1. Deploy the k8s-mutating-admission-webhook helm chart on Azure Kubernetes Service (AKS)

    TypeScript

    In this guide, we will go through the process of deploying a Kubernetes mutating admission webhook using a Helm chart on Azure Kubernetes Service (AKS) with Pulumi. The mutating admission webhook is a form of admission controller in Kubernetes that intercepts and possibly changes requests to the Kubernetes API server before the objects are stored.

    Firstly, we'll need an AKS cluster where our mutating admission webhook will reside. We then configure Pulumi to install the Helm chart of the mutating admission webhook onto the AKS cluster.

    The resources that we will use to accomplish this are:

    1. azure-native.containerservice.ManagedCluster to create an AKS cluster.
    2. kubernetes.helm.v3.Chart to deploy the mutating admission webhook using a Helm chart onto our AKS cluster.

    Ensure that you've already set up your Azure and Pulumi accounts and have the Pulumi CLI installed. You need kubectl installed to interact with the Kubernetes cluster. Also, this guide assumes that you have already configured your Pulumi CLI with the correct Azure credentials.

    Program Overview:

    1. Import the necessary Pulumi libraries.
    2. Create an AKS cluster.
    3. Deploy the mutating admission webhook via the Helm chart on the AKS cluster.

    Below is the Pulumi TypeScript program that will create an AKS cluster and deploy a mutating admission webhook using a Helm chart:

    ```typescript
    import * as azure_native from "@pulumi/azure-native";
    import * as k8s from "@pulumi/kubernetes";
    import * as pulumi from "@pulumi/pulumi";

    const name = "akscluster"; // Replace with the desired cluster name

    // Create a resource group for the AKS cluster
    const resourceGroup = new azure_native.resources.ResourceGroup(`${name}-rg`);

    // Create the AKS cluster
    const aksCluster = new azure_native.containerservice.ManagedCluster(`${name}-aks`, {
        resourceGroupName: resourceGroup.name,
        agentPoolProfiles: [{
            count: 2, // The number of desired nodes in the node pool
            maxPods: 110,
            mode: "System",
            name: "agentpool",
            osDiskSizeGB: 30,
            osType: "Linux",
            vmSize: "Standard_DS2_v2",
        }],
        dnsPrefix: name,
        enableRBAC: true,
        kubernetesVersion: "1.18.14", // Replace with a version AKS currently offers in your region
        linuxProfile: {
            adminUsername: "adminuser",
            ssh: {
                publicKeys: [{
                    keyData: "ssh-rsa <YOUR_SSH_PUBLIC_KEY>", // Replace with your SSH public key
                }],
            },
        },
        nodeResourceGroup: `${name}-node-rg`,
        servicePrincipalProfile: {
            clientId: "<YOUR_SERVICE_PRINCIPAL_ID>", // Replace with your service principal client ID
            // Replace with your service principal secret. Reading it with
            // new pulumi.Config().requireSecret(...) keeps it out of source control.
            secret: "<YOUR_SERVICE_PRINCIPAL_SECRET>",
        },
    }, { dependsOn: resourceGroup });

    // azure-native's ManagedCluster does not expose a kubeConfigRaw output, so fetch
    // the cluster user credentials and base64-decode the kubeconfig they contain.
    const credentials = azure_native.containerservice.listManagedClusterUserCredentialsOutput({
        resourceGroupName: resourceGroup.name,
        resourceName: aksCluster.name,
    });

    // Export the kubeconfig as a secret so it is encrypted in state and masked in output.
    // Read it with: pulumi stack output kubeconfig --show-secrets
    export const kubeconfig = pulumi.secret(
        credentials.kubeconfigs.apply(configs =>
            Buffer.from(configs[0].value, "base64").toString("utf8")),
    );

    // Create a k8s provider with the kubeconfig from the AKS cluster
    const k8sProvider = new k8s.Provider(`${name}-k8sprovider`, {
        kubeconfig: kubeconfig,
    });

    // Deploy the k8s-mutating-admission-webhook chart
    const releaseName = "mutating-admission-webhook";
    const admissionWebhookChart = new k8s.helm.v3.Chart(releaseName, {
        chart: "k8s-mutating-admission-webhook", // The name of the chart. Replace if it's different.
        version: "1.0.0", // The chart version, replace if you need a different version
        namespace: "default", // The namespace where you want to deploy your webhook
        // fetchOpts: { repo: "<YOUR_HELM_REPO_URL>" }, // Set this if the chart is not in a locally configured repository
    }, { provider: k8sProvider });

    // Output the name of the chart deployment
    // (helm.v3.Chart is a component resource and has no metadata property to read it from)
    export const chartName = releaseName;
    ```

    In the above program, we start by creating an Azure resource group and then provisioning an AKS cluster within this group. We specify some configurations like the number of nodes, VM size, and enabled RBAC for security. It is important to fill in the placeholders with your SSH public key, Azure Service Principal ID, and secret.

    The second part of the program initializes a Kubernetes provider using the kubeconfig from our newly created AKS cluster. This provider is what we use to work with Kubernetes resources via Pulumi.

    Lastly, we deploy the Helm chart for the mutating admission webhook, specifying the chart name and version. Once deployed, we export the name of the Helm chart deployment as an output. You can then use kubectl to interact with your new Kubernetes cluster using the exported kubeconfig output.

    Ensure you replace <YOUR_SSH_PUBLIC_KEY>, <YOUR_SERVICE_PRINCIPAL_ID>, and <YOUR_SERVICE_PRINCIPAL_SECRET> with your actual SSH public key, Azure service principal ID, and secret respectively.

    Running this Pulumi program sets up the necessary infrastructure on Azure and deploys the mutating admission webhook on AKS.

    It's important to note that the mutating admission webhook Helm chart named k8s-mutating-admission-webhook should exist or be available in your Helm repository. If it is not, or if you're using a private Helm repository, additional configuration will be necessary to specify the correct repository URL and credentials.
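
The introduction describes a mutating admission webhook as intercepting and possibly changing requests before objects are stored. The following added example (not part of the original guide, and not the logic of the k8s-mutating-admission-webhook chart) shows that exchange for a hypothetical policy that hardens each container's securityContext; the policy, the function names and the sample request are assumptions.

```typescript
// Added illustration: the names and the policy below are hypothetical, not taken from the chart.
interface PatchOp { op: "add"; path: string; value: unknown }
interface AdmissionReview {
    request: { uid: string; kind: { kind: string }; object: any };
}
interface AdmissionResponse { uid: string; allowed: boolean; patchType?: "JSONPatch"; patch?: string }

// Assumed policy: every container must carry these securityContext fields.
const HARDENED: Record<string, boolean> = { allowPrivilegeEscalation: false, runAsNonRoot: true };

// Build the RFC 6902 operations. "add" on an existing object member replaces its
// value, so one op type covers both unset fields and weaker settings.
function buildPatch(pod: any): PatchOp[] {
    const ops: PatchOp[] = [];
    for (const field of ["containers", "initContainers"]) {
        const list: any[] = pod?.spec?.[field] ?? [];
        list.forEach((c, i) => {
            const base = `/spec/${field}/${i}/securityContext`;
            if (c.securityContext == null) {
                ops.push({ op: "add", path: base, value: { ...HARDENED } });
                return;
            }
            for (const key of Object.keys(HARDENED)) {
                if (c.securityContext[key] !== HARDENED[key]) {
                    ops.push({ op: "add", path: `${base}/${key}`, value: HARDENED[key] });
                }
            }
        });
    }
    return ops;
}

// Answer an AdmissionReview: echo the request uid, allow the request, and attach
// a base64-encoded JSON Patch only when something has to change.
function mutate(review: AdmissionReview) {
    const { uid, kind, object } = review.request;
    const response: AdmissionResponse = { uid, allowed: true };
    const ops = kind.kind === "Pod" ? buildPatch(object) : [];
    if (ops.length > 0) {
        response.patchType = "JSONPatch";
        response.patch = Buffer.from(JSON.stringify(ops)).toString("base64");
    }
    return { apiVersion: "admission.k8s.io/v1", kind: "AdmissionReview", response };
}

// Constructed sample request (not captured from a real cluster).
const SAMPLE_REVIEW: AdmissionReview = {
    request: { uid: "constructed-uid-0001", kind: { kind: "Pod" }, object: { spec: { containers: [
        { name: "app", image: "example/app:1" },
        { name: "sidecar", image: "example/sidecar:1",
          securityContext: { allowPrivilegeEscalation: true, runAsNonRoot: true } },
    ] } } },
};
```

Because the API server applies whatever patch the webhook returns, reviewing the chart's mutation logic before deploying it matters as much as reviewing the cluster configuration.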