Using kubernetes admissionregistration.k8s.io with velero.io
To integrate Kubernetes admission controllers with Velero for backup and restore operations, you would first need to deploy Velero to your Kubernetes cluster and then configure the relevant admission webhooks (`ValidatingWebhookConfiguration` or `MutatingWebhookConfiguration`, depending on your use case).
First, let's understand the components involved:
- Velero: An open-source tool that helps you back up and restore your Kubernetes cluster resources and persistent volumes.
- Admission Controllers: An integral part of Kubernetes that intercept requests to the Kubernetes API server before object persistence but after the request is authenticated and authorized. The two types of admission controllers you might configure are:
  - `ValidatingWebhookConfiguration`: It intercepts requests to validate the object creation request before it is saved.
  - `MutatingWebhookConfiguration`: It can intercept and modify requests before they are processed.
Now, to set up Velero with admission controllers in Kubernetes:
- Install Velero using its official documentation.
- Define your admission controller webhooks in Pulumi, depending on your needs (mutation or validation of requests).
Below is sample Pulumi code that demonstrates creating a `MutatingWebhookConfiguration` in TypeScript. This webhook is configured to communicate with a service that Velero provides for backups, which is an example use case. The actual service and its path would be specific to your Velero setup and the operations you want to perform.

```typescript
import * as kubernetes from "@pulumi/kubernetes";

const mutatingWebhookConfiguration = new kubernetes.admissionregistration.v1.MutatingWebhookConfiguration("exampleMutatingWebhookConfiguration", {
    metadata: { name: "example-mutating-webhook-configuration" },
    webhooks: [{
        name: "example.mutating.webhook.velero.io",
        clientConfig: {
            // The service that the webhook communicates with. This should point to the service that exposes Velero server.
            service: {
                name: "velero",
                namespace: "velero",
                path: "/mutate", // The path of Velero's mutation service.
            },
            // `caBundle` is a PEM encoded CA bundle which will be used to validate the webhook's server certificate.
            // You must provide the correct CA bundle for the Velero service here.
            caBundle: "Ci0tLS0tRU...",
        },
        rules: [{
            apiGroups: [""], // The API group of the resources you want to mutate.
            apiVersions: ["v1"],
            operations: ["CREATE", "UPDATE"], // The operations to apply this webhook to.
            resources: ["pods"], // The resources this webhook applies to.
        }],
        sideEffects: "None", // Make sure your webhook has no side effects on other processes.
        admissionReviewVersions: ["v1"], // The API version of the AdmissionReview objects that can be sent to this webhook.
    }],
});

export const mutatingWebhookConfigurationName = mutatingWebhookConfiguration.metadata.name;
```
In this example, the `MutatingWebhookConfiguration` object is created with a single webhook configured. The `clientConfig` should be updated with the correct service information where Velero listens for API requests.

Please note that for real-world usage, the `caBundle` must be a base64-encoded string containing the PEM-encoded CA bundle for the Velero service to authenticate the SSL/TLS connection. You might obtain this from your Velero setup, or it may be dynamically injectable depending on how your cluster's certificate management is configured.

After creating the webhook configuration, any time a matching request is made to the Kubernetes API (in this case, creating or updating a Pod), it will be intercepted by the configured webhook, which utilizes the Velero service to perform any necessary handling.
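
The `caBundle` requirement described above can be checked before running `pulumi up`. The following is an added example, not part of the original Pulumi program or of Velero: a dependency-free TypeScript function (the names `decodeBase64` and `checkCaBundle` are hypothetical) that verifies a value is base64 wrapping PEM `CERTIFICATE` blocks and flags raw PEM, truncated placeholders, double encoding, or a private key pasted by mistake. It checks structure only and does not parse or validate the X.509 certificate itself.

```typescript
// Added example: structural pre-flight check for a webhook caBundle value.
const B64_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

// Strict base64 decoder without runtime dependencies; returns null on malformed input.
function decodeBase64(s: string): number[] | null {
  if (s.length % 4 !== 0 || !/^[A-Za-z0-9+\/]+={0,2}$/.test(s)) return null;
  const data = s.replace(/=+$/, "");
  const out: number[] = [];
  let acc = 0;
  let bits = 0;
  for (let i = 0; i < data.length; i++) {
    acc = ((acc << 6) | B64_ALPHABET.indexOf(data.charAt(i))) & 0xffff;
    bits += 6;
    if (bits >= 8) {
      bits -= 8;
      out.push((acc >> bits) & 0xff);
    }
  }
  return out;
}

// Returns a list of problems; an empty list means the value has the expected shape.
function checkCaBundle(caBundle: string): string[] {
  const outer = decodeBase64(caBundle.trim());
  if (outer === null) {
    return ["caBundle is not valid base64 (raw PEM or a truncated placeholder?)"];
  }
  const text = outer.map((b) => String.fromCharCode(b)).join("");
  const problems: string[] = [];
  const pemBlock = /-----BEGIN ([A-Z0-9 ]+)-----([\s\S]*?)-----END \1-----/g;
  let certs = 0;
  let m: RegExpExecArray | null;
  while ((m = pemBlock.exec(text)) !== null) {
    if (m[1] !== "CERTIFICATE") {
      // caBundle is stored in the webhook configuration object: no key material here.
      problems.push("unexpected PEM block in caBundle: " + m[1]);
      continue;
    }
    const der = decodeBase64((m[2] || "").replace(/\s+/g, ""));
    // DER-encoded certificates start with an ASN.1 SEQUENCE tag (0x30).
    if (der === null || der[0] !== 0x30) {
      problems.push("CERTIFICATE block " + (certs + 1) + " is not base64-encoded DER");
    }
    certs++;
  }
  if (certs === 0) problems.push("no CERTIFICATE block after decoding (DER or double-encoded?)");
  return problems;
}
```

An empty result from `checkCaBundle` only means the value is shaped correctly; whether the CA actually issued the webhook server's certificate still has to be verified against your cluster's certificate setup.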
Make sure to change the `name`, `namespace`, `path`, `apiGroups`, `apiVersions`, `operations`, and `resources` to match the specific configuration needed for your Velero interaction.

This Pulumi program assumes you have already configured Pulumi to interact with the desired Kubernetes cluster. To apply this configuration, save the code to a file (`index.ts`), then run `pulumi up` within the directory containing your Pulumi project.

Keep in mind that this code serves as a starting point. Integrating with a tool like Velero would require deeper knowledge about the specific mechanisms used by Velero for webhook integrations, and the example above will likely need to be adapted for your setup.