- Introduction & Environment Bootstrap
- Implementing Main Reconcile Logic
- Implementing Resource Cleanup
- Implementing Webhooks (this post)
- Testing Your Operator
In previous posts, we covered bootstrapping an operator, implementing the reconciliation loop, and handling cleanup logic using finalizers. Now let's look at enhancing the robustness and reliability of our Tenant Operator using admission webhooks.
Webhooks allow our operator to intercept and validate requests before the Kubernetes API server persists changes. This gives us the power to enforce business logic, prevent conflicts, and ensure consistency.
Admission webhooks are HTTP callbacks that receive admission requests and can mutate or validate resources during create, update, and delete operations. They allow injecting custom logic into the Kubernetes API server request flow without modifying the core Kubernetes code.
Some key things to know about admission webhooks:
- They intercept API requests before persistence of the object in etcd, allowing mutating or validating the resources
- Two types - mutating webhooks can modify objects sent to the API server, validating webhooks can reject requests.
- Run as standalone services, not part of API server. API server POSTs admission requests to webhook over HTTP.
- Can be used to enforce custom business logic, security policies, schema validation, defaults, etc.