This ValidatingAdmissionWebhook admission controller helps prevent the creation of bad ingress objects in multi-tenant clusters.
In particular, it denies ingress objects with:
- Empty Host
- Wildcard Host (*)
- Local Host (localhost)
- Duplicate Host/Path
This code is inspired by the example-webhook-admission-controller, but has been made to work with Kubernetes 1.9.
- Start minikube with dynamic admission controllers
minikube start \
--extra-config=apiserver.Admission.PluginNames=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,DefaultTolerationSeconds,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,ResourceQuota \
--kubernetes-version=v1.9.0
- Install helm
helm init
Wait until the tiller pod is running.
- Install the helm chart
helm install k8s-ingress-admission-controller-helm/ --debug --namespace=kube-system
- Apply an ingress with no host
kubectl apply -f test/empty-host.yaml
and the admission controller should deny the ingress with
Error from server (Forbidden): error when creating "test/empty-host.yaml":
admission webhook "k8s-ingress-admission-controller.target.k8s.io" denied the request:
Empty hostname is not allowed in this cluster
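The four deny rules listed at the top can be expressed as one validation function. The sketch below is an added example, not this project's code. The `Rule` type, the `Validate` signature, the `existing` map, treating any host containing `*` as a wildcard, and all messages except the empty-host one are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// Rule is a simplified stand-in for one host/path pair of an Ingress
// (assumption: a real webhook reads these from the AdmissionReview object).
type Rule struct{ Host, Path string }

// Validate returns a denial message for the first offending rule, or "" to
// allow. existing maps host+path keys already claimed in the cluster to the
// namespace/name of the owning ingress, so an update to the same object passes.
func Validate(owner string, rules []Rule, existing map[string]string) string {
	seen := map[string]bool{}
	for _, r := range rules {
		host := strings.ToLower(strings.TrimSpace(r.Host))
		switch {
		case host == "":
			// Message text taken from the deny output shown on this page.
			return "Empty hostname is not allowed in this cluster"
		case strings.Contains(host, "*"):
			// Assumption: any host containing "*" counts as a wildcard.
			// This and the messages below are constructed for the example.
			return "Wildcard hostname is not allowed in this cluster"
		case host == "localhost":
			return "localhost is not allowed in this cluster"
		}
		path := r.Path
		if path == "" {
			path = "/" // assumption: a missing path is treated as the root path
		}
		key := host + path
		if o, taken := existing[key]; seen[key] || (taken && o != owner) {
			return fmt.Sprintf("Duplicate host/path %s is not allowed", key)
		}
		seen[key] = true
	}
	return ""
}

func main() {
	// Constructed cluster state: team-a already serves app.example.com/.
	existing := map[string]string{"app.example.com/": "team-a/web"}
	fmt.Println(Validate("team-b/web", []Rule{{"App.Example.com", ""}}, existing))
	fmt.Println(Validate("team-a/web", []Rule{{"app.example.com", "/"}}, existing) == "")
}
```

Hosts are lowercased before comparison so that a tenant cannot sidestep the duplicate check by changing case, and the owner check keeps an update to an existing ingress from being denied as a duplicate of itself.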