该仓库未声明开源许可证文件(LICENSE),使用请关注具体项目描述及其代码上游依赖。
克隆/下载
贡献代码
同步代码
取消
提示: 由于 Git 不支持空文件夾,创建文件夹后会生成空的 .keep 文件
Loading...
README
Apache-2.0

Gesher

K8s Admission control proxy.
"Gesher" means bridge in Hebrew.

Motivation

Kubernetes has Admission Webhooks.

These enable administrators of a Kubernetes cluster to include their own set of admission control over Kubernetes objects.

The problem is that admission control as it works today, really just works at the cluster level. Every webhook admission service will get admission requests for every object in every namespace by default. In the world of namespaced operators this becomes a problem for 2 reasons.

  1. as each operator might want to do admission control itself. In fact, the operator-sdk encourages building the admission control webhook HTTPs servers as part of the operator binary. This would result in many webhook servers getting sent many requests for objects not in their own namespace. While, one can create webhook that select based on a namspace's labels, these can be fragile as they are dependent on the labels always being setup correctly

  2. to create a webhook, one needs cluster level privileges, which would mean that a user in a namespace can use a validating webhook to intercept all any object in any namespace. users within a namespace should be able to setup admission control juet for their namespace without any ability to impact other namespaces.

Solution

Gesher is a cluster level admission proxy, that is the single point for the kubernetes api-server to issue admission requests. In turn, Gesher proxies the request to the correct admission control https server in the correct namespace.

空文件

简介

暂无描述 展开 收起
Go 等 3 种语言
Apache-2.0
取消

发行版

暂无发行版

贡献者

全部

近期动态

不能加载更多了
马建仓 AI 助手
尝试更多
代码解读
代码找茬
代码优化