|
## Getting Started
|
|
|
|
### Prerequisites
|
|
|
|
- Kubernetes cluster (GKE, EKS, Kind, etc.)
|
|
- `kubectl` and `docker`
|
|
- `openssl` (for certificate generation)
|
|
|
|
### Configuration
|
|
|
|
The webhook is configured via command-line arguments in the deployment:
|
|
- `--target-namespace`: The namespace to monitor (default: `gps-system`).
|
|
- `--target-daemonsets`: Comma-separated list of DaemonSet names to inject.
|
|
|
|
### Deployment
|
|
|
|
1. **Clone the repository**.
|
|
2. **(Optional) Configure your registry**:
|
|
The default registry is set to `git.pengzhan.dev/haopengzhan/k8s-ds-secret-injection`. If you want to push to your own registry:
|
|
```bash
|
|
export REGISTRY=your-registry.com/your-username
|
|
```
|
|
3. **Build and Push images**:
|
|
If you are using the default public registry, you can skip the push step if the images are already there.
|
|
To push your own images:
|
|
```bash
|
|
docker login git.pengzhan.dev
|
|
make push
|
|
```
|
|
4. **Setup Certificates**:
|
|
```bash
|
|
# Create namespace first
|
|
kubectl apply -f deploy/namespace.yaml
|
|
# Generate and upload certs
|
|
make certs
|
|
```
|
|
5. **Deploy the system**:
|
|
```bash
|
|
make deploy REGISTRY=$REGISTRY
|
|
```
|
|
|
|
## Verification
|
|
|
|
Check the logs of the test DaemonSet pods to see the successful retrieval of the secret:
|
|
|
|
```bash
|
|
kubectl logs -n gps-system -l app=test-daemonset
|
|
```
|
|
|
|
You should see:
|
|
```text
|
|
Successfully retrieved secret gps-system/test-daemonset-xxxxx
|
|
Key: secret-data, Value: unique-secret-for-test-daemonset-xxxxx-on-node-yyyyy
|
|
```
|
|
|
|
## Cleanup
|
|
|
|
To remove all resources created by this project:
|
|
|
|
```bash
|
|
make clean
|
|
``` |