Mutating admission controller for kubernetes that ensures restricted ingress.
The hook services utilizes a mix of environment variables and files for configuration.
Port that the webhook will listen on, defaults to 8443.
A mutating webhook can only be called on a TLS connection. Therefore a utility cli has been added to generate a self signed certificate for deploying bluepill.
Run go run cmd/certificate_generator/main.go bluepill default to get a secret containing certificate and private key.
Points to the mounted certificate file.
Points to the mounted private key file.
Points to the mounted whitelist file.
name1=ip1
name2=ip2
...
nameN=ipNIndicates if the we should mutate or just log.
The deploy/ folder contains all resources to get up and running except the secret containing the self signed certificate.
./setup-kind prepares a cluster where the functionality can be tested by running:
kubectl apply -f deploy/admission-webhook.yaml && kubectl apply -f deploy/test/ingress-blue.yamland then inspecting the ingress resource afterwards.